nerdexam
GIAC

GCIH · Question #669

Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \\192.168.44.213

The correct answer is B. Local logon credentials will be sent to 192.168.44.213. Running 'net use' against a remote host triggers NTLM authentication, which sends the current user's local logon credentials to the target machine.

Vulnerability Exploitation & Privilege Escalation

Question

Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \192.168.44.213

Options

  • AGuest user account permissions will be granted
  • BLocal logon credentials will be sent to 192.168.44.213
  • CIPC$ share returns a list of running processes
  • DHost at 192.168.44.213 will exchange a temporary authentication key

How the community answered

(66 responses)
  • A
    3% (2)
  • B
    77% (51)
  • C
    14% (9)
  • D
    6% (4)

Why each option

Running 'net use' against a remote host triggers NTLM authentication, which sends the current user's local logon credentials to the target machine.

AGuest user account permissions will be granted

Guest permissions are not automatically granted; Windows uses the currently logged-in user's credentials unless explicitly overridden with the /user: flag or anonymous access is configured on the target.

BLocal logon credentials will be sent to 192.168.44.213Correct

When 'net use' is executed against a remote host without specifying explicit credentials, Windows automatically attempts authentication using the current user's logon session via NTLM. This credential exchange is transparent and sends the username along with an NTLM challenge-response hash derived from the local logon password to the target host at 192.168.44.213.

CIPC$ share returns a list of running processes

The IPC$ share is an interprocess communication share used for named pipe connections, not a mechanism that returns a list of running processes.

DHost at 192.168.44.213 will exchange a temporary authentication key

Exchanging a temporary authentication key describes aspects of Kerberos ticket-granting service operations, not the NTLM challenge-response mechanism used by 'net use'.

Concept tested: NTLM credential passing via net use command

Source: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/gg651155(v=ws.11)

Topics

#SMB authentication#credential exposure#null session#Windows networking

Community Discussion

No community discussion yet for this question.

Full GCIH Practice