GCIH · Question #674
How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?
The correct answer is D. Access a SAMBA share on the server. A stolen Windows NTLM hash can be used in a pass-the-hash attack to authenticate to a SAMBA share on a Linux server because SAMBA supports NTLM-based authentication natively.
Question
How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?
Options
- AAccess the server using SSH
- BLog in directly to the server
- CBecome a man-in-the-middle between the Windows and Linux hosts
- DAccess a SAMBA share on the server
How the community answered
(24 responses)- A4% (1)
- B21% (5)
- C8% (2)
- D67% (16)
Why each option
A stolen Windows NTLM hash can be used in a pass-the-hash attack to authenticate to a SAMBA share on a Linux server because SAMBA supports NTLM-based authentication natively.
SSH authentication relies on passwords or public-key cryptography and does not use NTLM hashes, making a stolen Windows hash unusable for SSH authentication.
Direct Linux console or PAM-based login does not use NTLM hashes for credential verification, so a Windows account hash cannot be leveraged for this access method.
Becoming a man-in-the-middle requires network positioning to intercept live traffic and does not directly leverage a pre-stolen hash to gain unauthorized access to server resources.
SAMBA implements the SMB/CIFS protocol on Linux and supports NTLM authentication, which uses the same hash format as Windows account credentials. In a pass-the-hash attack, the adversary supplies the stolen NTLM hash directly in response to the authentication challenge without ever needing the plaintext password. Because SAMBA accepts this NTLM hash as valid proof of identity, the attacker gains access to shared resources on the Linux server using only the stolen credential material.
Concept tested: Pass-the-hash attack against SAMBA NTLM authentication
Source: https://attack.mitre.org/techniques/T1550/002/
Topics
Community Discussion
No community discussion yet for this question.