nerdexam
GIAC

GCIH · Question #674

How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?

The correct answer is D. Access a SAMBA share on the server. A stolen Windows NTLM hash can be used in a pass-the-hash attack to authenticate to a SAMBA share on a Linux server because SAMBA supports NTLM-based authentication natively.

Vulnerability Exploitation & Privilege Escalation

Question

How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?

Options

  • AAccess the server using SSH
  • BLog in directly to the server
  • CBecome a man-in-the-middle between the Windows and Linux hosts
  • DAccess a SAMBA share on the server

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    21% (5)
  • C
    8% (2)
  • D
    67% (16)

Why each option

A stolen Windows NTLM hash can be used in a pass-the-hash attack to authenticate to a SAMBA share on a Linux server because SAMBA supports NTLM-based authentication natively.

AAccess the server using SSH

SSH authentication relies on passwords or public-key cryptography and does not use NTLM hashes, making a stolen Windows hash unusable for SSH authentication.

BLog in directly to the server

Direct Linux console or PAM-based login does not use NTLM hashes for credential verification, so a Windows account hash cannot be leveraged for this access method.

CBecome a man-in-the-middle between the Windows and Linux hosts

Becoming a man-in-the-middle requires network positioning to intercept live traffic and does not directly leverage a pre-stolen hash to gain unauthorized access to server resources.

DAccess a SAMBA share on the serverCorrect

SAMBA implements the SMB/CIFS protocol on Linux and supports NTLM authentication, which uses the same hash format as Windows account credentials. In a pass-the-hash attack, the adversary supplies the stolen NTLM hash directly in response to the authentication challenge without ever needing the plaintext password. Because SAMBA accepts this NTLM hash as valid proof of identity, the attacker gains access to shared resources on the Linux server using only the stolen credential material.

Concept tested: Pass-the-hash attack against SAMBA NTLM authentication

Source: https://attack.mitre.org/techniques/T1550/002/

Topics

#pass-the-hash#SAMBA authentication#cross-platform attacks#credential reuse

Community Discussion

No community discussion yet for this question.

Full GCIH Practice