PT0-001 · Question #187
During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password b
The correct answer is A. #medusa -h hosts.txt -U usera.txt -P hashes, txt -M smbnt. -m GROP:LOCAL -O out.txt -m. A successful pass-the-hash attack against local Windows accounts requires the smbnt module with the GROUP:LOCAL modifier so Medusa authenticates in the local account context rather than the domain context.
Question
During an internal network penetration test the tester is able to compromise a Windows system and recover the NTLM hash for a local wrltsrnAdrain account Attempting to recover the plaintext password by cracking the hash has proved to be unsuccessful, and the tester has decided to try a pass-the-hash attack to see if the credentials are reused on other in-scope systems Using the Medusa tool the tester attempts to authenticate to a list of systems, including the originally compromised host, with no success Given the output below:
Which of the following Medusa commands would potentially provide better results?
Options
- A#medusa -h hosts.txt -U usera.txt -P hashes, txt -M smbnt. -m GROP:LOCAL -O out.txt -m
- B#medusa -H hosts.txt -U users, txt -P hashes, txt -M smbnt -m PASS:HASH -o out. txt
- C#medusa -H hosts.txt -u WrkStnAdmin -p
- D#medusa -H hosts.txt -C creds.txt -M mssq1 -m GROUP: DOMAIN -o out.txt
How the community answered
(28 responses)- A68% (19)
- B11% (3)
- C7% (2)
- D14% (4)
Why each option
A successful pass-the-hash attack against local Windows accounts requires the smbnt module with the GROUP:LOCAL modifier so Medusa authenticates in the local account context rather than the domain context.
Option A includes the GROUP:LOCAL modifier with the smbnt module, which is the critical parameter when targeting local accounts rather than domain accounts. Without GROUP:LOCAL, Medusa defaults to domain-context authentication and will fail against locally scoped NTLM hashes. Specifying LOCAL ensures the credential challenge and response are scoped correctly to the local SAM database, which is where the recovered hash originates.
Option B specifies PASS:HASH correctly but omits GROUP:LOCAL, meaning Medusa would attempt authentication in a domain context and fail against the local account whose hash was recovered.
Option C is an incomplete command missing both a hash value and a module specification, rendering it non-functional as a pass-the-hash attack.
Option D targets the MSSQL service with GROUP:DOMAIN, which is unrelated to passing a local Windows NTLM hash over SMB to authenticate as a local administrator.
Concept tested: Pass-the-hash attack with Medusa targeting local accounts
Source: https://www.kali.org/tools/medusa/
Topics
Community Discussion
No community discussion yet for this question.