PT0-002 · Question #157

PT0-002 Question #157: Real Exam Question with Answer & Explanation

The correct answer is B: Replay the captured traffic to the server to recreate the session.

Attacks and Exploits

Question

A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server?

Options

  • A. Perform vertical privilege escalation.
  • B. Replay the captured traffic to the server to recreate the session.
  • C. Use John the Ripper to crack the password.
  • D. Utilize a pass-the-hash attack.

Explanation

By capturing NTLM challenge-response traffic, a penetration tester can perform a replay attack by sending this captured authentication exchange back to the server. This technique allows the attacker to impersonate the legitimate client and potentially recreate an authenticated session without needing to crack the password hash.

Common mistakes.

  • A. Vertical privilege escalation refers to gaining higher privileges after initial access, not the method of gaining initial access from captured NTLM traffic.
  • C. While NTLM hashes can be cracked offline with tools like John the Ripper, the question asks what can be done with the pcap to gain access to the server directly, and a replay attack uses the captured challenge-response data without needing to crack the password.
  • D. A pass-the-hash attack involves using a captured NTLM hash (the user's password hash) directly for authentication, not the entire challenge-response traffic. Replaying the traffic is distinct from passing the hash.

Concept tested. NTLM replay attacks

Reference. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-ntlm-auditing

Topics

#NTLM attacks · #Replay attacks · #Authentication bypass · #Packet analysis