A penetration tester is able to capture the NTLM challenge-response traffic between a client and a server. Which of the following can be done with the pcap to gain access to the server?
A. Perform vertical privilege escalation.
B. Replay the captured traffic to the server to recreate the session.
C. Use John the Ripper to crack the password.
D. Utilize a pass-the-hash attack.
A pass-the-hash attack is a method of authenticating to a server or service by using the underlying NTLM or LANMAN hash of a user's password, instead of the actual password. The NTLM challenge-response traffic contains the hash of the password, which can be extracted and used in a pass-the-hash attack.
Replaying the captured traffic to the server to recreate the session may not work as the session may have timed out or otherwise been terminated. Performing vertical privilege escalation would involve escalating privileges on the compromised system, which is not related to gaining access to the server. Using John the Ripper to crack the password would be ineffective as the traffic contains the hash of the password, not the password itself.
The best action to take with the pcap is to use a pass-the-hash attack. A pass-the-hash attack enables an attacker to authenticate to a remote service or system without knowing the user's password or having access to any other credentials. By capturing the NTLM challenge-response traffic between the client and server, a penetration tester can use the captured information to execute a successful pass-the-hash attack.
The question itself states "capture the NTLM challenge-response traffic." No hash has been captured yet so there is no hash to pass or crack yet right? What am I missing or not understanding? With B, couldn't the captured authentication sequence be replayed to gain access?
The NTLM challenge-response traffic captures the authentication exchange between the client and server, which includes the user's credentials in the form of a hashed password. From the options given, option D, utilizing a pass-the-hash attack, would be the most viable way to gain access to the server.
Option B, replaying the captured traffic to the server to recreate the session, would not work because the server would detect the replayed traffic as invalid.
D - The pcap of the NTLM challenge traffic can be replayed using Wireshark; the NTLM hashes can then be extracted from there and used in a pass-the-hash attack.
Answer: B. Replay the captured traffic to the server to recreate the session.
A. Perform vertical privilege escalation. - This is incorrect because a penetration tester is able to capture NTLM challenge-response traffic, not necessarily perform privilege escalation.
B. Replay the captured traffic to the server to recreate the session. - This is correct because it is possible to replay the captured traffic to the server to recreate the session.
C. Use John the Ripper to crack the password. - This is incorrect because John the Ripper is a tool used to crack passwords, not to replay the captured traffic.
D. Utilize a pass-the-hash attack. - This is incorrect because a pass-the-hash attack relies on a stolen password hash, not NTLM challenge-response traffic.
This is tricky. I want to go with B after reading this. The packet capture should not have the hash, but we could replay the session, get access to the server and then get the hashes locally. https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0
The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.
This is wrong, you cannot get to the hashes on the server. You do capture the session with Wireshark and can recreate the session. Then grab any hashes once you have a foothold.
Yes, a pass-the-hash attack is possible after capturing NTLM challenge-response traffic between a client and a server. The NTLM protocol is used for authentication in a Windows network environment, and the challenge-response traffic exchanged between the client and server contains the NTLM hash of the user's password. This hash can be captured and used in a pass-the-hash attack to authenticate to the server and gain access without the need for the actual password.
In a pass-the-hash attack, the attacker uses the captured NTLM hash of the user's password to impersonate the user and authenticate to the server. This allows the attacker to gain access to the server and potentially sensitive information or resources without having to crack the password.
It's important to note that NTLM is considered a less secure authentication protocol compared to newer protocols such as Kerberos, and it is recommended to use stronger authentication mechanisms to secure systems and networks.
The NTLM hashes can be extracted from the captured traffic (pcap) using Wireshark.
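The thread disagrees about what the capture actually contains and whether it can be replayed. The following is an added example (not from the page or any of the posters) that models the NTLMv2 challenge-response computation as described in MS-NLMP section 3.3.2 from both the client's and the server's side, so the two claims can be checked: the response is an HMAC over the server's challenge, so a recorded response fails against the fresh challenge a new connection receives, and neither the NT hash nor the derived NTOWFv2 key appears on the wire (only a challenge-bound proof that an offline cracker would have to attack). The NT hash, user, domain, challenges, timestamp and target info are all constructed values.

```python
import hmac
import hashlib
import struct

# Constructed inputs for the demonstration; nothing here comes from a real network.
# The NT hash is normally MD4(UTF-16LE(password)); a fixed 16-byte constant is used
# so the example runs without MD4 support. Note the client never needs the password
# itself, only this hash, which is what makes a stolen hash "password equivalent".
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "CORP"

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain in UTF-16LE."""
    data = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()

def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The NTLMv2 client 'temp' structure: version, timestamp, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob, which is what the AUTHENTICATE message carries."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def server_verify(nt_hash, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored hash and the challenge it issued."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo():
    """Returns (original session verifies, replay against fresh challenge verifies, hash on wire)."""
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16le") + b"\x00" * 4  # NbDomainName + EOL
    blob = build_blob(0x01D9000000000000, bytes.fromhex("0a0b0c0d0e0f1011"), target_info)
    challenge_1 = bytes.fromhex("1122334455667788")   # challenge the server sent in the recorded session
    captured = ntlmv2_response(NT_HASH, USER, DOMAIN, challenge_1, blob)
    original_ok = server_verify(NT_HASH, USER, DOMAIN, challenge_1, captured)
    challenge_2 = bytes.fromhex("8877665544332211")   # the server picks a new challenge next time
    replay_ok = server_verify(NT_HASH, USER, DOMAIN, challenge_2, captured)
    hash_on_wire = NT_HASH in captured or ntowf_v2(NT_HASH, USER, DOMAIN) in captured
    return original_ok, replay_ok, hash_on_wire
```

Run `demo()` and it returns `(True, False, False)`: the recorded response is accepted only for the challenge it was computed against, and the hash is not present in the captured bytes. Defensively, this is also why NTLMv1 disablement, SMB signing and NTLM auditing matter more than worrying about replay of a single capture.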