  1.  Examine the following password hashes obtained from a Windows XP machine using LM hashing:
B757BF5C0D87772FAAD3B435B51404EE
BA810DBA98995F1817306D272A9441BB
E52CAC67419A9A224A3B108F3FA6CB6D
0182BD0BD4444BF836077A718CCDF409
CEC52EB9C8E3455DC2265B23734E0DAC
Which of the following is true regarding the hashes listed?
A.  The hashes are protected using Syskey.
B.  The third hash listed is the local administrator’s password.
C.  The first hash listed is from a password of seven characters or less.
D.  The hashes can be easily decrypted by reversing the hash algorithm.
C. Windows 2000 and NT-type machines used something called LAN Manager, and then NT LAN Manager, to hash passwords. LM hashing is an older, outdated, and easily crackable method. It worked by converting all password characters to uppercase and, if necessary, appending blank spaces to reach 14 characters. Next, the password was split directly in the middle and both sides would then be hashed separately. The problem with this is that the LM hash value of seven blank characters will always be the same (AAD3B435B51404EE). This greatly simplifies your cracking efforts, because running through only seven characters is much easier than 14.
A is incorrect because Syskey is not in use here. Syskey is an older, optional utility added in Windows NT 4.0 SP3 that encrypted hashed password information in a SAM database using a 128-bit encryption key. It was meant to protect against offline password-cracking attacks; however, security problems were discovered that rendered it moot: Brute-force attacking worked even with Syskey in place.
B is incorrect because there is no way to tell from a hash which password belongs with which user.
D is incorrect because hashes cannot be reversed.
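The structural check the explanation describes, as an added example that is not from the book: an LM hash is two independent 8-byte halves, and a second half of AAD3B435B51404EE means the password was seven characters or fewer. The five hashes are the ones quoted in the question; the function and variable names are this example's own.

```python
"""Audit LM hashes for the structural weakness question 1 relies on.

Added example, not from the book. Each LM hash is two independent halves;
the half produced from a 7-character block that is entirely padding is
always AAD3B435B51404EE.
"""
import re

# LM hash of a 7-character block that is entirely padding.
EMPTY_HALF = "AAD3B435B51404EE"

# The hashes quoted in question 1.
SAMPLE_HASHES = [
    "B757BF5C0D87772FAAD3B435B51404EE",
    "BA810DBA98995F1817306D272A9441BB",
    "E52CAC67419A9A224A3B108F3FA6CB6D",
    "0182BD0BD4444BF836077A718CCDF409",
    "CEC52EB9C8E3455DC2265B23734E0DAC",
]


def lm_halves(password):
    """Return the two 7-character blocks LM hashing derives from a password.

    The password is uppercased, truncated to 14 characters and padded to 14
    (LM pads with NUL bytes; the explanation above calls them blanks), then
    split in the middle. Each block is hashed on its own, which is why the
    second block of any password of seven characters or fewer is pure padding.
    """
    padded = password.upper()[:14].ljust(14, "\x00")
    return padded[:7], padded[7:]


def classify_lm_hash(lm_hash):
    """Classify a 32-hex-digit LM hash by inspecting its second half.

    Returns "empty" (empty password, or no LM hash stored at all), "short"
    (password is 1-7 characters, so only one 7-character half needs cracking)
    or "long" (8-14 characters; the two halves still crack independently).
    """
    h = lm_hash.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", h):
        raise ValueError("not a 32-hex-digit LM hash: %r" % lm_hash)
    first, second = h[:16], h[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "empty"
    if second == EMPTY_HALF:
        return "short"
    return "long"


def audit(hashes):
    """Map each hash to its classification, so weak accounts in a dump can be
    flagged before deciding whether LM storage should be disabled outright."""
    return {h.strip().upper(): classify_lm_hash(h) for h in hashes}


if __name__ == "__main__":
    for h, verdict in audit(SAMPLE_HASHES).items():
        print(h, verdict)
```

Only the first sample hash ends in the padding constant, which is what makes answer C the right one.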
  2.  Which of the following correctly describes brute-force password attacks?
A.  Feed a list of words into a cracking program.
B.  Compare the hash values to lists of pre-hashed values for a match.
C.  Attempt all possible combinations of letters, numbers, and special characters in succession.
D.  Threaten the user with physical violence unless they reveal their password.
C. A brute-force attack uses every possible combination of letters, numbers, and special characters against an authentication effort—whether in succession or (more commonly) at random. The drawbacks to its use are substantial: It takes the longest amount of time and a tremendous amount of processing resources. However, it is your best option on complex passwords, and there is no arguing its effectiveness—given enough time every password can be cracked using brute force. It may take years to try every combination, but if you keep at it long enough, it is successful 100 percent of the time.
A is incorrect because this describes a dictionary attack. It is much easier and faster than a brute force, and uses far fewer resources. The attack works by using a list of passwords in a text file, which is then hashed by the same algorithm/process the original password was put through. The hashes are compared and, if a match is found, the password is cracked. Although this attack is supposed to (technically speaking) only use words you’d find in a dictionary, you can create your own word list to feed into the cracker. Using this method, you can crack “complex” passwords too; however, the word list you use must have the exact match in it—you can’t get it close, it must be exact. Although it may be fun for you to spend hours of your day creating your own dictionary file, it’s a lot easier to simply download one of the thousands already out on the Internet.
B is incorrect because this describes the use of rainbow tables. A rainbow table crack effort can be faster than anything else, assuming you can pull the right one to look through. Rainbow tables are created when someone, with lots of time on their hands, feeds every conceivable password in creation through a hash. The hashes are then saved to a table, to which you can compare the password hashes off your target machine. It’s simple and easy; however, keep in mind these tables are huge. Additionally, “salting” a password makes rainbow tables moot. One final note for the purists in the reading audience: The use of multi-GPU cracking systems (employing computing resources to cracking passwords that boggle the mind) may be faster than using rainbow tables. Just don’t say that on your exam!
D is incorrect because this refers to something defined by EC Council and the CEH exam as a rubber hose attack. No, I’m not making this up. And I’m not encouraging you to use this in your own pen testing—just know it for your exam.
  3.  Which password theft method is almost always successful, requires little technical knowledge, and is nearly impossible to detect?
A.  Install a hardware keylogger.
B.  Install a software keylogger.
C.  Sniff the network segment with Ettercap.
D.  Brute force using Cain and Abel.
A. Questions on hardware keyloggers will almost always reference the fact that they’re nearly impossible to detect. Unless the user notices them, or you have dedicated security staff watching for them, these are foolproof, easy to install, and great tools to use. These are usually small devices connected between the keyboard cable and the computer that simply capture all keystrokes going by. Install one day and just wait—when you pick it up it will be filled with all the access information you need.
B is incorrect because although a software keylogger does the same thing as a hardware keylogger and will provide excellent results (I’ve used one on my kids before—it’s fantastic), it’s fairly easy to spot and requires a little configuration to get things just the way you want them.
C is incorrect because sniffing a network tap with Ettercap isn’t going to provide you with anything other than an open text protocol password (FTP and so on). Sniffing isn’t guaranteed to provide anything password-wise. Yes, Ettercap is powerful, but it does require a fairly substantial amount of technical know-how to get the most out of it.
D is incorrect because a brute-force attack—with any tool—is exceedingly easy to detect. Additionally, it’s not just a point-and-shoot endeavor: You do have to have some technical ability to pull it off. Lastly, I know some of you are thinking that taking the passwords offline and pounding away at them is as quiet as you can get. Trust me, that’s not the intent of this question, and don’t let that fact trip you up.
  4.  Which of the following will extract an executable file from NTFS streaming?
A.  c:\> cat file1.txt:hidden.exe > visible.exe
B.  c:\> more file1.txt | hidden.exe > visible.exe
C.  c:\> type notepad.exe > file1.txt:hidden.exe
D.  c:\> list file1.txt$hidden.exe > visible.exe
A. This is the correct syntax. The cat command will extract the executable directly into the folder you execute the command from. NTFS file streaming allows you to hide virtually any file behind any other file, rendering it invisible to directory searches. The file can be a text file, to remind you of steps to take when you return to the target, or even an executable file you can run at your leisure later on. Alternate Data Streams (ADS) in the form of NTFS file streaming is a feature of the Windows-native NTFS file systems to ensure compatibility with Apple file systems (called HFS). Be careful on the exam—you will see ADS and NTFS file streaming used interchangeably. As an aside, the cat command isn’t available on Windows 7 machines—you’ll need a Linux emulator or something like it to pull this off on a Windows 7 system.
B is incorrect because this is not the correct syntax. There is no pipe (|) function in extracting a file, and the “more” command is used to display the contents of a text file, not extract an executable from ADS.
C is incorrect because this is not the correct syntax. This option would display the contents of a hidden text file—maybe one you’ve stowed away instructions in for use later.
D is incorrect because the syntax is not correct in any shape of the imagination. This is included as a distractor.
  5.  Which command is used to allow all privileges to the user, read-only to the group and read-only for all others to a particular file, on a Linux machine?
A.  chmod 411 file1
B.  chmod 114 file1
C.  chmod 117 file1
D.  chmod 711 file1
E.  chmod 744 file1
D. You’re going to need to know some basic Linux commands to survive this exam, and one command I can guarantee you’ll see a question on is chmod. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: read is equivalent to 4, write to 2, and execute to 1. To accumulate permissions, you add the numbers: 4 is read-only, 6 is read and write, and adding execute to the bunch means a 7.
A, B, C, and E are all incorrect syntax for what we’re trying to accomplish here: 411 equates to read-only, execute, and execute (with 114 being the reverse of that), and 117 equates to execute, execute, full permissions, with 711 being the reverse.
  6.  Examine the following passwd file:
[image: passwd file listing not reproduced]
Which of the following statements are true regarding this passwd file? (Choose all that apply.)
A.  None of the user accounts have passwords assigned.
B.  The system makes use of the shadow file.
C.  The root account password is root.
D.  The root account has a shadowed password.
E.  Files created by Alecia will initially be viewable by Jason.
B, D, and E. If there are not two to four questions on your exam regarding the Linux passwd file, I’ll eat my hat. Every exam and practice exam I’ve ever taken references this file—a lot—and it’s included here to ensure you pay attention. Fields in the passwd file, from left to right, are as follows:
•  User Name   This is what the user types in as the login name. Each of these must be unique.
•  Password   If a shadow file is being used, an x will be displayed here. If not, you’ll see the password in clear text. As an aside, setting this to an asterisk (*) is a method to deactivate an account.
•  UID   The user identifier is used by the operating system for internal purposes. It is typically incremented by 1 for each new user added.
•  GID   The group identifier identifies the primary group of the user. All files that are created by this user will normally be accessible to this group, unless a chmod command prevents it.
•  Gecos   Descriptive field for the user, generally containing contact information separated by commas.
•  Home Directory   The location of the user’s home directory.
•  Startup Program   This is the program that is started every time the user logs in. It’s usually a shell for the user to interact with the system.
A is incorrect because the x indicates a shadowed password, not the absence of one.
C is incorrect because the x indicates that root does indeed have a password, but it is shadowed. Could it actually be root? Sure, but there’s no way to tell that from this listing.
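A parser for the seven-field layout listed above, with the checks behind answers B, D, and E, as an added example that is not from the book. The passwd text is constructed for this example (the book's own listing is an image that is not reproduced here); the user names follow the question, and the function names are this example's own.

```python
"""Parse /etc/passwd records and run the checks behind question 6.

Added example, not from the book. The seven-field layout is the one listed
above; SAMPLE_PASSWD is constructed for this example.
"""
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alecia:x:1000:100:Alecia,,,:/home/alecia:/bin/bash
jason:x:1001:100:Jason,,,:/home/jason:/bin/bash
guest::1002:1002:Guest account:/home/guest:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" = shadowed, "*" = deactivated, "" = none, else a hash
    uid: int
    gid: int        # primary group; new files are group-readable by default
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each record on ":" into the seven fields; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(parts)))
        name, password, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def password_state(entry):
    """Read the second field the way the explanation above describes it."""
    if entry.password == "x":
        return "shadowed"            # the real hash lives in /etc/shadow
    if entry.password == "*" or entry.password.startswith("!"):
        return "locked"              # no hash can match, so the account is deactivated
    if entry.password == "":
        return "no password"         # login succeeds with an empty password
    return "hash in passwd"          # legacy layout: hash readable by every local user


def uses_shadow(entries):
    """Answer B: the system uses a shadow file when every active account
    carries the "x" placeholder instead of a hash."""
    active = [e for e in entries if password_state(e) not in ("locked", "no password")]
    return bool(active) and all(e.password == "x" for e in active)


def share_primary_group(entries, user_a, user_b):
    """Answer E: when two users share a primary GID, files user_a creates with
    default permissions are readable by user_b (unless chmod says otherwise)."""
    by_name = {e.name: e for e in entries}
    return by_name[user_a].gid == by_name[user_b].gid


def audit(text):
    """Summarise the password field of every account in the file."""
    return {e.name: password_state(e) for e in parse_passwd(text)}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("shadow in use:", uses_shadow(entries))
    print("alecia/jason share a group:", share_primary_group(entries, "alecia", "jason"))
    for name, state in audit(SAMPLE_PASSWD).items():
        print(name, state)
```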
  7.  You are attempting to hack a Windows machine and wish to gain a copy of the SAM file. Where can you find it? (Choose all that apply.)
A.  /etc/passwd
B.  /etc/shadow
C.  c:\windows\system32\config
D.  c:\winnt\config
E.  c:\windows\repair
C and E. From Microsoft’s definition, the Security Account Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer. The SAM file can be found in c:\windows\system32\config. If you’re having problems getting there, try pulling a copy from system restore (c:\windows\repair).
A and B are both incorrect because the /etc is a dead giveaway this is a Linux folder (note the forward slash instead of the Windows backward slash). The etc folder contains all the administration files and passwords on a Linux system. Both the password and shadow file are found here.
D is incorrect because this is not the correct location of the SAM. It’s included as a distractor.
  8.  Which of the following statements are true concerning Kerberos? (Choose all that apply.)
A.  Kerberos uses symmetric encryption.
B.  Kerberos uses asymmetric encryption.
C.  Clients ask for authentication tickets from the KDC in clear text.
D.  KDC responses to clients never include a password.
E.  Clients decrypt a TGT from the server.
A, B, C, D, and E. All answers are correct. Kerberos makes use of both symmetric and asymmetric encryption technologies to securely transmit passwords and keys across a network. The entire process is made up of a Key Distribution Center (KDC), an Authentication Service (AS), a Ticket Granting Service (TGS), and the Ticket Granting Ticket (TGT). A basic Kerberos exchange starts with a client asking the KDC, which holds the AS and TGS, for a ticket, which will be used to authenticate throughout the network. This request is in clear text. The server will respond with a secret key, which is hashed by the password copy kept on the server (passwords are never sent—only hashes and keys). This is known as the TGT. The client decrypts the message, since it knows the password, and the TGT is sent back to the server requesting a TGS service ticket. The server responds with the service ticket, and the client is allowed to log on and access network resources.
  9.  What is the difference between a dictionary attack and a hybrid attack?
A.  Dictionary attacks are based solely on word lists, whereas hybrid attacks make use of both word lists and rainbow tables.
B.  Dictionary attacks are based solely on whole word lists, whereas hybrid attacks can use a variety of letters, numbers, and special characters.
C.  Dictionary attacks use predefined word lists, whereas hybrid attacks substitute numbers and symbols within those words.
D.  Hybrid and dictionary attacks are the same.
C. A hybrid attack is a variant on a dictionary attack. In this effort, you still have a word list; however, the cracker is smart enough to replace letters and characters within those words. For example, both attacks might use a list containing the word Password. To have multiple variants on it, the dictionary attack would have to have each variant added to the list individually (P@ssword, Pa$$word, etc.). A hybrid attack would only require the word list to include ‘Password,’ as it would swap out characters and letters to find different versions of the same word.
A is incorrect because hybrid attacks don’t use rainbow tables.
B is incorrect because dictionary attacks can use all sorts of variants of a whole word; they just need to be listed separately in the list.
D is incorrect because hybrid and dictionary attacks are most definitely different.
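The defensive side of the hybrid idea, as an added example that is not from the book: because a hybrid attack reaches P@ssword and Pa$$word from the single list entry Password, a password-policy check can run the same substitutions in reverse and reject any candidate that collapses to a dictionary word. The substitution table, the tiny word list and the function names are this example's assumptions.

```python
"""Reject passwords that are hybrid-style manglings of dictionary words.

Added example, not from the book. LEET and WORD_LIST are constructed
stand-ins; a real deployment would load a full word list.
"""
import itertools

# Symbol -> letters it commonly stands in for. A value with several letters
# ("il") means the symbol is ambiguous and every reading is tried.
LEET = {
    "@": "a", "$": "s", "3": "e", "0": "o", "1": "il",
    "!": "i", "5": "s", "7": "t", "4": "a",
}

# Constructed stand-in for a real word list (assumption).
WORD_LIST = {"password", "welcome", "summer", "letmein"}

MAX_LENGTH = 64  # bound the expansion below for pathological input


def unmangle(password):
    """Return every plain-letter string the password could have been derived
    from by case changes and the substitutions in LEET."""
    choices = [LEET.get(ch, ch) for ch in password.lower()]
    # itertools.product walks the characters of each choice string, so "il"
    # contributes two readings while a plain letter contributes one.
    return {"".join(combo) for combo in itertools.product(*choices)}


def strip_appended_digits(password):
    """Hybrid rules also bolt digits onto the end (Password1, Password2017)."""
    return password.rstrip("0123456789")


def is_hybrid_of_dictionary_word(password, words=WORD_LIST):
    """True when reversing the mangling yields a word from the list."""
    if not password or len(password) > MAX_LENGTH:
        return False
    core = strip_appended_digits(password)
    if not core:
        return False
    return any(candidate in words for candidate in unmangle(core))


if __name__ == "__main__":
    for sample in ("Password", "P@ssword", "Pa$$word", "P@ssw0rd2017", "L3tme1n", "xq7!zk"):
        print(sample, "rejected" if is_hybrid_of_dictionary_word(sample) else "accepted")
```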
10.  Which of the following SIDs indicates the true administrator account?
A.  S-1-5-21-1388762127-2960977290-773940301-1100
B.  S-1-5-21-1388762127-2960977290-773940301-1101
C.  S-1-5-21-1388762127-2960977290-773940301-500
D.  S-1-5-21-1388762127-2960977290-773940301-501
C. The Security Identifier (commonly abbreviated SID) in Windows is used to identify a “security principal.” It’s unique to each account and service, and is good for the life of the principal. Everything else associated with the account is simply a property of the SID, allowing accounts to be renamed without affecting their security attributes. In a Windows system, the true administrator account always has an RID (relative identifier) of 500.
A and B are incorrect because neither 1100 nor 1101 is the RID associated with the administrator account. RID values between 1000 and 1500 indicate a standard user account.
D is incorrect because 501 is the RID for the guest account.
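A SID decoder built on the point above, as an added example that is not from the book: the RID is the last sub-authority, and because renaming an account changes a property of the SID rather than the SID itself, an account carrying RID 500 under another name is the reliable way to spot a renamed administrator. The SIDs are the ones in the question; RID 500, 501 and the 1000-and-up range are standard Windows values; the function names are this example's own.

```python
"""Decode a Windows SID and classify the account by its RID (question 10).

Added example, not from the book. RID 500 (Administrator), 501 (Guest) and
RIDs of 1000 and above (accounts created after installation) are standard
Windows values; everything else here is this example's own naming.
"""
import re

SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+)+$")

WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
}


def parse_sid(sid):
    """Split a SID string into revision, identifier authority, the
    domain/machine sub-authorities and the trailing RID."""
    if not SID_PATTERN.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = [int(p) for p in sid.split("-")[1:]]
    return {
        "revision": parts[0],
        "authority": parts[1],
        "domain": tuple(parts[2:-1]),
        "rid": parts[-1],
    }


def classify(sid):
    """Describe the account the SID refers to, using only the RID."""
    info = parse_sid(sid)
    # Only NT-authority (5) SIDs whose first sub-authority is 21 name accounts
    # in a domain or on a local machine; other SIDs give the RID other meanings.
    if info["authority"] != 5 or not info["domain"] or info["domain"][0] != 21:
        return "not a domain or machine account SID"
    rid = info["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "account or group created after installation"
    return "other well-known RID %d" % rid


def renamed_administrators(accounts):
    """Given {account name: SID}, report accounts that carry RID 500 under a
    name other than Administrator."""
    return sorted(
        name for name, sid in accounts.items()
        if classify(sid) == "built-in Administrator" and name.lower() != "administrator"
    )


if __name__ == "__main__":
    # Constructed account listing using the SIDs from the question.
    listing = {
        "svc_backup": "S-1-5-21-1388762127-2960977290-773940301-500",
        "Guest": "S-1-5-21-1388762127-2960977290-773940301-501",
        "jsmith": "S-1-5-21-1388762127-2960977290-773940301-1100",
    }
    for name, sid in listing.items():
        print(name, classify(sid))
    print("renamed administrators:", renamed_administrators(listing))
```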
11.  You have obtained a password hash and wish to quickly determine the associated plaintext password. Which of the following is the best choice?
A.  Use a rainbow table.
B.  Reverse the hash algorithm.
C.  Use User2SID.
D.  Use SID2User.
E.  Use the public key of the user.
A. As discussed earlier, rainbow tables were created specifically for this purpose. If you have a password hash offline, running it against rainbow tables is a very quick way to obtain the password that created it. As an aside (and as mentioned earlier in this chapter), multi-GPU processing can beat rainbow table cracking in the modern world. A good write-up on how and why that can happen can be found at http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html.
B is incorrect because you cannot reverse a hash. By design, they are one-way algorithms.
C is incorrect because User2SID is a program that can retrieve a SID from the SAM on a local or remote machine. It does not technically exploit anything—it just uses built-in functionality in Windows. For a remote machine, it does require a null session connection, though.
D is incorrect because SID2User is used to retrieve the names of user accounts given an associated SID.
E is incorrect because a public key has nothing to do with password cracking.
12.  You are monitoring traffic between two systems communicating over SSL. Which of the following techniques is your best bet in gaining access?
A.  Sniff the traffic with Cain and Abel.
B.  Practice active sniffing.
C.  Sidejacking.
D.  ARP poisoning.
C. Sidejacking is one of those neat little attacks you don’t hear much about. The idea is to steal the cookies exchanged between two systems and determine which one to use as a replay-style attack. The attack monitors the victim’s traffic using a sniffer and packet capture. For example, with a program called Ferret, a file called Hamster.txt is created. After the victim has logged in to a site or two, the attacker fires up the Hamster tool as a proxy, and the cookies and authentication streams from the captured .txt file will be displayed. Then, you simply click through them until one works. This can also be accomplished with other tools and methods—Ettercap and many other man-in-the-middle (MITM) tools can pull it off quite nicely.
A is incorrect because sniffing an SSL connection won’t reveal anything useful—it’s encrypted, after all. Cain and Abel does provide some substantial password SSL cracking, but sniffing traffic isn’t going to work here.
B is incorrect for the same reason—sniffing an encrypted channel just won’t work in this case.
D is incorrect because ARP poisoning isn’t used for this purpose. You could blow up traffic between the two, but you wouldn’t gain any real access.
13.  Which password would be considered the most secure?
A.  CEH123TEST
B.  CEHisaHARDTEST
C.  638154849675
D.  C3HisH@rd
D. According to EC Council and the CEH exam, D is the correct answer. On this exam, complexity trumps length no matter what. Sure, an argument can be made that a longer password is better than a shorter one (regardless of complexity and if used for a shorter amount of time), but just stick with complexity—using letters, numbers, and special characters—and you’ll be fine. However, obviously, a longer complex password is more secure than a shorter one.
A is incorrect because it only uses letters and numbers.
B is incorrect for the same reason. It is much longer than the correct answer, but there’s no complexity.
C is incorrect because it only uses numbers. It has no complexity and it’s a fairly short length.
14.  Your client makes use of Sigverif on his servers. What functionality does this tool provide?
A.  Verifies digital signatures in SSL certificates.
B.  Displays a list of unsigned drivers.
C.  Displays a list of corrupted (nonfunctioning) drivers.
D.  Verifies SAM database integrity.
B. Drivers are, obviously, very important to a system. An unsigned driver can be an indicator of manipulated files on a system, indicating a malware infection or worse. For example, in 2010 a worm by the name of STUXNET (specifically targeting SCADA systems) used unsigned drivers in its trek across the Internet. Sigverif can find unsigned drivers and verify device drivers in Windows XP. Windows 7 makes using unsigned drivers much more difficult to pull off; however, just remember that in the real world, the bad guys know not to use unsigned drivers (they are a tipoff that something is amiss).
A is incorrect because this tool has nothing to do with SSL certificates. This answer is included as a distractor.
C is incorrect because Sigverif does not necessarily display corrupted or nonfunctioning drivers. It simply verifies legitimate drivers on your system.
D is incorrect because this tool has nothing to do with the SAM on a machine. This answer is included as a distractor.
15.  Which of the following are considered offline password attacks? (Choose all that apply.)
A.  Using a hardware keylogger
B.  Brute-force cracking with Cain and Abel on a stolen SAM file
C.  Using John the Ripper on a stolen passwd file
D.  Shoulder surfing
A, B, and C. An offline password attack occurs when you take the password file (or the passwords themselves) offline for work. Common methods are stealing the SAM or passwd (shadow) files and then running dictionary, hybrid, or brute-force attacks against them (using a password-cracking tool such as Cain and Abel or John the Ripper). Keyloggers are also considered offline attacks because you examine the contents off network.
D is incorrect because shoulder surfing is considered another form of attack altogether—a non-electronic attack. No, I’m not making this up—it’s actually a term in CEH lingo, and refers to social engineering methods of obtaining a password. Shoulder surfing is basically standing behind someone and watching their keystrokes.
16.  Examine the following portion of a log file, captured during a hacking attempt:
[image: log file excerpt not reproduced]
What was the attacker attempting to do?
A.  Copy files for later examination.
B.  Cover his tracks.
C.  Change the shell to lock out other users.
D.  Upload a rootkit.
B. You’ll definitely see basic Linux commands on your test, and this is one example of how you’ll be asked about them. In this example, the rm command is used to remove (delete) files on a Linux system. Looking at what the hacker is attempting to remove, it seems logical to assume—even without seeing the rest of the log—that the hacker is covering his tracks.
A is incorrect because the command for copy in Linux is cp.
C is incorrect because the shell is not being tampered with. This answer is included as a distractor.
D is incorrect because there is no evidence in this capture that anything is being uploaded—all commands are for removal of files (using the rm command). Granted, it’s highly likely something was uploaded before this portion, but we’re not privy to that information here.
17.  You suspect a hack has occurred against your Linux machine. Which command will display all running processes for you to review?
A.  ls -d
B.  ls -l
C.  su
D.  ps -ef
E.  ifconfig
D. The ps command is used in Linux to display processes. The -e switch selects all processes, running or not, and the -f switch provides a full listing. A couple of other options you might see include -r (restrict output to running processes), -u (select by effective user ID; supports names), and -p (select by process ID).
A and B are incorrect because the ls command in Linux lists files inside a storage directory. A couple of switches of note include -d (list directory entries instead of contents), -h (print sizes in human readable format), -l (use a long listing format) and -p (file type).
C is incorrect because the su command in Linux is for “switch user.” Assuming you have permission/authentication to do so, this allows you to change the effective user ID and group ID to whatever you want.
E is incorrect because ifconfig is used to configure a network interface in Linux. It looks, and works, very much like the ipconfig command in Windows, which makes it an easy target for test question writers, so pay close attention to the OS when asked about configuring your NIC.
18.  Examine the following command output:
[image: command output not reproduced]
Which of the following are true regarding this output? (Choose all that apply.)
A.  This output is from net commands.
B.  This output is from nbtstat.
C.  This output is from netstat.
D.  This output is from nslookup.
B. Nbtstat is a built-in tool Microsoft put into their operating systems to help troubleshoot NetBIOS name resolution issues. You have loads of options and switches you can use (this one came from the -r switch, displaying the count of all NetBIOS names resolved by broadcast and by querying a WINS server). This command is usually associated with the scanning and enumeration phases, but is often used once you’ve gained access to a machine, so it is included here. Additionally, CEH official documentation mentions this in the system hacking objectives, so there we are.
A is incorrect because this is not output from the net commands. Common net commands you will see on the exam are the null session (net use \\target\ipc$ "" /u:"") and net view options (net view /domain:domainname to show all systems in the domain name provided and net view \\systemname to provide a list of open shares on the system named).
C is incorrect because this is not output from a netstat command. Netstat is another Microsoft goodie that displays active TCP connections, ports on which the computer is listening, network statistics, and the IP routing table. If you use it with no parameters defined, it will display active TCP connections.
D is incorrect because nslookup, as we covered previously, is used for DNS lookups and does not provide this type of output.
19.  Which rootkit type makes use of system-level calls to hide their existence?
A.  Application level
B.  Kernel level
C.  Library level
D.  System level
C. A rootkit is a collection of software put in place by an attacker that is designed to obscure system compromise. In other words, if a system has a properly introduced rootkit installed, neither the user nor security monitors will even know anything is wrong. Rootkits are designed to provide backdoors for the attacker to use later on, and they include measures to remove and hide evidence of any activity. A library-level rootkit will most commonly replace or alter system calls with versions that hide information so the rootkit is not visible by normal means.
A is incorrect because application-level rootkits, as the name implies, are directed toward replacing valid application files with Trojan binaries. These kits work inside an application and can use an assortment of means to change the application’s behavior, user rights level, and actions.
B is incorrect because kernel-level rootkits attack the boot sectors and kernel level of the operating systems themselves, replacing kernel code with backdoor code. These are by far the most dangerous and are difficult to detect and remove. In fact, your recommended fix action on discovery of a kernel-level rootkit is a complete wipe and reload from clean software.
D is incorrect because this is not a rootkit type and is included as a distractor. A good one, but a distractor nonetheless.
20.  Which folder in Linux holds administrative commands and daemons?
A.  /sbin
B.  /bin
C.  /dev
D.  /mnt
E.  /usr
A. The system binaries folder holds most administrative commands (/etc holds others) and is the repository for most of the routines Linux runs (known as daemons).
B is incorrect because this folder holds all sorts of basic Linux commands (a lot like the C:\Windows\System32 folder in Windows).
C is incorrect because this folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives and additional hard drives or partitions. By the way, everything in Linux is a file. Everything.
D is incorrect because this folder holds the access locations you’ve actually mounted.
E is incorrect because this folder holds most of the information, commands, and files unique to the users.
21.  What are the three commands necessary to install an application in Linux?
A.  ./install
B.  make
C.  make install
D.  ./configure
B, C, and D. Linux zealots are a funny group. Instead of enjoying the beauty of simply double-clicking an install file and watching it work on its own, they like to obtain software directly from the source code and install from there. Usually this involves three steps: configure, compile the code, and install the executable. A configure script accomplishes the first of these steps, and is what you’ll be asked for on the exam. You won’t actually be installing anything; just know the big three needs: ./configure, make and make install.
A is incorrect because ./install isn’t a part of this install process. It’s a great distractor that probably fooled at least a couple of you. However, it isn’t a correct answer.
22.  You are examining files on a Windows machine and note one file’s attributes include “h.” What does this indicate?
A.  The file is flagged for backup.
B.  The file is part of the help function.
C.  The file is fragmented due to size.
D.  The file has been quarantined by an antivirus program.
E.  The file is hidden.
E. The hidden attribute can be set on any file to hide it from standard directory searches. You can accomplish this with the attrib +h filename command line, or by right-clicking, choosing Properties, and checking the Hidden attribute check box at the bottom of the dialog.
A, B, C, and D are all incorrect definitions of the hidden attribute.
23.  You have gained access to a SAM file from an older Windows machine and are preparing to run a Syskey cracker against it. How many bits are used for Syskey encryption?
A.  128
B.  256
C.  512
D.  1024
A. Okay, so Syskey is outdated, old, and you’ll probably never see it again. However, it’s still in your exam pool, so you have to know it. I could rehash the definition, but it appears in an earlier question and you should have it memorized by now anyway. Just know it provides additional security on older Windows NT boxes and uses 128 bits for encryption.
B, C, and D are incorrect because Syskey only uses 128 bits for encryption.
24.  Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)
A.  LADS
B.  ADS Spy
C.  Sfind
D.  Snow
A, B, and C. NTFS streaming (alternate data streaming) isn’t a huge security problem, but it is something many security administrators concern themselves with. If you want to know where it’s going on, you can use any of these tools: LADS and ADS Spy are freeware tools that list all alternate data streams of an NTFS directory. ADS Spy can also remove Alternate Data Streams (ADS) from NTFS file systems. Sfind, probably the oldest one here, is a Foundstone forensic tool you can use for finding ADS.
D is incorrect because Snow is a steganography tool used to conceal messages in ASCII text by appending whitespace to the end of lines.
25.  Which authentication method uses DES for encryption and forces 14-character passwords for hash storage?
A.  NTLMv1
B.  NTLMv2
C.  LAN Manager
D.  Kerberos
C. LAN Manager is an older authentication model that burst onto the scene around the Windows 95 launch. It uses DES as an encryption standard (a 56-bit key DES, to be technical) and, as covered before, has a quirky habit of capitalizing passwords and splitting them into two seven-character halves. Believe it or not, this is still in use out there in the field.
A is incorrect because NTLMv1 (NT LAN Manager) improved upon LM methods. It stopped crazy practices such as padding passwords to 14 characters and so on, and it supported stronger encryption.
B is incorrect because NTLMv2 also did not follow the encryption methods used by LM. In addition to the improvements from version 1, NTLMv2 made use of 128-bit MD5 hashing.
D is incorrect because Kerberos is a very strong and secure authentication method that does not work like LM. Kerberos makes use of a Key Distribution Center (KDC) and grants tickets to properly authenticated clients to access resources on the network.