Chapter 43 Quiz: Network Penetration Testing¶

B — -sV probes open ports to determine service version and -sC runs default NSE scripts for enumeration

The -sV flag performs service version detection by sending probes to open ports and analyzing responses to identify the running service and version. The -sC flag is equivalent to --script=default and runs Nmap Scripting Engine (NSE) scripts in the default category, which perform safe enumeration tasks like SMB OS discovery, HTTP title extraction, and SSL certificate analysis.

B — Hosts broadcast LLMNR/NBT-NS name resolution requests when DNS fails, and an attacker on the same network segment can respond with a spoofed answer to capture authentication hashes

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used when DNS resolution fails. These protocols broadcast queries on the local network, allowing any host to respond. Responder exploits this by answering these queries with its own IP address, causing victims to send NTLMv2 authentication hashes to the attacker's machine.

B — SMB relay attacks, where captured NTLMv2 authentication can be forwarded to another host to gain unauthorized access

When SMB signing is not required, an attacker can intercept NTLMv2 authentication (e.g., via LLMNR poisoning) and relay it to another host where the victim has administrative access. Tools like ntlmrelayx (Impacket) automate this process. SMB signing ensures message integrity and prevents relay attacks by cryptographically binding authentication to the specific session.

B — PtH uses NTLM hashes to authenticate without knowing the plaintext password; PtT uses stolen Kerberos TGT or TGS tickets to access services

Pass-the-Hash exploits NTLM authentication by submitting the hash directly instead of the password. Pass-the-Ticket extracts Kerberos tickets (TGT for broader access or TGS for specific services) from memory and injects them into another session. Both techniques enable lateral movement without knowing plaintext credentials, but they target different authentication protocols.

B — It enumerates all accessible SMB shares on hosts where the provided credentials successfully authenticate

CrackMapExec (now NetExec) is a post-exploitation tool for network-wide credential validation and enumeration. The --shares flag lists all SMB shares accessible with the provided credentials on every host in the target range. This reveals sensitive shares like SYSVOL, NETLOGON, IT department shares, and misconfigured shares with excessive permissions.

B — TGS-REP — it contains a service ticket encrypted with the target service account's NTLM hash, which can be brute-forced offline

Kerberoasting exploits the fact that any authenticated domain user can request a TGS (Ticket Granting Service) ticket for any service with a registered SPN. The TGS-REP contains the service ticket encrypted with the service account's NTLM hash. Since the attacker possesses this encrypted ticket, they can attempt offline brute-force or dictionary attacks against the service account's password without generating additional network traffic or failed logon events.

B — Mimikatz using sekurlsa::logonpasswords and sekurlsa::tickets

Mimikatz is the standard tool for extracting credentials from LSASS (Local Security Authority Subsystem Service) process memory. The sekurlsa::logonpasswords module dumps NTLM hashes, plaintext passwords (when available via WDigest), and Kerberos keys. The sekurlsa::tickets module exports Kerberos TGT and TGS tickets from memory. Both require local administrator or SYSTEM privileges on the compromised host.

B — nmap -f — fragment packets into 8-byte fragments

The -f flag fragments Nmap probe packets into 8-byte IP fragments (using -f once) or 16-byte fragments (using -ff). This technique can evade packet inspection firewalls and IDS/IPS that do not reassemble fragmented packets before inspection. While modern security appliances typically handle fragmentation, this technique remains effective against legacy or misconfigured devices.

B — SMB (port 445) to copy a service binary, then the Windows Service Control Manager (SCM) to execute it using NTLM or Kerberos authentication

PsExec (both Sysinternals and Impacket versions) connects to the target's ADMIN$ share via SMB, copies a service executable, and uses the Service Control Manager API to create and start a Windows service that executes the desired command. This requires administrative credentials and SMB access (port 445). The technique generates Windows Event ID 7045 (service installation) and is a well-known indicator of lateral movement.

B — MAC address cloning of an authenticated device combined with hub-based or transparent bridge insertion between an authenticated device and the switch port

802.1X authenticates devices at the switch port level. Bypass techniques include cloning the MAC address of an already-authenticated device and inserting a transparent bridge (or hub) between the authenticated device and the switch port to piggyback on the existing authentication session. More sophisticated bypasses exploit the fact that 802.1X often authenticates only at port link-up and allows additional MAC addresses afterward.

B — Full device configuration disclosure (with read community strings) and potential configuration modification (with write community strings), all transmitted in cleartext

SNMP v1/v2c transmits community strings (effectively passwords) in cleartext and provides no encryption. Default or easily guessable community strings (public/private) allow attackers to enumerate complete device configurations, routing tables, ARP caches, interface details, and — with write access — modify device configurations. This can enable VLAN hopping, route injection, and ACL modification.

B — To perform comprehensive SMB/NetBIOS enumeration including users, groups, shares, password policies, and OS information

enum4linux is a Linux-based SMB enumeration tool that wraps smbclient, rpcclient, and net commands. The -a flag performs all enumeration checks: user listing via RID cycling, share enumeration, group membership, password policy extraction, OS identification, and workgroup/domain information. It is a standard first-step tool after discovering SMB services during internal network assessments.

B — Relay the NTLMv2 hash to another service using ntlmrelayx if SMB signing is not enforced on the target

NTLMv2 hashes captured via LLMNR/NBT-NS poisoning contain a server challenge component that makes them specific to that authentication session — they cannot be directly used in Pass-the-Hash attacks (which require NT hashes). However, in real-time relay attacks, the captured authentication can be forwarded to another service (SMB, LDAP, HTTP, MSSQL) if that service does not require signing.

B — The host is likely a domain controller, making it a high-value target for attacks such as DCSync, Kerberoasting, and credential extraction

Port 88 (Kerberos KDC) is a hallmark of Active Directory domain controllers. Identifying domain controllers early in an internal assessment is critical because they store all domain credentials (NTDS.dit), manage Group Policy, and are the target for high-impact attacks including DCSync (credential replication), Golden Ticket creation, and domain-level persistence.

B — Credential Guard isolates NTLM hashes and Kerberos tickets in a Virtualization-Based Security (VBS) protected container, preventing Mimikatz from extracting them from LSASS memory

Windows Defender Credential Guard uses hardware virtualization (VBS) to create an isolated memory region (LSAIso) where NTLM hashes and Kerberos TGT/TGS tickets are stored. Even with SYSTEM privileges, Mimikatz cannot access this isolated container. Testers must use alternative credential harvesting techniques such as keylogging, DCSync (if domain admin), or targeting systems where Credential Guard is not enabled.