Chapter 14: Quiz — Password Attacks and Authentication Bypass
Test your understanding of password attack techniques and authentication defenses. Select the best answer for each question.
Question 1. What is the fundamental difference between an online password attack and an offline password attack?
A) Online attacks use the internet; offline attacks work without internet access
B) Online attacks target live authentication services with lockout risks; offline attacks crack hashes locally with no lockout
C) Online attacks are faster; offline attacks are more thorough
D) Online attacks require credentials; offline attacks do not
Question 2. Why is bcrypt preferred over MD5 or SHA-256 for password storage?
A) bcrypt produces shorter hashes that use less storage space
B) bcrypt is a newer algorithm and therefore more secure by definition
C) bcrypt is deliberately slow and includes a configurable cost factor, making cracking computationally expensive
D) bcrypt uses AES encryption, which is considered unbreakable
Question 3. What is the purpose of a "salt" in password hashing?
A) To encrypt the hash for additional security
B) To add a random value to each password before hashing, ensuring identical passwords produce different hashes
C) To compress the password before hashing for efficiency
D) To verify the integrity of the hash after storage
Question 4. How does password spraying differ from traditional brute force?
A) Password spraying uses only dictionary words, not random characters
B) Password spraying tries many passwords against one account; brute force tries one password against many accounts
C) Password spraying tries a few passwords against many accounts with delays to avoid lockout; brute force tries many passwords against one account
D) Password spraying is faster; brute force is more reliable
Question 5. What is credential stuffing?
A) Filling credential databases with fake entries to confuse attackers
B) Using credentials leaked from one service breach to attempt login on other services
C) Padding short passwords with extra characters to meet length requirements
D) Encoding credentials for transmission over insecure networks
Question 6. A modern GPU can crack NTLM hashes at approximately 160 billion hashes per second but bcrypt (cost 12) at only about 183,000 hashes per second. What does this approximately 875,000x speed difference tell us?
A) NTLM uses a stronger algorithm than bcrypt
B) The hash algorithm choice is the single most important factor in password storage security
C) GPU cracking is not effective against any password hashing algorithm
D) bcrypt is too slow for production use
Question 7. What is Kerberoasting?
A) Attacking the Kerberos protocol by brute-forcing the KDC
B) Requesting Kerberos TGS tickets for service accounts and cracking them offline to recover service account passwords
C) Stealing Kerberos TGTs from domain controllers using network sniffing
D) Exploiting a vulnerability in the Kerberos authentication protocol itself
Question 8. Which tool is primarily used to capture NTLM hashes by poisoning LLMNR and NBT-NS requests on a local network?
A) Hashcat
B) John the Ripper
C) Responder
D) Hydra
Question 9. In a pass-the-hash attack, why is knowing the plaintext password unnecessary?
A) The attacker uses a rainbow table to reverse the hash instantly
B) NTLM authentication uses the hash directly in the challenge-response protocol, not the plaintext password
C) The attacker exploits a vulnerability in NTLM that bypasses password verification entirely
D) The hash is used to decrypt the password, which is then submitted normally
Question 10. What makes an NTLM relay attack different from a pass-the-hash attack?
A) NTLM relay requires cracking the hash first; pass-the-hash does not
B) NTLM relay forwards a live authentication attempt to a different target in real time; pass-the-hash uses a previously captured hash
C) NTLM relay only works against Linux systems; pass-the-hash only works against Windows
D) There is no difference; they are different names for the same technique
Question 11. Which NIST SP 800-63B recommendation represents a significant change from traditional password policies?
A) Requiring special characters in all passwords
B) Eliminating mandatory periodic password rotation and composition rules
C) Reducing minimum password length to 6 characters
D) Requiring passwords to be changed every 30 days
Question 12. What is the "MFA fatigue" or "push bombing" attack technique?
A) Overwhelming the MFA server with authentication requests until it crashes
B) Repeatedly sending MFA push notifications to a user until they accept one out of frustration
C) Using a brute force attack against the MFA token seed
D) Exploiting a timing vulnerability in TOTP token generation
Question 13. Which hash format is indicated by the prefix $6$ in a Linux /etc/shadow file?
A) MD5
B) SHA-256
C) SHA-512
D) bcrypt
Question 14. You capture an NTLMv2 hash using Responder. Can you use this hash directly for pass-the-hash authentication?
A) Yes, NTLMv2 hashes work the same as NTLM hashes for PtH
B) No, NTLMv2 is a challenge-response that must be cracked to obtain the NTLM hash for PtH
C) Yes, but only against the original authentication target
D) No, NTLMv2 hashes cannot be cracked at all
Question 15. What is the primary defense against Kerberoasting attacks?
A) Disabling Kerberos authentication in the domain
B) Using strong, random passwords (25+ characters) for service accounts or implementing Group Managed Service Accounts (gMSAs)
C) Enabling NTLM authentication as a fallback
D) Rotating service account passwords daily
Question 16. Which MFA mechanism is most resistant to real-time phishing (adversary-in-the-middle) attacks?
A) SMS-based one-time passwords
B) TOTP authenticator apps
C) FIDO2/WebAuthn hardware keys
D) Email-based verification codes
Question 17. During a MedSecure password audit, you crack 35% of domain passwords within the first hour using just the RockYou wordlist. What does this indicate?
A) The RockYou wordlist is unusually effective against healthcare organizations
B) The organization's password policy allows common, weak passwords and likely lacks breach screening
C) The encryption used by Active Directory is fundamentally flawed
D) The password hashing algorithm is bcrypt with a low cost factor
Question 18. What is the purpose of Hashcat's -r flag?
A) To resume a previously interrupted cracking session
B) To specify rule files that mutate dictionary words into common password variations
C) To set the number of retry attempts for each hash
D) To enable recursive directory scanning for hash files
Answer Key
- Q1. B — Online attacks target live authentication services (SSH, HTTP, RDP), are limited by network speed, and risk triggering account lockouts. Offline attacks crack hashes on the attacker's local hardware at billions of attempts per second with no lockout and no detection.
- Q2. C — bcrypt is a key derivation function specifically designed for password storage. Its configurable cost factor (work factor) makes it deliberately slow, with each increase doubling the computation time. This means cracking bcrypt hashes requires orders of magnitude more time than cracking fast hashes like MD5 or SHA-256.
- Q3. B — A salt is a random value added to each password before hashing. This ensures that two users with the password "password123" will have completely different hashes, defeating precomputed rainbow tables and preventing attackers from identifying users with identical passwords.
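The two properties behind answers Q2 and Q3 (and the speed gap behind Q6) can be seen in a few lines of code. The example below is added here and is not part of the original quiz. It assumes bcrypt is unavailable in the standard library and therefore stands in for it with PBKDF2-HMAC-SHA256, setting the iteration count to 2**cost so that, as with bcrypt's cost factor, each +1 doubles the work; the storage format `pbkdf2$<cost>$<salt>$<hash>` and the function names are choices made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

SALT_BYTES = 16   # 128-bit random salt per password
DK_LEN = 32       # derived-key length in bytes


def unsalted_fast_hash(password: str) -> str:
    """The weak pattern: a fast, unsalted hash. Identical passwords give identical
    output, so one precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, cost: int = 12, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<cost>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn per call unless one is supplied (the explicit
    salt parameter exists only so the benchmark below can hold it constant).
    Iterations = 2**cost, modelling bcrypt's doubling cost factor (assumption).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost, DK_LEN)
    return f"pbkdf2${cost}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored cost and salt; compare in constant time."""
    scheme, cost, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), 2 ** int(cost), DK_LEN)
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_differs(password: str) -> bool:
    """Two users with the same password get different stored values (different salts)."""
    return hash_password(password, cost=8) != hash_password(password, cost=8)


def work_ratio(cost_low: int, cost_high: int, rounds: int = 3) -> float:
    """Measure how much longer cost_high takes than cost_low; expect about 2**(high-low)."""
    def elapsed(cost: int) -> float:
        salt = b"\x00" * SALT_BYTES
        t0 = time.perf_counter()
        for _ in range(rounds):
            hash_password("benchmark", cost=cost, salt=salt)
        return time.perf_counter() - t0
    return elapsed(cost_high) / elapsed(cost_low)


if __name__ == "__main__":
    print("unsalted, two users, same password:",
          unsalted_fast_hash("password123") == unsalted_fast_hash("password123"))
    stored = hash_password("password123")
    print(stored)
    print("verify correct:", verify_password("password123", stored))
    print("verify wrong:  ", verify_password("password124", stored))
    print("salted, two users, same password differ:", same_password_differs("password123"))
    print("cost 12 vs cost 8 work ratio ~", round(work_ratio(8, 12), 1))
```

The verifier reads the cost out of the stored string, which is what lets an operator raise the cost for new hashes without breaking existing ones; the measured ratio for four cost steps should land near 16, which is the doubling the answer to Q2 describes.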
- Q4. C — Password spraying tries a small number of common passwords against many accounts, with delays between attempts to stay below lockout thresholds. Traditional brute force tries many passwords against a single account, which quickly triggers lockout. Spraying exploits the statistical certainty that some users will have common passwords.
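The distinction in Q4 (and the lockout and detection risk of online attacks from Q1) maps directly onto a detection rule: brute force shows up as many failures against one account from one source, spraying as a few failures each against many accounts from one source. The following is an added detection example, not part of the original quiz; the log format, thresholds and the sample lines are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication-failure log (not from any real system).
# Line format assumed for this example: "<ISO timestamp> FAIL user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:40 FAIL user=bob src=203.0.113.7
2024-05-01T09:01:22 FAIL user=carol src=203.0.113.7
2024-05-01T09:02:05 FAIL user=dave src=203.0.113.7
2024-05-01T09:02:50 FAIL user=erin src=203.0.113.7
2024-05-01T09:03:31 FAIL user=frank src=203.0.113.7
2024-05-01T09:00:03 FAIL user=admin src=198.51.100.9
2024-05-01T09:00:04 FAIL user=admin src=198.51.100.9
2024-05-01T09:00:05 FAIL user=admin src=198.51.100.9
2024-05-01T09:00:06 FAIL user=admin src=198.51.100.9
2024-05-01T09:00:07 FAIL user=admin src=198.51.100.9
2024-05-01T09:00:08 FAIL user=admin src=198.51.100.9
2024-05-01T09:10:00 FAIL user=grace src=192.0.2.44
2024-05-01T09:15:00 FAIL user=grace src=192.0.2.44
"""


def parse(log_text: str):
    """Yield (timestamp, user, src) for each FAIL line; skip anything malformed."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "FAIL":
            continue
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, user, src))
    return events


def classify_sources(log_text: str, window: timedelta = timedelta(minutes=10),
                     spray_users: int = 5, brute_attempts: int = 5) -> dict:
    """Return {src: 'brute_force' | 'spray' | 'normal'}.

    brute_force: >= brute_attempts failures for ONE account from a source inside the window
                 (the pattern that trips lockout).
    spray:       >= spray_users DISTINCT accounts failing from a source inside the window,
                 none of them individually reaching the lockout count.
    Thresholds are assumed values for this example; tune them to the environment.
    """
    by_src = defaultdict(list)
    for ts, user, src in parse(log_text):
        by_src[src].append((ts, user))

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        verdict = "normal"
        for i, (t0, _) in enumerate(evs):          # sliding window starting at each event
            in_window = [(t, u) for t, u in evs[i:] if t - t0 <= window]
            per_user = Counter(u for _, u in in_window)
            if max(per_user.values()) >= brute_attempts:
                verdict = "brute_force"
                break
            if len(per_user) >= spray_users:
                verdict = "spray"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Keying on the source address is enough for this sample, but a spray spread across many source addresses (or a cloud identity provider) will not exceed the per-source user count; the same logic keyed on the tenant as a whole, counting distinct accounts with exactly one or two failures in the window, catches that case.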
- Q5. B — Credential stuffing uses username/password combinations leaked from breaches on one service to attempt login on other services. It exploits the widespread practice of password reuse and can be effective against 0.5-2% of accounts, which at scale means thousands of compromised accounts.
- Q6. B — The dramatic speed difference demonstrates that hash algorithm choice determines cracking resistance more than any other factor. An 8-character password hashed with NTLM can be cracked in seconds, while the same password hashed with bcrypt (cost 12) would take years.
- Q7. B — Kerberoasting exploits the fact that any authenticated domain user can request a TGS ticket for any service account with an SPN. The ticket is encrypted with the service account's NTLM hash and can be cracked offline. No special privileges are required to request the tickets.
- Q8. C — Responder is designed to poison LLMNR, NBT-NS, and MDNS requests on local networks. When a Windows client fails to resolve a name via DNS and falls back to these protocols, Responder responds and captures the resulting NTLM authentication hashes.
- Q9. B — NTLM authentication uses a challenge-response protocol where the client proves knowledge of the password hash, not the password itself. The server sends a challenge, the client encrypts it with the NTLM hash, and the server verifies. An attacker with the hash can perform this exchange directly.
- Q10. B — NTLM relay captures a live authentication attempt and forwards it to a different target in real time, piggybacking on the victim's credentials as the authentication happens. Pass-the-hash uses a previously obtained hash to authenticate independently. Relay does not require possessing the hash beforehand.
- Q11. B — NIST SP 800-63B (2017) recommended eliminating mandatory password rotation and composition rules, recognizing that these policies lead to weaker passwords (predictable patterns like Password1!, Password2!). Instead, NIST recommends screening against breached password databases and supporting longer passphrases.
- Q12. B — MFA fatigue (push bombing) involves repeatedly triggering MFA push notifications to a target user—sometimes dozens of times, including at night—until the user approves one out of frustration or confusion. This was successfully used in the 2022 Uber breach.
- Q13. C — In Linux shadow files, $6$ indicates SHA-512 hashing. Other prefixes: $1$ = MD5, $5$ = SHA-256, $2a$/$2b$ = bcrypt, $y$ = yescrypt.
- Q14. B — NTLMv2 is a challenge-response that includes the server's challenge value, making it specific to that authentication exchange. It cannot be used for pass-the-hash. However, it can be cracked offline (Hashcat mode 5600) to recover the NTLM hash, which can then be used for PtH.
- Q15. B — The best defense against Kerberoasting is ensuring service account passwords are strong enough to resist offline cracking. Random 25+ character passwords are practically uncrackable. Group Managed Service Accounts (gMSAs) use automatically rotated 120-character passwords, making Kerberoasting irrelevant.
- Q16. C — FIDO2/WebAuthn hardware keys are bound to the legitimate website's domain through the origin parameter in the cryptographic challenge. Even if a victim visits a phishing site, the key will not authenticate because the domain does not match. SMS, TOTP, and email codes can all be relayed through a phishing proxy.
- Q17. B — Cracking 35% of passwords with a common wordlist indicates widespread use of weak, predictable passwords. The organization's password policy likely allows passwords that appear in breach databases and does not enforce sufficient complexity. Implementing breach screening and longer minimum lengths would dramatically reduce this percentage.
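Answers Q11 and Q17 both point at the same remedy: drop composition and rotation rules, enforce a longer minimum length, and screen new passwords against a breach corpus. The policy check below is an added example, not part of the original quiz. It assumes the breach corpus is available offline as a set of upper-case SHA-1 hex digests (the form in which such lists are commonly distributed; here a tiny constructed set), and the minimum length of 12 is an assumed policy value, not a figure from the page.

```python
import hashlib

# Constructed stand-in for an offline breached-password corpus (assumption: one
# upper-case SHA-1 hex digest per breached password). Use a real, current corpus
# in practice; this set exists only so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password123", "Password1!", "Password2!", "qwerty", "letmein", "welcome1"]
}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest is in the breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def evaluate_password(password: str, min_length: int = 12, max_length: int = 128) -> list:
    """Return the list of rejection reasons; an empty list means the password is accepted.

    Deliberately no composition rules (classes of characters) and no expiry: length
    and breach screening do the work. min_length=12 is an assumed policy value.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        reasons.append(f"longer than {max_length} characters")
    if is_breached(password):
        reasons.append("appears in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "password123", "correct horse battery staple"]:
        verdict = evaluate_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that "Password1!" satisfies every traditional composition rule (upper, lower, digit, symbol) and is still rejected, which is exactly the point NIST makes: the rotation pattern it comes from is in the breach corpus, so complexity rules buy nothing against a wordlist-plus-rules attack of the kind Q17 describes.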
- Q18. B — The -r flag specifies rule files that define transformations applied to dictionary words during cracking. Rules like "capitalize first letter and append a digit" transform password into Password1, Password2, etc. Hashcat includes many built-in rule files, and custom rules can target organization-specific patterns.