OSCP Password Attacks and Cracking 2

Question 1

What is a rainbow table attack and why is it less effective against salted hashes?

Accepted Answer

A precomputed table of hash-to-plaintext mappings; salting adds random data making each hash unique and invalidating precomputed tables

Answer

A GPU-accelerated brute-force attack; salting slows GPU computations

Answer

A dictionary attack using colorful wordlists; salting encrypts the wordlist

Answer

A network-based attack; salting hides the hash from network sniffers

Question 2

What does the Responder tool do and how is it used in OSCP for credential capture?

Accepted Answer

It poisons LLMNR/NBT-NS/mDNS broadcast queries to capture NTLMv2 hashes from network hosts

Answer

It brute-forces passwords against network services

Answer

It replays captured tickets against Kerberos services

Answer

It performs ARP spoofing to intercept cleartext credentials

Question 3

What hashcat command cracks an NTLM hash using the rockyou wordlist?

Accepted Answer

hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

Answer

hashcat -mode ntlm -list rockyou.txt hashes.txt

Answer

hashcat --ntlm -w rockyou.txt -o cracked.txt

Answer

hashcat -a 3 -m 0 hashes.txt ?a?a?a?a

Question 4

What is the purpose of adding rules (like best64.rule) when cracking passwords with hashcat?

Accepted Answer

Rules apply transformations to wordlist words (capitalize, add numbers, leet speak) to create more password candidates

Answer

Rules limit which hashes are targeted to the easiest 64 per run

Answer

Rules set the maximum thread count for GPU cracking

Answer

Rules filter out false positives from the cracking results

Question 5

What are NTLMv2 challenge-response hashes and how are they typically cracked in OSCP?

Accepted Answer

They are captured during authentication challenges (via Responder) and cracked offline with hashcat using module 5600

Answer

They are stored in the SAM database and cracked with secretsdump.py

Answer

They require a live connection to crack via pass-the-hash

Answer

They are base64-encoded and can be decoded directly

Question 6

What is the CrackMapExec (CME/NetExec) tool primarily used for in OSCP Windows environments?

Accepted Answer

Executing commands, spraying credentials, and enumerating Windows/AD environments over SMB/WinRM

Answer

Cracking captured password hashes offline

Answer

Generating custom wordlists from target information

Answer

Performing web application SQL injection attacks