
Cyber Quiz Day 26


Question 1

In a flat Windows subnet, a user types \\fileserver01 and DNS fails. Your Kali box is running responder -I eth0 -wdv. What happens next in an LLMNR poisoning scenario?

  • Client retries DNS until timeout; no traffic hits your box

  • Client sends a unicast NBNS query to the DC only

  • Client multicasts LLMNR; attacker spoofs the reply and captures NTLMv2 hash

  • Client falls back to Kerberos and no hashes are exposed

Question 2

In an LLMNR-poisoning lab, a victim browses \\10.0.2.7 and your Kali box runs:

responder -I eth0 -wdv

You capture an NTLMv2 hash. Which follow-up is most aligned with the attack chain described?

  • Crack with hashcat -m 5600 using a wordlist

  • Replay the hash directly to RDP on any host

  • Convert the hash to Kerberos and use pass-the-ticket

  • Use -m 0 in hashcat because it’s “MD5 equivalent”

Question 3

You ran Nmap:

nmap --script=smb2-security-mode.nse -p445 10.0.2.0/24

One host shows “SMB signing required”; another shows “signing not required.” For SMB relay with ntlmrelayx.py, which target is viable and why?

  • The “required” host, because relays need signing

  • The “not required” host, because relays succeed when signing is optional

  • Either host; signing is irrelevant to relays

  • Neither; relays only work over RDP, not SMB

Question 4

In an SMB relay operation, you ran:

  • responder -I eth0 -wdv

  • Edited Responder.conf to set SMB=Off, HTTP=Off

  • Launched ntlmrelayx.py -tf targets.txt -smb2support

What is the main reason to disable SMB/HTTP in Responder here?

  • To allow Responder to serve WPAD PAC files faster

  • To avoid conflicting with DNS over HTTPS

  • To stop Responder from terminating the NTLM handshake, letting ntlmrelayx relay it onward

  • To force downgrade to NTLMv1 for easier cracking

Question 5

In your IPv6 AD attack, the line

sudo mitm6 -d GFG.local

is launched before running ntlmrelayx.py -6 …. What’s the exact role of mitm6 in this chain?

  • It cracks NTLM hashes passively

  • It runs a rogue IPv6 DHCP/DNS to hijack name resolution

  • It upgrades NTLM to Kerberos for ticket reuse

  • It disables WPAD to avoid proxy loops

Question 6

You configure Responder for SMB relay by turning SMB/HTTP off in Responder.conf. Why does this improve your chance of a successful relay?

  • It prevents Responder from answering, forcing clients to use DNS

  • It avoids Responder terminating the auth flow; hashes are forwarded untouched to targets by ntlmrelayx

  • It enables WPAD pinning in browsers

  • It converts NTLM to NTLMSSP for LDAP only


Question 7

Your nmap --script=smb2-security-mode.nse -p445 10.0.2.0/24 scan shows:

Server A: “message signing required”
Workstation B: “message signing not required”

Where is SMB relay still viable and why?

  • Nowhere; signing presence on any host blocks the whole relay

  • Server A only, because servers accept all relays

  • Both; signing doesn’t affect relays

  • Workstation B, because signing not required allows relaying to succeed

Question 8

An IPv4-only AD shop “doesn’t use IPv6,” yet you gain domain insights with mitm6 + ntlmrelayx. What explains this?

  • Kerberized fallback permits IPv6 regardless of config

  • Only Exchange enables IPv6 by default

  • Windows enables and trusts IPv6 mechanisms by default, even when the org thinks it’s IPv4-only

  • IPv6 is disabled by default on Windows 10

Question 9

You run:

sudo mitm6 -d GFG.local
ntlmrelayx.py -6 -t ldap://10.0.2.15 -wh fwpad.gfg.local -l lootme

What’s the best description of the attack flow?

  • mitm6 cracks NTLM hashes before relaying them to LDAP

  • mitm6 spoofs IPv6 DNS/DHCP, clients authenticate to attacker-controlled hostnames, ntlmrelayx relays NTLM to LDAP/AD services

  • ntlmrelayx serves PXE images over IPv6 for persistence

  • mitm6 disables DNSSEC, forcing LLMNR

Question 10

Which combined defense set most directly weakens all three attacks (LLMNR poisoning, SMB relay, IPv6 MITM)?

  • Enforce HSTS, disable TLS1.0, rotate service accounts monthly

  • Disable LLMNR/NBT-NS, require SMB signing, enforce LDAP signing + channel binding, control/limit IPv6 (DHCPv6/RA/WPAD), and harden privileged accounts

  • Replace NTLM with SSL certificates only

  • Use longer DNS TTLs and block port 53 egress
