- Home
- ECCouncil
- Certified Ethical Hacker Exam (CEHv13)
- ECCouncil.312-50v13.v2025-05-19.q235
- Question 67
Valid 312-50v13 Dumps shared by ExamDiscuss.com for Helping Passing 312-50v13 Exam! ExamDiscuss.com now offer the newest 312-50v13 exam dumps, the ExamDiscuss.com 312-50v13 exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com 312-50v13 dumps with Test Engine here:
Access 312-50v13 Dumps Premium Version
(569 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 67/235
A network security analyst, while conducting penetration testing, is aiming to identify a service account password using the Kerberos authentication protocol. They have a valid user authentication ticket (TGT) and decided to carry out a Kerberoasting attack. In the scenario described, which of the following steps should the analyst take next?
Correct Answer: D
A Kerberoasting attack is a technique that exploits the weak encryption of Kerberos service tickets to obtain the password hashes of service accounts that have a Service Principal Name (SPN) associated with them. The attacker can then crack the hashes offline and use the plaintext passwords to impersonate the service accounts and access network resources.
A Kerberoasting attack follows these steps1:
* The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user.
* The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts.
* The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords. Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2.
* Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to.
Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account.
References:
* How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX
* PRINCE: PRobability INfinite Chained Elements
A Kerberoasting attack follows these steps1:
* The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user.
* The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts.
* The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords. Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2.
* Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to.
Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account.
References:
* How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX
* PRINCE: PRobability INfinite Chained Elements
- Question List (235q)
- Question 1: How does a denial-of-service attack work?...
- Question 2: Bob, an attacker, has managed to access a target loT device....
- Question 3: You have compromised a server on a network and successfully ...
- Question 4: John, a professional hacker, decided to use DNS to perform d...
- Question 5: A penetration tester was assigned to scan a large network ra...
- Question 6: Sam is a penetration tester hired by Inception Tech, a secur...
- Question 7: Judy created a forum, one day. she discovers that a user is ...
- Question 8: Which of the following tools is used to analyze the files pr...
- Question 9: Bill has been hired as a penetration tester and cyber securi...
- Question 10: George, an employee of an organization, is attempting to acc...
- Question 11: Which rootkit is characterized by its function of adding cod...
- Question 12: Bob, a system administrator at TPNQM SA, concluded one day t...
- Question 13: Which type of security feature stops vehicles from crashing ...
- Question 14: Calvin, a software developer, uses a feature that helps him ...
- Question 15: You are a cybersecurity specialist at CloudTech Inc., a comp...
- Question 16: Clark, a professional hacker, attempted to perform a Btlejac...
- Question 17: Which Nmap switch helps evade IDS or firewalls?...
- Question 18: _________ is a type of phishing that targets high-profile ex...
- Question 19: Elante company has recently hired James as a penetration tes...
- Question 20: Sophia is a shopping enthusiast who spends significant time ...
- Question 21: Which of the following is a low-tech way of gaining unauthor...
- Question 22: An attacker changes the profile information of a particular ...
- Question 23: During the process of encryption and decryption, what keys a...
- Question 24: John is an incident handler at a financial institution. His ...
- Question 25: "........is an attack type for a rogue Wi-Fi access point th...
- Question 26: Upon establishing his new startup, Tom hired a cloud service...
- Question 27: What would be the fastest way to perform content enumeration...
- Question 28: A cyber attacker has initiated a series of activities agains...
- Question 29: Jack, a professional hacker, targets an organization and per...
- Question 30: As a budding cybersecurity enthusiast, you have set up a sma...
- Question 31: You have successfully logged on a Linux system. You want to ...
- Question 32: What is the least important information when you analyze a p...
- Question 33: Which of the following tools can be used for passive OS fing...
- Question 34: What is the following command used for? net use \targetipc$ ...
- Question 35: Peter, a system administrator working at a reputed IT firm, ...
- Question 36: What type of analysis is performed when an attacker has part...
- Question 37: Session splicing is an IDS evasion technique in which an att...
- Question 38: Which of the following viruses tries to hide from anti-virus...
- Question 39: Samuel a security administrator, is assessing the configurat...
- Question 40: Bob, your senior colleague, has sent you a mail regarding a ...
- Question 41: Elliot is in the process of exploiting a web application tha...
- Question 42: Which iOS jailbreaking technique patches the kernel during t...
- Question 43: By using a smart card and pin, you are using a two-factor au...
- Question 44: Given the complexities of an organization's network infrastr...
- Question 45: An attacker identified that a user and an access point are b...
- Question 46: An ethical hacker has been tasked with assessing the securit...
- Question 47: which type of virus can change its own code and then cipher ...
- Question 48: Jake, a network security specialist, is trying to prevent ne...
- Question 49: What port number is used by LDAP protocol?...
- Question 50: What is the main security service a cryptographic hash provi...
- Question 51: An ethical hacker is scanning a target network. They initiat...
- Question 52: A company's security policy states that all Web browsers mus...
- Question 53: Study the following log extract and identify the attack. (Ex...
- Question 54: Which definition among those given below best describes a co...
- Question 55: An attacker runs netcat tool to transfer a secret file betwe...
- Question 56: An attacker scans a host with the below command. Which three...
- Question 57: Sarah, a system administrator, was alerted of potential mali...
- Question 58: An attacker can employ many methods to perform social engine...
- Question 59: Dorian Is sending a digitally signed email to Polly, with wh...
- Question 60: You are trying to break into a highly classified top-secret ...
- Question 61: As part of a college project, you have set up a web server f...
- Question 62: In an intricate web application architecture using an Oracle...
- Question 63: Attacker Lauren has gained the credentials of an organizatio...
- Question 64: Robin, a professional hacker, targeted an organization's net...
- Question 65: How can you determine if an LM hash you extracted contains a...
- Question 66: Based on the following extract from the log of a compromised...
- Question 67: A network security analyst, while conducting penetration tes...
- Question 68: Your organization has signed an agreement with a web hosting...
- Question 69: Insecure direct object reference is a type of vulnerability ...
- Question 70: Identify the UDP port that Network Time Protocol (NTP) uses ...
- Question 71: Jim, a professional hacker, targeted an organization that is...
- Question 72: Why containers are less secure that virtual machines?...
- Question 73: Being a Certified Ethical Hacker (CEH), a company has brough...
- Question 74: Jude, a pen tester working in Keiltech Ltd., performs sophis...
- Question 75: Which of the following Bluetooth hacking techniques does an ...
- Question 76: Yancey is a network security administrator for a large elect...
- Question 77: ping-* 6 192.168.0.101 Output: Pinging 192.168.0.101 with 32...
- Question 78: If a token and 4-digit personal identification number (PIN) ...
- Question 79: This form of encryption algorithm is asymmetric key block ci...
- Question 80: Mary found a high vulnerability during a vulnerability scan ...
- Question 81: As a cybersecurity analyst for SecureNet, you are performing...
- Question 82: Emily, an extrovert obsessed with social media, posts a larg...
- Question 83: Leverox Solutions hired Arnold, a security professional, for...
- Question 84: An incident investigator asks to receive a copy of the event...
- Question 85: Security administrator John Smith has noticed abnormal amoun...
- Question 86: Peter, a Network Administrator, has come to you looking for ...
- Question 87: John is investigating web-application firewall logs and obse...
- Question 88: A penetration tester is performing the footprinting process ...
- Question 89: During an attempt to perform an SQL injection attack, a cert...
- Question 90: How can rainbow tables be defeated?...
- Question 91: To hide the file on a Linux system, you have to start the fi...
- Question 92: #!/usr/bin/python import socket buffer=[""A""] counter=50 wh...
- Question 93: Why should the security analyst disable/remove unnecessary I...
- Question 94: When a normal TCP connection starts, a destination host rece...
- Question 95: A security analyst uses Zenmap to perform an ICMP timestamp ...
- Question 96: What is a "Collision attack" in cryptography?...
- Question 97: Bob is going to perform an active session hijack against Bro...
- Question 98: Email is transmitted across the Internet using the Simple Ma...
- Question 99: A skilled ethical hacker was assigned to perform a thorough ...
- Question 100: The company ABC recently contracts a new accountant. The acc...
- Question 101: You are the lead cybersecurity analyst at a multinational co...
- Question 102: You are tasked to configure the DHCP server to lease the las...
- Question 103: A group of hackers were roaming around a bank office buildin...
- Question 104: You are the Network Admin, and you get a complaint that some...
- Question 105: Which of the following statements about a zone transfer is c...
- Question 106: During a penetration testing assignment, a Certified Ethical...
- Question 107: Null sessions are un-authenticated connections (not using a ...
- Question 108: Thomas, a cloud security professional, is performing securit...
- Question 109: The Heartbleed bug was discovered in 2014 and is widely refe...
- Question 110: An ethical hacker is testing the security of a website's dat...
- Question 111: Study the snort rule given below: (Exhibit) From the options...
- Question 112: This kind of password cracking method uses word lists in com...
- Question 113: Clark is a professional hacker. He created and configured mu...
- Question 114: Nedved is an IT Security Manager of a bank in his country. O...
- Question 115: Ricardo has discovered the username for an application in hi...
- Question 116: (Exhibit) Identify the correct terminology that defines the ...
- Question 117: As a security analyst for Sky Secure Inc., you are working w...
- Question 118: You need to deploy a new web-based software package for your...
- Question 119: What hacking attack is challenge/response authentication use...
- Question 120: Bobby, an attacker, targeted a user and decided to hijack an...
- Question 121: In the process of implementing a network vulnerability asses...
- Question 122: During a reconnaissance mission, an ethical hacker uses Malt...
- Question 123: A Certified Ethical Hacker (CEH) is given the task to perfor...
- Question 124: While performing a security audit of a web application, an e...
- Question 125: An Intrusion Detection System (IDS) has alerted the network ...
- Question 126: Bill is a network administrator. He wants to eliminate unenc...
- Question 127: Your company, SecureTech Inc., is planning to transmit some ...
- Question 128: Which of the following tactics uses malicious code to redire...
- Question 129: Jane is working as a security professional at CyberSol Inc. ...
- Question 130: Which of the following is the BEST way to defend against net...
- Question 131: which of the following information security controls creates...
- Question 132: You are an ethical hacker contracted to conduct a security a...
- Question 133: What is the first step for a hacker conducting a DNS cache p...
- Question 134: An attacker with access to the inside network of a small com...
- Question 135: What does the -oX flag do in an Nmap scan?...
- Question 136: The "Gray-box testing" methodology enforces what kind of res...
- Question 137: Bob is doing a password assessment for one of his clients. B...
- Question 138: What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht...
- Question 139: What piece of hardware on a computer's motherboard generates...
- Question 140: Don, a student, came across a gaming app in a third-party ap...
- Question 141: Kevin, an encryption specialist, implemented a technique tha...
- Question 142: A cybersecurity analyst in an organization is using the Comm...
- Question 143: Robert, a professional hacker, is attempting to execute a fa...
- Question 144: Tess King is using the nslookup command to craft queries to ...
- Question 145: Mason, a professional hacker, targets an organization and sp...
- Question 146: Tony is a penetration tester tasked with performing a penetr...
- Question 147: What ports should be blocked on the firewall to prevent NetB...
- Question 148: There are multiple cloud deployment options depending on how...
- Question 149: When considering how an attacker may exploit a web server, w...
- Question 150: An audacious attacker is targeting a web server you oversee....
- Question 151: Allen, a professional pen tester, was hired by xpertTech sol...
- Question 152: An unauthorized individual enters a building following an em...
- Question 153: The change of a hard drive failure is once every three years...
- Question 154: During the enumeration phase. Lawrence performs banner grabb...
- Question 155: A newly joined employee. Janet, has been allocated an existi...
- Question 156: Which of the following is a component of a risk assessment?...
- Question 157: Mr. Omkar performed tool-based vulnerability assessment and ...
- Question 158: Johnson, an attacker, performed online research for the cont...
- Question 159: You are a Network Security Officer. You have two machines. T...
- Question 160: Gavin owns a white-hat firm and is performing a website secu...
- Question 161: Calvin, a grey-hat hacker, targets a web application that ha...
- Question 162: Firewalk has just completed the second phase (the scanning p...
- Question 163: This TCP flag instructs the sending system to transmit all b...
- Question 164: James is working as an ethical hacker at Technix Solutions. ...
- Question 165: You are performing a penetration test for a client and have ...
- Question 166: Which of the following Google advanced search operators help...
- Question 167: Which of the following antennas is commonly used in communic...
- Question 168: What is the proper response for a NULL scan if the port is c...
- Question 169: In a large organization, a network security analyst discover...
- Question 170: Which of the following tools can be used to perform a zone t...
- Question 171: Suppose your company has just passed a security risk assessm...
- Question 172: Lewis, a professional hacker, targeted the loT cameras and d...
- Question 173: Daniel Is a professional hacker who Is attempting to perform...
- Question 174: A large company intends to use Blackberry for corporate mobi...
- Question 175: Fingerprinting an Operating System helps a cracker because:...
- Question 176: These hackers have limited or no training and know how to us...
- Question 177: Sam is working as a system administrator In an organization....
- Question 178: A penetration tester is conducting an assessment of a web ap...
- Question 179: The configuration allows a wired or wireless network interfa...
- Question 180: Which of the following is considered an exploit framework an...
- Question 181: Which utility will tell you in real time which ports are lis...
- Question 182: You are using a public Wi-Fi network inside a coffee shop. B...
- Question 183: One of your team members has asked you to analyze the follow...
- Question 184: Your company suspects a potential security breach and has hi...
- Question 185: What is the purpose of a demilitarized zone on a network?...
- Question 186: Bob, a network administrator at BigUniversity, realized that...
- Question 187: Bob wants to ensure that Alice can check whether his message...
- Question 188: John, a disgruntled ex-employee of an organization, contacte...
- Question 189: Ralph, a professional hacker, targeted Jane, who had recentl...
- Question 190: Which access control mechanism allows for multiple systems t...
- Question 191: Under what conditions does a secondary name server request a...
- Question 192: Which file is a rich target to discover the structure of a w...
- Question 193: As an IT Security Analyst, you've been asked to review the s...
- Question 194: Websites and web portals that provide web services commonly ...
- Question 195: What is one of the advantages of using both symmetric and as...
- Question 196: what firewall evasion scanning technique make use of a zombi...
- Question 197: An ethical hacker is testing a web application of a financia...
- Question 198: OpenSSL on Linux servers includes a command line tool for te...
- Question 199: Your company was hired by a small healthcare provider to per...
- Question 200: You are analysing traffic on the network with Wireshark. You...
- Question 201: During an Xmas scan what indicates a port is closed?...
- Question 202: Clark, a professional hacker, was hired by an organization l...
- Question 203: Ben purchased a new smartphone and received some updates on ...
- Question 204: Which of the following programs is usually targeted at Micro...
- Question 205: This is an attack that takes advantage of a web site vulnera...
- Question 206: A penetration tester is performing an enumeration on a clien...
- Question 207: Which of the following Linux commands will resolve a domain ...
- Question 208: You are an ethical hacker tasked with conducting an enumerat...
- Question 209: Ron, a security professional, was pen testing web applicatio...
- Question 210: This wireless security protocol allows 192-bit minimum-stren...
- Question 211: Attacker Simon targeted the communication network of an orga...
- Question 212: Alice needs to send a confidential document to her coworker....
- Question 213: A "Server-Side Includes" attack refers to the exploitation o...
- Question 214: You are tasked to configure the DHCP server to lease the las...
- Question 215: To invisibly maintain access to a machine, an attacker utili...
- Question 216: Based on the below log, which of the following sentences are...
- Question 217: env x='(){ :;};echo exploit' bash -c 'cat/etc/passwd' What i...
- Question 218: What is the way to decide how a packet will move from an unt...
- Question 219: Why is a penetration test considered to be more thorough tha...
- Question 220: Dayn, an attacker, wanted to detect if any honeypots are ins...
- Question 221: User A is writing a sensitive email message to user B outsid...
- Question 222: In order to tailor your tests during a web-application scan,...
- Question 223: Alice, a professional hacker, targeted an organization's clo...
- Question 224: Tremp is an IT Security Manager, and he is planning to deplo...
- Question 225: John, a security analyst working for an organization, found ...
- Question 226: Wilson, a professional hacker, targets an organization for f...
- Question 227: Bob is acknowledged as a hacker of repute and is popular amo...
- Question 228: You have successfully comprised a server having an IP addres...
- Question 229: By performing a penetration test, you gained access under a ...
- Question 230: An IT security team is conducting an internal review of secu...
- Question 231: DHCP snooping is a great solution to prevent rogue DHCP serv...
- Question 232: Jack, a disgruntled ex-employee of Incalsol Ltd., decided to...
- Question 233: You have retrieved the raw hash values from a Windows 2000 D...
- Question 234: Larry, a security professional in an organization, has notic...
- Question 235: Which of the following is a command line packet analyzer sim...
