A penetration tester has acquired a large credential dump from a dark web forum, claiming to be from a recent breach of the target company. The dump contains usernames and NTLM hashes. The tester needs to validate the dump's legitimacy with the lowest possible risk of detection before planning further actions. Which of the following is the most appropriate initial step?
Perform a low-and-slow password spraying attack using the most common passwords against the discovered usernames.
Execute a pass-the-hash attack with one of the credentials against a known company server.
Cross-reference the usernames from the dump against employee profiles on professional networking sites.
Attempt to crack a sample of the hashes offline using a common password wordlist.
The most appropriate and safest initial step is to attempt to crack a subset of the password hashes offline. This method does not interact with the target's live systems, eliminating the risk of account lockouts or detection by security monitoring tools. A successful crack of even a small percentage of hashes against a common wordlist provides strong evidence that the dump is legitimate. Password spraying and pass-the-hash are active online attacks that carry a high risk of detection and should only be performed after initial validation. Cross-referencing usernames confirms only one part of the data and does not validate the password hashes themselves.