Certified Ethical Hacker (CEH v13) — Question 290

An ethical hacker is attempting to crack NTLM hashed passwords from a Windows SAM file using a rainbow table attack. He has dumped the on-disk contents of the SAM file successfully and noticed that all LM hashes are blank. Given this scenario, which of the following would be the most likely reason for the blank LM hashes?

Answer options

• A. The SAM file has been encrypted using the SYSKEY function.
• B. The passwords exceeded 14 characters in length and therefore, the LM hashes were set to a “dummy" value.
• C. The Windows system is Vista or a later version, where LM hashes are disabled by default.
• D. The Windows system is using the Kerberos authentication protocol as the default method.

Correct answer: C

Explanation

The correct answer is C because starting from Windows Vista, LM hashes are disabled by default as a security measure, resulting in blank LM hashes. Options A and D are incorrect as they do not specifically address the reason for the absence of LM hashes, and option B is also wrong since it applies to cases where passwords exceed the character limit, but does not explain the default behavior in newer Windows versions.