Copying password hashes and cracking them offline generates no network traffic toward the target, so signature-based IDS/IPS sensors cannot detect the activity. Once a hash is successfully cracked, the tester can log in with valid credentials in a single attempt, further avoiding alarms triggered by repeated or anomalous inputs.

B. Dictionary brute forcing sends numerous login attempts over the network, a pattern readily flagged by IDS/IPS account-lockout and anomaly rules.

C. SQL-injection strings (e.g., ‘OR 1=1) traverse the network and match common IDS/IPS signatures for injection attacks.

D. XSS requires injecting scripts into web content; even if successful, it relies on user interaction and does not directly yield account credentials, plus reflective requests are often signature-detected.

1. NIST SP 800-115

Technical Guide to Information Security Testing

§5.5 “Password Cracking”

pp. 5-14 – 5-15: distinguishes online guessing from offline cracking and notes offline cracking “does not generate network traffic that can be detected.”

2. MIT OpenCourseWare 6.857 “Network and Computer Security

” Lecture 5 slides

p. 18: explains that once hashes are obtained

“offline cracking is invisible to IDS.”

3. OWASP Testing Guide v5

Test Password Strength (OTG-AUTHN-002)

§3.2: highlights that offline attacks avoid detection mechanisms monitoring login endpoints.