Which statement best captures the relationship between offline password cracking and hash exfiltration during a pentest?

Multiple Choice

Explanation:
Offline password cracking works by taking hash values that you’ve already obtained from the target environment and trying to recover the original passwords on your own hardware, without any interaction with the live system. In a pentest, hash exfiltration is the act of stealing those hashes so you can then run cracking tools locally, using dictionaries, rules, and brute force, to map hashes back to plaintext passwords. This separation—acquiring hashes first, then cracking them offline—is exactly what the statement describes.

That’s why it’s the best answer: it captures the practical flow of a typical offline cracking workflow, where you don’t contact the target system during the cracking phase. Online cracking, by contrast, would involve sending guesses to the live login interface, which is a different tactic and riskier in terms of alerts and account lockouts. As for salted hashes, they don’t render cracking impossible; they simply force the attacker to crack many independent hashes (one per salt), often making the job harder but not infeasible. Modern hashes with strong parameters do slow down cracking, but given enough time and resources, offline cracking can still succeed against many password sets.

