An attacker has exfiltrated password hashes. Which type of password attack is this?

Prepare for the CompTIA Security+ SY0-601 exam.

The correct answer is pass-the-hash. This attack relies on the fact that, in certain authentication protocols, a password hash can itself be used as the credential. An attacker who obtains password hashes can authenticate as the legitimate user without needing to know the actual passwords. It is particularly effective in environments where systems do not sufficiently protect hashed passwords or guard against their reuse during authentication.

Dictionary, brute-force, and password spraying attacks try to guess the password itself or try common passwords to gain access to user accounts; they do not exploit the hashes directly. Pass-the-hash instead uses the hashes themselves for unauthorized access, which makes it a distinct and potent attack in environments with weak hash management.
