The correct answer is B because the scenario exactly describes a pass-the-hash attack. In Windows environments, NTLM authentication uses password hashes as part of the authentication process. In a pass-the-hash attack, the attacker or authorized penetration tester does not need to recover the cleartext password. Instead, they extract the NTLM hash and reuse that hash directly to authenticate to another system or service. CEH-aligned system hacking material explains that Windows stores password hash values and that an attacker can steal a hash and send it instead of cracking the password. This is different from brute force, where many password guesses are attempted until the correct password is found. It is also different from Kerberoasting, which targets Kerberos service tickets for offline cracking. “Replay attack” is a broader term, but the precise Windows/NTLM technique described here is pass-the-hash. Therefore, option B is the best answer.