Which statement about sniffing the challenge/response traffic is true?


Multiple Choice

Explanation:
Sniffing challenge/response traffic tests what an attacker can do when credentials are proven rather than sent in the clear. In this setup, the server issues a random challenge and the client replies with a value derived from the password (or its hash) and that challenge. The password itself is never transmitted, but an attacker who captures the exchange can perform offline guessing against the observed response to recover the password or the underlying hash. For weaker schemes like LANMAN, the captured data can be cracked more easily, so the attacker can often recover credentials with relatively modest effort. However, turning a captured challenge/response pair into the actual password is still an offline, resource-intensive process: each guess must be hashed and then combined with the challenge before it can be compared, so it generally requires more computing power than cracking the LANMAN hash directly. So, it can work, but it typically demands more resources than a direct LANMAN crack.
