nerdexam
EC-Council

312-50V11 · Question #654

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? c:\> cmd /c type c:\winnt\repair\sam > c:\har.txt Volume in drive C has no label. Volum

The correct answer is B. SAM file. The command copies the SAM file from the repair directory to har.txt, revealing the attacker's goal of stealing Windows password hashes.

System Hacking

Question

Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? c:> cmd /c type c:\winnt\repair\sam > c:\har.txt Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p CONFIG.SYS 12/26/00 07:36p < DIR > exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p < DIR > InetPub 12/07/00 03:12p < DIR > Multimedia Files 12/26/00 07:10p < DIR > New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p < DIR > Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p < DIR > TEMP 02/04/01 07:05a < DIR > WINNT 12/26/00 07:09p < DIR > wiretrip 02/04/01 06:43a 0 mine.txt 15 File(s) 78,648,918 bytes 1,689,455,616 bytes free c:> type har.txt c:> copy har.txt c:\inetpub\wwwroot c:> GET har.txt HTTP/1.1 Server: Microsoft-IIS/4.0 Date: Sun, 04 Feb 2001 13:11:28 GMT Content-Type: text/plain Accept-Ranges: bytes Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT ETag: “5063fd6fab8ec01:b85” Content-Length: 5327

Options

  • Ahar.txt
  • BSAM file
  • Cwwwroot
  • DRepair file

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    82% (23)
  • C
    11% (3)
  • D
    4% (1)

Why each option

The command copies the SAM file from the repair directory to har.txt, revealing the attacker's goal of stealing Windows password hashes.

Ahar.txt

har.txt is merely the attacker-created output file used to exfiltrate the SAM data - it is the container, not the target.

BSAM fileCorrect

The SAM (Security Account Manager) file stores hashed Windows user credentials. The repair directory contains a backup copy readable without locking restrictions, making it a common target. The attacker used 'cmd /c type c:\winnt\repair\sam > c:\har.txt' to redirect the SAM file contents to an accessible output file for later exfiltration.

Cwwwroot

wwwroot is an IIS web root directory and does not appear in the command or directory listing as a target.

DRepair file

The repair directory is only the storage location of the SAM backup, not the item of value being stolen.

Concept tested: Windows SAM file exfiltration via repair directory

Source: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management

Topics

#SAM file#password hashes#credential theft#Windows passwords

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice