312-50V11 · Question #654
Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? c:\> cmd /c type c:\winnt\repair\sam > c:\har.txt Volume in drive C has no label. Volum
The correct answer is B. SAM file. The command copies the SAM file from the repair directory to har.txt, revealing the attacker's goal of stealing Windows password hashes.
Question
Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? c:> cmd /c type c:\winnt\repair\sam > c:\har.txt Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p CONFIG.SYS 12/26/00 07:36p < DIR > exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p < DIR > InetPub 12/07/00 03:12p < DIR > Multimedia Files 12/26/00 07:10p < DIR > New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p < DIR > Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p < DIR > TEMP 02/04/01 07:05a < DIR > WINNT 12/26/00 07:09p < DIR > wiretrip 02/04/01 06:43a 0 mine.txt 15 File(s) 78,648,918 bytes 1,689,455,616 bytes free c:> type har.txt c:> copy har.txt c:\inetpub\wwwroot c:> GET har.txt HTTP/1.1 Server: Microsoft-IIS/4.0 Date: Sun, 04 Feb 2001 13:11:28 GMT Content-Type: text/plain Accept-Ranges: bytes Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT ETag: “5063fd6fab8ec01:b85” Content-Length: 5327
Options
- Ahar.txt
- BSAM file
- Cwwwroot
- DRepair file
How the community answered
(28 responses)- A4% (1)
- B82% (23)
- C11% (3)
- D4% (1)
Why each option
The command copies the SAM file from the repair directory to har.txt, revealing the attacker's goal of stealing Windows password hashes.
har.txt is merely the attacker-created output file used to exfiltrate the SAM data - it is the container, not the target.
The SAM (Security Account Manager) file stores hashed Windows user credentials. The repair directory contains a backup copy readable without locking restrictions, making it a common target. The attacker used 'cmd /c type c:\winnt\repair\sam > c:\har.txt' to redirect the SAM file contents to an accessible output file for later exfiltration.
wwwroot is an IIS web root directory and does not appear in the command or directory listing as a target.
The repair directory is only the storage location of the SAM backup, not the item of value being stolen.
Concept tested: Windows SAM file exfiltration via repair directory
Source: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/credentials-protection-and-management
Topics
Community Discussion
No community discussion yet for this question.