nerdexam
GIAC

GCIH · Question #112

Adam works as a Security Administrator for the Umbrella Inc. A project has been assigned to him to strengthen the security policies of the company, including its password policies. However, due to som

The correct answer is A. Dumps the SAM password hashes to pwd.txt. The command (such as pwdump or a similar SAM extraction utility) extracts NTLM password hashes stored in the Windows SAM database and writes them to a file.

Vulnerability Exploitation & Privilege Escalation

Question

Adam works as a Security Administrator for the Umbrella Inc. A project has been assigned to him to strengthen the security policies of the company, including its password policies. However, due to some old applications, Adam is only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He informed the employees of the company, that the new password policy requires that everyone must have complex passwords with at least 14 characters. Adam wants to ensure that everyone is using complex passwords that meet the new security policy requirements. He logged on to one of the network's domain controllers and runs the following command:

Which of the following actions will this command take?

Exhibit

GCIH question #112 exhibit

Options

  • ADumps the SAM password hashes to pwd.txt
  • BDumps the SAM password file to pwd.txt
  • CDumps the Active Directory password hashes to pwd.txt
  • DThe password history file is transferred to pwd.txt

How the community answered

(26 responses)
  • A
    73% (19)
  • B
    12% (3)
  • C
    4% (1)
  • D
    12% (3)

Why each option

The command (such as pwdump or a similar SAM extraction utility) extracts NTLM password hashes stored in the Windows SAM database and writes them to a file.

ADumps the SAM password hashes to pwd.txtCorrect

The Windows SAM (Security Account Manager) database stores local user credentials as NTLM or LM hashes, not plaintext passwords. Tools like pwdump extract these hashes from the SAM database or its in-memory representation held by the LSASS process and redirect the output to a file such as pwd.txt for subsequent offline cracking.

BDumps the SAM password file to pwd.txt

The SAM is a registry hive structure, not a flat file that can be directly copied; the command extracts hashes from it rather than dumping the raw file itself.

CDumps the Active Directory password hashes to pwd.txt

Active Directory password hashes are stored in NTDS.dit on domain controllers and require separate tools such as ntdsutil or secretsdump to extract; the SAM database holds only local account hashes.

DThe password history file is transferred to pwd.txt

Password history is a policy-enforced attribute tracked within the SAM or AD database, not a standalone transferable file, and hash-dumping tools target credential hashes rather than history records.

Concept tested: Extracting Windows SAM password hashes with pwdump

Source: https://attack.mitre.org/techniques/T1003/002/

Topics

#SAM database#password hash dumping#Active Directory#credential extraction

Community Discussion

No community discussion yet for this question.

Full GCIH Practice