GCIH · Question #112
Adam works as a Security Administrator for the Umbrella Inc. A project has been assigned to him to strengthen the security policies of the company, including its password policies. However, due to som
The correct answer is A. Dumps the SAM password hashes to pwd.txt. The command (such as pwdump or a similar SAM extraction utility) extracts NTLM password hashes stored in the Windows SAM database and writes them to a file.
Question
Adam works as a Security Administrator for the Umbrella Inc. A project has been assigned to him to strengthen the security policies of the company, including its password policies. However, due to some old applications, Adam is only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He informed the employees of the company, that the new password policy requires that everyone must have complex passwords with at least 14 characters. Adam wants to ensure that everyone is using complex passwords that meet the new security policy requirements. He logged on to one of the network's domain controllers and runs the following command:
Which of the following actions will this command take?
Exhibit
Options
- ADumps the SAM password hashes to pwd.txt
- BDumps the SAM password file to pwd.txt
- CDumps the Active Directory password hashes to pwd.txt
- DThe password history file is transferred to pwd.txt
How the community answered
(26 responses)- A73% (19)
- B12% (3)
- C4% (1)
- D12% (3)
Why each option
The command (such as pwdump or a similar SAM extraction utility) extracts NTLM password hashes stored in the Windows SAM database and writes them to a file.
The Windows SAM (Security Account Manager) database stores local user credentials as NTLM or LM hashes, not plaintext passwords. Tools like pwdump extract these hashes from the SAM database or its in-memory representation held by the LSASS process and redirect the output to a file such as pwd.txt for subsequent offline cracking.
The SAM is a registry hive structure, not a flat file that can be directly copied; the command extracts hashes from it rather than dumping the raw file itself.
Active Directory password hashes are stored in NTDS.dit on domain controllers and require separate tools such as ntdsutil or secretsdump to extract; the SAM database holds only local account hashes.
Password history is a policy-enforced attribute tracked within the SAM or AD database, not a standalone transferable file, and hash-dumping tools target credential hashes rather than history records.
Concept tested: Extracting Windows SAM password hashes with pwdump
Source: https://attack.mitre.org/techniques/T1003/002/
Topics
Community Discussion
No community discussion yet for this question.
