nerdexam
GIAC

GCIH · Question #675

What is the outcome of the command below? hashcat -m 3000 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?u?d?s --increment ?1?1?1?1?1?1

The correct answer is B. Crack six digit LANMAN passwords. This hashcat command performs an incremental brute-force mask attack against LANMAN hashes, targeting passwords up to six characters using uppercase letters, digits, and special characters.

Vulnerability Exploitation & Privilege Escalation

Question

What is the outcome of the command below? hashcat -m 3000 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?u?d?s --increment ?1?1?1?1?1?1

Options

  • AAdd new users from a potfile to a Windows Domain Controller
  • BCrack six digit LANMAN passwords
  • CRemove the encryption from the ntds.dat file
  • DCreate a dictionary of 3000 usernames

How the community answered

(67 responses)
  • A
    22% (15)
  • B
    64% (43)
  • C
    4% (3)
  • D
    9% (6)

Why each option

This hashcat command performs an incremental brute-force mask attack against LANMAN hashes, targeting passwords up to six characters using uppercase letters, digits, and special characters.

AAdd new users from a potfile to a Windows Domain Controller

Hashcat is an offline password cracking tool that operates on extracted hash files and has no capability to add, modify, or interact with user accounts on a Windows Domain Controller.

BCrack six digit LANMAN passwordsCorrect

The -m 3000 flag specifies LANMAN (LM) hash mode, which is the legacy Windows password algorithm that splits passwords into two 7-character chunks before hashing each separately. The -a 3 flag triggers mask attack mode, and the mask ?1?1?1?1?1?1 defines a six-character pattern using the custom charset -1 ?u?d?s (uppercase letters, digits, and special characters). The --increment flag causes hashcat to attempt all lengths from 1 through 6 characters, systematically cracking all LANMAN hashes with passwords up to six characters long.

CRemove the encryption from the ntds.dat file

Hashcat does not decrypt or remove encryption from database files - it performs offline hash cracking by comparing candidate hashes against extracted hash values already present in the target file.

DCreate a dictionary of 3000 usernames

The -m 3000 parameter specifies the hash algorithm type to attack rather than a count of usernames, and hashcat generates password candidates to recover plaintext credentials rather than building username lists.

Concept tested: Hashcat LANMAN hash cracking with mask attack

Source: https://hashcat.net/wiki/doku.php?id=hashcat

Topics

#hashcat#LANMAN hash cracking#brute force attack#mask attack

Community Discussion

No community discussion yet for this question.

Full GCIH Practice