nerdexam
GIAC

GCIH · Question #689

What built-in Windows tool can be used to collect Active Directory database data and the SYSTEM registry hive for off-line password cracking?

The correct answer is A. ntdsutil. ntdsutil is a built-in Windows administrative utility that can export the Active Directory database (NTDS.dit) and, combined with the SYSTEM registry hive, enables offline extraction and cracking of password hashes.

Vulnerability Exploitation & Privilege Escalation

Question

What built-in Windows tool can be used to collect Active Directory database data and the SYSTEM registry hive for off-line password cracking?

Options

  • Antdsutil
  • Bprocdump
  • Csysmon
  • Dpsinfo

How the community answered

(29 responses)
  • A
    86% (25)
  • B
    3% (1)
  • C
    3% (1)
  • D
    7% (2)

Why each option

ntdsutil is a built-in Windows administrative utility that can export the Active Directory database (NTDS.dit) and, combined with the SYSTEM registry hive, enables offline extraction and cracking of password hashes.

AntdsutilCorrect

ntdsutil is a legitimate Windows command-line tool for managing the Active Directory Domain Services database. Attackers abuse its 'ifm' (Install from Media) feature to create a snapshot of the NTDS.dit file, which stores all AD user credential hashes. When paired with the SYSTEM hive - which holds the boot key (SYSKEY) needed to decrypt those hashes - the extracted data can be fed into tools like Impacket's secretsdump or hashcat for offline cracking.

Bprocdump

procdump is a Sysinternals utility used to capture process memory dumps (such as LSASS memory for credential extraction), not to extract the Active Directory database file or registry hives.

Csysmon

Sysmon is a Windows system monitoring and logging service used by defenders for threat detection and forensics, not a tool for extracting AD credential data.

Dpsinfo

psinfo is a Sysinternals tool that retrieves general system configuration details from local or remote hosts, not Active Directory database contents or registry hives.

Concept tested: ntdsutil abuse for Active Directory credential extraction

Source: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)

Topics

#ntdsutil#Active Directory#NTDS.dit#offline password cracking

Community Discussion

No community discussion yet for this question.

Full GCIH Practice