nerdexam
GIAC

GCIH · Question #699

What is the goal of an attacker who has entered the commands shown in the screenshot?

The correct answer is C. Gather password and hash data for off-line cracking. The commands shown are used to extract stored password hashes from the target system for subsequent offline cracking, a standard post-exploitation credential-access technique.

Vulnerability Exploitation & Privilege Escalation

Question

What is the goal of an attacker who has entered the commands shown in the screenshot?

Exhibit

GCIH question #699 exhibit

Options

  • AEnumerate listening ports on the target machine
  • BCreate a mountable snapshot to access older versions of the filesystem
  • CGather password and hash data for off-line cracking
  • DCorrupt system backups

How the community answered

(60 responses)
  • A
    8% (5)
  • B
    17% (10)
  • C
    72% (43)
  • D
    3% (2)

Why each option

The commands shown are used to extract stored password hashes from the target system for subsequent offline cracking, a standard post-exploitation credential-access technique.

AEnumerate listening ports on the target machine

Enumerating listening ports uses commands like 'netstat -an', 'ss -tulnp', or 'nmap localhost', not commands targeting credential stores or registry hives.

BCreate a mountable snapshot to access older versions of the filesystem

Creating a mountable snapshot involves volume management commands such as 'lvcreate --snapshot' on Linux or vssadmin on Windows, which are unrelated to password hash extraction.

CGather password and hash data for off-line crackingCorrect

Attackers use commands or tools - such as accessing /etc/shadow on Linux or running 'hashdump' via Metasploit on Windows - to dump stored password hashes from the compromised system. These hashes are then taken offline and subjected to brute-force or dictionary attacks using tools like Hashcat or John the Ripper, allowing cracking without generating further noise on the target network.

DCorrupt system backups

Corrupting backups requires destructive write operations against backup files or services, not read operations against credential stores.

Concept tested: Post-exploitation OS credential dumping for offline hash cracking

Source: https://attack.mitre.org/techniques/T1003/

Topics

#credential dumping#hash extraction#offline cracking#password harvesting

Community Discussion

No community discussion yet for this question.

Full GCIH Practice