GCIH · Question #699
What is the goal of an attacker who has entered the commands shown in the screenshot?
The correct answer is C. Gather password and hash data for off-line cracking. The commands shown are used to extract stored password hashes from the target system for subsequent offline cracking, a standard post-exploitation credential-access technique.
Question
What is the goal of an attacker who has entered the commands shown in the screenshot?
Exhibit
Options
- AEnumerate listening ports on the target machine
- BCreate a mountable snapshot to access older versions of the filesystem
- CGather password and hash data for off-line cracking
- DCorrupt system backups
How the community answered
(60 responses)- A8% (5)
- B17% (10)
- C72% (43)
- D3% (2)
Why each option
The commands shown are used to extract stored password hashes from the target system for subsequent offline cracking, a standard post-exploitation credential-access technique.
Enumerating listening ports uses commands like 'netstat -an', 'ss -tulnp', or 'nmap localhost', not commands targeting credential stores or registry hives.
Creating a mountable snapshot involves volume management commands such as 'lvcreate --snapshot' on Linux or vssadmin on Windows, which are unrelated to password hash extraction.
Attackers use commands or tools - such as accessing /etc/shadow on Linux or running 'hashdump' via Metasploit on Windows - to dump stored password hashes from the compromised system. These hashes are then taken offline and subjected to brute-force or dictionary attacks using tools like Hashcat or John the Ripper, allowing cracking without generating further noise on the target network.
Corrupting backups requires destructive write operations against backup files or services, not read operations against credential stores.
Concept tested: Post-exploitation OS credential dumping for offline hash cracking
Source: https://attack.mitre.org/techniques/T1003/
Topics
Community Discussion
No community discussion yet for this question.
