After gaining SYSTEM-level access on a Windows workstation during a penetration test, you need to harvest credentials that are currently stored in RAM so they can be reused on other hosts. Which action will BEST achieve this objective?
Perform an LLMNR/NBT-NS poisoning attack on the local subnet to capture password hashes from network traffic.
Search each user profile for browser password stores and export any saved credentials.
Copy the SAM and SYSTEM registry hives and crack the extracted NTLM hashes offline.
Dump the LSASS process with a credential-dumping tool such as Mimikatz or Pypykatz, then parse the dump for passwords and hashes.
Tools such as Mimikatz or its Python port Pypykatz can dump the Local Security Authority Subsystem Service (LSASS) process and parse the resulting memory to reveal plaintext passwords, NTLM hashes, and Kerberos tickets for every interactive session. Other techniques shown in the distractors can reveal credentials indirectly (e.g., SAM offline cracking) or over the network, but they do not pull active authentication material straight from RAM.