After gaining SYSTEM-level access on a Windows workstation during a penetration test, you need to harvest credentials that are currently stored in RAM so they can be reused on other hosts. Which action will BEST achieve this objective?
Perform an LLMNR/NBT-NS poisoning attack on the local subnet to capture password hashes from network traffic.
Dump the LSASS process with a credential-dumping tool such as Mimikatz or Pypykatz, then parse the dump for passwords and hashes.
Search each user profile for browser password stores and export any saved credentials.
Copy the SAM and SYSTEM registry hives and crack the extracted NTLM hashes offline.
Tools such as Mimikatz or its Python port Pypykatz can dump the Local Security Authority Subsystem Service (LSASS) process and parse the resulting memory to reveal NTLM hashes, Kerberos tickets and, where the WDigest provider still caches them, plaintext passwords for every account that has logged on since boot. That is exactly the material needed for reuse on other hosts (pass-the-hash, pass-the-ticket). The other options can reveal credentials indirectly or over the network, but none pulls active authentication material straight from RAM: LLMNR/NBT-NS poisoning captures NetNTLM challenge-responses that must still be cracked or relayed, browser password stores and the SAM/SYSTEM hives are read from disk, and the SAM covers only local accounts. On hardened hosts expect LSA Protection (RunAsPPL) or Credential Guard to block the dump or leave it empty of secrets, so check for those before choosing a dumping method.