During a penetration test, you have obtained an elevated Meterpreter session on a Windows workstation through Metasploit. You must collect the local SAM password hashes so that you can attempt pass-the-hash authentication on nearby hosts. Which built-in Meterpreter action accomplishes this with the least impact on the target user?
Run the hashdump command (or smart_hashdump module) to dump SAM hashes
Upload and launch an external Mimikatz binary from disk to dump credentials
Execute the ps command and save the process list for later analysis
Enable the WDigest registry setting to capture plaintext credentials after reboot
The hashdump command (or the post/windows/gather/smart_hashdump module) is built into Meterpreter and extracts password hashes from the SAM database entirely in memory, avoiding external binaries, scheduled tasks, or registry changes that could alert the user or security tools. Listing processes, enabling WDigest, or uploading an external Mimikatz executable either fails to provide SAM hashes immediately or creates additional artifacts that increase the risk of detection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the SAM database, and why is it important for collecting password hashes?
Open an interactive chat with Bash
What is the difference between hashdump and smart_hashdump in Meterpreter?
Open an interactive chat with Bash
What is pass-the-hash authentication, and how does it work after obtaining SAM hashes?