Which file is typically targeted to obtain password hashes during credential dumping?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which file is typically targeted to obtain password hashes during credential dumping?

Explanation:
Password hashes live in the Windows Security Account Manager database. This database is stored as a file on disk and contains the hashed credentials for local accounts (NT hashes, and LM hashes on older systems). In credential dumping, attackers target this file because it directly provides the values that can be cracked offline or reused in pass-the-hash attacks. The SAM file is typically found in Windows\System32\Config\SAM, and in practice gaining access to and decrypting its contents often involves also obtaining the SYSTEM hive, which holds the boot key needed to unlock the SAM data. By contrast, event logs (security, system, etc.) record activity and do not store password hashes, so they aren’t used to retrieve credentials.
