A penetration tester has extracted password hashes from the lsass.exe memory process. Which of the following should the tester perform NEXT to pass the hash and provide persistence with the newly acquired credentials?
A.
Use Patator to pass the hash and Responder for persistence.
B.
Use Hashcat to pass the hash and Empire for persistence.
C.
Use a bind shell to pass the hash and WMI for persistence.
D.
Use Mimikatz to pass the hash and PsExec for persistence.
Mimikatz is a popular tool used for extracting password hashes from Windows memory. It can also be used to pass the hash, which allows an attacker to authenticate to a system without knowing the actual password, using only the extracted password hash.
PsExec is a Windows tool that allows for remote command execution, making it a good option for establishing persistence using the newly acquired credentials.
D. Use Mimikatz to pass the hash and PsExec for persistence.
The other options combine tools and techniques that don't align with the task described or are not typically used for the purposes of passing the hash and creating persistence.
D is the answer
Mimikatz is a credential hacking tool that can be used to extract logon passwords from the LSASS process and pass them to other systems. Once the tester has the hashes, they can then use PsExec, a command-line utility from Sysinternals, to pass the hash to the remote system and authenticate with the new credentials. This provides the tester with persistence on the system, allowing them to access it even after a reboot.
"A penetration tester who has extracted password hashes from the lsass.exe memory process can use various tools to pass the hash and gain access to other systems using the same credentials. One tool commonly used for this purpose is Mimikatz, which can extract plaintext passwords from memory or provide a pass-the-hashcapability. After gaining access to a system, the tester can use various tools for persistence, such as PsExec or WMI." (CompTIA PenTest+ Study Guide, p. 186)
lsass.exe is a Windows process that is responsible for local security authentication and authorization. It is necessary for normal system operation and should not be terminated unless absolutely necessary. However, it can be targeted by malicious actors as it is responsible for verifying credentials, making it a prime target for attacks like Pass-the-Hash or similar credential harvesting techniques. It is important to practice good cyber security hygiene to protect systems against these types of attacks.
This section is not available anymore. Please use the main Exam Page.PT0-002 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
cy_analyst
Highly Voted 1 year, 1 month agocy_analyst
1 year, 1 month agosolutionz
Most Recent 8 months, 3 weeks ago[Removed]
1 year, 1 month agonickwen007
1 year, 1 month ago[Removed]
1 year, 1 month ago[Removed]
1 year, 2 months ago[Removed]
1 year, 2 months agozimuz
1 year, 2 months agokloug
1 year, 2 months agoFrog_Man
1 year, 2 months ago[Removed]
1 year, 2 months ago