Which tool is known for extracting password hashes from Windows memory (LSASS)?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which tool is known for extracting password hashes from Windows memory (LSASS)?

Explanation:
Credential dumping from Windows memory, especially LSASS, is what this item tests. Mimikatz is built specifically to pull credentials from memory, including password hashes stored in LSASS. It can extract NTLM (and sometimes other) hashes directly from a live Windows session, enabling techniques like pass-the-hash. The other tools operate differently: John the Ripper and Hashcat are designed to crack hashes that you’ve already captured or dumped, not to pull them from memory in the first place. Hydra focuses on network service brute-forcing rather than local credential extraction.

