Which of the following commands would allow the penetration tester to enumerate password hashes?

During an assessment, a penetration tester exploits an SQLi vulnerability.

Which of the following commands would allow the penetration tester to enumerate password hashes?
A. sqlmap -u www.example.com/?id=1 --search -T user
B. sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred
C. sqlmap -u www.example.com/?id=1 --tables -D accounts
D. sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

Answer: B

Explanation:

To enumerate password hashes using an SQL injection vulnerability, the penetration tester needs to extract specific columns from the database that typically contain password hashes. The --dump command in sqlmap is used to dump the contents of the specified database table.

Here’s a breakdown of the options:

Option A: sqlmap -u www.example.com/?id=1 --search -T user

The --search option is used to search for columns and not to dump data. This would not enumerate password hashes.

Option B: sqlmap -u www.example.com/?id=1 --dump -D accounts -T users -C cred

This command uses --dump to extract data from the specified database accounts, table users, and column cred. This is the correct option to enumerate password hashes, assuming cred is the column containing the password hashes.

Option C: sqlmap -u www.example.com/?id=1 --tables -D accounts

The --tables option lists all tables in the specified database but does not extract data.

Option D: sqlmap -u www.example.com/?id=1 --schema --current-user --current-db

The --schema option provides the database schema information, and --current-user and --current-db provide information about the current user and database but do not dump data.

Reference from Pentest:

Writeup HTB: Demonstrates using sqlmap to dump data from specific tables to retrieve sensitive information, including password hashes.

Luke HTB: Shows the process of exploiting SQL injection to extract user credentials and hashes by dumping specific columns from the database.
