GIAC Certified Incident Handler (GCIH) — Question 118

For what purpose would an auditor obtain a copy of the /etc/passwd file for a password audit of a linux machine?

Answer options

• A. The file contains hashes for rainbow tables cracking
• B. The file is required for a dictionary guessing approach
• C. The file allows for user enumeration prior to password cracking
• D. The file allows for a brute force audit approach

Correct answer: C

Explanation

The correct answer is C because the /etc/passwd file contains user account information, which can be used to identify valid usernames for password cracking attempts. Options A and B are incorrect as they refer to methods that do not specifically require the /etc/passwd file. Option D is also wrong since a brute-force audit can be performed without prior user enumeration.