Free GCIH Password Attacks Practice Test 2026 — GIAC Incident Handler Questions
This free GCIH Password Attacks practice test covers brute force, dictionary attacks, rainbow tables, Hashcat, John the Ripper, credential stuffing, and password spraying. Each question includes a detailed explanation, making it suitable for GIAC Certified Incident Handler / SANS SEC504 exam prep.
Key Topics in GCIH Password Attacks
- Brute Force Attacks
- Dictionary Attacks
- Rainbow Tables
- Hashcat / John the Ripper
- Credential Stuffing
- Password Spraying
6 Free GCIH Password Attacks Practice Questions with Answers
Sample Question 1 — Password Attacks
When using John the Ripper for password cracking, what does the "--incremental" mode do?
- A. Performs dictionary attacks only
- B. Generates passwords using character combinations (Correct answer)
- C. Uses rainbow tables for hash lookups
- D. Performs brute-force attacks with patterns
Correct answer: B
Explanation: The --incremental mode in John the Ripper generates passwords by trying different character combinations based on character frequency analysis. This is more efficient than pure brute-force as it tries more likely combinations first.
Sample Question 2 — Password Attacks
During an incident response, you discover that an attacker has used a password cracking tool to gain unauthorized access to a system. The attacker used a pre-computed table of hashes to crack the passwords. Which technique did the attacker most likely use?
- A. Brute force attack
- B. Dictionary attack
- C. Rainbow table attack (Correct answer)
- D. Hashcat attack
Correct answer: C
Explanation: A rainbow table attack involves the use of pre-computed tables of hash values to crack passwords quickly. Unlike brute force attacks, which try every possible combination, rainbow tables use these pre-computed hashes to match against the hashed passwords, making the process much faster. Dictionary attacks use a list of common passwords but do not involve pre-computed hashes. Hashcat is a tool that can perform various types of password attacks, including using rainbow tables, but the technique in question is specifically a rainbow table attack.
Sample Question 3 — Password Attacks
You are tasked with investigating a suspected password attack on a corporate network. During your analysis, you observe the following command being executed on a compromised machine: 'john --wordlist=passwords.txt --rules --incremental'. What type of attack is being performed with this command?
- A. Rainbow table attack
- B. Brute force attack
- C. Dictionary attack
- D. Hybrid attack (Correct answer)
Correct answer: D
Explanation: The command uses John the Ripper with a wordlist and rules, as well as the --incremental option, which indicates a hybrid attack. This combines a dictionary attack with rule-based modifications and brute force attempts (incremental mode) to enhance the chances of cracking more complex passwords. A rainbow table attack would not use a wordlist or rules in this manner. A brute force attack would not require a wordlist. A dictionary attack would not use the --incremental option.
Sample Question 4 — Password Attacks
During a routine network monitoring session, an incident handler notices a spike in traffic to the organization's authentication server. Initial analysis suggests the presence of a password brute-force attack. What is the most effective initial action the incident handler should take to mitigate the impact of this attack?
- A. Immediately block the source IP address at the firewall.
- B. Alert the system administrators to reset all user passwords.
- C. Increase the logging level on the authentication server to capture more detailed information.
- D. Implement account lockout policies to limit failed login attempts. (Correct answer)
Correct answer: D
Explanation: The most effective initial action is to implement account lockout policies to limit failed login attempts (Option D). This action directly mitigates the impact of the brute-force attack by preventing further attempts after a certain number of failures, thus protecting user accounts. Blocking the source IP (Option A) may be effective, but attackers can quickly change IPs, making this a less reliable immediate response. Alerting system administrators to reset passwords (Option B) is not practical as an immediate response and could cause unnecessary disruption. Increasing logging (Option C) is useful for analysis but does not directly mitigate the attack.
Sample Question 5 — Password Attacks
During an incident response, you suspect a password attack is underway on your network. What is the FIRST step you should take to confirm the attack?
- A. Immediately reset all user passwords in the network.
- B. Use Wireshark to capture and analyze network traffic for suspicious authentication attempts. (Correct answer)
- C. Run a full vulnerability scan using Nmap on the network.
- D. Deploy Exiftool to analyze metadata in network files.
Correct answer: B
Explanation: The first step in confirming a password attack is to gather evidence of suspicious activity. Wireshark can be used to capture network traffic and analyze patterns such as repeated failed login attempts, which are indicative of password attacks. Resetting all user passwords (Option A) is premature without confirmation. Running a vulnerability scan with Nmap (Option C) is not directly related to detecting password attacks. Exiftool (Option D) is used for file metadata analysis and is not useful for detecting password attacks.
Sample Question 6 — Password Attacks
You are responding to a suspected brute-force password attack on your organization's web server. Which of the following should be your primary focus during initial triage?
- A. Identify and block the source IP address of the attack. (Correct answer)
- B. Increase the complexity requirements for user passwords.
- C. Immediately notify all users to change their passwords.
- D. Review server logs to identify the attack vector.
Correct answer: A
Explanation: The primary focus during initial triage of a brute-force attack should be to stop the attack by blocking the source IP address (Option A). This action helps to immediately mitigate the threat. Increasing password complexity (Option B) is a long-term measure, not an immediate response. Notifying users to change passwords (Option C) is unnecessary at this stage without evidence of a breach. Reviewing server logs (Option D) is important but secondary to stopping the attack.
About the GCIH Exam
- Questions: 106 multiple choice
- Time: 4 hours
- Passing score: 70%
- Provider: GIAC (SANS Institute)
- Aligned with: SANS SEC504
- Total domains: 14