/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, with the password hashes kept in /etc/shadow. By default, /etc/shadow is readable only by the root user (on some distributions, by root and the shadow group), while /etc/passwd is world-readable.(Citation: Linux Password and Shadow File Formats)

Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow, including entries for users with no passwords and for locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)

Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.(Citation: Arctic Wolf) Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper, for example via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db (Citation: nixCraft - John the Ripper). Since the user information stored in /etc/passwd is linked to the password hashes in /etc/shadow by username, an adversary needs access to both files.
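The join that unshadow performs, and the reason both files are needed, can be seen on constructed copies of the two files. The script below is an added example, not code from this page, from MITRE ATT&CK, or from John the Ripper: it re-implements the unshadow join in awk, filters out the locked and passwordless entries a cracker cannot use, and checks the file permission the text describes. The sample_passwd and sample_shadow files, their usernames, and the hash bodies are all constructed placeholders, not real digests or real system data.

```shell
#!/bin/sh
# Added example (not from the page or from John the Ripper): an awk re-implementation of
# what `unshadow` does, run on constructed copies of /etc/passwd and /etc/shadow so it can
# be tried without root and without touching the real files. Field layout follows
# passwd(5) and shadow(5): field 1 is the username, field 2 is the password field.
set -eu

# Constructed sample files. The hash bodies are placeholders, not real digests.
make_samples() {
  cat > sample_passwd <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/lib/backup:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
EOF
  # "*" and "!" are not valid crypt(3) hashes: they mark accounts that cannot log in
  # with a password. An empty field means the account has no password at all.
  cat > sample_shadow <<'EOF'
root:$6$rounds=5000$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19000:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# Join the two files on the username: the "x" placeholder in passwd field 2 is replaced
# by the shadow hash, which is the line format John the Ripper's unshadow produces.
# Usage: unshadow_join PASSWD_FILE SHADOW_FILE
unshadow_join() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }   # first file (shadow): remember hash per user
    ($1 in hash) { $2 = hash[$1] }      # second file (passwd): substitute the hash
    { print }
  ' "$2" "$1"
}

# Keep only lines whose password field is an actual crypt(3) hash ($id$...), dropping
# locked (*, !, !$...) and passwordless (empty) entries that a cracker cannot use.
crackable_only() {
  awk -F: '$2 ~ /^\$/'
}

# The default protection the text describes: /etc/shadow must not be world-readable.
# Prints "ok" if the "other" read bit is clear, "world-readable" otherwise.
# Usage: check_shadow_perms FILE   (e.g. check_shadow_perms /etc/shadow)
check_shadow_perms() {
  case "$(ls -ld "$1" | cut -c8)" in
    r) echo "world-readable" ;;
    *) echo "ok" ;;
  esac
}

make_samples
echo "# joined (what an attacker would feed to a cracker):"
unshadow_join sample_passwd sample_shadow
echo "# crackable entries only:"
unshadow_join sample_passwd sample_shadow | crackable_only
chmod 0640 sample_shadow
echo "# sample_shadow permissions: $(check_shadow_perms sample_shadow)"
```

Of the five constructed accounts only root and alice yield usable hashes; daemon, svc-backup and guest appear in the joined output but are skipped by any cracker because their password field is not a crypt(3) hash. Running check_shadow_perms against the real /etc/shadow is a quick sanity check that the default protection is still in place; on the detection side, the cat-based collection the text describes is visible as a read of /etc/shadow by a non-root process or an unexpected user, which file-access auditing on that path will record.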
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) | Attack Pattern | 1 |