T1003.008: /etc/passwd and /etc/shadow

Data from MITRE ATT&CK®:

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Password Policies

Set and enforce secure password policies for accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Access /etc/master.passwd (Local)

linux

Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat

linux

Access /etc/passwd (Local)

linux

Access /etc/shadow (Local)

linux

Access /etc/{shadow,passwd,master.passwd} with shell builtins

linux