T1003.008 /etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.1
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:2 # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
| Item | Value |
|---|---|
| ID | T1003.008 |
| Sub-techniques | T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008 |
| Tactics | TA0006 |
| Platforms | Linux |
| Permissions required | root |
| Version | 1.0 |
| Created | 11 February 2020 |
| Last Modified | 20 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0349 | LaZagne | LaZagne can obtain credential information from /etc/shadow using the shadow.py module.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1027 | Password Policies | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
References
-
The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020. ↩
-
Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020. ↩
-
Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. ↩