Skip to content

T1003.008 /etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.1

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:2 # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

Item Value
ID T1003.008
Sub-techniques T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008
Tactics TA0006
Platforms Linux
Permissions required root
Version 1.0
Created 11 February 2020
Last Modified 20 March 2020

Procedure Examples

ID Name Description
S0349 LaZagne LaZagne can obtain credential information from /etc/shadow using the module.3


ID Mitigation Description
M1027 Password Policies Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access