T1003.008 /etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, with the password hashes kept in /etc/shadow. By default, /etc/shadow is readable only by the root user.[1]
The Linux utility unshadow can be used to combine the two files into a format suited to password-cracking utilities such as John the Ripper:[2]
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
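The merge that unshadow performs, followed by a triage of what the merged file actually exposes, as an added Python example that is not part of the ATT&CK page and is not John the Ripper's own code. The passwd and shadow bodies are constructed samples and the hash bodies are shape-only placeholders; the crypt prefix table ($1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $y$ yescrypt, $2b$ bcrypt) follows glibc/libxcrypt naming. One caveat it makes visible: an account locked with passwd -l only gets a leading "!" in front of its hash, so the digest is still present and crackable once an attacker strips the marker.

```python
"""Merge /etc/passwd with /etc/shadow the way unshadow does, then triage the hashes.

Added example for this page; it is neither MITRE's code nor John the Ripper's
unshadow. Both file bodies are constructed samples, and the hash bodies are
shape-only placeholders rather than valid digests.
"""
import re

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$rounds=5000$c0nstructed$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$c0nstructedsalt$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
bob:!$1$c0nstr$CCCCCCCCCCCCCCCCCCCCCC:19000:0:99999:7:::
svc:$5$c0nstructed$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:19000:0:99999:7:::
"""

# crypt(3) prefix identifiers as used by glibc/libxcrypt.
CRYPT_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}


def parse_colon_file(text, min_fields):
    """Parse a colon-separated account file into {name: fields}, keeping file order."""
    rows = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError("malformed line: %r" % raw)
        rows[fields[0]] = fields
    return rows


def unshadow(passwd_text, shadow_text):
    """Return passwd-format lines with the 'x' replaced by the shadow hash, like unshadow."""
    shadow = parse_colon_file(shadow_text, 9)
    merged = []
    for name, fields in parse_colon_file(passwd_text, 7).items():
        fields = list(fields)
        if name in shadow:
            fields[1] = shadow[name][1]
        merged.append(":".join(fields))
    return merged


def classify_hash(field):
    """Return (locked, algorithm) for a shadow password field.

    locked is True for '*' or a leading '!'; algorithm is None when there is
    nothing to crack. A locked account's hash is still reported because a
    leading '!' only disables the password, it does not remove the digest.
    """
    locked = field.startswith("!") or field == "*"
    body = field.lstrip("!")
    if body in ("", "*"):
        return locked, None
    m = re.match(r"^\$([^$]+)\$", body)
    if m:
        return locked, CRYPT_IDS.get(m.group(1), "crypt-id-" + m.group(1))
    # Traditional DES crypt has no $id$ prefix and is always 13 characters.
    return locked, "descrypt" if len(body) == 13 else "unknown"


def triage(passwd_text, shadow_text):
    """One row per account present in both files, saying whether its hash is crackable."""
    shadow = parse_colon_file(shadow_text, 9)
    report = []
    for name, fields in parse_colon_file(passwd_text, 7).items():
        if name not in shadow:
            continue
        locked, algo = classify_hash(shadow[name][1])
        report.append({"user": name, "uid": int(fields[2]), "shell": fields[6],
                       "locked": locked, "algorithm": algo, "crackable": algo is not None})
    return report


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)))
    for row in triage(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(row)
```

The merged lines are what john would load; the triage shows that four of the five sample accounts, including the locked one, carry a crackable digest, and that only the "*" placeholder of the system account has nothing to attack. The algorithm column is also the cost signal: md5crypt falls far faster than yescrypt or sha512crypt, so a legacy $1$ hash on a privileged account is the first thing to flag.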
Item | Value |
---|---|
ID | T1003.008 |
Sub-technique of | T1003 (OS Credential Dumping); sibling sub-techniques T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007 |
Tactics | TA0006 |
Platforms | Linux |
Permissions required | root |
Version | 1.0 |
Created | 11 February 2020 |
Last Modified | 20 March 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0349 | LaZagne | LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies | Ensure that root accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management | Follow best practices in restricting access to privileged accounts to prevent hostile programs from reading such sensitive information. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
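File-access detection over auditd records, as an added Python example that is not from the ATT&CK page. It assumes an auditd watch of the form -w /etc/shadow -p r -k shadow-access is loaded (an assumption, not stated on the page), joins each SYSCALL record with its PATH record by audit serial, and flags failed opens by any user, successful reads under a non-root effective uid, and reads by binaries outside a small allowlist of expected readers. The allowlist and the log lines are constructed for the example.

```python
"""Flag reads of /etc/shadow in auditd output.

Added example for this page, not MITRE's code. Assumes (not stated on the page)
that auditd is loaded with a watch such as:
    -w /etc/shadow -p r -k shadow-access
The records below are constructed in auditd's format; they are not a real capture.
"""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="shadow-access"
type=PATH msg=audit(1700000000.101:101): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=950 pid=951 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=PATH msg=audit(1700000000.102:102): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=960 pid=961 auid=1000 uid=0 gid=0 euid=0 comm="unshadow" exe="/usr/bin/unshadow" key="shadow-access"
type=PATH msg=audit(1700000000.103:103): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:104): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=702 auid=4294967295 uid=0 gid=0 euid=0 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" key="shadow-access"
type=PATH msg=audit(1700000000.104:104): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

# Binaries that legitimately open /etc/shadow on a typical host. Constructed
# allowlist for the example; tune it to what actually runs on the monitored system.
ALLOWED_READERS = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/login", "/usr/bin/passwd",
    "/usr/sbin/unix_chkpwd", "/usr/sbin/sshd", "/usr/sbin/useradd",
}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of its key=value fields plus the event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = m.group(1)
    fields["serial"] = m.group(2)
    return fields


def group_events(text):
    """Group records by audit serial: one SYSCALL record plus its PATH records per event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def detect_shadow_reads(text, allowed=ALLOWED_READERS):
    """Return one alert per suspicious /etc/shadow open, in log order."""
    alerts = []
    for serial, records in group_events(text).items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        touched = any(r["type"] == "PATH" and r.get("name") == "/etc/shadow" for r in records)
        if not syscall or not touched:
            continue
        exe = syscall.get("exe", "")
        if syscall.get("success") == "no":
            # EACCES on /etc/shadow from an unprivileged process is the classic first try.
            reason = "failed open of /etc/shadow (exit=%s)" % syscall.get("exit")
        elif syscall.get("euid") != "0":
            # Should be impossible with 0640 root:shadow; implies the mode was weakened.
            reason = "non-root euid read /etc/shadow; check file mode"
        elif exe not in allowed:
            reason = "unexpected reader of /etc/shadow"
        else:
            continue
        alerts.append({"serial": serial, "auid": syscall.get("auid"),
                       "euid": syscall.get("euid"), "exe": exe, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_reads(AUDIT_LOG):
        print(alert)
```

The auid field matters more than uid here: event 103 runs as root, but auid=1000 ties the unshadow invocation back to the human session that escalated, which is what an analyst needs to pivot on. Pairing this with a Command Execution watch for unshadow and john on the same auid closes the loop between the two data components listed above.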
References
- [1] The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.
- [2] Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.
- [3] Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.