OS Credential Dumping: /etc/passwd and /etc/shadow
Other sub-techniques of OS Credential Dumping (8)
ID | Name |
---|---|
T1003.001 | LSASS Memory |
T1003.002 | Security Account Manager |
T1003.003 | NTDS |
T1003.004 | LSA Secrets |
T1003.005 | Cached Domain Credentials |
T1003.006 | DCSync |
T1003.007 | Proc Filesystem |
T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]
The Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:[2]

```
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
```
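Because the technique depends on /etc/shadow being readable by someone other than root, the practical check is whether the file still matches its default ownership and mode. The following is an added example written for this page, not code from ATT&CK or from any project it references; it assumes the two common distribution baselines (root:shadow 0640 and root:root 0000) are the only acceptable ones and that any mode bits beyond 0640 are a finding.

```python
import grp
import os
import stat
from typing import List, Optional, Sequence


def shadow_group_ids() -> Sequence[int]:
    """gids allowed to own /etc/shadow: root, plus the 'shadow' group where it exists."""
    try:
        return (0, grp.getgrnam("shadow").gr_gid)
    except KeyError:  # Red Hat-style systems have no 'shadow' group
        return (0,)


def audit_shadow_file(path: str = "/etc/shadow", expected_uid: int = 0,
                      allowed_gids: Optional[Sequence[int]] = None,
                      max_mode: int = 0o640) -> List[str]:
    """Return a list of findings; an empty list means the file matches the baseline.
    expected_uid/allowed_gids/max_mode are assumptions for the host being checked."""
    if allowed_gids is None:
        allowed_gids = shadow_group_ids()
    findings: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink here means the real file lives elsewhere; stop and report it.
        return [f"{path} is a symbolic link; expected a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid not in allowed_gids:
        findings.append(f"{path} group gid {st.st_gid} is not one of {list(allowed_gids)}")
    if mode & stat.S_IROTH:
        findings.append(f"{path} mode {mode:04o} is world-readable")
    elif mode & ~max_mode:
        findings.append(f"{path} mode {mode:04o} grants bits {mode & ~max_mode:04o} "
                        f"beyond the {max_mode:04o} ceiling")
    return findings


if __name__ == "__main__":
    try:
        problems = audit_shadow_file()
    except FileNotFoundError:
        problems = ["/etc/shadow not present on this host"]
    print("\n".join(problems) if problems else "/etc/shadow matches the expected baseline")
```

Run it as a scheduled compliance check or from a configuration-management post-run hook; a non-empty result is worth the same attention as a detection hit, since a loosened mode removes the only barrier the page describes.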
Procedure Examples
Name | Description |
---|---|
LaZagne | LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[3] |
Mitigations
Mitigation | Description |
---|---|
Password Policies | Ensure that root accounts have complex, unique passwords across all systems on the network. |
Privileged Account Management | Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information. |
Detection
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.
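What the raw audit log gives you for such a watch, and how to turn it into the pid / process name / arguments alert the paragraph describes, is easier to see with a parser run over sample records. The block below is an added example written for this page, not code from ATT&CK or from the auditd project. It assumes file watches of the form `-w /etc/shadow -p r -k shadow_read` and `-w /etc/passwd -p r -k passwd_read` are loaded, and that the set of programs allowed to read /etc/shadow (EXPECTED_READERS) has been tuned for the host; the audit records it parses are constructed and abridged, not captured from a real system.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed auditd rules (not shown on the page): -w /etc/shadow -p r -k shadow_read and
# -w /etc/passwd -p r -k passwd_read. Each read then yields SYSCALL, PATH and PROCTITLE
# records sharing one msg=audit(timestamp:serial) event id.
WATCHED = {"/etc/shadow", "/etc/passwd"}

# Assumption: programs that legitimately read /etc/shadow on this host; tune per distribution.
EXPECTED_READERS = {"/usr/sbin/sshd", "/usr/bin/login", "/usr/bin/passwd",
                    "/usr/bin/su", "/usr/bin/sudo", "/usr/sbin/unix_chkpwd"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


@dataclass
class Alert:
    event: str
    pid: int
    uid: int
    comm: str
    exe: str
    cmdline: str
    path: str
    success: bool


def decode_audit_string(raw: str) -> str:
    """auditd quotes plain strings and hex-encodes values containing spaces or control
    characters; a hex-encoded proctitle separates argv entries with NUL bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one raw audit.log line into key/value pairs and tag it with its event id."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["_event"] = f"{m.group(1)}:{m.group(2)}"
    return fields


def group_events(lines: Iterable[str]) -> List[List[Dict[str, str]]]:
    """Gather the records belonging to each event, preserving first-seen order."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_event"], []).append(rec)
    return list(events.values())


def detect_shadow_access(lines: Iterable[str], expected=EXPECTED_READERS) -> List[Alert]:
    """Alert on every process outside the expected set that opened a watched file.
    Denied opens (success=no) are reported too: the attempt is itself the signal."""
    alerts: List[Alert] = []
    for records in group_events(lines):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        paths = [decode_audit_string(r["name"]) for r in records
                 if r.get("type") == "PATH" and "name" in r]
        hit = [p for p in paths if p in WATCHED]
        if not hit:
            continue
        exe = decode_audit_string(syscall.get("exe", ""))
        if exe in expected:
            continue
        title = next((r["proctitle"] for r in records if "proctitle" in r), "")
        alerts.append(Alert(event=syscall["_event"], pid=int(syscall.get("pid", -1)),
                            uid=int(syscall.get("uid", -1)),
                            comm=decode_audit_string(syscall.get("comm", "")), exe=exe,
                            cmdline=decode_audit_string(title), path=hit[0],
                            success=syscall.get("success") == "yes"))
    return alerts


# Constructed, abridged sample records in auditd's raw log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=yes exit=3 pid=1234 auid=1000 uid=0 tty=pts0 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/shadow" inode=262 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:501): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=257 success=yes exit=4 pid=900 auid=4294967295 uid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1700000000.456:502): item=0 name="/etc/shadow" inode=262 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.456:502): proctitle=2F7573722F7362696E2F73736864002D44
type=SYSCALL msg=audit(1700000000.789:503): arch=c000003e syscall=257 success=no exit=-13 pid=2001 auid=1000 uid=1000 tty=pts1 comm="unshadow" exe="/usr/bin/unshadow" key="shadow_read"
type=PATH msg=audit(1700000000.789:503): item=0 name="/etc/shadow" inode=262 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.789:503): proctitle=756E736861646F77002F6574632F706173737764002F6574632F736861646F77
"""

if __name__ == "__main__":
    for a in detect_shadow_access(SAMPLE_LOG.splitlines()):
        print(f"{'read' if a.success else 'denied'} {a.path} pid={a.pid} uid={a.uid} "
              f"exe={a.exe} cmdline={a.cmdline!r}")
```

Two points of the design matter in practice: the arguments come from the PROCTITLE record, which auditd hex-encodes whenever the command line contains a space, so a decoder is needed before the arguments are readable; and the filter keys on the executable path rather than the comm field, because comm is the process's own (easily changed) name while exe is what the kernel actually ran. Feed it `ausearch -k shadow_read --raw` output or the audit.log file directly.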