OS Credential Dumping: /etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.[1]

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:[2] # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

ID: T1003.008
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Linux
Permissions Required: root
Version: 1.0
Created: 11 February 2020
Last Modified: 20 March 2020

Procedure Examples

Name Description
LaZagne

LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[3]

Mitigations

Mitigation Description
Password Policies

Ensure that root accounts have complex, unique passwords across all systems on the network.

Privileged Account Management

Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.

Detection

The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.

References