OS Credential Dumping: /etc/passwd and /etc/shadow
Adversaries may attempt to dump the contents of
/etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of
/etc/shadow to store user account information including password hashes in
/etc/shadow. By default,
/etc/shadow is only readable by the root user.
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Ensure that root accounts have complex, unique passwords across all systems on the network.
|Privileged Account Management||
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access
/etc/shadow, alerting on the pid, process name, and arguments of such programs.