
T1003.008: /etc/passwd and /etc/shadow

Sub-technique of T1003

Platforms: Linux

ATT&CK version: 14.1

What it is

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux systems split account information across the two files: /etc/passwd holds the account records (user name, UID, GID, home directory, login shell) and is world-readable, while the password hashes live in /etc/shadow, which by default is readable only by root (on many distributions also by the shadow group) [2]. Reading /etc/shadow therefore normally requires root privileges, so dumping it typically follows privilege escalation. The unshadow utility, shipped with John the Ripper, combines the two files into a single passwd-style file in which the x placeholder in the password field is replaced with the hash from /etc/shadow, the format expected by password cracking utilities such as John the Ripper [3]; the # prompt below reflects that the command runs as root:

  # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
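To make concrete what the unshadow step above produces and why not every merged line is worth an adversary's cracking time, the following Python is an added example; it is not code from the ATT&CK entry, from John the Ripper or from SQUR. It parses the two colon-separated formats described in the cited shadow-file reference, merges them the way unshadow does, and classifies each resulting password field by the crypt(3) prefix of its hash. The sample /etc/passwd and /etc/shadow lines and all hash strings in it are constructed for this example (correct prefixes, fake salt and digest) and belong to no real host.

```python
"""Reproduce the unshadow merge and triage which accounts carry a crackable hash.

Added example: sample file contents and hashes below are constructed, not
taken from any real system. The hashes use real crypt(3) prefixes but fake
salt/digest bodies, so nothing here can actually be cracked.
"""
import re

# Constructed /etc/passwd content: name:x:uid:gid:gecos:home:shell (7 fields).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:service account:/var/lib/svc:/usr/sbin/nologin
legacy:x:1003:1003:old box migrant:/home/legacy:/bin/sh
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""

# Constructed /etc/shadow content: name:hash:lastchg:min:max:warn:inactive:expire:reserved (9 fields).
# Note: carol has no shadow entry, bob is locked with passwd -l (hash kept behind '!').
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehashfakehash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$saltsaltsaltsaltsaltsa$fakeyescrypthash:19700:0:99999:7:::
bob:!$1$saltsalt$fakemd5hash:19700:0:99999:7:::
svc::19700:0:99999:7:::
legacy:AbCdEfGhIjKlM:19700:0:99999:7:::
"""

# crypt(3) hash prefixes and the algorithms they denote.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def parse_colon_file(text, nfields):
    """Parse a passwd- or shadow-style file into {username: [fields]}.

    Blank lines and comments are skipped; a line with the wrong field count is
    rejected so a truncated dump cannot silently produce half-merged output.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Merge the two files the way John the Ripper's unshadow does.

    For every passwd entry whose user also appears in shadow, the password
    field (field 2, normally 'x') is replaced with the hash field from shadow.
    Users absent from shadow keep their passwd line unchanged.
    """
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    merged = []
    for user, fields in passwd.items():
        if user in shadow:
            fields = fields[:1] + [shadow[user][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def classify_hash(pw_field):
    """Say what the password field of a merged line is worth to a cracker."""
    if pw_field == "":
        return "empty (no password required)"
    if pw_field == "x":
        return "placeholder only (user missing from shadow)"
    locked = pw_field.startswith("!")   # passwd -l prefixes '!' but keeps the hash
    body = pw_field.lstrip("!")
    if body in ("", "*"):
        return "no password set"
    algo = next((name for p, name in HASH_PREFIXES.items() if body.startswith(p)), None)
    if algo is None and re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        algo = "descrypt"   # legacy 13-character DES hash, trivially crackable
    if algo is None:
        return "unrecognized"
    return f"locked, hash still present: {algo}" if locked else f"crackable: {algo}"


def triage(merged_lines):
    """Map each user in unshadow output to the classification of its hash."""
    return {line.split(":")[0]: classify_hash(line.split(":")[1]) for line in merged_lines}


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    for user, verdict in triage(merged).items():
        print(f"{user:8} {verdict}")
```

Two things the classification makes visible that the one-line unshadow command hides: an account locked with passwd -l still carries its full hash behind the leading !, so an attacker who strips that character can crack it offline just like an active account, and a 13-character DES hash or an empty field on a migrated account is worth far more to the attacker than a yescrypt or sha512crypt hash. The same parsing, run as root against your own files, is a cheap check for which local accounts would fall quickly if /etc/shadow were ever dumped.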

ATT&CK tactics

Credential Access

References

  1. MITRE ATT&CK, T1003.008 /etc/passwd and /etc/shadow: https://attack.mitre.org/techniques/T1003/008
  2. Linux Password and Shadow File Formats (Linux Administration Made Easy, TLDP): https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
  3. nixCraft, Linux/Unix password cracking with John the Ripper: https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.