T1003.008.md

T1003.008 - /etc/passwd and /etc/shadow

Description from ATT&CK

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

Atomic Tests

• Atomic Test #1 - Access /etc/shadow (Local)

• Atomic Test #2 - Access /etc/passwd (Local)

Atomic Test #1 - Access /etc/shadow (Local)

/etc/shadow file is accessed in Linux environments

Supported Platforms: Linux

Inputs:

Name	Description	Type	Default Value
output_file	Path where captured results will be placed	Path	/tmp/T1003.008.txt

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

sudo cat /etc/shadow > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}

Atomic Test #2 - Access /etc/passwd (Local)

/etc/passwd file is accessed in Linux environments

Supported Platforms: Linux

Inputs:

Name	Description	Type	Default Value
output_file	Path where captured results will be placed	Path	/tmp/T1003.008.txt

Attack Commands: Run with sh!

cat /etc/passwd > #{output_file}
cat #{output_file}

Cleanup Commands:

rm -f #{output_file}