Description
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.(Citation: Arctic Wolf) Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db(Citation: nixCraft - John the Ripper). Since the user information stored in /etc/passwd is linked to the password hashes in /etc/shadow, an adversary would need to have access to both.
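A detection-side example, added here and not part of the ATT&CK entry: it parses constructed auditd EXECVE records and flags command lines that invoke unshadow or reference /etc/shadow, including the hex-encoded argument form auditd emits for values containing spaces. It assumes execve auditing is enabled on the host; the sample log lines, regexes and function names are the editor's own.

```python
import os
import re

# Constructed auditd EXECVE records (assumes execve auditing is enabled); 207 uses auditd's hex encoding.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="/usr/bin/unshadow" a1="/etc/passwd" a2="/etc/shadow"
type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="cat" a1="/etc/hostname"
type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="cp" a1="/etc//shadow" a2="/tmp/.s"
type=EXECVE msg=audit(1700000000.105:205): argc=1 a0="unshadow"
type=EXECVE msg=audit(1700000000.107:207): argc=3 a0="sh" a1="-c" a2=636174202F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.107:207): arch=c000003e syscall=59 success=yes exit=0
"""

ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_execve(line):
    """Return {'event': id, 'argv': [...]} for an auditd EXECVE record, else None."""
    if not line.startswith("type=EXECVE"):
        return None
    argv = {}
    for m in ARG_RE.finditer(line):
        val = m.group(2)
        if val is None:  # unquoted value: auditd hex-encoded the argument, decode it
            val = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
        argv[int(m.group(1))] = val
    ev = EVENT_RE.search(line)
    return {"event": ev.group(1) if ev else "?", "argv": [argv[i] for i in sorted(argv)]}

def classify(argv):
    """Reasons a command line matches T1003.008 behaviour (empty list = no match)."""
    reasons = []
    if argv and os.path.basename(argv[0]) == "unshadow":
        reasons.append("unshadow invoked")
    # normpath folds '/etc//shadow'; a relative path such as ../etc/shadow would need the cwd
    if any("/etc/shadow" in os.path.normpath(a) for a in argv[1:]):
        reasons.append("/etc/shadow referenced on the command line")
    return reasons

def scan(log_text):
    """Return the flagged EXECVE records together with the reasons they matched."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        if rec and (reasons := classify(rec["argv"])):
            findings.append({**rec, "reasons": reasons})
    return findings
```

Calling scan(SAMPLE_LOG) returns five findings (events 201, 202, 204, 205 and 207); the hostname read and the SYSCALL record are not flagged.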
Platforms
Mitigations (2)
Privileged Account Management (M1026)
Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information.
Password Policies (M1027)
Ensure that root accounts have complex, unique passwords across all systems on the network.
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can obtain credential information from /etc/shadow using the shadow.py module.(Citation: GitHub LaZ... |
Related CWE Weaknesses
References
- Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher. (2024, November 22). Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices. Retrieved January 8, 2025.
- The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.
- Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.
Frequently Asked Questions
What is T1003.008 (/etc/passwd and /etc/shadow)?
T1003.008 is a MITRE ATT&CK technique named '/etc/passwd and /etc/shadow'. It belongs to the Credential Access tactic(s). Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <cod...
How can T1003.008 be detected?
Detection of T1003.008 (/etc/passwd and /etc/shadow) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1003.008?
There are 2 documented mitigations for T1003.008. Key mitigations include: Privileged Account Management, Password Policies.
Which threat groups use T1003.008?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.