Adversaries may attempt to dump the contents of/etc/passwd
and/etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of/etc/passwd
and/etc/shadow
to store user account information including password hashes in/etc/shadow
. By default,/etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats) The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper)# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that’s not cat
Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins
/etc/shadow file is accessed in Linux environments
Supported Platforms: Linux
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
1
bash
! Elevation Required (e.g. root or admin)1
2
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
1
rm -f #{output_file}
/etc/master.passwd file is accessed in FreeBSD environments
Supported Platforms: Linux
auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
1
sh
! Elevation Required (e.g. root or admin)1
2
sudo cat /etc/master.passwd > #{output_file}
cat #{output_file}
1
rm -f #{output_file}
/etc/passwd file is accessed in FreeBSD and Linux environments
Supported Platforms: Linux
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
1
sh
!1
2
cat /etc/passwd > #{output_file}
cat #{output_file}
1
rm -f #{output_file}
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
Supported Platforms: Linux
auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
1
sh
! Elevation Required (e.g. root or admin)1
2
unamestr=$(uname)
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
1
rm -f #{output_file}
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
Supported Platforms: Linux
auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
1
sh
! Elevation Required (e.g. root or admin)1
2
3
4
testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
testcat /etc/passwd
testcat /etc/shadow
1
rm -f #{output_file}