H3-2021-0045

Credential Dumping - /etc/shadow File

Category SECURITY_CONTROLS
Base Score 6.7

Description

The attacker technique known as "Credential Dumping - /etc/shadow File" involves extracting password hashes from the /etc/shadow file on Linux systems. This file stores the hashed passwords and is typically readable only by the root user, so the attacker must already hold root privileges to read it. By running the 'unshadow' command, attackers combine the /etc/passwd and /etc/shadow files into the format expected by password-cracking tools such as John the Ripper.

Impact

By exploiting this deficiency, an attacker can potentially gain access to password hashes, which they can then crack offline to obtain user passwords. This information allows the attacker to impersonate legitimate users and expand their control over the compromised system and potentially move laterally to other systems through credential reuse.
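As an added illustration from the detection side (this is not part of the entry above), the script below parses auditd records produced by a file watch on /etc/shadow and reports reads made by programs outside an allowlist, as well as denied read attempts. The sample records, the watch key and the allowlist are constructed assumptions to be tuned per host.

```python
import re
from collections import defaultdict

# Constructed auditd records (not real logs), as emitted by a watch rule like
# "-w /etc/shadow -p r -k shadow_read": each SYSCALL record and its PATH record
# share the msg=audit(<time>:<serial>) identifier.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=3 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=3 comm="unshadow" exe="/usr/sbin/unshadow" key="shadow_read"
type=PATH msg=audit(1700000000.102:202): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=no exit=-13 uid=1000 auid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.104:204): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42
"""
# Programs that legitimately read /etc/shadow on this host (assumed allowlist; tune per host).
EXPECTED_READERS = {"sshd", "login", "passwd", "su", "sudo", "unix_chkpwd", "chage"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict, dropping quotes and adding the event serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
    fields["event_id"] = serial.group(1) if serial else None
    return fields

def find_shadow_reads(log_text):
    """Return (event_id, comm, uid, verdict) for /etc/shadow reads that were
    denied (a failed attempt) or made by a program outside the allowlist."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        events[rec["event_id"]].setdefault(rec["type"], []).append(rec)
    findings = []
    for event_id, recs in events.items():
        if "/etc/shadow" not in {p.get("name") for p in recs.get("PATH", [])}:
            continue  # the same key may be reused for other watched paths
        for sc in recs.get("SYSCALL", []):
            comm, uid = sc.get("comm"), sc.get("uid")
            if sc.get("success") != "yes":
                findings.append((event_id, comm, uid, "denied read attempt"))
            elif comm not in EXPECTED_READERS:
                findings.append((event_id, comm, uid, "unexpected reader"))
    return findings

if __name__ == "__main__":
    for event_id, comm, uid, verdict in find_shadow_reads(SAMPLE_AUDIT_LOG):
        print(f"event {event_id}: {verdict}: comm={comm} uid={uid}")
```

The sshd read is accepted by the allowlist; the unshadow and cat reads by root, and the denied read by uid 1000, are each reported as findings.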

References