Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to obscure the contents of user passwords: /etc/passwd holds the world-readable account information, while the password hashes are stored in /etc/shadow. By default, /etc/shadow is only readable by the root user.
The Linux utility unshadow can be used to combine the two files into a format suited for password cracking utilities such as John the Ripper:
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Ensure that root accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management: Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information.
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/shadow, alerting on the PID, process name, and arguments of such programs.
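As an added example (not part of the original page), the detection described above: an auditd file watch on /etc/shadow plus an execve rule, and a small parser that correlates the resulting records by event serial so each /etc/shadow access is reported with the PID, process name, executable, login UID and the command-line arguments captured at that process's last execve. The audit records are constructed and trimmed to the fields used; real records carry more.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real host): what the two rules below
# record when `unshadow /etc/passwd /etc/shadow` runs, then sshd reading
# /etc/shadow during a normal login (a routine reader to allow-list):
#   auditctl -w /etc/shadow -p rwa -k shadow_access
#   auditctl -a always,exit -F arch=b64 -S execve -k exec_log
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:300): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4242 auid=1000 uid=0 euid=0 comm="unshadow" exe="/usr/bin/unshadow" key="exec_log"
type=EXECVE msg=audit(1700000000.101:300): argc=3 a0="unshadow" a1="/etc/passwd" a2="/etc/shadow"
type=SYSCALL msg=audit(1700000000.102:301): arch=c000003e syscall=257 success=yes exit=3 ppid=4000 pid=4242 auid=1000 uid=0 euid=0 comm="unshadow" exe="/usr/bin/unshadow" key="shadow_access"
type=PATH msg=audit(1700000000.102:301): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.200:302): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=700 auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow_access"
type=PATH msg=audit(1700000000.200:302): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')        # key=value or key="value"
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')     # the event serial after the colon

def parse_record(line):
    """Split one audit record into key=value fields, stripping quotes from values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def shadow_access_alerts(log_text, key="shadow_access"):
    """One alert per event that hit the /etc/shadow watch: pid, comm, exe, auid,
    the paths touched, and the argv from that pid's most recent execve (if logged)."""
    events = defaultdict(list)  # serial -> all records belonging to that event
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[int(m.group(1))].append(parse_record(line))
    last_argv, alerts = {}, []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        execve = next((r for r in recs if r.get("type") == "EXECVE"), None)
        if execve is not None:  # remember argv so a later file access can be enriched
            last_argv[syscall["pid"]] = [execve[f"a{i}"] for i in range(int(execve["argc"]))]
        if syscall.get("key") == key:
            alerts.append({
                "pid": int(syscall["pid"]), "comm": syscall.get("comm"),
                "exe": syscall.get("exe"), "auid": syscall.get("auid"),
                "argv": last_argv.get(syscall["pid"]),
                "paths": [r["name"] for r in recs if r.get("type") == "PATH"],
            })
    return alerts
```

An auid of 4294967295 marks a process with no login session (a daemon such as sshd, which legitimately reads /etc/shadow during authentication), so a practical rule suppresses known readers by exe and alerts on the rest, especially when the auid is a real user.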