T1003.008: /etc/passwd and /etc/shadow
Essential information
- MITRE technique ID: T1003.008
- Confidence: 100/100
- Revoked: No
- Published: 16/12/2025 19:38
- Modified: 27/03/2026 01:12
- Author / Source: The MITRE Corporation
Aliases
T1003.008
Platforms
linux
Description
Adversaries may attempt to dump the contents of `/etc/passwd` and `/etc/shadow` to enable offline password cracking. Most modern Linux operating systems use a combination of `/etc/passwd` and `/etc/shadow` to store user account information, including password hashes in `/etc/shadow`. By default, `/etc/shadow` is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
Linux stores user information such as user ID, group ID, home directory path, and login shell in `/etc/passwd`. A "user" on the system may belong to a person or a service. All password hashes are stored in `/etc/shadow` - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
Adversaries may attempt to read or dump the `/etc/passwd` and `/etc/shadow` files on Linux systems via command line utilities such as the `cat` command.(Citation: Arctic Wolf) Additionally, the Linux utility `unshadow` can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command `/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db`(Citation: nixCraft - John the Ripper). Since the user information stored in `/etc/passwd` is linked to the password hashes in `/etc/shadow`, an adversary would need to have access to both.
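As an added detection example (not part of the ATT&CK entry), the script below flags opens of `/etc/shadow` by processes outside an assumed allowlist and `unshadow`-style command lines that name both files, using constructed auditd records, and checks the file's ownership and mode against the root-only default described above. The allowlist, the sample log and the one-record-per-line layout are assumptions.

```python
import os
import re
import stat

# Assumed baseline of processes that legitimately open /etc/shadow as root;
# tune it per distribution and host.
EXPECTED_READERS = {"sshd", "login", "sudo", "su", "passwd", "chage", "unix_chkpwd"}

# Constructed, simplified audit lines (not real captures): each event's SYSCALL
# and PATH records are joined onto one line, as a watch rule such as
# `-w /etc/shadow -p r -k shadow_read` would produce, plus one EXECVE record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:1): syscall=257 success=yes exit=3 comm="sshd" exe="/usr/sbin/sshd" uid=0 key="shadow_read" type=PATH name="/etc/shadow"
type=SYSCALL msg=audit(1700000000.102:2): syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" uid=0 key="shadow_read" type=PATH name="/etc/shadow"
type=SYSCALL msg=audit(1700000000.103:3): syscall=257 success=no exit=-13 comm="cat" exe="/usr/bin/cat" uid=1001 key="shadow_read" type=PATH name="/etc/shadow"
type=EXECVE msg=audit(1700000000.104:4): argc=3 a0="/usr/bin/unshadow" a1="/etc/passwd" a2="/etc/shadow"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Flatten key=value pairs; a later duplicate key (e.g. type=PATH) wins."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(line):
    """Return a finding string for one audit line, or None if it looks benign."""
    f = parse_fields(line)
    if "argc" in f:  # EXECVE record: inspect the argument vector a0..aN
        keys = sorted((k for k in f if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        args = [f[k] for k in keys]
        if any(a.endswith("unshadow") for a in args) or {"/etc/passwd", "/etc/shadow"} <= set(args):
            return "alert: passwd and shadow combined on one command line: " + " ".join(args)
        return None
    if f.get("name") != "/etc/shadow":
        return None
    comm, uid, ok = f.get("comm"), f.get("uid"), f.get("success") == "yes"
    if ok and uid == "0" and comm in EXPECTED_READERS:
        return None
    if not ok:
        return f"notice: denied /etc/shadow open by uid {uid} via {comm}"
    return f"alert: /etc/shadow opened by unexpected process {comm} (uid {uid})"

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def shadow_mode_ok(uid, mode):
    """True if root-owned and neither world-accessible nor group-writable
    (covers Debian's 0640 root:shadow and RHEL's 0000 root:root)."""
    return uid == 0 and not (mode & stat.S_IRWXO) and not (mode & stat.S_IWGRP)

def check_shadow_file(path="/etc/shadow"):
    st = os.stat(path)
    return shadow_mode_ok(st.st_uid, stat.S_IMODE(st.st_mode))

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```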
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.