MITRE ATT&CK Technique
Description
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats) Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats) Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-11T18:46:56.263Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to dump the contents of '
'<code>/etc/passwd</code> and <code>/etc/shadow</code> to '
'enable offline password cracking. Most modern Linux operating '
'systems use a combination of <code>/etc/passwd</code> and '
'<code>/etc/shadow</code> to store user account information, '
'including password hashes in <code>/etc/shadow</code>. By '
'default, <code>/etc/shadow</code> is only readable by the '
'root user.(Citation: Linux Password and Shadow File Formats)\n'
'\n'
'Linux stores user information such as user ID, group ID, home '
'directory path, and login shell in <code>/etc/passwd</code>. '
'A "user" on the system may belong to a person or a service. '
'All password hashes are stored in <code>/etc/shadow</code> - '
'including entries for users with no passwords and users with '
'locked or disabled accounts.(Citation: Linux Password and '
'Shadow File Formats)\n'
'\n'
'Adversaries may attempt to read or dump the '
'<code>/etc/passwd</code> and <code>/etc/shadow</code> files '
'on Linux systems via command line utilities such as the '
'<code>cat</code> command.(Citation: Arctic Wolf) '
'Additionally, the Linux utility <code>unshadow</code> can be '
'used to combine the two files in a format suited for password '
'cracking utilities such as John the Ripper - for example, via '
'the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > '
'/tmp/crack.password.db</code>(Citation: nixCraft - John the '
'Ripper). Since the user information stored in '
'<code>/etc/passwd</code> are linked to the password hashes in '
'<code>/etc/shadow</code>, an adversary would need to have '
'access to both.',
'external_references': [{'external_id': 'T1003.008',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1003/008'},
{'description': 'Julian Tuin, Stefan Hostetler, Jon '
'Grimm, Aaron Diaz, and Trevor Daher. '
'(2024, November 22). Arctic Wolf '
'Observes Threat Campaign Targeting '
'Palo Alto Networks Firewall Devices. '
'Retrieved January 8, 2025.',
'source_name': 'Arctic Wolf',
'url': 'https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/'},
{'description': 'The Linux Documentation Project. '
'(n.d.). Linux Password and Shadow '
'File Formats. Retrieved February 19, '
'2020.',
'source_name': 'Linux Password and Shadow File '
'Formats',
'url': 'https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html'},
{'description': 'Vivek Gite. (2014, September 17). '
'Linux Password Cracking: Explain '
'unshadow and john Commands (John the '
'Ripper Tool). Retrieved February 19, '
'2020.',
'source_name': 'nixCraft - John the Ripper',
'url': 'https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/'}],
'id': 'attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:49:25.253Z',
'name': '/etc/passwd and /etc/shadow',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux'],
'x_mitre_version': '1.2'}