H3-2021-0045

Credential Dumping - /etc/shadow File

Category	SECURITY_CONTROLS
Base Score	6.7

Description

The /etc/shadow file contains password hashes for all local users on Linux systems. By default, only accounts with root privileges are able to access this file.

Impact

Attackers who are able to crack any password hashes from this file can login with those credentials to appear like legitimate users. They can also exploit password re-use to move laterally to other systems.

References

• MITRE ATT&CK Technique: OS Credential Dumping: /etc/passwd and /etc/shadow
• Red Hat: How to monitor permission, ownership or any other change to a particular directory or file