OS Credential Dumping: Содержимое файлов /etc/passwd и /etc/shadow
Other sub-techniques of OS Credential Dumping (8)
Adversaries may attempt to dump the contents of /etc/passwd
and /etc/shadow
to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd
and /etc/shadow
to store user account information including password hashes in /etc/shadow
. By default, /etc/shadow
is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Примеры процедур |
|
Название | Описание |
---|---|
LaZagne |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.(Citation: GitHub LaZagne Dec 2018) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Password Policies |
Set and enforce secure password policies for accounts. |
Обнаружение
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd
and /etc/shadow
, alerting on the pid, process name, and arguments of such programs.
Ссылки
- Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.
- The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.