OS Credential Dumping: /etc/passwd and /etc/shadow


Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Vulnerability ManagementAdvanced Network ScanLinux machinesAuthenticated ScanSSHLinux UsersPlugin ID: 95928


Linux User List Enumeration

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Platform: Linux

Tenable Release Date: 2023 Q4