/etc/shadow is the Linux file that stores user password hashes and aging information, readable only by root (unlike the world-readable /etc/passwd). Each line holds a hash in a format like $6$ (SHA-512) or $y$ (yescrypt) with a salt. An attacker who reads /etc/shadow (after gaining root) cracks the hashes offline with John or Hashcat to recover passwords, often reused elsewhere. It is the Linux equivalent of dumping the SAM.
What /etc/shadow is
On Linux, account names live in the world-readable /etc/passwd, but the password hashes were moved into /etc/shadow, readable only by root, precisely so ordinary users cannot grab and crack them.
Each /etc/shadow line has the username and a salted hash (the $id$salt$hash format, where $6$ is SHA-512crypt and $y$ is yescrypt), plus password-aging fields. The salt means identical passwords hash differently, so cracking is per-hash work.
The attack and payload
After gaining root (via a privilege escalation), the attacker takes the hashes and cracks them offline:
- Combine the files for cracking: unshadow /etc/passwd /etc/shadow > hashes.txt
- Crack with John: john --wordlist=rockyou.txt hashes.txt
- Or with Hashcat (mode 1800, SHA-512crypt): hashcat -m 1800 hashes.txt rockyou.txt
Recovered passwords are frequently reused for SSH, sudo, databases, or other hosts, extending the compromise. Documented for defensive context.
How to defend
- Enforce strong, unique passwords so salted hashes resist offline cracking.
- Use a strong hashing scheme (yescrypt, or SHA-512crypt with a high rounds count), which modern distributions use by default.
- Prevent the privilege escalation that gives root in the first place (root access is what lets an attacker read /etc/shadow).
- Do not reuse Linux passwords for SSH keys, databases, or other systems.
- Monitor for reads of /etc/shadow by non-root processes and other unusual access.
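The hash-field format described above and the "use a strong hashing scheme" recommendation can be checked with a small audit script. This is an added example, not code from the page; the acceptance policy (which schemes pass, and the MIN_ROUNDS floor for SHA-crypt) is an assumed baseline, and the sample file uses placeholder hash strings.

```python
import re
from typing import List, Tuple

# Hash-field prefix -> (scheme, acceptable?). This policy is an assumption: yescrypt,
# scrypt and bcrypt pass, sha*crypt only with enough rounds, md5crypt never.
SCHEMES = {"$y$": ("yescrypt", True), "$7$": ("scrypt", True), "$2b$": ("bcrypt", True),
           "$6$": ("sha512crypt", True), "$5$": ("sha256crypt", True), "$1$": ("md5crypt", False)}
MIN_ROUNDS = 100_000  # assumed floor for sha*crypt; glibc's default when omitted is 5000

def classify(field: str) -> Tuple[str, str]:
    """Classify one shadow password field as (scheme, status)."""
    if field == "":
        return ("none", "empty")   # no password set at all
    if field.startswith(("!", "*")):
        return ("none", "locked")  # no usable hash: account cannot log in by password
    for prefix, (name, strong) in SCHEMES.items():
        if field.startswith(prefix):
            if name in ("sha512crypt", "sha256crypt"):
                m = re.match(r"\$[56]\$rounds=(\d+)\$", field)
                rounds = int(m.group(1)) if m else 5000  # rounds= omitted -> glibc default
                return (name, "ok" if rounds >= MIN_ROUNDS else "weak")
            return (name, "ok" if strong else "weak")
    return ("unknown", "weak")  # e.g. legacy 13-character DES crypt

def audit(shadow_text: str) -> List[Tuple[str, str, str]]:
    """Parse shadow-format lines (user:hash:aging...) into (user, scheme, status)."""
    results = []
    for line in shadow_text.splitlines():
        if line.strip():
            user, pw = line.split(":", 2)[:2]
            results.append((user,) + classify(pw))
    return results

# Constructed sample file: the hash strings are placeholders, not real digests.
SAMPLE = """\
root:$y$j9T$fakeSalt$fakeYescryptHash:19700:0:99999:7:::
alice:$6$rounds=500000$fakeSalt$fakeSha512Hash:19700:0:99999:7:::
bob:$6$fakeSalt$fakeSha512HashDefaultRounds:19700:0:99999:7:::
legacy:$1$fakeSlt$fakeMd5cryptHash:19700:0:99999:7:::
svc:!:19700::::::
guest::19700::::::
"""

if __name__ == "__main__":
    for user, scheme, status in audit(SAMPLE):
        print(f"{user:8} {scheme:12} {status}")
```

Run it as root against the real file with `audit(open("/etc/shadow").read())`; any "weak" or "empty" result is an account to rehash (e.g. by forcing a password change) or lock.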