nerdexam
GIAC

GCIH · Question #676

Which file would an attacker need to read in order to crack passwords on a modern Linux system?

The correct answer is D. /etc/shadow. Modern Linux systems store hashed passwords in /etc/shadow, not /etc/passwd, making /etc/shadow the target for offline password cracking.

Vulnerability Exploitation & Privilege Escalation

Question

Which file would an attacker need to read in order to crack passwords on a modern Linux system?

Options

  • A/etc/passwd
  • B/usr/sbin/adduser
  • C%systemroot%\NTDS\NTDS.dit
  • D/etc/shadow

How the community answered

(28 responses)
  • A
    7% (2)
  • B
    4% (1)
  • D
    89% (25)

Why each option

Modern Linux systems store hashed passwords in /etc/shadow, not /etc/passwd, making /etc/shadow the target for offline password cracking.

A/etc/passwd

/etc/passwd is world-readable but on modern Linux systems it stores only account metadata such as UID, GID, home directory, and shell, with an 'x' placeholder where password hashes used to reside.

B/usr/sbin/adduser

/usr/sbin/adduser is a utility binary used to create user accounts and contains no password hashes or credential data.

C%systemroot%\NTDS\NTDS.dit

%systemroot%\NTDS\NTDS.dit is the Active Directory database file on Windows Domain Controllers and is not a Linux file or path.

D/etc/shadowCorrect

/etc/shadow stores the actual hashed passwords (and salts) for all user accounts on modern Linux systems. Unlike /etc/passwd, which is world-readable, /etc/shadow is restricted to root access only. An attacker who gains read access to /etc/shadow can extract the hashes and perform offline brute-force or dictionary attacks to recover plaintext passwords.

Concept tested: Linux shadow password file and credential storage

Source: https://www.man7.org/linux/man-pages/man5/shadow.5.html

Topics

#Linux password files#/etc/shadow#password cracking#Linux authentication

Community Discussion

No community discussion yet for this question.

Full GCIH Practice