
GPEN · Question #414

GPEN Question #414: Real Exam Question with Answer & Explanation

The correct answer is B. Read /etc/shadow and look for "x" or "II" in the second colon-delimited field. Shadow passwords on Unix systems store hashed credentials in /etc/shadow, with specific field markers indicating when shadow authentication is active.

Question

How can a non-privileged user on a Unix system determine if shadow passwords are being used?

Options

  • A. Read /etc/password and look for "x" or "II" in the second colon-delimited field
  • B. Read /etc/shadow and look for "x" or "II" in the second colon-delimited field
  • C. Verify that /etc/password has been replaced with /etc/shadow
  • D. Read /etc/shadow and look for NULL values in the second comma-delimited field

Explanation

Shadow passwords on Unix systems store hashed credentials in /etc/shadow, with specific field markers indicating when shadow authentication is active.

Common mistakes.

  • A. The filename /etc/password does not exist as a standard Unix file; the correct filename is /etc/passwd, making this option based on an incorrect file reference.
  • C. Shadow passwords do not replace /etc/passwd; both files coexist, with /etc/passwd retaining user account metadata while /etc/shadow stores the password hashes.
  • D. /etc/shadow uses colon-delimited fields, not comma-delimited fields, so referencing comma-delimited NULL values reflects a fundamentally incorrect understanding of the file format.

Concept tested. Unix shadow password file format and field indicators

Reference. https://www.man7.org/linux/man-pages/man5/shadow.5.html
