Skip to content

Latest commit

 

History

History
330 lines (166 loc) · 8.54 KB

T1018.md

File metadata and controls

330 lines (166 loc) · 8.54 KB

T1018 - Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.

Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.

Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)

Atomic Tests


Atomic Test #1 - Remote System Discovery - net

Identify remote systems with net.exe.

Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net view /domain
net view


Atomic Test #2 - Remote System Discovery - net group Domain Computers

Identify remote systems with net.exe querying the Active Directory Domain Computers group.

Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net group "Domain Computers" /domain


Atomic Test #3 - Remote System Discovery - nltest

Identify domain controllers for specified domain.

Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
target_domain Domain to query for domain controllers String domain.local

Attack Commands: Run with command_prompt!

nltest.exe /dclist:#{target_domain}


Atomic Test #4 - Remote System Discovery - ping sweep

Identify remote systems via ping sweep.

Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i


Atomic Test #5 - Remote System Discovery - arp

Identify remote systems via arp.

Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

arp -a


Atomic Test #6 - Remote System Discovery - arp nix

Identify remote systems via arp.

Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

arp -a | grep -v '^?'

Dependencies: Run with sh!

Description: Check if arp command exists on the machine
Check Prereq Commands:
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; 
Get Prereq Commands:
echo "Install arp on the machine."; exit 1;


Atomic Test #7 - Remote System Discovery - sweep

Identify remote systems via ping sweep.

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
start_host Subnet used for ping sweep. string 1
stop_host Subnet used for ping sweep. string 254
subnet Subnet used for ping sweep. string 192.168.1

Attack Commands: Run with sh!

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done


Atomic Test #8 - Remote System Discovery - nslookup

Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.

Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}


Atomic Test #9 - Remote System Discovery - adidnsdump

This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list dns zones in the terminal.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
user_name username including domain. string domain\user
acct_pass Account password. string password
host_name hostname or ip address to connect to. string 192.168.1.1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

Dependencies: Run with powershell!

Description: Computer must have python 3 installed
Check Prereq Commands:
if (python --version) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
if (pip3 -V) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "PIP must be installed manually"
Description: adidnsdump must be installed and part of PATH
Check Prereq Commands:
if (cmd /c adidnsdump -h) {exit 0} else {exit 1} 
Get Prereq Commands:
pip3 install adidnsdump