Skip to content

Latest commit

 

History

History
134 lines (74 loc) · 3.27 KB

T1046.md

File metadata and controls

134 lines (74 loc) · 3.27 KB
Raw

T1046 - Network Service Scanning

Description from ATT&CK

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Atomic Tests


Atomic Test #1 - Port Scan

Scan ports to check for listening ports.

Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

for port in {1..65535};
do
  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done


Atomic Test #2 - Port Scan Nmap

Scan ports to check for listening ports with Nmap.

Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
host Host to scan. string 192.168.1.1
port Ports to scan. string 80
network_range Network Range to Scan. string 192.168.1.0/24

Attack Commands: Run with sh!

nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

Dependencies: Run with sh!

Description: Check if nmap command exists on the machine
Check Prereq Commands:
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Install nmap on the machine to run the test."; exit 1;


Atomic Test #3 - Port Scan NMap for Windows

Scan ports to check for listening ports for the local host 127.0.0.1

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
nmap_url NMap installer download URL url https://nmap.org/dist/nmap-7.80-setup.exe
host_to_scan The host to scan with NMap string 127.0.0.1

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

nmap #{host_to_scan}

Dependencies: Run with powershell!

Description: NMap must be installed
Check Prereq Commands:
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
Start-Process $env:temp\nmap-7.80-setup.exe /S