Skip to content

Latest commit

 

History

History
138 lines (79 loc) · 4.01 KB

T1018.md

File metadata and controls

138 lines (79 loc) · 4.01 KB

T1018 - Remote System Discovery

Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.

Windows

Examples of tools and commands that acquire this information include "ping" or "net view" using Net. The contents of the C:\Windows\System32\Drivers\etc\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system.

Mac

Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.

Linux

Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.

Cloud

In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs with information about remote systems and services.

Atomic Tests


Atomic Test #1 - Remote System Discovery - net

Identify remote systems with net.exe

Supported Platforms: Windows

Run it with command_prompt!

net view /domain
net view


Atomic Test #2 - Remote System Discovery - ping sweep

Identify remote systems via ping sweep

Supported Platforms: Windows

Run it with command_prompt!

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i


Atomic Test #3 - Remote System Discovery - arp

Identify remote systems via arp

Supported Platforms: Windows

Run it with command_prompt!

arp -a


Atomic Test #4 - Remote System Discovery - arp nix

Identify remote systems via arp

Supported Platforms: Linux, macOS

Run it with sh!

arp -a | grep -v '^?'


Atomic Test #5 - Remote System Discovery - sweep

Identify remote systems via ping sweep

Supported Platforms: Linux, macOS

Run it with sh!

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done


Atomic Test #6 - Remote System Discovery - nslookup

Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig

Supported Platforms: Windows

Run it with powershell! Elevation Required (e.g. root or admin)

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}