Generate docs from job=validate_atomics_generate_docs branch=master

2019-09-23 19:01:07 +00:00
parent 247367100b
commit 0860bb1ec7
4 changed files with 52 additions and 10 deletions
@@ -18,14 +18,16 @@ Utilities such as "ping" and others can be used to gather information about remo

 - [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)

- [Atomic Test #2 - Remote System Discover - ping sweep](#atomic-test-2---remote-system-discover---ping-sweep)
+- [Atomic Test #2 - Remote System Discovery - ping sweep](#atomic-test-2---remote-system-discovery---ping-sweep)

- [Atomic Test #3 - Remote System Discover - arp](#atomic-test-3---remote-system-discover---arp)
+- [Atomic Test #3 - Remote System Discovery - arp](#atomic-test-3---remote-system-discovery---arp)

 - [Atomic Test #4 - Remote System Discovery - arp nix](#atomic-test-4---remote-system-discovery---arp-nix)

 - [Atomic Test #5 - Remote System Discovery - sweep](#atomic-test-5---remote-system-discovery---sweep)

+- [Atomic Test #6 - Remote System Discovery - nslookup](#atomic-test-6---remote-system-discovery---nslookup)
+

 <br/>

@@ -46,7 +48,7 @@ net view
 <br/>
 <br/>

-## Atomic Test #2 - Remote System Discover - ping sweep
+## Atomic Test #2 - Remote System Discovery - ping sweep
 Identify remote systems via ping sweep

 **Supported Platforms:** Windows
@@ -62,7 +64,7 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
 <br/>
 <br/>

-## Atomic Test #3 - Remote System Discover - arp
+## Atomic Test #3 - Remote System Discovery - arp
 Identify remote systems via arp

 **Supported Platforms:** Windows
@@ -107,4 +109,25 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192



+<br/>
+<br/>
+
+## Atomic Test #6 - Remote System Discovery - nslookup
+Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
+$pieces = $localip.split(".")
+$firstOctet = $pieces[0]
+$secondOctet = $pieces[1]
+$thirdOctet = $pieces[2]
+foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
+```
+
+
+
 <br/>
@@ -475,10 +475,11 @@
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
-  - Atomic Test #2: Remote System Discover - ping sweep [windows]
-  - Atomic Test #3: Remote System Discover - arp [windows]
+  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
+  - Atomic Test #3: Remote System Discovery - arp [windows]
  - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
  - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
+  - Atomic Test #6: Remote System Discovery - nslookup [windows]
 - [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -14016,7 +14016,7 @@ discovery:
        command: |
          net view /domain
          net view
-    - name: Remote System Discover - ping sweep
+    - name: Remote System Discovery - ping sweep
      description: 'Identify remote systems via ping sweep

 '
@@ -14028,7 +14028,7 @@ discovery:
        command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

 '
-    - name: Remote System Discover - arp
+    - name: Remote System Discovery - arp
      description: 'Identify remote systems via arp

 '
@@ -14067,6 +14067,23 @@ discovery:
          0 ] && echo "192.168.1.$ip UP" || : ; done

 '
+    - name: Remote System Discovery - nslookup
+      description: 'Powershell script that runs nslookup on cmd.exe against the local
+        /24 network of the first network adaptor listed in ipconfig
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          $localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
+          $pieces = $localip.split(".")
+          $firstOctet = $pieces[0]
+          $secondOctet = $pieces[1]
+          $thirdOctet = $pieces[2]
+          foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
  T1063:
    technique:
      external_references:
@@ -320,8 +320,9 @@
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
-  - Atomic Test #2: Remote System Discover - ping sweep [windows]
-  - Atomic Test #3: Remote System Discover - arp [windows]
+  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
+  - Atomic Test #3: Remote System Discovery - arp [windows]
+  - Atomic Test #6: Remote System Discovery - nslookup [windows]
 - [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]