Generate docs from job=validate_atomics_generate_docs branch=master

2020-01-23 20:26:46 +00:00
parent 2ee6318e8b
commit 42687f2055
4 changed files with 93 additions and 1 deletions
@@ -14,6 +14,8 @@ Adversaries may use the information from [System Network Configuration Discovery

 - [Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)

+- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
+

 <br/>

@@ -103,4 +105,60 @@ nltest /domain_trusts



+<br/>
+<br/>
+
+## Atomic Test #5 - List Open Egress Ports
+This is to test for what ports are open outbound.  The technique used was taken from the following blog:
+https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder\T1016\src\top-128.txt|
+| output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt|
+
+
+#### Attack Commands: Run with `powershell`! 
+```
+$ports = Get-content #{port_file}
+$file = "#{output_file}"
+$totalopen = 0
+$totalports = 0
+New-Item $file -Force
+foreach ($port in $ports) {
+    $test = new-object system.Net.Sockets.TcpClient
+    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
+    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
+    $totalports++ | Out-Null
+    if ($test.Connected) {
+        $result = "$port open" 
+        Write-Host -ForegroundColor Green $result
+        $result | Out-File -Encoding ASCII -append $file
+        $totalopen++ | Out-Null
+    }
+    else {
+        $result = "$port closed" 
+        Write-Host -ForegroundColor Red $result
+        $totalclosed++ | Out-Null
+        $result | Out-File -Encoding ASCII -append $file
+    }
+}
+$results = "There were a total of $totalopen open ports out of $totalports ports tested."
+$results | Out-File -Encoding ASCII -append $file
+Write-Host $results
+```
+
+#### Cleanup Commands:
+```
+Remove-Item -ErrorAction ignore "#{output_file}"
+```
+
+
+
+
+
 <br/>
@@ -635,6 +635,7 @@
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
  - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+  - Atomic Test #5: List Open Egress Ports [windows]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -18906,11 +18906,43 @@ discovery:
      executor:
        name: command_prompt
        elevation_required: false
-        command: |-
+        command: |
          ipconfig /all
          net config workstation
          net view /all /domain
          nltest /domain_trusts
+    - name: List Open Egress Ports
+      description: |
+        This is to test for what ports are open outbound.  The technique used was taken from the following blog:
+        https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+      supported_platforms:
+      - windows
+      input_arguments:
+        port_file:
+          description: The path to a text file containing ports to be scanned, one
+            port per line. The default list uses the top 128 ports as defined by Nmap.
+          type: Path
+          default: PathToAtomicsFolder\T1016\src\top-128.txt
+        output_file:
+          description: Path of file to write port scan results
+          type: Path
+          default: "$env:USERPROFILE\\Desktop\\open-ports.txt"
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen
+          = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n
+          \   $test = new-object system.Net.Sockets.TcpClient\n    $wait = $test.beginConnect(\"allports.exposed\",
+          $port, $null, $null)\n    $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n
+          \   $totalports++ | Out-Null\n    if ($test.Connected) {\n        $result
+          = \"$port open\" \n        Write-Host -ForegroundColor Green $result\n        $result
+          | Out-File -Encoding ASCII -append $file\n        $totalopen++ | Out-Null\n
+          \   }\n    else {\n        $result = \"$port closed\" \n        Write-Host
+          -ForegroundColor Red $result\n        $totalclosed++ | Out-Null\n        $result
+          | Out-File -Encoding ASCII -append $file\n    }\n}\n$results = \"There were
+          a total of $totalopen open ports out of $totalports ports tested.\"\n$results
+          | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
+        cleanup_command: Remove-Item -ErrorAction ignore "#{output_file}"
  T1049:
    technique:
      x_mitre_permissions_required:
@@ -454,6 +454,7 @@
  - Atomic Test #1: System Network Configuration Discovery [windows]
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+  - Atomic Test #5: List Open Egress Ports [windows]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]