From 42687f20558653cc042dfab183e6846a6f4b5e09 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 23 Jan 2020 20:26:46 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1016/T1016.md | 58 ++++++++++++++++++++++++++++++++++++++++
 atomics/index.md | 1 +
 atomics/index.yaml | 34 ++++++++++++++++++++++-
 atomics/windows-index.md | 1 +
 4 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index f8f705a3..2f62dfaf 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -14,6 +14,8 @@ Adversaries may use the information from [System Network Configuration Discovery
 - [Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
+- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
+
@@ -103,4 +105,60 @@ nltest /domain_trusts
+
+
+
+## Atomic Test #5 - List Open Egress Ports
+This is to test for what ports are open outbound. The technique used was taken from the following blog:
+https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder\T1016\src\top-128.txt|
+| output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+$ports = Get-content #{port_file}
+$file = "#{output_file}"
+$totalopen = 0
+$totalports = 0
+New-Item $file -Force
+foreach ($port in $ports) {
+ $test = new-object system.Net.Sockets.TcpClient
+ $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
+ $wait.asyncwaithandle.waitone(250, $false) | Out-Null
+ $totalports++ | Out-Null
+ if ($test.Connected) {
+ $result = "$port open"
+ Write-Host -ForegroundColor Green $result
+ $result | Out-File -Encoding ASCII -append $file
+ $totalopen++ | Out-Null
+ }
+ else {
+ $result = "$port closed"
+ Write-Host -ForegroundColor Red $result
+ $totalclosed++ | Out-Null
+ $result | Out-File -Encoding ASCII -append $file
+ }
+}
+$results = "There were a total of $totalopen open ports out of $totalports ports tested."
+$results | Out-File -Encoding ASCII -append $file
+Write-Host $results
+```
+
+#### Cleanup Commands:
+```
+Remove-Item -ErrorAction ignore "#{output_file}"
+```
+
+
+
+
+
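Review bot: Each loop iteration in the Attack Commands block creates a `system.Net.Sockets.TcpClient` that is never closed, so every socket (including half-open connects that outlive the 250 ms `waitone`) stays allocated until the PowerShell session exits; adding `$test.Close()` after the if/else releases it. `$totalclosed` is incremented on the closed branch but never initialised or reported, so either drop it or add `$totalclosed = 0` beside `$totalopen = 0`, and `Get-content #{port_file}` should be quoted as `Get-Content "#{port_file}"` so a path containing spaces still works. Since this file and index.yaml are generated, the fix belongs in the atomic's source definition rather than in this commit; the same script appears in the index.yaml hunk.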
diff --git a/atomics/index.md b/atomics/index.md
index b6a6bda3..189348df 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -635,6 +635,7 @@
 - Atomic Test #2: List Windows Firewall Rules [windows]
 - Atomic Test #3: System Network Configuration Discovery [macos, linux]
 - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+ - Atomic Test #5: List Open Egress Ports [windows]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index c1fa488a..7431b633 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -18906,11 +18906,43 @@ discovery:
 executor:
 name: command_prompt
 elevation_required: false
- command: |-
+ command: |
 ipconfig /all
 net config workstation
 net view /all /domain
 nltest /domain_trusts
+ - name: List Open Egress Ports
+ description: |
+ This is to test for what ports are open outbound. The technique used was taken from the following blog:
+ https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+ supported_platforms:
+ - windows
+ input_arguments:
+ port_file:
+ description: The path to a text file containing ports to be scanned, one
+ port per line. The default list uses the top 128 ports as defined by Nmap.
+ type: Path
+ default: PathToAtomicsFolder\T1016\src\top-128.txt
+ output_file:
+ description: Path of file to write port scan results
+ type: Path
+ default: "$env:USERPROFILE\\Desktop\\open-ports.txt"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen
+ = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n
+ \ $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\",
+ $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n
+ \ $totalports++ | Out-Null\n if ($test.Connected) {\n $result
+ = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result
+ | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n
+ \ }\n else {\n $result = \"$port closed\" \n Write-Host
+ -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result
+ | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were
+ a total of $totalopen open ports out of $totalports ports tested.\"\n$results
+ | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
+ cleanup_command: Remove-Item -ErrorAction ignore "#{output_file}"
 T1049:
 technique:
 x_mitre_permissions_required:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 6f9020fd..11dff745 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -454,6 +454,7 @@
 - Atomic Test #1: System Network Configuration Discovery [windows]
 - Atomic Test #2: List Windows Firewall Rules [windows]
 - Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+ - Atomic Test #5: List Open Egress Ports [windows]
 - [T1049 System Network Connections Discovery](./T1049/T1049.md)
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]