diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index 8baa9595..b8201893 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -200,7 +200,7 @@ atomic_tests:
 - windows
 input_arguments:
 ip_address:
- description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine.
+ description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots)
 type: string
 default: ""
 port_list:
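Review bot: The new description has a typo (`targe IPs`) and does not say how the two input forms differ in what actually gets scanned: in the executor below, a single address is still expanded to its whole /24, while a comma-separated list is probed entry by entry with no subnet expansion, which is exactly what the honeypot use case depends on. Suggested wording: `IP-Address within the target subnet (the whole /24 is scanned). Default is empty and the script uses the local IP of the attacking machine. A comma separated list of target IPs is also accepted; these are scanned individually with no subnet expansion (useful to simulate a wider scan while only touching key hosts, e.g. honeypots).`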
@@ -212,33 +212,58 @@ atomic_tests:
 type: string
 default: "200"
 executor:
- command: |
+ command: |-
 $ipAddr = "#{ip_address}"
- if ($ipAddr -eq "") {
- # Assumes the "primary" interface is shown at the top
- $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
- Write-Host "[i] Using Interface $interface"
- $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
- }
- Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
- $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
- # Always assumes /24 subnet
- Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
-
- $ports = #{port_list}
- $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
-
- foreach ($ip in $subnetIPs) {
- foreach ($port in $ports) {
- try {
- $tcp = New-Object Net.Sockets.TcpClient
- $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
- } catch {}
- if ($tcp.Connected) {
- $tcp.Close()
- Write-Host "Port $port is open on $ip"
- }
+ if ($ipAddr -like "*,*") {
+ $ip_list = $ipAddr -split ","
+ $ip_list = $ip_list.ForEach({ $_.Trim() })
+ Write-Host "[i] IP Address List: $ip_list"
+
+ $ports = #{port_list}
+
+ foreach ($ip in $ip_list) {
+ foreach ($port in $ports) {
+ Write-Host "[i] Establishing connection to: $ip : $port"
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
 }
+ } elseif ($ipAddr -notlike "*,*") {
+ if ($ipAddr -eq "") {
+ # Assumes the "primary" interface is shown at the top
+ $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
+ Write-Host "[i] Using Interface $interface"
+ $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
+ }
+ Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
+ $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
+ # Always assumes /24 subnet
+ Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
+
+ $ports = #{port_list}
+ $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
+
+ foreach ($ip in $subnetIPs) {
+ foreach ($port in $ports) {
+ try {
+ $tcp = New-Object Net.Sockets.TcpClient
+ $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
+ } catch {}
+ if ($tcp.Connected) {
+ $tcp.Close()
+ Write-Host "Port $port is open on $ip"
+ }
+ }
+ }
+ } else {
+ Write-Host "[Error] Invalid Inputs"
+ exit 1
 }
 name: powershell
 - name: Remote Desktop Services Discovery via PowerShell
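Review bot: The `elseif ($ipAddr -notlike "*,*")` is the exact negation of the `if` above it, so the new `else { Write-Host "[Error] Invalid Inputs"; exit 1 }` branch can never run and no input is actually rejected. A hostname, an empty entry left by a trailing comma, or a value with no '.' falls straight into one of the scan branches; in the /24 branch `LastIndexOf('.')` returns -1, `$subnetSubstring` becomes "" and the loop probes the bare strings "1".."254". The two branches otherwise repeat the same TcpClient loop (the list branch only adds the `[i] Establishing connection` line), and neither disposes `$tcp` on the not-connected path, so every timed-out probe leaks a client until GC. I would have each branch only build `$targets`, reject entries that are not dotted-quad IPv4 before touching the network (a bare `[ipaddress]::TryParse` is too loose for this, it accepts "1" as 0.0.0.1), and scan once as sketched below; the surrounding YAML and the `$ipAddr = "#{ip_address}"` line are unchanged.
```powershell
$ipAddr = "#{ip_address}"
$ports = #{port_list}
$targets = @()
if ($ipAddr -like "*,*") {
  # Explicit list: probe exactly these hosts, no subnet expansion
  $targets = ($ipAddr -split ",").ForEach({ $_.Trim() }) | Where-Object { $_ -ne "" }
  Write-Host "[i] IP Address List: $targets"
} else {
  # … unchanged: interface auto-detection when $ipAddr is "" …
  $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
  Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
  $targets = 1..254 | ForEach-Object { "$subnetSubstring$_" }
}
# Only literal IPv4 dotted quads reach the scanner; anything else is the error the else branch was meant for
$bad = @($targets | Where-Object { $_ -notmatch '^\d{1,3}(\.\d{1,3}){3}$' })
if ($targets.Count -eq 0 -or $bad.Count -gt 0) {
  Write-Host "[Error] Invalid Inputs: $bad"
  exit 1
}
foreach ($ip in $targets) {
  foreach ($port in $ports) {
    Write-Host "[i] Establishing connection to: $ip : $port"
    $tcp = New-Object Net.Sockets.TcpClient
    try {
      $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
      if ($tcp.Connected) { Write-Host "Port $port is open on $ip" }
    } catch {}
    # Dispose on every path so timed-out probes do not pile up open sockets
    $tcp.Dispose()
  }
}
```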