Discovery.md

MITRE ATT&CK - Discovery

  • Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

Account Discovery

Linux

  • On Linux, local users can be enumerated through the use of the /etc/passwd file which is world readable. In mac, this same file is only used in single-user mode in addition to the /etc/master.passwd file.

OS X

  • On Mac, groups can be enumerated through the groups and id commands. In mac specifically, dscl . list /Groups and dscacheutil -q group can also be used to enumerate groups and users.
  • dscl . list /Users

Windows

  • Account Discovery - ATT&CK
    • Adversaries may attempt to get a listing of local system or domain accounts.
    • Example commands that can acquire this information are net user, net group <groupname>, and net localgroup <groupname> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.
  • Net.exe reference
  • Dsquery - technet
  • “I Hunt Sys Admins” - Harmjoy
  • Powerview | Powershell Mafia - Powersploit - Recon
    • PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. It also implements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options. For detailed output of underlying functionality, pass the -Verbose or -Debug flags.

Application Window Discovery

  • Application Window Discovery - ATT&CK
    • Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script.

OS X

Linux

Windows

File and Directory Discovery


  • File and Directory Discovery - ATT&CK
    • Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Linux

OS X

Windows

  • MITRE
    • Example utilities used to obtain this information are dir and tree. JPCERT Custom tools may also be used to gather file and directory information and interact with the Windows API.
  • Microsoft DOS tree command
    • Is present on MS DOS -> 10.
  • dir - technet
    • Displays a list of a directory's files and subdirectories. If used without parameters, dir displays the disk's volume label and serial number, followed by a list of directories and files on the disk (including their names and the date and time each was last modified). For files, dir displays the name extension and the size in bytes. Dir also displays the total number of files and directories listed, their cumulative size, and the free space (in bytes) remaining on the disk.

Network Service Scanning


  • Network Service Scanning - ATT&CK
    • Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Windows

  • scanless
    • Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
  • ms15-034.nse Script

DNS:

DNS

  • Altdns
    • Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
  • AQUATONE
    • AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
  • DNSRecon
  • dns-discovery
    • Discovery peers in a distributed system using regular dns and multicast dns.
  • dns-parallel-prober
    • This script is a proof of concept for a parallelised domain name prober. It creates a queue of threads and tasks each one to probe a sub-domain of the given root domain. At every iteration step each dead thread is removed and the queue is replenished as necessary.
  • DNS Recon
  • DNS Dumpster
    • DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.
  • enumall
    • Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scarping, netcraft, and bruteforces to find subdomains. Plus resolves to IP.
  • Knockpy
    • Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
  • Sublist3r
    • Fast subdomains enumeration tool for penetration testers
  • sub6
    • subdomain take over detector and crawler
  • TXTDNS
    • TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques: Typos: Mised, doouble and transposde keystrokes; TLD/ccSLD rotation; Dictionary attack; Full Brute-force attack using alpha, numeric or alphanumeric charsets; Reverse grinding.
  • DNSEnum
    • Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

Email

Email

  • SIMPLYEMAIL
    • What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
  • Swaks - Swiss Army Knife for SMTP

Network Host/Service:

Network Host/Service

  • Nmap
    • Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
  • Enumerator
    • enumerator is a tool built to assist in automating the often tedious task of enumerating a target or list of targets during a penetration test.
  • hostmap
    • hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby by Alessandro Tanasi
  • Angry IP Scanner
    • Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.
  • UnicornScan
    • Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.
  • hping
    • hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
  • Consul
    • Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
  • CloudFail
    • CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server.
  • discover - Kali Scripts
    • For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
  • Firewalk
    • Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response. To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be bound) we can begin our scan.
  • CiscoRouter - tool
    • CiscoRouter is a tool for scanning Cisco-based routers over SSH. Rules can be created using accompanying CiscoRule application (see this repo) and stored in the "rules" directory.

SSH:

SSH

  • ssh-audit
    • SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

SQL:

SQL

  • SQLMap
    • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
  • PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
    • The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to quickly inventory the SQL Servers in their ADS domain.
    • [Documentation](https TLS/SSL Vulnerabilities ://github.com/NetSPI/PowerUpSQL/wiki)
    • Overview of PowerUpSQL

Netbios:

Netbios

  • NbtScan
    • This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on the Windows platforms: mine runs on just about everything.

SMTP:

SNMP:

SNMP

  • Onesixtyone
    • onesixtyone is an SNMP scanner which utilizes a sweep technique to achieve very high performance. It can scan an entire class B network in under 13 minutes. It can be used to discover devices responding to well-known community names or to mount a dictionary attack against one or more SNMP devices.
  • SNMPWALK
    • snmpwalk - retrieve a subtree of management values using SNMP GETNEXT requests

SIP:

MISC:

  • t50 - the fastest packet injector.
    • T50 was designed to perform “Stress Testing” on a variety of infra-structure network devices (Version 2.45), using widely implemented protocols, and after some requests it was was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP, TCP and UDP), some infra-structure specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP, EIGRP and OSPF).
  • gateway-finder
    • Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
  • a
    • ActiveMQ CLI testing and message management
  • OnionScan

Web:

Web

  • WPScan
    • WPScan is a black box WordPress vulnerability scanner.
  • WhatWeb
    • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
  • webDisco
    • Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionallty checks for common administrative interfaces and web server misconfigurations.
  • w3af
    • w3af: web application attack and audit framework, the open source web vulnerability scanner.
  • Tachyon
    • Tachyon is a Fast Multi-Threaded Web Discovery Tool
  • dirsearch
    • dirsearch is a simple command line tool designed to brute force directories and files in websites.
  • virtual-host-discovery
    • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
  • RAWR - Rapid Assessment of Web Resources
  • blacksheepwall
    • blacksheepwall is a hostname reconnaissance tool
  • virtual-host-discovery
    • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.

Network Share Discovery


  • [Network Share Discovery - ATT&CK](Network Share Discovery)
    • Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Linux

OS X

Windows

  • MITRE
    • File sharing over a Windows network occurs over the SMB protocol.Wikipedia Shared ResourceTechNet Shared Folder
    • Net can be used to query a remote system for available shared drives using the net view \remotesystem command. It can also be used to query shared drives on the local system using net share.
    • Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
  • Get-SmbShare
    • Retrieves the Server Message Block (SMB) shares on the computer.
  • NetResView
    • NetResView is a small utility that displays the list of all network resources (computers, disk shares, and printer shares) on your LAN. As opposed to "My Network Places" module of Windows, NetResView display all network resources from all domains/workgroups in one screen, and including admin/hidden shares.
  • Can you use a powershell script to find all shares on servers? - serverfault
  • Find shares with PowerShell where Everyone has Full Control permissions
  • Obtain a list of non-admin file shares from multiple Windows servers
  • Nmap NSE - smb-enum-shares
    • Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked. Running NetShareEnumAll will work anonymously against Windows 2000, and requires a user-level account on any other Windows version. Calling NetShareGetInfo requires an administrator account on all versions of Windows up to 2003, as well as Windows Vista and Windows 7, if UAC is turned down. Even if NetShareEnumAll is restricted, attempting to connect to a share will always reveal its existence. So, if NetShareEnumAll fails, a pre-generated list of shares, based on a large test network, are used. If any of those succeed, they are recorded.
  • List Shares in Windows w/ PowerShell
The command, from PowerShell would be something similar to the following:

    get-WmiObject -class Win32_Share 

Assuming communication is working as intended, you can also query for the shares of other systems, by adding a -computer switch and specifying the host you’re listing shares on, as follows:

    get-WmiObject -class Win32_Share -computer dc1.krypted.com

One can also list shared printers with a little trickeration in the {} side of things:
get-WmiObject -list | where {$_.name -match “Printer”}

Peripheral Device Discovery


  • Peripheral Device Discovery - ATT&CK
    • Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

Linux

OS X

Windows

Permission Groups Discovery


Linux

OS X

  • MITRE
    • On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.
  • dscl . list /Users
  • dscl . list /Groups

Windows

  • MITRE
    • Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.
  • Local Users and Groups overview - technet
  • Managing Permissions - technet
  • Windows: View “all” permissions of a specific user or group
  • BloodHound
    • BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Process Discovery


  • Process Discovery - ATT&CK
    • Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

Linux

OS X

Windows

Query Registry


  • Query Registry - ATT&CK
    • Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.Wikipedia Windows Registry Some of the information may help adversaries to further their operation within a network.

Windows

Remote System Discovery


  • Remote System Discovery
    • Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.

Linux

  • MITRE
    • Utilities such as "ping" and others can be used to gather information about remote systems.
  • ping, arp, etc.

OS X

  • Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.

Windows

  • MITRE
  • Examples of tools and commands that acquire this information include "ping" or "net view" using Net.

Windows

Security Software Discovery


  • Security Software Discovery - ATT&CK
    • Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.

OS X

  • MITRE
    • It's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Windows

System Information Discovery


  • System Information Discovery - ATT&CK
    • An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Linux

OS X

  • MITRE
    • On Mac, the systemsetup command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the system_profiler gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.
  • Get OS X System Info from the Command Line
  • Using System Profiler in Terminal

Windows

System Network Configuration Discovery


  • System Network Configuration Discovery - ATT&CK
    • Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Linux

OS X

Windows

  • Netstat - technet
    • Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.
  • Listing Windows Firewall Rules Using Microsoft PowerShell
  • Arp - technet
    • Arp allows you to view and modify the ARP cache.
  • Route - technet
    • Displays and modifies the entries in the local IP routing table. Used without parameters, route displays help.
  • NetBIOS over TCP/IP - Wikipedia
  • Nbtstat - technet
    • Nbtstat is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query.
  • Ipconfig
    • IPConfig is a command-line tool that displays the current configuration of the installed IP stack on a networked computer.

System Network Connections Discovery


  • System Network Connections Discovery - ATT&CK
    • Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Linux

  • MITRE
    • In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".

OS X

Windows

  • MITRE
    • Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
  • Netstat - technet
    • Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.
  • netstat - Wikipedia

System Owner/User Discovery


  • System Owner/User Discovery - ATT&CK
    • Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs.
Linux
  • MITRE
    • On Linux, the currently logged in user can be identified with w and who.

OS X

  • MITRE
    • On Mac, the currently logged in user can be identified with users,w, and who.
Windows

System Service Discovery


  • System Service Discovery - ATT&CK
    • Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist, and "net start" using Net, but adversaries may also use other tools as well.

Linux

OS X

Windows

  • Net Commands On Windows Operating Systems - support ms
  • NET.exe - ss64
  • SC - technet
    • Communicates with the Service Controller and installed services. SC.exe retrieves and sets control information about services. You can use SC.exe for testing and debugging service programs. Service properties stored in the registry can be set to control how service applications are started at boot time and run as background processes. SC.exe parameters can configure a specific service, retrieve the current status of a service, as well as stop and start a service. You can create batch files that call various SC.exe commands to automate the startup or shutdown sequence of services. SC.exe provides capabilities similar to Services in the Administrative Tools item in Control Panel.
  • Tasklist
    • Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.

System Time Discovery


  • System Time Discovery - ATT&CK
    • The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.MSDN System TimeTechnet Windows Time Service An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. Time Service The information could be useful for performing other techniques, such as executing a file with a Scheduled TaskRSA EU12 They're Inside, or to discover locality information based on time zone to assist in victim targeting.

Linux

  • date command

OS X

Windows

  • W32tm - technet
    • A tool used to diagnose problems occurring with Windows Time
  • W32tm
    • W32tm command reference