Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.
Platforms: Linux, macOS, Windows
Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network
Permissions Required: User, Administrator, SYSTEM
Scan ports to check for listening ports
Supported Platforms: Linux, macOS
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
Scan ports to check for listening ports with Nmap.
Supported Platforms: Linux, macOS
| Name | Description | Type | Default Value |
|---|---|---|---|
| network_range | Network Range to Scan. | string | 192.168.1.0/24 |
| port | Ports to scan. | string | 80 |
| host | Host to scan. | string | 192.168.1.1 |
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}