Skip to content
Atomic Red Team
atomics
T1595.003

T1595.003 - Active Scanning: Wordlist Scanning

Description from ATT&CK (opens in a new tab)

Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force (opens in a new tab), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information (opens in a new tab), or Search Victim-Owned Websites (opens in a new tab)).

For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application (opens in a new tab) or Brute Force (opens in a new tab)).

As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage Data from Cloud Storage (opens in a new tab) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.

Atomic Tests


Atomic Test #1 - Web Server Wordlist Scan

This test will scan a target system with a wordlist of common directories and file paths.

Supported Platforms: Windows, Linux, macOS

auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd

Inputs:

NameDescriptionTypeDefault Value
targetThe target system to scanstringhttp://localhost (opens in a new tab)
wordlistThe wordlist to use for scanningpathPathToAtomicsFolder/T1595.003/src/wordlist.txt
request_timeoutThe timeout for each request (in seconds)integer5
output_fileFile to output results tostring$env:TMPDIR/wordlist_scan.txt

Attack Commands: Run with powershell!

Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"