T1595.003 - Active Scanning: Wordlist Scanning
Description from ATT&CK (opens in a new tab)
Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force (opens in a new tab), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: Gather Victim Org Information (opens in a new tab), or Search Victim-Owned Websites (opens in a new tab)).
For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: Exploit Public-Facing Application (opens in a new tab) or Brute Force (opens in a new tab)).
As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage Data from Cloud Storage (opens in a new tab) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally.
Atomic Tests
Atomic Test #1 - Web Server Wordlist Scan
This test will scan a target system with a wordlist of common directories and file paths.
Supported Platforms: Windows, Linux, macOS
auto_generated_guid: 89a83c3e-0b39-4c80-99f5-c2aa084098bd
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target | The target system to scan | string | http://localhost (opens in a new tab) |
wordlist | The wordlist to use for scanning | path | PathToAtomicsFolder/T1595.003/src/wordlist.txt |
request_timeout | The timeout for each request (in seconds) | integer | 5 |
output_file | File to output results to | string | $env:TMPDIR/wordlist_scan.txt |
Attack Commands: Run with powershell
!
Import-Module "PathToAtomicsFolder/T1595.003/src/WebServerScan.ps1"
Invoke-WordlistScan -Target "#{target}" -Wordlist "#{wordlist}" -Timeout "#{request_timeout}" -OutputFile "#{output_file}"
Write-Host "Scan complete. Results saved to: #{output_file}"