CHAPTER 1
Fulfilling Pre-ATT&CK Objectives

Originally, MITRE Pre-ATT&CK was a stand-alone matrix within the MITRE ATT&CK framework. It detailed the various steps that an attacker could take to prepare before attempting to gain initial access to a target environment.

In October 2020, MITRE restructured the ATT&CK framework and condensed MITRE Pre-ATT&CK into two tactics of the ATT&CK matrix. The new version breaks Pre-ATT&CK into Reconnaissance and Resource Development, as shown in Figure 1.1.

Figure 1.1: MITRE Pre-ATT&CK

In this chapter, we will focus on the Reconnaissance tactic of MITRE Pre-ATT&CK. The reason is that while Resource Development can be automated, the details can vary greatly, and this stage of the attack is not visible to the defender. For example, Python could be used for implementing a domain generation algorithm (DGA) for phishing or automating the deployment of web-based services, but these apply only in certain types of attacks and can easily be implemented in other ways.

Reconnaissance, on the other hand, can benefit significantly from automation. Also, Python includes several packages that help with automating reconnaissance, such as scapy and various DNS libraries.

The MITRE Pre-ATT&CK framework includes 10 techniques for Reconnaissance. Here, we will explore the use of Python for the Active Scanning and Search Open Technical Databases techniques.

The code sample archive for this chapter can be found on the Download Code tab at https://www.wiley.com/go/pythonforcybersecurity and contains the following sample code files:

• PortScan.py
• HoneyScan.py
• DNSExploration.py
• HoneyResolver.py

Active Scanning

Network reconnaissance can be performed by either active or passive means. Active reconnaissance involves interacting with the target environment, while passive reconnaissance can involve eavesdropping on traffic or taking advantage of publicly available sources of information.

As its name suggests, the Active Scanning technique in MITRE ATT&CK is an example of Active Reconnaissance. It involves performing port or vulnerability scans against a target to determine which IP addresses are active, what services they are running, any vulnerabilities that may exist, and similar intelligence.

Scanning Networks with scapy

Nmap is the most used tool for port scanning. It implements several different types of scans and can be used to detect the versions of operating systems and services and to perform custom vulnerability scans.

In this section, we'll implement a couple of simple scans:

• SYN scan: A SYN scan sends a TCP SYN packet to a port and looks for a SYN/ACK packet in response.
• DNS scan: A DNS scan tests to see whether a DNS server is running on the target system.

To implement these scans, we'll be using the scapy library in Python. scapy makes it easy to create and send custom packets over the network and to sniff network traffic for responses.

PortScan.py

The code file PortScan.py implements a simple SYN and DNS scan using scapy. As shown near the top of the file, the code scans some commonly used ports for listening services, including 25, 80, 53, 443, 445, 8080, and 8443.

Implementing a SYN Scan in scapy

To start, take a look at the SynScan function in the code. As shown in Figure 1.2, a SYN scan sends out a SYN packet and looks for a SYN/ACK in response. A SYN/ACK indicates an open port, while a RST/ACK or no response within the two-second timeout indicates that a port is closed.

Figure 1.2: SYN scan in Wireshark

scapy breaks a packet into layers and makes it easy to access the various packet fields at each layer. Implementing a SYN scan in scapy requires setting values at the IP and TCP layers. Necessary values include the following:

• Destination IP address: This is set to the IP address of the target system.
• Source port: scapy uses a default port of 20, but it's best to set a high ephemeral port value instead.
• Destination port: scapy allows a list of ports to be passed to it and will create a packet for each.
• TCP flags: A SYN scan requires the SYN flag to be set.

This can be accomplished with the command IP(dst=host)/TCP(dport=ports,flags="S"). Layers in scapy are specified as classes with the desired values passed as parameters. Any fields in the packet that are not specified by the user are set automatically by scapy.

After building the SYN packet, the SynScan function sends it with the sr function. Here, sr stands for send/receive, meaning that it will transmit the SYN packet and monitor for any responses. Answered SYN scan packets are stored in ans, while unanswered ones are stored in unans.

The sr function in SynScan has a timeout of two seconds. After the time has elapsed or the connection is otherwise closed, it unpacks the contents of ans to look for responses that indicate open ports.

Within ans, SynScan looks at s and r, which are the SYN packets it sent and the responses that it received. With the command s[TCP].dport, the code accesses the TCP layer of a SYN packet it sent out and extracts the destination port to compare with the source port of the received packet. If they match and the received packet has the SYN/ACK flags set, then the port is marked as open.

Performing a DNS Scan in scapy

The only difference between implementing a SYN scan in scapy and a DNS scan is the structure of the packets that the code sends out. A SYN scan is performed at the TCP layer, while a DNS query is usually sent out over UDP and includes a DNS layer.

scapy's ability to set default values for unused fields means that only a few values need to be explicitly set within the DNS request packet:

• Destination IP address: The IP address of the target system.
• UDP port number: Set to 53, which is the default for DNS.
• Recursion desired (rd): Set this to 1.
• Query: A DNSQR structure containing the desired domain (qname).

This can all be put together in the command IP(sport=33333,dst=host)/ UDP(dport=53)/ DNS(rd=1,qd=DNSQR(qname=" google.com ")).

The DNSScan function also uses scapy's sr function to send out packets and look for responses. However, its code for checking for responses is simpler than the SYN scan. The query will receive a response only if a system is running a DNS server. If the ans variable is not empty, then the scanner has identified a DNS server.

Running the Code

After implementing the SYNScan and DNSScan functions, all that is left is the main function and running the code. PortScan.py uses Python's input function to request an IP address from the user and tests its validity with the ip_address function from the ipaddress Python library.

If the IP address is valid, then the code calls the SYNScan and DNSScan functions to produce the following output. The code must be run with Administrator/root permissions.

In the previous example, the IP address points to Google's DNS server. It makes sense that this would be running both a DNS server (port 53) and a web server (port 443).

Now, try running the code with an invalid IP address.