Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.Examples of tools and commands that acquire this information include "ping" or "net view" using Net. The contents of the
C:\Windows\System32\Drivers\etc\hostsfile can be viewed to gain insight into the existing hostname to IP mappings on the system.Specific to Mac, the
bonjourprotocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the/etc/hostsfile can be viewed to gain insight into existing hostname to IP mappings on the system.Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the
/etc/hostsfile can be viewed to gain insight into existing hostname to IP mappings on the system.In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs with information about remote systems and services.
Identify remote systems with net.exe
Supported Platforms: Windows
net view /domain
net view
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Supported Platforms: Windows
net group "Domain Computers" /domain
Identify domain controllers for specified domain.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_domain | Domain to query for domain controllers | String | domain.local |
nltest.exe /dclist:#{target_domain}
Identify remote systems via ping sweep
Supported Platforms: Windows
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
Identify remote systems via arp
Supported Platforms: Windows
arp -a
Identify remote systems via arp
Supported Platforms: Linux, macOS
arp -a | grep -v '^?'
Identify remote systems via ping sweep
Supported Platforms: Linux, macOS
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig
Supported Platforms: Windows
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}