System Network Configuration Discovery¶

What is System Network Configuration Discovery?¶

System Network Configuration Discovery refers to the techniques used by attackers to gather information about the network configuration of a target system. This includes details such as IP addressing, domain information, network services running on devices, and the architecture of the underlying network. This category is part of a broader set of tactics outlined by MITRE ATT&CK, specifically under the reconnaissance phase where adversaries attempt to collect valuable information that can be used to refine attack strategies.

How is System Network Network Configuration Discovery Performed?¶

1. IP Address Enumeration: Attackers use tools like ifconfig, ipconfig, or ip command on Unix-like and Windows systems respectively to discover the IP addresses configured on a compromised host.

2. Network Topology Mapping: Tools such as traceroute, nmap, or more sophisticated network scanners are used to map out the network topology, identifying how systems are interconnected, and what other devices are present in the environment.

3. Domain Information Gathering: Techniques involve querying DNS records using tools like dig or nslookup. This can reveal not only domain names but also associated subdomains and IP addresses linked to services.

4. Viewing Routing Tables: Commands like netstat -r or route allow attackers to view routing tables, understanding how traffic is routed within networks which could be crucial for lateral movement.

5. Inspecting Configured Ports and Services: Using commands like netstat -an or tools like Wireshark provides insights into active connections and listening ports, revealing potential entry points for further exploits.

6. Wireless Network Information: On wireless-enabled devices, commands like iwconfig or tools like Airmon-ng can be used to gather information about local wireless networks which might offer an alternative vector for attacks.

Where is System Network Configuration Discovery Applied?¶

This tactic is applied primarily at the host level initially after gaining some form of access but can expand outward as more networked devices are compromised. The reconnaissance can happen in any environment where networked computers operate — from small home networks to large enterprise environments. It's particularly prevalent in targeted attacks where understanding the environment is key to achieving specific objectives without being detected.

Why Perform System Network Configuration Discovery?¶

The primary reason for performing system network configuration discovery is to facilitate further attacks by:

• Identifying Weak Points: Understanding network configurations helps in identifying poorly secured nodes, misconfigurations, or outdated systems that are easier targets.
• Lateral Movement: Detailed knowledge of the network topology assists attackers in planning lateral movements within a compromised environment effectively.
• Avoiding Detection: By understanding how monitoring and logging are configured over the network (e.g., location of firewalls and IDS), attackers can navigate around security measures.
• Tailoring Exploits: Certain vulnerabilities might only exist under specific configurations; thus, detailed reconnaissance allows crafting of bespoke exploits that have higher chances of success.
• Strategic Planning: Long-term foothold within a network requires an understanding of its layout and key assets; this discovery phase feeds into this strategic planning by highlighting critical infrastructure components (like servers hosting sensitive data).

In summary, System Network Configuration Discovery forms a foundational step in many cyberattack frameworks allowing attackers to map out their attack surface efficiently and plan subsequent stages of their intrusion campaigns with greater precision.