Scanning IP Blocks

Information

• Name: Scanning IP Blocks

• ID: T1595.001

• Tactics: TA0043

• Technique: T1595

Introduction

Scanning IP Blocks (T1595.001) is a sub-technique within the MITRE ATT&CK framework, categorized under Active Scanning (T1595). This technique involves adversaries systematically probing large ranges of IP addresses to identify live hosts, open ports, and available services. By scanning IP blocks, attackers gather valuable reconnaissance data that can be leveraged in subsequent attack stages, such as exploitation, lateral movement, or denial-of-service attacks. It is a foundational step in adversary reconnaissance and often precedes more targeted and sophisticated cyber operations.

Deep Dive Into Technique

Scanning IP Blocks involves systematically sending network packets to large sets of IP addresses, typically within a specified range or subnet, to detect responsive hosts and open services. Attackers employ various scanning methodologies and tools to perform this reconnaissance:

• Scanning Methods:

  • Ping Sweep (ICMP Echo Requests): Identifies active hosts by sending ICMP echo requests and listening for echo replies.

  • TCP SYN Scan: Sends TCP SYN packets to targeted ports; responses (SYN-ACK) indicate open ports, while RST or no response indicates closed or filtered ports.

  • UDP Scan: Sends UDP packets to specific ports; lack of response or ICMP unreachable messages help identify open, closed, or filtered UDP ports.

  • Stealth Scan (FIN, NULL, XMAS scans): Uses specially crafted TCP packets to evade traditional detection mechanisms.

  • ACK Scan: Determines firewall rulesets by analyzing responses to ACK packets.

• Common Tools Used:

  • Nmap: Widely used network scanning tool capable of performing various scans (TCP, UDP, stealth, OS detection, script scanning).

  • Masscan: High-speed scanner capable of scanning large IP ranges rapidly.

  • Zmap: Fast, Internet-scale scanner commonly used for large-scale network reconnaissance.

  • Shodan and Censys: Online platforms providing pre-scanned data of Internet-connected assets.

• Mechanisms and Procedures:

  • Attackers typically automate scans using scripts or scanning tools to rapidly cover extensive IP ranges.

  • They often randomize or slow down scanning activities to evade detection systems and IDS/IPS alerts.

  • Results from scanning are analyzed to identify vulnerable hosts, open ports, versions of services, and potential entry points for further exploitation.

When this Technique is Usually Used

Scanning IP Blocks frequently appears in various attack stages and scenarios, including:

• Reconnaissance Stage:

  • Early-phase information gathering to identify live hosts, open ports, and available services.

  • Preparation for targeted exploitation or credential harvesting.

• Initial Access Stage:

  • Identifying vulnerable or misconfigured services that can serve as entry points for exploitation.

• Lateral Movement Stage:

  • Internal network scans to discover additional hosts and services for lateral movement within compromised environments.

• Pre-Attack Planning for Denial-of-Service (DoS/DDoS):

  • Identifying target networks and systems susceptible to resource exhaustion or service disruption attacks.

• Opportunistic Attacks:

  • Attackers scanning broad IP ranges to identify easily exploitable targets for mass exploitation campaigns.

How this Technique is Usually Detected

Detection of IP Block Scanning involves analyzing network traffic, monitoring logs, and employing specialized security tools:

• Network-Based Detection:

  • Intrusion Detection Systems (IDS) such as Snort, Suricata, or Zeek (formerly Bro) can detect scanning patterns based on signatures or anomaly detection.

  • Firewall logs and network traffic analytics tools identify unusual spikes in connection attempts or packet flows from single or multiple IP addresses.

• Behavioral Analysis:

  • Security Information and Event Management (SIEM) solutions correlate events and identify patterns indicative of scanning activities.

  • Machine-learning-based Network Traffic Analysis (NTA) solutions detect anomalous network behavior, such as high rates of connection attempts or unusual port access patterns.

• Host-Based Detection:

  • Host-based Intrusion Detection Systems (HIDS) and endpoint protection tools log suspicious connection attempts or unusual network activity from unknown sources.

• Specific Indicators of Compromise (IoCs):

  • Sudden increase in ICMP echo requests (ping sweeps) across multiple hosts.

  • Numerous connection attempts to sequential or random IP addresses and ports.

  • Repeated TCP SYN packets without completion of TCP handshake (half-open connections).

  • Anomalous UDP packets or ICMP "Port Unreachable" messages indicative of UDP scans.

  • Alerts triggered by known scanning tools' signatures (e.g., Nmap, Masscan).

Why it is Important to Detect This Technique

Early detection and mitigation of IP Block Scanning is crucial due to its potential impact on organizational security posture:

• Preventing Subsequent Exploitation:

  • Early detection and blocking of scanning activities prevent attackers from identifying vulnerable assets, reducing the risk of targeted exploitation.

• Reducing Attack Surface Exposure:

  • Identifying scanning attempts enables organizations to proactively secure vulnerable services and close unnecessary ports, minimizing attack surface.

• Protecting Sensitive Information:

  • Preventing reconnaissance reduces the likelihood of attackers discovering critical infrastructure or sensitive systems within the network.

• Avoiding Resource Exhaustion and Denial-of-Service:

  • Early detection and response prevent attackers from conducting large-scale DoS/DDoS attacks by identifying potential targets in advance.

• Compliance and Security Posture:

  • Detecting and responding to scanning activities aligns with compliance requirements and demonstrates proactive security measures, enhancing overall security posture and reducing organizational risk.

Examples

Real-world examples of Scanning IP Blocks in attack scenarios:

• Mirai Botnet:

  • Leveraged automated IP scanning to identify vulnerable IoT devices with default credentials and open Telnet ports.

  • Tools Used: Custom scanning scripts, automated bots.

  • Impact: Massive DDoS attacks against targets, including DNS provider Dyn, causing widespread Internet outages.

• WannaCry Ransomware:

  • Conducted internal network scans post-infection to identify additional hosts vulnerable to the EternalBlue SMB exploit.

  • Tools Used: Built-in SMB scanning capabilities, leveraging EternalBlue exploit.

  • Impact: Global ransomware outbreak affecting hundreds of thousands of systems, causing significant operational disruption.

• Shodan and Censys Usage by Attackers:

  • Attackers utilize publicly available scanning data from platforms like Shodan and Censys to identify vulnerable Internet-facing systems.

  • Tools Used: Shodan, Censys, custom scripts to query exposed services.

  • Impact: Targeted exploitation of vulnerable hosts, data breaches, and unauthorized access.

• APT28 (Fancy Bear):

  • Conducted extensive reconnaissance through IP scanning to identify targets' exposed services and potential vulnerabilities.

  • Tools Used: Nmap, custom scanning scripts, stealth scanning techniques.

  • Impact: Targeted cyber espionage campaigns, data exfiltration, and compromise of sensitive governmental and organizational networks.