IP Addresses (T1590.005)

Information

• Name: IP Addresses

• ID: T1590.005

• Tactics:

• Technique:

Introduction

The MITRE ATT&CK sub-technique T1590.005, IP Addresses, is categorized under the broader technique of gathering victim network information. This sub-technique specifically focuses on adversaries identifying and enumerating IP addresses associated with a targeted organization. Attackers use this information to map out the target's network architecture, identify potential entry points, and prepare further attacks or reconnaissance activities. Obtaining precise IP address information helps attackers better understand the victim's external and internal network landscape, enabling more targeted and effective cyber operations.

Deep Dive Into Technique

Attackers leverage multiple methods to identify and enumerate IP addresses belonging to a victim organization. Common technical methods include:

• DNS Enumeration and Reconnaissance:

  • Performing DNS lookups, zone transfers, or reverse DNS queries to map hostnames to IP addresses.

  • Utilizing publicly available DNS enumeration tools such as dnsenum, dnsrecon, dig, and nslookup.

• Scanning and Probing:

  • Using network scanning tools like Nmap, Masscan, or Zmap to perform active reconnaissance and identify responding IP addresses.

  • Conducting TCP/UDP scans, ping sweeps, and ICMP echo requests to confirm active hosts.

• Passive Reconnaissance Techniques:

  • Leveraging open-source intelligence (OSINT) tools and services such as Shodan, Censys, ZoomEye, and SecurityTrails to discover publicly exposed IP addresses without directly interacting with the target network.

  • Analyzing SSL/TLS certificate transparency logs and historical DNS records to identify IP addresses previously or currently associated with the targeted domain.

• Cloud Service Enumeration:

  • Enumerating cloud infrastructure IP addresses through cloud provider APIs, metadata services, or DNS enumeration of cloud-hosted resources.

  • Identifying IP address ranges assigned to cloud providers (AWS, Azure, Google Cloud Platform) and correlating them with victim-owned domains or cloud resources.

• Web-based Reconnaissance:

  • Inspecting HTTP headers, website source code, and web application responses to identify internal or external IP addresses inadvertently disclosed through configuration errors or misconfigured services.

Attackers may combine multiple methods to cross-validate obtained IP addresses and improve the accuracy of their reconnaissance data.

When this Technique is Usually Used

This sub-technique is primarily observed during the reconnaissance and initial access phases of the cyber kill chain. Typical attack scenarios and stages include:

• Initial Reconnaissance:

  • Attackers gather initial intelligence about the target's network infrastructure to plan further attacks.

  • Enumerating IP addresses to identify externally facing services and possible entry points.

• Pre-Attack Planning:

  • Attackers map the victim's network infrastructure to identify potential vulnerabilities, misconfigurations, or weak security controls.

  • IP address enumeration can inform targeted phishing attacks, vulnerability scanning, and exploitation attempts.

• Establishing Persistence and Lateral Movement:

  • After gaining initial access, attackers enumerate internal IP addresses to identify additional targets for lateral movement and privilege escalation.

  • Network enumeration helps attackers understand the internal network segmentation, security controls, and critical assets.

• Information Gathering for Advanced Persistent Threats (APTs):

  • Advanced adversaries continuously monitor and enumerate IP addresses and network infrastructure changes to maintain situational awareness and adapt their attack strategies.

How this Technique is Usually Detected

Detection of IP address enumeration activities involves monitoring network traffic, DNS logs, application logs, and security alerts. Common detection methods and indicators include:

• Network Traffic Analysis:

  • Detecting high-volume or anomalous scanning activity (ICMP, TCP SYN, UDP packets) from external IP addresses using intrusion detection systems (IDS) such as Snort, Suricata, Zeek (formerly Bro), or commercial IDS/IPS solutions.

  • Identifying unusual patterns of failed connection attempts or port scans.

• DNS Log Monitoring:

  • Reviewing DNS logs for unusual patterns of DNS queries, reverse DNS lookups, or attempts to perform unauthorized DNS zone transfers.

  • Monitoring DNS servers for queries targeting internal IP address ranges or sensitive subdomains.

• Web Application and Server Logs:

  • Analyzing web server logs (Apache, Nginx, IIS) for suspicious HTTP requests indicative of reconnaissance activities, such as repeated requests to non-existent resources or probing for sensitive files that may disclose IP addresses.

  • Alerting on unusual HTTP header values or requests attempting to exploit misconfigurations to reveal IP addresses.

• Cloud Infrastructure Monitoring:

  • Utilizing cloud security tools (AWS CloudWatch, Azure Security Center, Google Cloud Logging) to detect abnormal API requests, metadata service queries, or enumeration attempts targeting cloud-hosted IP addresses and resources.

• OSINT Monitoring and Threat Intelligence:

  • Leveraging threat intelligence platforms and OSINT monitoring services to detect exposure of internal IP addresses or infrastructure details online.

  • Identifying attacker IP addresses or scanning activities reported by external intelligence feeds.

Indicators of Compromise (IoCs) associated with IP address enumeration:

• Repeated DNS queries and reverse lookups from unfamiliar IP addresses.

• High-frequency ICMP echo requests or TCP SYN scans from external sources.

• Unusual HTTP requests attempting to access configuration files or internal IP addresses.

• Cloud API requests from unknown or unauthorized IP addresses.

Why it is Important to Detect This Technique

Early detection of IP address enumeration is crucial for preventing further exploitation and reducing the potential impact of cyber-attacks. Key reasons include:

• Reducing Attack Surface:

  • Early identification can help organizations proactively secure exposed IP addresses and services, limiting an attacker's ability to exploit vulnerabilities.

• Preventing Initial Access:

  • Detecting reconnaissance activities allows security teams to implement timely countermeasures, such as firewall rule adjustments, IP blocking, or alerting, to prevent attackers from gaining initial footholds.

• Mitigating Lateral Movement:

  • Identifying internal IP address enumeration attempts can help security teams detect and respond quickly to ongoing intrusions, limiting attackers' ability to move laterally within the network.

• Enhancing Incident Response:

  • Early detection provides valuable contextual information for incident responders, enabling faster containment and remediation of security incidents.

• Protecting Sensitive Information:

  • Preventing the enumeration of internal IP addresses helps protect sensitive network infrastructure details, reducing the risk of targeted attacks against critical systems and data.

Examples

Real-world examples and attack scenarios involving IP address enumeration:

• APT29 (Cozy Bear):

  • Known to conduct extensive reconnaissance and enumeration of IP addresses and DNS records to map victim networks, identify critical systems, and prepare targeted attacks.

  • Used tools such as custom scripts, Nmap, and DNS enumeration utilities to perform IP address reconnaissance against government and private sector targets.

• Mirai Botnet:

  • Conducted mass scanning and enumeration of IP addresses to identify vulnerable IoT devices accessible over the internet.

  • Utilized automated scanning tools to rapidly enumerate and exploit vulnerable IP addresses, leading to massive distributed denial-of-service (DDoS) attacks.

• FIN7 Cybercriminal Group:

  • Performed detailed reconnaissance, including IP address enumeration, to identify externally facing services, payment systems, and point-of-sale (POS) devices.

  • Conducted DNS enumeration and network scanning to map out victim networks before deploying targeted phishing campaigns and malware.

• Cloud Hopper Campaign (APT10):

  • Targeted managed service providers (MSPs) and cloud infrastructure, extensively enumerating IP addresses and cloud resources through DNS reconnaissance, cloud API enumeration, and passive OSINT methods.

  • Leveraged obtained IP address information to infiltrate cloud environments, move laterally, and exfiltrate sensitive data.

Tools commonly used in IP address enumeration attacks:

• Nmap: Widely used network scanning tool for active reconnaissance and IP enumeration.

• Masscan/Zmap: High-speed internet-wide scanning tools for enumerating large IP address ranges.

• dnsenum/dnsrecon: DNS enumeration utilities to identify IP addresses through DNS queries and zone transfers.

• Shodan/Censys/ZoomEye: OSINT search engines providing information on publicly exposed IP addresses and services.

Impacts of successful IP address enumeration:

• Increased likelihood of successful exploitation and compromise.

• Potential for unauthorized access, data breaches, and lateral movement within victim networks.

• Exposure of sensitive infrastructure details, facilitating targeted attacks.

• Risk of operational disruption, financial losses, and reputational damage.