Wordlist Scanning (T1595.003)

Information

• Name: Wordlist Scanning

• ID: T1595.003

• Tactics:

• Technique:

Introduction

Wordlist Scanning (T1595.003) is a sub-technique under the MITRE ATT&CK framework, specifically categorized within Active Scanning (T1595). Attackers perform wordlist scanning to systematically discover valid resources, paths, usernames, passwords, or services by iterating through predefined lists of common or potential values. This method is typically leveraged during reconnaissance and initial access phases to identify vulnerabilities, enumerate sensitive information, or exploit weak authentication mechanisms.

Deep Dive Into Technique

Wordlist scanning involves the automated use of extensive lists containing common or predictable words, phrases, usernames, passwords, directory names, and service identifiers. Attackers utilize specialized tools and scripts to iterate through these wordlists systematically, attempting to identify valid resources or credentials.

Technical execution methods include:

• Web Directory Enumeration: Attackers use tools such as Dirbuster, Gobuster, or Dirsearch to discover hidden directories and files on web servers by systematically sending HTTP requests using wordlists containing common directory and file names.

• Credential Brute-Forcing: Attackers leverage tools like Hydra, Medusa, or Burp Suite Intruder to perform brute-force attacks against authentication mechanisms (e.g., SSH, FTP, HTTP login forms) using wordlists of common usernames and passwords.

• DNS Enumeration: Attackers employ tools such as DNSRecon, Fierce, or Sublist3r to discover subdomains and DNS records by querying DNS servers with wordlists of potential hostnames.

• SNMP Enumeration: Attackers use SNMP enumeration tools (e.g., snmpwalk, onesixtyone) with wordlists of common community strings to discover sensitive network information.

• SMTP Enumeration: Attackers utilize SMTP enumeration tools to guess valid email addresses and usernames by systematically testing wordlists against mail servers.

Real-world procedures typically involve:

1. Selecting or generating appropriate wordlists based on target context (industry, region, technologies).

2. Configuring scanning tools to automate enumeration and brute-force attempts.

3. Analyzing responses to identify successful hits or potential vulnerabilities.

4. Refining wordlists and scanning parameters based on initial results to enhance effectiveness.

When this Technique is Usually Used

Attackers commonly employ wordlist scanning during multiple stages of an attack lifecycle, including:

• Reconnaissance Stage: To identify potential entry points, such as hidden directories, administrative interfaces, or exposed services.

• Initial Access Stage: To brute-force credentials and gain unauthorized access to systems, web applications, or network devices.

• Privilege Escalation Stage: To discover sensitive files, configuration data, or credentials stored in predictable locations that could lead to privilege escalation.

• Lateral Movement Stage: To enumerate hostnames, usernames, and passwords within internal networks, facilitating lateral movement and persistence.

• Post-Exploitation Stage: To identify additional sensitive resources or services accessible from compromised hosts.

Typical scenarios include:

• Web application penetration tests or attacks to discover hidden administrative panels or configuration files.

• Credential stuffing attacks against authentication endpoints using breached credential lists.

• Internal network penetration tests or attacks to enumerate valid user accounts, hostnames, or services.

How this Technique is Usually Detected

Detection of wordlist scanning activities involves monitoring network traffic, server logs, and authentication events for abnormal patterns indicative of enumeration or brute-force attempts. Effective detection methods include:

• Network Traffic Analysis:

  • Identify high volumes of HTTP requests with a significant number of 404 (Not Found) responses, indicating directory enumeration attempts.

  • Detect multiple DNS queries for nonexistent subdomains or hostnames within a short timeframe.

  • Monitor SNMP queries from unknown IP addresses attempting multiple community strings.

• Log Analysis and Monitoring:

  • Web server logs: Monitor for repeated requests to non-existent resources or directories.

  • Authentication logs: Detect multiple failed login attempts from single or multiple IP addresses.

  • SMTP logs: Spot enumeration attempts through multiple RCPT TO commands targeting nonexistent email addresses.

• Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS):

  • Employ IDS/IPS signatures to detect known scanning patterns and brute-force attempts.

  • Use behavioral analysis to identify anomalous scanning behavior.

• Security Information and Event Management (SIEM) Solutions:

  • Correlate logs from multiple sources to detect scanning patterns across network segments and services.

  • Generate alerts based on threshold-based rules (e.g., excessive failed attempts, unusual access patterns).

Specific Indicators of Compromise (IoCs):

• High frequency of requests with predictable patterns (alphabetically or numerically ordered paths).

• Numerous failed authentication attempts from the same IP address or user-agent.

• Repeated DNS queries for non-existent subdomains or hosts.

• SNMP requests with multiple invalid community strings.

Why it is Important to Detect This Technique

Detecting wordlist scanning is critical due to the significant security implications and potential impacts on systems and networks:

• Early Identification of Reconnaissance Activities: Detecting scanning attempts early helps organizations proactively identify and block potential attackers before they achieve initial access.

• Prevent Credential Compromise: Early detection and mitigation prevent attackers from successfully brute-forcing credentials, thus reducing the risk of unauthorized access.

• Minimize Exposure of Sensitive Information: Early detection prevents attackers from discovering hidden directories, sensitive files, or vulnerable services that could lead to further exploitation.

• Reducing Attack Surface: Identifying and blocking enumeration attempts limits attackers' ability to map the internal structure and resources of networks and applications.

• Compliance and Regulatory Requirements: Early detection and response to scanning attempts help organizations remain compliant with cybersecurity standards and regulations that mandate proactive threat detection and mitigation.

Failure to detect and mitigate wordlist scanning can result in:

• Unauthorized access to critical systems and sensitive data.

• Compromise of user accounts, leading to lateral movement and privilege escalation.

• Exposure of sensitive files and configurations, increasing vulnerability to further attacks.

• Increased risk of data breaches, financial losses, reputational damage, and regulatory penalties.

Examples

Real-world examples demonstrating wordlist scanning include:

• Credential Brute-Forcing Using Hydra:

  • Attack scenario: Attackers target SSH services exposed to the internet using Hydra and common username/password lists.

  • Tools used: Hydra, Medusa, Ncrack.

  • Impact: Successful authentication compromise leading to unauthorized access, lateral movement, and data exfiltration.

• Web Directory Enumeration Using Gobuster:

  • Attack scenario: Attackers use Gobuster to enumerate hidden web directories on a public-facing web server.

  • Tools used: Gobuster, Dirbuster, Dirsearch.

  • Impact: Discovery of sensitive files, configuration backups, or administrative interfaces, leading to further exploitation or privilege escalation.

• DNS Subdomain Enumeration Using Sublist3r:

  • Attack scenario: Attackers enumerate subdomains of a target organization to identify potentially vulnerable applications or services.

  • Tools used: Sublist3r, DNSRecon, Fierce.

  • Impact: Identification of vulnerable subdomains or services that attackers exploit to gain initial foothold or perform lateral movement.

• SNMP Enumeration Using Onesixyone and SNMPWalk:

  • Attack scenario: Attackers perform SNMP enumeration using common community strings to extract network topology information, device configurations, or sensitive data.

  • Tools used: Onesixyone, SNMPWalk, SNMP-Check.

  • Impact: Disclosure of sensitive network information, facilitating further targeted attacks or lateral movement.

• SMTP Enumeration Using Metasploit SMTP Enumeration Module:

  • Attack scenario: Attackers perform email enumeration against SMTP servers to identify valid user accounts.

  • Tools used: Metasploit SMTP Enumeration Module, smtp-user-enum.

  • Impact: Identification of valid email addresses and usernames, enabling targeted phishing attacks or credential brute-forcing.

These examples illustrate how attackers leverage wordlist scanning across multiple scenarios, highlighting the importance of detecting and mitigating this technique proactively.