LOTL Port Scanning

Living Off The Land

Living Off The Land (LOTL) techniques leverage native tools already present in the target or victim’s environment to accomplish tasks such as reconnaissance, persistence, and code execution. Because those tools are trusted and permitted to run, using them sidesteps the file-based and signature-based detections that would fire on a dropped binary, even though the activity itself remains visible to anyone watching the network or the process logs.

One fundamental technique used in penetration testing and ethical hacking is port scanning. In this write-up, we’ll explore ways to perform port scanning using basic commands and tools found in many environments, specifically focusing on Python, Bash, and PowerShell.

Python

Python is ubiquitous and often installed on Linux and sometimes even on Windows servers. Here’s a basic port scanner using Python’s socket library:

import socket

target = "example.com"
ports = range(1, 1025)

for port in ports:
    # A full TCP connect: the three-way handshake completes, so the target
    # service sees (and may log) a real connection on every open port.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)  # without this a filtered port blocks for the OS default (minutes on Linux)
    result = s.connect_ex((target, port))  # 0 on success, an errno value otherwise
    if result == 0:
        print(f"Port {port} is open.")
    s.close()

To run this code, you’d typically save it to a .py file and execute it with Python. In a LOTL scenario you usually want nothing written to disk, so run it as a one-liner instead. Be careful which call you use: socket.create_connection() raises ConnectionRefusedError on a closed port, which aborts a list comprehension at the first one, whereas connect_ex() returns an error code and lets the loop continue. setdefaulttimeout() applies the one-second timeout to every socket the comprehension creates.

Inline:

python3 -c 'import socket; socket.setdefaulttimeout(1); target="example.com"; [print(f"Port {p} is open.") for p in range(1,1025) if socket.socket().connect_ex((target,p))==0]'

Use python where only the older interpreter name exists (f-strings need 3.6 or later). Keep in mind that the whole command line, target and port range included, is recorded by process auditing (auditd execve records, Sysmon Event ID 1), so the one-liner is file-less but not log-less.
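The scanners on this page probe one port at a time and only ever report "open", which hides two things a tester wants to know: why a port did not answer (closed versus filtered) and what service sits behind it. The following script is an added example, not code from the original write-up. It classifies each result by the exception the connect raises, harvests the banner from services that speak first (SSH, SMTP, FTP), runs the probes in a thread pool so filtered ports do not serialize the scan, and includes a constructed local listener (demo()) so it can be exercised offline. Only the standard library is used.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Full TCP connect to one port, classified by how the connect fails.

    open     -> handshake completed (the service will log this connection)
    closed   -> RST came straight back: host is up, nothing listening
    filtered -> neither SYN/ACK nor RST within the timeout: typically a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Many services talk first; grab that banner if one arrives quickly.
            s.settimeout(0.5)
            try:
                banner = s.recv(128).decode("ascii", errors="replace").strip()
            except (socket.timeout, OSError):
                banner = ""
        return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""
    except socket.timeout:
        return port, "filtered", ""
    except OSError as e:              # e.g. EHOSTUNREACH, ENETUNREACH
        return port, f"error:{e.errno}", ""


def scan(host, ports, timeout=1.0, workers=50):
    """Probe ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


def demo():
    """Offline check: scan a constructed local listener plus one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    srv.listen(5)
    open_port = srv.getsockname()[1]

    def serve():                     # fake service that greets with a banner
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # listener closed: stop serving
            conn.sendall(b"SSH-2.0-constructed-banner\r\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()

    # Reserve then release a second ephemeral port so we know nothing listens on it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    results = scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    o, c, res = demo()
    for p, (state, banner) in sorted(res.items()):
        print(f"{p:5d} {state:9s} {banner}")
```

Against a real target replace the demo() call with scan(host, range(1, 1025)). The worker count trades speed against noise: fifty parallel handshakes from one source are unmistakable in any connection log, so drop it to a handful when blending in matters more than finishing quickly.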

Bash

On Linux, bash itself can open a TCP connection with no external binary at all: redirecting to the pseudo-path /dev/tcp/HOST/PORT is a bash feature (not a real file, and not available in dash or plain sh). The redirection succeeds only if the connect does, so its exit status tells you whether the port is open. Here’s how we can use it:

#!/bin/bash

target="example.com"
for port in {1..1024}; do
    # Redirecting into /dev/tcp/host/port makes bash open a TCP connection; the
    # redirection (and so the command) fails when the port is closed. timeout(1)
    # from coreutils bounds the wait on filtered ports, which otherwise block for
    # the kernel's connect timeout (around two minutes on a default Linux).
    timeout 1 bash -c "echo >/dev/tcp/$target/$port" > /dev/null 2>&1 && echo "Port $port is open."
done

Inline:

target="example.com"; for port in {1..1024}; do timeout 1 bash -c "echo >/dev/tcp/$target/$port" >/dev/null 2>&1 && echo "Port $port is open."; done

If timeout is not on the host, the bare subshell form (echo >/dev/tcp/$target/$port) >/dev/null 2>&1 works just as well against a host that answers every port with a RST; it only becomes painful when a firewall silently drops the SYN.

PowerShell

PowerShell ships with every supported Windows version and exposes the full .NET class library, so a port scanner needs no external binary. Here’s a simple port scanner in PowerShell:

$target = "example.com"
1..1024 | ForEach-Object {
    $port = $_
    $TCPClient = New-Object System.Net.Sockets.TcpClient
    Try {
        # ConnectAsync().Wait(1000) caps each attempt at one second. A plain
        # Connect() has no timeout and blocks roughly 20 s on every filtered port.
        If ($TCPClient.ConnectAsync($target, $port).Wait(1000) -and $TCPClient.Connected) {
            Write-Host "Port $port is open."
        }
    } Catch {
        # Refused or unreachable: Wait() rethrows it as an AggregateException. Not open.
    } Finally {
        $TCPClient.Close()
    }
}

# Single port, using the built-in cmdlet (Windows 8 / Server 2012 and later):
Test-NetConnection -ComputerName $target -Port 80

This script uses the .NET TcpClient class to attempt a connection to each port on the target; if the handshake completes, the port is open. Test-NetConnection reports the same result in its TcpTestSucceeded field (add -InformationLevel Quiet for a bare $true/$false), but note that by default it also sends an ICMP echo to the host, which is one more packet for a sensor to notice.

Inline:

$target="example.com"; 1..1024 | % { echo ((New-Object Net.Sockets.TcpClient).Connect($target, $_)) "TCP port $_ is open" } 2>$null

This form prints the "is open" string only when Connect() returns: on a refused port the method throws, the statement aborts before echo runs, and 2>$null discards the error record. It depends on that method exception being statement-terminating rather than pipeline-terminating, so it stops at the first closed port if $ErrorActionPreference is set to Stop. Like the script above without a timeout, it waits about 20 s on each filtered port.

Alternative:

$target="example.com"; 1..1024 | % { $port=$_; $TCPClient=New-Object System.Net.Sockets.TcpClient; Try{$TCPClient.Connect($target, $port); $TCPClient.Close(); Write-Host "Port $port is open."}Catch{}}

Netcat

Netcat reads and writes raw network connections and is present on many Linux hosts, but in several flavors (OpenBSD netcat, GNU netcat, Nmap’s ncat) whose flags and messages differ. -z connects and reports status without sending data, and -w1 caps each attempt at one second; check nc -h on the host for the flags your copy accepts.

#!/bin/bash

target="example.com"
for port in {1..1024}; do
    # nc exits 0 when the connect succeeds, so the exit status is a more portable
    # test than grepping for "succeeded", which only OpenBSD netcat prints
    # ("Connection to host 22 port [tcp/ssh] succeeded!").
    nc -z -w1 "$target" "$port" 2>/dev/null && echo "Port $port is open."
done

Inline:

target="example.com"; for port in {1..1024}; do nc -z -w1 "$target" "$port" 2>/dev/null && echo "Port $port is open."; done

OpenBSD netcat also accepts a port range directly, so nc -zv -w1 example.com 1-1024 does the whole job in one process and prints a "succeeded!" line per open port.

Advantages and Drawbacks

Advantages:

  • Stealth on the host: nothing new is written to disk, so hash, signature and "unknown binary" detections have nothing to match, and the activity comes from interpreters that are expected to be running.
  • No tool transfer: there is no scanner to upload or stage, which removes a step that egress controls and EDR commonly flag.

Drawbacks:

  • Noise on the wire: every technique above is a full TCP connect scan, so each open port sees a completed handshake that the service itself can log, and a sequential sweep of one source across hundreds of ports is trivial for a sensor to spot. A SYN scan needs raw sockets and privileges these tools do not provide. The command lines also land in process-creation telemetry (auditd, Sysmon Event ID 1, PowerShell script block logging).
  • Capability and speed: single-threaded probes with fixed timeouts are slow against filtered hosts, and there is no service fingerprinting, OS detection or UDP scanning of the kind specialized tools offer.
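To make the noise concrete, here is the defender’s side as an added example that is not part of the original write-up. It assumes an iptables rule logging inbound SYNs with the prefix "IPT-IN: " (the sample lines are constructed for the example, with a year supplied because syslog timestamps carry none) and flags any source that touches at least min_ports distinct TCP destination ports inside a sliding time window. A sequential LOTL sweep like the ones above trips it within the first few seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not captured from a real host). The shape follows what
#   iptables -A INPUT -p tcp --syn -j LOG --log-prefix "IPT-IN: "
# writes to syslog, trimmed to the fields the detector needs.
# 10.0.0.5 walks twelve ports in twelve seconds (a sequential connect scan);
# 10.0.0.9 only ever talks to 443, plus one UDP line that must be ignored.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389]
SAMPLE_LOG = "\n".join(
    [f"Jan 10 12:00:{i + 1:02d} host kernel: IPT-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 "
     f"PROTO=TCP SPT={51000 + i} DPT={p} WINDOW=64240 SYN"
     for i, p in enumerate(SCANNED_PORTS)]
    + [f"Jan 10 12:00:{s:02d} host kernel: IPT-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.10 "
       f"PROTO=TCP SPT={40000 + s} DPT=443 WINDOW=64240 SYN" for s in (3, 20, 41)]
    + ["Jan 10 12:00:30 host kernel: IPT-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.10 "
       "PROTO=UDP SPT=5353 DPT=53 LEN=40"]
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse(log, year=2024):
    """Yield (timestamp, source IP, destination port) for each TCP SYN line.

    syslog timestamps have no year, so the caller supplies one (assumption).
    """
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # UDP, ICMP or unrelated kernel lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])


def detect_scans(log, window_s=60, min_ports=10):
    """Return {src: (first_seen, distinct_ports)} for every source that hits at
    least min_ports distinct destination ports within some window_s-second span."""
    hits = defaultdict(list)
    for ts, src, dpt in sorted(parse(log)):
        hits[src].append((ts, dpt))

    alerts = {}
    for src, events in hits.items():
        start = 0
        for end in range(len(events)):
            # Slide the window's left edge forward until it spans <= window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = (events[start][0], len(ports))
                break                     # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for src, (first, n) in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct ports starting {first:%H:%M:%S}")
```

The thresholds are the tuning knobs: a slow scanner that spaces probes more than window_s apart slips under this logic, which is exactly why spreading a LOTL sweep over time costs so much wall clock. Feed it tail -f output or a SIEM export instead of SAMPLE_LOG to run it for real.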

Conclusion:

LOTL techniques, used deliberately, give penetration testers and red teams a real advantage: no scanner has to be dropped on the host, so nothing new exists for file-based controls to catch. They are not invisible, though. Every approach above is a full TCP connect scan, so the target’s services and any network sensor still see the connections, and the command lines themselves land in process-creation and PowerShell logs. Specialized tools keep their place for speed, SYN scanning and fingerprinting; the built-in options in Python, Bash, PowerShell and netcat are the adaptable fallback when you cannot, or should not, bring your own. As always, scan only with explicit, written authorization.
