Internal Nmap Sweep

§ Where this technique fits

§ Dossiers chaining this technique

• Unauth DICOM PACS → mass medical-image exfil

  PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).

  step 1 / 5

• z/OS TN3270 → RACF userID brute → mainframe shell

  Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.

  step 1 / 6

• EternalBlue (MS17-010) → SMBv1 wormable spread

  Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.

  step 1 / 5

• BACnet HVAC → disrupt building operations

  BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.

  step 1 / 5

• vCenter pre-auth RCE → root on every ESXi → mass encrypt

  Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.

  step 1 / 6

• Unpatched Confluence (CVE-2023-22515) → internal foothold

  Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.

  step 1 / 6

• Reconfigure MFP LDAP → harvest service-account credentials

  Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.

  step 1 / 7

• PJL / PostScript → printer root → quiet network foothold

  PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.

  step 1 / 6

• HMI default credentials → operations disruption

  Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.

  step 1 / 5

• Reachable Modbus PLC → direct register override

  Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.

  step 1 / 5

• Open ADB on the network → device shell

  An IoT / dev device left adbd listening on TCP/5555 — anyone on the LAN runs `adb connect` and gets a shell as the shell user, including pulling user data.

  step 1 / 5

• Jenkins /script Groovy console → RCE → AD

  Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.

  step 1 / 6

• ArgoCD weak RBAC → cluster admin via custom Application

  ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.

  step 1 / 6

• Exposed etcd → cluster-wide secret raid

  etcd is reachable without mTLS — read every Secret in the cluster including service-account tokens that grant cluster-admin.

  step 1 / 6

• Industroyer2 IEC-104 substation hijack

  Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section.

  step 2 / 6

• VLAN hopping → cross into production

  Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs.

  step 4 / 5

• PMKID attack → offline crack with no client interaction

  WPA2 PMKID can be extracted from a single association attempt with the AP — no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.

  step 5 / 5

• 802.1X NAC bypass via printer MAC spoof

  Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely.

  step 5 / 6

• npm typosquat → developer workstation → corporate VPN

  Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network.

  step 6 / 6

• WPA2-PSK handshake capture + crack → LAN access

  Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat.

  step 6 / 6

§ What commonly comes next

1. 01
   Account Discovery

   T1087 · Discovery
   seen 3×
2. 02
   Default Credentials

   W-AUTH-DEFAULT · Credential Access
   seen 3×
3. 03
   ADB Open on Network

   MOB-ADB-OPEN · Initial Access
   seen 1×
4. 04
   DICOM C-STORE Unauth Access

   HC-DICOM-CSTORE · Collection
   seen 1×
5. 05
   EternalBlue (MS17-010 / CVE-2017-0144)

   CVE-ETERNALBLUE · Initial Access
   seen 1×
6. 06
   HMI Default Credentials

   OT-HMI-DEFAULTS · Initial Access
   seen 1×
7. 07
   Industroyer2 Timed IEC-104 Sweep

   ICS-INDUSTROYER2 · Impact
   seen 1×
8. 08
   LLMNR/NBT-NS Poisoning and SMB Relay

   T1557.001 · Credential Access
   seen 1×