PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Blue Team Tactics

From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Mon, 17 Aug 2009 12:56:03 -0500
Another idea I had this morning.

 

Assuming you're controlling a server that is only supposed to accept connections from specific IPs...

Setup a "block all" IPSEC policy with a filter list that includes all IPs that you aren't using and all protocols.  Set 
the filter action to block all and then for the authentication type select preshared key and just mash on your keyboard 
for a bit.  

 

This isn't that much different from setting up default deny rules in a firewall except that it's built-in AND it goes 
both ways.  So even if the attackers get something running on the box, it can't phone home unless they can complete the 
tunnel.  If you've got an old Win2K server to support, now you've got a built-in firewall.  And if you want to get 
really fancy, you could even block known IPs and only allow specific ports through just like a firewall.  

 

-- Nathan

 

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of John 
Strand
Sent: Wednesday, August 05, 2009 3:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

 

See..

That is the kind of evil that makes me cry....

Happy, happy tears.

Nathan, Dave, you each win one free Internet.

john

On Wed, Aug 5, 2009 at 12:14 PM, Nathan Sweaney <NSweaney at tulsacash.com> wrote:

Better yet:

Route add <att.ack.ers.ip> mask 255.255.255.255 <att.ack.ers.ip>

Agent deployed.... oh wait...



--------------------------------------------------------------------------

Nathan Sweaney | Security Specialist - GPEN,GWAPT
Tulsa Cash Register / Bottom Line Solutions
918.294.1777 x 311 | 918.307.2071 | mailto:NSweaney at tulsacash.com
http://www.tulsacash.com/


 Serving Oklahoma for 51 years.

Main Number 24 Hour Customer Support Line: 918.294.1777 (Follow Prompts)

Notice: This E-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 
??2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby 
notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. 
Please reply to the sender that you have received the message in error, then delete it. Thank you.
Please consider the environment before printing this email.


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com

[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dave Hull
Sent: Wednesday, August 05, 2009 10:48 AM
To: PaulDotCom Security Weekly Mailing List

Subject: Re: [Pauldotcom] Blue Team Tactics

On Sat, Aug 1, 2009 at 9:30 AM, John Strand<strandjs at gmail.com> wrote:


[snip]

Now I want you to focus on the CLI and the built-in tools you get with

a

Windows or Linux system.


How about the route command for null routing the attackers IP
address(es)?

route add <att.ack.ers.ip> mask 255.255.255.255 127.0.0.1

I'm not a CTF player (yet), but off the top of my head for native
tools on Windows -- netstat, tasklist, route, net, wmic...
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090817/bc96ad65/attachment.htm
Previous By Date Next
Previous By Thread Next

Current thread: