PaulDotCom mailing list archives
Blue Team Tactics
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Mon, 17 Aug 2009 12:56:03 -0500
Another idea I had this morning. Assuming you're controlling a server that is only supposed to accept connections from specific IPs... Set up a "block all" IPSEC policy with a filter list that includes all IPs that you aren't using and all protocols. Set the filter action to block all and then for the authentication type select preshared key and just mash on your keyboard for a bit.

This isn't that much different from setting up default deny rules in a firewall except that it's built-in AND it goes both ways. So even if the attackers get something running on the box, it can't phone home unless they can complete the tunnel. If you've got an old Win2K server to support, now you've got a built-in firewall. And if you want to get really fancy, you could even block known IPs and only allow specific ports through, just like a firewall.

-- Nathan

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of John Strand
Sent: Wednesday, August 05, 2009 3:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

See.. That is the kind of evil that makes me cry.... Happy, happy tears.

Nathan, Dave, you each win one free Internet.

john

On Wed, Aug 5, 2009 at 12:14 PM, Nathan Sweaney <NSweaney at tulsacash.com> wrote:

Better yet:

Route add <att.ack.ers.ip> mask 255.255.255.255 <att.ack.ers.ip>

Agent deployed.... oh wait...

--------------------------------------------------------------------------
Nathan Sweaney | Security Specialist - GPEN, GWAPT
Tulsa Cash Register / Bottom Line Solutions
918.294.1777 x 311 | 918.307.2071 | mailto:NSweaney at tulsacash.com
http://www.tulsacash.com/
Serving Oklahoma for 51 years.
Main Number 24 Hour Customer Support Line: 918.294.1777 (Follow Prompts)

Notice: This E-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you.

Please consider the environment before printing this email.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dave Hull
Sent: Wednesday, August 05, 2009 10:48 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

On Sat, Aug 1, 2009 at 9:30 AM, John Strand <strandjs at gmail.com> wrote:

[snip] Now I want you to focus on the CLI and the built-in tools you get with a Windows or Linux system.

How about the route command for null routing the attacker's IP address(es)?

route add <att.ack.ers.ip> mask 255.255.255.255 127.0.0.1

I'm not a CTF player (yet), but off the top of my head for native tools on Windows -- netstat, tasklist, route, net, wmic...

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
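The two built-in-tools tricks in this thread (the host route that null-routes an attacker's address, and a "block everything, permit a few hosts" IPsec policy) scripted end to end, as an added example that is not from any of the posters. Every address in it is a hypothetical placeholder from the RFC 5737 documentation ranges, and the function names are mine. It uses the netsh ipsec static context, which is Windows Server 2003 and later; the Windows 2000 box Nathan mentions shipped ipsecpol.exe (and XP ipseccmd.exe) with different syntax, so the same policy has to be expressed with those tools there.

```powershell
# Added example, not from any post in this thread. Scripts the null-route and the
# block-all IPsec policy discussed above. All addresses are hypothetical (RFC 5737).
# Run from an elevated prompt. route.exe exists on every Windows version; the
# "netsh ipsec static" context is Windows Server 2003 and later.

function Add-NullRoute {
    param([Parameter(Mandatory)][string]$AttackerIp)
    # Host route (/32) to the attacker whose gateway is the attacker's own address,
    # exactly as posted in the thread. The stack cannot resolve that gateway on the
    # local segment, so packets to the attacker are dropped before they leave the box.
    # Insert -p after "route" if the entry must survive a reboot.
    route add $AttackerIp mask 255.255.255.255 $AttackerIp
    # Check that it took: route print accepts a destination filter.
    route print $AttackerIp
}

function Remove-NullRoute {
    param([Parameter(Mandatory)][string]$AttackerIp)
    route delete $AttackerIp
}

function New-BlockAllIPsecPolicy {
    param(
        [string]$PolicyName = 'BlockAll',
        # Every host still allowed to talk to this server. Include the machine you are
        # administering from, or the final "assign=y" locks you out.
        [Parameter(Mandatory)][string[]]$AllowedHosts
    )
    $all     = "${PolicyName}-All"
    $allowed = "${PolicyName}-Allowed"

    # 1. Default deny: one mirrored any<->me filter on every protocol, tied to a
    #    Block action. mirrored=yes is what makes it apply in both directions, so a
    #    payload on the box cannot phone home any more than the attacker can connect in.
    netsh ipsec static add policy name=$PolicyName
    netsh ipsec static add filterlist name=$all
    netsh ipsec static add filter filterlist=$all srcaddr=any dstaddr=me protocol=any mirrored=yes
    netsh ipsec static add filteraction name="${PolicyName}-Block" action=block
    netsh ipsec static add rule name="${PolicyName}-BlockRule" policy=$PolicyName filterlist=$all filteraction="${PolicyName}-Block"

    # 2. Exceptions: one host filter per allowed address, tied to a Permit action.
    #    The IPsec driver applies the most specific matching filter, so these win
    #    over the any<->me block even though both rules sit in the same policy.
    netsh ipsec static add filterlist name=$allowed
    foreach ($h in $AllowedHosts) {
        netsh ipsec static add filter filterlist=$allowed srcaddr=$h dstaddr=me protocol=any mirrored=yes
    }
    netsh ipsec static add filteraction name="${PolicyName}-Permit" action=permit
    netsh ipsec static add rule name="${PolicyName}-PermitRule" policy=$PolicyName filterlist=$allowed filteraction="${PolicyName}-Permit"

    # 3. Only one local policy can be assigned at a time; assigning it activates it.
    netsh ipsec static set policy name=$PolicyName assign=y
    # Audit what is now in force before walking away from the console.
    netsh ipsec static show policy name=$PolicyName
}

# Usage (hypothetical addresses):
# Add-NullRoute -AttackerIp 203.0.113.5
# New-BlockAllIPsecPolicy -AllowedHosts 192.0.2.10, 192.0.2.11
```

Two design notes and one check. The policy uses a plain Block filter action for the catch-all rule, which refuses traffic without any IKE exchange; a Negotiate action with an unguessable preshared key, as described in the post, also refuses every peer that cannot complete the tunnel, but it costs an IKE attempt per connection and leaves the box responding on UDP 500. Permit filters for the allowed hosts are deliberately separate from the block rule so that adding or removing a host is one netsh filter command rather than a rebuild of the filter list. Before trusting this as a firewall, check the IPsec driver's default exemptions: IKE is always exempt, and on Windows 2000 and XP Kerberos, RSVP, broadcast and multicast traffic bypass the policy as well unless the NoDefaultExempt value under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC says otherwise, so a "block all" policy on those versions blocks less than its name suggests.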
Current thread:
- Blue Team Tactics John Strand (Aug 01)
- Blue Team Tactics Jack Daniel (Aug 01)
- Blue Team Tactics Russell Butturini (Aug 02)
- Blue Team Tactics strandjs at gmail.com (Aug 03)
- Blue Team Tactics Dave Hull (Aug 05)
- Blue Team Tactics Nathan Sweaney (Aug 05)
- Blue Team Tactics John Strand (Aug 05)
- Blue Team Tactics Nathan Sweaney (Aug 17)
- Blue Team Tactics John Strand (Aug 23)
- Blue Team Tactics Nathan Sweaney (Aug 05)
- Blue Team Tactics Nick Drage (Aug 25)