PaulDotCom mailing list archives

Blue Team Tactics


From: strandjs at gmail.com (John Strand)
Date: Sun, 23 Aug 2009 13:55:52 -0600

Exactly!

Does anyone know of any "false" Windows shells (i.e. a replacement  
cmd.exe)?

There is Tiny Honeypot for Unix. I was wondering if there was  
something like that for Windows...

If not, it might be time to fire up a new executable....

john




On Aug 17, 2009, at 11:56 AM, Nathan Sweaney wrote:

Another idea I had this morning.

Assuming you're controlling a server that is only supposed to accept  
connections from specific IPs...
Setup a "block all" IPSEC policy with a filter list that includes  
all IPs that you aren't using and all protocols.  Set the filter  
action to block all and then for the authentication type select  
preshared key and just mash on your keyboard for a bit.

This isn't that much different from setting up default deny rules in  
a firewall except that it's built-in AND it goes both ways.  So even  
if the attackers get something running on the box, it can't phone  
home unless they can complete the tunnel.  If you've got an old  
Win2K server to support, now you've got a built-in firewall.  And if  
you want to get really fancy, you could even block known IPs and  
only allow specific ports through just like a firewall.

-- Nathan

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of John Strand
Sent: Wednesday, August 05, 2009 3:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

See..

That is the kind of evil that makes me cry....

Happy, happy tears.

Nathan, Dave, you each win one free Internet.

john

On Wed, Aug 5, 2009 at 12:14 PM, Nathan Sweaney <NSweaney at tulsacash.com> wrote:
Better yet:

Route add <att.ack.ers.ip> mask 255.255.255.255 <att.ack.ers.ip>

Agent deployed.... oh wait...



--------------------------------------------------------------------------

Nathan Sweaney | Security Specialist - GPEN,GWAPT
Tulsa Cash Register / Bottom Line Solutions
918.294.1777 x 311 | 918.307.2071 | mailto:NSweaney at tulsacash.com
http://www.tulsacash.com/


 Serving Oklahoma for 51 years.

Main Number 24 Hour Customer Support Line: 918.294.1777 (Follow  
Prompts)


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dave Hull
Sent: Wednesday, August 05, 2009 10:48 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

On Sat, Aug 1, 2009 at 9:30 AM, John Strand <strandjs at gmail.com> wrote:

[snip]

Now I want you to focus on the CLI and the built-in tools you get with a
Windows or Linux system.

How about the route command for null routing the attackers IP
address(es)?

route add <att.ack.ers.ip> mask 255.255.255.255 127.0.0.1

I'm not a CTF player (yet), but off the top of my head for native
tools on Windows -- netstat, tasklist, route, net, wmic...
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
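As an added example (not code from any of the posters), here is the `route add <ip> mask 255.255.255.255 127.0.0.1` null-route trick from the thread generalised to CIDR blocks, with guard rails so a defender does not black-hole their own gateway, DNS server or the default route by mistake. The attacker list and the protected addresses are constructed sample data.

```python
"""Generate Windows route.exe null-route commands for attacker sources.

Pointing a destination at 127.0.0.1 with an exact mask makes the host
discard its own replies to that source, so no TCP session with it can
complete. Inbound packets still arrive (and still get logged), which
is why this is a containment step, not a full firewall rule.
"""
import ipaddress

# Constructed sample data: sources flagged by an IDS, and the addresses
# this host must keep reachable (gateway, itself, its DNS server).
ATTACKERS = ["203.0.113.5", "198.51.100.0/28", "10.0.0.1", "127.0.0.1", "0.0.0.0/0"]
PROTECTED = ["10.0.0.1", "10.0.0.42", "10.0.0.53"]


def null_route_commands(sources, protected, persistent=True):
    """Return (commands, rejected): route.exe lines to run, and
    (source, reason) pairs that were refused as unsafe or malformed."""
    protected_ips = [ipaddress.ip_address(p) for p in protected]
    commands, rejected = [], []
    flag = "-p " if persistent else ""  # -p survives a reboot
    for src in sources:
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            rejected.append((src, "not an IP address or CIDR block"))
            continue
        if net.version != 4:
            rejected.append((src, "this route.exe syntax is IPv4 only"))
            continue
        if net.prefixlen == 0:
            rejected.append((src, "refusing to null-route the default route"))
            continue
        if net.is_loopback or net.is_multicast:
            rejected.append((src, "loopback or multicast block"))
            continue
        hit = next((str(p) for p in protected_ips if p in net), None)
        if hit is not None:
            rejected.append((src, f"block contains protected address {hit}"))
            continue
        commands.append(
            f"route {flag}add {net.network_address} mask {net.netmask} 127.0.0.1")
    return commands, rejected


def rollback_commands(commands):
    """Matching `route delete` lines so the containment can be undone."""
    return [c.replace("-p ", "").replace("route add", "route delete") for c in commands]


if __name__ == "__main__":
    cmds, bad = null_route_commands(ATTACKERS, PROTECTED)
    print("\n".join(cmds))
    for src, why in bad:
        print(f"skipped {src}: {why}")
    print("\n".join(rollback_commands(cmds)))
```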
