Another idea I had this morning.

 

Assuming you're controlling a server that is only supposed to accept 
connections from specific IPs...

Set up a "block all" IPsec policy with a filter list that includes all IPs that 
you aren't using and all protocols.  Set the filter action to block all and 
then for the authentication type select preshared key and just mash on your 
keyboard for a bit.  

 

This isn't that much different from setting up default deny rules in a firewall 
except that it's built-in AND it goes both ways.  So even if the attackers get 
something running on the box, it can't phone home unless they can complete the 
tunnel.  If you've got an old Win2K server to support, now you've got a 
built-in firewall.  And if you want to get really fancy, you could even block 
known IPs and only allow specific ports through just like a firewall.  

 

-- Nathan
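The policy described above, scripted with the netsh ipsec static context; this is an added example, not code from the thread, and assumes Windows XP/2003 or later (Windows 2000 lacks the netsh ipsec context), with constructed policy names, an allowed host of 203.0.113.10 and port 3389.

```batch
@echo off
REM Added example, not from the original thread: a "block everything, permit a
REM few" IPsec policy built with netsh ipsec static (Windows XP/2003 and later).
REM Policy/list names, the host 203.0.113.10 and port 3389 are constructed values.

REM 1. Policy with the default response rule disabled (filtering only, no negotiation).
netsh ipsec static add policy name="LockDown" description="Host firewall via IPsec" activatedefaultrule=no

REM 2. Filter list that matches every address and every protocol, in both directions.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=any dstaddr=me protocol=any mirrored=yes description="everything"

REM 3. Filter list for the hosts/ports allowed in. Windows IPsec applies the most
REM    specific matching filter, so these override the catch-all above.
netsh ipsec static add filterlist name="AllowedTraffic"
netsh ipsec static add filter filterlist="AllowedTraffic" srcaddr=203.0.113.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP from the admin workstation"

REM 4. Plain block and plain permit actions: nothing to negotiate, so no tunnel to complete.
netsh ipsec static add filteraction name="BlockAction" action=block
netsh ipsec static add filteraction name="PermitAction" action=permit

REM 5. Rules that tie each filter list to its action inside the policy.
netsh ipsec static add rule name="DenyEverything" policy="LockDown" filterlist="AllTraffic" filteraction="BlockAction"
netsh ipsec static add rule name="AllowAdmins" policy="LockDown" filterlist="AllowedTraffic" filteraction="PermitAction"

REM 6. Review the policy, then assign it (only one policy is active at a time).
netsh ipsec static show policy name="LockDown" level=verbose
netsh ipsec static set policy name="LockDown" assign=y

REM To see what is in force, or to back out if you locked yourself out:
REM   netsh ipsec static show all
REM   netsh ipsec static set policy name="LockDown" assign=n
```

IKE (UDP 500) is always exempt from IPsec filtering, and on Windows 2000 and pre-SP2 XP Kerberos and RSVP are exempt by default as well (the NoDefaultExempt setting), so this is a close but not complete substitute for a packet filter.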

 

________________________________

From: [email protected] 
[mailto:[email protected]] On Behalf Of John Strand
Sent: Wednesday, August 05, 2009 3:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

 

See..

That is the kind of evil that makes me cry....

Happy, happy tears.

Nathan, Dave, you each win one free Internet.

john

On Wed, Aug 5, 2009 at 12:14 PM, Nathan Sweaney <[email protected]> wrote:

Better yet:

Route add <att.ack.ers.ip> mask 255.255.255.255 <att.ack.ers.ip>

Agent deployed.... oh wait...



--------------------------------------------------------------------------

Nathan Sweaney | Security Specialist - GPEN, GWAPT
Tulsa Cash Register / Bottom Line Solutions
918.294.1777 x 311 | 918.307.2071 | mailto:[email protected]
http://www.tulsacash.com/



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Dave Hull
Sent: Wednesday, August 05, 2009 10:48 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics

On Sat, Aug 1, 2009 at 9:30 AM, John Strand<[email protected]> wrote:
>
> [snip]
>
> Now I want you to focus on the CLI and the built-in tools you get with a
> Windows or Linux system.

How about the route command for null routing the attacker's IP
address(es)?

route add <att.ack.ers.ip> mask 255.255.255.255 127.0.0.1

I'm not a CTF player (yet), but off the top of my head for native
tools on Windows -- netstat, tasklist, route, net, wmic...
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
