Exactly!
Does anyone know of any "false" Windows shells (i.e. a replacement
cmd.exe)?
There is Tiny Honeypot for Unix. I was wondering if there was
something like that for Windows...
If not, it might be time to fire up a new executable....
john
On Aug 17, 2009, at 11:56 AM, Nathan Sweaney wrote:
Another idea I had this morning.
Assuming you’re controlling a server that is only supposed to accept
connections from specific IPs…
Setup a “block all” IPSEC policy with a filter list that includes
all IPs that you aren’t using and all protocols. Set the filter
action to block all and then for the authentication type select
preshared key and just mash on your keyboard for a bit.
This isn’t that much different from setting up default deny rules in
a firewall except that it’s built-in AND it goes both ways. So even
if the attackers get something running on the box, it can’t phone
home unless they can complete the tunnel. If you’ve got an old
Win2K server to support, now you’ve got a built-in firewall. And if
you want to get really fancy, you could even block known IPs and
only allow specific ports through just like a firewall.
-- Nathan
From: [email protected] [mailto:[email protected]
] On Behalf Of John Strand
Sent: Wednesday, August 05, 2009 3:17 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics
See..
That is the kind of evil that makes me cry....
Happy, happy tears.
Nathan, Dave, you each win one free Internet.
john
On Wed, Aug 5, 2009 at 12:14 PM, Nathan Sweaney <[email protected]
> wrote:
Better yet:
Route add <att.ack.ers.ip> mask 255.255.255.255 <att.ack.ers.ip>
Agent deployed.... oh wait...
--------------------------------------------------------------------------
Nathan Sweaney | Security Specialist - GPEN,GWAPT
Tulsa Cash Register / Bottom Line Solutions
918.294.1777 x 311 | 918.307.2071 | mailto:[email protected]
http://www.tulsacash.com/
Serving Oklahoma for 51 years.
Main Number 24 Hour Customer Support Line: 918.294.1777 (Follow
Prompts)
Notice: This E-mail (including attachments) is covered by the
Electronic Communications Privacy Act, 18 U.S.C. §§2510-2521, is
confidential and may be legally privileged. If you are not the
intended recipient, you are hereby notified that any retention,
dissemination, distribution, or copying of this communication is
strictly prohibited. Please reply to the sender that you have
received the message in error, then delete it. Thank you.
Please consider the environment before printing this email.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Dave Hull
Sent: Wednesday, August 05, 2009 10:48 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Blue Team Tactics
On Sat, Aug 1, 2009 at 9:30 AM, John Strand<[email protected]> wrote:
>
> [snip]
>
> Now I want you to focus on the CLI and the built-in tools you get
with
a
> Windows or Linux system.
How about the route command for null routing the attackers IP
address(es)?
route add <att.ack.ers.ip> mask 255.255.255.255 127.0.0.1
I'm not a CTF player (yet), but off the top of my head for native
tools on Windows -- netstat, tasklist, route, net, wmic...
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
