Tuesday, April 21, 2009

Security Dashboard at Security Database

There's a nice Security Dashboard for recently discovered vulnerabilities located at http://www.security-database.com/dashboard.php. It includes information on Microsoft, Cisco, CVE, Sun and several flavors of Linux.

Monday, April 13, 2009

Secureworks Research Tools

Secureworks, a network security services company, has a page of free tools available here for the network security professional. Amazingly you do not need to fill out a contact form to download the tools.

Thursday, April 2, 2009

TCPKill

A handy item to have in the NetSec toolkit is the tcpkill app. Part of the dsniff suite written by dugsong (http://monkey.org/~dugsong/dsniff/), this tool allows you to reset tcp connections. It does this by sending spoofed reset packets to each end of the connection.
That sounds rather black hat, you might think. Why would a legitimate network security analyst need such a tool? Consider this scenario: a desktop on your network has been compromised with a password stealing trojan and there is an active connection with an unknown host spawned by the malware. Faster than you can run to the box and pull the plug, faster than you can get emergency permission to have the port disabled, you can use tcpkill to knock down that connection, and keep it knocked down until the box is pulled offline.
tcpkill is very easy to use. The syntax is tcpkill -i <interface> <expression>. It supports any bpf filter expression.
Say your compromised box is at 10.1.1.1 and you have an interface that monitors a span port on an edge switch (you should monitor at a choke point for your Internet connection so you could shoot down any external connection, if that's your goal).
You would run the command tcpkill -i eth0 'host 10.1.1.1'. This would shoot down any connections from 10.1.1.1 that the monitoring point sees. If that's too draconian and you only want to shoot down that unknown connection, use a bpf to specify both hosts, such as 'host 10.1.1.1 and host x.x.x.x'. That's all there is to it.
Fortunately tcpkill (and dsniff) only run on Linux flavors, which reduces the chances of someone using it in a rogue fashion on your internal network.
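As an added example (not from the original post or the dsniff project), here is the detection side of the behaviour described above: a small Python check that flags a flow which sees a burst of RST segments toward both endpoints within a short window, which is what tcpkill's spoofed resets look like on the wire to a sensor. The packet records and their field layout are a constructed simplification of a capture, not real traffic.

```python
from collections import Counter, defaultdict

# Constructed sample records, not a real capture.
# Fields: (time_s, src, sport, dst, dport, tcp_flags, seq)
SAMPLE_PACKETS = [
    (0.000, "10.1.1.1", 49152, "203.0.113.5", 443, "PA", 1000),
    (0.010, "203.0.113.5", 443, "10.1.1.1", 49152, "PA", 5000),
    # Burst of resets aimed at both ends of one connection, sequence
    # numbers stepped by roughly one window: the tcpkill pattern.
    (0.011, "203.0.113.5", 443, "10.1.1.1", 49152, "R", 5100),
    (0.011, "203.0.113.5", 443, "10.1.1.1", 49152, "R", 70636),
    (0.011, "203.0.113.5", 443, "10.1.1.1", 49152, "R", 136172),
    (0.012, "10.1.1.1", 49152, "203.0.113.5", 443, "R", 1100),
    (0.012, "10.1.1.1", 49152, "203.0.113.5", 443, "R", 66636),
    (0.012, "10.1.1.1", 49152, "203.0.113.5", 443, "R", 132172),
    # A single RST on an unrelated flow: ordinary refused/aborted connection.
    (1.500, "10.1.1.7", 50000, "198.51.100.9", 80, "R", 42),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection share it."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_rst_bursts(packets, min_rsts_per_dir=2, window_s=0.1):
    """Return flow keys that saw >= min_rsts_per_dir RSTs in BOTH directions
    within window_s seconds.

    A normal teardown or refused connect yields one RST in one direction.
    tcpkill answers each observed segment with several spoofed RSTs to the
    sender, so a live connection produces a two-sided RST burst in
    milliseconds. That bidirectional burst is the signature alerted on here.
    """
    rsts = defaultdict(list)  # flow key -> [(time, sending endpoint)]
    for t, src, sport, dst, dport, flags, _seq in packets:
        if "R" in flags:
            rsts[flow_key(src, sport, dst, dport)].append((t, (src, sport)))

    hits = []
    for flow, events in rsts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window starting at each RST; count RSTs per sender.
            counts = Counter(d for t, d in events[i:] if t - t0 <= window_s)
            if len(counts) == 2 and min(counts.values()) >= min_rsts_per_dir:
                hits.append(flow)
                break
    return hits
```

Feed it records from your own sensor at the same choke point the post recommends and the single-flow, two-sided burst stands out from ordinary RST noise; the window and threshold are tunable for busier links.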
