Thursday, April 2, 2009


A handy item to have in the NetSec toolkit is the tcpkill app. Part of the dsniff suite written by dugsong, this tool allows you to reset TCP connections. It does this by sending spoofed RST packets to each end of the connection.
That sounds rather black hat, you might think. Why would a legitimate network security analyst need such a tool? Consider this scenario: a desktop on your network has been compromised with a password stealing trojan and there is an active connection with an unknown host spawned by the malware. Faster than you can run to the box and pull the plug, faster than you can get emergency permission to have the port disabled, you can use tcpkill to knock down that connection, and keep it knocked down until the box is pulled offline.
tcpkill is very easy to use. The syntax is tcpkill -i <interface> <bpf expression>. It accepts any BPF filter expression.
Say your compromised box is at and you have an interface that monitors a span port on an edge switch (you should monitor at a choke point for your Internet connection so you can shoot down any external connection, if that's your goal).
You would run the command tcpkill -i eth0 'host'. This would shoot down any connections from that the monitoring point sees. If that's too draconian and you only want to shoot down that one unknown connection, use a BPF filter that specifies both hosts, such as 'host and host x.x.x.x'. That's all there is to it.
Fortunately tcpkill (and dsniff) only run on Linux flavors, which reduces the chances of someone using it in a rogue fashion on your internal network.
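If you are worried about someone running tcpkill against your own network, the same mechanism the post describes (a burst of spoofed RSTs aimed at each end of a connection) is also what you can look for in a capture. The following is an added example and not part of dsniff: a small heuristic detector over simplified packet records. The TTL-mismatch and RST-burst rules, the record layout and the sample packets are all assumptions constructed for the example.

```python
# Added example: flag TCP resets that look injected rather than sent by the
# real endpoint. Records are (ts, src_ip, dst_ip, sport, dport, ttl, seq, flags).
# Heuristics (assumptions, not a dsniff feature): a spoofed RST usually arrives
# with a TTL different from the endpoint's earlier packets, and it arrives as a
# burst of several RSTs with different sequence numbers in a short time window.
from collections import defaultdict


def detect_injected_rsts(packets, burst_window=0.05, burst_min=3):
    """Return a list of (reason, packet) alerts for suspicious RST segments."""
    seen_ttl = {}                      # direction key -> TTL of first non-RST packet
    rst_history = defaultdict(list)    # direction key -> [(ts, seq), ...] of RSTs
    alerts = []
    for pkt in packets:
        ts, sip, dip, sp, dp, ttl, seq, flags = pkt
        key = (sip, dip, sp, dp)
        if "R" not in flags:
            seen_ttl.setdefault(key, ttl)   # remember how far away this end really is
            continue
        # Rule 1: RST from a different hop distance than the endpoint's own traffic.
        if key in seen_ttl and seen_ttl[key] != ttl:
            alerts.append(("ttl-mismatch", pkt))
        # Rule 2: several RSTs with distinct seq numbers within burst_window seconds.
        rst_history[key].append((ts, seq))
        recent = {s for t, s in rst_history[key] if ts - t <= burst_window}
        if len(recent) >= burst_min:
            alerts.append(("rst-burst", pkt))
    return alerts


# Constructed sample: a normal handshake and data segment between 10.0.0.5:51000
# and 203.0.113.7:443, then three spoofed RSTs toward each end, all TTL 61.
SAMPLE = [
    (0.000, "10.0.0.5", "203.0.113.7", 51000, 443, 64, 1000, "S"),
    (0.020, "203.0.113.7", "10.0.0.5", 443, 51000, 52, 5000, "SA"),
    (0.021, "10.0.0.5", "203.0.113.7", 51000, 443, 64, 1001, "A"),
    (0.500, "10.0.0.5", "203.0.113.7", 51000, 443, 64, 1001, "PA"),
    (1.000, "203.0.113.7", "10.0.0.5", 443, 51000, 61, 5001, "R"),
    (1.001, "203.0.113.7", "10.0.0.5", 443, 51000, 61, 70537, "R"),
    (1.002, "203.0.113.7", "10.0.0.5", 443, 51000, 61, 136073, "R"),
    (1.003, "10.0.0.5", "203.0.113.7", 51000, 443, 61, 1001, "R"),
    (1.004, "10.0.0.5", "203.0.113.7", 51000, 443, 61, 66537, "R"),
    (1.005, "10.0.0.5", "203.0.113.7", 51000, 443, 61, 132073, "R"),
]

if __name__ == "__main__":
    for reason, pkt in detect_injected_rsts(SAMPLE):
        print(reason, pkt)
```

A genuine endpoint answers a stray segment with a single RST carrying its usual TTL, so an alert on both rules for the same connection is a strong hint that something between the hosts is tearing the session down.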