That sounds rather black hat, you might think. Why would a legitimate network security analyst need such a tool? Consider this scenario: a desktop on your network has been compromised with a password-stealing trojan, and the malware has spawned an active connection to an unknown host. Faster than you can run to the box and pull the plug, faster than you can get emergency permission to have the switch port disabled, you can use tcpkill to knock down that connection and keep it knocked down until the box is pulled offline.
tcpkill is very easy to use. The syntax is tcpkill -i <interface> <bpf expression>.
Say your compromised box is at 10.1.1.1 and you have an interface that monitors a SPAN port on an edge switch (you should monitor at a choke point for your Internet connection so you can shoot down any external connection, if that's your goal).
You would run the command tcpkill -i eth0 'host 10.1.1.1'. This would shoot down any connection involving 10.1.1.1 that the monitoring point sees. If that's too draconian and you only want to shoot down that one unknown connection, use a BPF expression that names both hosts, such as 'host 10.1.1.1 and host x.x.x.x'. That's all there is to it.
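A small wrapper around the procedure above, added here as an example and not part of the original post or of dsniff itself: it validates the addresses before they reach the BPF expression, builds the one-host or two-host filter, logs what was done, and bounds how long tcpkill runs. It assumes dsniff's tcpkill, timeout(1) and logger(1) are installed; 203.0.113.5 is a constructed placeholder for the unknown remote host.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around tcpkill for the
# incident-response case described above. Assumes tcpkill, timeout(1) and
# logger(1) are available on the monitoring box.

# Accept only dotted-quad IPv4 addresses so nothing unexpected is passed
# into the BPF expression or onto the tcpkill command line.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the BPF expression: one host to drop everything the compromised box
# does, two hosts to drop only the connection to the unknown peer.
build_filter() {
    valid_ipv4 "$1" || return 1
    if [ -n "$2" ]; then
        valid_ipv4 "$2" || return 1
        echo "host $1 and host $2"
    else
        echo "host $1"
    fi
}

# Run tcpkill for a bounded number of seconds and record the action in syslog.
# usage: kill_connection <iface> <seconds> <victim-ip> [peer-ip]
kill_connection() {
    iface=$1; secs=$2; shift 2
    filter=$(build_filter "$@") || { echo "bad address" >&2; return 2; }
    logger -t tcpkill-wrapper "iface=$iface filter='$filter' for ${secs}s"
    # -9 selects tcpkill's highest degree of brute force (most RSTs per
    # matching segment), which is what you want when the peer is unknown.
    timeout "$secs" tcpkill -i "$iface" -9 "$filter"
}

# The post's example, narrowed to the single unknown connection from 10.1.1.1
# (203.0.113.5 is a constructed placeholder for the remote host):
# kill_connection eth0 300 10.1.1.1 203.0.113.5
```

Run it from the monitoring box as root; the logger line gives you a record of who shot down what when the incident is written up.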
Fortunately tcpkill (and dsniff) only run on Linux flavors, which reduces the chances of someone using it in a rogue fashion on your internal network.