# Active Connection Defense

Techniques for monitoring and terminating suspicious connections during competition.

---

## View Active Connections

### netstat Command

Basic usage (too much output):
```bash
netstat
```

**Useful filtered version:**
```bash
netstat -tu         # TCP and UDP connections only
netstat -tun        # + numeric output, no name lookups (shows 22 instead of "ssh")
netstat -tuna       # + show listening ports too
sudo netstat -tunap # + show process IDs (requires sudo)
```

**Remember: `netstat -tunap`** (tuna + p)

| Flag | Meaning |
|------|---------|
| `-t` | TCP connections |
| `-u` | UDP connections |
| `-n` | Numeric addresses and ports (no name lookups) |
| `-a` | Show all (including listening) |
| `-p` | Show PID and program name (requires sudo) |

Example output:
```
Proto Local Address     Foreign Address       State        PID/Program name
tcp   192.168.8.2:22    192.168.8.100:51736   ESTABLISHED  26546/sshd: jenny
tcp   192.168.8.2:22    192.168.8.100:51732   ESTABLISHED  26540/sshd: bob
```

### Filter with grep
```bash
sudo netstat -tunap | grep ESTABLISHED
sudo netstat -tunap | grep ssh
```

### ss Command (alternative to netstat)

Some systems don't have netstat - use `ss` instead:
```bash
ss                 # all non-listening sockets
ss -t              # TCP only
ss | grep ESTAB    # ss abbreviates the state as ESTAB, not ESTABLISHED
```

---
57
58## View Logged-In Users
59
60### w Command
61```bash
62w
63```
64
65Shows:
66- Username
67- TTY (terminal)
68- From (IP address for remote, `:0` for local GUI)
69- Login time
70- What they're running
71
72Example output:
73```
74USER TTY FROM LOGIN@ WHAT
75sandbox :0 :0 09:00 /usr/bin/gnome-shell <- Local GUI
76bob pts/1 192.168.8.100 10:15 -bash <- Remote SSH
77jenny pts/2 192.168.8.100 10:16 -bash <- Remote SSH
78```
79
80**Note:** `:0` means local GUI session (probably your teammate), IP address means remote connection (possibly attacker).
81
82---
83
## Kill Connections

### Kill by Process ID

1. Find the PID with `sudo netstat -tunap`
2. Kill it:
```bash
sudo kill <PID>
```

Example:
```bash
sudo netstat -tunap | grep ESTABLISHED
# See jenny's connection has PID 26546
sudo kill 26546
```

### Kill by Username

Log out all sessions for a specific user:
```bash
sudo pkill -KILL -u jenny
sudo pkill -KILL -u bob
```

**⚠️ WARNING: Don't kill yourself!**
```bash
sudo pkill -KILL -u sandbox # This kills YOUR session too!
```

If the attacker is using the same account as you, kill by PID instead.

---
## Monitor Processes

### top Command
```bash
top  # Live view of running processes
htop # Fancier version (may need to install)
```

Press `q` to quit.

### ps Command
```bash
ps aux               # Show all processes with details
ps aux | grep python # Find Python scripts
ps aux | grep bash   # Find bash scripts
```

Look for suspicious scripts running in the background (attackers may leave these).

---
## Send Messages to Users

### Broadcast to All Users
```bash
wall "Server shutting down in 5 minutes. Please save your work."
```

All logged-in users see the message in their terminal.

### Message Specific User
```bash
w                    # Find their TTY (e.g., pts/2)
sudo write bob pts/2 # Opens interactive message
# Type your message, Ctrl+C to end
```

---
## Competition Strategy

### Active Defense Workflow

1. **Monitor continuously:**
   ```bash
   sudo netstat -tunap | grep ESTABLISHED
   w
   ```

2. **Identify suspicious connections:**
   - Unknown usernames
   - Connections from unexpected IPs
   - Multiple sessions from same IP

3. **Kill suspicious connections:**
   ```bash
   sudo kill <PID>            # By process ID
   sudo pkill -KILL -u <user> # By username
   ```

4. **Meanwhile, teammate secures server:**
   - Change passwords
   - Lock down user accounts
   - Enable firewall
   - Remove unnecessary services
183
184### Watch Out For
185
186- **Background scripts**: Attackers may leave Python/bash scripts running
187 ```bash
188 ps -aux | grep python
189 ps -aux | grep bash
190 ```
191- **Cron jobs**: Check `crontab -l` and `/etc/cron.*`
192- **Friendly fire**: Don't kill your own sessions or teammates!
193
194---
195
196## Quick Reference
197
198| Task | Command |
199|------|---------|
200| View connections | `sudo netstat -tunap` |
201| View logged-in users | `w` |
202| Kill by PID | `sudo kill <PID>` |
203| Kill by username | `sudo pkill -kill -u <user>` |
204| View processes | `ps -aux` or `top` |
205| Broadcast message | `wall "message"` |
206| Message specific user | `sudo write <user> <tty>` |