Tcpkill: Difference between revisions
From charlesreid1
No edit summary |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
tcpkill will kill TCP connections by spoofing the TCP hangup request, which interferes with the connection. | tcpkill will kill TCP connections by spoofing the TCP hangup request, which interferes with the connection. | ||
To a victim, the end result is an infuriating mix of a network connection that | To a victim, the end result is an infuriating mix of a network connection that appears connected and working when diagnosed, but that cannot keep any TCP connections alive. | ||
==How to use it?== | ==How to use it?== | ||
| Line 13: | Line 13: | ||
To run tcpkill, you need a network card that can be operated in promiscuous mode (i.e., not Mac or Windows). | To run tcpkill, you need a network card that can be operated in promiscuous mode (i.e., not Mac or Windows). | ||
You provide three arguments: | |||
* the network interface to listen on | |||
* the degree of brute force to use in killing a connection (1-9, default is 3). use higher numbers for faster connections, to inject more forged RST packets and get the timing right | |||
* a tcpdump filter expression to select connections to kill | |||
=Examples= | |||
A few examples of tcpdump filter expressions that are useful: | |||
* Blocking all traffic from/to a particular website (host), such as example.com | |||
* Blocking all traffic from/to a particular IP address on the network, such as 192.168.0.101 | |||
* Blocking traffic on a particular port, like 8000 | |||
To block all traffic to/from a particular website (using the -9 hammer): | |||
<pre> | |||
tcpkill -i eth0 -9 host example.com and host example2.com | |||
</pre> | |||
To block all network traffic to a local IP address 192.168.0.101 (using the -9 hammer): | |||
<pre> | |||
tcpkill -i eth0 -9 192.168.0.101 | |||
</pre> | |||
To block all network traffic on a particular port: | |||
<pre> | |||
tcpkill −9 port 6346 | |||
</pre> | |||
To block all traffic going to/from 192.168.0.101 except traffic coming from 192.168.0.202: | |||
<pre> | |||
tcpkill ip host 192.168.0.101 and not 192.168.0.202 | |||
</pre> | |||
=Links= | =Links= | ||
Latest revision as of 20:06, 5 March 2022
Overview
What is it?
tcpkill is a command line utility installed as part of the Dsniff suite.
tcpkill will kill TCP connections by spoofing the TCP hangup request, which interferes with the connection.
To a victim, the end result is an infuriating mix of a network connection that appears connected and working when diagnosed, but that cannot keep any TCP connections alive.
How to use it?
To run tcpkill, you need a network card that can be operated in promiscuous mode (i.e., not Mac or Windows).
You provide three arguments:
- the network interface to listen on
- the degree of brute force to use in killing a connection (1-9, default is 3). use higher numbers for faster connections, to inject more forged RST packets and get the timing right
- a tcpdump filter expression to select connections to kill
Examples
A few examples of tcpdump filter expressions that are useful:
- Blocking all traffic from/to a particular website (host), such as example.com
- Blocking all traffic from/to a particular IP address on the network, such as 192.168.0.101
- Blocking traffic on a particular port, like 8000
To block all traffic to/from a particular website (using the -9 hammer):
tcpkill -i eth0 -9 host example.com and host example2.com
To block all network traffic to a local IP address 192.168.0.101 (using the -9 hammer):
tcpkill -i eth0 -9 192.168.0.101
To block all network traffic on a particular port:
tcpkill −9 port 6346
To block all traffic going to/from 192.168.0.101 except traffic coming from 192.168.0.202:
tcpkill ip host 192.168.0.101 and not 192.168.0.202
Links
Code
Official version: https://monkey.org/~dugsong/dsniff/
Patched C version: https://github.com/chartbeat/tcpkill
Python version: https://github.com/Kkevsterrr/tcpkiller
- ethernet only, no 802.11 headers