Table of Contents
Tcpkill
enables priviledged user to kill TCP connections, it uses the tcpdump expression. It’s part of the dsniff
package. The default degree of brute force to use in killing a connection is 3, fast connections may require a higher number in order to land a RST
in the moving receive window.
tcpkill [-i interface] [-1...9] expression
For example, to kill the established and also to prevent any connections from 192.168.1.7 (client) to 192.168.1.9 (server) on port 22, use the following parameters:
192.168.1.9:~$ sudo /usr/sbin/tcpkill -i enp0s3 src 192.168.1.7 and dst port 22
tcpkill: listening on enp0s3 [src 192.168.1.7 and dst port 22]
192.168.1.7:57502 > 192.168.1.9:22: R 462778052:462778052(0) win 0
192.168.1.7:57502 > 192.168.1.9:22: R 462782148:462782148(0) win 0
192.168.1.7:57502 > 192.168.1.9:22: R 462790340:462790340(0) win 0
...
On the receiving end 192.168.1.7 (client), connection is killed and new connection is denied:
192.168.1.9:~$ wpacket_write_wait: Connection to 192.168.1.9: Broken pipe
192.168.1.7:~$
192.168.1.7:~$ ssh tzy@192.168.1.9
192.168.1.9's password:
ssh_dispatch_run_fatal: Connection to 192.168.1.9: Broken pipe
192.168.1.7:~$
GDB
If only the socket required to close but the process must keep alive, we could attach the process under a debugger and close the FD (file descriptor).
To illustrate, open a simple client (192.168.1.7) and server (192.168.1.9) TCP connection:
192.168.1.9:~$ ncat -v -l -p 9999
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.168.1.7.
Ncat: Connection from 192.168.1.7:65253.
hello world
192.168.1.7:~$ nc 192.168.1.9 9999
hello world
192.168.1.9:~$ netstat -ptuW
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.9:9999 192.168.1.7:65253 ESTABLISHED 4050/ncat
...
Locate and identify the target socket’s file, $pid
, i.e., 4050
and also the FD
, i.e., 5u
192.168.1.9:~$ lsof -np $pid
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ncat 4050 tzy 5u IPv4 31028 0t0 TCP 192.168.1.9:9999->192.168.1.7:65253 (ESTABLISHED)
Then attach the process to gdb, close the socket with the FD
identifier and detach the debugger with quit:
192.168.1.9:~$ gdb -p $pid
...
(gdb) call close(5u)
$1 = 0
(gdb) quit