Networking Concepts
Jump to navigation
Jump to search
Networking Concepts[edit | edit source]
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
| Concept | Description |
|---|---|
| OSI Model | Identifies where to inspect, disrupt, or manipulate traffic across layers. |
| TCP/IP Stack | Shows how real-world protocols interact and where tools operate. |
| UDP Protocol | Explains fast, connectionless traffic used in DNS, VoIP, and amplification attacks. |
| IP Addressing | Core to scanning, access targeting, and pivoting. |
| Subnetting | Defines internal boundaries useful for lateral movement. |
| CIDR Notation | Helps calculate scan ranges and filter scopes. |
| MAC Addressing | Used for impersonation and local device spoofing. |
| ARP Protocol | Enables redirection and interception on local networks. |
| Routing Basics | Explains packet paths across and between networks. |
| NAT | Masks internal systems; relevant for ingress and egress control. |
| LAN Topologies | Reveals traffic flow, bottlenecks, and broadcast domains. |
Protocol Behavior[edit | edit source]
- TCP Protocol and TCP Three-Way Handshake
- UDP Protocol and stateless behavior
- ICMP Protocol – echo requests, TTL, and diagnostics
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
Transport & Application Protocols[edit | edit source]
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- Making HTTP Requests
- TLS 1.3, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media
- DNSSEC, DoT, DoH
Port Overview[edit | edit source]
Understanding ports and services is critical for network reconnaissance and service identification.
| Port | Protocol | Common Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
| 22 | TCP | SSH | Secure Shell – remote access to systems |
| 23 | TCP | Telnet | Unencrypted remote login service |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
| 53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
| 67, 68 | UDP | DHCP | Assigns IP addresses automatically |
| 69 | UDP | TFTP | Trivial File Transfer Protocol – lightweight file transfers |
| 80 | TCP | HTTP | Standard web traffic |
| 110 | TCP | POP3 | Email retrieval |
| 123 | UDP | NTP | Clock synchronization |
| 135 | TCP | RPC | Microsoft Remote Procedure Call |
| 137–139 | UDP/TCP | NetBIOS | Windows NetBIOS services (name resolution, session services) |
| 143 | TCP | IMAP | Internet Message Access Protocol – email |
| 161, 162 | UDP | SNMP | Device monitoring |
| 389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol |
| 443 | TCP | HTTPS | Encrypted HTTP via TLS |
| 445 | TCP | SMB | Windows file/printer sharing |
| 465 | TCP | SMTPS | Secure SMTP (over SSL) |
| 514 | UDP | Syslog | Logging protocol for network devices |
| 587 | TCP | SMTP Submission | Mail submission with STARTTLS |
| 636 | TCP | LDAPS | Secure LDAP (over SSL) |
| 993 | TCP | IMAPS | Secure IMAP (over SSL) |
| 995 | TCP | POP3S | Secure POP3 (over SSL) |
| 1433 | TCP | MSSQL | Microsoft SQL Server |
| 1521 | TCP | Oracle DB | Oracle Database listener |
| 1723 | TCP | PPTP | Point-to-Point Tunneling Protocol (VPN) |
| 1883 | TCP | MQTT | Lightweight messaging protocol for IoT |
| 2049 | TCP/UDP | NFS | Network File System |
| 3128 | TCP | Squid Proxy | Default Squid proxy port |
| 3306 | TCP | MySQL | MySQL database service |
| 3389 | TCP | RDP | Windows remote access |
| 3690 | TCP | SVN | Subversion version control |
| 4444 | TCP | Metasploit | Common port for reverse shells and Metasploit handlers |
| 5060 | UDP/TCP | SIP | Session Initiation Protocol – VoIP signaling |
| 5900 | TCP | VNC | Virtual Network Computing remote desktop |
| 5985, 5986 | TCP | WinRM | Windows Remote Management – HTTP/HTTPS |
| 6379 | TCP | Redis | In-memory key-value data store |
| 8000 | TCP | HTTP-Alt | Alternate HTTP services |
| 8080 | TCP | HTTP-Alt | Proxy or alternate web services |
| 8443 | TCP | HTTPS-Alt | Alternate HTTPS with TLS |
| 9000 | TCP | PHP-FPM | FastCGI Process Manager for PHP |
| 9200 | TCP | Elasticsearch | REST API for Elasticsearch nodes |
| 11211 | TCP | Memcached | High-performance caching system |
| 27017 | TCP | MongoDB | NoSQL database used in many web apps |
IPv6 Considerations[edit | edit source]
- IPv6 Addressing: link-local vs global
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their use in evasion
- Dual Stack Networking and Teredo
- IPv6 Attack Surface – RA spoofing, header chains
Diagnostic & Monitoring Tools[edit | edit source]
- ping, traceroute / tracert
- netstat / ss, ip / ifconfig
- dig / nslookup
- tcpdump, Wireshark, nmap, masscan
- nc / netcat, hping3, scapy
Packet Crafting & Manipulation[edit | edit source]
Tunneling & Encapsulation[edit | edit source]
- SSH Tunneling (local/remote/SOCKS)
- VPNs: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- Overlay protocols: GRE, VXLAN, GENEVE
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls[edit | edit source]
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- WAFs and proxy filtering
- VLAN Segmentation, Zero Trust
- Load Balancers – L4 vs L7
Packet Capture & Analysis[edit | edit source]
- tcpdump, Wireshark, pcap files
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization[edit | edit source]
- Nmap, Netdiscover, Zenmap
- Traceroute topology graphs