Networking Concepts: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| (5 intermediate revisions by one other user not shown) | |||
| Line 4: | Line 4: | ||
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations. | This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations. | ||
{| class="wikitable sortable" | |||
! Concept !! Description | |||
|- | |||
| [[OSI Model]] || Identifies where to inspect, disrupt, or manipulate traffic across layers. | |||
|- | |||
| [[TCP/IP Stack]] || Shows how real-world protocols interact and where tools operate. | |||
|- | |||
| [[UDP Protocol]] || Explains fast, connectionless traffic used in DNS, VoIP, and amplification attacks. | |||
|- | |||
| [[IP Addressing]] || Core to scanning, access targeting, and pivoting. | |||
|- | |||
| [[Subnetting]] || Defines internal boundaries useful for lateral movement. | |||
|- | |||
| [[CIDR Notation]] || Helps calculate scan ranges and filter scopes. | |||
|- | |||
| [[MAC Addressing]] || Used for impersonation and local device spoofing. | |||
|- | |||
| [[ARP Protocol]] || Enables redirection and interception on local networks. | |||
|- | |||
| [[Routing Basics]] || Explains packet paths across and between networks. | |||
|- | |||
| [[NAT]] || Masks internal systems; relevant for ingress and egress control. | |||
|- | |||
| [[LAN Topologies]] || Reveals traffic flow, bottlenecks, and broadcast domains. | |||
|} | |||
=== Protocol Behavior === | === Protocol Behavior === | ||
| Line 21: | Line 41: | ||
* [[TCP vs UDP vs SCTP]] – flow control and reliability | * [[TCP vs UDP vs SCTP]] – flow control and reliability | ||
* [[HTTP Protocols]]: HTTP/1.1, HTTP/2, [[HTTP/3 (QUIC)]] | * [[HTTP Protocols]]: HTTP/1.1, HTTP/2, [[HTTP/3 (QUIC)]] | ||
* [[Making HTTP Requests]] | |||
* [[TLS 1.3]], cipher suites, and [[Forward Secrecy]] | * [[TLS 1.3]], cipher suites, and [[Forward Secrecy]] | ||
* [[SMB Protocol]], [[LDAP]], [[Kerberos Authentication]] | * [[SMB Protocol]], [[LDAP]], [[Kerberos Authentication]] | ||
| Line 43: | Line 64: | ||
|- | |- | ||
| 67, 68 || UDP || [[DHCP]] || Assigns IP addresses automatically | | 67, 68 || UDP || [[DHCP]] || Assigns IP addresses automatically | ||
|- | |||
| 69 || UDP || [[TFTP]] || Trivial File Transfer Protocol – lightweight file transfers | |||
|- | |- | ||
| 80 || TCP || [[HTTP]] || Standard web traffic | | 80 || TCP || [[HTTP]] || Standard web traffic | ||
| Line 49: | Line 72: | ||
|- | |- | ||
| 123 || UDP || [[NTP]] || Clock synchronization | | 123 || UDP || [[NTP]] || Clock synchronization | ||
|- | |||
| 135 || TCP || [[RPC]] || Microsoft Remote Procedure Call | |||
|- | |||
| 137–139 || UDP/TCP || [[NetBIOS]] || Windows NetBIOS services (name resolution, session services) | |||
|- | |- | ||
| 143 || TCP || [[IMAP]] || Internet Message Access Protocol – email | | 143 || TCP || [[IMAP]] || Internet Message Access Protocol – email | ||
|- | |- | ||
| 161, 162 || UDP || [[SNMP]] || Device monitoring | | 161, 162 || UDP || [[SNMP]] || Device monitoring | ||
|- | |||
| 389 || TCP/UDP || [[LDAP]] || Lightweight Directory Access Protocol | |||
|- | |- | ||
| 443 || TCP || [[HTTPS]] || Encrypted HTTP via TLS | | 443 || TCP || [[HTTPS]] || Encrypted HTTP via TLS | ||
|- | |- | ||
| 445 || TCP || [[SMB]] || Windows file/printer sharing | | 445 || TCP || [[SMB]] || Windows file/printer sharing | ||
|- | |||
| 465 || TCP || [[SMTPS]] || Secure SMTP (over SSL) | |||
|- | |||
| 514 || UDP || [[Syslog]] || Logging protocol for network devices | |||
|- | |||
| 587 || TCP || [[SMTP Submission]] || Mail submission with STARTTLS | |||
|- | |||
| 636 || TCP || [[LDAPS]] || Secure LDAP (over SSL) | |||
|- | |||
| 993 || TCP || [[IMAPS]] || Secure IMAP (over SSL) | |||
|- | |||
| 995 || TCP || [[POP3S]] || Secure POP3 (over SSL) | |||
|- | |||
| 1433 || TCP || [[MSSQL]] || Microsoft SQL Server | |||
|- | |||
| 1521 || TCP || [[Oracle DB]] || Oracle Database listener | |||
|- | |||
| 1723 || TCP || [[PPTP]] || Point-to-Point Tunneling Protocol (VPN) | |||
|- | |||
| 1883 || TCP || [[MQTT]] || Lightweight messaging protocol for IoT | |||
|- | |||
| 2049 || TCP/UDP || [[NFS]] || Network File System | |||
|- | |||
| 3128 || TCP || [[Squid Proxy]] || Default Squid proxy port | |||
|- | |- | ||
| 3306 || TCP || [[MySQL]] || MySQL database service | | 3306 || TCP || [[MySQL]] || MySQL database service | ||
|- | |- | ||
| 3389 || TCP || [[RDP]] || Windows remote access | | 3389 || TCP || [[RDP]] || Windows remote access | ||
|- | |||
| 3690 || TCP || [[SVN]] || Subversion version control | |||
|- | |||
| 4444 || TCP || [[Metasploit]] || Common port for reverse shells and Metasploit handlers | |||
|- | |||
| 5060 || UDP/TCP || [[SIP]] || Session Initiation Protocol – VoIP signaling | |||
|- | |||
| 5900 || TCP || [[VNC]] || Virtual Network Computing remote desktop | |||
|- | |||
| 5985, 5986 || TCP || [[WinRM]] || Windows Remote Management – HTTP/HTTPS | |||
|- | |||
| 6379 || TCP || [[Redis]] || In-memory key-value data store | |||
|- | |||
| 8000 || TCP || [[HTTP-Alt]] || Alternate HTTP services | |||
|- | |- | ||
| 8080 || TCP || [[HTTP-Alt]] || Proxy or alternate web services | | 8080 || TCP || [[HTTP-Alt]] || Proxy or alternate web services | ||
|- | |||
| 8443 || TCP || [[HTTPS-Alt]] || Alternate HTTPS with TLS | |||
|- | |||
| 9000 || TCP || [[PHP-FPM]] || FastCGI Process Manager for PHP | |||
|- | |||
| 9200 || TCP || [[Elasticsearch]] || REST API for Elasticsearch nodes | |||
|- | |||
| 11211 || TCP || [[Memcached]] || High-performance caching system | |||
|- | |||
| 27017 || TCP || [[MongoDB]] || NoSQL database used in many web apps | |||
|} | |} | ||
Latest revision as of 14:08, 14 June 2025
Networking Concepts[edit | edit source]
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
| Concept | Description |
|---|---|
| OSI Model | Identifies where to inspect, disrupt, or manipulate traffic across layers. |
| TCP/IP Stack | Shows how real-world protocols interact and where tools operate. |
| UDP Protocol | Explains fast, connectionless traffic used in DNS, VoIP, and amplification attacks. |
| IP Addressing | Core to scanning, access targeting, and pivoting. |
| Subnetting | Defines internal boundaries useful for lateral movement. |
| CIDR Notation | Helps calculate scan ranges and filter scopes. |
| MAC Addressing | Used for impersonation and local device spoofing. |
| ARP Protocol | Enables redirection and interception on local networks. |
| Routing Basics | Explains packet paths across and between networks. |
| NAT | Masks internal systems; relevant for ingress and egress control. |
| LAN Topologies | Reveals traffic flow, bottlenecks, and broadcast domains. |
Protocol Behavior[edit | edit source]
- TCP Protocol and TCP Three-Way Handshake
- UDP Protocol and stateless behavior
- ICMP Protocol – echo requests, TTL, and diagnostics
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
Transport & Application Protocols[edit | edit source]
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- Making HTTP Requests
- TLS 1.3, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media
- DNSSEC, DoT, DoH
Port Overview[edit | edit source]
Understanding ports and services is critical for network reconnaissance and service identification.
| Port | Protocol | Common Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
| 22 | TCP | SSH | Secure Shell – remote access to systems |
| 23 | TCP | Telnet | Unencrypted remote login service |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
| 53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
| 67, 68 | UDP | DHCP | Assigns IP addresses automatically |
| 69 | UDP | TFTP | Trivial File Transfer Protocol – lightweight file transfers |
| 80 | TCP | HTTP | Standard web traffic |
| 110 | TCP | POP3 | Email retrieval |
| 123 | UDP | NTP | Clock synchronization |
| 135 | TCP | RPC | Microsoft Remote Procedure Call |
| 137–139 | UDP/TCP | NetBIOS | Windows NetBIOS services (name resolution, session services) |
| 143 | TCP | IMAP | Internet Message Access Protocol – email |
| 161, 162 | UDP | SNMP | Device monitoring |
| 389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol |
| 443 | TCP | HTTPS | Encrypted HTTP via TLS |
| 445 | TCP | SMB | Windows file/printer sharing |
| 465 | TCP | SMTPS | Secure SMTP (over SSL) |
| 514 | UDP | Syslog | Logging protocol for network devices |
| 587 | TCP | SMTP Submission | Mail submission with STARTTLS |
| 636 | TCP | LDAPS | Secure LDAP (over SSL) |
| 993 | TCP | IMAPS | Secure IMAP (over SSL) |
| 995 | TCP | POP3S | Secure POP3 (over SSL) |
| 1433 | TCP | MSSQL | Microsoft SQL Server |
| 1521 | TCP | Oracle DB | Oracle Database listener |
| 1723 | TCP | PPTP | Point-to-Point Tunneling Protocol (VPN) |
| 1883 | TCP | MQTT | Lightweight messaging protocol for IoT |
| 2049 | TCP/UDP | NFS | Network File System |
| 3128 | TCP | Squid Proxy | Default Squid proxy port |
| 3306 | TCP | MySQL | MySQL database service |
| 3389 | TCP | RDP | Windows remote access |
| 3690 | TCP | SVN | Subversion version control |
| 4444 | TCP | Metasploit | Common port for reverse shells and Metasploit handlers |
| 5060 | UDP/TCP | SIP | Session Initiation Protocol – VoIP signaling |
| 5900 | TCP | VNC | Virtual Network Computing remote desktop |
| 5985, 5986 | TCP | WinRM | Windows Remote Management – HTTP/HTTPS |
| 6379 | TCP | Redis | In-memory key-value data store |
| 8000 | TCP | HTTP-Alt | Alternate HTTP services |
| 8080 | TCP | HTTP-Alt | Proxy or alternate web services |
| 8443 | TCP | HTTPS-Alt | Alternate HTTPS with TLS |
| 9000 | TCP | PHP-FPM | FastCGI Process Manager for PHP |
| 9200 | TCP | Elasticsearch | REST API for Elasticsearch nodes |
| 11211 | TCP | Memcached | High-performance caching system |
| 27017 | TCP | MongoDB | NoSQL database used in many web apps |
IPv6 Considerations[edit | edit source]
- IPv6 Addressing: link-local vs global
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their use in evasion
- Dual Stack Networking and Teredo
- IPv6 Attack Surface – RA spoofing, header chains
Diagnostic & Monitoring Tools[edit | edit source]
- ping, traceroute / tracert
- netstat / ss, ip / ifconfig
- dig / nslookup
- tcpdump, Wireshark, nmap, masscan
- nc / netcat, hping3, scapy
Packet Crafting & Manipulation[edit | edit source]
Tunneling & Encapsulation[edit | edit source]
- SSH Tunneling (local/remote/SOCKS)
- VPNs: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- Overlay protocols: GRE, VXLAN, GENEVE
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls[edit | edit source]
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- WAFs and proxy filtering
- VLAN Segmentation, Zero Trust
- Load Balancers – L4 vs L7
Packet Capture & Analysis[edit | edit source]
- tcpdump, Wireshark, pcap files
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization[edit | edit source]
- Nmap, Netdiscover, Zenmap
- Traceroute topology graphs