Networking Concepts: Difference between revisions
Jump to navigation
Jump to search
Created page with "== Networking Concepts == Networking is the backbone of all digital communication. Understanding how systems connect, route data, and expose services is foundational for both attackers and defenders. === Core Concepts === * OSI Model and TCP/IP Stack * IP Addressing (IPv4 vs IPv6), CIDR Notation, Subnets * MAC Addressing and ARP Protocol * DNS Resolution and record types (A Record, CNAME, MX, TXT) * NAT, PAT, and..." |
|||
| (7 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
== Networking Concepts == | == Networking Concepts == | ||
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection. | |||
= | This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations. | ||
{| class="wikitable sortable" | |||
! Concept !! Description | |||
* [[ | |- | ||
| [[OSI Model]] || Identifies where to inspect, disrupt, or manipulate traffic across layers. | |||
|- | |||
| [[TCP/IP Stack]] || Shows how real-world protocols interact and where tools operate. | |||
|- | |||
| [[UDP Protocol]] || Explains fast, connectionless traffic used in DNS, VoIP, and amplification attacks. | |||
|- | |||
| [[IP Addressing]] || Core to scanning, access targeting, and pivoting. | |||
|- | |||
| [[Subnetting]] || Defines internal boundaries useful for lateral movement. | |||
|- | |||
| [[CIDR Notation]] || Helps calculate scan ranges and filter scopes. | |||
|- | |||
| [[MAC Addressing]] || Used for impersonation and local device spoofing. | |||
|- | |||
| [[ARP Protocol]] || Enables redirection and interception on local networks. | |||
|- | |||
| [[Routing Basics]] || Explains packet paths across and between networks. | |||
|- | |||
| [[NAT]] || Masks internal systems; relevant for ingress and egress control. | |||
|- | |||
| [[LAN Topologies]] || Reveals traffic flow, bottlenecks, and broadcast domains. | |||
|} | |||
=== Protocol Behavior === | |||
* [[TCP Protocol]] and [[TCP Three-Way Handshake]] | |||
* [[UDP Protocol]] and stateless behavior | |||
* [[ICMP Protocol]] – echo requests, TTL, and diagnostics | |||
* [[DNS Resolution]] and record types ([[A Record]], [[CNAME]], [[MX]], [[TXT]]) | * [[DNS Resolution]] and record types ([[A Record]], [[CNAME]], [[MX]], [[TXT]]) | ||
=== Transport & Application Protocols === | === Transport & Application Protocols === | ||
* [[TCP vs UDP vs SCTP]] – flow control and reliability | * [[TCP vs UDP vs SCTP]] – flow control and reliability | ||
* [[HTTP Protocols]]: HTTP/1.1, HTTP/2, [[HTTP/3 (QUIC)]] | * [[HTTP Protocols]]: HTTP/1.1, HTTP/2, [[HTTP/3 (QUIC)]] | ||
* [[TLS 1.3]] | * [[Making HTTP Requests]] | ||
* [[TLS 1.3]], cipher suites, and [[Forward Secrecy]] | |||
* [[SMB Protocol]], [[LDAP]], [[Kerberos Authentication]] | * [[SMB Protocol]], [[LDAP]], [[Kerberos Authentication]] | ||
* [[SIP Protocol]], [[RTP Protocol]] – VoIP signaling and media | * [[SIP Protocol]], [[RTP Protocol]] – VoIP signaling and media | ||
* [[DNSSEC]], [[ | * [[DNSSEC]], [[DoT]], [[DoH]] | ||
=== Port Overview === | === Port Overview === | ||
Understanding ports and services is critical for network reconnaissance and service identification | Understanding ports and services is critical for network reconnaissance and service identification. | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
| Line 46: | Line 63: | ||
| 53 || UDP/TCP || [[DNS]] || Domain Name System – resolves domain names to IP addresses | | 53 || UDP/TCP || [[DNS]] || Domain Name System – resolves domain names to IP addresses | ||
|- | |- | ||
| 67, 68 || UDP || [[DHCP]] || | | 67, 68 || UDP || [[DHCP]] || Assigns IP addresses automatically | ||
|- | |||
| 69 || UDP || [[TFTP]] || Trivial File Transfer Protocol – lightweight file transfers | |||
|- | |||
| 80 || TCP || [[HTTP]] || Standard web traffic | |||
|- | |||
| 110 || TCP || [[POP3]] || Email retrieval | |||
|- | |||
| 123 || UDP || [[NTP]] || Clock synchronization | |||
|- | |||
| 135 || TCP || [[RPC]] || Microsoft Remote Procedure Call | |||
|- | |||
| 137–139 || UDP/TCP || [[NetBIOS]] || Windows NetBIOS services (name resolution, session services) | |||
|- | |||
| 143 || TCP || [[IMAP]] || Internet Message Access Protocol – email | |||
|- | |||
| 161, 162 || UDP || [[SNMP]] || Device monitoring | |||
|- | |||
| 389 || TCP/UDP || [[LDAP]] || Lightweight Directory Access Protocol | |||
|- | |||
| 443 || TCP || [[HTTPS]] || Encrypted HTTP via TLS | |||
|- | |||
| 445 || TCP || [[SMB]] || Windows file/printer sharing | |||
|- | |||
| 465 || TCP || [[SMTPS]] || Secure SMTP (over SSL) | |||
|- | |||
| 514 || UDP || [[Syslog]] || Logging protocol for network devices | |||
|- | |||
| 587 || TCP || [[SMTP Submission]] || Mail submission with STARTTLS | |||
|- | |||
| 636 || TCP || [[LDAPS]] || Secure LDAP (over SSL) | |||
|- | |||
| 993 || TCP || [[IMAPS]] || Secure IMAP (over SSL) | |||
|- | |||
| 995 || TCP || [[POP3S]] || Secure POP3 (over SSL) | |||
|- | |||
| 1433 || TCP || [[MSSQL]] || Microsoft SQL Server | |||
|- | |- | ||
| | | 1521 || TCP || [[Oracle DB]] || Oracle Database listener | ||
|- | |- | ||
| | | 1723 || TCP || [[PPTP]] || Point-to-Point Tunneling Protocol (VPN) | ||
|- | |- | ||
| | | 1883 || TCP || [[MQTT]] || Lightweight messaging protocol for IoT | ||
|- | |- | ||
| | | 2049 || TCP/UDP || [[NFS]] || Network File System | ||
|- | |- | ||
| | | 3128 || TCP || [[Squid Proxy]] || Default Squid proxy port | ||
|- | |- | ||
| | | 3306 || TCP || [[MySQL]] || MySQL database service | ||
|- | |- | ||
| | | 3389 || TCP || [[RDP]] || Windows remote access | ||
|- | |- | ||
| | | 3690 || TCP || [[SVN]] || Subversion version control | ||
|- | |- | ||
| | | 4444 || TCP || [[Metasploit]] || Common port for reverse shells and Metasploit handlers | ||
|- | |- | ||
| 8080 || TCP || [[HTTP-Alt]] || | | 5060 || UDP/TCP || [[SIP]] || Session Initiation Protocol – VoIP signaling | ||
|- | |||
| 5900 || TCP || [[VNC]] || Virtual Network Computing remote desktop | |||
|- | |||
| 5985, 5986 || TCP || [[WinRM]] || Windows Remote Management – HTTP/HTTPS | |||
|- | |||
| 6379 || TCP || [[Redis]] || In-memory key-value data store | |||
|- | |||
| 8000 || TCP || [[HTTP-Alt]] || Alternate HTTP services | |||
|- | |||
| 8080 || TCP || [[HTTP-Alt]] || Proxy or alternate web services | |||
|- | |||
| 8443 || TCP || [[HTTPS-Alt]] || Alternate HTTPS with TLS | |||
|- | |||
| 9000 || TCP || [[PHP-FPM]] || FastCGI Process Manager for PHP | |||
|- | |||
| 9200 || TCP || [[Elasticsearch]] || REST API for Elasticsearch nodes | |||
|- | |||
| 11211 || TCP || [[Memcached]] || High-performance caching system | |||
|- | |||
| 27017 || TCP || [[MongoDB]] || NoSQL database used in many web apps | |||
|} | |} | ||
=== IPv6 Considerations === | |||
* [[IPv6 Addressing]]: link-local vs global | |||
* [[Neighbor Discovery Protocol (NDP)]] and [[SLAAC]] | |||
* [[IPv6 Extension Headers]] and their use in evasion | |||
* [[Dual Stack Networking]] and [[Teredo]] | |||
* [[IPv6 Attack Surface]] – RA spoofing, header chains | |||
=== Diagnostic & Monitoring Tools === | === Diagnostic & Monitoring Tools === | ||
* [[ping]] | * [[ping]], [[traceroute]] / [[tracert]] | ||
* [[netstat]] / [[ss]], [[ip]] / [[ifconfig]] | |||
* [[netstat]] / [[ss]] | * [[dig]] / [[nslookup]] | ||
* [[tcpdump]], [[Wireshark]], [[nmap]], [[masscan]] | |||
* [[dig]] / [[nslookup]] | * [[nc]] / [[netcat]], [[hping3]], [[scapy]] | ||
* [[tcpdump]] | |||
* [[nc]] / [[netcat]] | |||
=== Packet Crafting & Manipulation === | === Packet Crafting & Manipulation === | ||
* [[TCP/UDP Floods]] | * [[TCP/UDP Floods]], [[Fragmentation Attacks]] | ||
* [[Packet Replay]], [[TTL Analysis]] | |||
* [[Packet Replay]] | |||
* Tools: [[scapy]], [[hping3]], [[nping]] | * Tools: [[scapy]], [[hping3]], [[nping]] | ||
=== Tunneling & Encapsulation === | === Tunneling & Encapsulation === | ||
* [[SSH Tunneling]] (local | * [[SSH Tunneling]] (local/remote/SOCKS) | ||
* | * VPNs: [[IPsec]], [[OpenVPN]], [[WireGuard]] | ||
* [[DNS Tunneling]], [[ICMP Tunneling]], [[HTTP Tunneling]] | * [[DNS Tunneling]], [[ICMP Tunneling]], [[HTTP Tunneling]] | ||
* [[GRE]], [[VXLAN]], | * Overlay protocols: [[GRE]], [[VXLAN]], [[GENEVE]] | ||
* Tools: [[ssh]], [[stunnel]], [[iodine]], [[chisel]] | * Tools: [[ssh]], [[stunnel]], [[iodine]], [[chisel]] | ||
| Line 98: | Line 171: | ||
* [[Stateless vs Stateful Firewalls]] | * [[Stateless vs Stateful Firewalls]] | ||
* [[IDS]] / [[IPS]] (Snort, Suricata) | * [[IDS]] / [[IPS]] (Snort, Suricata) | ||
* [[ | * [[WAFs]] and proxy filtering | ||
* [[VLAN Segmentation]], [[Zero Trust]] | |||
* [[VLAN Segmentation]] | |||
* [[Load Balancers]] – L4 vs L7 | * [[Load Balancers]] – L4 vs L7 | ||
=== Packet Capture & Analysis === | === Packet Capture & Analysis === | ||
* [[tcpdump]] | * [[tcpdump]], [[Wireshark]], [[pcap]] files | ||
* Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name` | * Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name` | ||
=== Network Mapping & Visualization === | === Network Mapping & Visualization === | ||
* [[Nmap]] | * [[Nmap]], [[Netdiscover]], [[Zenmap]] | ||
* [[Traceroute]] topology graphs | |||
* [[Traceroute]] graphs | |||
* [[ | === Protocol References === | ||
* [https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers Wikipedia: Port List] | |||
* [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml IANA Registry] | |||
* [https://speedguide.net/port.php SpeedGuide Reference] | |||
Latest revision as of 14:08, 14 June 2025
Networking Concepts[edit | edit source]
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
| Concept | Description |
|---|---|
| OSI Model | Identifies where to inspect, disrupt, or manipulate traffic across layers. |
| TCP/IP Stack | Shows how real-world protocols interact and where tools operate. |
| UDP Protocol | Explains fast, connectionless traffic used in DNS, VoIP, and amplification attacks. |
| IP Addressing | Core to scanning, access targeting, and pivoting. |
| Subnetting | Defines internal boundaries useful for lateral movement. |
| CIDR Notation | Helps calculate scan ranges and filter scopes. |
| MAC Addressing | Used for impersonation and local device spoofing. |
| ARP Protocol | Enables redirection and interception on local networks. |
| Routing Basics | Explains packet paths across and between networks. |
| NAT | Masks internal systems; relevant for ingress and egress control. |
| LAN Topologies | Reveals traffic flow, bottlenecks, and broadcast domains. |
Protocol Behavior[edit | edit source]
- TCP Protocol and TCP Three-Way Handshake
- UDP Protocol and stateless behavior
- ICMP Protocol – echo requests, TTL, and diagnostics
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
Transport & Application Protocols[edit | edit source]
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- Making HTTP Requests
- TLS 1.3, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media
- DNSSEC, DoT, DoH
Port Overview[edit | edit source]
Understanding ports and services is critical for network reconnaissance and service identification.
| Port | Protocol | Common Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
| 22 | TCP | SSH | Secure Shell – remote access to systems |
| 23 | TCP | Telnet | Unencrypted remote login service |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
| 53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
| 67, 68 | UDP | DHCP | Assigns IP addresses automatically |
| 69 | UDP | TFTP | Trivial File Transfer Protocol – lightweight file transfers |
| 80 | TCP | HTTP | Standard web traffic |
| 110 | TCP | POP3 | Email retrieval |
| 123 | UDP | NTP | Clock synchronization |
| 135 | TCP | RPC | Microsoft Remote Procedure Call |
| 137–139 | UDP/TCP | NetBIOS | Windows NetBIOS services (name resolution, session services) |
| 143 | TCP | IMAP | Internet Message Access Protocol – email |
| 161, 162 | UDP | SNMP | Device monitoring |
| 389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol |
| 443 | TCP | HTTPS | Encrypted HTTP via TLS |
| 445 | TCP | SMB | Windows file/printer sharing |
| 465 | TCP | SMTPS | Secure SMTP (over SSL) |
| 514 | UDP | Syslog | Logging protocol for network devices |
| 587 | TCP | SMTP Submission | Mail submission with STARTTLS |
| 636 | TCP | LDAPS | Secure LDAP (over SSL) |
| 993 | TCP | IMAPS | Secure IMAP (over SSL) |
| 995 | TCP | POP3S | Secure POP3 (over SSL) |
| 1433 | TCP | MSSQL | Microsoft SQL Server |
| 1521 | TCP | Oracle DB | Oracle Database listener |
| 1723 | TCP | PPTP | Point-to-Point Tunneling Protocol (VPN) |
| 1883 | TCP | MQTT | Lightweight messaging protocol for IoT |
| 2049 | TCP/UDP | NFS | Network File System |
| 3128 | TCP | Squid Proxy | Default Squid proxy port |
| 3306 | TCP | MySQL | MySQL database service |
| 3389 | TCP | RDP | Windows remote access |
| 3690 | TCP | SVN | Subversion version control |
| 4444 | TCP | Metasploit | Common port for reverse shells and Metasploit handlers |
| 5060 | UDP/TCP | SIP | Session Initiation Protocol – VoIP signaling |
| 5900 | TCP | VNC | Virtual Network Computing remote desktop |
| 5985, 5986 | TCP | WinRM | Windows Remote Management – HTTP/HTTPS |
| 6379 | TCP | Redis | In-memory key-value data store |
| 8000 | TCP | HTTP-Alt | Alternate HTTP services |
| 8080 | TCP | HTTP-Alt | Proxy or alternate web services |
| 8443 | TCP | HTTPS-Alt | Alternate HTTPS with TLS |
| 9000 | TCP | PHP-FPM | FastCGI Process Manager for PHP |
| 9200 | TCP | Elasticsearch | REST API for Elasticsearch nodes |
| 11211 | TCP | Memcached | High-performance caching system |
| 27017 | TCP | MongoDB | NoSQL database used in many web apps |
IPv6 Considerations[edit | edit source]
- IPv6 Addressing: link-local vs global
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their use in evasion
- Dual Stack Networking and Teredo
- IPv6 Attack Surface – RA spoofing, header chains
Diagnostic & Monitoring Tools[edit | edit source]
- ping, traceroute / tracert
- netstat / ss, ip / ifconfig
- dig / nslookup
- tcpdump, Wireshark, nmap, masscan
- nc / netcat, hping3, scapy
Packet Crafting & Manipulation[edit | edit source]
Tunneling & Encapsulation[edit | edit source]
- SSH Tunneling (local/remote/SOCKS)
- VPNs: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- Overlay protocols: GRE, VXLAN, GENEVE
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls[edit | edit source]
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- WAFs and proxy filtering
- VLAN Segmentation, Zero Trust
- Load Balancers – L4 vs L7
Packet Capture & Analysis[edit | edit source]
- tcpdump, Wireshark, pcap files
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization[edit | edit source]
- Nmap, Netdiscover, Zenmap
- Traceroute topology graphs