Networking Concepts
Revision as of 13:57, 7 June 2025
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
Concept | Description |
---|---|
OSI Model | A layered framework for analyzing and interacting with data at different stages in transmission. Essential for identifying where to intercept, manipulate, or disrupt communication. |
TCP/IP Stack | The real-world implementation of protocol layers used on the Internet. Useful for understanding how to interact with systems across layers, including link-level and transport-level tools. |
LAN Topologies | Physical and logical layouts of local networks. Critical for anticipating traffic flow, identifying broadcast domains, and locating single points of failure. |
IP Addressing | How systems are identified and reached across networks. Core to enumeration, pivoting, and access control evasion. |
Subnetting | Divides networks into segments. Knowledge of subnet boundaries is key for identifying internal targets and lateral movement opportunities. |
CIDR Notation | Defines IP range boundaries. Used in scanning, filtering, and identifying exploitable scope. |
Subnets | Smaller network segments with defined access. Awareness helps bypass segmentation, pivot into isolated areas, or escalate presence. |
MAC Addressing | Unique identifiers used within local networks. Can be spoofed to bypass MAC filters or impersonate trusted devices. |
ARP Protocol | Resolves IP-to-MAC mappings. Often abused in spoofing attacks for intercepting or redirecting local traffic. |
Routing Basics | Explains how packets reach destinations across networks. Understanding routing behavior supports traffic redirection and network infiltration. |
NAT | Obscures internal addressing. Understanding NAT behavior is necessary to reach internal systems or manage reverse connections. |
PAT | Translates multiple internal systems to one public IP via port mappings. Relevant when exploiting or tunneling through limited egress points. |
MTU | Defines maximum packet size before fragmentation. Manipulating MTU can influence detection, fingerprinting, or IDS evasion. |
Packet Fragmentation | Breaks large packets into smaller ones. Sometimes exploited to evade detection or bypass firewalls and inspection systems. |
Protocol Behavior
- TCP Protocol and TCP Three-Way Handshake
- UDP Protocol and stateless behavior
- ICMP Protocol – echo requests, TTL, and diagnostics
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
Transport & Application Protocols
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- TLS 1.3, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media
- DNSSEC, DoT, DoH
Port Overview
Understanding ports and services is critical for network reconnaissance and service identification.
Port | Protocol | Common Service | Description |
---|---|---|---|
20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
22 | TCP | SSH | Secure Shell – remote access to systems |
23 | TCP | Telnet | Unencrypted remote login service |
25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
67, 68 | UDP | DHCP | Assigns IP addresses automatically |
69 | UDP | TFTP | Trivial File Transfer Protocol – lightweight file transfers |
80 | TCP | HTTP | Standard web traffic |
110 | TCP | POP3 | Email retrieval |
123 | UDP | NTP | Clock synchronization |
135 | TCP | RPC | Microsoft Remote Procedure Call |
137–139 | UDP/TCP | NetBIOS | Windows NetBIOS services (name resolution, session services) |
143 | TCP | IMAP | Internet Message Access Protocol – email |
161, 162 | UDP | SNMP | Device monitoring |
389 | TCP/UDP | LDAP | Lightweight Directory Access Protocol |
443 | TCP | HTTPS | Encrypted HTTP via TLS |
445 | TCP | SMB | Windows file/printer sharing |
465 | TCP | SMTPS | Secure SMTP (over SSL) |
514 | UDP | Syslog | Logging protocol for network devices |
587 | TCP | SMTP Submission | Mail submission with STARTTLS |
636 | TCP | LDAPS | Secure LDAP (over SSL) |
993 | TCP | IMAPS | Secure IMAP (over SSL) |
995 | TCP | POP3S | Secure POP3 (over SSL) |
1433 | TCP | MSSQL | Microsoft SQL Server |
1521 | TCP | Oracle DB | Oracle Database listener |
1723 | TCP | PPTP | Point-to-Point Tunneling Protocol (VPN) |
1883 | TCP | MQTT | Lightweight messaging protocol for IoT |
2049 | TCP/UDP | NFS | Network File System |
3128 | TCP | Squid Proxy | Default Squid proxy port |
3306 | TCP | MySQL | MySQL database service |
3389 | TCP | RDP | Windows remote access |
3690 | TCP | SVN | Subversion version control |
4444 | TCP | Metasploit | Common port for reverse shells and Metasploit handlers |
5060 | UDP/TCP | SIP | Session Initiation Protocol – VoIP signaling |
5900 | TCP | VNC | Virtual Network Computing remote desktop |
5985, 5986 | TCP | WinRM | Windows Remote Management – HTTP/HTTPS |
6379 | TCP | Redis | In-memory key-value data store |
8000 | TCP | HTTP-Alt | Alternate HTTP services |
8080 | TCP | HTTP-Alt | Proxy or alternate web services |
8443 | TCP | HTTPS-Alt | Alternate HTTPS with TLS |
9000 | TCP | PHP-FPM | FastCGI Process Manager for PHP |
9200 | TCP | Elasticsearch | REST API for Elasticsearch nodes |
11211 | TCP | Memcached | High-performance caching system |
27017 | TCP | MongoDB | NoSQL database used in many web apps |
IPv6 Considerations
- IPv6 Addressing: link-local vs global
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their use in evasion
- Dual Stack Networking and Teredo
- IPv6 Attack Surface – RA spoofing, header chains
Diagnostic & Monitoring Tools
- ping, traceroute / tracert
- netstat / ss, ip / ifconfig
- dig / nslookup
- tcpdump, Wireshark, nmap, masscan
- nc / netcat, hping3, scapy
Packet Crafting & Manipulation
Tunneling & Encapsulation
- SSH Tunneling (local/remote/SOCKS)
- VPNs: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- Overlay protocols: GRE, VXLAN, GENEVE
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- WAFs and proxy filtering
- VLAN Segmentation, Zero Trust
- Load Balancers – L4 vs L7
Packet Capture & Analysis
- tcpdump, Wireshark, pcap files
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization
- Nmap, Netdiscover, Zenmap
- Traceroute topology graphs