Networking Concepts: Difference between revisions

From HackOps
No edit summary
Line 4: Line 4:


This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
{| class="wikitable sortable"
{| class="wikitable sortable"
! Concept !! Description
! Concept !! Description
|-
|-
| [[OSI Model]] || A layered framework for analyzing and interacting with data at different stages in transmission. Essential for identifying where to intercept, manipulate, or disrupt communication.
| [[OSI Model]] || Identifies where to inspect, disrupt, or manipulate traffic across layers.
|-
| [[TCP/IP Stack]] || The real-world implementation of protocol layers used on the Internet. Useful for understanding how to interact with systems across layers, including link-level and transport-level tools.
|-
| [[LAN Topologies]] || Physical and logical layouts of local networks. Critical for anticipating traffic flow, identifying broadcast domains, and locating single points of failure.
|-
|-
| [[IP Addressing]] || How systems are identified and reached across networks. Core to enumeration, pivoting, and access control evasion.
| [[TCP/IP Stack]] || Shows how real-world protocols interact and where tools operate.
|-
|-
| [[Subnetting]] || Divides networks into segments. Knowledge of subnet boundaries is key for identifying internal targets and lateral movement opportunities.
| [[IP Addressing]] || Core to scanning, access targeting, and pivoting.
|-
|-
| [[CIDR Notation]] || Defines IP range boundaries. Used in scanning, filtering, and identifying exploitable scope.
| [[Subnetting]] || Defines internal boundaries useful for lateral movement.
|-
|-
| [[Subnets]] || Smaller network segments with defined access. Awareness helps bypass segmentation, pivot into isolated areas, or escalate presence.
| [[CIDR Notation]] || Helps calculate scan ranges and filter scopes.
|-
|-
| [[MAC Addressing]] || Unique identifiers used within local networks. Can be spoofed to bypass MAC filters or impersonate trusted devices.
| [[MAC Addressing]] || Used for impersonation and local device spoofing.
|-
|-
| [[ARP Protocol]] || Resolves IP-to-MAC mappings. Often abused in spoofing attacks for intercepting or redirecting local traffic.
| [[ARP Protocol]] || Enables redirection and interception on local networks.
|-
|-
| [[Routing Basics]] || Explains how packets reach destinations across networks. Understanding routing behavior supports traffic redirection and network infiltration.
| [[Routing Basics]] || Explains packet paths across and between networks.
|-
|-
| [[NAT]] || Obscures internal addressing. Understanding NAT behavior is necessary to reach internal systems or manage reverse connections.
| [[NAT]] || Masks internal systems; relevant for ingress and egress control.
|-
|-
| [[PAT]] || Translates multiple internal systems to one public IP via port mappings. Relevant when exploiting or tunneling through limited egress points.
| [[LAN Topologies]] || Reveals traffic flow, bottlenecks, and broadcast domains.
|-
| [[MTU]] || Defines maximum packet size before fragmentation. Manipulating MTU can influence detection, fingerprinting, or IDS evasion.
|-
| [[Packet Fragmentation]] || Breaks large packets into smaller ones. Sometimes exploited to evade detection or bypass firewalls and inspection systems.
|}
|}


=== Protocol Behavior ===
=== Protocol Behavior ===
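Review bot: besides shortening every description, this revision silently drops four rows (Subnets, PAT, MTU, Packet Fragmentation) and moves LAN Topologies from third to last, with no edit summary. Either restore the dropped rows or state in the summary where they went: Subnets overlaps with Subnetting and could reasonably be merged, but PAT, MTU and Packet Fragmentation had no other home in the table, and the shortened NAT row no longer mentions the port mapping that the old PAT row covered.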

Revision as of 13:59, 7 June 2025

Networking Concepts

Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.

This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.

{| class="wikitable sortable"
! Concept !! Description
|-
| [[OSI Model]] || Identifies where to inspect, disrupt, or manipulate traffic across layers.
|-
| [[TCP/IP Stack]] || Shows how real-world protocols interact and where tools operate.
|-
| [[IP Addressing]] || Core to scanning, access targeting, and pivoting.
|-
| [[Subnetting]] || Defines internal boundaries useful for lateral movement.
|-
| [[CIDR Notation]] || Helps calculate scan ranges and filter scopes.
|-
| [[MAC Addressing]] || Used for impersonation and local device spoofing.
|-
| [[ARP Protocol]] || Enables redirection and interception on local networks.
|-
| [[Routing Basics]] || Explains packet paths across and between networks.
|-
| [[NAT]] || Masks internal systems; relevant for ingress and egress control.
|-
| [[LAN Topologies]] || Reveals traffic flow, bottlenecks, and broadcast domains.
|}
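As an added example (not from the HackOps page), the arithmetic behind the Subnetting and CIDR Notation rows: deriving mask, network and broadcast addresses from a prefix, testing whether an address falls inside a monitored or allow-listed range, and carving a block into equal subnets. It uses only the standard library; the addresses are constructed sample values.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def parse_cidr(cidr: str) -> dict:
    """Derive mask, network, broadcast and host range from an IPv4 CIDR string."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones, then host zeros
    net = ip_to_int(addr) & mask                        # host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)                  # host bits set
    if prefix >= 31:                                    # /31 (RFC 3021) and /32 reserve nothing
        first, last, usable = net, bcast, 2 ** (32 - prefix)
    else:
        first, last, usable = net + 1, bcast - 1, bcast - net - 1
    return {"network": int_to_ip(net), "netmask": int_to_ip(mask),
            "broadcast": int_to_ip(bcast), "first_host": int_to_ip(first),
            "last_host": int_to_ip(last), "usable_hosts": usable, "prefix": prefix}

def contains(cidr: str, ip: str) -> bool:
    """True if ip lies inside cidr, e.g. inside a monitored or allow-listed range."""
    info = parse_cidr(cidr)
    return ip_to_int(info["network"]) <= ip_to_int(ip) <= ip_to_int(info["broadcast"])

def split_subnet(cidr: str, new_prefix: int) -> list:
    """Carve cidr into equal subnets of new_prefix length, e.g. a /24 into four /26s."""
    info = parse_cidr(cidr)
    if new_prefix < info["prefix"] or new_prefix > 32:
        raise ValueError("new prefix must be between the original prefix and 32")
    base = ip_to_int(info["network"])
    step = 2 ** (32 - new_prefix)                       # addresses per new subnet
    return [f"{int_to_ip(base + i * step)}/{new_prefix}"
            for i in range(2 ** (new_prefix - info["prefix"]))]

if __name__ == "__main__":
    print(parse_cidr("192.168.1.37/26"))   # constructed sample address
    print(split_subnet("10.0.0.0/24", 26))
```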


Protocol Behavior

Transport & Application Protocols

Port Overview

Understanding ports and services is critical for network reconnaissance and service identification.

{| class="wikitable sortable"
! Port !! Protocol !! Common Service !! Description
|-
| 20, 21 || TCP || FTP || File Transfer Protocol – used for transferring files
|-
| 22 || TCP || SSH || Secure Shell – remote access to systems
|-
| 23 || TCP || Telnet || Unencrypted remote login service
|-
| 25 || TCP || SMTP || Simple Mail Transfer Protocol – sending emails
|-
| 53 || UDP/TCP || DNS || Domain Name System – resolves domain names to IP addresses
|-
| 67, 68 || UDP || DHCP || Assigns IP addresses automatically
|-
| 69 || UDP || TFTP || Trivial File Transfer Protocol – lightweight file transfers
|-
| 80 || TCP || HTTP || Standard web traffic
|-
| 110 || TCP || POP3 || Email retrieval
|-
| 123 || UDP || NTP || Clock synchronization
|-
| 135 || TCP || RPC || Microsoft Remote Procedure Call
|-
| 137–139 || UDP/TCP || NetBIOS || Windows NetBIOS services (name resolution, session services)
|-
| 143 || TCP || IMAP || Internet Message Access Protocol – email
|-
| 161, 162 || UDP || SNMP || Device monitoring
|-
| 389 || TCP/UDP || LDAP || Lightweight Directory Access Protocol
|-
| 443 || TCP || HTTPS || Encrypted HTTP via TLS
|-
| 445 || TCP || SMB || Windows file/printer sharing
|-
| 465 || TCP || SMTPS || Secure SMTP (over SSL)
|-
| 514 || UDP || Syslog || Logging protocol for network devices
|-
| 587 || TCP || SMTP Submission || Mail submission with STARTTLS
|-
| 636 || TCP || LDAPS || Secure LDAP (over SSL)
|-
| 993 || TCP || IMAPS || Secure IMAP (over SSL)
|-
| 995 || TCP || POP3S || Secure POP3 (over SSL)
|-
| 1433 || TCP || MSSQL || Microsoft SQL Server
|-
| 1521 || TCP || Oracle DB || Oracle Database listener
|-
| 1723 || TCP || PPTP || Point-to-Point Tunneling Protocol (VPN)
|-
| 1883 || TCP || MQTT || Lightweight messaging protocol for IoT
|-
| 2049 || TCP/UDP || NFS || Network File System
|-
| 3128 || TCP || Squid Proxy || Default Squid proxy port
|-
| 3306 || TCP || MySQL || MySQL database service
|-
| 3389 || TCP || RDP || Windows remote access
|-
| 3690 || TCP || SVN || Subversion version control
|-
| 4444 || TCP || Metasploit || Common port for reverse shells and Metasploit handlers
|-
| 5060 || UDP/TCP || SIP || Session Initiation Protocol – VoIP signaling
|-
| 5900 || TCP || VNC || Virtual Network Computing remote desktop
|-
| 5985, 5986 || TCP || WinRM || Windows Remote Management – HTTP/HTTPS
|-
| 6379 || TCP || Redis || In-memory key-value data store
|-
| 8000 || TCP || HTTP-Alt || Alternate HTTP services
|-
| 8080 || TCP || HTTP-Alt || Proxy or alternate web services
|-
| 8443 || TCP || HTTPS-Alt || Alternate HTTPS with TLS
|-
| 9000 || TCP || PHP-FPM || FastCGI Process Manager for PHP
|-
| 9200 || TCP || Elasticsearch || REST API for Elasticsearch nodes
|-
| 11211 || TCP || Memcached || High-performance caching system
|-
| 27017 || TCP || MongoDB || NoSQL database used in many web apps
|}

IPv6 Considerations

Diagnostic & Monitoring Tools

Packet Crafting & Manipulation

Tunneling & Encapsulation

Network Security Devices & Controls

Packet Capture & Analysis

* tcpdump, Wireshark, pcap files
* Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
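As an added example (not from the HackOps page), a minimal dissector that walks an Ethernet/IPv4/TCP frame layer by layer, as the OSI and TCP/IP rows above describe, and evaluates display-filter expressions of the form listed above (`tcp.port == 80`, `ip.addr == 192.168.1.1`). The frames are constructed inline rather than captured, checksums are left zero, and the filter grammar is a deliberately small subset of Wireshark's; the handler-port lookup at the end is the kind of hunt a defender runs over a capture.

```python
import socket
import struct

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame for testing (not a real capture; checksums zero)."""
    eth = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)  # 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def dissect(frame: bytes) -> dict:
    """Walk layer 2 -> 3 -> 4 and return the fields a display filter can test."""
    pkt = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt["eth.src"], pkt["eth.dst"] = src.hex(":"), dst.hex(":")
    if ethertype != 0x0800:                      # only IPv4 is dissected here; ARP/IPv6 stop at layer 2
        return pkt
    ihl = (frame[14] & 0x0F) * 4                 # header length in bytes; IP options make it > 20
    ip = frame[14:14 + ihl]
    pkt["ip.src"], pkt["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    pkt["ip.ttl"], pkt["ip.proto"] = ip[8], ip[9]
    l4 = frame[14 + ihl:]
    if pkt["ip.proto"] == 6 and len(l4) >= 14:   # TCP: ports at bytes 0-3, flags byte at 13
        pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        pkt["tcp.flags"] = l4[13]
    elif pkt["ip.proto"] == 17 and len(l4) >= 8: # UDP: ports at bytes 0-3
        pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack("!HH", l4[:4])
    return pkt

# Wireshark-style shorthands that match either direction of a flow.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport")}

def match(pkt: dict, expr: str) -> bool:
    """Evaluate a minimal 'field == value' filter against a dissected packet."""
    field, op, value = expr.split()
    if op != "==":
        raise ValueError("only '==' is supported in this example")
    return any(f in pkt and str(pkt[f]) == value for f in ALIASES.get(field, (field,)))

def filter_frames(frames, expr: str) -> list:
    return [p for p in map(dissect, frames) if match(p, expr)]

# Constructed sample: a web request/response pair plus one connection to 4444, the handler port in the table.
SAMPLE = [build_tcp_frame("192.168.1.1", "10.0.0.5", 51000, 80),
          build_tcp_frame("10.0.0.5", "192.168.1.1", 80, 51000, flags=0x12),
          build_tcp_frame("10.0.0.9", "192.168.1.1", 51001, 4444)]
```

`filter_frames(SAMPLE, "tcp.port == 4444")` returns the one suspicious flow, while `ip.addr == 192.168.1.1` matches all three because the alias tests both source and destination.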

Network Mapping & Visualization

Protocol References