- Application; layer 7 (and basically layers 5 & 6) (includes API, HTTP, etc.).
- Transport; layer 4 (TCP/UDP).
- Network; layer 3 (Routing).
- Datalink; layer 2 (Error checking and frame synchronization).
- Physical; layer 1 (Bits over fiber).
-
HTTP/S
- Port 80, 443
-
SSL/TLS
- Port 443
- Super important to learn this, includes learning about handshakes, encryption, signing, certificate authorities, trust systems. A good primer on all these concepts and algorithms is made available by the Dutch cybersecurity center.
- Various attacks against older versions of SSL/TLS (with catchy names) on Wikipedia.
-
ICMP
- Ping and traceroute.
-
Mail
- SMTP ( Port 25, 587, 465)
- IMAP (Port 143, 993)
- POP3 (Port 110, 995)
-
SSH
- Port 22
- Handshake uses asymmetric encryption to exchange symmetric key.
-
Telnet
- Port 23, 992
- Allows remote communication with hosts.
-
ARP
- Who is 0.0.0.0? Tell 0.0.0.1.
- Pairing MAC address with IP Address for IP connections. Looks at cache first.
- A protocol used for mapping an IP address to a computer connected to a local network LAN. Since each computer has a unique physical address called a MAC address, the ARP converts the IP address to the MAC address. This ensures each computer has a unique network identification.
- Is ARP UDP or TCP? Neither
-
DHCP
- Port 67, 68, 546, 547
- Automatic (leases IP address and remembers MAC and IP pairing in a table).
- Manual (static IP set by administrator).
- Dynamic (leases IP address, not persistent. Allocated by router).
DHCPDISCOVER->DHCPOFFER->DHCPREQUEST->DHCPACK- Rogue DHCP: A rogue DHCP server can redirect IP address assignments to allow the hacker to identify and redirect the client computer to another network segment. The hacker can then sniff network traffic from the target machine
-
IRC
- Understand use by hackers (botnets).
-
FTP/SFTP
- port 21, 22
-
RPC
- Predefined set of tasks that remote clients can execute.
- Used inside orgs.
-
Service ports
- 0 - 1023: Reserved for common services - sudo required.
- 1024 - 49151: Registered ports used for IANA-registered services.
- 49152 - 65535: Dynamic ports that can be used for anything.
TCP guarantees the recipient will receive the packets in order by numbering them.
When using UDP, packets are just sent to the recipient. The sender will not wait to make sure the recipient received the packet — it will just continue sending the next packets.
TCP, TCP has to make connection
Port 53
Requests to DNS are usually UDP, unless the server gives a redirect notice asking for a TCP connection. Look up in cache happens first. DNS exfiltration. Using raw IP addresses means no DNS logs, but there are HTTP logs. DNS sinkholes.
In a reverse DNS lookup, PTR might contain- 2.152.80.208.in-addr.arpa, which will map to 208.80.152.2. DNS lookups start at the end of the string and work backwards, which is why the IP address is backwards in PTR.
- Sending data as subdomains.
- 26856485f6476a567567c6576e678.badguy.com
- Doesn’t show up in http logs.
- Start of Authority (SOA).
- IP addresses (A and AAAA).
- SMTP mail exchangers (MX).
- Name servers (NS).
- Pointers for reverse DNS lookups (PTR).
- Domain name aliases (CNAME).
The Domain Name System (DNS) allots your website under a certain domain that is easily recognizable and also keeps the information about other domain names.
It works like a directory for everything on the internet.
Thus, DNS monitoring is very important since you can easily visit a website without actually having to memorize their IP address.
Authoritative name servers store DNS record information –usually a DNS hosting provider or domain registrar.
Recursive name servers are the “middlemen” between authoritative servers and end-users because they have to recuse up the DNS tree to reach the name servers authoritative for storing the domain’s records.
You can control the flow of traffic using ACLs, QoS, or route-maps, enabling you to identify threats, close points of entry, and target your responses more easily.
Limit access to resources on wireless clients, ensuring that valuable information isn’t easily accessible in remote locations.
ICMP does not use ports
Rules to prevent incoming and outgoing connections.
A firewall is a device or service that acts as a gate keeper, deciding what enters and exits the network. It analyzes the traffic it sees passing through it by checking the packet headers and data. Based on its configuration, the firewall then decides accordingly whether to deny or allow traffic to pass through.
The primary function of a firewall is to prevent/control traffic flow from an untrusted network (outside). A firewall is not able to detect an attack in which the data is deviating from its regular pattern, whereas an IPS can detect and reset that connection as it has inbuilt anomaly detection
NIDS (Network Intrusion Detection system) is a system that attempts to detect hacking activities, denial of service attacks or port scans on a computer network or a computer itself. The NIDS monitors network traffic and helps to detect these malicious activities by identifying suspicious patterns in the incoming packets.
- | Verb | Path | HTTP version |
- Domain
- Accept
- Accept-language
- Accept-charset
- Accept-encoding(compression type)
- Connection- close or keep-alive
- Referrer
- Return address
- Expected Size?
- HTTP version
- Status Codes:
- 1xx: Informational Response
- 2xx: Successful
- 3xx: Redirection
- 4xx: Client Error
- 5xx: Server Error
- Type of data in response
- Type of encoding
- Language
- Charset
- SQL injection
- URL interpretation
- Impersonation
- Buffer overflow
- Session Hijacking
- Cross-Site Scripting
A malicious attempt to make a server or a network resource unavailable to users.
It is achieved by saturating a service, which results in its temporary suspension or interruption.
A Denial of Service (DoS) attack involves a single machine used to either target a software vulnerability or flood a targeted resource with packets, requests or queries.
A Distributed Denial of Service (DDoS) attack, however, uses multiple connected devices—often executed by botnets or, on occasion, by individuals who have coordinated their activity.
Usually uses UDP, but might also use ICMP Echo Request or TCP SYN. TTL, or hop-limit.
Initial hop-limit is 128 for windows and 64 for *nix. Destination returns ICMP Echo Reply
Small Time To Live (TTL) values are transmitted through packets via traceroute. This process prevents the packets from getting into loops. After the router subtracts from the given packet’s TTL, the packet immediately expires after the TTL reaches absolute zero. After that the sender is sent messages from Traceroute that exceed the time. When small values of TTL are used, the expiration happens quickly and thus the traceroute generates ICMP messages for identifying the router.
It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
Network scanning tool
TCP SYN (Stealth) scan https://nmap.org/book/synscan.html
TCP connect scan https://nmap.org/book/scan-methods-connect-scan.html
Look at DigiNotar.
CA (Certificate Authority), CRL(Certificate Revocation List), Online Certificate Status Protocol (OCSP)
Can verify certificates against public logs
Bearer tokens, this can be stolen and used, just like cookies.
Useful to understand IPv4 vs IPv6.
Timeshare, statistical share, just useful to know it exists.
Understand PKI (public key infrastructure in relation to this).
Hide traffic from ISP but expose traffic to VPN provider.
Traffic is obvious on a network.
How do organized crime investigators find people on tor networks.
Why 7 proxies won’t help you.
Border Gateway Protocol.
Holds the internet together.
Wireshark
Tcpdump
Burp suite
Source port
Destination port
Length
Checksum