Module 3 Ethical Hacking
Networking
Common terms -
OSI model        TCP/IP model
Application      Application
Presentation     Application
Session          Application
Transport        Transport
Network          Internet
Data link        Network Interface
Physical         Network Interface
Network Topologies –
Network topology refers to the manner in which the links and nodes of a
network are arranged in relation to each other.
Bus network topology: Also known as backbone network topology,
this configuration connects all devices to a main cable via drop lines.
The advantages of bus network topology lie in its simplicity, as there
is less cable required than in alternative topologies, which makes for
easy installation.
Mesh network topology: A dedicated point-to-point link connects
each device on the network to another device on the network, only
carrying data between two devices.
Ring network topology: Two dedicated point-to-point links connect a
device to the two devices located on either side of it, creating a ring
of devices through which data is forwarded via repeaters until it
reaches the target device.
Star network topology: The most common network topology, star
topology connects each device in the network to a central hub.
Devices can only communicate with each other indirectly through the
central hub.
Hybrid network topology: Any combination of two or more topologies
is a hybrid topology.
Tree network topology: This topology consists of a parent-child
hierarchy in which star networks are interconnected via bus networks.
Nodes branch out linearly from one root node, and two connected
nodes only share one mutual connection.
TCP Protocol
TCP packets are called: Segments
3-Way Handshake: SYN, SYN/ACK, ACK
Connection close (teardown): FIN, FIN/ACK, ACK
UDP Protocol
UDP packets are called: Datagrams
Ports
In computer networking, a port is a number assigned to uniquely identify
a connection endpoint and to direct data to a specific service.
Connection type – TCP
Hub: A hub repeats every signal it receives on any of its ports out of every
other port. For example, to connect a network of personal computers you
can join them through a central hub. A hub can also act as a repeater.
MAC Floods: MAC flooding is a tactic commonly used by red teams as a
way of actively sniffing packets. It is intended to stress the switch and
fill its CAM table. Once the CAM table is full, the switch no longer learns
new MAC addresses, and in order to keep the network alive it forwards
packets out of all of its ports.
Wireshark
Packet Details –
HTTP PACKET FROM A SAMPLE CAPTURE
Frame (Layer 1) –
This shows which frame / packet you are looking at, as well as details specific to the
Physical layer of the OSI model.
Source [MAC] (Layer 2) –
This shows the source and destination MAC addresses, from the Data Link layer of
the OSI model.
Protocol Errors –
This is a continuation of the 4th layer, showing specific TCP segments that needed to be
reassembled.
Application Protocol (Layer 5) –
This shows details specific to the protocol in use, such as HTTP, FTP, SMB, etc., from the
Application layer of the OSI model.
Application Data –
This is an extension of layer 5 that can show the application-specific data.
Filter packets –
Filtering operations
Operator          Representation
and               &&
or                ||
equals            eq  ==
not equal         ne  !=
greater than      gt  >
less than         lt  <
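To make the operator table concrete, here is an added example (not part of the original notes, and not Wireshark's own code) of a small evaluator that accepts both the keyword and symbol forms above, gives && precedence over || as Wireshark does, and runs a filter over constructed packet records. The field names and packet values are assumptions chosen to resemble Wireshark fields.

```python
import re

# Constructed sample "packets" as field dictionaries (not from a real capture).
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.port": 80, "tcp.len": 512},
    {"ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "tcp.port": 80, "tcp.len": 0},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.9", "udp.port": 53, "udp.length": 60},
]
# Operator table from the notes: keyword and symbol forms are interchangeable.
COMPARE = {"==": "==", "eq": "==", "!=": "!=", "ne": "!=",
           ">": ">", "gt": ">", "<": "<", "lt": "<"}
LOGIC = {"&&": "&&", "and": "&&", "||": "||", "or": "||"}

def parse(expr):
    """Turn 'a == 1 && b > 2 || c ne 3' into an OR-list of AND-lists of
    (field, op, value) triples; '&&' binds tighter than '||', as in Wireshark."""
    toks = re.findall(r"&&|\|\||==|!=|[<>]|[\w.]+", expr)
    clauses, current = [], []
    while toks:
        field, op, value = toks[:3]          # raises if a comparison is incomplete
        if op not in COMPARE:
            raise ValueError("unknown operator: " + op)
        current.append((field, COMPARE[op], value))
        toks = toks[3:]
        if toks:                             # next token must be a logical operator
            logic = LOGIC[toks.pop(0)]       # KeyError on anything else
            if not toks:
                raise ValueError("dangling " + logic)
            if logic == "||":
                clauses.append(current)
                current = []
    clauses.append(current)
    return clauses

def compare(pkt, field, op, value):
    """One comparison; a field missing from the packet never matches, as in Wireshark."""
    if field not in pkt:
        return False
    actual = pkt[field]
    expected = int(value) if isinstance(actual, int) else value   # ints vs strings
    return {"==": actual == expected, "!=": actual != expected,
            ">": actual > expected, "<": actual < expected}[op]

def apply_filter(expr, packets=PACKETS):
    """Return the indexes of the packets that satisfy the display filter."""
    clauses = parse(expr)
    return [i for i, p in enumerate(packets)
            if any(all(compare(p, *t) for t in conj) for conj in clauses)]
```

For instance, `apply_filter("tcp.len > 100 || udp.port == 53 && ip.src == 10.0.0.5")` matches only the first packet, because the && clause is evaluated before the ||.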
ICMP
ICMP, the Internet Control Message Protocol, is used to probe and report on
the state of the various nodes on a network. It is most commonly seen with
utilities like ping and traceroute.
Identification: an ICMP request sent to the server, followed by a reply from
the server.
TCP
TCP or Transmission Control Protocol handles the delivery of packets
including sequencing and errors.
nmap –
DNS
DNS, the Domain Name Service protocol, is used to resolve names to IP
addresses.
There are a couple of things, outlined below, that you should keep in the
back of your mind when analyzing DNS packets.
Query-Response
DNS-Servers Only
UDP
DNS Request
DNS Response
HTTP
HTTPS
Encrypted HTTP
Before sending encrypted information, the client and server need to agree
on various steps in order to set up a secure tunnel.
1. Client and server agree on a protocol version
2. Client and server select a cryptographic algorithm
3. The client and server can authenticate to each other; this step is
optional
4. A secure tunnel is created using a public key
Zerologon
Zerologon (CVE-2020-1472) is a critical vulnerability that affects
Windows servers. Given certain circumstances, this vulnerability can allow
an attacker to bypass authentication and then gain administrator-level
privileges in a matter of seconds.
DRSUAPI + SMB
https://dirkjanm.io/a-different-way-of-abusing-zerologon/
General Networking Tools - whois, dig, traceroute, ping