
Module : 3

Networking
Common terms -

● IP Address: An IP address is a unique address that identifies a device on the internet or a local network.
● Mac Address: A media access control address (MAC address) is a
unique identifier assigned to a network interface controller (NIC) for
use as a network address in communications within a network segment.
● Host: A network host is a computer or other device connected to a
computer network
● Topologies: Network topology refers to the manner in which the links and
nodes of a network are arranged to relate to each other.
● Ports: In computer networking, a port is a number assigned to uniquely
identify a connection endpoint and to direct data to a specific service.
● Subnetting: A subnetwork or subnet is a logical subdivision of an IP
network.
● Internet Protocol version 4 (IPv4): the fourth version of the standard that routes Internet traffic and other packet-switched networks, introduced in 1982 by the Internet Engineering Task Force (IETF).
● Internet Protocol version 6 (IPv6): the most recent version of the Internet Protocol, the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.
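As an added worked example (not part of the original notes), the subnetting and IP-address terms above applied with Python's standard ipaddress module: given a CIDR block it derives the network address, mask, broadcast address and usable host range, checks whether two hosts share a subnet (and so can talk without a router), and splits a block into smaller subnets. It also handles the edge cases where the "minus two" rule does not apply (IPv4 /31 and /32, and IPv6). All addresses are constructed sample values.

```python
import ipaddress


def describe_subnet(cidr: str) -> dict:
    """Return the facts an analyst usually wants from a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    if net.version == 4 and net.prefixlen <= 30:
        # Classic IPv4: the first address is the network, the last is broadcast.
        usable = net.num_addresses - 2
        first, last = net.network_address + 1, net.broadcast_address - 1
    else:
        # /31 point-to-point links, /32 single hosts and IPv6 have no reserved endpoints.
        usable = net.num_addresses
        first, last = net.network_address, net.broadcast_address
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address) if net.version == 4 else None,
        "usable_hosts": usable,
        "first_host": str(first),
        "last_host": str(last),
    }


def same_subnet(addr_a: str, addr_b: str, prefixlen: int) -> bool:
    """True if both hosts sit in the same subnet and can reach each other without routing."""
    net = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(addr_b) in net


def split_subnet(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets of the given prefix length."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed sample values.
    for key, value in describe_subnet("192.168.1.37/26").items():
        print(f"{key:>12}: {value}")
    print(same_subnet("192.168.1.37", "192.168.1.70", 26))
    print(split_subnet("10.0.0.0/24", 26))
```

The `strict=False` flag matters in practice: analysts usually have a host address plus a mask, not a clean network address, and the default strict mode rejects `192.168.1.37/26`.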
OSI Model -

Number  Layer         Packet Labeling     Supports/Protocols
7       Application   Data                HTTP, SMTP, FTP, SMB, TELNET
6       Presentation  Data                WMV, JPEG, MOV, encryption, compression
5       Session       Data                Session management
4       Transport     Segments/Datagrams  TCP/UDP
3       Network       Packets             IP addresses, routing, ICMP, OSPF (Open Shortest Path First), RIP (Routing Information Protocol)
2       Data link     Frames              Switching, MAC addresses, error checking (trailer), packets to frames
1       Physical      Bits                Data cables, Cat6

Sender End: Encapsulation
Receiver End: De-encapsulation (decapsulation)

TCP/IP Model –

OSI layer      TCP/IP layer
Application    Application
Presentation   Application
Session        Application
Transport      Transport
Network        Internet
Data link      Network Interface
Physical       Network Interface

Network Topologies –

Network topology refers to the manner in which the links and nodes of a network are arranged to relate to each other.
Bus network topology: Also known as backbone network topology,
this configuration connects all devices to a main cable via drop lines.
The advantages of bus network topology lie in its simplicity, as there
is less cable required than in alternative topologies, which makes for
easy installation.
Mesh network topology: A dedicated point-to-point link connects
each device on the network to another device on the network, only
carrying data between two devices.
Ring network topology: Two dedicated point-to-point links connect a
device to the two devices located on either side of it, creating a ring
of devices through which data is forwarded via repeaters until it
reaches the target device.
Star network topology: The most common network topology, star
topology connects each device in the network to a central hub.
Devices can only communicate with each other indirectly through the
central hub.
Hybrid network topology: Any combination of two or more topologies
is a hybrid topology.
Tree network topology: This topology consists of a parent-child
hierarchy in which star networks are interconnected via bus networks.
Nodes branch out linearly from one root node, and two connected
nodes only share one mutual connection.
TCP Protocol
TCP packets are called: Segments
3-Way Handshake: SYN, SYN/ACK, ACK
Connection Close (teardown): FIN, FIN/ACK, ACK
UDP Protocol
UDP packets are called: Datagrams
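As an added example (not part of the original notes), the handshake and close sequences above turned into a small flow classifier of the kind a SOC analyst writes over exported TCP segments: it groups segments by endpoint pair and labels each connection by how far it got (completed handshake, graceful FIN close, reset, SYN answered with RST/ACK meaning a closed port, or SYN/ACK answered with RST meaning the port was open but no session was built). The segment list is a constructed sample, not a real capture; the tuple layout and the state labels are this example's own choices.

```python
from collections import defaultdict

# Flag names as Wireshark prints them in the Info column.
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


def classify_flow(segments):
    """Classify one connection from its TCP segments in wire order.

    segments: list of (src, dst, flags) where flags is a set of flag names.
    Returns a short label describing how far the connection got.
    """
    if not segments:
        return "empty"
    client, server, first = segments[0]
    if first != {SYN}:
        return "mid-stream"                 # capture started after the handshake
    if len(segments) < 2:
        return "unanswered-syn"             # no reply at all (filtered, or host down)
    src2, _, second = segments[1]
    if src2 == server and RST in second:
        return "closed-port"                # server answered the SYN with RST/ACK
    if src2 != server or second != {SYN, ACK}:
        return "malformed"
    if len(segments) < 3:
        return "half-open"                  # SYN/ACK was never acknowledged
    src3, _, third = segments[2]
    if src3 == client and RST in third:
        return "probe-open"                 # open port, but the client tore it down with RST
    if src3 != client or ACK not in third:
        return "malformed"
    rest = segments[3:]
    if any(RST in f for _, _, f in rest):
        return "established-then-reset"
    fin_senders = {s for s, _, f in rest if FIN in f}
    if fin_senders == {client, server}:
        return "established-then-closed"    # both sides sent FIN: graceful close
    return "established"


def group_connections(records):
    """Bucket raw (src_ip, src_port, dst_ip, dst_port, flags) records per endpoint pair."""
    flows = defaultdict(list)
    for src_ip, src_port, dst_ip, dst_port, flags in records:
        src, dst = f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}"
        flows[frozenset((src, dst))].append((src, dst, frozenset(flags)))
    return list(flows.values())


def summarize(records):
    """Map 'client -> server' to the classification of that connection."""
    result = {}
    for segs in group_connections(records):
        client, server, _ = segs[0]
        result[f"{client} -> {server}"] = classify_flow(segs)
    return result


# Constructed sample segments (not from a real capture): three connections from one client.
SAMPLE = [
    ("10.0.0.5", 40001, "10.0.0.9", 80, {"SYN"}),
    ("10.0.0.9", 80, "10.0.0.5", 40001, {"SYN", "ACK"}),
    ("10.0.0.5", 40001, "10.0.0.9", 80, {"ACK"}),
    ("10.0.0.5", 40001, "10.0.0.9", 80, {"FIN", "ACK"}),
    ("10.0.0.9", 80, "10.0.0.5", 40001, {"FIN", "ACK"}),
    ("10.0.0.5", 40001, "10.0.0.9", 80, {"ACK"}),
    ("10.0.0.5", 40002, "10.0.0.9", 23, {"SYN"}),
    ("10.0.0.9", 23, "10.0.0.5", 40002, {"RST", "ACK"}),
    ("10.0.0.5", 40003, "10.0.0.9", 22, {"SYN"}),
    ("10.0.0.9", 22, "10.0.0.5", 40003, {"SYN", "ACK"}),
    ("10.0.0.5", 40003, "10.0.0.9", 22, {"RST"}),
]

if __name__ == "__main__":
    for conn, state in summarize(SAMPLE).items():
        print(f"{conn}: {state}")
```

Many "closed-port" and "probe-open" flows from one source in a short window is the shape a port sweep leaves in a capture, which is why the classifier keeps those two outcomes distinct from a normal established session.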
Ports
In computer networking, a port is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service.

Connection type – TCP

Service                  Port number  Comment
FTP                      21           -
SSH                      22           Used to securely log in to systems via a text-based interface for management; SSH is the encrypted version of TELNET
TELNET                   23           Used to log in to systems via a text-based interface for management; unencrypted (SSH is the encrypted replacement)
SMTP                     25           Mail (SMTP, POP3 and IMAP are all related to mail)
POP3                     110          Mail
IMAP                     143          Mail
DNS                      53           -
HTTP                     80           -
HTTPS                    443          -
SMB (NETBIOS over TCP)   139, 445     Server Message Block, used for remote file sharing
Windows NETBIOS          139          -
LDAP                     389          -
MySQL protocol           3306         -
RDP                      3389         -
Connection type – UDP

Service                  Port number     Comment
DNS                      53              -
DHCP                     67, 68          Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to assign IP addresses automatically
TFTP                     69              Trivial File Transfer Protocol, a very simple file transfer protocol
SNMP                     161             Simple Network Management Protocol is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior (SNMP is an application-layer protocol that runs on UDP)
SNMPv2                   161             -
CharGEN                  19              -
QOTD                     17              -
RPC                      135             -
SSDP                     1900            -
CLDAP                    389             -
NetBIOS                  137, 138, 139   -
Quake Network Protocol   26000           -
VoIP                     5060            -

Switch, Hub, Router –

Switch: Unlike a hub, a switch keeps track of which devices are on which ports and forwards frames only to the devices for which they are intended. Switches allow connections to multiple devices, manage ports, and manage VLAN security settings.

Hub: A hub repeats every signal it receives via any of its ports out every other port. For example, to connect a network of personal computers, you can join them through a central hub. A hub can be a repeater.

Router: A router connects two or more networks together; for example, it connects a LAN to the WAN.
Collection methods – ways to gather a PCAP file

Network Taps: Network taps are a physical implant in which you physically tap between a cable. These techniques are commonly used by Threat Hunting/DFIR teams and red teams in an engagement to sniff and capture packets. The tap replicates packets as they pass through it. Examples: vampire tap, Profishark tap, inline network tap.

Port Mirroring: Port mirroring is a method of copying network packets received on one port and sending them to another port of a monitoring computer/switch/device.

MAC Floods: MAC Floods are a tactic commonly used by red teams as a way of actively sniffing packets. MAC Flooding is intended to stress the switch and fill the CAM table. Once the CAM table is filled, the switch will no longer accept new MAC addresses, and so, in order to keep the network alive, the switch will send out packets to all ports of the switch.

ARP Poisoning: ARP Poisoning is another technique used by red teams to actively sniff packets. By ARP Poisoning you can redirect the traffic from the host(s) to the machine you're monitoring from. This technique will not stress network equipment like MAC Flooding; however, it should still be used with caution and only if other techniques like network taps are unavailable.

Wireshark

Wireshark is a tool used for creating and analyzing PCAPs (network packet capture files) and is commonly regarded as one of the best packet analysis tools.
Colour Rules: View -> Colour Rules

Packet Details –
HTTP packet from a sample capture

Frame (Layer 1) –
This will show you which frame/packet you are looking at, as well as details specific to the Physical layer of the OSI model.
Source [MAC] (Layer 2) –
This will show you the source and destination MAC addresses, from the Data Link layer of the OSI model.
Source [IP] (Layer 3) –
This will show you the source and destination IPv4 addresses, from the Network layer of the OSI model.
Protocol (Layer 4) –
This will show you details of the protocol used (UDP/TCP) along with source and destination ports, from the Transport layer of the OSI model.
Protocol Errors –
This is a continuation of the 4th layer, showing specific segments from TCP that needed to be reassembled.
Application Protocol (Layer 5) –
This will show details specific to the protocol being used, such as HTTP, FTP, SMB, etc., from the Application layer of the OSI model.
Application Data –
This is an extension of layer 5 that can show the application-specific data.
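As an added example (not code from the original notes or from Wireshark), the encapsulation described in the OSI/TCP-IP section and the layer-by-layer packet details listed above, done by hand: `build_frame` wraps an HTTP request line in TCP, IPv4 and Ethernet headers (sender side), and `dissect` peels them off again (receiver side) into the same layers Wireshark shows, verifying the IPv4 header checksum on the way. The MAC addresses, IPs, ports and request line are constructed sample values; the field layout follows the standard Ethernet II, IPv4 and TCP header formats.

```python
import struct

# Bit -> name for the TCP flags byte, in the order Wireshark's flag tree lists them.
TCP_FLAGS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Sender side: application data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + tcp


def dissect(frame: bytes) -> dict:
    """Receiver side: strip each header in turn and report it per layer, Wireshark-style."""
    layers = {"frame": {"length": len(frame)}}
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers["ethernet"] = {"src": mac_str(src_mac), "dst": mac_str(dst_mac), "type": hex(ethertype)}
    if ethertype != 0x0800:                 # only IPv4 is dissected in this example
        return layers
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    recomputed = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    layers["ip"] = {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]), "ttl": ttl,
                    "protocol": proto, "checksum_ok": recomputed == csum}
    if proto != 6:                          # 6 = TCP
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flag_bits, win = struct.unpack("!HHIIBBH", tcp[:16])
    payload = tcp[(off >> 4) * 4:]
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
                     "flags": [name for bit, name in TCP_FLAGS if flag_bits & bit], "payload": payload}
    if 80 in (sport, dport) and payload[:1].isalpha():   # crude HTTP detection on the well-known port
        layers["http"] = {"request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    return layers


if __name__ == "__main__":
    # Constructed sample frame: a GET from a client to a web server.
    frame = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.1.10", "198.51.100.7",
                        52000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for layer, fields in dissect(frame).items():
        print(layer, fields)
```

The checksum check is the part worth copying: a header that fails it was corrupted or hand-crafted, and real dissectors flag exactly this in the Protocol Errors view.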

Filter packets –
Filtering operations

Operator                Representation
and operator            and  /  &&
or operator             or   /  ||
equals operator         eq   /  ==
not equal operator      ne   /  !=
greater than operator   gt   /  >
less than operator      lt   /  <

Capture filter and Display filter –

Capture filter: a capture filter is applied prior to capture.
Display filter: a display filter is applied during active capturing or to pre-captured packets.

Select any packet or any field:
Right click > Apply as Filter > Selected

Combine two filters (select any packet or any field):
Right click > Prepare as a Filter > {different operators available, e.g. and}

Create your own expression:
Analyze > Display Filter Expression
Statistics –
Add a comment and view the internal properties of the file: Statistics > Capture File Properties
View a protocol summary of the captured packets: Statistics > Protocol Hierarchy


ARP
ARP or Address Resolution Protocol is a Layer 2 protocol that is used to connect IP addresses with MAC addresses. ARP traffic consists of REQUEST messages and RESPONSE (reply) messages. To identify the packet type, the message header will contain one of two operation codes: 1 for a request and 2 for a reply.

ICMP
ICMP or Internet Control Message Protocol is used to analyze various nodes on a network. It is most commonly used with utilities like ping and traceroute.
Identification: an ICMP echo request is sent to the server, then an echo reply comes back from the server.

TCP
TCP or Transmission Control Protocol handles the delivery of packets, including sequencing and errors.

Port is not open as ACK=0

To see the raw (absolute) sequence and acknowledgement numbers instead of relative ones:
Edit > Preferences > Protocols > TCP > Relative sequence numbers (uncheck the box).

Understand packet flow –

nmap –
DNS
DNS or Domain Name Service protocol is used to resolve names to IP addresses.
There are a couple of things outlined below that you should keep in the back of your mind when analyzing DNS packets:
● Query-Response
● DNS servers only
● UDP

DNS Request

DNS Response
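As an added example (not part of the original notes), the query-response pairing above carried out on the wire format: `build_query` and `build_response` construct a sample A-record lookup for a hypothetical name, `parse_message` reads the header (transaction ID, QR flag, opcode, RCODE) and the question and answer sections, including the name-compression pointer a response uses to refer back to the question, and `pair_query_response` applies the check an analyst makes when matching a reply to its request: same transaction ID, same question, QR bit set. The name and address are constructed values; the field layout is the standard DNS message format.

```python
import struct


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Answer a query with one A record; 0xC00C points back at the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(map(int, address.split(".")))
    return header + question + answer


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer: jump, remember where we were
            hops += 1
            if hops > 10:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(msg: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append({"name": name, "type": qtype})
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        record = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == 1 and rdlen == 4:
            record["address"] = ".".join(str(b) for b in rdata)
        info["answers"].append(record)
    return info


def pair_query_response(query: bytes, response: bytes) -> bool:
    """True if the response belongs to the query: QR bits, same ID, same question."""
    q, r = parse_message(query), parse_message(response)
    return (not q["is_response"]) and r["is_response"] and q["id"] == r["id"] \
        and q["questions"] == r["questions"]


if __name__ == "__main__":
    # Constructed sample exchange for a hypothetical name.
    q = build_query(0x1A2B, "example.com")
    r = build_response(q, "198.51.100.7")
    print(parse_message(q))
    print(parse_message(r))
    print(pair_query_response(q, r))
```

A reply whose transaction ID or question does not match any outstanding query is exactly what `pair_query_response` rejects; unsolicited or mismatched responses are worth a second look in a capture.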

HTTP

HTTP or Hypertext Transfer Protocol is a commonly used protocol for the world wide web and is used by some websites; however, its encrypted counterpart, HTTPS, is more common and is discussed in the next section. HTTP is used to send GET and POST requests to a web server in order to receive things like webpages. Knowing how to analyze HTTP can be helpful to quickly spot things like SQLi, Web Shells, and other web-related attack vectors.

HTTPS
Encrypted HTTP.
Before sending encrypted information, the client and server need to agree upon various steps in order to make a secure tunnel:
1. Client and server agree on a protocol version
2. Client and server select a cryptographic algorithm
3. The client and server can authenticate to each other; this step is optional
4. A secure tunnel is created using a public key

Zerologon
Zerologon (CVE-2020-1472) is a critical vulnerability that affects
Windows servers. Given certain circumstances, this vulnerability can allow
an attacker to bypass authentication and then gain administrator-level
privileges in a matter of seconds.

DRSUAPI + SMB

https://dirkjanm.io/a-different-way-of-abusing-zerologon/
General Networking Tools - whois, dig, traceroute, ping
