SOCC01 - Networking and PCAPs
IP/TCP Headers and Ports
- General discussion of the IP header
  - Routers are predominantly the devices that only look at the IP header
- IP Header
  - BGP Hijacking
    - An APT/nation-state actor can compromise an ASN and redirect traffic to another destination
    - Traffic is routed to the most specific address prefix
  - Fragmentation flags
    - x - bit 0
      - "the evil bit"
      - Reserved, must be 0
    - D (DF) - bit 1
      - Don't Fragment
    - M (MF) - bit 2
      - More Fragments
- TCP Header
  - Describes the ports for the packets
  - Ports are conventionally associated with certain protocols, but any service can be bound to any port
    - Port 0 can be used, and has been used as a
  - NAT/PAT
  - RFC 793 describes the 3-way handshake
    - Originally, it was a 4-way handshake, but most modern OSes send a 3-way instead.
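As an added example (my own code, not part of the course material), a small Python parser that pulls the three fragmentation flags and the fragment offset out of the IP header, then the ports and SYN/ACK bits out of the TCP header, and labels the three steps of the RFC 793 handshake; the packets are constructed inline (client 10.0.0.5 talking to an SMB server on port 445, checksums left at zero) so it runs offline.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, ip_flags=0b010):
    """Constructed IPv4+TCP packet (no payload, checksums left at 0, DF set by default)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, ip_flags << 13, 64, 6, 0,
                     to_bytes(src), to_bytes(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | tcp_flags, 65535, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Decode IP flags/fragment offset and, for an unfragmented TCP packet, its ports and flags."""
    (ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13  # top three bits: reserved ("evil bit"), DF, MF
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "proto": proto,
            "reserved": bool(flags & 0b100),  # bit 0: must be zero
            "df": bool(flags & 0b010),        # bit 1: Don't Fragment
            "mf": bool(flags & 0b001),        # bit 2: More Fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8}  # in bytes
    if proto == 6 and info["frag_offset"] == 0:  # only the first fragment carries the TCP header
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, syn=bool(off_flags & SYN), ack=bool(off_flags & ACK))
    return info

def classify_handshake(parsed):
    """Label each parsed packet as a step of the RFC 793 three-way handshake, or None."""
    labels = []
    for p in parsed:
        syn, ack = p.get("syn", False), p.get("ack", False)
        labels.append("SYN" if syn and not ack else "SYN-ACK" if syn else "ACK" if ack else None)
    return labels

def reserved_bit_set(parsed):
    """Packets with the reserved IP flag set; RFC 791 requires it to be 0, so they merit an alert."""
    return [p for p in parsed if p["reserved"]]

# Constructed handshake: client 10.0.0.5:51515 to an SMB server on 10.0.0.9:445
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
HANDSHAKE = [build_ipv4_tcp(CLIENT, SERVER, 51515, 445, SYN),
             build_ipv4_tcp(SERVER, CLIENT, 445, 51515, SYN | ACK),
             build_ipv4_tcp(CLIENT, SERVER, 51515, 445, ACK)]
```

Run `classify_handshake([parse_ipv4_tcp(p) for p in HANDSHAKE])` to get `['SYN', 'SYN-ACK', 'ACK']`; the same parser applied to a pcap's IP-layer bytes makes reserved-bit or odd-fragmentation packets easy to pick out.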
OWASP Top 10 ports
| Port | Protocol | Interesting Links |
|---|---|---|
| 80 | HTTP | |
| 23 | Telnet | |
| 22 | SSH | |
| 443 | HTTPS | |
| 3389 | ms-term-serv (RDP) | |
| 445 | microsoft-ds (SMB) | SMB is synonymous in my head with EternalBlue (EternalBlue - Wikipedia) |
| 139 | netbios-ssn | 137,138,139 - Pentesting NetBios - HackTricks |
| 21 | FTP | |
| 135 | MSRPC | Microsoft RPC - Wikipedia |
| 25 | SMTP | |
Shodan top ports
| Port | Protocol | Notes |
|---|---|---|
| 80, 8080, 443, 8443 | HTTP/S | |
| 21 | FTP | |
| 22 | SSH | |
| 23 | Telnet | |
| 161 | SNMP | |
| 143, 993 | IMAP/Encrypted | |
| 25 | SMTP | |
| 5060 | SIP | |
| 554 | RTSP (Real Time Streaming Protocol) | |
tcpdump[^1]
Lab: tcpdump
Wireshark Lab
We then did a Wireshark lab, but there really wasn't anything new compared to the Wireshark Udemy course with Chris Greer that I took earlier, so I didn't take any notes at the time. There were two key takeaways, though, that I had forgotten or that weren't covered in the Udemy course:

[^1]: Called windump on Windows