#readwise
# Introduction to Networking - Common Protocols

## Metadata
- Author: [[Hack The Box]]
- Full Title: Introduction to Networking - Common Protocols
- URL: https://academy.hackthebox.com/module/34/section/1872
## Summary
Networking involves standardized protocols that help devices communicate effectively. Common protocols include TCP for reliable connections and UDP for faster, less reliable connections. Various protocols serve different purposes, like HTTP for web browsing and ICMP for error reporting. Understanding these protocols is essential for managing and troubleshooting networks.
## Highlights
### Transmission Control Protocol
`TCP` is a `connection-oriented` protocol that establishes a virtual connection between two devices before transmitting data by using a [Three-Way-Handshake](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment). This connection is maintained until the data transfer is complete, and the devices can continue to send data back and forth as long as the connection is active. ([View Highlight](https://read.readwise.io/read/01jnjp5678286942mjt90py5gc))
---
`TCP` is reliable but slower than UDP because it requires additional overhead for establishing and maintaining the connection. ([View Highlight](https://read.readwise.io/read/01jnjp5qkh5d4yr21jgs2k4fkg))
---
### User Datagram Protocol
On the other hand, `UDP` is a `connectionless` protocol, which means it does not establish a virtual connection before transmitting data. Instead, it sends the data packets to the destination without checking to see if they were received. ([View Highlight](https://read.readwise.io/read/01jnjp62w0ygwp3ekbc6tmf4xx))
---
This makes `UDP` faster than TCP but less reliable because there is no guarantee that the packets will reach their destination. ([View Highlight](https://read.readwise.io/read/01jnjp684hppj856en15rnaggb))
---
### ICMP
[Internet Control Message Protocol](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) (`ICMP`) is a protocol used by devices to communicate with each other on the Internet for various purposes, including error reporting and status information. It sends requests and messages between devices, which can be used to report errors or provide status information.
#### ICMP Requests
A request is a message sent by one device to another to request information or perform a specific action. An example of a request in ICMP is the `ping` request, which tests the connectivity between two devices. When one device sends a ping request to another, the second device responds with a `ping reply` message.
| Request Type | Description |
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Echo Request` | This message tests whether a device is reachable on the network. When a device sends an echo request, it expects to receive an echo reply message. For example, the tools `tracert` (Windows) or `traceroute` (Linux) always send ICMP echo requests. |
| `Timestamp Request` | This message determines the time on a remote device. |
| `Address Mask Request` | This message is used to request the subnet mask of a device. |
#### ICMP Messages
A message in ICMP can be either a request or a reply. In addition to ping requests and responses, ICMP supports other types of messages, such as error messages, `destination unreachable`, and `time exceeded` messages. These messages are used to communicate various types of information and errors between devices on the network.
For example, if a device tries to send a packet to another device and the packet cannot be delivered, the device can use ICMP to send an error message back to the sender. ([View Highlight](https://read.readwise.io/read/01jnjp7zn4bee52v0nwgb6tsgb))
| Message Type | Description |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `Echo reply` | This message is sent in response to an echo request message. |
| `Destination unreachable` | This message is sent when a device cannot deliver a packet to its destination. |
| `Redirect` | A router sends this message to inform a device that it should send its packets to a different router. |
| `Time exceeded` | This message is sent when a packet has taken too long to reach its destination. |
| `Parameter problem` | This message is sent when there is a problem with a packet's header. |
| `Source quench` | This message is sent when a device receives packets too quickly and cannot keep up. It is used to slow down the flow of packets. |
([View Highlight](https://read.readwise.io/read/01jnjpajpz30ja3y62fk7ctp1t))
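To make the request and message tables concrete, the following added example (not part of the Hack The Box material) decodes the fixed ICMP header, maps the type number to the names used above, and verifies the checksum. The type numbers come from RFC 792 and RFC 950; the sample messages are constructed, and `build_icmp` assumes exactly 4 type-specific bytes after the checksum.

```python
import struct

# ICMP type numbers from RFC 792 / RFC 950 for the messages in the tables above.
ICMP_TYPES = {
    0: ("Echo reply", "reply"),
    3: ("Destination unreachable", "error"),
    4: ("Source quench", "error"),
    5: ("Redirect", "error"),
    8: ("Echo request", "request"),
    11: ("Time exceeded", "error"),
    12: ("Parameter problem", "error"),
    13: ("Timestamp request", "request"),
    17: ("Address mask request", "request"),
}

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed sample: 4-byte header, 4 type-specific bytes, payload."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode the fixed ICMP header and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    name, kind = ICMP_TYPES.get(icmp_type, ("unknown", "unknown"))
    return {"type": icmp_type, "code": code, "name": name, "kind": kind,
            "checksum_ok": inet_checksum(msg) == 0}

# Constructed samples: an echo request (id 0x1234, seq 1) and a time-exceeded error.
ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"constructed-payload")
EXPIRED = build_icmp(11, 0, b"\x00" * 4)

if __name__ == "__main__":
    for sample in (ECHO, EXPIRED, ECHO[:-1] + b"X"):  # last one is corrupted
        print(parse_icmp(sample))
```

A message whose checksum does not verify should be treated as damaged or malformed rather than interpreted by type.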
---
Another crucial part of ICMP for us is the [Time-To-Live](https://en.wikipedia.org/wiki/Time_to_live) (`TTL`) field in the ICMP packet header that limits the packet's lifetime as it travels through the network. It prevents packets from circulating indefinitely on the network in the event of routing loops. Each time a packet passes through a router, the router decrements the `TTL` value by `1`. When the TTL value reaches `0`, the router discards the packet and sends an ICMP `Time Exceeded` message back to the sender.
We can also use `TTL` to determine the number of hops a packet has taken and the approximate distance to the destination. For example, if a packet has a `TTL` of 10 and takes 5 hops to reach its destination, it can be inferred that the destination is approximately 5 hops away. ([View Highlight](https://read.readwise.io/read/01jnjpde5njr8rnr9myzch9n9a))
---
It is also possible to guess the operating system based on the default `TTL` value used by the device. Each operating system typically has a default `TTL` value when sending packets. This value is set in the packet's header and is decremented by 1 each time the packet passes through a router. Therefore, examining a device's default `TTL` value makes it possible to infer which operating system the device is using. For example: Windows systems (`2000/XP/2003/Vista/10`) typically have a default `TTL` value of 128, macOS and Linux systems typically have a default `TTL` value of 64, and Solaris has a default `TTL` value of 255. However, it is important to note that the user can change these values, so they should not be treated as a definitive way to determine a device's operating system. ([View Highlight](https://read.readwise.io/read/01jnjpe95dm477e53yck47wwgb))
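The TTL reasoning above, worked through as an added example (not part of the Hack The Box material): it reads the TTL from `ping` reply lines, assumes the sender started at the smallest of the defaults named above that is not below the observed value, and derives the hop count and an OS guess. The ping output is constructed, and the 30-hop plausibility cut-off is an assumption of this sketch.

```python
import re

# Default initial TTLs named in the text above; other stacks and tuned hosts differ.
DEFAULT_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Solaris"}

# Matches Linux ("from 192.0.2.10: icmp_seq=1 ttl=57") and Windows
# ("Reply from 192.0.2.20: bytes=32 time=14ms TTL=119") ping reply lines.
REPLY = re.compile(r"from ([0-9.]+):.*?ttl=(\d+)", re.IGNORECASE)

def infer_from_ttl(observed: int) -> dict:
    """Assume the sender started at the smallest known default >= observed TTL."""
    if not 1 <= observed <= 255:
        raise ValueError("IPv4 TTL must be between 1 and 255")
    initial = min(t for t in DEFAULT_TTLS if t >= observed)
    hops = initial - observed
    # Heuristic (assumption): paths rarely exceed about 30 hops, so a larger gap
    # suggests a non-default initial TTL rather than a distant host.
    return {"initial_ttl": initial, "hops": hops,
            "os_guess": DEFAULT_TTLS[initial], "reliable": hops <= 30}

def summarize_ping(output: str) -> dict:
    """Map each replying host to an inference from the TTLs seen in its replies."""
    seen = {}
    for host, ttl in REPLY.findall(output):
        seen.setdefault(host, set()).add(int(ttl))
    report = {}
    for host, ttls in seen.items():
        result = infer_from_ttl(max(ttls))
        result["ttl_varied"] = len(ttls) > 1  # path change or load balancing
        report[host] = result
    return report

# Constructed ping output (documentation addresses, made-up timings).
SAMPLE_OUTPUT = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=12.3 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=12.1 ms
Reply from 192.0.2.20: bytes=32 time=14ms TTL=119
Reply from 192.0.2.30: bytes=32 time=9ms TTL=250
Reply from 192.0.2.40: bytes=32 time=3ms TTL=90
"""

if __name__ == "__main__":
    for host, result in summarize_ping(SAMPLE_OUTPUT).items():
        print(host, result)
```

The last sample host shows the caveat from the text: a TTL of 90 only fits the Windows default with an implausible 38 hops, so the guess is marked unreliable.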
---
### VoIP
[Voice over Internet Protocol](https://www.fcc.gov/general/voice-over-internet-protocol-voip) (`VoIP`) is a method of transmitting voice and multimedia communications. For example, it allows us to make phone calls using a broadband internet connection instead of a traditional phone line, through services like Skype, WhatsApp, Google Hangouts, Slack, Zoom, and others.
The most common VoIP ports are `TCP/5060` and `TCP/5061`, which are used for the [Session Initiation Protocol](https://en.wikipedia.org/wiki/Session_Initiation_Protocol) (SIP). However, the port `TCP/1720` may also be used by some VoIP systems for the [H.323 protocol](https://en.wikipedia.org/wiki/H.323), a set of standards for multimedia communication over packet-based networks. Still, SIP is more widely used than H.323 in VoIP systems.
SIP is a signaling protocol for initiating, maintaining, modifying, and terminating real-time sessions involving video, voice, messaging, and other communications applications and services between two or more endpoints on the Internet. To do this, it uses requests and methods between the endpoints. The most common SIP requests and methods are:
| Method | Description |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `INVITE` | Initiates a session or invites another endpoint to participate. |
| `ACK` | Confirms the receipt of an INVITE request. |
| `BYE` | Terminates a session. |
| `CANCEL` | Cancels a pending INVITE request. |
| `REGISTER` | Registers a SIP user agent (UA) with a SIP server. |
| `OPTIONS` | Requests information about the capabilities of a SIP server or user agent, such as the types of media it supports. |
([View Highlight](https://read.readwise.io/read/01jnjpg64m23wtpvxkw6gkzhdy))
---
SIP allows us to enumerate existing users for potential attacks. This can be done for various purposes, such as determining a user's availability, finding out information about the user's capabilities or services, or performing brute-force attacks on user accounts later on.
One of the possible ways to enumerate users is the SIP `OPTIONS` request. It is a method used to request information about the capabilities of a SIP server or user agents, such as the types of media it supports, the codecs it can decode, and other details. The `OPTIONS` request can probe a SIP server or user agent for information or test its connectivity and availability. ([View Highlight](https://read.readwise.io/read/01jnjphjdbd0q7br9yqvhh3mfv))
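From the defender's side, user enumeration via `OPTIONS` shows up as one source addressing many different users in a short time. The following added example (not part of the Hack The Box material) flags that pattern in SIP request logs; the log format, threshold values, addresses, and extensions are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed): "<epoch-seconds> <source-ip> <SIP request line>".
REQUEST = re.compile(r"^(\d+) (\S+) ([A-Z]+) sips?:([^@\s]+)@\S+ SIP/2\.0$")

def detect_options_enumeration(lines, window=60, min_users=5):
    """Flag sources that send OPTIONS to >= min_users distinct users within window seconds.

    Returns {source_ip: sorted list of the users probed when the threshold was hit}.
    """
    per_source = defaultdict(list)
    for line in lines:
        m = REQUEST.match(line.strip())
        # Request-URIs without a user part (server keepalives) do not match.
        if m and m.group(3) == "OPTIONS":
            per_source[m.group(2)].append((int(m.group(1)), m.group(4)))
    alerts = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

# Constructed sample: one source walks through extensions; another only sends
# server keepalives, repeated OPTIONS to a single user, and one INVITE.
SAMPLE_LOG = (
    [f"{1700000000 + i} 198.51.100.7 OPTIONS sip:{1001 + i}@pbx.example.test SIP/2.0"
     for i in range(6)]
    + [f"{1700000000 + 30 * i} 192.0.2.15 OPTIONS sip:pbx.example.test SIP/2.0"
       for i in range(6)]
    + [f"{1700000000 + 30 * i} 192.0.2.15 OPTIONS sip:1001@pbx.example.test SIP/2.0"
       for i in range(6)]
    + ["1700000005 192.0.2.15 INVITE sip:1002@pbx.example.test SIP/2.0"]
)

if __name__ == "__main__":
    print(detect_options_enumeration(SAMPLE_LOG))
```

Counting distinct users rather than total requests keeps phones that send periodic `OPTIONS` keepalives from triggering the alert.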
---
During our analysis, it is possible to discover a `SEPxxxx.cnf` file, where `xxxx` is a unique identifier. This is a configuration file used by Cisco Unified Communications Manager, formerly known as Cisco CallManager, to define the settings and parameters for a Cisco Unified IP Phone. The file specifies the phone model, firmware version, network settings, and other details. ([View Highlight](https://read.readwise.io/read/01jnjphvk6ta3c4xj4bf144swm))
---