Hackers Rest
  • Hacker's Rest
  • Tools & Cheatsheets
    • Cybersecurity YouTube Channels
  • Hacking Methodology
  • Hands-on Practice
  • Fundamentals
    • Network Fundamentals
    • Computer Fundamentals
  • Unix
    • Unix Fundamentals
    • Hardening & Setup
      • TMUX/Screen Cheatsheet
    • Red Team Notes
      • Enumeration
      • Getting Access
      • Privilege Escalation
      • Pivoting/Lateral Movement
      • Data Exfiltration
      • Persistence
    • Vim
  • Windows
    • Windows Fundamentals
    • PowerShell
    • Hardening & Setup
    • Red Team Notes
      • Enumeration
      • Getting Access
      • Privilege Escalation
      • Pivoting/Lateral Movement
      • Persistence
      • Data Exfiltration
      • Active Directory
        • Enumeration
        • Getting Access
        • Privilege Escalation
        • Persistence
      • Kerberos
      • Impacket
  • MacOS
    • MacOS Basics
    • Hardening & Configuration
    • Red Team Notes
      • Enumeration
      • Getting Access
      • Privilege Escalation
      • Persistence
  • Web
    • Burp Suite
    • DNS
    • Web Notes
      • Enumeration
      • Web Filter Bypass
      • Command Injection
      • Subdomain/Virtual Host Enumeration
      • The Web Application Hacker's Handbook
  • Mobile
    • iOS
    • Android
  • OS Agnostic
    • Basic Enumeration
    • Cryptography & Encryption
    • Network Hardware
    • OS Agnostic
    • OSINT
    • Password Cracking
      • Gathering the Hashes
      • Wordlist Manipulation
      • Cracking the Hashes
    • Pivoting
      • Chisel
      • Plink.exe
      • SSH
      • Sshuttle
      • Socat
    • Reverse Engineering & Binary Exploitation
      • Buffer Overflow
    • Scripting
      • Script Language Syntax
    • SQL
    • SSH & SCP
    • Steganography
    • Wireless
  • Unsorted
Powered by GitBook
On this page
  • The OSI Model
  • Layer 1: Physical Layer
  • Layer 2: Data Link Layer
  • Ethernet
  • Physical Addressing - "MAC" Addresses
  • Switching
  • Layer 3: Network Layer
  • Key Functions of the Network Layer
  • Common Protocols at the Network Layer
  • Logical Addressing - "IP" Addresses
  • ARP (Address Resolution Protocol)
  • ICMP
  • Routing
  • Network Address Translation (NAT)
  • Layer 4: Transport Layer
  • Key Functions of the Transport Layer
  • TCP vs UDP
  • The TCP Protocol
  • The User Datagram Protocol (UDP)
  • Common TCP and UDP Ports
  • Port Scanning
  • Layer 5: Session Layer
  • Key Functions of the Session Layer
  • Protocols Associated with the Session Layer
  • Circuit-Level Firewalls and the Session Layer
  • Layer 6: Presentation Layer
  • Key Functions of the Presentation Layer
  • Examples of Presentation Layer Protocols
  • Encryption and Cryptography Fundamentals
  • Key Concepts
  • Common Encryption Tools and Protocols
  • Encryption and its OSI Layer Relationships
  • Layer 7: Application Layer
  • Overview
  • Key Functions
  • Common Layer 7 Protocols
  • Importance of Layer 7
  • Example Protocols
  • Windows Networking
  • Network Types in Windows
  • Key Windows Networking Protocols
  • Additional Notes
  • Common Windows Networking Commands
  • Ports and Protocols: User Workstation vs. Windows Server
  • Unix Networking
  • Key Concepts
  • Key Features of SSHD
  • SSHD Configuration
  • Common Unix Networking Commands
  • Unix Ports and Protocols
  • Key Unix Networking Protocols and Services
  • Unix Networking Best Practices
  • Cisco Router Administration and Configuration
  • Overview of Cisco Router CLI
  • Common Cisco Router Commands

Was this helpful?

Edit on GitHub
  1. Fundamentals

Network Fundamentals


The OSI Model

The Open Systems Interconnection (OSI) model is a fundamental concept in networking, providing a structured framework to standardize communication processes across diverse systems. It consists of seven layers, each responsible for specific network functions. This modular design enables interoperability between hardware and software from different vendors, streamlining troubleshooting, optimizing performance, and supporting scalability.

The OSI model is indispensable for network professionals and cyber specialists alike, offering a clear methodology for analyzing, designing, and maintaining networks. Whether managing large-scale enterprise systems or configuring home setups, understanding the layered architecture is crucial for efficient network communication and data flow management.

This page will delve into the OSI model layer by layer, dissecting its components and exploring its application in modern networking practices. Through a technical breakdown, we'll illustrate how each layer contributes to the overall architecture, ensuring seamless data transmission in today's interconnected world.

Each layer has specific functions that help networks communicate effectively:

Layer

Role

Example

1. Physical Layer

Deals with the physical connection between devices.

Cables, switches, and electrical signals

2. Data Link Layer

Ensures error-free data transfer between adjacent nodes.

Ethernet, MAC addresses, and switches

3. Network Layer

Handles routing and forwarding of data packets.

IP addresses and routers

4. Transport Layer

Ensures reliable data transfer with error checking and flow control.

TCP and UDP protocols

5. Session Layer

Manages and controls connections between devices.

Setting up, maintaining, and terminating sessions

6. Presentation Layer

Translates data into a format the application layer can understand.

Encryption, decryption, and data compression

7. Application Layer

Interfaces with end-user applications.

Web browsers, email clients, and file transfer applications

The TCP/IP (DoD) Model

The Department of Defense (DoD) model, also known as the TCP/IP model, simplifies network communication into four layers:

  1. Network Interface Layer: This corresponds to the Physical and Data Link layers in the OSI model. It manages the hardware and physical transmission of data.

  2. Internet Layer: Comparable to the OSI Network layer, it handles IP addressing and routing of packets between devices across networks.

  3. Transport Layer: Aligns closely with the OSI Transport layer, managing end-to-end communication, error checking, and flow control (e.g., using TCP or UDP).

  4. Application Layer: Combines the functionalities of the OSI Session, Presentation, and Application layers, facilitating interaction with software applications.

Comparison:

  • Layer Consolidation: The DoD model condenses the OSI model’s 7 layers into 4, making it simpler and more directly aligned with TCP/IP protocols.

  • Focus: While the OSI model is a conceptual framework, the DoD model is more practical and focused on actual implementation in real-world networking.

  • Popularity: The DoD model is widely used because it is directly tied to the protocols that run the internet, such as TCP, IP, and UDP.

This table highlights how the DoD model simplifies and condenses the layers from the OSI model, combining certain functionalities into fewer layers for practical implementation.

OSI Model Layer

DoD (TCP/IP) Model Layer

Key Comparison

1. Physical Layer

1. Network Interface Layer

Handles physical transmission of data, including hardware like cables and signals.

2. Data Link Layer

1. Network Interface Layer

Combined with the Physical Leyer in the DoD model, manages hardware-level addressing and data transfer.

3. Network Layer

2. Internet Layer

Focuses on routing and forwarding data, with IP addressing as a core function.

4. Transport Layer

3. Transport Layer

Common to both models, ensures reliable data transfer with protocols like TCP and UDP.

5. Session Layer

4. Application Layer

Consolidated in the DoD model, manages sessions and connections for applications.

6. Presentation Layer

4. Application Layer

Responsible for data formatting, encryption, and compression.

7. Application Layer

4. Application Layer

Provides an interface for software applications to access network services.


Layer 1: Physical Layer

The Physical Layer, the foundation of the OSI model, focuses on the hardware and physical means of transmitting raw binary data between devices. It governs the transmission of electrical, optical, or radio signals over mediums like cables, fiber optics, or wireless connections. This layer is responsible for specifications such as voltage levels, transmission rates, connectors, pin layouts, and the physical aspects of network interfaces. Its effectiveness and setup can have a direct impact on network performance and reliability. Networks are also organized into logical structures, based on the arangement of devices, called the Network Topology.

Network Topology

A Network Topology defines the physical or logical arrangement of devices within a network. Here’s a breakdown of some common topologies:

Topology

Characteristics

Bus

A single cable connects all hosts. Cost-effective but prone to data reflection and collision problems.

Star

(Most Common for LANs) All hosts connect to a central hub or switch. Easy to manage but has a single point of failure.

Tree

Hierarchical structure with a main root node connecting to servers via point-to-point links.

Ring

Data travels in one direction through a closed loop. Each node has a repeater, ensuring the signal is maintained. Critical ring failure can disrupt the network.

Mesh

All devices are interconnected. Offers maximum reliability and fault tolerance but is highly complex and costly.

Each topology serves specific needs and environments, with trade-offs in cost, complexity, and redundancy. The choice of topology often depends on the scale, required reliability, and budget of the network setup.

Network Types

Networks are categorized based on their size, reach, and purpose. Here are some common types:

  • LAN (Local Area Network): Covers a small area like a home, office, or school. It is cost-effective and offers high-speed data transfer.

  • WAN (Wide Area Network): Spans large geographical areas, connecting multiple LANs. The internet is the largest example of a WAN.

  • MAN (Metropolitan Area Network): Covers a city or metropolitan area, larger than LAN but smaller than WAN.

  • PAN (Personal Area Network): A very small network for personal devices, typically within a 10-meter range (e.g., Bluetooth connections).

  • CAN (Campus Area Network): Connects multiple LANs within a campus, such as a university or corporate premises.

  • SAN (Storage Area Network): Dedicated to providing access to consolidated storage devices.

  • WLAN (Wireless Local Area Network): A wireless version of LAN, using technologies like Wi-Fi.

  • VPN (Virtual Private Network): Creates a secure network connection over a public network, often used for privacy and security.

Network Type

Coverage Area

Purpose

Example

LAN

Small (home, office)

High-speed local communication

Office network

WAN

Large (global)

Connects multiple LANs

The internet

MAN

Medium (city)

Regional connectivity

Cable TV network

PAN

Very small (personal)

Connects personal devices

Bluetooth devices

CAN

Campus-wide

Connects LANs within a campus

University network

SAN

Storage-specific

Provides access to storage devices

Data center storage network

WLAN

Small (wireless LAN)

Wireless local communication

Home Wi-Fi

VPN

Variable (virtual)

Secure connection over public networks

Remote work network

Network Devices

While all network devices exist in the physical layer topology-wise, each logically operates at a different layer depending on their function. Here are some of the most common network devices.

Device

Function

Layer

Key Features

Hub

Connects devices within a network but broadcasts data to all ports.

Physical Layer

Simple and inexpensive, prone to collisions, largely obsolete.

Modem

Converts digital signals to analog for internet access via ISPs.

Physical Layer

Interfaces with DSL, cable, or fiber connections, often integrated with routers.

Switch

Connects devices within a single network and forwards data based on MAC addresses.

Data Link Layer

Reduces network collisions, creates virtual LANs (VLANs), and improves efficiency.

Wireless Access Point (WAP)

Provides wireless connectivity to devices within a network.

Data Link Layer

Extends network coverage, supports Wi-Fi standards, and connects wired networks to wireless devices.

Router

Connects multiple networks and routes data packets between them.

Network Layer

Uses IP addresses, enables internet access, supports NAT and firewall features.

Firewall

Monitors and controls incoming and outgoing network traffic based on security rules.

Network Layer (or multiple layers)

Protects against unauthorized access, blocks malicious traffic, and enforces security policies.

Gateway

Acts as a bridge between different network protocols or architectures.

Application Layer

Translates data formats, manages protocol conversions, and connects dissimilar networks.

Proxy Server

Acts as an intermediary for requests between clients and servers.

Application Layer

Provides anonymity, content filtering, and caching for improved performance.

VPN Concentrator

Manages and establishes secure VPN connections for multiple users.

Network and Application Layers

Provides encryption, authentication, and secure remote access for users.


Layer 2: Data Link Layer

The Data Link Layer is the second layer of the OSI model. It is responsible for node-to-node data transfer, ensuring reliable communication over the physical medium. This layer provides error detection (but not correction), manages physical addressing, and organizes data into frames for transmission. It also facilitates communication between higher-layer protocols and physical hardware.

Ethernet

Ethernet is a widely used networking technology that operates primarily at the Data Link Layer (Layer 2) of the OSI model. It is the backbone of most local area networks (LANs) and provides a reliable and efficient method for devices to communicate within a network. Its sublayers, protocols, and mechanisms such as CSMA/CD, make Ethernet one of the most efficient standards for network communication.

Key Features of Ethernet

  • Frame Structure: Ethernet organizes data into frames for transmission. Each frame includes:

    • Preamble (8 bytes): Synchronizes communication between devices.

    • Destination MAC Address (6 bytes): Identifies the receiving device.

    • Source MAC Address (6 bytes): Identifies the sending device.

    • Type/Length Field (2 bytes): Specifies the protocol or payload size.

    • Data (46-1500 bytes): Contains the actual payload.

    • Frame Check Sequence (FCS, 4 bytes): Ensures error detection.

  • Access Method:

    • Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) in half-duplex mode to manage data transmission and handle collisions. In full-duplex mode, collisions are avoided entirely.

  • Sublayers:

    • Media Access Control (MAC): Handles physical addressing, frame transmission, and reception.

    • Logical Link Control (LLC): Manages error detection and communication between higher-layer protocols and the MAC sublayer.

  • Speed and Standards:

    • Ethernet supports various speeds, from 10 Mbps (Ethernet) to 100 Gbps (Gigabit Ethernet and beyond). The modern version is defined by the IEEE 802.3 standard.

  • Topology:

    • Ethernet networks typically use a star topology, where devices connect to a central switch or hub. However, it can also support other topologies like bus or tree.

  • Error Handling:

    • While Ethernet allows for error detection using the FCS, it does not provide error correction. Frames with errors are discarded, and higher-layer protocols handle retransmissions.

Feature

Description

Frame

Frames are the units of data in this layer, allowing for error detection but not error correction.

Ethernet MTU

The maximum transmission unit (MTU) for Ethernet is 1518 bytes, while the minimum frame size is 64 bytes.

Sublayers

The Data Link Layer consists of two sublayers: MAC and LLC

Media Access Control (MAC)

Detects the carrier, handles transmission (TX) and reception (RX), and passes data to/from the Logical Link Control (LLC) sublayer. Operates at the physical layer and supports half or full-duplex communication.

Logical Link Control (LLC)

Handles error detection and facilitates communication between networking protocols and the MAC sublayer.

CSMA/CD

The access method for Ethernet in half-duplex mode uses Carrier Sense Multiple Access with Collision Detection to manage data collisions.

Collision Handling

Utilizes truncated binary exponential backoff to schedule retransmissions after collisions.

Ethernet II vs 802.3

Differ in Preamble and Control fields.

Physical Addressing - "MAC" Addresses

Physical addressing in the Data Link Layer is achieved through Media Access Control (MAC) addresses, which are unique identifiers assigned to network interface cards (NICs).

  • A MAC address is a 48-bit identifier, typically represented as six pairs of hexadecimal digits (e.g., 00:1A:2B:3C:4D:5E).

  • The first three pairs are the OUI (Organizationally Unique Identifier), which identify the manufacturer, while the last three pairs are specific to the device.

A MAC address is "burned in", or permanently assigned, to the network interface card (NIC) by the manufacturer. This assignment is done during the manufacturing process and is stored in the hardware's read-only memory (ROM) or firmware. Since it's hardwired into the device, the MAC address is unique to each NIC and cannot be permanently changed.

Some devices allow you to override the burned-in address temporarily through software, a process known as MAC address spoofing. However, even with this override, the original "burned-in" address remains embedded in the hardware.

MAC Role in Communication:

MAC addresses are used to identify devices within the same LAN segment. When a device sends a frame, it includes the source MAC address and the destination MAC address in the frame header. The header ensures that frames are delivered to the correct device within the network. The MAC sublayer also works closely with the Logical Link Control (LLC) sublayer, which handles communication between different network protocols and the MAC sublayer.

MAC addresses are also used in Collision Handling:

  • In half-duplex Ethernet networks, the MAC sublayer uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to manage collisions.

  • Devices listen for a carrier signal before transmitting and use a backoff algorithm to retry transmission after a collision.

Switching

Switching is a process in networking that involves directing data packets between devices within the same network. Switches operate primarily at the Data Link Layer (Layer 2) of the OSI model, using MAC addresses to forward frames to the correct destination. Unlike hubs, which broadcast data to all connected devices, switches intelligently forward data only to the intended recipient, reducing collisions and improving efficiency.

Key Concepts in Switching

  • MAC Address Table:

    • Switches maintain a table mapping MAC addresses to specific ports. This allows them to forward frames directly to the correct device.

  • Collision Domains:

    • A network segment where data packets can collide if two devices attempt to send data at the same time.

    • Collisions are common in hubs and half-duplex communication, but switches isolate each port into its own collision domain.

  • Broadcast Domains:

    • A network segment where devices can receive broadcast messages sent by any device within the domain.

    • Routers separate broadcast domains, ensuring broadcasts are limited to specific segments.

    • Switches do not break broadcast domains; all devices connected to a switch can receive broadcast frames unless VLANs are configured.

  • Full-Duplex Communication:

    • Modern switches support full-duplex communication, allowing simultaneous transmission and reception of data.

VLANS

VLANs, or Virtual Local Area Networks, serve as a method for logically segmenting a physical network into multiple isolated networks. This segmentation helps improve efficiency and security by separating traffic based on specific criteria, such as device function, department, or application. VLANs allow devices within the same VLAN to communicate directly, while communication between different VLANs requires a Layer 3 device like a router or a Layer 3 switch.

One key benefit of VLANs is traffic isolation. By creating separate VLANs, broadcast traffic is restricted to devices within the same VLAN, reducing unnecessary traffic across the network. This not only improves performance but also minimizes the risk of interference or congestion.

VLANs utilize 802.1Q tagging to manage traffic across trunk ports that connect switches. This tagging ensures that data packets can be appropriately identified and routed within the network. Additionally, each VLAN constitutes its own broadcast domain, allowing administrators to control and limit the scope of broadcast communication for better network management.

Common Switching Protocols

Switching is essential for efficient network communication, and protocols like Spanning Tree Protocol (STP) ensure stability and reliability in complex network environments. Here are a few of the common switching protocols used today:

Protocol

Function

Key Features

Spanning Tree Protocol (STP)

Prevents loops in a network by disabling redundant paths.

Ensures a single active path, improves network stability, and uses BPDUs to detect/manage loops.

Rapid Spanning Tree Protocol (RSTP)

Enhanced version of STP for faster convergence times.

Ideal for modern networks that require quick recovery from topology changes.

Multiple Spanning Tree Protocol (MSTP)

Allows multiple VLANs to share a single spanning tree instance.

Optimizes resource usage and is effective for extensive VLAN configurations.

VLAN Trunking Protocol (VTP)

Simplifies and centralizes VLAN management across switches.

Propagates VLAN information, reducing administrative overhead in large networks.

Link Aggregation Control Protocol (LACP)

Combines multiple physical links into one logical link for greater reliability.

Provides increased bandwidth, redundancy, and efficient load balancing across aggregated links.

Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol (CDP) is a proprietary protocol developed by Cisco Systems. It operates at the Data Link Layer (Layer 2) of the OSI model and is used to discover and share information about directly connected Cisco devices. CDP helps network administrators manage and troubleshoot networks by providing details about neighboring devices.

Key Features of CDP

  1. Device Discovery:

    • CDP allows devices to discover information about directly connected neighbors, such as device type, IP address, operating system version, and port details.

  2. Multicast Communication:

    • CDP packets are sent to the multicast MAC address 01:00:0C:CC:CC:CC.

    • These packets are transmitted every 60 seconds by default and have a hold time of 180 seconds.

  3. Versions:

    • CDPv1: The initial version, capable of basic device discovery.

    • CDPv2: Adds advanced features like detecting mismatched VLANs and duplex settings.

  4. Protocol Independence:

    • CDP operates at Layer 2, meaning it can function regardless of the network-layer protocol (e.g., IPv4 or IPv6).

  5. On-Demand Routing (ODR):

    • CDP can be used to propagate routing information in simple hub-and-spoke networks without requiring a full routing protocol.

  6. Management Tools:

    • Network administrators can view CDP information using commands like show cdp neighbors and show cdp entry.

CDP Use Cases

  • Identifying misconfigurations, such as mismatched VLANs or duplex settings.

  • Mapping network topology by discovering connected devices.

  • Simplifying network troubleshooting and management.

CDP is a powerful tool for Cisco environments, but it is limited to directly connected devices and does not work across non-Cisco equipment. For multi-vendor environments, the Link Layer Discovery Protocol (LLDP) is often used as an alternative.


Layer 3: Network Layer

The Network Layer is the third layer of the OSI model, responsible for enabling communication between devices across different networks. It plays a critical role in routing, addressing, and forwarding data packets to their destination, ensuring efficient and reliable communication.

Key Functions of the Network Layer

  • Logical Addressing:

    • The Network Layer assigns unique logical addresses (e.g., IP addresses) to devices, enabling identification and communication across networks.

    • These addresses are essential for routing and distinguishing devices in different network segments.

  • Routing:

    • Determines the best path for data packets to travel from the source to the destination.

    • Utilizes routing protocols like RIP, OSPF, and BGP to dynamically update and optimize routes.

  • Packet Forwarding:

    • Ensures data packets are forwarded to the correct destination based on routing tables and logical addressing.

    • Routers, operating at this layer, play a key role in forwarding packets between networks.

  • Fragmentation and Reassembly:

    • Splits large packets into smaller fragments to match the Maximum Transmission Unit (MTU) of the underlying network.

    • Reassembles fragments at the destination to reconstruct the original data.

  • Error Handling:

    • Detects and manages errors in packet transmission, ensuring reliable delivery.

    • Protocols like ICMP (Internet Control Message Protocol) assist in error reporting and diagnostics.

Common Protocols at the Network Layer

  • IPv4 and IPv6: Internet Protocols for logical addressing and routing.

  • ICMP: Used for error reporting and network diagnostics.

  • RIP, OSPF, BGP: Routing protocols for determining optimal paths.

  • NAT: Network Address Translation for mapping private IP addresses to public ones.

Here is a full list of IP Protocols for reference:

  • https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Logical Addressing - "IP" Addresses

IP addressing is a core function of the Network Layer (Layer 3), enabling devices to identify and communicate with each other across networks. It provides logical addresses to devices, ensuring data packets are routed correctly to their destinations. Here's a detailed look at IPv4 and IPv6 addressing:

IPv4 Addressing

  • Address Format:

    • IPv4 addresses are 32-bit binary numbers, typically represented in dotted decimal format (e.g., 192.168.1.1).

    • Each address consists of four octets, separated by periods, with values ranging from 0 to 255.

  • IP Header:

    • The IPv4 header is 20 bytes long and contains fields for source and destination addresses, as well as routing and error-checking information.

  • Private Network Addresses:

    • Reserved for internal use and not routable on the public internet:

      • 10.0.0.0/8

      • 172.16.0.0/12

      • 192.168.0.0/16

    • APIPA (Automatic Private IP Addressing): 169.254.0.0/16 is used when a device cannot obtain an IP address from a DHCP server.

    • Loopback Address: 127.0.0.0/8 is reserved for testing and communication within the same device.

Subnetting:

Subnetting divides a network into smaller segments, with the host bit length determining the subnet size. For example, a /24 subnet mask allows for 256 addresses, with 254 usable for hosts (subtract one for the network id (o) and one for the broadcast address (255).

IPv4 addresses were originally divided into classes (A, B, C, etc.) based on their range and intended use.

Class

CIDR Notation

Address Range

Purpose

Class A

/8

1.0.0.0 to 126.0.0.0

Used for large networks, typically public.

Class B

/16

128.0.0.0 to 191.255.0.0

Medium-sized networks, often used by organizations.

Class C

/24

192.0.0.0 to 223.255.255.0

Small networks like homes or small businesses.

Class D

Not Applicable

224.0.0.0 to 239.255.255.255

Reserved for multicast communication.

Class E

Not Applicable

240.0.0.0 to 255.255.255.255

Experimental use, not assigned for general use.

CIDR

Modern networks use Classless Inter-Domain Routing (CIDR) for more efficient allocation. CIDR simplifies IP address allocation and routing by allowing variable-length subnet masks rather than fixed classes (A, B, or C).

  • Format: Written as an IP address followed by a slash (e.g., 192.168.1.0/24), where the number after the slash represents the number of bits used for the network portion.

  • Efficiency: CIDR improves IP address utilization by splitting networks into smaller subnets or aggregating them into larger blocks.

  • Subnet Mask Representation: For example, /24 corresponds to a subnet mask of 255.255.255.0.

  • Aggregation: CIDR enables route summarization, reducing the size of routing tables and improving network performance.

ARP (Address Resolution Protocol)

The Address Resolution Protocol (ARP) is a network protocol used to map an IPv4 address (Layer 3) to a MAC address (Layer 2) within a local network. It is essential for enabling communication between devices on the same subnet in an Ethernet-based network.

How ARP Works

  1. ARP Request:

  • When a device wants to communicate with another device on the same network, it first checks its ARP cache to see if the MAC address corresponding to the target IP address is already known.

  • If the MAC address is not found in the ARP cache, the device broadcasts an ARP request to all devices on the local network (MAC Address FF:FF:FF:FF:FF:FF). This request contains the sender's IP and MAC addresses, as well as the target IP address.

  1. ARP Reply:

  • The device with the matching IP address responds with an ARP reply. This reply is unicast directly to the requesting device and contains the MAC address of the target device.

  • The requesting device updates its ARP cache with the newly learned MAC address for future communication.

  1. Communication: Once the MAC address is resolved, the requesting device can encapsulate the data in an Ethernet frame and send it directly to the target device using its MAC address.

Reverse ARP (RARP)

Reverse ARP (RARP) is a protocol used to map a MAC address to an IP address. It is the reverse of ARP and is typically used by diskless workstations or devices during boot-up to request their IP address from a RARP server. However, RARP has largely been replaced by more modern protocols like DHCP.

ARP in the OSI Model

ARP operates at Layer 3 (Network Layer) of the OSI model because it uses IP addresses to determine the corresponding MAC addresses. However, its functionality bridges Layer 2 (Data Link Layer) and Layer 3, as it facilitates the translation between these layers.

Types of ARP

  • Proxy ARP: Allows a router to respond to ARP requests on behalf of another device, enabling communication across different subnets.

  • Gratuitous ARP: A device sends an ARP request for its own IP address to detect IP conflicts or update other devices' ARP caches.

  • Inverse ARP (InARP): Used in Frame Relay and ATM networks to map Layer 2 addresses to Layer 3 addresses dynamically.

ARP Cache

  • Devices maintain an ARP cache to store recently resolved IP-to-MAC address mappings. This reduces the need for repeated ARP requests.

  • Entries in the ARP cache have a time-to-live (TTL) and are removed after a certain period unless refreshed.

Security Considerations

  • ARP Spoofing/Poisoning: Attackers can send fake ARP replies to associate their MAC address with a legitimate IP address, enabling man-in-the-middle attacks or denial-of-service (DoS) attacks.

  • Mitigation: Use techniques like Dynamic ARP Inspection (DAI) and static ARP entries to prevent ARP spoofing.

IPv6

IPv6 (Internet Protocol Version 6) is the successor to IPv4, designed to address the limitations of the older protocol. It provides a vastly larger address space, improved efficiency, and enhanced security features. IPv6 uses 128-bit addresses, allowing for approximately 340 undecillion unique addresses, compared to IPv4's 32-bit addresses, which support around 4.3 billion unique addresses. This expansion accommodates the growing number of internet-connected devices, especially with the rise of IoT (Internet of Things).

  • Address Format:

    • IPv6 addresses are 128-bit binary numbers, represented as 8 groups of 2 bytes written in hexadecimal format (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

    • To simplify, leading zeros can be omitted, and consecutive groups of zeros can be truncated and replaced with :: (e.g., 2001:db8::1) - but only once in a single address.

  • Address Space:

    • IPv6 provides a vastly larger address space compared to IPv4, supporting approximately 340 undecillion unique addresses.

    • Eliminates the need for NAT (Network Address Translation) in most cases.

  • Header:

    • The IPv6 header is simpler than IPv4, improving efficiency. It includes fields for source and destination addresses, traffic class, and flow label.

IPv6 Address Types:

The three most common address types in IPv6 are:

  • Unicast: One-to-one communication.

  • Multicast: One-to-many communication.

  • Anycast: One-to-nearest communication (based on routing distance).

IPv6 does away with the concept of a "broadcast" address, and instead uses a variety of specific anycast and multicast addresses to fit these use cases.

Address Type

Description

Example

Global Unicast

Used for one-to-one communication across the internet.

2001:db8::/32

Link-Local

Automatically assigned for communication within a single link or network segment.

fe80::/10

Unique Local

Private addresses for internal networks, similar to IPv4 private addresses.

fc00::/7

Multicast

Enables one-to-many communication, delivering packets to multiple interfaces.

ff00::/8

Anycast

Assigned to multiple interfaces, but packets are delivered to the nearest one.

No specific range; depends on configuration.

Loopback

Used for testing and communication within the same device.

::1

Unspecified

Represents the absence of an address, often used during initialization.

::

Solicited-Node Multicast

Used for Neighbor Discovery Protocol (NDP) to resolve MAC addresses.

ff02::1:ffXX:XXXX

Reserved

Reserved for future use or special purposes.

Various ranges, e.g., ::/128

IPv4 vs. IPv6

IPv6 introduces features like Neighbor Discovery Protocol (NDP), which replaces ARP in IPv4, and eliminates the need for NAT (Network Address Translation) due to its vast address space.

Feature

IPv4

IPv6

Address Length

32 bits

128 bits

Address Format

Dotted decimal (e.g., 192.168.1.1)

Hexadecimal (e.g., 2001:db8::1)

Address Space

~4.3 billion unique addresses

~340 undecillion unique addresses

Header Size

20 bytes

40 bytes

Header Complexity

Simple, but less efficient

Simplified for better performance

Security

Optional (IPSec is not mandatory)

IPSec is built-in and mandatory

Broadcast

Supported

Replaced by multicast and anycast

Address Resolution

ARP

NDP

Address Configuration

Manual or via DHCP

Automatic via SLAAC (Stateless Address Autoconfiguration)

Fragmentation

Performed by routers and hosts

Performed only by the sender

Checksum

Required in headers

Not required

ICMP

The Internet Control Message Protocol (ICMP) is a network layer protocol used for error reporting, diagnostics, and operational queries in IP networks. It is primarily utilized by devices like routers, hosts, and gateways to communicate issues or provide feedback about network conditions. ICMP is not used for data transmission but rather for control and error messages, helping to maintain and troubleshoot network connectivity.

Uses of ICMP

  1. Error Reporting: ICMP notifies the sender when issues like unreachable destinations, timeouts, or routing problems occur.

  2. Diagnostics: Tools like ping and traceroute rely on ICMP to test connectivity and measure latency.

  3. Network Management: ICMP assists in managing and optimizing network performance by providing feedback on packet delivery.

ICMP Types and Codes

This table highlights the most commonly used ICMP types and codes, which are essential for network troubleshooting and management.

Type

Code

Description

Use Case

0

0

Echo Reply

Response to a ping request.

3

0-15

Destination Unreachable

Indicates issues like unreachable host, network, or port.

5

0-3

Redirect

Suggests a better route for packets.

8

0

Echo Request

Used by ping to test connectivity.

11

0-1

Time Exceeded

Indicates packet TTL (Time to Live) expired.

12

0-2

Parameter Problem

Reports issues with header fields.

13

0

Timestamp Request

Requests time synchronization.

14

0

Timestamp Reply

Responds to a timestamp request.

Routing

IP Routing is the process of determining the best path for data packets to travel from a source to a destination across interconnected networks. Routers, operating at the Network Layer (Layer 3) of the OSI model, use routing tables and protocols to make forwarding decisions. Routing ensures efficient and reliable communication between devices in different networks.

Key Concepts in Routing

  • Routing Tables:

    • Routers maintain routing tables that store information about available routes, their metrics, and next-hop addresses.

    • These tables are dynamically updated by routing protocols or manually configured for static routes.

  • Path Selection:

    • Routing protocols use algorithms to select the best path based on metrics and policies.

    • Examples include Dijkstra's algorithm (OSPF) and Bellman-Ford algorithm (RIP).

  • Metrics:

    • Metrics are values used by routing protocols to determine the best path.

    • Common metrics include hop count (RIP), bandwidth (OSPF), delay, reliability, and cost.

  • Route Summarization:

    • Combines multiple routes into a single summary route to reduce the size of routing tables and improve efficiency.

    • Often used in hierarchical networks.

  • Default Routes:

    • A route used when no specific match is found in the routing table.

    • Configured with a destination of 0.0.0.0/0 in IPv4 or ::/0 in IPv6.

  • Load Balancing:

    • Distributes traffic across multiple paths to optimize resource utilization and prevent congestion.

    • Can be equal-cost (paths with the same metric) or unequal-cost (supported by protocols like EIGRP).

  • Route Redistribution:

    • Allows different routing protocols to share routing information.

    • For example, redistributing routes between OSPF and EIGRP in a mixed-protocol environment.

  • Routing Loops:

    • Occur when packets circulate endlessly due to incorrect routing information.

    • Prevented by mechanisms like split horizon, route poisoning, and hold-down timers.

  • Administrative Distance (AD):

    • Determines the trustworthiness of a route.

    • Lower AD values are preferred over higher ones when multiple routes to the same destination exist.

    • For example:

      • Directly Connected: AD = 0

      • Static Route: AD = 1

      • RIP: AD = 120

      • OSPF: AD = 110

  • Convergence Time:

    • The time it takes for all routers in a network to update their routing tables and agree on the network topology after a change.

    • Convergence occurs when all routers in a network learn about changes (e.g., link failures) and agree on the updated topology.

    • Faster convergence is critical for maintaining network stability.

Routing Protocols

Here is a list of some of the most common routing protocols and their features, including Administrative Distance (AD):

Protocol

Description

Key Features

RIP (Routing Information Protocol)

A distance-vector protocol that uses hop count as its metric.

- RIPv1: Broadcasts routing tables every 30 seconds. - RIPv2: Supports multicast updates sent to multicast 224.0.0.9, and CIDR notation. - AD = 120

OSPF (Open Shortest Path First)

A link-state protocol that uses bandwidth to determine the best path.

- Protocol number: 89 - Uses Multicast addresses: 224.0.0.5 (normal communication), 224.0.0.6 (updates to designated routers). - AD = 110

EIGRP (Enhanced Interior Gateway Routing Protocol)

A hybrid protocol combining distance-vector and link-state features.

- AD = 5 (summary routes), 90 (internal), 170 (external). - Uses metrics like bandwidth, delay, and reliability

BGP (Border Gateway Protocol)

A path-vector protocol used for routing between autonomous systems (AS).

- eBGP: AD = 20 (external). - iBGP: AD = 200 (internal).

ISIS (Intermediate System to Intermediate System)

A link-state protocol used in large networks, especially ISPs.

- AD = 115.

Static Routing

Manually configured routes for specific destinations.

- AD = 1.

Directly Connected

Routes automatically added for directly connected interfaces.

- AD = 0.

The Administrative Distance (AD) of an unknown network is 255, which is the highest AD value. When a route has an AD of 255, it is considered unreachable or invalid, and it will not be included in the routing table or used for packet forwarding. This ensures that the router avoids routes from unknown or unreliable sources.

On-Demand Routing (ODR)

On-Demand Routing (ODR) is a lightweight routing solution designed for simple hub-and-spoke network topologies. It is not a full-fledged routing protocol but rather an enhancement to the Cisco Discovery Protocol (CDP). ODR is particularly useful in scenarios where spoke routers are stub routers (connected only to the hub router) and do not require a dynamic routing protocol.

  • CDP-Based: ODR relies on CDP to propagate IP prefixes from spoke routers to the hub router.

  • Stub Networks: Ideal for networks where spoke routers have no other router connections.

  • Dynamic Yet Simple: Provides dynamic route updates without the complexity of full routing protocols.

  • Default Route: The hub router sends a default route to the spoke routers, simplifying their configuration.

  • Administrative Distance: ODR has an Administrative Distance (AD) of 160, making it less preferred than most dynamic routing protocols.

How It Works

  • Hub Router: Configured with the router odr command to enable ODR.

  • Spoke Routers: Do not run any dynamic routing protocols but advertise their directly connected networks via CDP.

  • Route Propagation: The hub router learns the IP prefixes from the spokes and installs them in its routing table.

  • Default Route: The hub router sends a default route to the spokes, ensuring they can reach external networks.

Advantages of ODR

  • Minimal configuration and resource requirements.

  • Suitable for low-spec routers in simple topologies.

  • Reduces the need for static routes in hub-and-spoke networks.

Routing Metrics and Protocol Behavior

  • RIP: Simple but limited by a maximum hop count of 15, making it unsuitable for large networks.

  • OSPF: Uses the Dijkstra algorithm to calculate the shortest path based on link cost (bandwidth).

  • EIGRP: Employs the Diffusing Update Algorithm (DUAL) for fast convergence and supports unequal-cost load balancing.

  • BGP: Critical for internet routing, using attributes like AS-path and next-hop for path selection.

  • ISIS: Similar to OSPF but operates independently of IP, making it versatile for both IPv4 and IPv6.

Network Address Translation (NAT)

Network Address Translation (NAT) is a process used in networking to map private IP addresses within a local network to a public IP address for communication over the internet. NAT operates at the Network Layer (Layer 3) and is typically implemented on routers or firewalls. It helps conserve the limited pool of IPv4 addresses and provides an additional layer of security by hiding internal network structures from external networks.

Key Features of NAT

  • Address Translation:

    • NAT translates private IP addresses (e.g., 192.168.0.1) to a public IP address when packets leave the local network.

    • When packets return, NAT translates the public IP back to the corresponding private IP.

  • Types of NAT:

    • Static NAT: Maps a single private IP address to a single public IP address.

    • Dynamic NAT: Maps private IP addresses to a pool of public IP addresses on a first-come, first-served basis.

    • Port Address Translation (PAT): Also known as NAT Overload, it maps multiple private IP addresses to a single public IP address by using different port numbers.

    • Bidirectional NAT: Allows translation in both directions, enabling communication between two networks with overlapping IP ranges.

  • Security Benefits:

    • NAT hides internal IP addresses from external networks, reducing the attack surface.

    • External devices cannot directly initiate communication with internal devices unless explicitly allowed.

  • IPv6 Transition:

    • NAT can facilitate the coexistence of IPv4 and IPv6 networks using techniques like NAT64, which translates IPv6 addresses to IPv4 and vice versa.

Advantages of NAT

  • Conserves public IPv4 addresses by allowing multiple devices to share a single public IP.

  • Enhances security by masking internal network details.

  • Simplifies network management in private networks.


Layer 4: Transport Layer

The Transport Layer is the fourth layer of the OSI model, responsible for ensuring reliable data transfer between devices. It acts as an intermediary between the Network Layer (Layer 3) and the Session Layer (Layer 5), providing end-to-end communication and managing data flow. The Transport Layer ensures that data is delivered accurately, in the correct sequence, and without errors.

Key Functions of the Transport Layer

  • Segmentation and Reassembly:

    • Divides large data streams into smaller segments for transmission.

    • Reassembles segments at the destination to reconstruct the original data.

  • Error Detection and Correction:

    • Ensures data integrity by detecting and correcting errors during transmission.

  • Flow Control:

    • Manages the rate of data transmission to prevent overwhelming the receiving device.

  • Connection Management:

    • Establishes, maintains, and terminates connections between devices.

    • Supports both connection-oriented and connectionless communication.

  • Multiplexing and Demultiplexing:

    • Allows multiple applications to share the same network connection by assigning unique port numbers.

TCP vs UDP

The two main protocols that function at the Transport Layer are TCP and UDP.

Protocol

Description

Key Features

TCP (Transmission Control Protocol)

A connection-oriented protocol that ensures reliable data delivery.

- Provides error checking, retransmission, and flow control. - Used for applications like web browsing (HTTP/HTTPS) and email (SMTP, IMAP).

UDP (User Datagram Protocol)

A connectionless protocol that prioritizes speed over reliability.

- No error checking or retransmission, making it faster but less reliable. - Used for real-time applications like video streaming and online gaming.

The TCP Protocol

Transmission Control Protocol (TCP) is a connection-oriented protocol that operates at the Transport Layer (Layer 4) of the OSI model. It ensures reliable, ordered, and error-checked delivery of data between devices. TCP is widely used for applications requiring guaranteed delivery, such as web browsing (HTTP/HTTPS), email (SMTP, IMAP), and file transfers (FTP).

Key Features of TCP

  • Connection-Oriented: Establishes a connection before data transfer using the three-way handshake.

  • Reliable Delivery: Ensures data is delivered without errors, in the correct order, and without duplication.

  • Flow Control: Manages the rate of data transmission to prevent overwhelming the receiver.

  • Error Detection: Uses checksums to detect errors in transmitted data.

  • Congestion Control: Adjusts the transmission rate based on network conditions.

TCP Flags

TCP uses "flags" (bits assigned a special meaning if they are set to '1') in its header to manage connections and data transfer. Here are the most common flags:

Flag

Description

SYN

Synchronize: Used to initiate a connection and synchronize sequence numbers.

ACK

Acknowledgment: Confirms receipt of data or connection requests.

FIN

Finish: Indicates the sender wants to terminate the connection.

RST

Reset: Abruptly terminates a connection due to errors or unexpected conditions.

PSH

Push: Instructs the receiver to process data immediately without buffering.

URG

Urgent: Indicates that the data in the packet should be prioritized.

ECE

Explicit Congestion Notification Echo: Indicates the TCP peer is ECN-capable.

CWR

Congestion Window Reduced: Indicates congestion management.

The Three-Way Handshake

The three-way handshake is a process used by TCP to establish a reliable connection between a client and a server. It involves three steps:

  1. SYN (Synchronize):

    • The client sends a SYN packet to the server, indicating its intent to establish a connection and providing an initial sequence number (ISN).

  2. SYN-ACK (Synchronize-Acknowledge):

    • The server responds with a SYN-ACK packet, acknowledging the client's SYN and providing its own ISN.

  3. ACK (Acknowledge):

    • The client sends an ACK packet, acknowledging the server's SYN-ACK.

    • At this point, the connection is established, and data transfer can begin.

Connection Termination

TCP connections are normally terminated using a graceful four-step process:

  1. FIN (Finish):

    • The sender initiates the connection termination by sending a FIN flag, indicating that it has no more data to send.

  2. ACK (Acknowledgment):

    • The receiver acknowledges the FIN with an ACK flag, signaling it has received the termination request.

  3. FIN:

    • The receiver sends its own FIN flag once it is ready to close its side of the connection.

  4. ACK:

    • The original sender responds with an ACK, confirming the termination of the connection.

At this point, the connection is fully closed, and no further communication can occur between the two devices.

Connection Reset

A connection reset occurs when a TCP session is abruptly terminated, often due to errors or unexpected conditions. This is handled using the RST (Reset) flag.

  • Reasons for Reset:

    • A packet is sent to a host that is not expecting it (e.g., an unsolicited SYN packet).

    • Application crashes or abnormal terminations.

    • Firewall or security policies interrupting the connection.

  • Impact:

    • Resets bypass the normal four-step termination process, immediately tearing down the connection.

    • Both endpoints are notified, and any unacknowledged data is discarded.

The use of RST is less common but crucial for handling unexpected situations or maintaining network security.

TCP Chimney Offload

TCP Chimney Offload is a network performance feature that allows the networking subsystem to offload the processing of TCP/IP protocols from the system's processor (CPU) to the network adapter (NIC). This reduces CPU load and improves the overall efficiency of data transmission, especially in high-throughput environments.

The User Datagram Protocol (UDP)

The User Datagram Protocol (UDP) is a connectionless protocol that operates at the Transport Layer (Layer 4) of the OSI model and uses the concept of ports like TCP. Unlike its counterpart, however, UDP prioritizes speed and efficiency over reliability. It is often used for applications where low latency is crucial, such as video streaming, online gaming, voice over IP (VoIP), and DNS queries.

UDP Features

  • "Connectionless" Communication:

    • UDP does not establish a connection before transmitting data, allowing for faster communication.

  • Message-Oriented:

    • Data is sent in discrete packets, known as datagrams, without guaranteeing delivery, order, or integrity. These functions are handled by the sending/recieving applications instead.

  • Minimal Overhead:

    • UDP has a minimal header (just 8 bytes), making it lightweight and efficient.

  • Reliability Managed by Applications:

    • Applications needing reliability must handle error detection and retransmission, as UDP does not provide these.

Despite its lack of built-in reliability mechanisms, UDP's simplicity makes it ideal for scenarios where speed outweighs the need for guaranteed delivery.

Common TCP and UDP Ports

Here’s a list of some of the most common ports and protocols you should know:

Port(s)

Service/Protocol

Transport Protocol

Description

20, 21

FTP

TCP

File Transfer Protocol for data transfer (20) and control (21).

22

SSH

TCP

Secure Shell for encrypted remote access.

23

Telnet

TCP

Unencrypted text-based communication.

25

SMTP

TCP

Simple Mail Transfer Protocol for sending emails.

53

DNS

TCP/UDP

TCP: Zone transfer (server to server). UDP: Client to server and back.

67

DHCP Server

UDP

Dynamic Host Configuration Protocol for server-side IP assignment.

68

DHCP Client

UDP

Dynamic Host Configuration Protocol for client-side IP assignment.

69

TFTP

UDP

Trivial File Transfer Protocol for simple file transfers.

79

Finger Service

TCP

Provides user information.

80

HTTP

TCP

Hypertext Transfer Protocol for web communication.

88

Kerberos (Auth)

UDP (primary), TCP

Authentication protocol.

109

POPv2

TCP

Older version of Post Office Protocol.

110

POPv3

TCP

Post Office Protocol for retrieving emails.

119

NNTP

TCP

Network News Transfer Protocol for Usenet articles.

123

NTP

UDP

Network Time Protocol for clock synchronization.

137, 138, 139

NetBIOS

UDP/TCP

Name service (137 UDP), Datagram service (138), Session service (139 TCP).

143

IMAP

TCP

Internet Message Access Protocol for retrieving mail from servers.

161, 162

SNMP

UDP/TCP

Simple Network Management Protocol for monitoring and management.

179

BGP

TCP

Maintains large routing tables and processes traffic.

194

IRC

TCP

Internet Relay Chat for real-time messaging.

389

LDAP

TCP

Allows access to maintaining and accessing distributed directory information.

443

HTTPS

TCP

Secure HTTP over SSL/TLS.

636

LDAPS

TCP

Secure LDAP over SSL/TLS.

749

Kerberos (Admin Server)

TCP

Admin Server for Kerberos authentication protocol.

989, 990

FTPS

TCP/UDP

Secure FTP over SSL/TLS.

993

TLS-Wrapped IMAP

TCP

Secure IMAP over SSL/TLS.

Complete List of known ports: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Port Scanning

A port scanner sends TCP and/or UDP packets to query ports about their current status. The 3 types of responses are:

  • Filtered, Dropped, Blocked: No response.

  • Closed, Not Listening: The computer responded that the port is not in use or unavailable at this time.

  • Open, Accepted: The computer responded and is asking if there is anything it can do for you.

On a UDP scan, an ICMP unreachable response means the port is closed or filtered.

Common Port Scanners

Nmap (Network Mapper): Nmap is one of the most widely used open-source tools for network discovery and security auditing. It supports a variety of scan types and can detect open ports, services, operating systems, and vulnerabilities. Nmap is highly customizable and can be used for both simple and advanced scanning tasks. By understanding the different scan types and their purposes, you can effectively use tools like Nmap to gather information about a network and its devices while minimizing detection and disruption.

Features of Nmap:

  • Detects open, closed, and filtered ports.

  • Identifies services running on ports.

  • Performs OS detection and version detection.

  • Supports scripting for vulnerability scanning and advanced enumeration.

Other Common Port Scanners:

  • Masscan: Known for its speed, Masscan can scan the entire internet in minutes. It is less feature-rich than Nmap but excels in high-speed scanning.

  • Zenmap: A graphical user interface (GUI) for Nmap, making it easier for beginners to use.

  • Unicornscan: A tool designed for large-scale network reconnaissance and information gathering.

  • Netcat: A versatile networking tool that can also be used for port scanning.

  • Angry IP Scanner: A lightweight and fast scanner for scanning IP addresses and ports.

Types of Scans

Scan Type

Description

Response for Open Port

Response for Closed Port

SYN Scan

Sends SYN packets to initiate a connection (half-open scan).

SYN-ACK

RST

TCP Connect Scan

Completes the full TCP handshake. Louder and more likely to be logged.

SYN-ACK, then completes connection

RST

UDP Scan

Sends UDP packets to target ports. Slower than TCP scans.

No response or application-specific response

ICMP Port Unreachable

NULL Scan

Sends packets with no flags set.

No response

RST

FIN Scan

Sends packets with the FIN flag set.

No response

RST

Xmas Scan

Sends packets with FIN, URG, and PSH flags set.

No response

RST

ACK Scan

Used to map firewall rulesets by sending ACK packets.

RST

RST

Window Scan

Exploits TCP window size to differentiate open and closed ports.

Varies based on TCP window size

Varies based on TCP window size

Ping Scan

Sends ICMP Echo Requests to determine if a host is alive.

ICMP Echo Reply

No response

Idle Scan

Uses a third-party zombie host to perform a stealthy scan.

SYN-ACK

RST

Version Scan

Attempts to determine the version of the service running on an open port.

Service version information

No response

OS Detection

Uses various techniques to identify the operating system of the target.

TTL, TCP Header info, etc. (Responses from up to 16 TCP, UDP, and ICMP probes)

No response

Additional Notes on Scans

  • SYN Scan: Also called a "TCP Half-Open Scan," it is fast and stealthy because it does not complete the TCP handshake.

  • TCP Connect Scan: Requires less privilege than a SYN scan but is noisier and more likely to be logged.

  • UDP Scan: Works best when a specific payload is sent to the target, such as a DNS request to port 53.

  • NULL, FIN, and Xmas Scans: These scans are often used to bypass firewalls and intrusion detection systems (IDS) because they do not use SYN packets.

  • ACK Scan: Useful for determining firewall rules and whether a port is filtered or unfiltered.

  • Idle Scan: A stealthy scan that uses a third-party host to obscure the source of the scan.

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows users to automate a wide variety of networking tasks. NSE scripts are written in Lua and can perform tasks such as vulnerability detection, network discovery, and service enumeration. These scripts extend Nmap's capabilities, making it a versatile tool for network administrators and security professionals.

Key Features of NSE:

  • Extensibility: Users can write custom scripts to meet specific needs.

  • Categories: Scripts are organized into categories such as auth, vuln, discovery, and default.

  • Automation: Automates repetitive tasks, saving time and effort.

  • Integration: Works seamlessly with other Nmap features.

Common NSE Script Categories:

  • Auth: Scripts related to authentication mechanisms.

  • Discovery: Scripts for network discovery and information gathering.

  • Vuln: Scripts for detecting vulnerabilities in services and applications.

  • Default: Scripts that run with the -sC option, providing general-purpose functionality.

  • Intrusive: Scripts that may disrupt the target system or network.

Commonly Used NSE Scripts:

Script Name

Description

http-title

Retrieves the title of a web page.

ftp-anon

Checks for anonymous FTP login.

ssh-brute

Performs brute-force password guessing on SSH servers.

ssl-cert

Retrieves and displays SSL certificate information.

dns-brute

Performs DNS brute-forcing to find subdomains.

vuln/heartbleed

Checks for the Heartbleed vulnerability in SSL/TLS.

smb-os-discovery

Detects the operating system of SMB servers.

mysql-info

Gathers information about a MySQL database server.

snmp-brute

Attempts to guess SNMP community strings.

http-enum

Enumerates directories and files on a web server.

Example NSE Usage:

  • Run a specific script:

    nmap --script=http-title $target
  • Run multiple scripts:

    nmap --script="ftp-anon,ssl-cert" $target
  • Run all scripts in a category:

    nmap --script=vuln $target

For a full list of available scripts, refer to the Nmap script directory or use the --script-help option to get detailed information about a specific script.

Example Nmap Commands

Scan Type

Description

Example Command

Basic SYN Scan

Performs a stealthy TCP SYN scan to detect open ports.

UDP Scan

Scans for open UDP ports.

Version Detection

Detects the version of services running on open ports.

OS Detection

Identifies the operating system of the target.

Aggressive Scan

Combines OS detection, version detection, script scanning, and traceroute.

Scan Specific Ports

Scans specific ports on the target.

Scan Entire Subnet

Scans all devices in a subnet.

Ping Scan

Checks which hosts are online without scanning ports.

Scan with Scripts

Runs specific NSE (Nmap Scripting Engine) scripts for vulnerability detection.

Scan All Ports

Scans all 65,535 TCP ports.

Scan with Timing

Adjusts the timing template for faster or slower scans.

Scan for Firewall

Detects if a firewall is present and its rules.

Scan for Top Ports

Scans the top 1000 most common ports.

Scan for IPv6

Scans an IPv6 address.

Traceroute

Maps the network path to the target.

Save Output

Saves the scan results to a file.

Scan Multiple Targets

Scans multiple targets at once.

Exclude Targets

Excludes specific hosts from the scan.

Scan with Decoys

Uses decoy IPs to obscure the source of the scan.

Idle Scan

Performs a stealthy scan using a zombie host.

Scan for Vulnerabilities

Uses vulnerability detection NSE scripts.


Layer 5: Session Layer

The Session Layer is the fifth layer of the OSI model, positioned between the Transport Layer (Layer 4) and the Presentation Layer (Layer 6). Its primary role is to manage and control communication sessions between applications. A session refers to a semi-permanent dialogue or connection established between two devices or processes.

Key Functions of the Session Layer

  • Session Establishment:

    • Sets up the parameters and state for communication between devices.

    • Prepares both ends of the session for data exchange.

  • Session Maintenance:

    • Ensures the session remains stable and consistent during data transfer.

    • Manages session-level agreements and maintains session state.

  • Session Termination:

    • Properly closes sessions, ensuring all data is transmitted and resources are released.

  • Synchronization:

    • Implements synchronization points (checkpoints) in the data stream.

    • These checkpoints allow recovery from disruptions, enabling the session to resume from the last checkpoint rather than starting over.

  • Dialog Control:

    • Manages the dialog between processes, supporting both half-duplex (one direction at a time) and full-duplex (simultaneous two-way communication) modes.

Protocols Associated with the Session Layer

While the Session Layer does not have many dedicated protocols, it interacts with higher-layer protocols and services. Examples include:

  • NetBIOS: Provides session-level services for applications in Windows environments.

  • RPC (Remote Procedure Call): Facilitates inter-process communication across networks.

  • SQL: Manages database sessions for querying and data manipulation.

Circuit-Level Firewalls and the Session Layer

Circuit-level firewalls operate at the Session Layer (Layer 5) of the OSI model, where they monitor and manage communication sessions between devices. These firewalls focus on the setup and teardown of TCP or UDP connections, ensuring that only valid and authorized sessions are established. By inspecting the handshaking processes, circuit-level firewalls provide a layer of protection for network communication without analyzing individual data packets. Circuit-level firewalls are commonly used to provide session-level protection in enterprise networks, especially in scenarios where detailed packet inspection is unnecessary.

How Circuit-Level Firewalls Work

  • Monitoring Handshakes:

    • Circuit-level firewalls examine the three-way handshake in TCP connections or equivalent session initiation processes in UDP.

    • They allow or block connections based on session rules, ensuring that the handshake follows protocol standards.

  • Session Tracking:

    • Once a session is established, the firewall tracks the state of the connection.

    • It ensures the session remains valid and terminates unauthorized or malformed sessions.

  • Dynamic Port Allocation:

    • Circuit-level firewalls dynamically assign ports during session establishment, ensuring secure communication paths.

  • Protocol Independence:

    • They are protocol-agnostic and do not inspect the payload of packets, making them lightweight and efficient.

Advantages

  • Low Overhead: They are faster than packet-inspecting firewalls since they focus on sessions rather than individual packets.

  • Privacy-Friendly: They do not analyze the content of communications, reducing concerns about sensitive data exposure.

  • Simplicity: Ideal for protecting internal networks from unauthorized external access.


Layer 6: Presentation Layer

The Presentation Layer is the sixth layer of the OSI model, sitting between the Session Layer (Layer 5) and the Application Layer (Layer 7). Its primary role is to act as a translator, ensuring that data sent from one system is understandable by another, regardless of differences in data formats or encoding. The Presentation Layer plays a crucial role in ensuring that data is properly formatted, compressed, and secured for seamless communication between systems.

Key Functions of the Presentation Layer

  • Data Translation:

    • Converts data into a standard format that can be understood by the receiving system.

    • For example, it translates between different character encoding schemes like ASCII and EBCDIC.

  • Data Compression:

    • Reduces the size of data to optimize transmission speed and efficiency.

    • Commonly used in multimedia applications to compress images, audio, and video.

  • Data Encryption and Decryption:

    • Ensures secure communication by encrypting data before transmission and decrypting it upon receipt.

    • Protocols like SSL/TLS operate at this layer to provide secure communication.

  • Serialization:

    • Converts complex data structures into a format suitable for transmission, such as JSON or XML.

    • This process ensures compatibility between different systems.

Examples of Presentation Layer Protocols

  • SSL/TLS: Provides encryption for secure communication (e.g., HTTPS).

  • JPEG, GIF, PNG: Formats for compressing and transmitting images.

  • MPEG, MP3: Formats for compressing and transmitting audio and video.

  • ASCII, EBCDIC: Character encoding standards for text representation.


Encryption and Cryptography Fundamentals

Cryptography is the art of "writing in secret," ensuring that information is protected from unauthorized access or tampering. It involves techniques like encryption, hashing, and digital signatures to secure data. Encryption and cryptography are essential components of secure communication in modern networks. It fits within the Presentation Layer (Layer 6) and other closely-related layers of the OSI model and plays a crucial role in data encryption, decryption, and ensuring secure communication between systems.

Key Concepts

  • Plaintext: Plaintext refers to the original, readable data or message that needs to be protected. It is the input for encryption algorithms and is transformed into ciphertext to ensure confidentiality. Examples include emails, passwords, or any sensitive information before encryption.

  • Ciphertext: Ciphertext is the result of encrypting plaintext using an encryption algorithm and a key. It is unreadable to unauthorized parties and can only be converted back to plaintext through decryption using the appropriate key.

  • Hash Values: A hash value is a fixed-length string of characters generated by a hash function from input data of any size. Hashing is a one-way process, meaning it cannot be reversed to retrieve the original data. Hash values are commonly used to verify data integrity, ensuring that the data has not been altered during transmission or storage. Examples of hash functions include MD5, SHA-1, and SHA-256.

  • Public Key: In asymmetric cryptography, the public key is one half of a key pair and is used for encrypting data or verifying digital signatures. It is shared openly and does not need to be kept secret. Public keys are often distributed via digital certificates to ensure authenticity.

  • Private Key: The private key is the other half of the key pair in asymmetric cryptography and must be kept confidential. It is used for decrypting data encrypted with the corresponding public key or for creating digital signatures. The security of the private key is critical to the overall security of the encryption system.

  • Session Key: A session key is a temporary, symmetric key used to encrypt and decrypt data during a single communication session. It is typically generated for each session to ensure that even if one session key is compromised, other sessions remain secure. Session keys are often exchanged securely using asymmetric encryption during the initial handshake of a secure communication protocol, such as TLS.

  • Digital Signature: A digital signature is a cryptographic technique used to verify the authenticity and integrity of a message or document. It is created using the sender's private key and can be verified by anyone with the sender's public key. Digital signatures ensure that the message has not been tampered with and confirm the sender's identity.

  • Encryption Algorithm: An encryption algorithm is a mathematical procedure used to transform plaintext into ciphertext and vice versa. Examples include symmetric algorithms like AES (Advanced Encryption Standard) and asymmetric algorithms like RSA (Rivest-Shamir-Adleman).

  • Key Exchange: Key exchange is the process of securely sharing cryptographic keys between parties to enable encrypted communication. Common methods include the Diffie-Hellman key exchange and the use of public-key cryptography to exchange session keys.

  • Initialization Vector (IV): An initialization vector is a random or pseudo-random value used in conjunction with a key to ensure that identical plaintexts encrypt to different ciphertexts. It adds an additional layer of security by preventing patterns in the ciphertext.

  • Certificate Authority (CA): A certificate authority is a trusted entity that issues digital certificates to verify the ownership of public keys. These certificates are used to establish trust in secure communications, such as HTTPS.

  • Salt: Salt is a random value added to plaintext before hashing to ensure that identical inputs produce different hash values. It is commonly used to secure passwords against dictionary and rainbow table attacks.

  • Key Length: Key length refers to the size of the encryption key, typically measured in bits. Longer keys provide stronger security but may require more computational resources. For example, AES supports key lengths of 128, 192, and 256 bits.

  • Elliptic Curve Cryptography (ECC): ECC is a type of asymmetric cryptography that uses elliptic curves to provide strong security with smaller key sizes compared to traditional methods like RSA. It is widely used in modern secure communication protocols.

  • Entropy: Entropy in cryptography refers to the randomness or unpredictability of a key or data. High entropy ensures that keys are difficult to guess or brute-force, enhancing the security of the encryption system.

  • Encryption Key Lifecycle: Encryption keys go through several stages throughout their lifetime:

    • Key Generation: Creating the encryption key.

    • Pre-Activation: Preparing the key for use.

    • Activation: The key is actively used for encryption/decryption.

    • Expiration: The key is retired after its validity period.

    • Post-Activation: The key is archived for reference.

    • Escrow: Secure storage of keys for recovery purposes.

    • Destruction: Securely deleting the key to prevent misuse.

Hash Functions

Hash functions accept plaintext data of any length and produce a fixed-length hash. They are one-way functions, meaning they cannot be reversed to retrieve the original data.

  • Hash Usage in Applications:

    • Verifying File Integrity:

      • Hashes are used to ensure that files have not been tampered with or corrupted during downloads or backups. By comparing the hash value of the downloaded file with the hash provided by the source, users can verify the file's integrity.

    • Storing Hashed Passwords:

      • Passwords are stored in databases as hashed values rather than plaintext. This ensures that even if the database is compromised, the original passwords are not directly exposed. Salting is often used alongside hashing to further enhance security.

    • Generating Digital Signatures:

      • Hashes are used in digital signatures to authenticate the sender of a message and ensure the message's integrity. The hash of the message (message digest) is encrypted with the sender's private key, and the recipient can verify it using the sender's public key.

    • Data Deduplication:

      • Hashes are used to identify duplicate data in storage systems. By comparing hash values of data blocks, systems can avoid storing redundant copies.

    • Blockchain Technology:

      • Cryptographic hashes are fundamental to blockchain, ensuring data integrity and linking blocks securely in the chain.

  • Key Properties of Cryptographic Hash Functions:

    • Deterministic: The same input always produces the same hash output.

    • Fast Computation: Hash functions should be computationally efficient.

    • Pre-image Resistance: It should be computationally infeasible to reverse a hash to find the original input.

    • Collision Resistance: It should be computationally infeasible to find two different inputs that produce the same hash.

    • Avalanche Effect: A small change in the input should produce a significantly different hash output.

  • Practical Considerations:

    • Always use modern, secure hash functions for cryptographic purposes.

    • Avoid using hashes like MD5 or SHA-1 for sensitive applications.

    • Use salting and key stretching techniques (e.g., PBKDF2, Argon2) when hashing passwords to defend against brute-force and rainbow table attacks.

Hash Collisions

A hash collision occurs when two different inputs produce the same hash value. Collisions undermine the reliability of a hash function, especially in applications like digital signatures or file integrity checks.

Modern cryptographic hash functions, such as SHA-256 and SHA-3, are designed to minimize the likelihood of collisions. However, older algorithms like MD5 and SHA-1 are vulnerable to collision attacks and are no longer considered secure for cryptographic purposes.

The Birthday Paradox

The birthday paradox explains why collisions in hash functions can occur more frequently than intuition suggests. In a hash function with n possible outputs, the probability of a collision becomes significant after approximately √n inputs. For example, in a 128-bit hash function, there are 2^128 possible outputs. However, a collision is likely to occur after only about 2^64 inputs due to the birthday paradox. This principle highlights the importance of using hash functions with sufficiently large output sizes to reduce the risk of collisions in practical applications.

Common Hash Algorithms

Algorithm
Output Size (bits)
Speed
Security Status
Common Use Cases

MD5

128

Fast

Insecure (collision attacks)

File integrity checks (non-critical), legacy systems

SHA-1

160

Moderate

Insecure (collision attacks)

Legacy applications, digital signatures (deprecated)

SHA-256

256

Moderate

Secure

Digital signatures, certificates, blockchain

SHA-3

Variable (224, 256, 384, 512)

Moderate

Secure

Cryptographic applications, post-quantum security

SHA-512

512

Slower

Secure

High-security applications, password hashing

Blake2

Variable (up to 512)

Very Fast

Secure

General-purpose hashing, cryptographic applications

RIPEMD-160

160

Moderate

Secure (but less common)

Cryptographic applications, digital signatures

Whirlpool

512

Slower

Secure

High-security applications, archival systems

Argon2

Variable

Slower (memory-intensive)

Secure

Password hashing, key derivation

Tiger

192

Fast

Secure (less common)

Data integrity checks, cryptographic applications

HMAC

Variable

Moderate

Secure

Message authentication in networking protocols (e.g., TLS, IPsec)

PBKDF2

Variable

Slower

Secure

Password hashing, key derivation

Skein

Variable (up to 1024)

Moderate

Secure

Cryptographic applications, digital signatures

Poly1305

128

Very Fast

Secure

Message authentication in secure communication protocols (e.g., TLS, QUIC)

  • Note: Algorithms like MD5 and SHA-1 are no longer recommended for cryptographic purposes due to vulnerabilities to collision attacks. Modern applications should use SHA-2, SHA-3, or other secure algorithms like Blake2, Argon2, or HMAC for networking-related cryptographic needs.

Symmetric Encryption

Symmetric encryption uses a single key for both encryption and decryption. The same key must be securely shared between the communicating parties to ensure confidentiality.

  • Advantages:

    • Faster and more efficient than asymmetric encryption due to simpler mathematical operations.

    • Requires less computational power, making it suitable for resource-constrained environments such as IoT devices.

    • Provides high throughput for encrypting large volumes of data.

  • Disadvantages:

    • Key distribution can be challenging, as the same key must be securely shared between parties.

    • If the key is compromised, all encrypted data is at risk.

    • Does not provide non-repudiation, as the same key is used for both encryption and decryption.

  • Applications:

    • Data in Transit:

      • Securing network traffic in VPNs, ensuring confidentiality and integrity.

      • Encrypting communication in protocols like HTTPS (in combination with asymmetric encryption for key exchange).

    • Data at Rest:

      • Encrypting sensitive files stored on disk to prevent unauthorized access.

      • Used in full-disk encryption tools like BitLocker and VeraCrypt.

    • Messaging and Communication:

      • Protecting messages in secure communication apps like Signal and WhatsApp.

      • Ensuring real-time encryption for voice and video calls.

    • Database Encryption:

      • Encrypting sensitive data stored in databases to comply with regulatory requirements.

      • Often used in conjunction with key management systems.

  • Key Management:

    • Securely generating, storing, and distributing keys is critical for symmetric encryption.

    • Key management systems (KMS) are often used to automate and secure the lifecycle of encryption keys.

    • Techniques like key rotation and key expiration help mitigate risks associated with key compromise.

  • Best Practices:

    • Always use modern, secure algorithms like AES or ChaCha20.

    • Avoid using deprecated algorithms like DES, 3DES, or RC4.

    • Implement strong key management policies to ensure the secure handling of encryption keys.

    • Use unique keys for different encryption contexts to minimize the impact of a key compromise.

Symmetric encryption remains a cornerstone of modern cryptography, offering a balance of speed and security for a wide range of applications. However, its reliance on secure key distribution highlights the importance of combining it with robust key management practices.

Common Symmetric Encryption Algorithms

Algorithm
Key Size (bits)
Block Size (bits)
Security Status
Common Use Cases

AES

128, 192, 256

128

Secure

Data encryption, VPNs, file encryption

DES

56

64

Insecure

Legacy systems

3DES

112, 168

64

Marginally Secure

Legacy systems, compatibility requirements

Blowfish

32–448

64

Secure

Password hashing, file encryption

Twofish

128, 192, 256

128

Secure

File encryption, disk encryption

RC4

40–2048 (variable)

Stream cipher

Insecure

Legacy protocols (e.g., WEP, SSL)

ChaCha20

256

Stream cipher

Secure

Secure communication protocols (e.g., TLS)

IDEA

128

64

Secure (less common)

Email encryption, PGP

Camellia

128, 192, 256

128

Secure

Alternative to AES in cryptographic systems

  • Deprecated Algorithms:

    • DES (Data Encryption Standard):

      • Uses a 56-bit key, which is now considered insecure due to brute-force vulnerabilities.

    • 3DES (Triple DES):

      • An improvement over DES but still vulnerable to certain attacks and slower compared to modern algorithms.

    • RC4:

      • A stream cipher that is no longer recommended due to known vulnerabilities.

Asymmetric Encryption

Asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. These keys are mathematically related but cannot be derived from one another. This approach eliminates the need for securely sharing a single key and enables secure communication between parties who have never met. Asymmetric encryption is a cornerstone of modern cryptography, enabling secure communication, authentication, and data integrity across a wide range of applications. Its combination with symmetric encryption in hybrid systems ensures both security and performance.

  • Advantages:

    • Eliminates the need to securely share a single key.

    • Enables secure communication between parties who have never met.

    • Provides non-repudiation through digital signatures, ensuring that the sender cannot deny sending a message.

    • Allows for secure key exchange in combination with symmetric encryption.

  • Disadvantages:

    • Slower than symmetric encryption due to more complex mathematical operations.

    • Requires more computational resources, which can be a limitation for resource-constrained devices.

    • Not suitable for encrypting large amounts of data due to performance constraints.

  • Usage in Applications:

    • Secure Key Exchange:

      • Used in protocols like TLS to securely exchange session keys for symmetric encryption.

    • Digital Signatures:

      • Verifies the authenticity and integrity of documents, emails, or software.

      • Ensures that the message has not been tampered with and confirms the sender's identity.

    • Email Encryption:

      • Standards like PGP (Pretty Good Privacy) and S/MIME use asymmetric encryption to secure email communication.

    • Authentication:

      • Used in systems like SSH to authenticate users and devices.

    • Blockchain Technology:

      • Ensures the integrity and authenticity of transactions in blockchain networks.

    • Certificate Authorities (CAs):

      • Asymmetric encryption is the foundation of Public Key Infrastructure (PKI), enabling secure HTTPS connections.

  • Key Management:

    • Public keys can be freely shared, but private keys must be kept secure.

    • Digital certificates issued by trusted Certificate Authorities (CAs) are used to verify the authenticity of public keys.

    • Key rotation and revocation mechanisms are essential to maintain security.

  • Best Practices:

    • Use modern algorithms like ECC or RSA with sufficiently large key sizes (e.g., 2048 bits or higher for RSA).

    • Avoid deprecated algorithms like 1024-bit RSA or older implementations of Diffie-Hellman.

    • Regularly update and rotate keys to minimize the risk of compromise.

    • Use trusted Certificate Authorities (CAs) to manage and verify public keys.

Common Asymmetric Encryption Algorithms

Algorithm
Key Size (bits)
Security Status
Common Use Cases

RSA

1024, 2048, 3072, 4096

Secure (2048+ recommended)

Digital signatures, key exchange, certificates

ECC

160–521

Secure

Mobile devices, IoT, blockchain, TLS

DSA

1024, 2048, 3072

Secure (2048+ recommended)

Digital signatures

ElGamal

Variable

Secure

Key exchange, encryption

Diffie-Hellman

Variable

Secure (with large key sizes)

Key exchange

EdDSA

256, 448

Secure

Digital signatures, modern cryptographic systems

Paillier

Variable

Secure (less common)

Homomorphic encryption

NTRU

Variable

Secure (post-quantum)

Post-quantum cryptography

  • Note: RSA and ECC are the most widely used asymmetric algorithms. ECC is preferred for resource-constrained environments due to its smaller key sizes and faster computations. RSA remains popular for legacy systems and applications.

Public Key Infrastructure (PKI)

  • Definition: PKI is a framework for managing digital certificates and public-key encryption to enable secure communication.

  • Components:

    • Certification Authority (CA): A trusted entity that issues and verifies digital certificates.

    • Registration Authority (RA): Handles the verification of entities requesting certificates.

    • Digital Certificates: Bind public keys to entities, ensuring their authenticity.

    • Certificate Revocation List (CRL): A list of certificates that have been revoked before their expiration date.

  • Applications:

    • Enabling HTTPS for secure websites.

    • Managing digital signatures for documents and software.

    • Securing email communication using S/MIME.

    • Authenticating users and devices in enterprise environments.

  • Benefits:

    • Provides a scalable and standardized approach to managing encryption keys.

    • Enhances trust in online transactions and communications.

    • Supports compliance with security standards and regulations.

Common Encryption Tools and Protocols

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a network. They are widely used to protect sensitive data and ensure privacy and integrity in online communications.

How SSL/TLS Works

  1. Handshake Process:

  • The handshake begins with the client and server exchanging information about supported cryptographic algorithms and protocols.

  • The server provides its digital certificate, which contains its public key and is signed by a trusted Certificate Authority (CA).

  • The client verifies the server's certificate to ensure its authenticity.

  • A secure session key is established using asymmetric encryption (e.g., RSA or Diffie-Hellman).

  • Once the session key is exchanged, symmetric encryption (e.g., AES or ChaCha20) is used for the actual data transfer to ensure efficiency.

  1. Session Establishment:

  • The session key is unique to each connection and is used to encrypt and decrypt data during the session.

  • The use of symmetric encryption ensures high performance and low computational overhead.

  1. Data Integrity:

  • Message Authentication Codes (MACs) are used to verify the integrity of transmitted data.

  • This ensures that any tampering or corruption during transmission is detected.

Key Features of SSL/TLS

  • Authentication:

    • Ensures the identity of the server using digital certificates issued by trusted Certificate Authorities (CAs).

    • Optionally, client authentication can also be performed using client certificates.

  • Encryption:

    • Protects data from being intercepted or read by unauthorized parties during transmission.

    • Supports a variety of encryption algorithms, including RSA, ECC, AES, and ChaCha20.

  • Integrity:

    • Ensures that data is not altered during transmission using cryptographic hash functions like SHA-256.

  • Forward Secrecy:

    • Modern implementations of TLS (e.g., TLS 1.2 and TLS 1.3) support forward secrecy, ensuring that even if the private key is compromised, past communications remain secure.

Applications of SSL/TLS

  • Web Traffic Security:

    • Used in HTTPS to secure websites and protect user data such as login credentials, payment information, and personal details.

  • Email Encryption:

    • Secures email communications using protocols like SMTPS, IMAPS, and POP3S.

  • VPN Connections:

    • Protects data transmitted over Virtual Private Networks (VPNs) by encrypting the communication between the client and the VPN server.

  • File Transfers:

    • Secures file transfers using protocols like FTPS and SFTP.

  • VoIP and Messaging:

    • Encrypts voice and video calls, as well as instant messaging, to ensure privacy.

  • IoT Devices:

    • Provides secure communication for Internet of Things (IoT) devices, protecting them from unauthorized access and data breaches.

TLS Versions

  • TLS 1.0:

    • Introduced as a replacement for SSL 3.0 but is now deprecated due to security vulnerabilities.

  • TLS 1.1:

    • Improved upon TLS 1.0 but is also deprecated.

  • TLS 1.2:

    • Widely used and considered secure, supporting modern cryptographic algorithms and forward secrecy.

  • TLS 1.3:

    • The latest version, offering improved performance, stronger security, and simplified handshake processes by removing outdated features.

Common SSL/TLS Vulnerabilities

  • Man-in-the-Middle (MITM) Attacks:

    • Occur when an attacker intercepts and manipulates communication between the client and server.

    • Mitigated by using strong encryption and certificate validation.

  • Certificate Spoofing:

    • Involves the use of fake certificates to impersonate a trusted server.

    • Prevented by verifying certificates against trusted Certificate Authorities.

  • Protocol Downgrade Attacks:

    • Exploit older, less secure versions of SSL/TLS.

    • Mitigated by disabling deprecated protocols like SSL 3.0 and TLS 1.0.

Best Practices for SSL/TLS

  • Use the latest version of TLS (preferably TLS 1.3) to ensure strong security.

  • Configure servers to use strong cipher suites and disable weak ones.

  • Regularly update and renew digital certificates to maintain trust.

  • Implement HTTP Strict Transport Security (HSTS) to enforce HTTPS connections.

  • Use Certificate Transparency logs to detect and prevent certificate misuse.

GPG (GNU Privacy Guard)

GPG is a free and open-source encryption software that implements the OpenPGP standard. It supports both asymmetric encryption (using a public-private key pair) and symmetric encryption (using a single shared key). GPG is commonly used for securing emails, files, and digital communications by encrypting data and digitally signing messages to ensure authenticity. Its flexibility and open-source nature make it highly customizable and accessible for personal and professional use.

PGP (Pretty Good Privacy)

PGP is an encryption program designed to secure data through encryption and digital signatures. It originally gained popularity for protecting email communications. PGP primarily uses symmetric encryption, which is simpler and faster for encrypting large amounts of data, but it also incorporates asymmetric encryption for key exchange and digital signatures. Now owned by Symantec, PGP is often used in commercial applications, although compatible tools like GPG provide a free alternative.

Both GPG and PGP aim to provide confidentiality, integrity, and authenticity for digital communications, and they can be used together due to their shared OpenPGP standard.

OpenSSL:

OpenSSL is a versatile tool that supports a wide range of cryptographic operations, making it essential for developers, system administrators, and security professionals.

Common uses:

Use Case

Command

Generate private keys

Extract public key from private key

Create a self-signed certificate

Encrypt a file (Symmetric)

Decrypt a file (Symmetric)

Encrypt a file (Asymmetric)

Decrypt a file (Asymmetric)

Sign a file

Verify a signature

Generate a CSR

Convert to PEM format

Convert to DER format

Check certificate details

Test SSL/TLS connections

Generate random string

Create a PKCS#12 file

Verify a certificate chain

Benchmark AES-256-CBC

Decode and inspect JWT tokens

Other Encryption and encoding tools

These tools are essential for encryption, hashing, and encoding tasks, providing a foundation for secure data handling and verification.

  • md5sum:

    • A utility to compute and verify MD5 hash values.

    • Commonly used to check file integrity.

    • Example: md5sum file.txt

  • sha256sum:

    • Similar to md5sum, but computes SHA-256 hash values for stronger security.

    • Example: sha256sum file.txt

  • Base64:

    • Encodes and decodes data in Base64 format (not encryption!).

    • Useful for encoding binary data into text for safe transmission.

    • Example: echo "Hello, World!" | base64

  • GPG (GNU Privacy Guard):

    • A tool for secure communication and data encryption.

    • Supports signing, encrypting, and decrypting files and emails.

    • Example: gpg --encrypt --recipient user@example.com file.txt

  • bcrypt:

    • A password hashing tool designed for secure password storage.

    • Example: echo "password" | bcrypt

  • pbkdf2:

    • A key derivation function used to securely hash passwords.

    • Often implemented in libraries or tools for password management.

  • xxd:

    • A utility to create a hexdump or reverse a hexdump back to binary.

    • Example: xxd -p file.bin

Encryption and its OSI Layer Relationships

  • Layer 4 (Transport): Establishes reliable connections (e.g., TCP handshake).

  • Layer 5 (Session): Manages secure sessions (e.g., TLS handshake).

  • Layer 6 (Presentation): Handles encryption, decryption, and data integrity (e.g., symmetric/asymmetric encryption, hashing).

  • Layer 7 (Application): Manages user-facing security mechanisms (e.g., PKI, digital certificates).

Example: Steps of an HTTPS Connection

  1. TCP Handshake (OSI Layer 4 - Transport):

  • The client and server establish a reliable connection using the TCP three-way handshake (SYN, SYN-ACK, ACK). This ensures that both parties are ready to communicate.

  1. Client → Server: ClientHello (OSI Layer 5 - Session):

  • The client initiates the TLS handshake by sending a ClientHello message. This includes supported TLS versions, cipher suites, and random data for key generation.

  1. Client ← Server: ServerHello + ServerKeyExchange (OSI Layer 5 - Session):

  • The server responds with a ServerHello message, selecting the TLS version and cipher suite. It also sends its digital certificate (containing its public key) to authenticate itself.

  1. Client → Server: ClientKeyExchange (OSI Layer 5 - Session):

  • The client generates a pre-master secret (shared secret) and encrypts it using the server's public key. This ensures that only the server can decrypt it using its private key.

  1. Key Generation and Symmetric Encryption (OSI Layer 6 - Presentation):

  • Both the client and server compute the session key (master key) from the pre-master secret. This session key is used for symmetric encryption, which is faster and more efficient for ongoing communication.

  1. Begin Symmetrically Encrypted Data Transfer (OSI Layer 6 - Presentation):

  • The server and client confirm the encryption parameters and switch to symmetric encryption for the remainder of the session. This ensures secure and efficient data transfer.

Example: Email Encryption and Digital Signatures

Email encryption and digital signatures are essential components of secure communication, ensuring that messages remain confidential, authentic, and tamper-proof. By encrypting a message, the sender ensures that only authorized parties can access the content, protecting it from unauthorized interception or eavesdropping. Below is an expanded explanation of how these mechanisms work and their role in maintaining security.

Encrypting an Email

To encrypt an email, a combination of asymmetric encryption and symmetric encryption is typically used for efficiency and security. This process ensures the confidentiality of the message while leveraging the strengths of both encryption types.

  1. Generate a Symmetric Key:

  • The sender generates a temporary symmetric key (also known as a session key) using a secure algorithm like AES (Advanced Encryption Standard). This key is used to encrypt the email content because symmetric encryption is faster and more efficient for large amounts of data.

  1. Encrypt the Email Content:

  • The email content is encrypted using the symmetric key. This ensures that the message is protected from unauthorized access.

  1. Encrypt the Symmetric Key:

  • The sender uses the recipient's public key (asymmetric encryption) to encrypt the symmetric key. This ensures that only the recipient, who has the corresponding private key, can decrypt the symmetric key.

  1. Send the Encrypted Email:

  • The encrypted email content and the encrypted symmetric key are sent to the recipient.

  1. Decryption by the Recipient:

  • The recipient uses their private key to decrypt the symmetric key.

  • The decrypted symmetric key is then used to decrypt the email content, allowing the recipient to read the message.

Why Use Both Asymmetric and Symmetric Encryption?

  • Asymmetric Encryption: Ensures secure key exchange. The recipient's public key is used to encrypt the symmetric key, guaranteeing that only the recipient can decrypt it with their private key.

  • Symmetric Encryption: Provides efficient encryption for the email content, especially for large messages, as it is computationally faster than asymmetric encryption.

This hybrid approach combines the strengths of both encryption methods, ensuring secure and efficient email communication.

Digital Signatures

Digital signatures rely on asymmetric encryption, which uses a pair of keys.

A digital signature is created by the sender using their private key. This process involves generating a hash of the message and encrypting the hash with the sender's private key. The resulting digital signature is attached to the message.

When the recipient receives the message, they use the sender's public key to decrypt the digital signature and retrieve the hash. The recipient then generates a hash of the received message and compares it to the decrypted hash. If the two hashes match, it confirms that the message has not been tampered with and verifies the sender's identity.

Digital signatures enhance email security by addressing the following key aspects:

  • Authentication: Verifies the sender's identity, ensuring that the email truly originates from the claimed source.

  • Integrity: Confirms that the email content has not been altered during transmission.

  • Non-Repudiation: Prevents the sender from denying that they sent the email, as the digital signature is uniquely tied to their private key.

How Do Digital Signatures Work?

  1. Creating a Digital Signature:

  • The sender generates a hash of the email content using a cryptographic hash function (e.g., SHA-256).

  • The hash is then encrypted with the sender's private key, creating the digital signature.

  • The digital signature is attached to the email along with the original message.

  1. Verifying a Digital Signature:

  • The recipient uses the sender's public key to decrypt the digital signature, retrieving the original hash.

  • The recipient generates a new hash of the received email content.

  • The two hashes are compared:

    • If they match, the email is verified as authentic and unaltered.

    • If they do not match, the email may have been tampered with or the sender's identity is not valid.

By combining digital signatures with encryption and hashing, email communication achieves a robust level of security, protecting sensitive information and ensuring trust between the sender and recipient.


Layer 7: Application Layer

Overview

The Application Layer is the topmost layer of the OSI model and serves as the interface between the end-user and the network. It provides the protocols and services that enable users to interact with networked applications. This layer is responsible for ensuring that communication between applications on different devices is seamless and meaningful.

Key Functions

  • User Interface: Provides the interface for users to interact with applications.

  • Data Formatting: Ensures that data is presented in a format that the application can understand.

  • Application Services: Offers services such as file transfers, email, and remote access.

  • Session Management: Establishes, manages, and terminates sessions between applications.

  • Error Handling: Provides mechanisms for error detection and recovery at the application level.

  • Authentication and Authorization: Ensures secure access to resources and services.

Common Layer 7 Protocols

The Application Layer supports a wide range of protocols, each designed for specific use cases. Below is a table of common Layer 7 protocols and their purposes:

Protocol

Use Case

HTTP

Used for browsing the web and transferring hypertext documents.

HTTPS

Secure version of HTTP, encrypts data for secure web communication.

FTP

Transfers files between systems over a network.

SFTP

Secure version of FTP, uses SSH for encryption.

SMTP

Sends emails from clients to mail servers.

IMAP

Retrieves emails from a mail server, allowing synchronization across devices.

POP3

Retrieves emails from a mail server, typically downloads and deletes them.

DNS

Resolves domain names into IP addresses for network routing.

Telnet

Provides remote access to devices over an unencrypted connection.

SSH

Securely accesses remote devices and systems.

SNMP

Monitors and manages network devices.

LDAP

Accesses and maintains distributed directory information.

RDP

Provides remote desktop access to Windows systems.

NFS

Shares files and directories over a network.

TFTP

Simplified file transfer protocol, often used for bootstrapping devices.

SIP

Manages multimedia communication sessions, such as VoIP calls.

IRC

Facilitates real-time text-based communication (chat).

MQTT

Lightweight messaging protocol for IoT devices.

SOAP

Protocol for exchanging structured information in web services.

REST

Architectural style for designing networked applications using HTTP.

Importance of Layer 7

The Application Layer is critical because it directly interacts with the end-user and ensures that the network delivers the services and data required by applications. It abstracts the complexities of lower layers, allowing users to focus on their tasks without needing to understand the underlying network operations.

Example Protocols

DNS and Name Resolution

DNS (Domain Name System) is a hierarchical and distributed naming system that translates human-readable domain names (e.g., example.com) into IP addresses (e.g., 192.168.1.1) that computers use for network communication. This process is essential for enabling users to access websites, services, and other resources on the internet or private networks without needing to remember numerical IP addresses.

How DNS Works

  1. User Request:

  • A user enters a domain name (e.g., www.example.com) into a web browser or application.

  • The system initiates a query to resolve the domain name into an IP address.

  1. Local Cache Check:

  • The operating system first checks its local DNS cache to see if the domain name has already been resolved recently. If a cached entry exists and is still valid, the IP address is returned immediately.

  1. Hosts File Check:

  • If the local cache does not contain the required information, the system checks the hosts file:

    • Windows: Located at C:\Windows\System32\drivers\etc\hosts.

    • Unix/Linux: Located at /etc/hosts.

  • The hosts file contains static mappings of hostnames to IP addresses. If a match is found, the IP address is returned.

  1. DNS Resolver Query:

  • If the hosts file does not contain the required information, the system queries the configured DNS resolver (usually provided by the network or ISP). The resolver is specified in:

    • Windows: Network adapter settings or via DHCP.

    • Unix/Linux: /etc/resolv.conf.

  1. Recursive DNS Resolution:

  • The DNS resolver performs a recursive query to resolve the domain name:

    • Root Servers: The resolver contacts a root DNS server to find the authoritative server for the top-level domain (TLD) (e.g., .com).

    • TLD Servers: The root server directs the resolver to the TLD server responsible for the domain (e.g., .com TLD server).

    • Authoritative DNS Server: The TLD server directs the resolver to the authoritative DNS server for the specific domain (e.g., example.com).

    • The authoritative server provides the IP address for the requested domain.

  1. Response to Client:

  • The DNS resolver returns the resolved IP address to the client system, which can then use it to establish a connection to the target resource.

  1. Caching:

  • The resolved IP address is cached locally for a specified time (determined by the DNS record's Time-To-Live, or TTL) to speed up future queries.

Name Resolution in Windows

Windows systems follow these steps to resolve hostnames:

  1. Local DNS Cache: Windows checks its local DNS cache for a matching entry. Use the ipconfig /displaydns command to view the cache and ipconfig /flushdns to clear it.

  2. Hosts File: If the cache does not contain the required information, Windows checks the hosts file located at C:\Windows\System32\drivers\etc\hosts.

  3. DNS Resolver: If the hosts file does not resolve the hostname, Windows queries the configured DNS resolver.

  4. NetBIOS Name Resolution (Optional): If DNS fails, Windows may use NetBIOS to resolve the hostname within the local network. This is typically used in legacy environments.

  5. LLMNR (Link-Local Multicast Name Resolution): If NetBIOS fails, Windows may use LLMNR to resolve hostnames on the local subnet.

  6. WINS (Windows Internet Name Service) (Optional): In some environments, Windows may query a WINS server for NetBIOS name resolution.

Name Resolution in Unix/Linux

Unix/Linux systems follow these steps to resolve hostnames:

  1. Local DNS Cache: Some Unix/Linux systems use a caching service like systemd-resolved or nscd (Name Service Cache Daemon) to check for cached entries.

  2. Hosts File: If the cache does not contain the required information, Unix/Linux systems check the hosts file located at /etc/hosts.

  3. DNS Resolver: If the hosts file does not resolve the hostname, the system queries the DNS resolver specified in /etc/resolv.conf.

  4. NSS (Name Service Switch): The system uses the Name Service Switch configuration file (/etc/nsswitch.conf) to determine the order of resolution methods (e.g., hosts, dns, etc.).

  5. Multicast DNS (mDNS) (Optional): If DNS fails, some Unix/Linux systems may use mDNS to resolve hostnames on the local network.

  6. Custom Name Resolution Services: Additional services like LDAP or NIS (Network Information Service) may be used in specific environments.

BIND (Berkeley Internet Name Domain)

  • What is BIND?

    • BIND is the most widely used implementation of DNS on Unix/Linux systems. It provides both recursive and authoritative DNS services.

  • Key Process:

    • The distinct process that a BIND server runs is named (short for "name daemon").

  • Configuration Files:

    • /etc/named.conf: Main configuration file for the BIND server.

    • Zone files: Contain DNS records for specific domains.

  • Common Use Cases:

    • Hosting authoritative DNS zones.

    • Acting as a caching DNS resolver for a network.

Key Files and Tools for Name Resolution

  • Windows:

    • C:\Windows\System32\drivers\etc\hosts: Static hostname-to-IP mappings.

    • ipconfig /displaydns: Displays the local DNS cache.

    • ipconfig /flushdns: Clears the local DNS cache.

  • Unix/Linux:

    • /etc/hosts: Static hostname-to-IP mappings.

    • /etc/resolv.conf: Specifies DNS resolver settings.

    • /etc/nsswitch.conf: Configures the order of name resolution methods.

    • dig or nslookup: Tools for querying DNS servers.

    • host: A simple DNS lookup utility.

HTTP

HTTP (Hypertext Transfer Protocol) is an application-layer protocol used for transmitting hypermedia documents, such as HTML. It is the foundation of data communication on the World Wide Web, enabling the transfer of resources between clients (e.g., web browsers) and servers. By understanding HTTP's structure, headers, versions, and tools, developers and administrators can effectively interact with web servers and troubleshoot issues.

Steps to Connect to a Server Using HTTP

  1. DNS Resolution:

  • The client resolves the domain name (e.g., example.com) to an IP address using DNS.

  1. Establish a Connection:

  • The client establishes a TCP connection to the server on port 80 (default for HTTP) or port 443 (default for HTTPS).

  1. Send an HTTP Request:

  • The client sends an HTTP request to the server. This includes the request method (e.g., GET, POST), the target resource (e.g., /index.html), and optional headers.

  1. Server Processes the Request:

  • The server processes the request, retrieves the requested resource, and prepares an HTTP response.

  1. Receive an HTTP Response:

  • The server sends an HTTP response back to the client. This includes a status code (e.g., 200 OK, 404 Not Found), headers, and optionally the requested resource (e.g., HTML content).

  1. Render or Process the Response:

  • The client processes the response. For example, a web browser renders the HTML content, while a tool like curl displays it in the terminal.

Common HTTP Headers

HTTP headers provide additional information about the request or response. They are key-value pairs sent in the HTTP message.

Header

Description

Host

Specifies the domain name of the server (e.g., Host: example.com).

User-Agent

Identifies the client software making the request (e.g., browser or tool).

Accept

Indicates the media types the client can process (e.g., Accept: text/html).

Content-Type

Specifies the media type of the request or response body (e.g., application/json).

Authorization

Contains credentials for authenticating the client with the server.

Cache-Control

Directs caching behavior (e.g., no-cache, max-age=3600).

Cookie

Sends cookies from the client to the server.

Set-Cookie

Sets cookies in the client's browser.

Referer

Indicates the URL of the referring page.

Location

Used in redirection responses to specify the new URL.

Content-Length

Specifies the size of the request or response body in bytes.

Connection

Controls whether the connection is kept alive or closed (e.g., keep-alive).

HTTP Versions

Version

Description

HTTP/0.9

The first version, designed for simple HTML retrieval.

HTTP/1.0

Introduced headers, status codes, and support for different media types.

HTTP/1.1

Added persistent connections, chunked transfer encoding, and caching improvements.

HTTP/2

Improved performance with multiplexing, header compression, and binary framing.

HTTP/3

Uses QUIC instead of TCP for faster and more reliable connections, reducing latency and head-of-line blocking.

Common Applications to Interact with HTTP

Application

Description

Common Options

Web Browsers

Graphical tools like Chrome, Firefox, and Edge for browsing web pages.

Developer tools (F12) for inspecting HTTP requests and responses.

curl

Command-line tool for transferring data using various protocols, including HTTP.

-X to specify the request method, -H to add headers, -d to send data.

wget

Command-line tool for downloading files over HTTP, HTTPS, and FTP.

-O to specify output file, --mirror for recursive downloads.

Postman

GUI application for testing and debugging HTTP APIs.

Supports creating and saving requests, adding headers, and viewing responses.

httpie

Command-line HTTP client with a user-friendly syntax.

--json to send JSON data, --form to send form data.

REST clients

Tools like Insomnia and Thunder Client for testing RESTful APIs.

Provide GUI interfaces for crafting requests and analyzing responses.

Burp Suite

Security tool for intercepting and analyzing HTTP traffic.

Used for penetration testing and debugging HTTP requests.

Mail Protocols

Email communication relies on several protocols to send and retrieve messages. The most commonly used protocols are SMTP, POP3, and IMAP.

Sending Mail with SMTP

SMTP (Simple Mail Transfer Protocol) is used to transmit email messages from a client to a mail server or between mail servers. The process of sending an email using SMTP involves the following steps:

  1. Establish a Connection:

  • The client connects to the SMTP server on port 25 (default), 587 (submission), or 465 (secure SMTP over SSL).

  1. SMTP Commands:

  • The client and server communicate using a series of commands and responses. Below is an example of the SMTP conversation:

    HELO example.com
    MAIL FROM:<sender@example.com>
    RCPT TO:<recipient@example.com>
    DATA
    Subject: Test Email
    From: sender@example.com
    To: recipient@example.com
    
    This is the body of the email.
    .
    QUIT
  • Explanation of Commands:

    • HELO or EHLO: Identifies the client to the server.

    • MAIL FROM: Specifies the sender's email address.

    • RCPT TO: Specifies the recipient's email address.

    • DATA: Indicates the start of the email content (headers and body). The email ends with a single period (.) on a line by itself.

    • QUIT: Terminates the session.

  1. Headers:

  • Email headers provide metadata about the message. Common headers include:

    • From: The sender's email address.

    • To: The recipient's email address.

    • Subject: The subject of the email.

    • Date: The date and time the email was sent.

    • Message-ID: A unique identifier for the email.

  1. Transmission:

  • The SMTP server processes the email and either delivers it to the recipient's mail server or relays it to another SMTP server.

Retrieving Mail: POP3 vs. IMAP

Both POP3 (Post Office Protocol version 3) and IMAP (Internet Message Access Protocol) are used to retrieve emails from a mail server, but they differ significantly in functionality and use cases.

Feature

POP3

IMAP

Purpose

Downloads emails from the server to the client and optionally deletes them from the server.

Synchronizes emails between the server and client, leaving messages on the server.

Storage

Emails are typically stored locally on the client after download.

Emails remain on the server, allowing access from multiple devices.

Offline Access

Provides offline access to downloaded emails.

Requires an internet connection for most operations, but some clients cache emails.

Folder Management

Does not support server-side folder management.

Supports server-side folder management and organization.

Use Case

Suitable for users who access email from a single device.

Ideal for users who access email from multiple devices.

Key Differences Between POP3 and IMAP

  1. Email Retrieval:

  • POP3 downloads the entire email to the client and optionally deletes it from the server.

  • IMAP allows users to view and manage emails directly on the server without downloading them.

  1. Synchronization:

  • POP3 does not synchronize email states (e.g., read/unread) across devices.

  • IMAP synchronizes email states and folders across all devices accessing the account.

  1. Server Storage:

  • POP3 is designed to minimize server storage by transferring emails to the client.

  • IMAP retains emails on the server, which can lead to higher storage usage.

  1. Flexibility:

  • IMAP provides more advanced features, such as searching emails on the server and partial email retrieval (e.g., headers only).

Summary

  • SMTP is used for sending emails, while POP3 and IMAP are used for retrieving them.

  • POP3 is simple and efficient for single-device access but lacks synchronization features.

  • IMAP is more versatile, supporting multi-device access and server-side email management.


Windows Networking

Windows networking encompasses various network types, protocols, and services that enable communication and resource sharing between devices.

Network Types in Windows

  • Home: A private network where computers are members of a homegroup and not directly connected to the public Internet.

  • Public: A network in public places (e.g., coffee shops, airports) where computers are connected to an external network.

  • Work: A private network where computers are members of a workgroup and not directly connected to the public Internet.

  • Domain: A corporate network where computers are joined to a centralized domain for management and authentication.

  • Workplace: A private network where devices connect over the public Internet (Windows 8.1 only).

Key Windows Networking Protocols

  • NetBIOS/SMB: Used for file and printer sharing on Windows.

  • WINS (Windows Internet Name Service): Maps NetBIOS names to IP addresses, primarily for legacy systems.

  • LLMNR (Link-Local Multicast Name Resolution): Resolves names on a local subnet without requiring DNS or WINS.

  • W32Time (Windows Time Service): Synchronizes time across devices using NTP (Network Time Protocol).

Additional Notes

  • Hosts File: Located at C:\Windows\System32\drivers\etc\hosts, it maps hostnames to IP addresses.

  • Loopback Address: 127.0.0.1 is used to test local network interfaces.

Common Windows Networking Commands

Command

Description

Example

ping

Tests connectivity to a host by sending ICMP Echo Requests.

ping google.com

-t: Sends continuous pings until stopped.

ping -t google.com

-n: Specifies the number of echo requests to send.

ping -n 5 google.com

tracert

Traces the route packets take to a network host.

tracert 8.8.8.8

-d: Prevents DNS resolution for faster results.

tracert -d 8.8.8.8

nslookup

Diagnoses DNS issues and queries DNS records.

nslookup example.com

Queries a specific DNS server.

nslookup example.com 8.8.8.8

ipconfig

Displays or configures IP configuration.

ipconfig /all

Releases the current IP address.

ipconfig /release

Renews the IP address from the DHCP server.

ipconfig /renew

Flushes the DNS resolver cache.

ipconfig /flushdns

netstat

Displays active connections and listening ports.

netstat -anob

Displays statistics by protocol.

netstat -s

Displays the routing table.

netstat -r

route

Displays or modifies the routing table.

route print

Adds a static route.

route add 192.168.1.0 mask 255.255.255.0 192.168.1.1

Deletes a specific route.

route delete 192.168.1.0

net use

Maps a network drive or connects to a shared resource.

net use Z: \\server\share

Disconnects a mapped network drive.

net use Z: /delete

net share

Displays or creates shared resources on the local computer.

net share

Creates a new shared folder.

net share MyShare=C:\SharedFolder

net view

Displays shared resources on a remote computer.

net view \\computername

netsh

Configures and displays network settings.

netsh interface ip show config

Configures a static IP address.

netsh interface ip set address name="Ethernet" static 192.168.1.100 255.255.255.0 192.168.1.1

Enables or disables a network interface.

netsh interface set interface "Ethernet" admin=enabled

arp

Displays or modifies the ARP cache.

arp -a

Deletes a specific ARP entry.

arp -d 192.168.1.1

getmac

Displays the MAC address of network adapters.

getmac

Displays MAC addresses for a remote computer.

getmac /s computername

wmic

Retrieves system and network information.

wmic nic get name,macaddress

Displays IP configuration details.

wmic nicconfig get ipaddress,defaultipgateway

telnet

Connects to a remote host using the Telnet protocol.

telnet 192.168.1.1 23

ftp

Connects to an FTP server for file transfers.

ftp ftp.example.com

Downloads a file from the server.

get file.txt

Uploads a file to the server.

put file.txt

netdom

Manages domain relationships and joins computers to a domain (part of RSAT).

netdom join computername /domain:example.com

Renames a computer in a domain.

netdom renamecomputer oldname /newname:newname /domain:example.com

sc

Manages Windows services.

sc query w32time

Starts a specific service.

sc start w32time

Stops a specific service.

sc stop w32time

powershell

Executes PowerShell commands for advanced networking tasks.

Get-NetIPAddress

Displays all network adapters.

Get-NetAdapter

Configures a static IP address.

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.100 -PrefixLength 24 -DefaultGateway 192.168.1.1

tasklist

Displays a list of running processes, including network-related ones.

tasklist

Displays processes running on a remote computer.

tasklist /s computername

taskkill

Terminates a process by name or PID.

taskkill /im notepad.exe

Forces termination of a process.

taskkill /f /pid 1234

mstsc

Launches the Remote Desktop Connection client.

mstsc /v:192.168.1.1

Specifies screen resolution for the session.

mstsc /v:192.168.1.1 /w:1024 /h:768

powershell Test-Connection

Tests connectivity to a host, similar to ping.

Test-Connection google.com

Sends a specific number of echo requests.

Test-Connection google.com -Count 5

netcfg

Installs or removes network components.

netcfg -s n

Installs a network protocol.

netcfg -c p -i ms_tcpip

certutil

Manages certificates and performs encoding/decoding tasks.

certutil -ping

Displays details of a certificate.

certutil -store My

Ports and Protocols: User Workstation vs. Windows Server

Windows workstations and servers serve different roles in a network, and as such, they utilize distinct sets of ports and protocols. Below is a comparison of the typical ports and protocols used by user workstations and Windows servers.

User Workstation

User workstations are primarily designed for end-user activities such as browsing, email, and accessing shared resources. The ports and protocols used are generally client-focused.

Port(s)

Service/Protocol

Transport Protocol

Description

80, 443

HTTP/HTTPS

TCP

Web browsing and secure web communication.

53

DNS

TCP/UDP

Resolves domain names to IP addresses for browsing and other network activities.

67, 68

DHCP

UDP

Automatically assigns IP addresses to the workstation.

445

SMB

TCP

Accesses shared files and printers on the network.

3389

RDP

TCP

Remote Desktop Protocol for remote access (if enabled).

123

NTP

UDP

Synchronizes the workstation's clock with a time server.

25, 110, 143, 587, 993

SMTP, POP3, IMAP

TCP

Email communication protocols for sending and receiving emails.

137

NetBIOS Name Service

UDP

Resolves NetBIOS names to IP addresses.

138

NetBIOS Datagram Service

UDP

Supports connectionless communication for file and printer sharing.

139

NetBIOS Session Service

TCP

Establishes sessions for file and printer sharing.

Windows Server

Windows servers, particularly those running Active Directory or other enterprise services, require additional ports and protocols to support their roles in authentication, directory services, and resource management.

Port(s)

Service/Protocol

Transport Protocol

Description

53

DNS

TCP/UDP

Provides domain name resolution for the network.

88

Kerberos

TCP/UDP

Authentication protocol for secure identity verification.

389, 636

LDAP/LDAPS

TCP

Directory services for querying and managing Active Directory.

3268, 3269

Global Catalog

TCP

Provides LDAP directory services for forest-wide searches.

135

Microsoft RPC

TCP/UDP

Facilitates remote procedure calls for distributed applications.

445

SMB

TCP

File and printer sharing, as well as Group Policy distribution.

3389

RDP

TCP

Remote Desktop Protocol for server management.

5985, 5986

WinRM

TCP

Windows Remote Management for remote administration.

1812, 1813

RADIUS

UDP

Centralized authentication and accounting for network access.

1701, 500, 4500

L2TP/IPsec

UDP

Secure VPN connections for remote access.

49152-65535

Dynamic RPC Ports

TCP/UDP

Used for Active Directory replication and other RPC-based services.

Key Differences

  • Authentication and Directory Services: Servers use Kerberos, LDAP, and Global Catalog services for authentication and directory management, which are not typically required on workstations.

  • Dynamic RPC Ports: Servers often use a range of dynamic ports for services like Active Directory replication, which are unnecessary on workstations.

  • File and Printer Sharing: While both workstations and servers use SMB, servers are more likely to host shared resources.

  • Remote Management: Servers rely on protocols like WinRM and RDP for administration, whereas workstations may only use RDP occasionally.


Unix Networking

Unix networking encompasses a variety of tools, protocols, and services that enable communication and resource sharing between devices. Below is an overview of key Unix networking concepts, commands, and services.

Key Concepts

Sockets

Sockets are endpoints for communication between two systems or processes. They provide a programming interface for network communication, supporting protocols like TCP, UDP, and raw sockets.

  • Types of Sockets:

    • Stream Sockets (SOCK_STREAM): Used for reliable, connection-oriented communication (e.g., TCP).

    • Datagram Sockets (SOCK_DGRAM): Used for connectionless communication (e.g., UDP).

    • Raw Sockets (SOCK_RAW): Provide direct access to lower-level protocols, often used for custom protocol implementation or packet analysis.

  • Socket API: The socket API provides functions for creating, binding, listening, connecting, sending, and receiving data. Common functions include:

    • socket(): Creates a socket.

    • bind(): Binds a socket to a specific IP address and port.

    • listen(): Marks a socket as passive, ready to accept connections.

    • accept(): Accepts an incoming connection.

    • connect(): Establishes a connection to a remote socket.

    • send() and recv(): Send and receive data over a socket.

xinetd and inetd

inetd (Internet Daemon) and xinetd (Extended Internet Daemon) are super-servers that manage incoming network connections for various services. They act as intermediaries between clients and the actual service daemons, listening for incoming requests and launching the appropriate service when needed. These daemons are particularly useful for managing lightweight or infrequently used services, as they reduce the overhead of running multiple service daemons continuously.

  • Use Case: xinetd and inetd are commonly used to manage services such as FTP, Telnet, TFTP, and others. Instead of running these services as standalone daemons, they are started on demand when a connection request is received, conserving system resources.

  • Key Features:

    • On-Demand Service Management: Services are started only when a request is received, reducing resource usage.

    • Access Control: Provides mechanisms to restrict access based on IP addresses, time of day, or other criteria.

    • Logging: Logs connection attempts and service usage for auditing and troubleshooting.

    • Security: Supports TCP Wrappers for additional access control and security.

  • Configuration:

    • inetd: Configuration is typically stored in /etc/inetd.conf. Each line in the file specifies a service, the protocol it uses, the socket type, and the program to execute.

    • xinetd: Configuration is more flexible and is stored in /etc/xinetd.conf or individual service files in /etc/xinetd.d/. Each service can have its own configuration file with options for access control, logging, and resource limits.

  • Example Configuration for xinetd:

    service ftp
    {
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        log_on_success  += USERID
        log_on_failure  += HOST
        only_from       = 192.168.1.0/24
    }
  • Key Differences Between xinetd and inetd:

    • xinetd offers more advanced features, such as fine-grained access control, resource limits, and better logging capabilities.

    • inetd is simpler and lighter but lacks the flexibility and security features of xinetd.

Key Files in Unix Networking

  • /etc/hosts: Maps hostnames to IP addresses for local name resolution. Example:

    127.0.0.1   localhost
    192.168.1.10   myserver.local
  • /etc/resolv.conf: Specifies DNS servers for name resolution. Example:

    nameserver 8.8.8.8
    nameserver 8.8.4.4
  • /etc/services: Maps service names to port numbers and protocols. Example:

    http    80/tcp
    https   443/tcp
    ftp     21/tcp
  • /etc/inetd.conf or /etc/xinetd.d/: Configuration files for inetd or xinetd, specifying services to manage.

  • /var/log/messages or `/var/log/syslog**: Logs system and network events, useful for troubleshooting.

SSHD

SSHD (Secure Shell Daemon) is the server-side component of the SSH protocol, responsible for handling incoming SSH connections. It provides secure remote login, command execution, and file transfer capabilities over an encrypted channel.

Key Features of SSHD

  • Secure Communication: Encrypts all data transmitted between the client and server.

  • Authentication: Supports multiple authentication methods, including password-based, public key, and multi-factor authentication.

  • Port Forwarding: Allows tunneling of network traffic through the SSH connection.

  • Access Control: Provides mechanisms to restrict access based on user, IP address, or other criteria.

  • Logging: Logs connection attempts and activities for auditing and troubleshooting.

SSHD Configuration

The SSHD configuration file is typically located at /etc/ssh/sshd_config. This file controls the behavior of the SSH server. After making changes to the configuration, restart the SSHD service to apply them.

Common Configuration Options

Option

Description

Port

Specifies the port SSHD listens on (default is 22).

PermitRootLogin

Controls whether the root user can log in via SSH (yes, no, or prohibit-password).

PasswordAuthentication

Enables or disables password-based authentication (yes or no).

PubkeyAuthentication

Enables or disables public key authentication (yes or no).

AllowUsers

Specifies which users are allowed to log in (e.g., AllowUsers user1 user2).

DenyUsers

Specifies which users are denied access.

AllowGroups

Specifies which groups are allowed to log in.

DenyGroups

Specifies which groups are denied access.

MaxAuthTries

Limits the number of authentication attempts per connection.

PermitEmptyPasswords

Controls whether empty passwords are allowed (yes or no).

ClientAliveInterval

Sets the interval (in seconds) for sending keepalive messages to clients.

ClientAliveCountMax

Specifies the number of keepalive messages sent before disconnecting an unresponsive client.

X11Forwarding

Enables or disables X11 forwarding (yes or no).

LogLevel

Sets the verbosity of logging (QUIET, INFO, VERBOSE, DEBUG, etc.).

Banner

Specifies a file to display a custom login banner.

Example SSHD Configuration

# Change the default port to enhance security
Port 2222

# Disable root login for security
PermitRootLogin no

# Enable public key authentication and disable password authentication
PubkeyAuthentication yes
PasswordAuthentication no

# Allow only specific users to log in
AllowUsers admin user1

# Set keepalive interval and maximum count
ClientAliveInterval 300
ClientAliveCountMax 2

# Enable logging at INFO level
LogLevel INFO

# Display a custom login banner
Banner /etc/ssh/ssh-banner

Managing SSHD Service

Use the following commands to manage the SSHD service:

  • Restart SSHD: sudo systemctl restart sshd

  • Check SSHD Status: sudo systemctl status sshd

  • Reload Configuration: sudo systemctl reload sshd

  • Enable SSHD on Boot: sudo systemctl enable sshd

Security Best Practices for SSHD

  • Change the Default Port: Use a non-standard port to reduce automated attacks.

  • Disable Root Login: Prevent direct root access to enhance security.

  • Use Key-Based Authentication: Disable password authentication and use SSH keys.

  • Restrict Access: Use AllowUsers or AllowGroups to limit access to specific users or groups.

  • Enable Firewall Rules: Allow SSH traffic only from trusted IP addresses.

  • Monitor Logs: Regularly check /var/log/auth.log (or equivalent) for suspicious activity.

Unix Networking Best Practices

  • Use firewalls (e.g., iptables or nftables) to secure network traffic.

  • Regularly monitor logs for suspicious activity.

  • Use secure protocols (e.g., SSH, HTTPS) instead of insecure ones (e.g., Telnet, HTTP).

  • Restrict access to services using tools like xinetd or TCP Wrappers.

  • Keep software and services up to date to mitigate vulnerabilities.

Common Unix Networking Commands

Command

Description

Example

ping

Checks if a host is reachable and alive.

-c: Specifies the number of packets to send.

-i: Sets the interval between packets in seconds.

traceroute

Displays the route packets take to a network host.

-n: Prevents DNS resolution for faster results.

-I: Uses ICMP packets instead of UDP.

netstat

Displays network connections, routing tables, and protocol statistics.

-tuln: Shows listening ports with protocol details.

-i: Displays network interface statistics.

ss

Displays detailed socket statistics and network connections.

-s: Shows summary statistics for sockets.

-p: Displays processes using sockets.

arp

Displays or modifies the ARP cache.

-d: Deletes a specific ARP entry.

ip

Configures and displays network interfaces and routing.

link set: Brings an interface up or down.

route add: Adds a new route to the routing table.

ip route

Displays or modifies the routing table.

add default: Sets the default gateway.

del: Removes a specific route.

ip neigh

Displays or modifies the neighbor cache (ARP table).

add: Adds a static ARP entry.

del: Deletes a specific ARP entry.

ifconfig

Configures or displays network interfaces (deprecated in favor of ip).

eth0 up: Brings the interface up.

eth0: Assigns an IP address and netmask to the interface.

host

Resolves domain names to IP addresses.

-t MX: Queries for mail exchange records.

-a: Displays all available DNS records.

dig

Queries DNS servers for domain information.

+short: Displays concise output.

@8.8.8.8: Uses a specific DNS server for the query.

whois

Retrieves domain registration information.

-h: Specifies a specific WHOIS server to query.

route

Displays or modifies the routing table.

add default: Adds a default gateway.

del: Removes a specific network route.

iptables

Configures firewall rules for packet filtering.

-A: Appends a rule to a chain.

-D: Deletes a rule from a chain.

nft

Configures firewall rules using nftables (successor to iptables).

add rule: Adds a rule to a chain.

delete rule: Removes a specific rule by handle.

netcat (nc)

A versatile tool for network debugging and testing.

-l: Listens for incoming connections.

echo: Sends data to a remote host.

scp

Securely copies files between systems over SSH.

-r: Recursively copies directories.

Copies a remote file to the local system.

sftp

Securely transfers files using SSH.

put: Uploads a file to the remote server.

get: Downloads a file from the remote server.

ssh

Securely connects to a remote system.

-p: Specifies a custom port for the connection.

-i: Uses a specific private key for authentication.

Unix Ports and Protocols

Port(s)

Service/Protocol

Transport Protocol

Description

21

FTP

TCP

File Transfer Protocol for transferring files between systems.

22

SSH (Secure Shell)

TCP

Provides secure remote login and command execution.

25

SMTP

TCP

Simple Mail Transfer Protocol for sending emails.

25, 587

SMTP (Mail Submission)

TCP

Used for sending emails securely with authentication.

53

DNS

TCP/UDP

Resolves domain names to IP addresses for network routing.

69

TFTP

UDP

Trivial File Transfer Protocol for simple file transfers.

111

RPC (Remote Procedure Call)

TCP/UDP

Enables client-server communication by allowing remote code execution.

123

NTP (Network Time Protocol)

UDP

Synchronizes system clocks over a network.

137-139, 445

Samba/SMB

TCP/UDP

Provides file and printer sharing between Unix and Windows systems.

162

SNMP Trap

UDP

Receives notifications from SNMP-enabled devices.

514

syslog

UDP

Logs system messages and events for monitoring and troubleshooting.

631

CUPS

TCP

Common Unix Printing System for managing print jobs and printers.

873

rsync

TCP

Synchronizes files and directories between systems over a network.

993

IMAP (Secure)

TCP

Internet Message Access Protocol over SSL/TLS for retrieving emails.

995

POP3 (Secure)

TCP

Post Office Protocol over SSL/TLS for retrieving emails.

2048

Radius

UDP

Authentication, authorization, and accounting for network access.

2049, 4045

NFS (Network File System)

UDP

Allows file sharing between Unix systems over a network.

3306

MySQL

TCP

Database service for managing relational databases.

3389

RDP

TCP

Remote Desktop Protocol for remote graphical interface access.

5000

Docker

TCP

Docker daemon API for container management.

5432

PostgreSQL

TCP

Database service for managing relational databases.

5900-5999

VNC

TCP

Virtual Network Computing for remote desktop access.

6667

IRC

TCP

Internet Relay Chat for real-time text communication.

8080

HTTP-Alt

TCP

Alternative port for HTTP services.

8081

HTTP Proxy

TCP

Proxy server for HTTP traffic.

80, 443

HTTP/HTTPS

TCP

Web communication protocols for unencrypted and encrypted traffic.

Key Unix Networking Protocols and Services

Protocol/Service

Port(s)

Transport Protocol

Description

NFS

2049

UDP

Network File System for file sharing on Unix systems.

RPC

111

TCP/UDP

Remote Procedure Call for client-server communication.

rsync

873

TCP

Synchronizes files between systems over a network.

syslog

514

UDP

Logs system messages and events.

rwho

513

UDP

Provides information about logged-in users on a network.

DTSPCD

6112

TCP

Desktop Subprocess Control Daemon for Unix CDE window manager.

NFS mountd

4045

UDP

Handles NFS mount requests.

Samba/SMB

137-139, 445

TCP/UDP

Provides file and printer sharing between Unix and Windows systems.

Unix Networking Best Practices

  • Use iptables or nftables to secure network traffic.

  • Regularly monitor logs using syslog or centralized logging solutions.

  • Use scp or sftp for secure file transfers.

  • Configure NFS and Samba with appropriate permissions to prevent unauthorized access.

  • Use dig and host for DNS troubleshooting and verification.

Cisco Router Administration and Configuration

Cisco routers use a Command-Line Interface (CLI) for configuration and management. The CLI is a powerful tool that allows network administrators to interact with the router, configure settings, and retrieve information about the device and its network. Below is an overview of the Cisco router CLI and some basic commands for obtaining useful information.

Overview of Cisco Router CLI

  1. Accessing the CLI:

  • Console Access: Direct connection using a console cable.

  • Telnet/SSH: Remote access over the network.

  • Auxiliary Port: Dial-up access using a modem.

  1. CLI Modes:

  • User EXEC Mode: Limited access for basic monitoring. Prompt: Router>

  • Privileged EXEC Mode: Full access to view and modify configurations. Prompt: Router#

  • Global Configuration Mode: Used to configure the router. Prompt: Router(config)#

  • Interface Configuration Mode: Used to configure specific interfaces. Prompt: Router(config-if)#

  1. Navigating the CLI:

  • Use ? to display available commands.

  • Use Tab to auto-complete commands.

  • Use Ctrl+C to cancel a command.

  • Use Ctrl+Z to exit configuration mode.

Common Cisco Router Commands

The table below lists some basic commands for retrieving useful information from a Cisco router:

Command

Description

Displays a summary of all interfaces, their IP addresses, and status.

Displays the current configuration in RAM.

Displays the configuration stored in NVRAM (used on reboot).

Displays system information, including IOS version, uptime, and hardware.

Displays the routing table.

Displays the ARP table.

Displays detailed information about all interfaces.

Displays the status of configured Layer 3 protocols on all interfaces.

Sends ICMP echo requests to test connectivity to a specific IP address.

Traces the route packets take to reach a specific IP address.

Displays information about directly connected Cisco devices.

Displays the router's log messages.

Displays information about the router's flash memory.

Displays the NAT translation table (if NAT is configured).

Tips for Using the CLI

  • Always verify your changes using show commands before and after making modifications.

  • Use write memory or copy running-config startup-config to save changes to the startup configuration.

  • Use reload to reboot the router if necessary, but ensure configurations are saved beforehand.

PreviousHands-on PracticeNextComputer Fundamentals

Last updated 19 days ago

Was this helpful?

nmap -sS $target
nmap -sU $target
nmap -sV $target
nmap -O $target
nmap -A $target
nmap -p 22,80,443 $target
nmap 192.168.1.0/24
nmap -sn $target
nmap --script=$script_name $target
nmap -p- $target
nmap -T4 $target
nmap -sA $target
nmap --top-ports 1000 $target
nmap -6 $target
nmap --traceroute $target
nmap -oN $output_file $target
nmap $target1 $target2
nmap $subnet --exclude $excluded_host
nmap -D $decoy1,$decoy2,$target
nmap -sI $zombie_host $target
nmap --script=vuln $target
 openssl genrsa -out $private.key 2048 
 openssl rsa -in $private.key -pubout -out $public.key
 openssl req -x509 -new -nodes -key $private.key -sha256 -days 365 -out $certificate.crt
 openssl enc -aes-256-cbc -in $file.txt -out $file.enc
 openssl enc -aes-256-cbc -d -in $file.enc -out $file.txt
 openssl rsautl -encrypt -inkey $public.key -pubin -in $file.txt -out $file.enc
 openssl rsautl -decrypt -inkey $private.key -in $file.enc -out $file.txt
 openssl dgst -sha256 -sign $private.key -out $signature.bin $file.txt
 openssl dgst -sha256 -verify $public.key -signature $signature.bin $file.txt
 openssl req -new -key $private.key -out $request.csr
 openssl x509 -in $certificate.crt -outform PEM -out $certificate.pem
 openssl x509 -in $certificate.pem -outform DER -out $certificate.der
 openssl x509 -in $certificate.crt -text -noout
 openssl s_client -connect $example.com:443
 openssl rand -base64 32
 openssl pkcs12 -export -out $certificate.pfx -inkey $private.key -in $certificate.crt -certfile $ca-bundle.crt
 openssl verify -CAfile $ca-bundle.crt $certificate.crt
 openssl speed aes-256-cbc
 echo "$eyJhbGciOi..." | base64 -d | openssl asn1parse -inform DER
ping example.com
ping -c 4 example.com
ping -i 0.5 example.com
traceroute example.com
traceroute -n example.com
traceroute -I example.com
netstat -a
netstat -tuln
netstat -i
ss -tuln
ss -s
ss -p
arp -a
arp -d 192.168.1.1
ip addr show
ip link set eth0 up
ip route add 192.168.1.0/24 via 192.168.1.1
ip route show
ip route add default via 192.168.1.1
ip route del 192.168.1.0/24
ip neigh show
ip neigh add 192.168.1.2 lladdr 00:11:22:33:44:55 dev eth0
ip neigh del 192.168.1.2 dev eth0
ifconfig
ifconfig eth0 up
ifconfig eth0 192.168.1.100 netmask 255.255.255.0
host example.com
host -t MX example.com
host -a example.com
dig example.com
dig +short example.com
dig @8.8.8.8 example.com
whois example.com
whois -h whois.verisign-grs.com example.com
route -n
route add default gw 192.168.1.1
route del -net 192.168.1.0/24
iptables -L
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
nft list ruleset
nft add rule ip filter input tcp dport 22 accept
nft delete rule ip filter input handle 10
nc -zv example.com 80
nc -l 1234
echo "Hello" | nc example.com 1234
scp file.txt user@example.com:/path/to/destination
scp -r /local/dir user@example.com:/remote/dir
scp user@example.com:/remote/file.txt /local/dir
sftp user@example.com
put localfile.txt
get remotefile.txt
ssh user@example.com
ssh -p 2222 user@example.com
ssh -i /path/to/key.pem user@example.com
show ip interface brief
show running-config
show startup-config
show version
show ip route
show arp
show interfaces
show protocols
ping $IP_Address
traceroute $IP_Address
show cdp neighbors
show logging
show flash
show ip nat translations