CSbyGB - Pentips
Basics

Last updated 4 months ago

Notes from tryhackme, HTB Academy and my practice

Internal Networks

"Internal Networks are subnetworks that are segmented and separated based on the importance of the internal device or the importance of the accessibility of its data. The main purpose of the internal network(s) is to share information, faster and easier communications, collaboration tools, operational systems, and network services within an organization. In a corporate network, the network administrators intend to use network segmentation for various reasons, including controlling network traffic, optimizing network performance, and improving security posture."

Source: tryhackme

A Demilitarized Zone (DMZ)

"A DMZ Network is an edge network that protects and adds an extra security layer to a corporation's internal local-area network from untrusted traffic. A common design for DMZ is a subnetwork that sits between the public internet and internal networks.

Designing a network within the company depends on its requirements and need. For example, suppose a company provides public services such as a website, DNS, FTP, Proxy, VPN, etc. In that case, they may design a DMZ network to isolate and enable access control on the public network traffic, untrusted traffic."

Source: tryhackme

IP Addresses

  • An IP address is the address used to communicate on a network (Layer 3 of the OSI model); routing is done on it.

| Network class | Network numbers | Network mask | No. of networks | No. of hosts per network |
|---|---|---|---|---|
| Class A | 10.0.0.0 | 255.0.0.0 | 126 | 12 646 144 |
| Class B | 172.16.0.0 to 172.31.0.0 | 255.255.0.0 | 16 383 | 65 024 |
| Class C | 192.168.0.0 to 192.168.255.255 | 255.255.255.0 | 2 097 151 | 254 |
| Loopback (localhost) | 127.0.0.0 to 127.0.0.7 | 255.255.255.0 | | |

MAC Addresses

  • Media Access Control, the physical address of a network interface (Layer 2 of the OSI model). Useful to know which device is which.

  • It looks like this: 00:1a:3f:f1:4c:c6. The first 3 octets are the OUI (Organizationally Unique Identifier), which can be looked up to find the manufacturer of the device.
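As an added example (not code from the original page), the following Python parses a MAC address in the common notations, extracts the OUI and reads the two flag bits of the first octet. The OUI table is a constructed stand-in: real vendor assignments come from the IEEE registry and must be looked up there. The locally-administered bit matters for device identification: when it is set (randomized Wi-Fi MACs, many VMs and containers) the OUI does not identify a manufacturer.

```python
"""MAC address parsing and OUI extraction (added example, not from the page)."""
import re

# Constructed sample; the real mapping is the IEEE OUI registry.
OUI_TABLE = {
    "00:1A:3F": "ExampleVendor (constructed entry)",
}


def normalize(mac):
    """Accept 00:1a:3f:f1:4c:c6, 00-1A-3F-F1-4C-C6 or 001a.3ff1.4cc6 and return
    the canonical upper-case colon form. Raises ValueError on anything else."""
    digits = re.sub(r"[\s:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def describe_mac(mac):
    """Return the OUI, the (constructed) vendor lookup and the I/G and U/L bits."""
    canonical = normalize(mac)
    first_octet = int(canonical[:2], 16)
    oui = canonical[:8]
    return {
        "mac": canonical,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown (look up the OUI in the IEEE registry)"),
        # bit 0 of the first octet: 0 = unicast, 1 = group/multicast address
        "multicast": bool(first_octet & 0x01),
        # bit 1 of the first octet: 0 = burned-in (vendor) address,
        # 1 = locally administered, e.g. a randomized or virtual MAC; the OUI
        # then says nothing about the manufacturer
        "locally_administered": bool(first_octet & 0x02),
    }


if __name__ == "__main__":
    for sample in ("00:1a:3f:f1:4c:c6", "02-00-5E-10-00-01", "01:00:5e:00:00:fb"):
        print(describe_mac(sample))
```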

TCP, UDP and the Three way handshake

TCP

  • Transmission Control Protocol. It is a connection-oriented protocol. HTTP, FTP, etc. all use it.

Three way handshake

  • TCP uses a 3-way handshake.

  • SYN > SYN-ACK > ACK: the client asks to connect to a port > the port is open and the server answers > the connection is established.
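To make the handshake concrete, here is an added Python simulation (not code from the original page) of the exchange between a client and a server. It models what the bullet above describes: a SYN to a listening port gets a SYN-ACK and the connection becomes established after the final ACK, while a SYN to a closed port gets an RST. Sequence numbers are constructed; the acknowledgement arithmetic follows RFC 793, where a SYN consumes one sequence number so the peer acknowledges seq + 1.

```python
"""TCP three-way handshake simulation (added example, not from the page)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: set = field(default_factory=set)  # e.g. {"SYN"} or {"SYN", "ACK"}


class Host:
    """Minimal TCP endpoint: a set of listening ports and a constructed ISN."""

    def __init__(self, listening, isn):
        self.listening = set(listening)  # ports with a process in LISTEN state
        self.isn = isn                   # initial sequence number (constructed)
        self.state = {}                  # (local port, remote port) -> state

    def on_segment(self, seg):
        """React to an incoming segment; return the reply Segment or None."""
        key = (seg.dst_port, seg.src_port)
        if seg.flags == {"SYN"}:
            if seg.dst_port not in self.listening:
                # Nothing listening: answer RST so the client stops waiting.
                return Segment(seg.dst_port, seg.src_port, 0, seg.seq + 1,
                               {"RST", "ACK"})
            # Open port: acknowledge the SYN and send our own SYN.
            self.state[key] = "SYN-RECEIVED"
            return Segment(seg.dst_port, seg.src_port, self.isn, seg.seq + 1,
                           {"SYN", "ACK"})
        if seg.flags == {"ACK"} and self.state.get(key) == "SYN-RECEIVED":
            # The final ACK must acknowledge our SYN (isn + 1).
            if seg.ack == self.isn + 1:
                self.state[key] = "ESTABLISHED"
        return None


def handshake(client, server, src_port, dst_port):
    """Run SYN -> SYN-ACK/RST -> ACK. Returns (segments exchanged, final state)."""
    trace = []
    syn = Segment(src_port, dst_port, client.isn, 0, {"SYN"})
    trace.append(syn)
    reply = server.on_segment(syn)
    trace.append(reply)
    if "RST" in reply.flags:
        return trace, "CLOSED"
    ack = Segment(src_port, dst_port, client.isn + 1, reply.seq + 1, {"ACK"})
    trace.append(ack)
    server.on_segment(ack)
    return trace, server.state[(dst_port, src_port)]


if __name__ == "__main__":
    client = Host(listening=[], isn=1000)
    server = Host(listening=[80], isn=5000)
    for port in (80, 23):
        segments, state = handshake(client, server, 40000, port)
        print(f"port {port}: {state}")
        for s in segments:
            print("  ", sorted(s.flags), f"seq={s.seq} ack={s.ack}")
```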

UDP

  • User Datagram Protocol. It is a connectionless protocol. Streaming services, VoIP, etc. all use it.

Common ports and protocol

Source: TCM Security Academy - Course Practical Ethical Hacking

  • TCP

    • FTP: File Transfer Protocol

    • SSH and Telnet: connect to a device remotely; SSH is encrypted, Telnet is not

    • SMTP, POP3 and IMAP: mail protocols

    • DNS: resolves domain names to IP addresses (and the reverse)

    • HTTP and HTTPS: websites; HTTPS is encrypted

    • SMB: file share (aka SAMBA)

  • UDP

    • DHCP: assigns IP addresses

    • TFTP: Trivial FTP

    • SNMP: Simple Network Management Protocol

The OSI Model

| Number | Layer | Examples or use |
|---|---|---|
| 1 | Physical | Data cables |
| 2 | Data | Switches, MAC Addresses |
| 3 | Network | IP addresses, routing |
| 4 | Transport | TCP/UDP |
| 5 | Session | Session management |
| 6 | Presentation | WMV, JPEG, MOV |
| 7 | Application | HTTP, SMTP |

  • (Mnemonic: Please Do Not Throw Sausage Pizza Away)

Source: TryHackMe

TCP header (RFC793)

Source: TryHackMe

Subnetting

Source: TCM Security Academy - Course Practical Ethical Hacking

End Device Addressing

  • IP address - identifies the host on the network.

  • Subnet mask - identifies the network to which the host is connected; a host uses it to decide whether a destination is on its own subnet (direct delivery) or must go through the gateway.

  • Default gateway - identifies the networking device that the host uses to reach the internet or another remote network.
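The following Python is an added worked example (not from the original page or the TCM course) that ties the three end-device settings above to the class table and the subnetting section. It uses only the standard-library ipaddress module: given a host address with its mask it computes the network, broadcast, usable host range and host count, derives the classful network class from the first octet, and applies the forwarding decision a host makes with its subnet mask and default gateway. All addresses are constructed; the gateway name and the prefix-length argument are this example's own.

```python
"""Subnet calculator and next-hop decision (added example, not from the page)."""
import ipaddress


def classify(ip):
    """Classful network class from the first octet (historical A/B/C, plus loopback)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet == 127:
        return "Loopback"
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D (multicast)"
    return "E (reserved)"


def describe(host_with_prefix):
    """Given e.g. '192.168.1.37/26' return the addressing facts a host needs."""
    iface = ipaddress.ip_interface(host_with_prefix)
    net = iface.network  # host bits are masked off for us (strict=False)
    if net.prefixlen <= 30:
        # Network and broadcast addresses are not usable for hosts.
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        # /31 point-to-point links (RFC 3021) and /32: every address is usable.
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
        "class": classify(str(iface.ip)),
        "private": iface.ip.is_private,
    }


def same_subnet(a, b, prefix_len):
    """True when both addresses fall in the same network under the given mask."""
    net_a = ipaddress.ip_interface(f"{a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{b}/{prefix_len}").network
    return net_a == net_b


def next_hop(src, dst, prefix_len, gateway):
    """The host delivers directly inside its own subnet, otherwise it hands the
    packet to the default gateway (assumed to be the only route)."""
    return dst if same_subnet(src, dst, prefix_len) else gateway


if __name__ == "__main__":
    print(describe("192.168.1.37/26"))
    print(next_hop("192.168.1.37", "192.168.1.70", 26, "192.168.1.1"))
```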

Common ports and protocols

There are two categories of ports, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection-oriented, meaning that a connection between a client and a server must be established before data can be sent. The server must be in a listening state awaiting connection requests from clients. UDP uses a connectionless communication model. There is no "handshake", which introduces a certain amount of unreliability since there is no guarantee of data delivery. UDP is useful when error correction/checking is either not needed or is handled by the application itself. UDP is suitable for applications that run time-sensitive tasks, since dropping packets is faster than waiting for delayed packets due to retransmission, as is the case with TCP, which can significantly affect a real-time system. There are 65,535 TCP ports and 65,535 different UDP ports, each denoted by a number.

| Protocol | TCP/UDP Port | Application(s) | Data Security |
|---|---|---|---|
| FTP | 20/21 (TCP) | File Transfer | Cleartext |
| SFTP | 22 (TCP) | File Transfer | Encrypted |
| SSH | 22 (TCP) | Remote Access and File Transfer | Encrypted |
| Telnet | 23 (TCP) | Remote Access | Cleartext |
| SMTP | 25 (TCP) | Email (MTA) | Cleartext |
| HTTP | 80 (TCP) | Worldwide Web | Cleartext |
| POP3 | 110 (TCP) | Email (MDA) | Cleartext |
| IMAP | 143 | Email (MDA) | Cleartext |
| SNMP | 161 (TCP/UDP) | | |
| LDAP | 389 (TCP/UDP) | | |
| HTTPS | 443 (TCP) | Worldwide Web | Encrypted |
| SMB | 445 (TCP) | | |
| SMTPS | 465 | Email (MTA) | Encrypted |
| FTPS | 990 | File Transfer | Encrypted |
| IMAPS | 993 | Email (MDA) | Encrypted |
| POP3S | 995 | Email (MDA) | Encrypted |
| RDP | 3398 (TCP) | RDP | |

Differentiate active tun connections

  • Sometimes when working with multiple .ovpn files (I often use HTB and THM and do not always reboot my VM) you might end up with two tun interfaces in the output of ip add.

  • To know which one is active, check the routes with ip route: the interface that has more routes is the one carrying the current OVPN connection.

VPN

At a high level, a VPN works by routing our connecting device's internet connection through the target VPN's private server instead of our internet service provider (ISP). When connected to a VPN, data originates from the VPN server rather than our computer and will appear to originate from a public IP address other than our own. There are two main types of remote access VPNs: client-based VPN and SSL VPN. SSL VPN uses the web browser as the VPN client. The connection is established between the browser and an SSL VPN gateway, which can be configured to only allow access to web-based applications such as email and intranet sites, or even the internal network, without the need for the end user to install or use any specialized software. Client-based VPN requires the use of client software to establish the VPN connection. Once connected, the user's host will work mostly as if it were connected directly to the company network and will be able to access any resources (applications, hosts, subnets, etc.) allowed by the server configuration. Some corporate VPNs will provide employees with full access to the internal corporate network, while others will place users on a specific segment reserved for remote workers.

  • With ifconfig or ip add we will see a tun adapter if we successfully connected to the VPN.

  • netstat -rn will show us the networks accessible via the VPN.

  • ip -4 a show tun0 checks the tun0 address.

  • ping -c 4 IP.1 (the .1 address of the VPN network is the gateway).

  • We cannot be connected from more than one device at the same time.

Source Hackthebox Academy
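The two sections above (telling tun interfaces apart and checking the VPN) both come down to reading ip route and ip -4 a show tun0. As an added example that is not part of the original page, the Python below parses constructed copies of that output: it implements the heuristic from the page (the tun interface with the most routes is the live OVPN connection) and, going one step beyond the page, the longest-prefix match the kernel itself uses to pick the egress interface for a given target, which is the more exact answer when both tunnels carry routes. The sample output, interface names and addresses are constructed for this example.

```python
"""Which tun interface is active? (added example, not from the page)."""
import ipaddress
import re
from collections import Counter

# Constructed sample of `ip route` on a VM with two stale-or-live tunnels.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.7
10.129.0.0/16 via 10.10.14.1 dev tun0
10.200.0.0/24 dev tun1 proto kernel scope link src 10.200.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample of `ip -4 a show tun0`.
SAMPLE_TUN0 = """\
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.14.7/23 scope global tun0
       valid_lft forever preferred_lft forever
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with a network, a device and an optional via."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append({"dest": ipaddress.ip_network(dest, strict=False),
                       "dev": dev, "via": via})
    return routes


def routes_per_tun(text):
    """Count routes per tun interface: the page's heuristic for the live VPN."""
    return Counter(r["dev"] for r in parse_routes(text)
                   if r["dev"] and r["dev"].startswith("tun"))


def active_tun(text):
    """Interface with the most routes, or None if no tun interface has any."""
    counts = routes_per_tun(text)
    return counts.most_common(1)[0][0] if counts else None


def egress_interface(text, target):
    """Longest-prefix match, as the kernel does it: the most specific route
    containing the target decides the interface (what `ip route get` shows)."""
    ip = ipaddress.ip_address(target)
    candidates = [r for r in parse_routes(text) if ip in r["dest"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["dest"].prefixlen)["dev"]


def tun_address(text):
    """Extract the IPv4 address/prefix from `ip -4 a show tun0` output."""
    match = re.search(r"^\s*inet (\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("routes per tun:", dict(routes_per_tun(SAMPLE_IP_ROUTE)))
    print("active tun (heuristic):", active_tun(SAMPLE_IP_ROUTE))
    print("egress for 10.129.5.5:", egress_interface(SAMPLE_IP_ROUTE, "10.129.5.5"))
    print("tun0 address:", tun_address(SAMPLE_TUN0))
```

Both answers agree on the sample: tun0 has three routes against one for tun1, and a target in 10.129.0.0/16 also leaves via tun0. When the two heuristics disagree on a real box, the longest-prefix match is the one the kernel will actually follow.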

The Concept of Attacks

The concept is based on four categories that occur for each vulnerability. First, we have a Source that performs the specific request to a Process where the vulnerability gets triggered. Each process has a specific set of Privileges with which it is executed. Each process has a task with a specific goal or Destination to either compute new data or forward it. However, the individual and unique specifications under these categories may differ from service to service.

Every task and piece of information follows a specific pattern, a cycle, which we have deliberately made linear. This is because the Destination does not always serve as a Source and is therefore not treated as a source of a new task.

For any task to come into existence at all, it needs an idea, information (Source), a planned process for it (Processes), and a specific goal (Destination) to be achieved. Therefore, the category of Privileges is necessary to control information processing appropriately.

Source

We can generalize Source as a source of information used for the specific task of a process. There are many different ways to pass information to a process.

| Information Source | Description |
|---|---|
| Code | This means that the already executed program code results are used as a source of information. These can come from different functions of a program. |
| Libraries | A library is a collection of program resources, including configuration data, documentation, help data, message templates, prebuilt code and subroutines, classes, values, or type specifications. |
| Config | Configurations are usually static or prescribed values that determine how the process processes information. |
| APIs | The application programming interface (API) is mainly used as the interface of programs for retrieving or providing information. |
| User Input | If a program has a function that allows the user to enter specific values used to process the information accordingly, this is the manual entry of information by a person. |

The source is, therefore, the source that is exploited for vulnerabilities. It does not matter which protocol is used because HTTP header injections can be manipulated manually, as can buffer overflows. The source for this can therefore be categorized as Code.

Processes

The Process is about processing the information forwarded from the source. These are processed according to the intended task determined by the program code. For each task, the developer specifies how the information is processed. This can occur using classes with different functions, calculations, and loops. The variety of possibilities for this is as diverse as the number of developers in the world. Accordingly, most of the vulnerabilities lie in the program code executed by the process.

| Process Components | Description |
|---|---|
| PID | The Process-ID (PID) identifies the process being started or is already running. Running processes have already assigned privileges, and new ones are started accordingly. |
| Input | This refers to the input of information that could be assigned by a user or as a result of a programmed function. |
| Data processing | The hard-coded functions of a program dictate how the information received is processed. |
| Variables | The variables are used as placeholders for information that different functions can further process during the task. |
| Logging | During logging, certain events are documented and, in most cases, stored in a register or a file. This means that certain information remains in the system. |

Privileges

Privileges are present in any system that controls processes. These serve as a type of permission that determines what tasks and actions can be performed on the system. In simple terms, it can be compared to a bus ticket. If we use a ticket intended for a particular region, we will be able to use the bus, and otherwise, we will not. These privileges (or figuratively speaking, our tickets) can also be used for different means of transport, such as planes, trains, boats, and others. In computer systems, these privileges serve as control and segmentation of actions for which different permissions, controlled by the system, are needed. Therefore, the rights are checked based on this categorization when a process needs to fulfill its task. If the process satisfies these privileges and conditions, the system approves the action requested. We can divide these privileges into the following areas:

| Privileges | Description |
|---|---|
| System | These privileges are the highest privileges that can be obtained, which allow any system modification. In Windows, this type of privilege is called SYSTEM, and in Linux, it is called root. |
| User | User privileges are permissions that have been assigned to a specific user. For security reasons, separate users are often set up for particular services during the installation of Linux distributions. |
| Groups | Groups are a categorization of at least one user who has certain permissions to perform specific actions. |
| Policies | Policies determine the execution of application-specific commands, which can also apply to individual or grouped users and their actions. |
| Rules | Rules are the permissions to perform actions handled from within the applications themselves. |

Destination

Every task has at least one purpose and goal that must be fulfilled. Logically, if any data set changes were missing or not stored or forwarded anywhere, the task would be generally unnecessary. The result of such a task is either stored somewhere or forwarded to another processing point. Therefore we speak here of the Destination where the changes will be made. Such processing points can point either to a local or remote process. Therefore, at the local level, local files or records may be modified by the process or be forwarded to other local services for further use. However, this does not exclude the possibility that the same process could reuse the resulting data too. If the process is completed with the data storage or its forwarding, the cycle leading to the task's completion is closed.

| Destination | Description |
|---|---|
| Local | The local area is the system's environment in which the process occurred. Therefore, the results and outcomes of a task are either processed further by a process that includes changes to data sets or storage of the data. |
| Network | The network area is mainly a matter of forwarding the results of a process to a remote interface. This can be an IP address and its services or even entire networks. The results of such processes can also influence the route under certain circumstances. |

Service Misconfigurations

Misconfigurations usually happen when a system administrator, technical support, or developer does not correctly configure the security framework of an application, website, desktop, or server, leaving dangerous open pathways for unauthorized users.

Authentication

  • Default credentials

  • Weak passwords

  • No passwords

  • Anonymous Authentication

  • Misconfigured access rights

Unnecessary defaults

Unnecessary defaults are those settings we need to change to secure a system by reducing its attack surface. It can happen on settings, features, files, credentials, etc.

Sensitive Information

Sensitive information may include, but is not limited to:

  • Usernames.

  • Email Addresses.

  • Passwords.

  • DNS records.

  • IP Addresses.

  • Source code.

  • Configuration files.

  • PII.

There are two key elements to finding sensitive information:

  1. We need to understand the service and how it works.

  2. We need to know what we are looking for.

Tools to interact with common services

| SMB | FTP | Email | Databases |
|---|---|---|---|
| smbclient | ftp | Thunderbird | mssql-cli |
| CrackMapExec | lftp | Claws | mycli |
| SMBMap | ncftp | Geary | mssqlclient.py |
| Impacket | filezilla | MailSpring | dbeaver |
| psexec.py | crossftp | mutt | MySQL |
| smbexec.py | | mailutils | SQL Server Management Studio or SSMS |
| | | sendEmail | |
| | | swaks | |
| | | sendmail | |

Resources

We can look up the OUI (the first 3 octets of a MAC address) to find out the manufacturer of the device.

Source: HTB Academy course

  • What is a MAC Address - Lakshan Mamalgaha

  • Common ports MIT

  • Common ports cheat sheet by packetlife

  • Top 1000 TCP and UDP Port by nullsec

  • Attacking common services

  • Professor Messer 7 second subnetting

  • Getting Started with Cisco Packet Tracer - Skills for All (this tool is very fun and useful to use when trying to understand networking)

  • Networking Essentials by Cisco

  • TryHackMe - The Lay of the land

  • TryHackMe | Cyber Security Training

  • Pentest book Enumeration Ports - six2dez