SOCC01 - Networking and PCAPs

IP/TCP Headers and Ports

General discussion of the IP header
- Routers predominately are the devices that only look at the IP Header
IP Header
- BGP Hijacking
  - APT/Nation-state actor can compromise an ASN and redirect traffic to another destination
  - Traffic is routed to the most specific address
- Fragmentation flags
  - x - bit 0
    - "the evil bit"
    - Reserved, but be 0
  - D (DF) - bit 1
    - Don't fragment
  - M (MF) - bit 2
    - More Fragments
TCP Header
- Describes the ports for the packets
  - Ports are generally used by certain protocols, but generally, ports can be used by any service
  - Port 0 can be used, and has been used as a
- NAT/PAT
- RFC 793 describes the 3-way handshake
  - Originally, it was a 4-way handshake, but most modern OS's send a 3-way instead.

OWASP Top 10 ports

Port	Protocol	Interesting Links
80	HTTP
23	Telnet
22	SSH
443	HTTPS
3389	ms-term-serv (RDP)
445	microsoft-ds (SMB)	SMB is synonymous in my head with EternalBlue EternalBlue - Wikipedia
139	netbios-ssn	137,138,139 - Pentesting NetBios - HackTricks
21	FTP
135	MSRPC	Microsoft RPC - Wikipedia
25	SMTP

Shodan top ports

Port	Protocol	Notes
80, 8080, 443, 8443	HTTP/S
21	FTP
22	SSH
23	Telnet
161	SNMP
143, 993	IMAP/Encrypted
25	SMTP
5060	SIP
554	RTSP (Real Time Streaming Protocol)

tcpdump

Lab: tcpdump

Wireshark Lab

We then did a Wireshark lab, but there really wasn't anything new compared to the Wireshark Udemy course with Chris Greer that I took earlier, so I didn't take any notes at the time. There were two key takeaways though that I forgot or wasn't covered in the Udemy course: