Chapter 9 Explaining Transport Layer Protocol
IP Scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses. Perform host discovery. Perform host and topology discovery to maximize network visibility. IP Address Management (IPAM)
NetStat
A TCP/IP troubleshooting utility that displays statistics and the state of current TCP/IP connections. It also displays ports, which can signal whether services are using the correct ports. Using a switch includes ports in the listening state in the output. Other switches skip name resolution, show the owning process, and report statistics. Windows versus Linux syntax differences. iproute2 ss and nstat commands replace netstat
Stateful DHCPv6
A method of obtaining an IPv6 address and other configuration values from a DHCPv6 server. Provides routable IPv6 address
User Datagram Protocol (UDP)
A protocol for sending packets quickly with minimal error-checking and no resending of dropped packets. Connectionless, non-guaranteed (best effort) communication. Used by protocols that can tolerate lost or out-of-order packets.
Transmission Control Protocol (TCP)
A protocol for sending packets that does error-checking to ensure all packets are received and properly ordered. Connection-oriented, guaranteed delivery. Segments carry header fields to track sequence and acknowledgement numbers.
WireShark conversation
Allows the analyst to look at various protocol statistics: Ethernet, IPv4, IPv6, TCP, and UDP
DHCP Server Configuration
Appliance versus NOS implementation
Session Termination (Steps)
RST
IP helper
Cisco command supporting operation of DHCP relay. Can forward various types of broadcast traffic (not just DHCP).
Connection
Client IP and port connected to server IP and port
Three Way Handshake (TCP)
Client SYN, Server SYN/ACK, Client ACK
DHCPv6 Server Configuration
Client uses multicast ff02::1:2 to locate a server over UDP/ Port 546 (client) and UDP/ Port 547 (server)
UDP / Port 546
DHCPv6-Client
UDP/ Port 547
DHCPv6-Server
TCP/UDP/ Port 53
DNS
Protocol Analyzer
Decodes frames captured by a sniffer. Live capture or saved capture file (PCAP). Parses header fields to reveal packet metadata. Reconstructs TCP streams
TCP/ Port 20
FTP data. File transfer protocol.
Wireshark
Follow TCP Stream context command to reconstruct the packet contents for a TCP session. Statistics menu to access traffic analysis tools
DHCP Relay
Forwards DHCP packets between clients and servers. Forwards responses from server back to appropriate client subnet
TCP/ Port 80
HTTP (Hypertext Transfer Protocol)
Scope
Range of IP addresses available to lease to clients on a particular subnet. Defined by start and end IP addresses and netmask. Redundant DHCP services should use non-overlapping address pools
TCP/ Port 443
HTTPS (Hypertext Transfer Protocol Secure)
Scan types
Half Open, Full connect, UDP, Port range
Stateless DHCP v6
Host obtains prefix from router advertisement (RA). RA advertises presence of a DHCPv6 server to provide additional options.
TCP 143
IMAP (Internet Message Access Protocol)
Transport layer ports and connections
Identify individual applications by port number
TCP Connect (-sT)
Is a half-open scan that requires Nmap to have privileged access to the network driver so that it can craft packets
TCP SYN (-sS)
Is a fast technique (also referred to as half-open scanning), as the scanning host requests a connection without acknowledging it
TCP Window
Is the amount of data the host is willing to receive before sending an acknowledgement
TCP/UDP/ Port 389
LDAP (Lightweight Directory Access Protocol)
UDP/ Port 123
NTP (Network Time Protocol)
DHCP Options
Options that are assigned when the addresses are assigned or renewed, including the default gateway and the primary and secondary DNS servers. IP address(es) of DNS servers. DNS suffix (domain name) to be used by the client. Time synchronization (NTP), file transfer (TFTP), VoIP proxy
Analyze Traffic Stream
Per-host utilization. Per-protocol utilization
Determining "up" status
Ping, arp, traceroute. Simple Network Management Protocol (SNMP). Query DHCP/ DNS
TCP 3389
RDP (Remote Desktop Protocol)
Remote Port Scanner
Report port status from a remote host
UDP/ Port 161
SNMP (Simple Network Management Protocol)
TCP / Port 22
SSH (Secure Shell), SCP (Secure Copy), SFTP (Secure File Transfer Protocol)
The ack number
Sequence number of the next segment expected from the other host, that is, the sequence number of the last segment received plus 1
TCP 25
Simple Mail Transfer Protocol (SMTP), which the network administrator should include when searching for email traffic.
Socket
Source IP plus port, allocated to a software process
DHCP Reservation and Exclusions
Static assignments and exclusions: use an IP address outside the address pool, or exclude a specific IP address from the pool range. MAC/ IP reservation: always allocate a device the same pre-selected IP. Automatic allocation: lease any IP address from the pool to the same client persistently
TCP
A system sending urgent data uses the urgent pointer to specify the end of that data in the segment
UDP / Port 69
TFTP (Trivial File Transfer Protocol)
TCP /Port 23
Telnet
-sV Switch
To probe a host more intensively to discover the software or software version operating on each port
Protocol Hierarchy Tool
To view the most active protocols on a network link
Graceful Teardown
Uses a four-way handshake, with each side of the connection terminating independently. FIN, ACK, FIN, ACK
UDP scans (-sU)
Scans UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.