Upgrade to remove ads
Only $35.99/year

Lesson 9: Explaining Transport Layer Protocols

Terms in this set (107)

Port
In TCP and UDP applications, a unique number assigned to a particular application protocol. Server ports are typically assigned well known or registered numbers while client ports use dynamic or ephemeral numbering
Ports 0-1023
Preassigned by IANA to "well-known" server applications
Ports 1024-49151
Other server applications
Ports 49152-65535
Designated for private or dynamic use
Socket
Combination of a TCP/UDP port number and IP address. A client socket can form a connection with a server socket to exchange data
TCP
Transmission Control Protocol
Transmission Control Protocol
Protocol in the TCP/IP suite operating at the transport layer to provide connection-oriented, guaranteed delivery of packets
Can only be used for unicast transmission
Fields in the TCP header
Source port
Destination port
Sequence number
Ack number
Data length
Flags
Window
Checksum
Urgent pointer
Options
Source port
TCP port of sending host
Destination port
TCP port of destination host
Sequence number
The ID number of the current segment (the sequence number of the last byte in the segment). This allows the receiver to rebuild the message correctly and deal with out-of-order packets
Ack number
The sequence number of the next segment expected from the other host (the sequence number of the last segment received +1).
Data length
Length of the TCP segment
Flags
Type of content in the segment (ACK, SYN, FIN, and so on)
Window
The amount of data the host is willing to receive before sending another acknowledgement.
Checksum
Ensures validity of the segment. Calculated on the value of not only the TCP header and payload but also part of the IP header, notably the source and destination addresses.
Urgent Pointer
If urgent data is being sent, this specifies the end of that data in the segment
Options
Allows further connection parameters to be configured. The most important of these is the Maximum Segment Size. This allows the host to specify how large the segments it receives as the are transported over data link frames
Three-way handshake
Used to establish a connection
1. The client sends a segment with the TCP flag SYN set to the server with a randomly generated sequence number. The client enters the SYN-SENT state
2. The server, currently in the LISTEN state, responds with a SYN/ACK segment, containing its own randomly generated sequence number. The server enters the SYN-RECEIVED state
3. The client responds with an ACK segment. The client assumes the connection is ESTABLISHED
4. The server opens a connection with the client and enters the ESTABLISHED state
Connection teardown
1. The client sends a FIN segment to the server and enters the FIN-WAIT1 state
2. The server responds with an ACK segment and enters the CLOSE-WAIT state
3. The client receives the ACK segment and enters the FIN-WAIT2 state. The server sends its own FIN segment to the client and does to the LAST-ACK state
4. The client responds with an ACK and enters the TIME-WAIT state. After a defined period, the client closes its connection
5. The server closes the connection when it receives the ACK from the client
UDP
User Datagram Protocol
User Datagram Protocol
Protocol in the TCP/IP suite operating at the transport layer to provide connectionless, non-guaranteed communication
UDP datagram structure
Source port
Destination port
Sequence number
Message length
Flags
Checksum
Message length
Size of the UDP packet
Port 20
TCP
ftp-data
ftp-data
File Transfer Protocol-Data
Port 21
TCP
ftp
ftp
File Transfer Protocol-Control
Port 22
TCP
ssh/sftp
ssh/sftp
Secure Shell/FTP over SSH
Port 23
TCP
telnet
Port 25
TCP
smtp
smtp
Simple Mail Transfer Protocol
Port 53
TCP/UDP
domain
domain
Domain Name System
Port 67
UDP
bootps
bootps
BOOTP/DHCP Server
Port 68
UDP
bootpc
bootpc
BOOTP/DHCP Client
Port 69
UDP
tftp
tftp
Trivial File Transfer Protocol
Port 80
TCP
http
Port 110
TCP
pop
pop
Post Office Protocol
Port 123
UDP
ntp/sntp
ntp/sntp
Network Time Protocol/Simple NTP
Port 143
TCP
imap
imap
Internet Message Access Protocol
Port 161
UDP
snmp
snmp
Simple Network Management Protocol
Port 162
UDP
snmp-trap
snmp-trap
Simple Network Management Protocol Trap
Port 389
TCP/UDP
ldap
Port 443
TCP
https
ldap
Lightweight Directory Access Protocol
Port 445
TCP
smb
smb
Server Message Block over TCP/IP
Port 514
UDP
syslog
Port 546
UDP
dhcpv6-client
Port 547
TCP
dhcpv6-server
Port 587
TCP
smtps
smtps
SMTP-Secure
Port 636
TCP
ldaps
ldaps
LDAP-Secure
Port 993
TCP
imaps
imaps
IMAP-Secure
Port 995
TCP
pop3s
Port 1433
TCP
sql-server
sql-server
MS Structured Query Language (SQL) Server
Port 1521
TCP
sqlnet
sqlnet
Oracle SQL*Net
Port 3306
TCP
mysql
mysql
MySQL/MariaDB
Port 3389
TCP
rdp
rdp
Remote Desktop Protocol
Port 5004
UDP
rtp
rtp
Real-Time Protocol
Port 5005
UDP
rtcp
rtcp
Real-Time Control Protocol
Port 5060
TCP/UDP
sip
sip
Session Initiation Protocol
Port 5061
TCP/UDP
sips
IP scanner
A tool that performs host discovery and can establish the overall logical topology of the network in terms of subnets and routers
Nmap Security Scanner
A highly adaptable, open-source network scanner used primarily to scan hosts and ports to locate service and detect vulnerabilities
Nmap -sn
Ping Scan - disable port scan
nestat
Command allows you to check the state of ports on the local host
Windows-active TCP connections
Linux-active connections of any type
netstat -a
On Windows
Displays all open ports, including both active TCP and UDP connections and ports in the listening state
netstat -t
TCP connections in Linux
netstat -u
UDP connections in Linux
netstat -w
Raw connections in Linux
netstat -l
Linux
Shows only ports in the listening state, omitting established connections
-n
Displays ports and addresses in numerical format
-4 or -6
Linux
Filters sockets by IPv4 or IPv6 addresses
-p(protocol type)
Windows
Specify the protocol
-o
Windows
Shows the Process IP number that has opened the port
-b
Windows
Shows the process name
-p
Linux
Shows the PID and process name
netstat -s
Reports per protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on
netstat -r
Displays the routing table
netstat nn
Windows
Run netstat continuously until stopped
netstat -c
Linux
Run netstat continuously until stopped
Remote port scanner
Performs the probes from another machine, or even a machine on another network
Nmap -sS
TCP SYN
A fast technique as the scanning host requests a connection without acknowledging it
-sT
TCP connect
A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets
-sU
UDP scans
Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time.
Fingerprinting
The process of identifying an OS or software application from its responses to probes
Protocol analyzer
Utility that can parse the header fields and payloads of protocols in captured frames for display and analysis
Other sets by this creator