📚 Session, Presentation, Application Layer

Authentication Protocols

Crypto Protocols

This section encompasses all the protocols that aim to ensure confidentiality by encrypting the traffic.

Video and Audio

πŸ› οΈ dshell can be used to analyse a pcap file for the specific traffic types. Please refer to the Toolkit sections, Forensics Lab Setup for installation steps.

decode -p rtp -i wlan0 # see all audio and video traffic


RDP

RDP Bitmap Cache. Windows developed RDP: the cache holds small chunks of screenshots. The size of each is 64x64 bit. And also, there is 1 huge sprite with all of them.

%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
  • older - .bmc
  • newer - Cache####.bin where # is a number starting from 0

In case you investigate a successful RDP login to a specific machine, note that only in the case of the RDP login the “Workstation Name” field in the “Network Information” section does not refer to the source machine name; instead it refers to the name of the machine that recorded the event log (target machine). Be careful, because such wrong information may mislead your incident investigations. For the example in the screenshot, the “pbeesly” account logged on the “SCARNTON” hostname from the 172.18.39.2 source machine IP. If you want to find the source machine name, you can use the Event IDs 4778 or 4779 recorded in the security events instead. https://www.linkedin.com/posts/mostafa-yahia-701b4b15a_in-case-you-investigate-a-successful-rdp-activity-7004505487912112130-W6Oo?utm_source=share&utm_medium=member_desktop
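Added example, not from the page or the linked post: a Python sketch of the correlation the note recommends, run over constructed sample events. Field names follow the Security log's data fields; the host name PBEESLY-PC, the second account and the other IPs are made up, only pbeesly/SCARNTON/172.18.39.2 come from the note above.

```python
# Constructed sample events (a few fields of Windows Security events, not a real log).
# The 4624 "WorkstationName" is the recorder (SCARNTON), not the RDP client.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "pbeesly",
     "WorkstationName": "SCARNTON", "IpAddress": "172.18.39.2"},
    {"EventID": 4778, "AccountName": "pbeesly", "ClientName": "PBEESLY-PC",
     "ClientAddress": "172.18.39.2", "SessionName": "RDP-Tcp#3"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "WorkstationName": "FILESRV01", "IpAddress": "172.18.39.50"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "mscott",
     "WorkstationName": "SCARNTON", "IpAddress": "172.18.39.7"},
]

RDP_LOGON_TYPE = 10            # RemoteInteractive
SESSION_EVENTS = {4778, 4779}  # session reconnect / disconnect: carry "Client Name"


def rdp_sources(events):
    """Return one record per RDP logon (4624, type 10) with the best-known source host.

    The 4624 "Workstation Name" is deliberately not used as the source: the note
    above explains it names the machine that recorded the event. The client host
    name is taken from a 4778/4779 with the same account and client address; when
    none was seen, source_host is None and only the IP is known.
    """
    client_names = {}
    for ev in events:
        if ev["EventID"] in SESSION_EVENTS:
            key = (ev["AccountName"].lower(), ev["ClientAddress"])
            client_names[key] = ev["ClientName"]

    results = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        results.append({
            "user": ev["TargetUserName"],
            "target": ev["WorkstationName"],   # recorder / target machine
            "source_ip": ev["IpAddress"],
            "source_host": client_names.get(key),
        })
    return results


if __name__ == "__main__":
    for rec in rdp_sources(SAMPLE_EVENTS):
        print(rec)
```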

Telnet

Ports: 23

📕 RTFM

# If the Telnet port is open, you might try to log in with a user. If the user doesn't have a password set up, you might even be able to log in without a password.

telnet <IP> <port>
root # or any other username that you think is there
Password: # leave blank

FTP and sFTP

This is about … .

📚 DHCP

Dynamic Host Configuration Protocol. The server listens on port 67; the client sends from port 68.

Mechanism

DHCP Discover (Broadcast) C -> S

[new PC] 🧸 “I need an IP, I am new here. Only have this stupid useless 169.254.X.X address. Where do I register? Guys! Who knows where the DHCP is?”

DHCPDISCOVER is broadcast in the network. Every machine, even non-DHCP ones, hears this message.

DHCP Offer (Broadcast/Unicast) S -> C

[DHCP server] 🥸 “I’m DHCP. How can I help?”

📚 DNS

Domain Name System. Translates IPs to domain names, like 192.168.1.1 to router.lan, and vice versa.

DNS querying can be either recursive or non-recursive.

Recursive. ISP DNS server queries other DNS servers until it finds the answer. Once it’s found, it’s returned by the ISP DNS to the client.

Non-recursive. ISP DNS is not involved? The response comes directly from the last DNS server queried. So, whoever asked initially would show up in the last DNS server’s logs 📝.

📚 IRC

IRC stands for Internet Relay Chat. Used for instant messaging. Usually sits at port 6667. On Linux it can be installed and run with sudo invoke-rc.d inspircd.

📚 SMB

  1. Over TCP - 445 port
  2. Over NetBIOS API
    1. UDP - ports 137, 138
    2. TCP - ports 137, 139
    3. NBF (legacy)

PowerShell command + Windows registry keys for SMB 1, 2, 3.

📕 RTFM

nmap -p 139,445 --script smb-enum-shares <target>

brew install samba
smbclient -U username -W workgroup -c 'ls' //server/share