# Compare and Contrast Transport Protocols
(Layer 4) Ports: each port has an API for it. An API is like a language used to communicate over that port. 65535 ports in total. 1023 "known" ports
[[Comparing OSI Model Network Functions]]
## Transport Layer Ports and Connections
- Identify individual applications as port numbers
    - 443 -> https
    - 22 -> ssh
    - 25 -> email
    - 53 -> DNS
    - 67 -> DHCP Server
    - 80 -> HTTP
    - 445 -> SMB over TCP
- Socket
    - source IP plus port bound to software process
    - 192.168.1.1:22
- Connection
    - Client IP and port connected to server IP and port
![[Pasted image 20230525074820.png]]
## Transmission Control Protocol (TCP)
- Connection-oriented, guaranteed delivery
- if anything looks wrong, packet is dropped
- Segments with header fields to track sequence and acknowledgements
## TCP Handshake and Teardown
- 3-way handshake -> agreeing on a port to communicate on
    - Client SYN
    - Server SYN/ACK
    - Client ACK
- Graceful teardown -> send "done communicating" to terminate, client sends the FIN twice
    - FIN
    - ACK
    - FIN
    - ACK
- Session termination
    - RST
- useful for...
    - files
## User Datagram Protocol (UDP)
- Connectionless, non-guaranteed communication
- Fewer header fields required
- Used by protocols that can tolerate lost or out-of-order packets
- used for...
    - broadcasts
    - video
    - voice
## Common TCP and UDP Ports
![[commonTCPUDPports.png]]
# Use Appropriate Tools to Scan Network Ports
## IP Scanners
- Perform host and topology discovery to maximize network visibility
    - standalone tools
    - IP address management (IPAM)
- they scan an IP and find what ports are open -- can even give info as to what is running on the port
- Determining "up" status
    - ping, arp, traceroute
    - Simple Network Management Protocol (SNMP)
    - Query DHCP/DNS
## Nmap
[[Port Scanning]]
- Zenmap is the GUI
- nmap on the CLI
## netstat
- reports local port status / local network config
    - TCP vs UDP
    - Local IP and port
    - Remote IP and port
    - State (listening, established, ...)
- Options
    - Skip name resolution, show process, report statistics
    - Windows vs Linux syntax
- iproute2 ss and nstat commands replace netstat
## Remote Port Scanners
Where the scan originates from determines this (internal DMZ or remote host)
- Report status from a remote host
- Scan types:
    - half open, full connect, UDP, port range
- Host and service fingerprinting
## Protocol Analyzers
Think... Wireshark
- Decode frames captured by sniffer
    - Live capture or saved capture file (pcap)
    - parse header fields to reveal packet metadata
    - reconstruct TCP streams
- Analyze traffic statistics
    - Per-host utilization
    - Per-protocol utilization
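
Added example (not part of the original notes): a small Python decoder for the fixed TCP header, the "parse header fields" step of a protocol analyzer, applied to constructed segments to tell the Client SYN / Server SYN/ACK / Client ACK handshake from a half-open attempt where the client answers the SYN/ACK with RST. The helper names, ports and sequence numbers are assumptions made up for the illustration.

```python
import struct

# TCP flag bits (low bits of the 16-bit offset/flags word), lowest bit first.
FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
HEADER = struct.Struct("!HHIIHHHH")  # ports, seq, ack, offset+flags, window, checksum, urgent


def build_segment(sport, dport, seq, ack, flags):
    """Construct a sample 20-byte TCP header (no options, checksum left at 0)."""
    return HEADER.pack(sport, dport, seq, ack, (5 << 12) | flags, 64240, 0, 0)


def parse_segment(raw):
    """Decode the fixed TCP header fields the way a protocol analyzer does."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = HEADER.unpack(raw[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if not 20 <= header_len <= len(raw):
        raise ValueError("data offset outside segment")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAG_BITS if off_flags & bit],
            "payload": raw[header_len:]}


def classify_opening(segments):
    """Label the first three segments of a connection attempt."""
    if len(segments) < 3:
        return "incomplete"
    syn, synack, third = (parse_segment(s) for s in segments[:3])
    if (syn["flags"] != ["SYN"] or synack["flags"] != ["SYN", "ACK"]
            or synack["ack"] != (syn["seq"] + 1) % 2**32
            or third["sport"] != syn["sport"]):
        return "other"
    if "RST" in third["flags"]:
        return "half open"        # client resets instead of acknowledging
    if third["flags"] == ["ACK"] and third["ack"] == (synack["seq"] + 1) % 2**32:
        return "full connect"     # Client SYN, Server SYN/ACK, Client ACK
    return "other"


# Constructed samples: client port 49152 talking to server port 443.
FULL = [build_segment(49152, 443, 1000, 0, 0x02),
        build_segment(443, 49152, 5000, 1001, 0x12),
        build_segment(49152, 443, 1001, 5001, 0x10)]
HALF = FULL[:2] + [build_segment(49152, 443, 1001, 0, 0x04)]

if __name__ == "__main__":
    for name, capture in (("FULL", FULL), ("HALF", HALF)):
        print(name, [parse_segment(s)["flags"] for s in capture], classify_opening(capture))
```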