hacktricks/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md
Carlos Polop 05d24df968 ARTE
2024-01-13 23:03:42 +01:00


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Multicast DNS mDNS

The multicast DNS **mDNS** protocol resolves host names to IP addresses within small networks that do not include a local name server.

When an mDNS client needs to resolve a host name, it sends an IP multicast query message that asks the host with that name to identify itself. The target machine then multicasts a response that includes its IP address (an A or AAAA record). Every machine on that subnet can then use the answer to update its own mDNS cache.

Any host can relinquish its claim to a name by sending a response packet with a Time To Live (TTL) of zero, the so-called goodbye packet; caches that receive it drop the record.

By default, mDNS only resolves host names ending in the .local top-level domain (TLD). This causes problems if that domain also contains hosts that do not implement mDNS but are resolvable through a conventional unicast DNS server; resolving such conflicts requires network-configuration changes.

  • Ethernet frames carry the standard multicast MAC address 01:00:5E:00:00:FB for IPv4 or 33:33:00:00:00:FB for IPv6.
  • IPv4 address 224.0.0.251 or IPv6 address ff02::fb.
  • UDP port 5353.

mDNS is link-local: queries are multicast on the local Ethernet segment only and are not forwarded by routers, so it only reveals (and can only be spoofed from) hosts on your own segment.

DNS-SD Service Discovery

This protocol can be used to discover services in the network. To do that you request special names, e.g. a PTR query for `_printer._tcp.local`: every host offering that service (printers, in this case) answers with the names of the instances it provides, and SRV/TXT records then give the port and details of each instance. Querying `_services._dns-sd._udp.local` returns the list of every service type advertised on the segment. A complete list of these special names can be found here.
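The following is an added example (not code from the original HackTricks page) covering both the mDNS resolution described above and the DNS-SD browse queries: it builds the raw mDNS query packet, parses a responder's answer including DNS name compression, and separates goodbye (TTL 0) records from live ones. The responder message is constructed inline so the demo runs offline; the service and instance names in it are made up, and `query_local` is the only part that touches the network.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1
QU_BIT = 0x8000   # "unicast response requested" bit carried in the question class
SERVICE_ENUM = "_services._dns-sd._udp.local"   # meta-query that lists every advertised service type


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_PTR, unicast=False):
    """One-question mDNS query: ID 0 and flags 0, as multicast queries use."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; return (name, end)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the suffix
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_response(answers):
    """Constructed responder message: one PTR record per (service_type, instance, ttl).
    The rdata points back at the owner name with a compression pointer, as real
    responders do, so the parser's pointer handling is exercised."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(answers), 0, 0)
    body = b""
    for service, instance, ttl in answers:
        owner_offset = len(header) + len(body)
        rdata = bytes([len(instance)]) + instance.encode("ascii") + struct.pack("!H", 0xC000 | owner_offset)
        body += encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def parse_records(data):
    """Return [(owner, type, ttl, rdata)] for every RR; PTR rdata is decoded to a name."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qd):                      # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(data, offset)
        offset += rdlen
        records.append((owner, rtype, ttl, rdata))
    return records


def split_goodbyes(records):
    """TTL 0 is a 'goodbye': the host relinquishes the name and caches must drop it."""
    alive = [r for r in records if r[2] > 0]
    gone = [r for r in records if r[2] == 0]
    return alive, gone


def query_local(name, qtype=TYPE_PTR, timeout=2.0):
    """Live query on the local segment (not exercised offline): multicast the question
    and collect whatever responders on this link answer within the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, qtype, unicast=True), (MDNS_GROUP, MDNS_PORT))
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(9000)
            found.extend((ip,) + r for r in parse_records(data))
    except socket.timeout:
        pass
    return found


# Constructed sample: one printer announces itself, another one says goodbye (TTL 0).
SAMPLE_RESPONSE = build_response([("_printer._tcp.local", "Office", 4500),
                                  ("_printer._tcp.local", "OldPrinter", 0)])
```

Calling `query_local(SERVICE_ENUM)` on a real segment lists every service type in use there; since the query goes out with the QU bit set, responders answer by unicast to the sender. Anyone on the same link can answer a query, which is exactly what mDNS spoofing tools rely on.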

SSDP

The Simple Service Discovery Protocol is used to discover services in a network; it is the discovery step of UPnP.

SSDP is a text-based protocol based on HTTPU (HTTP over UDP). It uses UDP as the underlying transport protocol. Services are advertised by the hosting system with multicast addressing to a specifically designated IP multicast address at UDP port number 1900. In IPv4, the multicast address is 239.255.255.250. Clients search with an M-SEARCH request to that group and devices reply by unicast (they also announce themselves periodically with NOTIFY messages); the LOCATION header of each reply points to the device description XML.
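Added example (not from the original page) of the SSDP exchange: it builds the M-SEARCH datagram, parses a device's reply into its HTTP-style headers, and flags replies whose LOCATION does not point back at the host that sent them, which is a cheap heuristic for spoofed or redirected device descriptions. The sample reply is constructed for the demo (the IP, USN and SERVER values are invented); only `discover` talks to the network.

```python
import socket
from urllib.parse import urlsplit

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900


def build_msearch(st="ssdp:all", mx=2):
    """M-SEARCH request: HTTP-shaped text sent over UDP (HTTPU) to the SSDP group.
    ST selects what to look for; MX is the maximum random delay devices may wait."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n"
            "\r\n").encode("ascii")


def parse_ssdp(datagram):
    """Split an SSDP datagram (search response or NOTIFY) into start line and headers."""
    head = datagram.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def location_is_suspicious(headers, sender_ip):
    """True when the LOCATION URL is missing or its host is not the replying device.
    Heuristic only: multi-homed devices can legitimately answer from another address."""
    location = headers.get("LOCATION")
    if not location:
        return True
    return urlsplit(location).hostname != sender_ip


def discover(st="ssdp:all", timeout=3.0):
    """Live discovery on the local segment (not run offline): send one M-SEARCH and
    collect (sender ip, ST, LOCATION, suspicious?) for every reply until the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(st), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            _start, headers = parse_ssdp(data)
            found.append((ip, headers.get("ST"), headers.get("LOCATION"),
                          location_is_suspicious(headers, ip)))
    except socket.timeout:
        pass
    return found


# Constructed reply, shaped like a router's answer to the M-SEARCH above.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"EXT:\r\n"
                b"LOCATION: http://192.168.1.20:49152/rootDesc.xml\r\n"
                b"SERVER: Linux/3.x UPnP/1.0 MiniUPnPd/2.1\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-constructed-0000::upnp:rootdevice\r\n"
                b"\r\n")
```

`discover("upnp:rootdevice")` is the usual first step of a UPnP assessment; the LOCATION URLs it returns are then fetched to enumerate the device's control endpoints.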

WSD

Web Services for Devices (WSD).
This service allows a device connected to a network to discover which services (printers, for example) are available on the network. It is built on WS-Discovery: SOAP messages carried over UDP and multicast to 239.255.255.250 on port 3702.

The client can send a multicast Probe asking for some kind of service, or the service provider can send a multicast Hello announcing that it offers a service.

OAuth2.0

Protocol that allows you to share your information, for example the information Google holds about you, with other services.

Basically it lets one service hand over only the minimum necessary data it stores about you to another service. This way you can log in faster, your data is stored in only one place, and you do not have to create usernames/passwords everywhere.

This works like this:

First you must already be logged into Google, or a window opens for you to log in. The application then sends the browser to Google asking for permission to access your info. Google shows one of those screens of "The application XXXXX wants to access this information of yours: ..."; when you click accept, Google redirects the browser back to the application with a code. The application then sends that code (together with its own client credentials, over a direct back-channel request) to Google, and Google responds with an access token. Once the application has the token, it can call the Google API to obtain the information it asked for. The token is fetched by the application, not by the browser, so the code is the only secret that crosses the user's browser; that is why the code must be single-use and bound to the application and redirect address that requested it.

RADIUS

Authentication and authorization protocol to access a network. Uses UDP port 1812 for authentication and 1813 for accounting (some older deployments still use 1645/1646).

It is mainly used by internet service providers to manage network access for their customers.

Allows Authentication, Authorization and Accounting (AAA).

How does it work:

The user first talks to the NAS (Network Access Server: the VPN concentrator, switch, wireless controller or dial-up gateway), which acts as the gateway to the server. The NAS checks that the username and password it received are valid by forwarding them to the RADIUS server in an Access-Request; the server answers with Access-Accept or Access-Reject.

Optionally, for greater security, the server can also check the calling station's network address or phone number as reported by the NAS (the NAS-IP-Address / Calling-Station-Id attributes) to see whether it matches what is expected.

The NAS and the RADIUS server (not the user) hold a "shared secret". It is never sent on the wire: the NAS uses it to obfuscate the User-Password attribute (MD5 of the secret and the random Request Authenticator, XORed with the password), and the server uses it to compute the Response Authenticator that proves its reply is genuine. With CHAP the NAS instead sends a challenge to the user, the user hashes the password together with the challenge and returns the result, the NAS forwards challenge and response to RADIUS, and if they match what the server computes from the stored password the user has proven their identity. The consequence for an attacker: anyone who captures the NAS-to-server traffic and knows the shared secret (or brute-forces it offline from a captured Response Authenticator) can recover every PAP password.

Once the identity is proven, the RADIUS server instructs the NAS, through attributes in the Access-Accept, to assign the user an IP address and other session parameters. When the session starts, the NAS sends an Accounting-Start message to RADIUS for it to record, and when the user logs out it sends an Accounting-Stop. In this way RADIUS records the consumption of each session so it can be billed accordingly (this data is also used for statistics).
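Added example (not from the original page) of the NAS-to-server exchange: it implements the RFC 2865 User-Password hiding and the Response Authenticator exactly, builds an Access-Request as a NAS would, answers it with a toy RADIUS server, and verifies the reply on the NAS side. It also shows the practitioner's point from above: holding the shared secret and the captured request is enough to read the password back. The shared secret, user database and NAS address are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """What the RADIUS server does, and what anyone with the secret and a capture can do."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    attrs, off = {}, 0
    while off < len(data):
        attr_type, length = data[off], data[off + 1]
        attrs[attr_type] = data[off + 2:off + length]
        off += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_authenticator=None):
    """NAS side: Access-Request with a fresh random 16-byte Request Authenticator."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came
    from a party holding the shared secret and binds it to this request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def handle_access_request(packet, secret, users):
    """Toy RADIUS server: recover the password, compare, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_authenticator)
    reply_code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    reply_attrs = b""   # a real server adds Framed-IP-Address etc. here
    return (struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
            + response_authenticator(reply_code, ident, reply_attrs, request_authenticator, secret)
            + reply_attrs)


def verify_response(packet, request_authenticator, secret):
    """NAS side: check the Response Authenticator before trusting an Accept."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_authenticator, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Because `response_authenticator` is a plain MD5 over public packet bytes plus the secret, a single captured request/reply pair is enough to test candidate secrets offline; once the secret is known, `reveal_password` turns every captured Access-Request into cleartext.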

SMB and NetBIOS

SMB

It is a protocol for sharing files, printers, serial ports and named pipes between machines on a network.

It can run directly over TCP on port 445, which a Windows port scan reports as microsoft-ds.

Or over NetBIOS over TCP/IP (NBT): UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service, reported as netbios-ssn).

SMB is implemented both directly over TCP and over NetBIOS + TCP so that it can talk to the widest range of equipment, including machines that only support one of the two transports.

NetBIOS

Its function is to establish sessions and maintain connections in order to share network resources, but to send packets from one site to another it needs an underlying transport such as IPX/SPX, NetBEUI or TCP/IP.

Every machine using NetBIOS must have a unique name that distinguishes it from the rest, so when a new machine joins it first checks (by broadcasting a name registration) that no one is already using the name it wants. There are also group names, which as many stations as desired can share, but two groups cannot have the same name. Group names are a way to send messages to several machines at once, so you can send messages to a single host, to a group, or as a broadcast.

The communication can be connectionless or connection-oriented:

Connectionless: a datagram is sent to the destination with no handshake or acknowledgement. The destination machine must be configured to receive datagrams.

Connection-oriented: a session is created between two names (it can even be between two names on the same machine); delivery is confirmed with a received or error message.

NetBEUI is really NetBIOS over NetBEUI, a network and transport protocol that carries NetBIOS. It was fast but very noisy because it broadcast a lot. SMB over NetBEUI also exists, but today it is far more common to run NetBIOS over TCP/IP.
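Added example (not from the original page) of how NetBIOS names actually travel on UDP 137: the 16-byte name (15 characters plus a suffix byte that encodes the role, 0x00 workstation, 0x20 file server, 0x1D master browser) is first-level encoded into 32 letters, wrapped in a DNS-shaped query, and a node-status (NBSTAT) reply lists every unique and group name a host holds together with its MAC address. The host names, suffixes and MAC in the sample reply are constructed; the packet layouts follow RFC 1002.

```python
import struct

NBNS_PORT = 137
TYPE_NB, TYPE_NBSTAT = 0x20, 0x21


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001/1002): the 15-character name (space padded) plus
    one suffix byte are split into nibbles and each nibble becomes a letter 'A'..'P'."""
    if name == "*":                                   # the wildcard name is NUL padded
        raw = b"*" + b"\x00" * 14 + bytes([suffix])
    else:
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    if len(raw) != 16:
        raise ValueError("NetBIOS names are at most 15 characters")
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbns_query(name, suffix=0x00, qtype=TYPE_NB, txid=0x1234, broadcast=True):
    """NBNS query: a DNS-shaped packet whose single question is the 32-char encoded name.
    Broadcast name queries use flags 0x0110 (RD + B bits); a node-status request
    (nbtstat -A style: qtype 0x21, name '*') goes unicast to one host with flags 0."""
    flags = 0x0110 if (broadcast and qtype == TYPE_NB) else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_node_status_response(txid, names, mac):
    """Constructed NBSTAT reply as a host would send it: NUM_NAMES entries of
    15-byte name + suffix + 2 flag bytes (bit 0x8000 = group name), then the
    statistics block, whose first 6 bytes are the adapter MAC."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name("*").encode("ascii") + b"\x00"
    entries = b"".join(n.encode("ascii").ljust(15, b" ") + bytes([s]) + struct.pack("!H", f)
                       for n, s, f in names)
    rdata = bytes([len(names)]) + entries + mac + b"\x00" * 40
    return header + rr_name + struct.pack("!HHIH", TYPE_NBSTAT, 1, 0, len(rdata)) + rdata


def parse_node_status(packet):
    """Parse an NBSTAT response into ([(name, suffix, 'unique'|'group')], mac)."""
    off = 12
    off += 1 + packet[off] + 1                         # RR_NAME: one 32-char label + terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    if rtype != TYPE_NBSTAT:
        raise ValueError("not a node status response")
    count = packet[off]
    off += 1
    names = []
    for _ in range(count):
        entry = packet[off:off + 18]
        off += 18
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        flags = struct.unpack("!H", entry[16:18])[0]
        names.append((name, entry[15], "group" if flags & 0x8000 else "unique"))
    return names, packet[off:off + 6]
```

Sending `build_nbns_query("*", qtype=TYPE_NBSTAT)` to a host on UDP 137 and feeding the answer to `parse_node_status` is what nbtscan and `nbtstat -A` do; the <20> name confirms a file server and the group entries reveal the workgroup or domain.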

LDAP

Protocol that allows managing directories and accessing user information bases through TCP/IP (TCP 389, or 636 for LDAPS).

It allows both extracting information and inserting it through different operations (bind, search, compare, add, modify, delete).

It is therefore the protocol used to access the various directory databases that speak it, Active Directory among them.

Active Directory

It is basically a database of objects with information such as users, groups, privileges and resources, accessible over the network through a domain so that the information can be accessed and managed centrally.

The domain controller is the server that stores these objects. The objects are visible on the network through a domain; a domain contains the server that implements it, plus groups, users, computers...

You can also have subdomains (child domains) with their own domain controller and their own groups and users.

In this way the management of a network's users is centralized: the accounts that can log in are created on this server, together with the permissions that decide whether they may access particular network resources, so everything can be controlled in a simple way.

You can therefore query the directory with a username and obtain information such as email or phone number. You can also make general queries such as: where are the printers? What are the domain names?
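Added example (not from the original page) covering the LDAP and Active Directory sections above: the "look up a user and get their email" and "where are the printers" questions are LDAP search filters, and when the username comes from user input the filter must be escaped (RFC 4515) or the caller can rewrite it. To show the effect offline, the block includes a small filter parser and evaluator over a constructed in-memory directory standing in for an AD domain; the entries, attribute names and the `corp.local` domain are invented, and the evaluator is a toy, not an LDAP server.

```python
import re

# Constructed toy directory standing in for an AD domain (attribute names are lowercased).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=corp,DC=local",
     "objectclass": ["top", "person", "user"], "samaccountname": ["alice"],
     "mail": ["alice@corp.local"], "telephonenumber": ["+1 555 0101"]},
    {"dn": "CN=Bob,OU=Users,DC=corp,DC=local",
     "objectclass": ["top", "person", "user"], "samaccountname": ["bob"],
     "mail": ["bob@corp.local"]},
    {"dn": "CN=HQ-Printer,OU=Printers,DC=corp,DC=local",
     "objectclass": ["top", "printQueue"], "cn": ["HQ-Printer"], "location": ["Floor 2"]},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value inserted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter_unsafe(username):
    """String concatenation: the caller's input becomes filter syntax."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % username


def build_filter_safe(username):
    """Same filter with the value escaped, so it can only ever match literally."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(username)


def parse_filter(text, i=0):
    """Parse a filter into ('&'|'|', [children]) / ('!', child) / ('=', attr, pattern)."""
    if text[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = parse_filter(text, i)
            children.append(child)
        return (op, children), i + 1
    if text[i] == "!":
        child, i = parse_filter(text, i + 1)
        return ("!", child), i + 1
    eq = text.index("=", i)
    end = text.index(")", eq)                 # an escaped value contains no raw ')'
    return ("=", text[i:eq].lower(), text[eq + 1:end]), end + 1


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def match_value(pattern, value):
    """A raw '*' in the pattern is a wildcard; an escaped '\\2a' is a literal asterisk."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1], entry)
    _, attr, pattern = node
    return any(match_value(pattern, v) for v in entry.get(attr, []))


def search(directory, filter_text, attributes=("dn",)):
    """Toy search: the requested attributes of every entry the filter matches."""
    node, _ = parse_filter(filter_text)
    return [{a: e.get(a) for a in attributes} for e in directory if evaluate(node, e)]
```

With the input `*)(objectClass=*` the unsafe builder yields `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, which matches every user; the escaped version turns the same input into a literal that matches nobody. The same escaping rule applies whatever client library is used against a real directory.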
