Network Protocols Field Guide
Knowing how data moves lets you defend it. Each protocol brief below mirrors the format of a classic field card: purpose, ports, mechanics, and a tangible use case. Keep it on hand when planning network segmentation, hardening ingress controls, or spotting suspicious traffic on the wire.
FTP (File Transfer Protocol): file transfer over a control channel plus a separate data channel.
- Port: TCP 21 (control channel); data on server-side TCP 20 (active mode) or a server-chosen high port (passive mode).
- How it works: Clients authenticate over the control session, then open a secondary data channel to push or pull files. Both channels are unencrypted by default, so credentials and file contents are readable on the wire.
- Real-life example: A web developer uploads site assets to a hosting provider using an FTP client.
- Ethical hacker tactics: Probe for anonymous logins and weak credentials, capture cleartext credentials with passive sniffing, then escalate to directory-traversal or data-exfiltration tests.
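The control-channel exchange the FTP card describes, as an added Python example that is not part of the original guide: it decodes a passive-mode (227) reply into the host and high port the data channel will use, and runs the anonymous-login probe against a scripted server so it works offline. The server replies, banner and addresses are constructed for the example; the `SocketChannel` class shows the same probe against a real host and is an assumption about how you would wire it up.

```python
import re
import socket

# Constructed example: decode a PASV reply and probe for anonymous login over
# the cleartext FTP control channel. Nothing here comes from the field guide.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The data port is p1*256 + p2 and is chosen by the server per transfer,
    which is why passive FTP needs a whole high-port range open on the firewall.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class SocketChannel:
    """Real control channel (assumed usage; handles single-line replies only,
    multi-line 220- banners need the continuation logic of a full client)."""

    def __init__(self, host, port=21, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def readline(self):
        return self.reader.readline()

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))


class FakeControlChannel:
    """Scripted server replies (constructed) so the probe runs offline."""

    def __init__(self, anonymous_ok):
        self.anonymous_ok = anonymous_ok
        self.sent = []
        self.pending = ["220 (vsFTPd 3.0.3)\r\n"]

    def readline(self):
        return self.pending.pop(0)

    def sendline(self, line):
        self.sent.append(line)
        verb = line.split()[0]
        if verb == "USER":
            self.pending.append("331 Please specify the password.\r\n")
        elif verb == "PASS":
            self.pending.append("230 Login successful.\r\n" if self.anonymous_ok
                                else "530 Login incorrect.\r\n")
        elif verb == "PASV":
            self.pending.append("227 Entering Passive Mode (192,168,1,10,195,80).\r\n")
        else:
            self.pending.append("500 Unknown command.\r\n")


def probe_anonymous(chan):
    """Run the USER/PASS exchange exactly as a sniffer on the wire would see it,
    then ask for a passive data endpoint if the login succeeded."""
    result = {"banner": chan.readline().strip(), "anonymous": False,
              "data_endpoint": None}
    chan.sendline("USER anonymous")
    chan.readline()                       # 331, password required
    chan.sendline("PASS probe@example.com")
    if chan.readline().startswith("230"):
        result["anonymous"] = True
        chan.sendline("PASV")
        result["data_endpoint"] = parse_pasv(chan.readline())
    chan.sendline("QUIT")
    return result


if __name__ == "__main__":
    print(probe_anonymous(FakeControlChannel(anonymous_ok=True)))
```

Swap `FakeControlChannel` for `SocketChannel("target", 21)` to run the probe for real; the USER and PASS lines it sends are exactly what a passive sniffer on the same segment would capture.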
SSH (Secure Shell): encrypted remote administration and transport for other services.
- Port: TCP 22.
- How it works: Negotiates a key exchange, authenticates the host and the user, and sets up symmetric ciphers to establish an encrypted, integrity-protected channel, then multiplexes shell access, file transfer (SCP/SFTP), and port forwarding over it.
- Real-life example: An engineer manages Linux servers from a laptop over an encrypted SSH session.
- Ethical hacker tactics: Enumerate the version banner, attempt key- or password-based brute force, and hunt for agent-forwarding or jump-host misconfigurations that enable lateral movement or port-forwarding abuse.
Telnet: cleartext remote terminal access.
- Port: TCP 23.
- How it works: Sends keystrokes and responses in cleartext over a simple command-line session.
- Real-life example: Older network appliances that still expose Telnet for maintenance (best disabled or firewalled).
- Ethical hacker tactics: Capture credentials in transit, replay captured sessions, and exploit default accounts to demonstrate downgrade risks versus SSH.
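The credential capture the Telnet card describes, as an added Python example that is not part of the original guide: it strips Telnet option negotiation (IAC sequences) from a reassembled stream and then recovers the username and password typed after the `login:` and `Password:` prompts. The session below is constructed, with the client sending one keystroke per segment as real Telnet clients do; the prompt strings and the recovered credentials are part of that constructed input, not anything observed.

```python
# Constructed example: recover a Telnet login from captured traffic.
# Telnet has no protocol-level authentication; the prompts are plain text,
# so the extractor keys on them.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(data: bytes):
    """Remove IAC negotiation from a Telnet byte stream.

    Returns (payload, negotiated) where negotiated lists (command, option)
    pairs such as (DO, 0x18) for terminal-type negotiation.
    """
    out, negotiated, i = bytearray(), [], 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                         # truncated escape at end of segment
        cmd = data[i + 1]
        if cmd == IAC:                    # IAC IAC is a literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT) and i + 2 < len(data):
            negotiated.append((cmd, data[i + 2]))
            i += 3
        elif cmd == SB:                   # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            i = end + 2
        else:                             # two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out), negotiated


def extract_credentials(segments):
    """segments: list of (direction, raw_bytes) in capture order, where
    direction is 'S' (server to client) or 'C' (client to server).

    After the server prints a login or password prompt, every client byte up to
    CR is the value the user typed. CR NUL and CR LF both end a line."""
    field, buf, found = None, bytearray(), {}
    for direction, raw in segments:
        payload, _ = strip_telnet_options(raw)
        if direction == "S":
            text = payload.decode("latin-1").rstrip().lower()
            if text.endswith("login:"):
                field, buf = "username", bytearray()
            elif text.endswith("password:"):
                field, buf = "password", bytearray()
        elif field is not None:
            for b in payload:
                if b in (0x0D, 0x0A):
                    if buf:
                        found[field] = buf.decode("latin-1")
                    field = None
                    break
                if b == 0x00:             # NUL that follows CR in NVT
                    continue
                buf.append(b)
    return found


# Constructed capture: option negotiation, a login prompt, keystrokes one per
# segment, server echo of the username, and an unechoed password.
SAMPLE_SESSION = [
    ("S", bytes([IAC, DO, 0x18, IAC, WILL, 0x01]) + b"\r\nrouter login: "),
    ("C", bytes([IAC, WILL, 0x18, IAC, DO, 0x01]) + b"a"),
    ("C", b"d"), ("C", b"m"), ("C", b"i"), ("C", b"n"), ("C", b"\r\x00"),
    ("S", b"admin\r\nPassword: "),
    ("C", b"Winter2024!"), ("C", b"\r\x00"),
    ("S", b"\r\nrouter> "),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SESSION))
```

To run this on real traffic, feed it the per-packet TCP payloads of the Telnet stream in capture order (for example from a pcap read with a packet library); everything the extractor needs is already in the clear, which is the whole argument for replacing Telnet with SSH.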
SMTP (Simple Mail Transfer Protocol): sending and relaying e-mail.
- Port: TCP 25 (MTA-to-MTA relay), TCP 587 (message submission with STARTTLS), TCP 465 (submission over implicit TLS, SMTPS).
- How it works: Store-and-forward messaging. A client hands mail to a submission server, which relays it hop by hop between MTAs until it reaches the recipient's domain; TLS is optional on each hop.
- Real-life example: When you send an email, your client hands it to an SMTP server that routes it toward the recipient's domain.
- Ethical hacker tactics: Test for open relays, sender-spoofing weaknesses, and command injection in mail handlers, and demonstrate STARTTLS stripping where the server still accepts authentication over cleartext.
HTTP (Hypertext Transfer Protocol): web traffic in cleartext.
- Port: TCP 80.
- How it works: Stateless request/response protocol where clients ask for resources and servers respond with headers and content.
- Real-life example: Browsing an internal wiki hosted over plain HTTP on a segmented intranet.
- Ethical hacker tactics: Perform reconnaissance for outdated frameworks, inject payloads (XSS, SQLi), and sniff unencrypted sessions to harvest tokens or credentials.
HTTPS (HTTP over TLS): web traffic with confidentiality, integrity, and server authentication.
- Port: TCP 443.
- How it works: Wraps HTTP inside TLS, negotiating keys and ciphers so data and authentication remain confidential and tamper-evident.
- Real-life example: Secure online banking sessions that display the browser lock icon.
- Ethical hacker tactics: Enumerate certificate flaws (expired, self-signed, weak chains), test whether missing HSTS lets an attacker on a hostile network such as a captive portal strip TLS from the first request, and target application-layer bugs after decrypting traffic with an authorized intercepting-proxy certificate.
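The reconnaissance step shared by the HTTP and HTTPS cards, as an added Python example that is not part of the original guide: it builds a raw request, parses a raw response, and audits the headers for the things a tester looks for first, namely version disclosure, session cookies that can be harvested over cleartext or by XSS, redirects back to `http://`, and the missing HSTS header that makes TLS stripping possible. The sample response, server strings and cookie names are constructed; `fetch` shows how the same audit would run against a live host and is an assumption about usage.

```python
import socket
import ssl

# Constructed example: raw HTTP request/response handling and a header audit.
# The sample response below is made up for the example.


def build_request(host, path="/", method="GET"):
    """Minimal HTTP/1.1 request; Host is mandatory and Connection: close lets
    us read until EOF instead of parsing Content-Length."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: header-audit/1.0\r\nConnection: close\r\n\r\n").encode()


def parse_response(raw: bytes):
    """Split a raw response into (status, [(name, value)...], body).
    Header names are lower-cased; the same header may appear several times."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status), headers, body


def audit(raw: bytes, over_tls: bool):
    """Return a list of findings a pentester would note from the headers alone."""
    status, headers, _ = parse_response(raw)

    def get(name):
        return [v for k, v in headers if k == name]

    findings = []
    for banner in get("server") + get("x-powered-by"):
        if any(ch.isdigit() for ch in banner):
            findings.append(f"version disclosure: {banner}")
    if over_tls and not get("strict-transport-security"):
        findings.append("no HSTS: a first request over plain HTTP can be stripped")
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if over_tls and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: leaks on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable via XSS")
        if not over_tls:
            findings.append(f"cookie {name} issued over cleartext HTTP: sniffable")
    if 300 <= status < 400:
        for loc in get("location"):
            if loc.startswith("http://"):
                findings.append(f"redirect to cleartext URL: {loc}")
    return findings


def fetch(host, path="/", use_tls=True, timeout=5):
    """Send build_request() to a live host and return the raw response bytes
    (assumed usage; not exercised offline)."""
    sock = socket.create_connection((host, 443 if use_tls else 80), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample response from a hypothetical intranet app.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Apache/2.4.29 (Ubuntu)\r\n"
                   b"X-Powered-By: PHP/7.2.24\r\n"
                   b"Set-Cookie: PHPSESSID=3f9a1c; Path=/\r\n"
                   b"Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
                   b"Content-Type: text/html\r\n\r\n"
                   b"<html>wiki</html>")

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE, over_tls=True):
        print("-", f)
```

Run `audit(fetch("host"), over_tls=True)` against a test system you are authorized to probe; the cleartext variant (`over_tls=False`) is the check to run on the intranet wiki from the HTTP card.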
DNS (Domain Name System): name-to-address resolution.
- Port: UDP 53 for queries; TCP 53 for zone transfers (AXFR) and for responses too large for UDP (the server sets the TC bit and the client retries over TCP).
- How it works: Recursive resolvers query authoritative servers on the client's behalf, cache the answers for their TTL, and return the matching resource records.
- Real-life example: Every time you visit a website, your resolver asks DNS which IP address to contact.
- Ethical hacker tactics: Attempt zone transfers, demonstrate cache poisoning in lab settings, and enumerate subdomains to inform phishing simulations or attack-surface reduction.
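The query and response mechanics from the DNS card, as an added Python example that is not part of the original guide: it builds a DNS query with the standard library only, frames it for TCP when needed (the same 2-byte length prefix an AXFR request uses), and parses a response including name-compression pointers and the TC bit that tells a client to retry over TCP. The sample response is constructed to look like an A record answer; `query_udp` shows live use against a resolver and is an assumption about usage.

```python
import random
import socket
import struct

# Constructed example: minimal DNS wire-format builder and parser.
QTYPE_A, QTYPE_NS, QTYPE_CNAME, QTYPE_AXFR = 1, 2, 5, 252


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None, tcp=False) -> bytes:
    """Header (12 bytes, RD=1) + one question. Over TCP the message is prefixed
    with its 2-byte length; that is also how an AXFR (qtype 252) is sent."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name at off; return (name, offset after it).
    A label byte with the top two bits set is a 14-bit pointer into msg."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2           # the pointer occupies 2 bytes in the RR
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return id, truncation flag, rcode and a list of (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(map(str, rdata))
        elif rtype in (QTYPE_NS, QTYPE_CNAME):
            value, _ = decode_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0xF, "answers": answers}


def query_udp(server, name, qtype=QTYPE_A, timeout=3):
    """Live lookup (assumed usage). A TC=1 answer means retry over TCP."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = parse_response(s.recv(4096))
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch: spoofed or stale reply")
    return resp


# Constructed response: answer to query id 0x1234 for example.com/A, with the
# answer name written as a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

The 16-bit transaction id checked in `query_udp` is, together with the source port, the only thing an off-path attacker has to guess to poison a resolver's cache, which is why the DNS card's poisoning exercise belongs in a lab.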
DHCP (Dynamic Host Configuration Protocol): automatic IP addressing and network settings.
- Port: UDP 67 (server) and UDP 68 (client).
- How it works: The client broadcasts DHCPDISCOVER, servers answer with DHCPOFFER, the client picks one offer with DHCPREQUEST, and the server confirms with DHCPACK; leases define how long the assignment lasts. Nothing in the exchange authenticates the server.
- Real-life example: A laptop joins an office Wi-Fi network and immediately receives an IP, gateway, and DNS settings via DHCP.
- Ethical hacker tactics: Launch rogue DHCP servers, exhaustion attacks, or option spoofing to demonstrate how clients can be redirected to malicious gateways.
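The discover/offer mechanics from the DHCP card, as an added Python example that is not part of the original guide: it builds a DHCPDISCOVER the way a client would, builds a DHCPOFFER the way a server (or a rogue one) would, parses the option list, and checks the offer's server identifier against an allowlist, which is the core of rogue-DHCP detection. All addresses, the MAC and the transaction id are constructed for the example.

```python
import socket
import struct

# Constructed example: DHCP packet building and parsing (RFC 2131 layout).
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_PARAMS = 3, 6, 51, 53, 54, 55


def _header(op, xid, mac, yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=0):
    """Fixed 236-byte BOOTP header followed by the DHCP magic cookie."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, flags,
                      b"\0" * 4, socket.inet_aton(yiaddr),
                      socket.inet_aton(siaddr), b"\0" * 4)
    return hdr + mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + MAGIC


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client broadcast: message type DISCOVER, parameter request list asking
    for router and DNS. flags=0x8000 asks for a broadcast reply."""
    opts = bytes([OPT_MSGTYPE, 1, 1, OPT_PARAMS, 3, 1, OPT_ROUTER, OPT_DNS, 255])
    return _header(1, xid, mac, flags=0x8000) + opts


def build_offer(xid, mac, yiaddr, server, router, dns, lease):
    """Server reply. A rogue server sends exactly this with itself as router
    and DNS, which is why option 54 (server identifier) is what we verify."""
    opts = (bytes([OPT_MSGTYPE, 1, 2])
            + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server)
            + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
            + bytes([OPT_DNS, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease) + bytes([255]))
    return _header(2, xid, mac, yiaddr=yiaddr, siaddr=server) + opts


def parse_dhcp(pkt: bytes):
    """Return the fixed fields plus a {code: raw_value} option map."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = socket.inet_ntoa(pkt[16:20])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": pkt[28:28 + hlen],
            "options": opts}


def describe_offer(pkt: bytes):
    p = parse_dhcp(pkt)
    o = p["options"]
    return {
        "type": MSG_TYPES.get(o.get(OPT_MSGTYPE, b"\0")[0], "?"),
        "xid": p["xid"],
        "offered_ip": p["yiaddr"],
        "server_id": socket.inet_ntoa(o[OPT_SERVER_ID]) if OPT_SERVER_ID in o else None,
        "router": socket.inet_ntoa(o[OPT_ROUTER][:4]) if OPT_ROUTER in o else None,
        "dns": [socket.inet_ntoa(o[OPT_DNS][i:i + 4])
                for i in range(0, len(o.get(OPT_DNS, b"")), 4)],
        "lease": struct.unpack("!I", o[OPT_LEASE])[0] if OPT_LEASE in o else None,
    }


def is_rogue(offer, trusted_servers):
    """An offer from a server identifier outside the allowlist is rogue; a
    switch with DHCP snooping applies the same rule per port."""
    return offer["server_id"] not in trusted_servers


# Constructed scenario: a laptop discovers, and an unauthorized host answers.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
ROGUE_OFFER = build_offer(XID, CLIENT_MAC, "192.168.1.50", "192.168.1.66",
                          "192.168.1.66", ["192.168.1.66"], 3600)

if __name__ == "__main__":
    offer = describe_offer(ROGUE_OFFER)
    print(offer, "ROGUE" if is_rogue(offer, {"192.168.1.1"}) else "ok")
```

To monitor a real segment, bind a raw or UDP socket on port 68, feed every received datagram through `describe_offer`, and alert on `is_rogue`; the constructed offer above also shows what a rogue server's redirected gateway and DNS look like on the wire.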
SNMP (Simple Network Management Protocol): device monitoring and management.
- Port: UDP 161 for polling, UDP 162 for traps/notifications.
- How it works: Managers query agents for MIB objects identified by OIDs (GET, GETNEXT, SET); agents send traps for asynchronous events. SNMPv1 and v2c authenticate with a community string sent in cleartext; v3 adds per-user authentication and encryption.
- Real-life example: A NOC dashboard polls switches and routers for interface statistics using SNMPv3.
- Ethical hacker tactics: Enumerate default community strings (public, private), brute-force SNMPv1/v2c community strings, and pull configuration data to illustrate why SNMPv3 with authentication and privacy plus ACLs is mandatory.
IMAP (Internet Message Access Protocol): server-side mailbox access.
- Port: TCP 143 (cleartext, upgradeable with STARTTLS), TCP 993 (implicit TLS, IMAPS).
- How it works: Keeps mail on the server while clients maintain folder state, enabling multi-device access with near real-time updates.
- Real-life example: Checking corporate email from phone and laptop while keeping folders aligned.
- Ethical hacker tactics: Assess brute-force protections, strip STARTTLS where the server still accepts LOGIN before TLS, and script mailbox enumeration to prove the need for MFA and rate limits.
POP3 (Post Office Protocol v3): download-and-delete mail retrieval.
- Port: TCP 110 (cleartext, upgradeable with STLS), TCP 995 (implicit TLS, POP3S).
- How it works: Client connects, authenticates, retrieves messages, and typically deletes them from the server after download.
- Real-life example: Legacy desktop mail clients configured to pull mail to an offline archive.
- Ethical hacker tactics: Attempt credential stuffing, intercept cleartext logins on unsecured links, and replay message retrieval to demonstrate confidentiality gaps.
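The STARTTLS downgrade described in the IMAP card, and the cleartext-login exposure from the POP3 card, as one added Python example that is not part of the original guide: a scripted IMAP server can be placed behind a simulated STARTTLS-stripping MITM, and a client that either requires TLS or does not shows exactly when credentials cross the wire in the clear. A capability assessor covers the pre-TLS checks for both IMAP (`STARTTLS`, `LOGINDISABLED`) and POP3 (`STLS`, `USER`). Server capabilities, the user name and password are constructed.

```python
import re

# Constructed example: STARTTLS stripping against IMAP, plus pre-TLS capability
# assessment for IMAP and POP3.


def imap_capabilities(line: str):
    """Parse '* CAPABILITY ...' or a greeting with '[CAPABILITY ...]'."""
    m = re.search(r"CAPABILITY ([^\]\r\n]*)", line)
    return set(m.group(1).split()) if m else set()


def pop3_capabilities(capa_reply: str):
    """Parse a CAPA reply: '+OK', one capability per line, '.' terminator."""
    lines = capa_reply.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    return {ln.split()[0].upper() for ln in lines[1:] if ln and ln != "."}


def assess_pre_tls(caps, proto="imap"):
    """Findings from the capability list seen BEFORE TLS is negotiated."""
    starttls = "STARTTLS" if proto == "imap" else "STLS"
    findings = []
    if starttls not in caps:
        findings.append(f"{starttls} not offered: every login is cleartext")
    if proto == "imap":
        if "LOGINDISABLED" not in caps:
            findings.append("LOGIN accepted before STARTTLS: a MITM that strips "
                            "STARTTLS harvests credentials")
        if any(c.upper() in ("AUTH=PLAIN", "AUTH=LOGIN") for c in caps):
            findings.append("plaintext SASL mechanisms advertised before TLS")
    elif "USER" in caps:
        findings.append("USER/PASS accepted before STLS: credentials sniffable")
    return findings


class FakeImapServer:
    """Constructed IMAP server. With mitm_strips=True the pre-TLS CAPABILITY
    reply is rewritten the way a stripping MITM does it (STARTTLS and
    LOGINDISABLED removed); after STARTTLS the real capabilities are seen."""

    def __init__(self, caps, mitm_strips=False):
        self.caps, self.strip, self.tls = list(caps), mitm_strips, False
        self.replies, self.log = ["* OK IMAP4rev1 ready"], []

    def readline(self):
        return self.replies.pop(0)

    def sendline(self, line):
        self.log.append(line)                       # what the wire carries
        tag, verb = line.split()[0], line.split()[1].upper()
        if verb == "CAPABILITY":
            if self.tls:
                caps = [c for c in self.caps if c != "LOGINDISABLED"]
            else:
                caps = [c for c in self.caps
                        if not (self.strip and c in ("STARTTLS", "LOGINDISABLED"))]
            self.replies += ["* CAPABILITY " + " ".join(caps), f"{tag} OK"]
        elif verb == "STARTTLS":
            self.tls = True                         # TLS handshake happens here
            self.replies.append(f"{tag} OK Begin TLS")
        elif verb == "LOGIN":
            if "LOGINDISABLED" in self.caps and not self.tls:
                self.replies.append(f"{tag} NO cleartext login disabled")
            else:
                self.replies.append(f"{tag} OK logged in")
        else:
            self.replies.append(f"{tag} BAD unknown command")


def login(srv, user, password, require_tls=True):
    """Client policy: with require_tls a missing STARTTLS aborts the session;
    without it the client falls back to cleartext LOGIN (the downgrade)."""
    srv.readline()                                  # greeting
    srv.sendline("a1 CAPABILITY")
    caps = imap_capabilities(srv.readline())
    srv.readline()                                  # a1 OK
    tls = False
    if "STARTTLS" in caps:
        srv.sendline("a2 STARTTLS")
        if srv.readline().startswith("a2 OK"):
            tls = True
            srv.sendline("a3 CAPABILITY")           # must re-read caps after TLS
            caps = imap_capabilities(srv.readline())
            srv.readline()
    elif require_tls:
        return {"logged_in": False, "cleartext": True,
                "reason": "STARTTLS not offered; refusing to send credentials"}
    if "LOGINDISABLED" in caps:
        return {"logged_in": False, "cleartext": not tls, "reason": "LOGINDISABLED"}
    srv.sendline(f"a4 LOGIN {user} {password}")
    ok = srv.readline().startswith("a4 OK")
    return {"logged_in": ok, "cleartext": not tls, "reason": "" if ok else "rejected"}


GOOD_CAPS = ["IMAP4rev1", "STARTTLS", "LOGINDISABLED", "AUTH=PLAIN"]
WEAK_CAPS = ["IMAP4rev1", "STARTTLS", "AUTH=PLAIN"]   # no LOGINDISABLED

if __name__ == "__main__":
    srv = FakeImapServer(WEAK_CAPS, mitm_strips=True)
    print(login(srv, "alice", "hunter2", require_tls=False), srv.log)
```

The combination that matters is a server without `LOGINDISABLED` and a client willing to fall back: the `srv.log` in the last scenario contains the LOGIN line with the password, which is what the MITM captures. Either side alone (server refusing pre-TLS LOGIN, or client requiring TLS) defeats the stripping attack.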
SFTP (SSH File Transfer Protocol): file transfer as an SSH subsystem.
- Port: TCP 22 (runs inside SSH).
- How it works: Provides file operations (list, upload, download, permissions) as a subsystem inside an SSH session, inheriting its encryption and integrity protection.
- Real-life example: A security team exchanges forensic images with a partner via SFTP to maintain confidentiality.
- Ethical hacker tactics: Reuse compromised SSH keys, abuse weak chroot setups, and test for command execution via restricted file subsystem misconfigurations.
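The chroot and restricted-subsystem misconfigurations from the SFTP card, together with the port-forwarding abuse from the SSH card, as one added Python example that is not part of the original guide: it parses an `sshd_config` (global section plus `Match` blocks, first value wins within a section, `Match` values override global ones) and audits each block meant for SFTP-only users for the settings that would let such a user escape to a shell, see the whole filesystem, or pivot through the host with port forwarding. The sample configuration is constructed; `chroot_ownership_ok` is the on-host check for the one requirement the config text cannot prove.

```python
import os

# Constructed example: audit sshd_config Match blocks intended for SFTP-only
# users. Assumes the common "Key value" syntax (the rarer "Key=value" form is
# not handled).


def parse_sshd_config(text: str):
    """Return (global_opts, blocks) with keys lower-cased. sshd uses the first
    value it reads for a keyword, so setdefault mirrors that within a section."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = {"match": value, "opts": {}}
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)
        else:
            current["opts"].setdefault(key, value)
    return global_opts, blocks


def audit_sftp_block(block, global_opts):
    """Findings for one Match block that is supposed to confine users to SFTP.
    Effective values are the block's, falling back to global, then to sshd's
    defaults (AllowTcpForwarding yes, PermitTTY yes, X11Forwarding no)."""
    opts = {**global_opts, **block["opts"]}
    findings = []
    if opts.get("chrootdirectory", "none").lower() == "none":
        findings.append("no ChrootDirectory: user can browse the whole filesystem")
    if "internal-sftp" not in opts.get("forcecommand", ""):
        findings.append("ForceCommand internal-sftp missing: shell or scp access possible")
    if opts.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding not disabled: user can pivot with -L/-R tunnels")
    if opts.get("x11forwarding", "no").lower() != "no":
        findings.append("X11Forwarding enabled for a file-transfer-only account")
    if opts.get("permittty", "yes").lower() != "no":
        findings.append("PermitTTY not disabled: interactive sessions remain possible")
    return findings


def audit_config(text: str):
    """Map each Match block's criteria to its findings; also flag a missing
    sftp subsystem, which means SFTP is not actually available."""
    global_opts, blocks = parse_sshd_config(text)
    report = {b["match"]: audit_sftp_block(b, global_opts) for b in blocks}
    if not global_opts.get("subsystem", "").lower().startswith("sftp"):
        report["_global"] = ["no 'Subsystem sftp' line: SFTP is not enabled"]
    return report


def chroot_ownership_ok(path: str) -> bool:
    """sshd refuses a ChrootDirectory unless it and every parent are root-owned
    and not group/world-writable; this checks one component (assumed usage)."""
    st = os.stat(path)
    return st.st_uid == 0 and not (st.st_mode & 0o022)


# Constructed sshd_config: one correctly confined group, one partner account
# that only got ForceCommand and inherits the permissive global forwarding.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Subsystem sftp internal-sftp
AllowTcpForwarding yes

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no

Match User partner
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for match, findings in audit_config(SAMPLE_CONFIG).items():
        print(match, findings or ["ok"])
```

Run it on a host's `/etc/ssh/sshd_config` and then confirm with `sshd -T -C user=partner` that the effective values match what the audit assumed, since `Include` directives and later overrides can change the picture.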
Reference only. Share with authorized teams. Harden legacy services, prefer encrypted transports, and always document change windows.