Hack Tech

Network Protocols Field Guide

Knowing how data moves lets you defend it. Each protocol brief below mirrors the format of a classic field card: purpose, ports, mechanics, and a tangible use case. Keep it on hand when planning network segmentation, hardening ingress controls, or spotting suspicious traffic on the wire. All testing guidance presumes written authorization and is framed for defensive assessment.

1. FTP (File Transfer Protocol)

Purpose: Move files between client and server systems.

  • Port: TCP 21 (control channel) with TCP 20 (active data) or high ports (passive).
  • How it works: Clients authenticate, open a control session, and then spin up a secondary data channel to push or pull files—unencrypted by default.
  • Real-life example: A web developer uploads site assets to a hosting provider using an FTP client.
  • Ethical hacker tactics: Probe for anonymous logins, weak credentials, and cleartext credentials via passive sniffing before escalating to directory traversal or data exfiltration tests.
  • Assessment toolkit: Use nmap --script ftp* for enumeration and Hydra for credential testing, capturing traffic with Wireshark to evidence encryption gaps.

2. SSH (Secure Shell)

Purpose: Provide encrypted remote login and command execution.

  • Port: TCP 22.
  • How it works: Uses key exchange and strong ciphers to establish a secure channel, then transports shell access, file copy (SCP/SFTP), and tunneling.
  • Real-life example: An engineer manages Linux servers from a laptop over an encrypted SSH session.
  • Ethical hacker tactics: Enumerate banner info, attempt key or password brute force, and hunt for agent or jump-host misconfigurations that enable lateral movement or port forwarding abuse.
  • Assessment toolkit: Run ssh-audit for cipher hygiene, ncrack for credential resilience checks, and BloodHound when SSH ties into Active Directory trust paths.

3. Telnet

Purpose: Offer legacy remote terminal access (insecure).

  • Port: TCP 23.
  • How it works: Sends keystrokes and responses in cleartext over a simple command-line session.
  • Real-life example: Older network appliances that still expose Telnet for maintenance (best disabled or firewalled).
  • Ethical hacker tactics: Capture credentials in transit, replay captured sessions, and exploit default accounts to demonstrate downgrade risks versus SSH.
  • Assessment toolkit: Validate exposure with nmap -sV, script credential tests with Medusa, and document sniffed sessions via tcpdump.

4. SMTP (Simple Mail Transfer Protocol)

Purpose: Relay and deliver outbound email between mail servers.

  • Port: TCP 25 (standard), TCP 587 (submission with STARTTLS), TCP 465 (legacy SSL/TLS).
  • How it works: Uses store-and-forward messaging with optional TLS to transfer mail from clients to servers and between MTAs.
  • Real-life example: When you send an email, your client hands it to an SMTP server that routes it toward the recipient's domain.
  • Ethical hacker tactics: Test for open relays, spoofing weaknesses, command injection in mail handlers, and downgrade attacks on STARTTLS to expose credential leakage.
  • Assessment toolkit: Leverage swaks for scripted SMTP conversations, smtp-user-enum for controlled user enumeration, and STARTTLS scanning with testssl.sh.

5. HTTP (Hypertext Transfer Protocol)

Purpose: Deliver web pages, APIs, and assets over the open internet.

  • Port: TCP 80.
  • How it works: Stateless request/response protocol where clients ask for resources and servers respond with headers and content.
  • Real-life example: Browsing an internal wiki hosted over plain HTTP on a segmented intranet.
  • Ethical hacker tactics: Perform reconnaissance for outdated frameworks, inject payloads (XSS, SQLi), and sniff unencrypted sessions to harvest tokens or credentials.
  • Assessment toolkit: Combine Burp Suite or OWASP ZAP for proxy analysis, DirBuster for content discovery, and sqlmap to validate injection exposures with change control.

6. HTTPS (Hypertext Transfer Protocol Secure)

Purpose: Protect web traffic with TLS encryption and certificate-based trust.

  • Port: TCP 443.
  • How it works: Wraps HTTP inside TLS, negotiating keys and ciphers so data and authentication remain confidential and tamper-evident.
  • Real-life example: Secure online banking sessions that display the browser lock icon.
  • Ethical hacker tactics: Enumerate certificate flaws, attempt TLS stripping via captive portals, and target application-layer bugs after decrypting traffic with authorized proxy certificates.
  • Assessment toolkit: Run sslyze or testssl.sh for cipher sweeps, bettercap for lab-based downgrade demonstrations, and Burp Suite for authenticated fuzzing.

7. DNS (Domain Name System)

Purpose: Translate human-readable domain names into IP addresses.

  • Port: UDP 53 for queries, TCP 53 for zone transfers and large responses.
  • How it works: Recursive resolvers query authoritative servers, caching answers and returning the matching resource records.
  • Real-life example: Every time you visit a website, your resolver asks DNS which IP address to contact.
  • Ethical hacker tactics: Attempt zone transfers, seed cache-poison payloads in lab settings, and map subdomains to inform phishing or attack surface reduction exercises.
  • Assessment toolkit: Use dig/nslookup for record pulls, dnsenum for structured discovery, and dnstwist to highlight typosquat risks.

8. DHCP (Dynamic Host Configuration Protocol)

Purpose: Automatically assign IP configuration to network clients.

  • Port: UDP 67 (server) and UDP 68 (client).
  • How it works: Clients broadcast discovery, servers offer addressing info, and leases define how long the assignment lasts.
  • Real-life example: A laptop joins an office Wi-Fi network and immediately receives an IP, gateway, and DNS settings via DHCP.
  • Ethical hacker tactics: Launch rogue DHCP servers, exhaustion attacks, or option spoofing to demonstrate how clients can be redirected to malicious gateways.
  • Assessment toolkit: Monitor offers with Wireshark, emulate rogue servers via Yersinia, and visualize lease activity through RogueDHCPDetector.
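One way to catch the rogue-server scenario from the defender's side, as an added example rather than the page's own tooling: parse the options field of a captured DHCP message and alert when an OFFER's Server Identifier (option 54) is not on the allowlist of sanctioned servers. The packet builder, the allowlist and every address below are constructed for the demo; the offsets and option codes follow the BOOTP/DHCP layout the brief describes.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # marks the start of DHCP options
OFFER = 2                                          # DHCP message type value (option 53)

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_offer(server_ip, router_ip, dns_ip, yiaddr):
    """Constructed test fixture: a minimal DHCPOFFER as a server would emit it."""
    # op=2 (reply), htype=1, hlen=6, hops=0, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"\0" * 4, ip_bytes(yiaddr), ip_bytes(server_ip), b"\0" * 4)
    fixed += b"\0" * (16 + 64 + 128)               # chaddr, sname, file left empty
    options = (b"\x35\x01" + bytes([OFFER]) +       # 53: message type
               b"\x36\x04" + ip_bytes(server_ip) +  # 54: server identifier
               b"\x03\x04" + ip_bytes(router_ip) +  # 3: router (default gateway)
               b"\x06\x04" + ip_bytes(dns_ip) +     # 6: DNS server
               b"\xff")                             # 255: end of options
    return fixed + MAGIC_COOKIE + options

def parse_options(pkt):
    """Return {code: value} from the options field; pads are skipped, End stops parsing."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_offer(pkt, approved_servers):
    """Return (verdict, server, router, dns); 'rogue' when the offering server is unapproved."""
    opts = parse_options(pkt)
    if opts.get(53, b"\0")[0] != OFFER:
        return ("not-an-offer", None, None, None)
    server, router, dns = (ip_str(opts.get(c, b"")) for c in (54, 3, 6))
    verdict = "approved" if server in approved_servers else "rogue"
    return (verdict, server, router, dns)

APPROVED = {"10.0.0.2"}                            # constructed allowlist of sanctioned servers
GOOD = build_offer("10.0.0.2", "10.0.0.1", "10.0.0.53", "10.0.0.77")
ROGUE = build_offer("10.0.0.250", "10.0.0.250", "10.0.0.250", "10.0.0.78")
```

In production the packets come from a capture on UDP 68 rather than from build_offer, and a rogue verdict is worth alerting on even when the offered gateway and DNS look plausible.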

9. SNMP (Simple Network Management Protocol)

Purpose: Monitor and manage network devices via structured queries.

  • Port: UDP 161 for polling, UDP 162 for traps/notifications.
  • How it works: Managers query agents using MIB object identifiers; traps signal asynchronous events.
  • Real-life example: A NOC dashboard polls switches and routers for interface statistics using SNMPv3.
  • Ethical hacker tactics: Enumerate community strings, brute force SNMPv1/v2c, and pull configuration data to illustrate why SNMPv3 with ACLs and encryption is mandatory.
  • Assessment toolkit: Query MIBs with snmpwalk, leverage onesixtyone for community discovery, and audit trap destinations via snmp-check.

10. IMAP (Internet Message Access Protocol)

Purpose: Synchronize email between clients and mailboxes on a server.

  • Port: TCP 143 (STARTTLS), TCP 993 (IMAPS).
  • How it works: Keeps mail on the server while clients maintain folder state, enabling multi-device access with near real-time updates.
  • Real-life example: Checking corporate email from phone and laptop while keeping folders aligned.
  • Ethical hacker tactics: Assess brute-force protections, downgrade STARTTLS when misconfigured, and script mailbox enumeration to prove the need for MFA and rate limits.
  • Assessment toolkit: Use imap-open-relay NSE scripts, Hydra for throttled credential testing, and imap-tools to confirm data at rest controls.

11. POP3 (Post Office Protocol v3)

Purpose: Download email from server mailboxes to a single client.

  • Port: TCP 110 (STARTTLS), TCP 995 (POP3S).
  • How it works: Client connects, authenticates, retrieves messages, and typically deletes them from the server after download.
  • Real-life example: Legacy desktop mail clients configured to pull mail to an offline archive.
  • Ethical hacker tactics: Attempt credential stuffing, intercept cleartext logins on unsecured links, and replay message retrieval to demonstrate confidentiality gaps.
  • Assessment toolkit: Test controls with nmap --script pop3*, validate TLS strength using openssl s_client, and corroborate logging with SIEM queries.

12. SFTP (SSH File Transfer Protocol)

Purpose: Securely move files over the SSH transport layer.

  • Port: TCP 22 (piggybacks on SSH).
  • How it works: Provides file operations—list, upload, download, permissions—inside an SSH session with encryption and integrity.
  • Real-life example: A security team exchanges forensic images with a partner via SFTP to maintain confidentiality.
  • Ethical hacker tactics: Reuse compromised SSH keys, abuse weak chroot setups, and test for command execution via restricted file subsystem misconfigurations.
  • Assessment toolkit: Inspect server configs with ssh -vvv, emulate restricted user paths through sftp batch scripts, and monitor uploads with auditd.

13. SMB (Server Message Block)

Purpose: Share files, printers, and named pipes across LANs.

  • Port: TCP 445 (modern), TCP 139 (NetBIOS session).
  • How it works: Provides authenticated file operations and inter-process communication using negotiated dialects (SMBv1–v3).
  • Real-life example: Windows file servers delivering departmental shares with access control lists.
  • Ethical hacker tactics: Identify legacy SMBv1, hunt for null sessions, relay captured hashes, and validate patch posture against known vulnerabilities.
  • Assessment toolkit: Enumerate shares via smbclient and enum4linux, simulate relay chains with Impacket, and scan signing status using crackmapexec.

14. RDP (Remote Desktop Protocol)

Purpose: Deliver graphical remote access to Windows systems.

  • Port: TCP 3389.
  • How it works: Encapsulates keyboard, mouse, and display data within an encrypted channel supporting Network Level Authentication (NLA).
  • Real-life example: Helpdesk technicians connecting to end-user workstations for support.
  • Ethical hacker tactics: Detect exposed RDP gateways, review NLA enforcement, and test blue team monitoring of brute-force guardrails.
  • Assessment toolkit: Audit cipher suites with rdp-sec-check, perform safe password spray tests via crowbar, and capture session telemetry with rdpscan.

15. LDAP / LDAPS

Purpose: Query and modify directory services like Active Directory.

  • Port: TCP 389 (LDAP), TCP 636 (LDAPS), TCP 3268/3269 (Global Catalog).
  • How it works: Clients bind to directory servers and perform searches or updates using a hierarchical namespace.
  • Real-life example: Single sign-on workflows validating user credentials against Active Directory.
  • Ethical hacker tactics: Investigate anonymous binds, misconfigured ACLs, and data exposure that fuels privilege escalation.
  • Assessment toolkit: Employ ldapsearch, SharpHound, and ADExplorer to chart permissions while validating TLS enforcement.

16. Kerberos

Purpose: Provide ticket-based authentication for domain services.

  • Port: UDP/TCP 88.
  • How it works: Clients obtain ticket-granting tickets (TGTs) from the Key Distribution Center (KDC) and request service tickets for resources.
  • Real-life example: Domain-joined Windows hosts authenticating to file shares without prompting for passwords.
  • Ethical hacker tactics: Review pre-authentication policies, analyze service principal names for Kerberoasting exposure, and monitor golden ticket detection coverage.
  • Assessment toolkit: Capture metadata with Rubeus, enumerate SPNs via setspn, and validate detections using Mimikatz in a controlled lab.

17. NTP (Network Time Protocol)

Purpose: Synchronize clocks across networked systems.

  • Port: UDP 123.
  • How it works: Clients exchange timestamps with time servers to adjust local clocks.
  • Real-life example: Security appliances aligning log timestamps to support forensic correlation.
  • Ethical hacker tactics: Check for monlist amplification, spoof upstream sources, and validate tamper detection on time skews.
  • Assessment toolkit: Query with ntpq, simulate anomalies via ntpclient, and graph drift in monitoring platforms.

18. SIP (Session Initiation Protocol)

Purpose: Set up, modify, and terminate VoIP sessions.

  • Port: UDP/TCP 5060 (plaintext), TCP/TLS 5061 (SIPS).
  • How it works: Exchanges INVITE and ACK messages to negotiate RTP media streams for voice or video.
  • Real-life example: Corporate PBX systems routing desk phone calls.
  • Ethical hacker tactics: Enumerate extensions, test call routing abuse, and validate SRTP enforcement.
  • Assessment toolkit: Utilize sip-cli, sipvicious (friendly scanning mode), and Wireshark VoIP analysis to audit call setup.

19. MQTT (Message Queuing Telemetry Transport)

Purpose: Lightweight pub/sub messaging for IoT and IIoT devices.

  • Port: TCP 1883 (plaintext), TCP 8883 (TLS).
  • How it works: Clients publish and subscribe to broker topics, exchanging telemetry with minimal overhead.
  • Real-life example: Building automation sensors reporting status to a central broker.
  • Ethical hacker tactics: Review anonymous or wildcard topic access, monitor QoS downgrade, and inspect retained messages for sensitive data.
  • Assessment toolkit: Connect using mosquitto_sub/mosquitto_pub, map topics with MQTT Explorer, and analyze TLS with testssl.sh.

20. Redis

Purpose: In-memory data structure store for caching and message brokering.

  • Port: TCP 6379 (default), TLS via 6380+.
  • How it works: Clients issue commands to manipulate key-value data, lists, sets, and pub/sub channels.
  • Real-life example: High-performance web apps caching session data in Redis clusters.
  • Ethical hacker tactics: Identify unauthenticated instances, inspect CONFIG exposure, and validate sandbox escapes only in isolated test environments.
  • Assessment toolkit: Use redis-cli for audit queries, nmap --script redis-info for fast triage, and RedisCommander to visualize key hygiene.

21. MySQL / MariaDB

Purpose: Relational database management for applications and analytics.

  • Port: TCP 3306.
  • How it works: Clients authenticate and issue SQL queries to manipulate structured data.
  • Real-life example: Web CMS platforms persisting user data in a MySQL backend.
  • Ethical hacker tactics: Review authentication methods, privilege separation, and replication channels for leakage.
  • Assessment toolkit: Verify exposure with mysql client, review permissions via sqlmap --os-shell only in labs, and baseline CIS compliance using Lynis.

22. RADIUS (Remote Authentication Dial-In User Service)

Purpose: Centralize AAA (authentication, authorization, accounting) for network access.

  • Port: UDP 1812 (authentication), UDP 1813 (accounting), legacy UDP 1645/1646.
  • How it works: Network devices forward credentials to a RADIUS server, which responds with access decisions and logs session usage.
  • Real-life example: Enterprise Wi-Fi enforcing 802.1X authentication against central identity stores.
  • Ethical hacker tactics: Validate shared secret complexity, examine PAP versus EAP-TLS usage, and test redundant server failover.
  • Assessment toolkit: Generate requests with radtest, sniff control traffic via freeradius-wpe in lab builds, and audit accounting records through SIEM dashboards.

Field Notes: Investigation Workflow

Structured approach to analyzing newly discovered services.

  • Fingerprint: Start with nmap -sS -sV -O (or passive Zeek logs) to catalog open ports, products, and operating systems without overwhelming the target.
  • Validate scope: Confirm the asset is in your rules of engagement before testing deeper functionality.
  • Layered inspection: Move from unauthenticated checks to credentialed reviews, logging every action for replay.
  • Escalation matrix: Pair technical findings with business impact—who owns the system, what data it touches, and how you will coordinate remediation.
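A passive fingerprinting pass of the kind the first step mentions, as an added example that is not part of the original page: it reads Zeek conn.log rows, maps each flow's responder port and transport to the protocol briefs above, flags the services those briefs describe as cleartext, and names the encrypted alternative the guide points to. The log rows are constructed; the column order is the first seven standard conn.log fields.

```python
from collections import Counter

# Responder (proto, port) -> (service, encrypted alternative or None), taken from
# the protocol briefs above. None means the service already encrypts by default.
PORTS = {
    ("tcp", 21): ("FTP", "SFTP (TCP 22)"),      ("tcp", 22): ("SSH", None),
    ("tcp", 23): ("Telnet", "SSH (TCP 22)"),    ("tcp", 25): ("SMTP", "submission with STARTTLS (TCP 587)"),
    ("tcp", 80): ("HTTP", "HTTPS (TCP 443)"),   ("tcp", 443): ("HTTPS", None),
    ("tcp", 110): ("POP3", "POP3S (TCP 995)"),  ("tcp", 143): ("IMAP", "IMAPS (TCP 993)"),
    ("tcp", 389): ("LDAP", "LDAPS (TCP 636)"),  ("tcp", 636): ("LDAPS", None),
    ("tcp", 1883): ("MQTT", "MQTT over TLS (TCP 8883)"),
    ("tcp", 6379): ("Redis", "Redis over TLS (6380+)"),
    ("udp", 161): ("SNMP", "SNMPv3 with authentication and privacy"),
    ("tcp", 445): ("SMB", None),                ("tcp", 3389): ("RDP", None),
}

# Constructed sample rows in Zeek conn.log TSV order:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000000.1\tC1\t10.0.5.20\t50112\t10.0.1.10\t22\ttcp
1700000001.2\tC2\t10.0.5.21\t50113\t10.0.1.11\t23\ttcp
1700000002.3\tC3\t10.0.5.22\t50114\t10.0.1.12\t6379\ttcp
1700000003.4\tC4\t10.0.5.20\t50115\t10.0.1.13\t443\ttcp
1700000004.5\tC5\t10.0.5.23\t41234\t10.0.1.14\t161\tudp
1700000005.6\tC6\t10.0.5.24\t50116\t10.0.1.15\t9000\ttcp
"""

def parse_conn_log(text):
    """Yield (orig_h, resp_h, resp_p, proto); Zeek '#' header lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield f[2], f[4], int(f[5]), f[6]

def triage(text):
    """Classify each flow as 'ok', 'cleartext' (with the recommended alternative) or 'review'."""
    findings = []
    for orig, resp, port, proto in parse_conn_log(text):
        service, alt = PORTS.get((proto, port), (None, None))
        if service is None:
            findings.append((resp, port, "unknown", "review", None))   # not in the field guide
        elif alt is None:
            findings.append((resp, port, service, "ok", None))
        else:
            findings.append((resp, port, service, "cleartext", alt))
    return findings

def counts(text):
    """Verdict tally for a log; for SAMPLE_LOG: Counter({'cleartext': 3, 'ok': 2, 'review': 1})."""
    return Counter(f[3] for f in triage(text))

if __name__ == "__main__":
    for resp, port, service, verdict, alt in triage(SAMPLE_LOG):
        print(f"{resp}:{port} {service:<8}{verdict}" + (f" -> {alt}" if alt else ""))
```

'review' flows are the ones the workflow's layered inspection should pick up next, since the port alone says nothing about the service behind it.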

Toolbox Quick Reference

Common assessment utilities and the protocols they illuminate.

  • Discovery: nmap, masscan, and naabu to quickly map exposed surfaces while respecting rate limits.
  • Traffic capture: Wireshark, tcpdump, and Arkime for packet-level review and PCAP preservation.
  • Credential testing: Hydra, ncrack, and Medusa with throttled settings plus MFA awareness.
  • Service-specific: Impacket (SMB, RDP, Kerberos), sqlmap (databases), Bettercap (network manipulation) — always operate within a legal assessment window.