OSCP Guide - Networking
- abbuabhishek2000
- May 5
- 5 min read
OSCP Guide — Part 2 ( Networking )
Hello Readers! As discussed in the previous part, we will go through each of the topics required to pass OSCP. Here we will cover some of the basics which I believe are required for understanding certain concepts in the OSCP course; you are free to dig deeper into the respective topics on your own.

IP Address and Subnetting
Every device in a network has its own identifier, a 32-bit number called an IPv4 address, which lets us identify it on that network.
Now, to find your own IP address you can use the commands below:
Windows:
ipconfig
Linux:
ifconfig
ip a
Now, you might find different interfaces here, such as eth0, lo etc. In the case of OSCP or other labs you will probably be connected over a VPN, so you will find an additional interface such as tun0 or similar; its IP is the address of your machine that you use while constructing a listener payload for exploitation (which we will discuss later).
When you are using the internet you have a public IP, and when you are interacting with an internal network you have a private IP assigned to your machine, which falls in ranges such as:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
The notation in which the above ranges are written is called CIDR notation.
Let's say you get a target like 192.168.1.0/24:
here /24 -> subnet mask -> 255.255.255.0
in general it means that the range of IPs in this CIDR block is from 192.168.1.1 to 192.168.1.254
here 192.168.1.0 -> router IP (in general, and not used for a host)
192.168.1.255 -> broadcast address (not used for a host either)
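As an added example (not from the original post), the following Python uses only the standard library to work out the mask, network, broadcast and usable host range of a CIDR block with plain 32-bit mask arithmetic, and to check which of the three private ranges above an address falls in. It also handles the /31 and /32 edge cases, which have no separate network or broadcast address.

```python
import ipaddress

def cidr_summary(cidr: str) -> dict:
    """Break a CIDR block such as 192.168.1.0/24 into the pieces a tester needs.

    The arithmetic is done on the raw 32-bit integers so the mask operations
    are visible; ipaddress is used only to parse and print dotted-quad strings.
    """
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_str))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # /24 -> 0xFFFFFF00 = 255.255.255.0
    network = addr & mask                               # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits set
    if prefix >= 31:
        # /31 (point-to-point) and /32 (single host) reserve no network/broadcast address
        first, last = network, broadcast
    else:
        first, last = network + 1, broadcast - 1

    def dotted(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    return {
        "netmask": dotted(mask),
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first),
        "last_host": dotted(last),
        "host_count": last - first + 1,
    }

# The three private (RFC 1918) ranges listed above.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def in_block(ip: str, cidr: str) -> bool:
    """True if ip lies between the block's network and broadcast addresses."""
    s = cidr_summary(cidr)
    n = int(ipaddress.IPv4Address(ip))
    return int(ipaddress.IPv4Address(s["network"])) <= n <= int(ipaddress.IPv4Address(s["broadcast"]))

def private_block(ip: str):
    """Return the private block an address belongs to, or None if it is public."""
    return next((b for b in PRIVATE_BLOCKS if in_block(ip, b)), None)

if __name__ == "__main__":
    print(cidr_summary("192.168.1.0/24"))
    print(private_block("172.31.5.9"), private_block("8.8.8.8"))
```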
So, when someone says they are scanning an entire network range or CIDR network, or that they are going to check the live hosts on a network, it essentially means that they are scanning the entire range from 192.168.1.1 to 192.168.1.255 to check which machines are up and running in that network.
This can be checked with the command below, using a tool called nmap (which we will discuss in detail in the tools chapter):
nmap -sn 192.168.1.0/24
nmap is basically a tool which scans an entire network for you to see which hosts are up and which ports are open on a machine, based on the response it receives from the host or its port.
To know if a host is alive or not you can also use the ping command below:
ping 10.10.10.10 # sends ICMP echo requests; a successful response shows that the host is up.
2. TCP/UDP Scanning
If you hear people asking you to perform a TCP scan or a UDP scan on a network, you might wonder what those are.
In general, when you want to interact with a service you first need to establish a connection to it. This process is called a three-way handshake and involves three packets: SYN, SYN/ACK and ACK. To explain it more simply, consider the interaction below between a client and a server.
SYN — Client: "Hey, I wanna connect. You there?" (client sends a SYN packet to the server)
SYN-ACK — Server: "Heard ya, I am ready to connect. Can we talk now?" (server replies with SYN-ACK to the client)
ACK — Client: "Great, we can connect now. Let's talk!" (client now sends ACK to the server)
With this exchange the three-way handshake is complete and trust is established between the two sides: we know that the server is active and responding and that both are synchronized. Now we can start sending and receiving data.
TCP is connection-oriented, which means it needs a connection (i.e., the three-way handshake) to be established before sending data, while UDP is connectionless, i.e., it does not require any handshake; it just sends data regardless of whether there is a receiver at the other end. From this we can understand that TCP is more reliable for sending data than UDP, but UDP is much faster at transferring data and hence is used in streaming.
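To see the difference between connection-oriented and connectionless in practice, here is an added example (not part of the original post) using Python's standard socket module on loopback. The script creates its own TCP listener and its own deliberately closed port, so it needs no network and no target: a TCP connect() either completes the handshake or is refused, while a UDP sendto() succeeds either way and tells the sender nothing.

```python
import socket

def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Attempt the three-way handshake with connect().

    Returns True only if SYN, SYN-ACK and ACK all completed. A closed port
    answers the SYN with RST (ConnectionRefusedError); a filtered port gives
    no answer and we time out. Both surface as OSError.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False

def udp_send(host: str, port: int, payload: bytes) -> int:
    """Send one datagram with no handshake at all.

    sendto() reports the bytes handed to the kernel whether or not anything is
    listening; the sender learns nothing about the far end from this call.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))

def demo() -> dict:
    """Constructed scenario on loopback: one real TCP listener and one port
    deliberately left closed, so the contrast is visible with no network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve a second ephemeral port, then release it so nothing listens there.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return {
            "tcp_open": tcp_connect("127.0.0.1", open_port),       # handshake completes
            "tcp_closed": tcp_connect("127.0.0.1", closed_port),   # RST -> refused
            "udp_closed_bytes": udp_send("127.0.0.1", closed_port, b"hello"),  # 5, no error
        }
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())
```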
Examples of ports which use TCP: 22 (SSH), 80 (HTTP), 443 (HTTPS), 21 (FTP), 445 (SMB)
Examples of ports which generally use UDP: 53 (DNS), 161 (SNMP), 123 (NTP)
Now, to perform a TCP scan with nmap we use the option -sT or -sS, and for a UDP scan we use the option -sU (which takes far more time to complete).
Below are sample nmap commands for reference on how they are used:
nmap -sS -p- 10.10.10.10 # TCP SYN scan of all ports
nmap -sU -p 53,161 10.10.10.10 # UDP scan of the DNS and SNMP ports
3. Some Ports to remember when scanning:
HTTP/HTTPS (port 80, port 443)
When you scan an IP or domain using nmap and find port 80 or 443 open, it means the host is running the HTTP or HTTPS protocol. Whenever you visit a website, observe the URL: http://somesite.com (insecure) or https://somesite.com (secure) tells you which of these ports the site is running on.
This is where we find basic web vulnerabilities such as SQLi, LFI, authentication or login bypass, template injection etc.
We use several tools for exploiting these ports, such as Burp Suite, ffuf, nikto etc.
DNS (port 53)
There are many sites on the internet, and every site has an IP address. Remembering every host's IP address is impossible, hence we have domain names for IPs, i.e., google.com has its own IP address and bing.com has its own IP address. Remembering bing.com and google.com is easier than remembering their IP addresses. So, how does the browser know which IP belongs to which domain name?
This is done by DNS servers, which resolve a domain name to its IP address and vice versa.
Using this port we can enumerate subdomains, perform zone transfers, gather vhosts etc.
SMB (port 445)
This is a file-sharing protocol on Windows. Using this protocol we can enumerate files on a machine in the network and download/upload files based on the privileges we have. Attacks on this port include null/anonymous login and EternalBlue, among others.
FTP (port 21)
This is also a file transfer protocol, where we can perform attacks such as anonymous login, file downloads/uploads etc.
SSH (port 22)
This is Secure Shell, which allows us to log in remotely to a machine. If you find any credentials while testing a target, you can use them to log in on this port, compromising that user and executing commands on their behalf.
telnet (port 23)
This also provides remote login but works in unencrypted mode; it is mostly found on old/legacy systems.
Now we know some basics of networking, and of course you are free to dig deeper. In the coming chapters I will explain how we can exploit each of these ports and what tools or commands we use for this, so stay tuned.
Hope you enjoyed this session. Thanks, and let's meet in the next chapter.