Introductory Networking
Hi! Networking can be a tough nut to crack as a beginner. Let’s look at things together while finishing this great Introductory Networking room on THM.
I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Part 1 (Introduction to Networking)
The topics covered in this room are as follows:
- The OSI Model
- The TCP/IP Model
- How these models look in practice
- An introduction to basic networking tools
TryHackMe does a good job of explaining concepts, and I won’t go into many details. However, I will try to highlight the important points.
Part 2 (Networking OSI Model)
The OSI model is a standardised model used to explain the concepts behind networking. It consists of seven layers:
- 7. Application — Provides networking options to programs running on a system, giving them an interface through which to transmit data.
- 6. Presentation — Receives data from the application layer and ensures it is in a standardised format before passing it further along towards the receiver. This layer is also responsible for encryption, compression and other transformations.
- 5. Session — Receives the formatted data from the presentation layer, tries to establish a session with the session layer of the computer on the other side, and is afterwards responsible for maintaining it. Once the session layer has successfully established a connection between the host and the remote computer, the data is passed down to the next layer.
- 4. Transport — Selects the protocol over which the data is transmitted, TCP or UDP. TCP is connection-based and focuses on reliable delivery: any lost data is resent. UDP is chosen when speed matters more than reliability.
- 3. Network — Responsible for locating the destination of your request. This layer looks at the IP address (the logical address) and selects the best route to take.
- 2. Data Link — Focuses on the physical addressing of the transmission. It receives a packet from the network layer, already carrying an IP address, and adds the MAC address (the unique address identifying a machine's Network Interface Card) of the receiving machine. The data link layer also checks that received data has not been corrupted during transmission, and on the sending side it ensures the data is presented in a format suitable for transmission.
- 1. Physical — All about the hardware of the computer. It converts the binary data of the transmission into electrical, optical or radio signals, and the other way around.
Questions
Which layer would choose to send data over TCP or UDP?
Answer: 4
Which layer checks received packets to make sure that they haven’t been corrupted?
Answer: 2
In which layer would data be formatted in preparation for transmission?
Answer: 2
Which layer transmits and receives data?
Answer: 1
Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardised format?
Answer: 6
Which layer tracks communications between the host and receiving computers?
Answer: 5
Which layer accepts communication requests from applications?
Answer: 7
Which layer handles logical addressing?
Answer: 3
When sending data over TCP, what would you call the “bite-sized” pieces of data?
Answer: Segments
[Research] Which layer would the FTP protocol communicate with?
Answer: 7
Which transport layer protocol would be best suited to transmit a live video?
Answer: UDP
Part 3 (Encapsulation)
Data passes from each layer to the next, and with each step more information is added to the transmission. We call this process encapsulation.
Note that the encapsulated data gets a different name at each layer. In layers 7, 6 and 5 it is simply referred to as data. At the transport layer it is a segment (TCP) or a datagram (UDP). At the network layer it is a packet. At the data link layer it becomes a frame, and finally at the physical layer we talk about bits.
When the data reaches its destination, the whole process is reversed: this is de-encapsulation. It proceeds from the physical layer up towards the application layer, and at each step the corresponding layer strips off the information that was added for it.
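To make the naming concrete, here is an added example (my own code, not part of the room) that builds the units bottom-up in Python: constructed application data is wrapped in a UDP header (datagram), then an IPv4 header (packet), then an Ethernet header plus FCS trailer (frame), and the receiving side strips the layers again while verifying the layer-2 trailer and the layer-3 header checksum before trusting what is underneath. The MAC and IP addresses and the port numbers are made-up sample values.

```python
import struct
import zlib

# Constructed sample addresses for this example (not from the room): locally
# administered MACs and private RFC 1918 IPs.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header (and ICMP/TCP/UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def layer4_udp(data: bytes, sport: int, dport: int) -> bytes:
    """Layer 4: prepend a UDP header -> the unit is now a datagram."""
    # The UDP checksum is optional over IPv4, so it is left at zero here.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def layer3_ipv4(datagram: bytes, src: str, dst: str) -> bytes:
    """Layer 3: prepend an IPv4 header carrying the logical addresses -> packet."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(datagram),
                      0, 0, 64, PROTO_UDP, 0, src_b, dst_b)
    # The checksum is computed with its own field zeroed, then patched into bytes 10-11.
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + datagram


def layer2_ethernet(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: prepend the physical (MAC) addresses and append the FCS trailer -> frame."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    fcs = struct.pack("<I", zlib.crc32(body))  # Ethernet FCS is a CRC-32, little-endian on the wire
    return body + fcs


def encapsulate(data: bytes) -> bytes:
    """Application data -> datagram -> packet -> frame, as the OSI layers describe."""
    datagram = layer4_udp(data, 40000, 53)
    packet = layer3_ipv4(datagram, SRC_IP, DST_IP)
    return layer2_ethernet(packet, SRC_MAC, DST_MAC)


def de_encapsulate(frame: bytes) -> dict:
    """Strip one layer at a time, verifying each layer's integrity check before trusting it."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit (caught at layer 2)")
    dst_mac, src_mac = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType {ethertype:#06x}")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    # A valid header, summed with its checksum field included, folds to zero.
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch (caught at layer 3)")
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    datagram = packet[ihl:]
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": src_ip, "dst_ip": dst_ip,
        "sport": sport, "dport": dport, "data": datagram[8:length],
    }


def check_frame(frame: bytes) -> str:
    """Return 'ok' or the layer-2/3 error that de-encapsulation hit."""
    try:
        de_encapsulate(frame)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    frame = encapsulate(b"hello")
    print(len(frame), "bytes on the wire ->", de_encapsulate(frame))
    damaged = bytearray(frame)
    damaged[-6] ^= 0xFF  # flip a payload byte: the FCS trailer catches it
    print(check_frame(bytes(damaged)))
```

The trailer is the point of the last question in this part: the FCS is the only piece added behind the data rather than in front of it, and it is what lets the data link layer reject a frame that was damaged on the wire before any higher layer sees it.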
Questions
How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?
Answer: Frames
How would you refer to data at layer 4 of the encapsulation process (with the OSI model), if the UDP protocol has been selected?
Answer: Datagrams
What process would a computer perform on a received message?
Answer: De-encapsulation
Which is the only layer of the OSI model to add a trailer during encapsulation?
Answer: Data link
Does encapsulation provide an extra layer of security (Aye/Nay)?
Answer: Aye
Part 4 (TCP/IP model)
There exists another model similar to the OSI model, which we refer to as the TCP/IP model. The TCP/IP model is actually slightly older.
Instead of the seven layers of the OSI model, the TCP/IP model only has four:
- Application Layer
- Transport Layer
- Internet Layer
- Network Interface Layer
The two models match up like this:
- Application — covers the OSI Application, Presentation and Session layers (7, 6 and 5)
- Transport — covers the OSI Transport layer (4)
- Internet — covers the OSI Network layer (3)
- Network Interface — covers the OSI Data Link and Physical layers (2 and 1)
Why do we use two similar models? The OSI model is easier to learn because the different steps are split up, while the TCP/IP model is more practical and used in real life.
How data actually moves through a network
TCP/IP consists of a variety of protocols. TCP/IP takes its name from the two most important of these: the Transmission Control Protocol which controls the flow of data between two endpoints, and the Internet Protocol, which controls how packets are addressed and sent.
TCP is a connection-based protocol. This means a connection has to be established between the two computers before any data is exchanged. Setting up this connection is called the three-way handshake.
The process goes like this:
- When attempting to make a connection, your computer sends a request to the remote computer indicating that it wants to establish a connection. The important part is that this request has the SYN (synchronise) bit set.
- The remote computer responds with a packet that has both the SYN bit and the ACK (acknowledgement) bit set.
- Finally, your computer sends a packet with the ACK bit set to confirm that the connection has been created. Data can now be transmitted reliably.
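The exchange above, simulated as an added example (my own code, not the room's material): each side keeps a connection state and an initial sequence number (ISN), and each step only proceeds if the incoming segment acknowledges the right number. The ISNs are random placeholders standing in for what a real kernel generates.

```python
from dataclasses import dataclass
import secrets

SYN, ACK = 0x02, 0x10          # flag bits in the TCP header's flags field
MOD = 2 ** 32                  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    flags: int
    seq: int
    ack: int = 0

    def has(self, flag: int) -> bool:
        return self.flags & flag == flag

    def name(self) -> str:
        return {SYN: "SYN", SYN | ACK: "SYN/ACK", ACK: "ACK"}.get(self.flags, hex(self.flags))


@dataclass
class Endpoint:
    role: str
    state: str = "CLOSED"
    isn: int = 0        # our initial sequence number
    peer_isn: int = 0   # the peer's initial sequence number, learned from its SYN


def client_syn(client: Endpoint) -> Segment:
    """Step 1: the client picks an ISN and sends SYN."""
    client.isn = secrets.randbelow(MOD)   # assumption: a random ISN stands in for the kernel's generator
    client.state = "SYN_SENT"
    return Segment(SYN, seq=client.isn)


def server_synack(server: Endpoint, syn: Segment) -> Segment:
    """Step 2: the server records the client's ISN and answers SYN/ACK acknowledging ISN + 1."""
    if not syn.has(SYN) or syn.has(ACK):
        raise ValueError("expected a bare SYN")
    server.peer_isn = syn.seq
    server.isn = secrets.randbelow(MOD)
    server.state = "SYN_RECEIVED"          # half-open: state is allocated before the peer is proven
    return Segment(SYN | ACK, seq=server.isn, ack=(syn.seq + 1) % MOD)


def client_ack(client: Endpoint, synack: Segment) -> Segment:
    """Step 3: the client checks that the SYN/ACK acknowledges its own SYN, then sends ACK."""
    if not (synack.has(SYN) and synack.has(ACK)):
        raise ValueError("expected SYN/ACK")
    if synack.ack != (client.isn + 1) % MOD:
        raise ValueError("SYN/ACK does not acknowledge our ISN; not our connection")
    client.peer_isn = synack.seq
    client.state = "ESTABLISHED"
    return Segment(ACK, seq=(client.isn + 1) % MOD, ack=(synack.seq + 1) % MOD)


def server_accept(server: Endpoint, ack: Segment) -> bool:
    """The server only moves to ESTABLISHED if the ACK proves the peer saw its ISN."""
    if not ack.has(ACK) or ack.has(SYN) or ack.ack != (server.isn + 1) % MOD:
        return False
    server.state = "ESTABLISHED"
    return True


def handshake() -> tuple:
    """Run the full exchange and return both endpoints plus the three segments."""
    client, server = Endpoint("client"), Endpoint("server")
    syn = client_syn(client)
    synack = server_synack(server, syn)
    ack = client_ack(client, synack)
    server_accept(server, ack)
    return client, server, [syn, synack, ack]


def forged_ack_rejected() -> bool:
    """A third party that never saw the SYN/ACK cannot know the 32-bit ISN, so its ACK is dropped."""
    server = Endpoint("server")
    server_synack(server, Segment(SYN, seq=12345))
    forged = Segment(ACK, seq=12346, ack=(server.isn + 7) % MOD)  # wrong acknowledgement number
    return not server_accept(server, forged) and server.state == "SYN_RECEIVED"


if __name__ == "__main__":
    c, s, segs = handshake()
    for seg in segs:
        print(f"{seg.name():7} seq={seg.seq} ack={seg.ack}")
    print(c.state, s.state, "forged ACK rejected:", forged_ack_rejected())
```

The acknowledgement numbers are the substance of the handshake: the server only commits to ESTABLISHED when the final ACK carries its ISN + 1, which a party that did not see the SYN/ACK cannot supply. Note also the SYN_RECEIVED step, where the server has already allocated state for a peer it has not yet verified; that half-open window is what a SYN flood fills up.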
Questions
Which model was introduced first, OSI or TCP/IP?
Answer: TCP/IP
Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?
Answer: Transport
Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?
Answer: Application
The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?
Answer: Physical
Which layer of the TCP/IP model handles the functionality of the OSI network layer?
Answer: Internet
What kind of protocol is TCP?
Answer: Connection-based
What is SYN short for?
Answer: Synchronise
What is the second step of the three way handshake?
Answer: SYN/ACK
What is the short name for the “Acknowledgement” segment in the three-way handshake?
Answer: ACK
Part 5 (Ping)
Now it is time to look at some network-related command-line tools. We start with ping. This simple tool is used to test whether a connection to a remote system is possible. It can also be used to find the IP address of the server hosting a website.
Ping uses the ICMP protocol, one of the slightly less well-known TCP/IP protocols mentioned earlier. ICMP works at the Network layer of the OSI model and the Internet layer of the TCP/IP model. The basic syntax for ping is ping <target>.
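What ping actually puts on the wire, as an added example (my own code, not from the room): an ICMP echo request is an 8-byte header (type 8, code 0, checksum, identifier, sequence number) followed by a payload, and the echo reply is the same message sent back with type 0. The identifier is assumed to be derived from the process ID, as most ping implementations do, and the payload is a constructed sample.

```python
import os
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values; the code is 0 for both


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, computed over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Header: type(1) code(1) checksum(2) identifier(2) sequence(2), then the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """The message ping sends for each probe; seq increases by one per probe."""
    return build_echo(ECHO_REQUEST, ident, seq, payload)


def build_echo_reply(request: bytes) -> bytes:
    """What the target's IP stack does: echo identifier, sequence and payload back with type 0."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    return build_echo(ECHO_REPLY, ident, seq, request[8:])


def parse_icmp(message: bytes) -> dict:
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", message[:8])
    # A message whose checksum field is correct folds to zero when summed as a whole.
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": message[8:], "checksum_ok": internet_checksum(message) == 0}


def reply_matches(request: bytes, reply: bytes) -> bool:
    """ping counts a reply only if it verifies and carries this request's identifier, sequence and payload."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == ECHO_REPLY and rep["code"] == 0
            and rep["ident"] == req["ident"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])


if __name__ == "__main__":
    # Assumption: like most ping implementations, the identifier is derived from the process ID.
    ident = os.getpid() & 0xFFFF
    request = build_echo_request(ident, 1, b"constructed sample payload")
    reply = build_echo_reply(request)         # stands in for the reply from the remote host
    print(parse_icmp(reply), reply_matches(request, reply))
```

The identifier and sequence number are how ping pairs each reply with the probe it sent (and how it notices a missing one); a reply with the wrong sequence number, or one that fails the checksum, is simply ignored. Sending the real thing needs a raw socket, which is why ping runs with elevated privileges on most systems.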
Questions
What command would you use to ping the bbc.co.uk website?
Answer: ping bbc.co.uk
What is the IPv4 address?
Answer: 217.160.0.152
What switch lets you change the interval of sent ping requests?
Answer: -i
What switch would allow you to restrict requests to IPv4?
Answer: -4
What switch would give you a more verbose output?
Answer: -v
Part 6 (Traceroute)
Traceroute can be used to map the path your request takes on its way to the target machine. Since the internet is made up of a plethora of routers and servers that are all networked together, a request has to cross a number of them. Traceroute shows this path by listing every system between your computer and the destination. The basic syntax for traceroute on Linux is: traceroute <destination>
Questions
Use traceroute on tryhackme.com. Can you see the path your request has taken?
Answer: No answer needed.
What switch would you use to specify an interface when using Traceroute?
Answer: -i
What switch would you use if you wanted to use TCP SYN requests when tracing the route?
Answer: -T
[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?
Answer: Internet
Part 7 (WHOIS)
Domain names are translated into IP addresses by the Domain Name System (DNS). This means you can type medium.com instead of a hard-to-remember IP address. Domains are leased out by companies called domain registrars.
The command-line tool whois lets you look up information on the registrant of a domain name. Just run whois <domain> to get the available information about the domain registration.
Questions
Perform a whois search on facebook.com.
What is the registrant postal code for facebook.com?
Answer: 94025
When was the facebook.com domain first registered (Format: DD/MM/YYYY)?
Answer: 29/03/1997
Perform a whois search on microsoft.com.
Which city is the registrant based in?
Answer: Redmond
[OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?
I searched for “One Microsoft Way” on Google Maps, and could easily identify a golf course nearby by looking at satellite imagery.
Answer: Bellevue Golf Course
What is the registered Tech Email for microsoft.com?
Answer: msnhst@microsoft.com
Part 8 (Dig)
I mentioned DNS before. In practice the process is a little more involved. Say you type a domain name into your browser. The following steps occur:
- Your PC checks its local cache to see whether it already knows the IP address of the domain. If it does, the website is loaded and the next steps are not needed.
- If the IP address is not cached, your PC sends a request to a recursive DNS server. These servers are known to your router and are most likely maintained by your Internet Service Provider (ISP). Recursive servers keep a cache of answers for popular domain names. If they do not know the domain, your request is sent on to a root name server instead.
- The root name servers keep track of the DNS servers one level down, the Top-Level Domain (TLD) servers. A root name server does not know the answer itself; it simply points your request to the right server further down.
- Top-Level Domain (TLD) servers are split up by extension. If you look up medium.com, your request is directed to a TLD server that handles .com domains. Like the root servers, TLD servers send your request on to the next level down: the authoritative name servers.
- Authoritative name servers store the DNS records for domains directly. In other words, every domain in the world has its DNS records stored on an authoritative name server. It returns the relevant record, allowing your computer to connect to the IP address behind the domain you requested.
This all happens automatically. The dig command-line tool lets you query a DNS server of your choice directly, for example a public recursive resolver such as 8.8.8.8, and see the raw records it returns:
dig <domain> @<dns-server-ip>
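An added example (my own code, not the room's) of what travels between your machine and the resolver when dig runs: it builds the query sent for an A record, parses a constructed response carrying one A record with a 24-hour TTL, and accepts the response only if its transaction ID and question match the outstanding query, which is the check a resolver uses to discard replies it never asked for. The domain example.com and the address 192.0.2.1 are documentation values chosen for the sample.

```python
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int, depth: int = 0) -> tuple:
    """Decode a name, following 0xC0 compression pointers; bounded so a pointer loop cannot hang us."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                       # pointer into an earlier part of the message
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            name, _ = decode_name(msg, pointer, depth + 1)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int = TYPE_A) -> tuple:
    """12-byte header + one question. RD=1 asks the server to recurse, as dig does by default."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_answer(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed server reply: same ID, same question, one A record whose name points back at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, RCODE=0
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr


def parse_response(resp: bytes, expected_txid: int, expected_name: str) -> dict:
    """Accept only a response whose ID and question match the query we have outstanding."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    qname, offset = decode_name(resp, 12)
    if qdcount != 1 or qname.lower() != expected_name.lower():
        raise ValueError("question does not match the one we asked")
    offset += 4   # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(resp, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def accepted(resp: bytes, expected_txid: int, expected_name: str) -> bool:
    """True if the response passes the matching checks above, False if it would be discarded."""
    try:
        parse_response(resp, expected_txid, expected_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the server's reply to an A query, with a 24-hour TTL (86400 s).
    txid, query = build_query("example.com")
    response = build_answer(query, "192.0.2.1", 86400)
    print(parse_response(response, txid, "example.com"))
```

The TTL in the answer record is the number dig prints in its ANSWER SECTION, in seconds, so a 24-hour TTL shows up as 86400. The 16-bit transaction ID is deliberately random: it, together with the question, is all that ties a reply to a query, and a resolver that accepted replies without checking both would cache whatever anyone sent it.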
Questions
What is DNS short for?
Answer: Domain Name System
What is the first type of DNS server your computer would query when you search for a domain?
Answer: Recursive
What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc.)? Use the long version of the name.
Answer: Top-level domain
Where is the very first place your computer would look to find the IP address of a domain?
Answer: local cache
[Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?
Answer: 8.8.4.4
If a DNS query has a TTL of 24 hours, what number would the dig query show?
Answer: 86400
Part 9
We are done! I hope you learned a lot about networking. It was great fun to write this summary. If you want you can leave me a clap or two 🙂