TryHackMe: Introductory Networking  - Walkthrough

Hey there! Let’s tackle the awesome Introductory Networking room on THM. Ready to dive in?

Room URL: https://tryhackme.com/room/introtonetworking

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Part 1: Introduction to Networking

The topics covered in this room are as follows:

• The OSI Model
• The TCP/IP Model
• How these models look in practice
• An introduction to basic networking tools

TryHackMe does a good job of explaining concepts, and I won’t go into many details. However, I will try to highlight the important points.

Part 2: Networking OSI Model

The OSI model is a standardised model used to explain concepts behind networking. It contains of seven layers:

• 7. Application — Provides networking options to programs running on a system. Gives them an interface in order to transmit data.
• 6. Presentation — Receives data from application layer. Ensures that the data is standardised before sending it further along to the receives. This layer is also responsible for encryption, compression and other transformations.
• 5. Session — The session layer receives the formatted data from the presentation layer. It then tries to establish a session, and is afterwards responsible of maintaining it. It works together with the session layer of the computer on the other side. When the session layer has successfully logged a connection between the host and remote computer the data is passed down to the next layer.
• 4. Transport — The transport layer serves different functions. It selects the protocol over which the data is transmitted, TCP or UDP. TCP is connection-based and focuses on reliable connections, and any lost data is resent. UDP is selected when speed is more important than reliability.
• 3. Network — The network layer is responsible for locating the destination of your request. It is this layer that looks at the IP address and selects the best route to take.
• 2. Data Link — This layer focuses on the physical addressing of the transmission. It receive a packet from the network layer with a IP address, but adds the MAC address (unique address to identify a network enabled machine with a Network Interface Card) of the receiving machine. In addition, the data link layer check that data has not been corrupted during transmission, and when moving to a receiver if ensures the data is presented in a format suitable for transmission.
• 1. Physical — The physical layer is all about the hardware of the computer. It ensures that the binary data of the transmission are converted into signals, and the other way around.

Questions

Which layer would choose to send data over TCP or UDP?

The transport layer decided which of the two protocols to send data over. This is layer four.

Answer: 4

Which layer checks received packets to make sure that they haven’t been corrupted?

The second layer, the data link layer, adds a MAC address to a packet and also ensures that the data has not been corrupted.

Answer: 2

In which layer would data be formatted in preparation for transmission?

The data layer is also responsible for the data formatting, so the answer is again layer number two.

Answer: 2

Which layer transmits and receives data?

The first layer (Physical layer) is responsible for transmitting and receiving data.

Answer: 1

Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardised format?

The presentation layer ensures that the data is standardised before sending it further along to the receives

Answer: 6

Which layer tracks communications between the host and receiving computers?

The session layer creates a session to track communication between the host and receiving machines.

Answer: 5

Which layer accepts communication requests from applications?

The application layer provides an interface to programs running on a machine to send networking requests.

Answer: 7

Which layer handles logical addressing?

The network layer looks at the target IP address and selects the best route to the target destination.

Answer: 3

When sending data over TCP, what would you call the “bite-sized” pieces of data?

The “bite-sized” pieces of data sent over TCP are called segments. (When sending data over UDP they are called datagrams.

Answer: Segments

[Research] Which layer would the FTP protocol communicate with?

The File Transfer Protocol (FTP) operates at the Application Layer (Layer 7) of the OSI model. This layer is responsible for providing network services directly to end-user applications, facilitating file transfers between client and server systems.

Answer: 7

Which transport layer protocol would be best suited to transmit a live video?

Live video is best transmitted over UDP, as speed is more important than reliability. It is acceptable to miss a few packets when seeing a Netflix movie, but you want it to go fast 🙂

Answer: UDP

Part 3: Encapsulation

Data passes from each layer to the next, and with each step more information is added to the transmission. We call this process encapsulation.

Note that in each layer we give a different name to the encapsulated data. In layers 7,6 and 5, the data is referred to as data. In the transport layer the encapsulated data is referred to as a segment or a datagram (depending on wether TCP or UDP is used). At the Network Layer, the data is referred to as a packet. In the Data Link layer it becomes a frame, and finally in the Physical Layer we refer to the data as bits.

When the data is received by the destination, the whole process is reversed. We call this de-encapsulation. The process goes from the physical layer towards the application layer. During each step it remove a piece of the added information.

Questions

How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?

If you look at the above figure, you will see that data in layer two are called frames.

Answer: Frames

How would you refer to data at layer 4 of the encapsulation process (with the OSI model), if the UDP protocol has been selected?

We covered this in the previous section. Data at layer 4 is called Datagrams if we are referring to the UDP protocol.

Answer: Datagrams

What process would a computer perform on a received message?

When a computer receives a message over a network, it goes through a process to interpret and handle the data. This process is called de-encapsulation and it ensures that the message is processed and understood properly at each layer.

Answer: De-encapsulation

Which is the only layer of the OSI model to add a trailer during encapsulation?

Refer to the above image again. In the data link layer (number 6) we add a trailer.

The trailer is added to the end of the frame, and it typically contains error-checking information, such as a Cyclic Redundancy Check (CRC) or Frame Check Sequence (FCS), to ensure data integrity during transmission. This helps the receiving system detect errors in the transmitted frame.

Answer: Data link

Does encapsulation provide an extra layer of security (Aye/Nay)?

This is true. By encapsulating data with headers and sometimes encryption at different layers, sensitive information can be segmented and less visible to unauthorized entities.

Answer: Aye

Part 4: TCP/IP model

There exists another model similar to the OSI model, which we refer to as the TCP/IP model. The TCP/IP model is actually slightly older.

Instead of the seven layers of the OSI model, the TCP/IP model only has four:

• Application Layer
• Transport Layer
• Internet Layer
• Network Interface Layer

The two models match up like this:

Why do we use two similar models? The OSI model is easier to learn because the different steps are split up, while the TCP/IP model is more practical and used in real life.

How data actually moves through a network

TCP/IP consists of a variety of protocols. TCP/IP takes its name from the two most important of these: the Transmission Control Protocol which controls the flow of data between two endpoints, and the Internet Protocol, which controls how packets are addressed and sent.

TCP is a connection-based protocol. This means that there has to be a stable connection between two computers. The creation of this connection is called the three-way handshake.

The process goes like this:

1. When attempting to make a connection, your computers sends a request to a remote computer indicating it wants to establish a connection. The important part is that this request contains something called a SYN (synchronise) bit.
2. The remote computer responds with a packet which also contains the SYN bit, but also contains a ACK (acknowledgement) bit.
3. Finally, your computer sends a packet with a ACK bit to confirm that a connection has been created. Now data can be transmitted in a reliable manner.

Questions

Which model was introduced first, OSI or TCP/IP?

The TCP/IP  was developed by the United States Department of Defense (DoD) as part of research for ARPANET, the precursor to the internet. The OSI model came 10 years later.

Answer: TCP/IP

Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?

Answer: Transport

Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?

Answer: Application

The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?

Answer: Physical

Which layer of the TCP/IP model handles the functionality of the OSI network layer?

Answer: Internet

What kind of protocol is TCP?

TCP is a connection-based protocol, which means that there has to be a stable connection between two computers. The creation of this connection is called the three-way handshake.

Answer: Connection-based

What is SYN short for?

SYN is short for synchronise.  When attempting to make a connection, your computers sends a request to a remote computer indicating it wants to establish a connection. This request contains a SYN bit.

Answer: Synchronise

What is the second step of the three way handshake?

In the second second the remote computer responds with a packet which contains the SYN bit, as well as a ACK (acknowledgement) bit.

Answer: SYN/ACK

What is the short name for the “Acknowledgement” segment in the three-way handshake?

The short name for the acknowledgement segment is ACK.

Answer: ACK

Part 5: Ping

Now it is time to look at some network related command-line tools. We start with the ping tool. This simple tool is used to test whether a connection to a remote system is possible. It can also be used to determine the ip address of the server hosting a website.

Ping uses the ICMP protocol, which is one of the slightly less well-known TCP/IP protocols that were mentioned earlier. The ICMP protocol works on the Network layer of the OSI Model, and the Internet layer of the TCP/IP model. The basic syntax for ping is ping <target>.

Questions

ping bbc.co.uk

What command would you use to ping the bbc.co.uk website?

The relevant command is “ping” followed by the url:

Answer: ping bbc.co.uk

Ping muirlandoracle.co.uk. What is the IPv4 address?

This can be answered by looking the output of the previous command:

Answer: 217.160.0.152

What switch lets you change the interval of sent ping requests?

We can find the answer on the man page of the ping command. Run the following command:

man ping

Here you can see in the top that the -i flag can be used to specify the interval. You can also see this page:

https://linux.die.net/man/8/ping

-i interval: Wait interval seconds between sending each packet. The default is to wait for one second between each packet normally, or not to wait in flood mode. Only super-user may set interval to values less 0.2 seconds.

Answer: -i

What switch would allow you to restrict requests to IPv4?

See the above screenshot.

Answer: -4

What switch would give you a more verbose output?

For this answer you have to scroll a bit down when looking at the man page.

The answer is the -v flag.

Answer: -v

Part 6: Traceroute

Traceroute can be used to map the path your request takes as it heads to the target machine. Since the internet is made up of a plethora of different servers which are all network up to each other, a request needs to take a path across a variety of them. Traceroute shows this path by listing all systems that are between your computer and the destination. The basic syntax for traceroute on Linux is this: traceroute <destination>

Questions

Use traceroute on tryhackme.com. Can you see the path your request has taken?

Use the following command:

traceroute <destination>

You will see something similar as this:

Answer: No answer needed.

What switch would you use to specify an interface when using Traceroute?

Time to look at a man page again:

man traceroute

The -i flag allows us to specify the interface through which traceroute should send packets.

Answer: -i

What switch would you use if you wanted to use TCP SYN requests when tracing the route?

Have another look at the man page. This time scroll a bit up.

Answer: -T

[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?

In Windows, traceroute operates primarily at the Internet Layer of the TCP/IP model by default.

Traceroute works by sending ICMP Echo Requests (Internet Control Message Protocol) and analyzing the Time-to-Live (TTL) field in the packet header. ICMP is part of the Internet Layer in the TCP/IP model, used for diagnostics and network communication.

Answer: Internet

Part 7: WHOIS

Domain names are transferred into IP addresses by a domain name system. This means you can write medium.com instead of writing a difficult to remember IP address. Domains are leased out by companies called Domain Registrars.

The command line tool called whois allows you get information on the owner of a domain name. Just use whois <domain> to get a list of available information about the domain registration.

Questions

Perform a whois search on facebook.com

Let’s move on. Run the following command:

whois facebook.com

Answer: No answer needed

What is the registrant postal code for facebook.com?

You will find the postal code in the output.

Answer: 94025

When was the facebook.com domain first registered (Format: DD/MM/YYYY)?

Look at the output again. Scroll to the top to find the following data:

Answer: 29/03/1997

Perform a whois search on microsoft.com.

whois facebook.com

Answer: No answer needed

Which city is the registrant based in?

Look in the output from the previous command:

Answer: Redmond

[OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?

I searched for “One Microsoft Way” on Google Maps, and could easily identify a golf course nearby by looking at satellite imagery.

Answer: Bellevue Golf Course

What is the registered Tech Email for microsoft.com?

A little bit down in the output:

Answer: msnhst@microsoft.com

Part 8: Dig

I mentioned DNS before. Let’s discuss what they are and how try work. At the most basic level, DNS allows us to ask a special server to give us the IP address of the website we’re trying to access. For example, if we made a request to www.google.com, our computer would first send a request to a special DNS server (which your computer already knows how to find). The server would then go looking for the IP address for Google and send it back to us. Our computer could then send the request to the IP of the Google server.

Let’s say you write a domain name in your browser. Let’s discuss more details by have a look at the steps that occur:

1. Your PC checks its local cache if it knows the IP address of the domain name. If it does the website gets loaded and the next steps are not required.
2. If your PC does not have the IP address of the domain in its cache, it will send a request to a recursive DNS server. These servers are known by your router, and are most likely maintained by your Internet Service Provide (ISP). These recursive servers maintains a cache of IP addresses for popular domain names. If they do not know the domain, your request gets send to a root name server instead.
3. The root name servers keep track of the DNS servers in the next level down. These lower level servers are called Top-Level Domain (TLD) servers. The root name servers basically just shows pinpoints your request to a another server further down.
4. Top-Level Domain (TLD) servers are split up into extensions. If you search for medium.com, your request would be redirected to a TLD server that handles .com domains. Similarly to root name server, TLD servers send your request the next level down: Authoritative name servers.
5. Authoritative name servers are used to store DNS records for domains directly. In other words, every domain in the world will have its DNS records stored on an Authoritative name server. It will send the relevant information back to you, allowing your computer to connect to the IP address behind the domain you requested.

This all happens automatically.

The tool dig allows manual querying of DNS servers for domain information, often used for network troubleshooting. It works by querying recursive DNS servers with a command like dig <domain> @<dns-server-ip>. When performing a DNS lookup, such as on google.com, the ANSWER section is the most important, showing the IP address associated with the domain. Another key piece of information is the TTL (Time To Live), which tells your computer how long to cache the DNS result before querying the server again. TTL is measured in seconds, and in the example, the TTL is 157 seconds (2 minutes and 37 seconds).

The command to use would be like so:

 dig <domain> @<dns-server-ip>

Questions

What is DNS short for?

Answer: Domain Name System

What is the first type of DNS server your computer would query when you search for a domain?

If the required info is not in your local info, your computer would query a recursive DNS server.

Answer: Recursive

What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk*, etc)*? Use the long version of the name.

Domain extensions are handled by top-level domain DNS servers.

Answer: Top-level domain

Where is the very first place your computer would look to find the IP address of a domain?

As mentioned before, your computer looks into your local cache. If the IP address of a domain is saved there, it does not have to communicate with a DNS server.

Answer: local cache

[Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?

Some simple googling lead me to the answer here:

https://developers.google.com/speed/public-dns

Answer: 8.8.4.4

If a DNS query has a TTL of 24 hours, what number would the dig query show?

TTL is measured in seconds, and since every hour has 3600 seconds, 24 hours would equal 86400 seconds.

Answer: 86400

Part 9: Conclusion

We are done with the Introductory Networking room on THM! I hope you learned a lot about networking and some essential Linux command line tools to gain information about networks.
It was great fun to write this summary of the TryHackMe: Introductory Networking room of TryHackMe, so thank you for reading.

Find more of my walkthroughs here.

Like my articles?

You are welcome to support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg