🌱 Beginner
Protocols & Ports
Ports are the doors into a system. Protocols are the languages spoken through those doors. Master both.
TCP vs UDP
TCP (Transmission Control Protocol)
- Connection-oriented: Establishes a session before sending data.
- Reliable: Guarantees delivery via acknowledgments (ACKs).
- Ordered: Packets arrive in sequence (sequence numbers).
- Error-checked: Corrupted packets are retransmitted.
- Flow control: Prevents overwhelming the receiver.
Used for: HTTP, SSH, FTP, SMTP, databases
UDP (User Datagram Protocol)
- Connectionless: Fire and forget - no session setup.
- Unreliable: No delivery guarantee, no retransmission.
- Unordered: Packets may arrive out of sequence.
- No error recovery: Application must handle errors.
- Lightweight: Minimal overhead, very fast.
Used for: DNS, VoIP, streaming, gaming, DHCP
Pentest Insight
UDP services are often overlooked in scans because they're slower to enumerate. Always scan UDP ports (nmap -sU) - you might find SNMP, TFTP, or NFS hiding there.
The TCP 3-Way Handshake
Before any data is sent over TCP, a connection must be established. This is the foundation of TCP's reliability.
Client                                         Server
  |  --- SYN (seq=100) ------------------->  |   "I want to connect"
  |  <-- SYN-ACK (seq=300, ack=101) -------  |   "OK, acknowledged"
  |  --- ACK (ack=301) ------------------->  |   "Connection established!"
  ✓ ESTABLISHED
⚠️ Attack: SYN Flood (DoS)
An attacker sends thousands of SYN packets with spoofed source IPs. The server allocates resources for each half-open connection, eventually exhausting memory.
# Using hping3
hping3 -S --flood -V -p 80 <target>
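The handshake diagram above and the half-open-connection exhaustion described in the SYN flood note, modelled from the server's side in Python. This is an added example, not code from the original page: the packet trace is constructed inline, and the Packet fields, the server address 10.0.0.10, the spoofed 203.0.113.x sources and the detection thresholds are assumptions rather than a real capture format or a production detector.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields the handshake depends on."""
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0  # 0 = no acknowledgment carried


SERVER = "10.0.0.10"  # assumed server address for the constructed trace

# Constructed trace: one legitimate client completes the handshake with the
# same numbers as the diagram (seq=100 / seq=300, ack=101 / ack=301), then
# 50 SYNs arrive from spoofed sources that never answer the SYN-ACK.
SAMPLE_TRACE = [
    Packet("10.0.0.5", SERVER, "SYN", seq=100),
    Packet(SERVER, "10.0.0.5", "SYN-ACK", seq=300, ack=101),
    Packet("10.0.0.5", SERVER, "ACK", seq=101, ack=301),
]
for i in range(1, 51):
    SAMPLE_TRACE.append(Packet(f"203.0.113.{i}", SERVER, "SYN", seq=1000 + i))
    SAMPLE_TRACE.append(Packet(SERVER, f"203.0.113.{i}", "SYN-ACK", seq=5000 + i, ack=1001 + i))


def track_handshakes(packets, server):
    """Replay packets and return {client_ip: state} as the server would see it.

    A SYN puts the client in SYN_RECEIVED (the half-open state that holds a
    backlog slot). The final ACK promotes it to ESTABLISHED only when its
    acknowledgment number equals the server's ISN + 1; anything else is
    ignored, which is what stops a blindly forged ACK from completing it.
    """
    state = {}
    client_isn = {}
    server_isn = {}
    for p in packets:
        if p.dst == server and p.flags == "SYN":
            state[p.src] = "SYN_RECEIVED"
            client_isn[p.src] = p.seq
        elif p.src == server and p.flags == "SYN-ACK":
            # The server acknowledges client_seq + 1 and picks its own ISN.
            if p.dst in client_isn and p.ack == client_isn[p.dst] + 1:
                server_isn[p.dst] = p.seq
        elif p.dst == server and p.flags == "ACK":
            if (state.get(p.src) == "SYN_RECEIVED"
                    and p.src in server_isn
                    and p.ack == server_isn[p.src] + 1):
                state[p.src] = "ESTABLISHED"
    return state


def half_open_summary(state):
    """Return (half_open_count, total_tracked, half_open_fraction)."""
    half = sum(1 for s in state.values() if s == "SYN_RECEIVED")
    total = len(state)
    return half, total, (half / total if total else 0.0)


def syn_flood_suspected(state, min_half_open=20, min_fraction=0.8):
    """Assumed heuristic: many half-open entries AND most entries half-open.

    Both thresholds are placeholders; tune them to the server's SYN backlog.
    """
    half, _total, fraction = half_open_summary(state)
    return half >= min_half_open and fraction >= min_fraction


if __name__ == "__main__":
    final = track_handshakes(SAMPLE_TRACE, SERVER)
    half, total, fraction = half_open_summary(final)
    print(f"{half}/{total} tracked clients half-open ({fraction:.0%})")
    print("SYN flood suspected:", syn_flood_suspected(final))
```

Two things the replay makes visible. First, every spoofed source appears exactly once, so per-source rate limiting sees nothing unusual; the signal is the number of distinct entries stuck in SYN_RECEIVED, which is exactly the backlog that SYN cookies avoid allocating until the final ACK arrives. Second, the ack-number check on the last step is why the state machine only advances for a peer that actually received the SYN-ACK.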
Common Ports Reference
Memorize these. On every engagement, you'll encounter them.
🔴 High-Value Targets
| Port | Service | Protocol | Why It Matters |
|---|---|---|---|
| 21 | FTP | TCP | Anonymous login, cleartext creds |
| 22 | SSH | TCP | Bruteforce, key-based auth bypass |
| 23 | Telnet | TCP | Cleartext everything - sniff it all |
| 445 | SMB | TCP | EternalBlue, null sessions, relay attacks |
| 3389 | RDP | TCP | BlueKeep, NLA bypass, credential spray |
| 1433 | MSSQL | TCP | xp_cmdshell, sa account |
| 3306 | MySQL | TCP | root account with no password, UDF exploitation |
🌐 Web Services
| Port | Service | Notes |
|---|---|---|
| 80 | HTTP | Standard web - always enumerate |
| 443 | HTTPS | Check for SSL vulns, virtual hosts |
| 8080 | HTTP Proxy | Tomcat, Jenkins, dev servers |
| 8443 | HTTPS Alt | Management interfaces |
🏰 Active Directory / Windows
| Port | Service | Attack Surface |
|---|---|---|
| 88 | Kerberos | AS-REP Roasting, Kerberoasting |
| 135 | RPC | Enumeration, DCOM attacks |
| 389 | LDAP | Anonymous bind, user enumeration |
| 636 | LDAPS | Encrypted LDAP |
| 5985 | WinRM HTTP | Remote PowerShell access |
| 5986 | WinRM HTTPS | Encrypted remote PowerShell |
Quick Scan Commands
# Quick TCP scan (top 1000 ports)
nmap -sT -T4 <target>
# Full TCP scan with service detection
nmap -sV -sC -p- <target>
# UDP scan (slow but important)
nmap -sU --top-ports 100 <target>
# Check specific high-value ports
nmap -sV -p 21,22,23,25,80,443,445,3389 <target>