TryHackMe: Pre Security

author: Nathan Acks
date: 2021-09-13

Intro to LAN

Introducing LAN Topologies

Some common network topologies:

Key hardware terminology:

While switches don’t (necessarily) know about IP addresses, the correspondence here is fairly clear: Switches generally handle devices on the same subnet (since each device expects to be able to directly communicate with all subnet IPs), while routers bridge (provide the “gateway” to) different subnets. This starts to get a little muddled when dealing with things like VLANs, though if you think of a VLAN-aware switch as a stack of “virtual switches” it helps.

A Primer on Subnetting

Subnetting is typically used to segment networks by function.

The “network address” of a subnet is the first IP address available in the subnet, and is used to identify the network.

The ARP Protocol

The ARP (Address Resolution Protocol) protocol is used to associate IP addresses with MAC addresses. Devices use ARP to determine the machine that responds to a particular IP address. Doing this every time a packet needs to be sent would get costly both in terms of network bandwidth and compute power, so devices will cache MAC-to-IP relationships (physical-to-logical identifiers) for some time after initial discovery.

ARP uses a two-step exchange: The device looking for an IP address will broadcast an ARP request to the entire network looking for a machine that responds to a given IP address. Then only the machine with that IP address will send an ARP reply, however.

The DHCP Protocol

“DHCP” stands for “Dynamic Host Configuration Protocol”.

DHCP uses a four-step exchange:

OSI Model

What is the OSI Model?

OSI stands for “Open Systems Interconnection”; it is a seven-layer model that describes all parts of the network stack (though sometimes I’ve heard the user referred to as “layer 8”). The idea is that segmenting responsibilities by layer allows for more uniform network and device behavior.

Higher layers extend (“encapsulate”) lower layers.

Layer 7: Application

The application layer determines how the user interacts with data. This is where, well, user-facing applications live.

More or less anything goes at the application layer.

Layer 6: Presentation

The presentation layer is where data standards live. What does an email look like? How is HTTP structured? Etc.

In general, this is the layer where security features like SSL are layered on.

Layer 5: Session

The session layer is responsible for actually connecting two machines and transmitting the data between them. Data is transmitted in a “session” - a successful connection between two systems.

This is the layer where packets live.

Layer 4: Transport

The transport layer determines how data is sent in a session. This is where TCP and UDP (as protocols) live.

TCP stands for “Transmission Control Protocol”.

UDP stands for “User Datagram Protocol”. One of the key aspects of UDP is that the application layer gets to decide how quickly packets are sent in a given session. ARP and DHCP both operate over UDP.

Layer 3: Network

This is the layer routers live at, and is where packets of data are assembled and disassembled.

Two key routing protocols:

The network layer is (mostly) the one that uses IP addresses; typically it is in this layer that data is handed off from the computer to the larger network.

The data link layer translates the logical (IP) addresses of the network layer into physical (MAC) addresses. If data needs to be re-arranged to deal with physical limitations of the network, it happens here (so this is where things like MTUs come into play).

Because switches (generally) only care about MAC addresses, they live in this layer.

Layer 1: Physical

This is where actual physical cabling lives - the layer of atoms and electricity.

I suppose that a hub would be a layer 1 device, since it’s just shuffling actual (electrical) packets.

Packets & Frames

What are Packets and Frames?

Packet and frames are more-or-less the same idea, but at two different layers (transport and data link, respectively) of the OSI model. To expand upon the definition above, the network is the OSI layer with the responsibility of turning packets into frames (and vice versa). Alternately, packets encapsulate frames.

In general, we can think of a frame as the actual data, which is encapsulated by IP addressing information.

TCP/IP

A four-layer alternative to OSI!

Same approach to encapsulation as OSI.

Key TCP headers:

Key TCP flags:

TCP’s “three way handshake” opens a connection by establishing a random sequence number.

(Unfortunately, it’s still a little unclear to me how to think about the progression of sequence and acknowledgement numbers over the course of an entire connection. I did a little more searching around, but the other examples I’ve found are even more abbreviated and/or obtuse.)

Closing the connection uses a “four way handshake”: Client FIN > Server ACK > Server FIN > Client ACK

UDP/IP

UDP is stateless. It shares a few headers with TCP:

Since there are no handshakes in UDP, data transmission is fairly simple:

The connection ends when the server stops sending data or the client stops listening. In practice this means that the application layer does need to layer on some kind of client/server messaging system, but UDP does not concern itself with these details.

Ports 101

Ports identify applications (or services provided by an application). There are 2¹⁶ possible ports numbered 0 - 65535.

Ports 0 - 1023 are “common ports” (I’ve typically heard this block called “reserved” or “system”; Wikipedia calls them “well-known”).