Highlight

Understanding Internet Protocols | TryHackMe Protocols and Servers
CTF Writeups Walkthrough CyberSecurity Articles , , , , , , , ,

Understanding Internet Protocols | TryHackMe Protocols and Servers

Introduction

We covered basic foundation on internet protocols such as telnet, HTTP, FTP, IMAP, POP3, SMTP and SSH. We also talked about protocol encryption using TLS as a method to protect data from sniffing and MITM attacks. This was part of TryHackMe Jr Penetration Tester Pathway.

Protocols Covered

Telnet

I learned that Telnet is a protocol used to connect to the terminal of another computer, letting me execute commands remotely. While its default port is 23, I can use it to connect to other ports and interact with different protocols, like HTTP. I even demonstrated connecting to a machine on port 80 (HTTP) using Telnet and retrieving page content with the GET / HTTP/1.1 command followed by Host: telnet. The crucial takeaway is that Telnet is not secure because it transmits data in plain text, making it vulnerable to sniffing.

  • Command: telnet [IP_ADDRESS] [PORT] (e.g., telnet 10.10.10.10 80)
  • Command: GET / HTTP/1.1 (followed by Host: telnet on a new line)

HTTP (Hypertext Transfer Protocol)

I described HTTP as the protocol for transferring web pages. It uses methods like GET to retrieve content (like HTML pages or images) from a server. I also mentioned common web server software such as Apache, Nginx, and IIS, and client browsers like Chrome, Edge, and Firefox.

FTP (File Transfer Protocol)

FTP is used for transferring files between a client and a server (both downloading and uploading). Just like Telnet, FTP transmits data in clear text, making it insecure if the network isn’t hardened. I showed how to connect to an FTP server using ftp [IP_ADDRESS]. Its default port is 21. Once connected, I could list files with ls, switch to ASCII mode with ascii for text files, and download files with get [FILENAME]. To upload, the command is put [FILENAME]. I also noted that some FTP servers allow anonymous logins (username: anonymous, password: anonymous).

  • Command: ftp [IP_ADDRESS]
  • Command: ls
  • Command: ascii
  • Command: get [FILENAME]
  • Command: put [FILENAME]

SMTP (Simple Mail Transfer Protocol)

I defined SMTP as the protocol for sending emails, which defaults to port 25. I briefly touched on the roles of Mail User Agent (MUA), Mail Submission Agent (MSA), and Mail Delivery Agent (MDA). I demonstrated connecting to an SMTP server using Telnet: telnet [IP_ADDRESS] 25.

  • Command: telnet [IP_ADDRESS] 25

POP3 (Post Office Protocol version 3)

I explained that POP3 is used for receiving/downloading emails. By default, POP3 deletes emails from the server after downloading them to the client, meaning emails aren’t synchronized across devices. It runs on port 110. I showed connecting using Telnet: telnet [IP_ADDRESS] 110. After authenticating (e.g., USER flag, PASS [password]), the STAT command shows inbox statistics.

  • Command: telnet [IP_ADDRESS] 110
  • Command: USER [username]
  • Command: PASS [password]
  • Command: STAT

IMAP (Internet Message Access Protocol)

IMAP is another protocol for receiving/downloading emails, similar to POP3. The key difference is that IMAP synchronizes emails across multiple devices and doesn’t delete them from the server by default. It runs on port 143. I demonstrated connecting via Telnet: telnet [IP_ADDRESS] 143. IMAP commands often have a tracking string prefix (e.g., C1, C2), like C1 LOGIN [username] [password] and C2 LIST "" "*".

  • Command: telnet [IP_ADDRESS] 143
  • Command: C1 LOGIN [username] [password]
  • Command: C2 LIST "" "*"

Security Implications

I then moved on to the security implications of these protocols:

Sniffing Attacks

Because protocols like Telnet, FTP, SMTP, POP3, and IMAP transmit data in clear text, they are vulnerable to sniffing if an attacker is on the same network. Tools like tcpdump (command line) and Wireshark (GUI) can capture this unencrypted traffic.

  • Command (tcpdump): tcpdump port 110 -A

MITM (Man-in-the-Middle) Attacks

I described MITM attacks where an attacker positions themselves between the user and the destination, again requiring them to be on the same network. Methods include setting up rogue access points or using tools like Bettercap and Ettercap for ARP poisoning or DNS poisoning.

Securing Protocols with TLS/SSL

I introduced TLS (Transport Layer Security) and SSL (Secure Sockets Layer) as solutions to encrypt data transfer. Secure versions of the protocols exist:

  • HTTPS (port 443)
  • FTPS (port 990)
  • SMTPS (port 465)
  • POP3S (port 995)
  • IMAPS (port 993) I also mentioned DNS over TLS (DoT).

SSH (Secure Shell)

I presented SSH as a secure alternative to FTP for file transfer and Telnet for remote command execution. SSH encrypts communication, making it immune to MITM attacks.

  • Command (connect): ssh [username]@[IP_ADDRESS] (e.g., ssh mark@10.10.10.10)
  • Command (file download using SCP): scp [username]@[IP_ADDRESS]:/path/to/remote/file /path/to/local/destination (e.g., scp mark@10.10.10.10:book.txt .)

Password Attacks

I briefly touched upon password attacks, explaining they rely on using a wordlist of possible passwords against a known username. I introduced Hydra as a tool for this.

  • Command (Hydra example for FTP): hydra -l [username] -P [path_to_password_list] ftp://[IP_ADDRESS] (e.g., hydra -l mark -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10)

TryHackMe Protocols and Servers Answers

 
To which port will the telnet command with the default parameters try to connect?
Launch the attached VM. From the AttackBox terminal, connect using Telnet to MACHINE_IP 80 and retrieve the file flag.thm. What does it contain?

Using an FTP client, connect to the VM and try to recover the flag file. What is the flag?

  • Username: frank
  • Password: D2xc9CgD
Using the AttackBox terminal, connect to the SMTP port of the target VM. What is the flag that you can get?
Connect to the VM (MACHINE_IP) at the POP3 port. Authenticate using the username frank and password D2xc9CgD. What is the response you get to STAT?
 

How many email messages are available to download via POP3 on MACHINE_IP?

What is the default port used by IMAP?
What do you need to add to the command sudo tcpdump to capture only Telnet traffic?
 

What is the simplest display filter you can use with Wireshark to show only IMAP traffic?

How many different interfaces does Ettercap offer?
 

In how many ways can you invoke Bettercap?

DNS can also be secured using TLS. What is the three-letter acronym of the DNS protocol that uses TLS?
Use SSH to connect to MACHINE_IP as mark with the password XBtc49AB. Using uname -r, find the Kernel release?
 

Use SSH to download the file book.txt from the remote system. How many KBs did scp display as download size?

We learned that one of the email accounts is lazie. What is the password used to access the IMAP service on MACHINE_IP?
 

Video Walkthrough(s)

Getting Started in CyberSecurity? Get Your Free Infosec 101 Guide !

We don’t spam! Read our privacy policy for more info.

Getting Started in CyberSecurity? Get Your Free Infosec 101 Guide !

We don’t spam! Read our privacy policy for more info.

Share on Facebook
Post on X
Save
Share
Share
Share
Tag

Related Posts

Post Comment

You May Have Missed

Follow by Email
Facebook
X (Twitter)
Youtube
Instagram
Reddit
LinkedIn
SOCIALICON