Understanding the mechanics of TCP (Transmission Control Protocol) is crucial in grounding your knowledge for pentesting.
I wrote so many notes on the course and underlined several lines that I knew I’d need to research in more detail. One of those was the definition of the initial steps that TCP uses to create a connection.
This has clearly been documented many times before and I found a great reference at https://www.sciencedirect.com/topics/computer-science/three-way-handshake
The process is pretty straightforward and reading the notes on that site has helped me no end in further understanding SEQuence numbers, SYNchronising and ACKnowledgement.
Apart from the SEQuence number and the SYN and ACK flags there are other flags: FINish ends the active session tidily, while RESet indicates a more abrupt termination of the session.
The process of establishing a successful connection is this:
- Client sends a SYN to the server
- Server responds with SYN and an ACKnowledgement
- Client responds with its own ACKnowledgement
- The connection is established and data transfer begins, with the SEQuence number advancing as each segment is sent
It’s not uncommon to see SYN – SYN/ACK – ACK in TCP reference material.
You sometimes see other parameters such as ECN and CWR that are passed between client and server. These are used to indicate congestion. I need to research this in more detail.
Since TCP uses this style of connectivity it is easy to monitor traffic using tools such as Wireshark. And this is the point. I want to get familiar with what I’m seeing in Wireshark.
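To make the SYN – SYN/ACK – ACK exchange above concrete, here is an added example (my own, not from the course or the referenced site) that builds three constructed TCP headers with made-up ports and initial sequence numbers, decodes the flag bits the way Wireshark labels them (including the ECE and CWR congestion flags), and checks that the ack numbers line up the way a valid handshake requires.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793, ECE/CWR from RFC 3168).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left as zero) for the demo."""
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    off_flags = (5 << 12) | bits  # data offset = 5 words (20 bytes), then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(raw):
    """Decode ports, sequence number, ack number and set flag names from a raw header."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    flags = [name for name, bit in FLAGS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def handshake_step(hdr):
    """Name the stage a header belongs to, using the same labels Wireshark shows."""
    f = set(hdr["flags"])
    if "RST" in f:
        return "RST"
    if "SYN" in f:
        return "SYN/ACK" if "ACK" in f else "SYN"
    if "FIN" in f:
        return "FIN"
    return "ACK" if f == {"ACK"} else "DATA"

def verify_handshake(segments):
    """True if three raw headers form SYN, SYN/ACK, ACK with consistent seq/ack numbers.
    A SYN consumes one sequence number, so each side acknowledges the other's ISN + 1."""
    hdrs = [parse_tcp_header(s) for s in segments]
    if [handshake_step(h) for h in hdrs] != ["SYN", "SYN/ACK", "ACK"]:
        return False
    syn, synack, ack = hdrs
    wrap = 0xFFFFFFFF  # sequence space is 32 bits, so additions wrap around
    return (synack["ack"] == (syn["seq"] + 1) & wrap
            and ack["seq"] == (syn["seq"] + 1) & wrap
            and ack["ack"] == (synack["seq"] + 1) & wrap)

# Constructed sample exchange: client port 40000 to server port 80, ISNs picked by hand.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SYN = build_tcp_header(40000, 80, CLIENT_ISN, 0, ["SYN"])
SYN_ACK = build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"])
ACK = build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"])
HANDSHAKE = [SYN, SYN_ACK, ACK]
```

Feeding each header to `parse_tcp_header` reproduces the Seq/Ack/flags columns Wireshark displays for a capture, which is a handy way to check your reading of a real trace against the rules above.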
This is just a brain dump from my notebook which works as a refresher as I type. Repetition and all that.