The Network Protocol Cheatsheet: Riddhi Suryavanshi

This document provides a summary of 50 common networking protocols organized by OSI layer. It includes the protocol name and number, associated port(s), relevant RFCs, a brief description, and common attacks or vulnerabilities. The goal is to serve as a quick reference for students and security professionals regarding networking protocols and security considerations. Key terms like protocol, port, RFC, and OSI layer are also defined.
THE NETWORK PROTOCOL CHEATSHEET
Riddhi Suryavanshi
1 University of Delhi, 2 Lucideus Technologies
[email protected]

I. INTRODUCTION
This document is intended for students and security professionals as a quick reference for networking protocols. It covers 50 protocols classified according to the OSI layer they operate on. The corresponding RFC is given for each protocol so that its parameters and commands can be checked further. From a security perspective, the corresponding attacks and vulnerabilities are also included in this cheatsheet.

II. KEY TERMS

Protocol, Port, RFC, OSI Layer, Attack, Vulnerability

III. DEFINITIONS

[1] Protocol: A protocol is a standard set of rules that allow electronic devices to communicate with each other.
[2] Port: A logical construct that identifies a specific process or a type of network service.
[3] RFC: A formal document from the Internet Engineering Task Force that is the result of committee drafting and subsequent review by interested parties.
[4] OSI Layer: One of the seven layers of the Open Systems Interconnection Model that describes how information from a software application in one computer moves through a physical medium to the software application in another computer.
[5] Attack: An information security threat that involves an attempt to obtain, alter, destroy, remove, implant or reveal information without authorized access or permission.
[6] Vulnerability: A flaw in a system that can leave it open to attack.

IV. ABBREVIATIONS

DoS – Denial of Service
MitM – Man in the Middle
b/w – between
MAC – Media Access Control
VPN – Virtual Private Network
N/W – Network
VoIP – Voice over IP
Aka – Also known as
DROWN – Decrypting RSA using Obsolete and Weakened Encryption
DDoS – Distributed Denial of Service

| S No. | Protocol | Port(s) | TCP/UDP | RFC | OSI layer | Description | Attacks/Vulnerabilities |
|---|---|---|---|---|---|---|---|
| 1 | IEEE 802.11 | - | - | - | Physical | Specifies MAC & physical layer protocols for implementing WLAN Wi-Fi. | DoS by MAC address spoofing |
| 2 | PPTP (Point-to-Point Tunneling Protocol) | 1723 | Both | 2637 | Data Link | Implements VPN. Uses TCP control channel and Generic Routing Encapsulation (GRE). | MitM; Bit flipping |
| 3 | L2TP (Layer 2 Tunneling Protocol) | 1701 | Both | 2661, 3931 | Data Link | Extension of PPP. Uses UDP to avoid the TCP meltdown problem. | DoS |
| 4 | PPP (Point-to-Point Protocol) | - | - | 1661 | Data Link | Provides communication b/w 2 routers directly without any host or networking. Provides connection authentication, transmission encryption & compression. | Format string attack |
| 5 | ARP (Address Resolution Protocol) | - | - | 826 | Layer 2.5 | Discovers the MAC address. Creates a communication in internal N/W. | ARP cache poisoning |
| 6 | RARP (Reverse Address Resolution Protocol) | - | - | 903 | Layer 2.5 | Resolves MAC address to an IP address. | ARP poisoning |
| 7 | ICMP (Internet Control Message Protocol) | - | - | 792 | Network | Used by ping & traceroute utilities to report info. about network connectivity. Uses a data packet with 8-byte header. Each packet has a Type & Code. No port used, as N/W software itself interprets all ICMP messages. | Ping sweep; Ping flood; ICMP tunneling; Forged ICMP redirects |
| 8 | IGMP (Internet Group Management Protocol) | - | - | 3376 | Network | Used by TCP/IP suite to achieve dynamic multicasting. Class D IP addresses are used. | DoS |
| 9 | OSPF (Open Shortest Path First) | - | - | 2328, 2740 | Network | Routing protocol for IP networks. Uses link state routing algorithm. Part of interior gateway protocols (IGPs). | DoS; Local authentication bypass |
| 10 | NAT (Network Address Translation) | - | - | 3022 | Network | Maps one IP address space to another. Modifies network address in IP header of packets. Helps to conserve global address space. Requires 1-to-1 relationship. | DoS; Interception of internal & external traffic due to improper configuration |
| 11 | PAT (Port Address Translation) | - | - | - | Network | Aka NAT overloading. Permits multiple devices on a LAN to be mapped to a single public IP address. Provides many-to-one relationship. | Discovery of intranet IP addresses |
| 12 | IP (Internet Protocol) | - | - | 791, 2460 | Network | Provides the functions necessary to deliver a datagram from a source to a destination over an interconnected system of networks. No reliability, flow control & sequencing. | IP spoofing |
| 13 | RIP (Routing Information Protocol) | 520 | UDP | 1058, 2080, 2453 | Network | Dynamic routing protocol. Uses hop count to find the best path b/w source & destination. | DDoS reflection attacks |
| 14 | IPSEC (IP Security) | 1293 | Both | 2407 | Network | Provides data authentication, integrity, and confidentiality. 3 components: Encapsulating Security Payload, Authentication Header & Internet Key Exchange. | Bleichenbacher attack |
| 15 | TCP (Transmission Control Protocol) | 0-65535 | TCP | 793 | Transport | Connection oriented. Error checks & reporting. Acknowledgement. 20 byte header. | SYN flooding; TCP reset; TCP session hijacking |
| 16 | UDP (User Datagram Protocol) | 0-65535 | UDP | 768 | Transport | Connectionless. Error checks but no reporting. No acknowledgement. 8 byte header. | UDP flood attack |
| 17 | NETBIOS (N/W Basic Input Output System) | 137, 138 | Both | 1001, 1002, 1088 | Session | Allows applications on separate computers to communicate over a local area network. Relies on API. | Information disclosure; Connection using null sessions |
| 18 | RPC (Remote Procedure Call) | 530 | Both | 1057 | Session | Used for interprocess communication in client-server based applications. | XML-RPC attacks |
| 19 | SMB (Server Message Block) | 139, 445 | Both | - | Session | Enables user to access file on a server, or other application. CIFS was its early version. | EternalBlue attack; Gives remote access; WannaCry & Petya |
| 20 | SOCKS (Socket Secure) | 1080 | Both | 1928 | Session | Exchanges network packets between a client and server through a proxy server. No compatibility issues, unlike HTTP proxy. | Arbitrary command execution; DoS |
| 21 | RTP (Real-time Transport Protocol) | 16384-32767, SRTP | Both | 3550, 3711 | Session | VoIP protocol. Delivers audio & video over IP networks. | RTP flooding attack; RTP bleed |
| 22 | SSL (Secure Sockets Layer) | - | - | 6101 | Presentation | Establishes encrypted communication b/w client & server. Created by Netscape. | BEAST; SSL renegotiation |
| 23 | TLS (Transport Layer Security) | - | - | 2246 | Presentation | Establishes encrypted communication b/w client & server. Created by IETF. | DROWN; ROBOT; POODLE; Heartbleed |
| 24 | Kerberos | 88 | Both | 1964 | Presentation | Provides security & authentication. Uses symmetric key distribution using symmetric encryption to access file server. Helps nodes to prove their identity to one another. | DoS; Arbitrary code execution; Buffer overflow |
| 25 | WPA (Wi-Fi Protected Access) | - | - | - | Presentation | Security standard that provides better encryption & authentication than WPA. | KRACK |
| 26 | MIME (Multipurpose Internet Mail Extensions) | - | - | 1521, 1522 | Presentation | Supports text in multiple character sets, as well as attachments of audio, video, apps & images. | XSS using MIME sniffing |
| 27 | ECHO | 7 | Both | 862 | Application | Used for testing & measurement of round trip timings in IP networks. Server sends back identical copy of the data it received. | Can perform DoS |
| 28 | DHCP (Dynamic Host Configuration Protocol) | 67 | UDP | 2131, 3315 | Application | A network management protocol used to automate the process of configuring devices on IP networks. | Remote code execution; Bogus DHCP client & server |
| 29 | BOOTP (Bootstrap Protocol) | 67, 68 | Both | 951 | Application | Older version of DHCP. Automatically assigns IP address to network devices from a configuration server. | BootpD; BOOTP server impersonation |
| 30 | HTTP (Hyper Text Transfer Protocol) | 80 | Both | 1945 | Application | Used for communication over World Wide Web. | MitM attack |
| 31 | HTTPS (Hyper Text Transfer Protocol Secure) | 443 | Both | - | Application | HTTPS with SSL for security. | SSL stripping; DROWN attack |
| 32 | FTP (File Transfer Protocol) | 20, 21 | Both | 959, 2228 | Application | File transfer. Uses TCP, hence file delivery is guaranteed. | Brute force attack; Packet capture; Anonymous authentication; Directory traversal attack |
| 33 | FTPS (FTP with SSL) | 989, 990 | Both | 4217 | Application | Uses command channel & opens new connections for data transfer. Requires a certificate. | MitM |
| 34 | SFTP (SSH File Transfer Protocol) | 22 | Both | 913 | Application | Uses encrypted credentials to authenticate. SSH keys can also be used to authenticate. | Brute force attack |
| 35 | POP3 (Post Office Protocol) | 110, 995 | Both | 937, 1939 | Application | Store-and-forward client/server protocol. Deletes mail on server as soon as user has downloaded it. | Buffer overflow in POP3 servers can cause DoS |
| 36 | SSH (Secure Shell) | 22 | Both | 4251 | Application | Cryptographic network protocol for operating network services securely over an unsecured network. | Static SSH keys; Embedded SSH keys can provide backdoor |
| 37 | Telnet (TELecommunication NETwork) | 23 | Both | 15, 854, 855 | Application | Allows connecting to remote computers over a TCP/IP network. | Brute force attack; Stealing credentials by sniffing; SSH and SMTP banner grabbing |
| 38 | NTP (Network Time Protocol) | 123 | Both | 1059, 1119, 1305 | Application | Synchronizes clock among devices. | NTP amplification DDoS attack |
| 39 | IMAP/S (Internet Message Access Protocol) | 143; 993 | Both | 1176, 1730 | Application | Allows user to create folders & assign messages to folders. User can obtain just the message header (useful in low-bandwidth connection). | Password spraying attacks |
| 40 | DNS (Domain Name System) | 53 | Both | 1034, 1035 | Application | Resolves names in TCP/IP network. | Typosquatting; DNS poisoning |
| 41 | SOAP (Simple Object Access Protocol) | 80 | Both | - | Application | XML based messaging protocol to exchange info. Characteristics: extensibility, neutrality & independence. | SOAP injection; Unauthenticated remote access |
| 42 | SNMP/S (Simple Network Management Protocol) | 161; 162 | Both | 1157, 1441, 2570 | Application | Allows network manager to monitor networking equipment & remotely modify settings & configuration. | Sniffing of plain text password; Modification of packet header |
| 43 | SMTP/S (Simple Mail Transfer Protocol) | 25; 465 | Both; TCP | 5321 | Application | Transfers mail from sender's mail server to recipient's mail server. | Account enumeration; E-mail header disclosures; Helps find internal IPs |
| 44 | SNTP (Simple Network Time Protocol) | 123 | | 2030, 4330 | Application | Used when full implementation of NTP is not needed. Synchronizes a computer's system time with a server that has already been synchronized by a source such as a radio, satellite receiver or modem. Supports unicast, multicast and anycast operating modes. | DoS via a crafted NTP packet |
| 45 | RFB (Remote Frame Buffer) | 5900 | Both | 6143 | Application | Used by VNC (Virtual N/W Computing) [only TCP port used]. Graphical desktop sharing system. Used in technical support. | Stack buffer overflow; Information disclosure |
| 46 | RDP (Remote Desktop Protocol) | 3389 | Both | - | Application | Provides GUI to connect to another computer. | Reverse RDP attack; Sabotage sandboxes |
| 47 | TFTP (Trivial File Transfer Protocol) | 69 | Both | 1350 | Application | A lockstep FTP. Allows a client to get a file from or put a file onto a remote host. Simpler than FTP. | No encryption & authentication; TFTP server spoofing |
| 48 | NFS (Network File System) | 2049 | Both | 3530 | Application | Allows a user to access files over a computer network much like local storage is accessed. | Elevation of privilege; Arbitrary code execution |
| 49 | SIP/S (Session Initiation Protocol) | 5060; 5061 | Both; TCP | 3261 | Application | Used for initiating, maintaining & terminating real-time sessions. VoIP protocol. | Registration hijacking; Message tampering |
| 50 | LDAP/S (Lightweight Directory Access Protocol) | 389; 636 | Both | 1777, 2253 | Application | An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. | LDAP injection; DoS; NULL base querying |
