Study-Notes on May Meow

TCP/IP Three-Way Handshake

Sun, 31 May 2026 15:18:07 +0200

🤝 TCP/IP Three-Way Handshake

TCP stands for transmission Control Protocol
similar to OSI model
Consist 4 layers
- Application
- Transport
- Internet
- Network Interface
Information is added to each layer (similar to OSI) in process called encapsulation
it is connection-based - must establish connection before can send data
guarantees that sent data will be received on the other end in process named Three-way handshake

Some most important TCP packet headers

Header	Description
Source Port	This value is the port opened by the sender to send the TCP packet from. This value is chosen randomly (out of the ports from 0-65535 that aren’t already in use at the time).
Destination Port	This value is the port number that an application or service is running on the remote host (the one receiving data); for example, a webserver running on port 80. Unlike the source port, this value is not chosen at random.
Source IP	This is the IP address of the device that is sending the packet.
Destination IP	This is the IP address of the device that the packet is destined for.
Sequence Number	When a connection occurs, the first piece of data transmitted is given a random number. We’ll explain this more in-depth further on.
Acknowledgement Number	After a piece of data has been given a sequence number, the number for the next piece of data will have the sequence number + 1. We’ll also explain this more in-depth further on.
💡 Checksum	This value is what gives TCP integrity. A mathematical calculation is made where the output is remembered. When the receiving device performs the mathematical calculation, the data must be corrupt if the output is different from what was sent.
Data	This header is where the data, i.e. bytes of a file that is being transmitted, is stored.
Flag	This header determines how the packet should be handled by either device during the handshake process. Specific flags will determine specific behaviours, which is what we’ll come on to explain below.

Three-way handshake

communicates using few special messages

Step	Message	Description
1	SYN	A SYN message is the initial packet sent by a client during the handshake. This packet is used to initiate a connection and synchronise the two devices together (we’ll explain this further later on).
2	SYN/ACK	This packet is sent by the receiving device (server) to acknowledge the synchronisation attempt from the client.
3	ACK	The acknowledgement packet can be used by either the client or server to acknowledge that a series of messages/packets have been successfully received.
4	DATA	Once a connection has been established, data (such as bytes of a file) is sent via the “DATA” message.
5	FIN	This packet is used to cleanly (properly) close the connection after it has been complete.
#	RST	This packet abruptly ends all communication. This is the last resort and indicates there was some problem during the process. For example, if the service or application is not working correctly, or the system has faults such as low resources.

When one device send data with random number sequence other device need to agree with same number sequence for data to be send in correct order. Order is assinged after three steps

OSI Model

Sun, 31 May 2026 14:02:48 +0200

OSI Model

Open Systems Interconnection Model
dictating how all networked devices will send, receive and interpret data
consists of 7 layers

The model (layers)

7. Application
- determine how the user interact with the data
- Email clients, file browsers or chat application belongs here
- 💡 Users interact with data trough GUI (Graphical user interface)
- DNS (Domain Name System) protocol also belongs here
  - Translates web addresses to the IP addresses
6. Presentation
- standardization - the data of one application needs to be handled the same way
- 💡acts as translator for data and from the application layer
- data encryption occur here
5. Session
- create and maintain the connection to other computer (When a connection is established, a session is created)
- responsible for closing the connection
- session can contain “checkpoints”
  - save bandwidth by only requiring send newest pieces of data
- data cannot travel over different sessions
4. Transport
- plays important part in transmitting data across network
- Data sent between devices follows 2 protocols
  - TCP
  - UDP
3. Network
- routing & re-assembly of data is part of this layer
- 💡protocol of this layer determine what’s the “optimal” path for data to reach device
- 💡 e.g. OSPF (Open Shortest Path First) and RIP (Routing Information Protocol)
- Deciding is based on the following
  - What path is the shortest? I.e. has the least amount of devices that the packet needs to travel across.
  - What path is the most reliable? I.e. have packets been lost on that path before?
  - Which path has the faster physical connection? I.e. is one path using a copper connection (slower) or a fibre (considerably faster)?
- 💡 everything here is dealt with via IP addresses
2. Data Link
- focuses of the physical adresing of the transmission
- adds MAC address to the packet
  - Mac addresses are unique, set by manufacturer and can be spoofed
  - 💡 MAC address belongs to the network cards. Devices need network cards to connect to the network
- present the data in format suitable for transmission
1. Physical
- physical components of hardware
- 💡 Devices uses electrical signals to transfer data in a binary system
- 💡 For example, ethernet cables are part of this layer

Transport Protocols

TCP

💡Transmission Control protocol
designed with reliabailit and guarantee in mind
reserves constant connection between devices for the ammout of time it takes for the data to be send and received
incorporates error checking
can guarantee that data sent from the small chunks in the session layer (layer 5) has then been received and reassembled in the same order.
stateful - 3-way handshake

Pros

Honeypots

Sun, 31 May 2026 11:15:24 +0200

🍯 Honeypots

vulnerable security tool designed to attract attackers and record the actions of adversaries
can be used in a defensive role to alert administrators of potential breaches
and/or to distract attackers away from real infrastructure
collects data, tools and techniques

Classification

by Interactivity

Low-Interaction
- only capable of simulating the functions that are required to simulate a service and capture attacks against it
- Adversaries are not able to perform any post-exploitation activity
- Example: mailoney, dionaea.
Medium Interaction
- emulating both vulnerable services as well as the underlying OS, shell, and file systems
- ℹ️ the system presented to adversaries is a simulation,
  - it is usually not possible for to complete full range of post-exploitation activity
- allows adversaries to complete initial exploits and carry out post-exploitation activity
- For example: Cowrie
High-Interaction
- fully complete systems that are usually Virtual Machines that include deliberate vulnerabilities
- Adversaries should be able (but not necessarily allowed) to perform any action against the honeypot as it is a complete system
- ⚠️ Needs to be carefully managed, otherwise they can be used to attack other systems
- For example Cowrie as an SSH Proxy

by Deployment location

Internal Honeypots
- deployed inside LAN
- for threats originating from the inside, for example, attacks originating from trusted personnel or attacks that by-parse firewalls like phishing attack
- ⚠️ should never be compromised
External Honeypots
- Deployed on the internet
- Monitor attacks outside LAN
- Collects much more data since they are effectively guaranteed to be under attack at all times

Typical behavior of bots

ℹ️ Majority of typical SSH deployemnts are automated. Most of the post-exploitation activity that takes place after a bot gains initial access to the honeypot will follow a broad pattern.