// TCP THREE-WAY HANDSHAKE REFERENCE
CLIENT                                SERVER
[ CLOSED ]                            [ LISTEN ]
[ SYN_SENT ]      ──── SYN ────→
                  ←── SYN-ACK ───     [ SYN_RCVD ]
[ ESTABLISHED ]   ──── ACK ────→      [ ESTABLISHED ]
#01 Handshake — First Step
50 pts OPEN

The TCP three-way handshake establishes a reliable connection between client and server. What is the very first packet (flag) sent by the client to initiate a TCP connection?

# Wireshark capture:
192.168.1.5 → 93.184.216.34 TCP ??? sport=49152 dport=80
93.184.216.34 → 192.168.1.5 TCP SYN-ACK sport=80 dport=49152
192.168.1.5 → 93.184.216.34 TCP ACK sport=49152 dport=80
Synchronize. Three letters. It sets the SYN bit in the TCP header.
Flag Captured
NET{syn_1n1t14t3s_c0nn3ct}
#02 Abrupt Connection Reset
75 pts OPEN

Unlike FIN, which gracefully closes a connection, one TCP flag immediately aborts it: no waiting, no acknowledgment. Firewalls use this flag to reject connections. Port scanners identify closed ports by receiving this response.

# Nmap output — closed port:
Sending SYN to port 8080...
Received: TCP ??? (connection refused)
# Port is CLOSED — what flag did the server send?
SYN ACK ??? FIN PSH URG
Think "reset". Three letters. Like pressing the emergency stop button on a connection.
Flag Captured
NET{rst_k1lls_c0nn3ct10n}
#03 Linux Default TTL
75 pts OPEN

TTL (Time To Live) is an IP header field that decrements by 1 at each router hop. It prevents packets from looping forever. Different operating systems use different default TTL values. What is the default TTL for Linux?

# OS fingerprinting via TTL:
$ ping 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=1 ttl=??? time=12.3ms

# Hint: Windows = 128, Cisco = 255, Linux = ?
It's a power of 2. Between 32 and 128. Exactly half of Windows default TTL.
Flag Captured
NET{ttl64_l1nux_f1ngr}
#04 SSH Default Port
100 pts OPEN

SSH (Secure Shell) is the standard protocol for encrypted remote terminal access, replacing the insecure telnet. Knowing default service ports is essential for both attackers and defenders. What is the default port for SSH?

# Connect to remote server via SSH:
$ ssh user@192.168.1.100 -p ???

# /etc/services excerpt:
ssh ???/tcp # Secure Shell
It's a well-known port below 1024. Between 20 and 25.
Flag Captured
NET{p0rt22_ssh_3ncrypt3d}
#05 ICMP Protocol Type
150 pts OPEN

The ping command sends ICMP Echo Request messages and waits for an Echo Reply. ICMP is also used by traceroute and is the vehicle for ICMP flood attacks. What protocol acronym does ping use? (4 letters)

# Wireshark filter for ping traffic:
$ wireshark -f "????"

Frame: 74 bytes
Internet Protocol Version 4
Protocol: ???? (1)
???? Echo Request, id=0x0001, seq=1/256
Internet Control Message Protocol. Used for diagnostics. IP protocol number 1.
Flag Captured
NET{1cmp_p1ng_3ch0_r3qu3st}
MODULE COMPLETE

TCP/IP mastered. Your packets flow true.
All flags captured. 450 points earned.