Tryhackme Notes.pdf
2024
TRYHACKME NOTES - SEPTEMBER 2024 - KIVANC

Ping

Ping uses ICMP (Internet Control Message Protocol) packets to determine the performance of a connection between devices, for example whether the connection exists or is reliable. Ping measures the time taken for ICMP packets travelling between devices, as in the screenshot below. The measurement is made using an ICMP echo request and the ICMP echo reply that comes back from the target device.

Star Topology

The main premise of a star topology is that devices are individually connected via a central networking device such as a switch or hub. This topology is the most commonly found today because of its reliability and scalability, despite the cost. Because more cabling and the purchase of dedicated networking equipment are required for this topology, it is more expensive than any of the other topologies. However, despite the added cost, it does provide some significant advantages. For example, this topology is much more scalable in nature, which means that it is very easy to add more devices as the demand for the network increases.

What is a Switch?

Switches are dedicated devices within a network that are designed to aggregate multiple other devices, such as computers, printers, or any other networking-capable device, using Ethernet. Switches are much more efficient than their lesser counterparts (hubs/repeaters). Switches keep track of which device is connected to which port. This way, when they receive a packet, instead of repeating that packet to every port like a hub would, they send it only to the intended target, thus reducing network traffic.

Both switches and routers can be connected to one another. The ability to do this increases the redundancy (the reliability) of a network by adding multiple paths for data to take. If one path goes down, another can be used.
Whilst this may reduce the overall performance of a network because packets have to take longer to travel, there is no downtime, which is a small price to pay considering the alternative.

What is a Router?

It's a router's job to connect networks and pass data between them. It does this by using routing (hence the name router!).

Subnetting

Subnetting is the term given to splitting up a network into smaller, miniature networks within itself. Subnetting is achieved by splitting up the number of hosts that can fit within the network, represented by a number called a subnet mask. Let's refer back to our diagram from the first room in this module.

As we can recall, an IP address is made up of four sections called octets. The same goes for a subnet mask, which is also represented as a number of four bytes (32 bits), each ranging from 0 to 255.

Subnets use IP addresses in three different ways:
- Identify the network address
- Identify the host address
- Identify the default gateway

Let's split these three up to understand their purposes in the table below:

Type | Purpose | Explanation | Example
Network Address | This address identifies the start of the actual network and is used to identify a network's existence. | For example, a device with the IP address 192.168.1.100 will be on the network identified by 192.168.1.0. | 192.168.1.0
Host Address | An IP address here is used to identify a device on the subnet. | For example, a device will have the network address of 192.168.1.1. | 192.168.1.100
Default Gateway | The default gateway address is a special address assigned to a device on the network that is capable of sending information to another network. | Any data that needs to go to a device that isn't on the same network (i.e. isn't on 192.168.1.0) will be sent to this device. These devices can use any host address but usually use either the first or last host address in a network (.1 or .254). | 192.168.1.254

Subnetting provides a range of benefits, including:
- Efficiency
- Security
- Full control

How many bits are in a subnet mask? 32
What is the range of a section (octet) of a subnet mask? 0-255
What address is used to identify the start of a network? Network Address
What address is used to identify devices within a network? Host Address
What is the name used to identify the device responsible for sending data to another network? Default Gateway

The ARP Protocol

The Address Resolution Protocol, or ARP for short, is the technology responsible for allowing devices to identify themselves on a network. Simply put, ARP allows a device to associate its MAC address with an IP address on the network. Each device on a network keeps a log of the MAC addresses associated with other devices. When devices wish to communicate with one another, they send a broadcast to the entire network searching for the specific device. Devices can use ARP to find the MAC address (and therefore the physical identifier) of a device for communication.

How does ARP Work?

Each device within a network has a ledger to store information on, which is called a cache. In the context of ARP, this cache stores the identifiers of other devices on the network. In order to map these two identifiers together (IP address and MAC address), ARP sends two types of messages:
1. ARP Request
2. ARP Reply

When an ARP request is sent, a message is broadcast on the network to other devices asking, "What is the MAC address that owns this IP address?" When the other devices receive that message, they will only respond if they own that IP address, and will send an ARP reply with their MAC address. The requesting device can now remember this mapping and store it in its ARP cache for future use.
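The subnetting and ARP sections above describe two decisions a host makes before it can send anything: which network an address belongs to (and so whether the next hop is the destination or the default gateway), and what MAC address that next hop has. The following is an added example, not code from the notes or from TryHackMe, that simulates both on the 192.168.1.0 network; the device names and MAC addresses are constructed.

```python
import ipaddress

def describe_subnet(ip, mask):
    """Split an address/mask pair into the pieces the notes name: the network address,
    the host address and the first/last host addresses (the usual gateway choices)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    hosts = list(net.hosts())            # usable host addresses; network/broadcast excluded
    return {
        "network_address": str(net.network_address),
        "host_address": str(iface.ip),
        "prefix_length": net.prefixlen,  # number of 1 bits in the 32-bit subnet mask
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }

def next_hop(src_ip, mask, dst_ip, gateway):
    """A host reaches on-link destinations directly; anything outside its own network
    (i.e. not on 192.168.1.0 in the notes' example) is handed to the default gateway."""
    net = ipaddress.IPv4Interface(f"{src_ip}/{mask}").network
    return dst_ip if ipaddress.IPv4Address(dst_ip) in net else gateway

class Device:
    """A host on the broadcast domain. It answers an ARP request only for its own IP
    and keeps the 'ledger' from the notes: an ARP cache of ip -> mac it has learned."""
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}

    def handle_arp_request(self, target_ip):
        return self.mac if target_ip == self.ip else None

def arp_resolve(asker, lan, target_ip, log):
    """Return the MAC for target_ip. The request is broadcast only on a cache miss;
    every device hears it, but only the owner of the address replies."""
    if target_ip in asker.arp_cache:
        log.append(f"{asker.ip}: {target_ip} is at {asker.arp_cache[target_ip]} (from cache)")
        return asker.arp_cache[target_ip]
    log.append(f"{asker.ip} -> ff:ff:ff:ff:ff:ff ARP request: who has {target_ip}?")
    for dev in lan:
        if dev is asker:
            continue
        mac = dev.handle_arp_request(target_ip)
        if mac is not None:
            log.append(f"{dev.ip} -> {asker.ip} ARP reply: {target_ip} is at {mac}")
            asker.arp_cache[target_ip] = mac   # remember the mapping for next time
            return mac
    log.append(f"{asker.ip}: no ARP reply for {target_ip}")
    return None

def deliver(asker, lan, mask, dst_ip, gateway, log):
    """Pick the next hop with the subnet mask, then resolve that hop's MAC with ARP.
    Returns (next_hop_ip, mac_or_None)."""
    hop = next_hop(asker.ip, mask, dst_ip, gateway)
    return hop, arp_resolve(asker, lan, hop, log)

if __name__ == "__main__":
    # Constructed LAN: the notes' 192.168.1.0 network with the gateway at .254
    pc = Device("192.168.1.100", "02:00:00:00:01:64")
    printer = Device("192.168.1.50", "02:00:00:00:01:32")
    gw = Device("192.168.1.254", "02:00:00:00:01:fe")
    lan, log = [pc, printer, gw], []
    print(describe_subnet(pc.ip, "255.255.255.0"))
    print(deliver(pc, lan, "255.255.255.0", "192.168.1.50", gw.ip, log))  # on-link: ARP for the printer
    print(deliver(pc, lan, "255.255.255.0", "10.20.30.40", gw.ip, log))   # off-link: ARP for the gateway
    print("\n".join(log))
```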
The DHCP Protocol

IP addresses can be assigned either manually, by entering them into a device by hand, or automatically (and most commonly) by using a DHCP (Dynamic Host Configuration Protocol) server. When a device connects to a network, if it has not already been manually assigned an IP address, it sends out a request (DHCP Discover) to see if any DHCP servers are on the network. The DHCP server then replies with an IP address the device could use (DHCP Offer). The device then sends a reply confirming it wants the offered IP address (DHCP Request), and lastly the DHCP server sends a reply acknowledging that this has been completed and the device can start using the IP address (DHCP ACK).

What is the OSI Model?

The OSI model (Open Systems Interconnection Model) is an absolutely fundamental model used in networking. This critical model provides a framework dictating how all networked devices will send, receive and interpret data.

DNS - layer 7
HTTPS - layer 6
TCP/UDP - layer 4

Devices such as routers capable of delivering packets using IP addresses are known as Layer 3 devices, because they are capable of working at the third layer of the OSI model.

Packets and frames are small pieces of data that, when put together, make up a larger piece of information or message. However, they are two different things in the OSI model. A frame is at layer 2, the data link layer, meaning there is no such information as IP addresses. Think of this as putting an envelope within an envelope and sending it away. The first envelope is the packet that you mail, but once it is opened, the envelope within still exists and contains data (this is a frame). A packet using this protocol will have a set of headers that contain additional pieces of information to the data that is being sent across a network.
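The Discover/Offer/Request/ACK exchange above, written out as an added example (not code from the notes or TryHackMe) with a constructed address pool: the server only confirms an address it actually offered to that client, answers a mismatched request with a NAK, and takes back an unconfirmed offer when the client chooses a different server.

```python
from dataclasses import dataclass

@dataclass
class DhcpMessage:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK or NAK
    client_mac: str
    ip: str = ""         # offered / requested / acknowledged address
    server_id: str = ""  # which server made the offer (REQUEST names the one chosen)

class DhcpServer:
    """Hands out addresses from a constructed pool, in order, and only confirms
    (ACKs) an address it actually offered to that client."""
    def __init__(self, server_ip, pool):
        self.server_ip = server_ip
        self.free = list(pool)
        self.offers = {}   # client mac -> ip offered but not yet confirmed
        self.leases = {}   # client mac -> ip confirmed by ACK

    def handle(self, msg):
        if msg.kind == "DISCOVER":
            ip = self.leases.get(msg.client_mac) or self.offers.get(msg.client_mac)
            if ip is None:
                if not self.free:
                    return None                     # nothing to offer: stay silent
                ip = self.free.pop(0)
                self.offers[msg.client_mac] = ip
            return DhcpMessage("OFFER", msg.client_mac, ip, self.server_ip)
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                # the client chose another server: take back our unconfirmed offer
                unused = self.offers.pop(msg.client_mac, None)
                if unused is not None:
                    self.free.insert(0, unused)
                return None
            offered = self.offers.get(msg.client_mac) or self.leases.get(msg.client_mac)
            if offered != msg.ip:
                return DhcpMessage("NAK", msg.client_mac, msg.ip, self.server_ip)
            self.leases[msg.client_mac] = self.offers.pop(msg.client_mac, msg.ip)
            return DhcpMessage("ACK", msg.client_mac, msg.ip, self.server_ip)
        return None

def acquire_address(client_mac, servers):
    """The four-step exchange from the notes, driven by a client with no static address.
    Returns (ip_or_None, transcript)."""
    transcript = ["client broadcasts DISCOVER"]
    discover = DhcpMessage("DISCOVER", client_mac)
    offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
    if not offers:
        transcript.append("no OFFER received")
        return None, transcript
    chosen = offers[0]   # first offer wins; the REQUEST broadcast tells the others
    transcript.append(f"OFFER {chosen.ip} from {chosen.server_id}")
    request = DhcpMessage("REQUEST", client_mac, chosen.ip, chosen.server_id)
    transcript.append(f"client broadcasts REQUEST for {chosen.ip} via {chosen.server_id}")
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]
    ack = next((r for r in replies if r.kind == "ACK"), None)
    if ack is None:
        transcript.append("no ACK (NAK or silence): client must start again with DISCOVER")
        return None, transcript
    transcript.append(f"ACK {ack.ip}: client may now use the address")
    return ack.ip, transcript

if __name__ == "__main__":
    # constructed pool on the notes' 192.168.1.0 network
    server = DhcpServer("192.168.1.1", ["192.168.1.100", "192.168.1.101"])
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"):
        ip, steps = acquire_address(mac, [server])
        print(mac, "->", ip, "|", " ; ".join(steps))
```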
Some notable headers include:

Header | Description
Time to Live | This field sets an expiry timer for the packet so it does not clog up your network if it never manages to reach a host or escape!
Checksum | This field provides integrity checking for protocols such as TCP/IP. If any data is changed, this value will be different from what was expected and therefore corrupt.
Source Address | The IP address of the device that the packet is being sent from, so that data knows where to return to.
Destination Address | The IP address of the device the packet is being sent to, so that data knows where to travel next.

What is the name for a piece of data when it does have IP addressing information? Packet
What is the name for a piece of data when it does not have IP addressing information? Frame

TCP/IP (The Three-Way Handshake)

TCP (Transmission Control Protocol) is another one of these sets of rules used in networking. This protocol is very similar to the OSI model that we discussed in room three of this module. The TCP/IP protocol consists of four layers and is arguably just a summarised version of the OSI model. These layers are:
- Application
- Transport
- Internet
- Network Interface

Very similar to how the OSI model works, information is added at each layer of the TCP model as the piece of data (or packet) traverses it. As you may recall, this process is known as encapsulation, and the reverse of this process is decapsulation.

One defining feature of TCP is that it is connection-based, which means that TCP must establish a connection between a client and a device acting as a server before data is sent. Because of this, TCP guarantees that any data sent will be received on the other end. This process is named the Three-way handshake, which we'll come on to discuss shortly. A table comparing the advantages and disadvantages of TCP is located below:

Advantages of TCP | Disadvantages of TCP
Guarantees the integrity of data. | Requires a reliable connection between the two devices. If one small chunk of data is not received, then the entire chunk of data cannot be used and must be re-sent.
Capable of synchronising two devices to prevent each other from being flooded with data in the wrong order. | A slow connection can bottleneck another device, as the connection will be reserved on the other device the whole time.
Performs a lot more processes for reliability. | TCP is significantly slower than UDP because more work (computing) has to be done by the devices using this protocol.

TCP packets contain various sections of information known as headers that are added through encapsulation. Let's explain some of the crucial headers in the table below:

Header | Description
Source Port | This value is the port opened by the sender to send the TCP packet from. This value is chosen randomly (out of the ports from 0-65535 that aren't already in use at the time).
Destination Port | This value is the port number that an application or service is running on on the remote host (the one receiving data); for example, a webserver running on port 80. Unlike the source port, this value is not chosen at random.
Source IP | This is the IP address of the device that is sending the packet.
Destination IP | This is the IP address of the device that the packet is destined for.
Sequence Number | When a connection occurs, the first piece of data transmitted is given a random number. We'll explain this more in-depth further on.
Acknowledgement Number | After a piece of data has been given a sequence number, the number for the next piece of data will have the sequence number + 1. We'll also explain this more in-depth further on.
Checksum | This value is what gives TCP integrity. A mathematical calculation is made where the output is remembered. When the receiving device performs the mathematical calculation, the data must be corrupt if the output is different from what was sent.
Data | This header is where the data, i.e. bytes of a file that is being transmitted, is stored.
Flag | This header determines how the packet should be handled by either device during the handshake process. Specific flags determine specific behaviours, which is what we'll come on to explain below.

Next, we'll come on to discuss the Three-way handshake, the term given to the process used to establish a connection between two devices. The Three-way handshake communicates using a few special messages; the table below highlights the main ones:

Step | Message | Description
1 | SYN | A SYN message is the initial packet sent by a client during the handshake. This packet is used to initiate a connection and synchronise the two devices together (we'll explain this further later on).
2 | SYN/ACK | This packet is sent by the receiving device (server) to acknowledge the synchronisation attempt from the client.
3 | ACK | The acknowledgement packet can be used by either the client or server to acknowledge that a series of messages/packets have been successfully received.
4 | DATA | Once a connection has been established, data (such as bytes of a file) is sent via the "DATA" message.
5 | FIN | This packet is used to cleanly (properly) close the connection after it has been completed.
# | RST | This packet abruptly ends all communication. This is the last resort and indicates there was some problem during the process. For example, if the service or application is not working correctly, or the system has faults such as low resources.

The diagram below shows a normal Three-way handshake process between Alice and Bob. In real life, this would be between two devices.

Any sent data is given a random sequence number and is reconstructed using this sequence number, incrementing by 1. Both computers must agree on the same sequence number for data to be sent in the correct order. This order is agreed upon during three steps:
1. SYN - Client: Here's my Initial Sequence Number (ISN) to SYNchronise with (0)
2. SYN/ACK - Server: Here's my Initial Sequence Number (ISN) to SYNchronise with (5,000), and I ACKnowledge your Initial Sequence Number (0)
3. ACK - Client: I ACKnowledge your Initial Sequence Number (ISN) of (5,000); here is some data that is my ISN+1 (0 + 1)

Device | Initial Sequence Number (ISN) | Final Sequence Number
Client (Sender) | 0 | 0+1=1
Client (Sender) | 1 | 1+1=2
Client (Sender) | 2 | 2+1=3

TCP Closing a Connection

Let's quickly explain the process behind TCP closing a connection. First, TCP will close a connection once a device has determined that the other device has successfully received all of the data. Because TCP reserves system resources on a device, it is best practice to close TCP connections as soon as possible. To initiate the closure of a TCP connection, the device will send a "FIN" packet to the other device. Of course, with TCP, the other device will also have to acknowledge this packet. Let's show this process using Alice and Bob as we have previously.

In the illustration, we can see that Alice has sent Bob a "FIN" packet. Because Bob received this, he will let Alice know that he received it and that he also wants to close the connection (using FIN). Alice has heard Bob loud and clear and will let Bob know that she acknowledges this.

What is the header in a TCP packet that ensures the integrity of data? Checksum
Provide the order of a normal Three-way handshake (with each step separated by a comma): SYN,SYN/ACK,ACK

UDP/IP

The User Datagram Protocol (UDP) is another protocol used to communicate data between devices. Unlike its brother TCP, UDP is a stateless protocol that doesn't require a constant connection between the two devices for data to be sent. For example, the Three-way handshake does not occur, nor is there any synchronisation between the two devices. Recall some of the comparisons made about these two protocols in Room 3: "OSI Model".
UDP is used in situations where applications can tolerate data being lost (such as video streaming or voice chat) or in scenarios where an unstable connection is not the end of the world. A table comparing the advantages and disadvantages of UDP is located below:

Advantages of UDP | Disadvantages of UDP
UDP is much faster than TCP. | UDP doesn't care if the data is received or not.
UDP leaves the application (user software) to decide if there is any control over how quickly packets are sent. | It is quite flexible to software developers in this sense.
UDP does not reserve a continuous connection on a device as TCP does. | This means that unstable connections result in a terrible experience for the user.

As mentioned, no process takes place in setting up a connection between two devices. This means that there is no regard for whether or not data is received, and there are no safeguards such as those offered by TCP, such as data integrity. UDP packets are much simpler than TCP packets and have fewer headers. However, both protocols share some standard headers, which are annotated in the table below:

Header | Description
Time to Live (TTL) | This field sets an expiry timer for the packet, so it doesn't clog up your network if it never manages to reach a host or escape!
Source Address | The IP address of the device that the packet is being sent from, so that data knows where to return to.
Destination Address | The IP address of the device the packet is being sent to, so that data knows where to travel next.
Source Port | This value is the port that is opened by the sender to send the UDP packet from. This value is randomly chosen (out of the ports from 0-65535 that aren't already in use at the time).
Destination Port | This value is the port number that an application or service is running on on the remote host (the one receiving the data); for example, a webserver running on port 80. Unlike the source port, this value is not chosen at random.
Data | This header is where data, i.e. bytes of a file that is being transmitted, is stored.

Next, we'll come on to discuss how the process of a connection via UDP differs from that of something such as TCP. We should recall that UDP is stateless. No acknowledgement is sent during a connection. The diagram below shows a normal UDP connection between Alice and Bob. In real life, this would be between two devices.

Ping
- uses ICMP (Internet Control Message Protocol) to determine the performance of a connection between devices, or whether the connection exists or is reliable

Star Topology
- the most common
- the most reliable and scalable
- more cable and devices needed

Switch
- aggregates multiple other devices such as computers, printers
- more efficient than hubs/repeaters
- doesn't repeat the packet to every port like hubs do; it just sends it to the intended target, so reduces the network traffic

Router
Note: connects networks and passes data between them

Subnetting
- splitting up a network into smaller networks within itself
- subnets use IP addresses in 3 different ways:
  - identify the network address
  - identify the host address
  - identify the default gateway
Note: Default Gateway: a special address assigned to a device on the network that is capable of sending information to another network; these devices can use any host address but usually use either the first or last host address in the network [.1 or .254]
- subnetting provides these benefits: efficiency, security, full control

Question: What address is used to identify the start of a network? (Network Address)
Question: What address is used to identify devices within a network? (Host Address)

ARP Protocol
- Address Resolution Protocol
- allows devices to identify themselves on a network
- allows devices to associate their MAC address with an IP address on the network
- devices can use the ARP protocol to find the MAC address of a device for communication
Important: Each device within a network has a ledger to store information, which is called a cache.
In the context of the ARP protocol, this cache stores the identifiers of the other devices on the network. In order to map these 2 identifiers together (IP address and MAC address), the ARP protocol sends 2 types of messages:
1. ARP request
2. ARP reply
Attention: When an ARP request is sent, a message is broadcast on the network to the other devices asking, "What is the MAC address that owns this IP address?" When the other devices receive that message, they will only respond if they own that IP address, and will send an ARP reply with their MAC address. The requesting device can now remember this mapping and store it in its ARP cache for future use.

DHCP protocol
- IP addresses are assigned manually or automatically
- mostly they are assigned automatically by using DHCP
- when a new device joins the network, it sends a request to the network to ask whether there is any DHCP server
- then the DHCP server replies with an IP address that this new device can use
- then the new device confirms this, and the DHCP server acknowledges and confirms that it has completed the process
- then the new device starts to use this IP address

Question: What type of DHCP packet is used by a device to retrieve an IP address? (DHCP discover)
Question: What type of DHCP packet does a device send once it has been offered an IP address by the DHCP server? (DHCP request)
Question: What is the last DHCP packet that is sent to a device from a DHCP server? (DHCP Ack)

PACKETS AND FRAMES
- Packet + Frame --> Large Piece of Information
- when we are talking about anything to do with IP addresses, we are talking about packets
- a packet using IP will have a set of headers

FIREWALLS
Stateful Firewalls:
- use the entire information from a connection
- rather than inspecting individual packets, stateful firewalls determine the behaviour of a device
- consume a lot of resources
- dynamic decision making
Stateless Firewalls:
- use a set of rules to determine whether individual packets are acceptable or not
- use fewer resources
- dumber/less intelligent
- great when receiving a large amount of traffic from a set of hosts [DDoS attacks]
Important: Firewalls operate at Layer 3 and Layer 4

VPN BASICS
- Virtual Private Network
- a VPN is a technology that allows devices on separate networks to communicate securely by creating a dedicated path between each other over the Internet (known as a tunnel)
VPN Technologies:
PPP
- allows for authentication and provides encryption of data
- VPNs work by using a private key and a public certificate, similar to SSH
- a private key and public certificate must match for you
- this technology is not capable of connecting to or leaving a network by itself (non-routable)
PPTP (Point-to-Point Tunnelling Protocol)
- allows data from PPP to travel and leave a network
- very easy to set up and supported by most devices, but weakly encrypted in comparison to alternatives
- the oldest and most common VPN protocol. PPTP is based on the Point-to-Point Protocol (PPP), which is typically used for dial-up connections.
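Going back to the firewall notes above: the difference between judging each packet on its own and judging it against the connection it belongs to is easiest to see with the same packets run through both designs. This is an added example, not code from the notes or TryHackMe; the rule format, the LAN prefix and the addresses (203.0.113.0/24 is a documentation range) are constructed for it.

```python
from dataclasses import dataclass

INTERNAL = "192.168.1."   # constructed: the notes' LAN is 'inside', everything else 'outside'

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the TCP segment that opens a connection

def direction(pkt):
    return "out" if pkt.src.startswith(INTERNAL) else "in"

def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(getattr(pkt, field) == value for field, value in rule.get("match", {}).items())

def stateless_verdict(rules, pkt):
    """Stateless: each packet is judged alone against the rule list; first match wins,
    and anything that matches nothing is dropped."""
    for rule in rules:
        if rule["dir"] == direction(pkt) and matches(rule, pkt):
            return rule["action"]
    return "deny"

class StatefulFirewall:
    """Stateful: remembers which connections were opened from inside and lets inbound
    packets through only when they belong to one of those connections."""
    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.connections = set()    # (src, sport, dst, dport) flows opened from inside

    def verdict(self, pkt):
        if direction(pkt) == "out":
            decision = stateless_verdict(self.rules, pkt)
            if decision == "allow" and pkt.syn:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return decision
        # inbound: must be the reverse of a flow we have already seen opened
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.connections else "deny"

# Constructed policy: let the LAN browse HTTPS. The stateless version must also open a
# hole for the replies (anything *from* port 443), and that hole admits unsolicited
# traffic too; the stateful version needs no inbound rule at all.
STATELESS_RULES = [
    {"dir": "out", "action": "allow", "match": {"dport": 443}},
    {"dir": "in", "action": "allow", "match": {"sport": 443}},
]
STATEFUL_RULES = [
    {"dir": "out", "action": "allow", "match": {"dport": 443}},
]

def compare(packets):
    """Run the same packet sequence through both designs; returns (stateless, stateful) per packet."""
    stateful = StatefulFirewall(STATEFUL_RULES)
    return [(stateless_verdict(STATELESS_RULES, p), stateful.verdict(p)) for p in packets]

if __name__ == "__main__":
    flow = [
        Packet("192.168.1.100", "203.0.113.10", 51000, 443, syn=True),  # LAN opens HTTPS
        Packet("203.0.113.10", "192.168.1.100", 443, 51000),            # server replies
        Packet("203.0.113.10", "192.168.1.100", 443, 22),               # unsolicited, from :443
        Packet("192.168.1.100", "203.0.113.10", 51001, 25, syn=True),   # LAN to SMTP, no rule
    ]
    for pkt, (stateless, stateful) in zip(flow, compare(flow)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={stateless}  stateful={stateful}")
```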
PPTP encapsulates PPP frames into IP packets, encrypts the data, and transmits them over the Internet.
IPSec
- encrypts data by using the existing IP framework
- IPSec is difficult to set up in comparison to alternatives; but if successful, it boasts strong encryption and is supported by many devices

ROUTER
- connects networks and passes data between them
- operates at Layer 3

SWITCH
- connects multiple devices
- switches can facilitate many devices using Ethernet cables
- operate at Layer 2 and Layer 3
- Layer 2 switches use MAC addresses to forward frames. These switches are solely responsible for sending frames to the correct device
- Layer 3 switches are more sophisticated than Layer 2 switches. They can perform some of the responsibilities of a router. They will send frames to devices as Layer 2 does and route packets to other devices by using the IP protocol

DNS (Domain Name System)
- provides a simple way for us to communicate with devices on the internet without remembering complex numbers
- when you want to visit a website, it's not convenient to remember IP addresses. So, DNS remembers which domain has which IP
Domain Hierarchy
- TLD (Top Level Domain): in tryhackme.com, .com is the TLD
- 2 types of TLD: gTLD (generic top level domain) and ccTLD (country code top level domain, such as .ca, .co.uk, .com.tr)
- Second Level Domain: the tryhackme part of tryhackme.com; max 63 characters
Important: maximum length of a domain name = 253

DNS Record Types
- A Record: IPv4 address
- AAAA Record: IPv6 address
- CNAME Record: these records resolve to another domain name (for example store.tryhackme.com returns a CNAME record shops.shopify.com)
- MX Record: these records resolve to the address of the servers that handle email for the domain you are querying
- TXT Record: free text fields where any text-based data can be stored

There are 3 basic levels of DNS servers:
1. Root name server (.). It stores the IP addresses of Top Level Domain (TLD) name servers. There are 13 logical root name servers globally.
2. TLD name server. It stores the IP addresses of authoritative name servers. There are several types of TLD names. For example, generic TLD (.com, .org), country code TLD (.us), test TLD (.test).
3. Authoritative name server. It provides actual answers to the DNS query. You can register authoritative name servers with a domain name registrar such as GoDaddy, Namecheap, etc.

The diagram below illustrates how DNS lookup works under the hood (this section is added from other sites!):
1. google.com is typed into the browser, and the browser sends the domain name to the DNS resolver.
2. The resolver queries a DNS root name server.
3. The root server responds to the resolver with the address of a TLD DNS server. In this case, it is .com.
4. The resolver then makes a request to the .com TLD.
5. The TLD server responds with the IP address of the domain's name server, google.com (authoritative name server).
6. The DNS resolver sends a query to the domain's nameserver.
7. The IP address for google.com is then returned to the resolver from the nameserver.
8. The DNS resolver responds to the web browser with the IP address (142.251.46.238) of the domain requested initially.

DNS lookups on average take between 20-120 milliseconds to complete (according to YSlow).

1. Your laptop does not actually make a DNS query every time it must resolve a domain name. It caches previous queries to improve latency and decrease traffic over the internet. So first, your laptop will check to see if it has an answer for google.com cached before performing the query. Each DNS query is stored in the cache for a finite amount of time called the TTL, "time to live". DNS records change for a variety of reasons, and the TTL mitigates the risk of using stale values in a DNS cache.
2. If there is no answer for google.com cached, your laptop will send the DNS query for google.com to the first DNS server in the chain; this is frequently your home router.
3. The router will check its DNS cache.
4. If there is no answer in the router's cache, the router will forward the request to the next DNS server; this is typically provided by your ISP (i.e., Comcast, Verizon, Cox).
5. Your ISP's DNS server will check its DNS cache. Depending on the flow, there may be multiple DNS servers in this step, where each one will check its cache and forward to the next server in the flow. Either way, the concept is the same.
6. When your laptop, home router, and ISP's DNS server(s) do not have an answer, the request is sent to the root DNS servers. The root server would return the name server for the com top-level domain. This is where it can confuse people, so let's take a step back.

HTTPS REQUESTS AND RESPONSES

When we access a website, your browser will need to make requests to a web server for assets such as HTML and images, and download the responses. Before that, you need to tell the browser specifically how and where to access these resources; this is where URLs help. (this section is added from other sites)

Note: A URL is predominantly an instruction on how to access a resource on the internet.

MAKING A REQUEST

It is possible to make a request to a web server with just one line: "GET / HTTP/1.1". But for a much richer web experience, you will need to send other data as well. This other data is sent in what are called headers.

HTTP Request Methods

The HTTP request method defines what action will be performed on the identified resource. The most commonly used HTTP methods are GET, POST, PUT, DELETE and PATCH, which correspond to the read, create, update and delete (CRUD) operations respectively. Idempotency and safety are properties of HTTP methods. Safe methods can only be used for read-only operations, since they do not alter the server state. Using GET or HEAD on a resource URL, for example, should never change the resource. The safe methods are GET, HEAD, TRACE and OPTIONS.
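Returning to the DNS lookup chain above (laptop cache, home router cache, ISP resolver, then root, TLD and authoritative servers): the following added example, which is not code from the notes or the sites they draw on, simulates that chain with TTL-limited caches. The zone data uses the reserved example.com name and the 198.51.100.0/24 documentation range, and the server names are constructed; it also follows a CNAME, as the record-type notes describe.

```python
class Clock:
    """Constructed clock so TTL expiry can be driven deterministically."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds

class DnsCache:
    """A cache entry lives until its TTL runs out; expired entries are dropped on lookup."""
    def __init__(self, clock):
        self.clock, self.entries = clock, {}

    def get(self, key):
        hit = self.entries.get(key)
        if hit is None:
            return None
        answer, expires = hit
        remaining = expires - self.clock.now
        if remaining <= 0:
            del self.entries[key]
            return None
        return answer, remaining

    def put(self, key, answer, ttl):
        self.entries[key] = (answer, self.clock.now + ttl)

# Constructed zone data: (name, record type) -> (answer, TTL in seconds)
ROOT = {"com": "tld-com"}                          # root: which server holds each TLD
TLD = {"tld-com": {"example.com": "ns-example"}}   # TLD: which server is authoritative
AUTH = {"ns-example": {
    ("www.example.com", "A"): ("198.51.100.10", 300),
    ("store.example.com", "CNAME"): ("www.example.com", 300),
    ("example.com", "MX"): ("mail.example.com", 3600),
}}

class Resolver:
    """ISP-style recursive resolver: answers from cache, otherwise walks root -> TLD ->
    authoritative (steps 2-7 of the lookup above) and records every query it sends."""
    def __init__(self, clock):
        self.cache, self.queries = DnsCache(clock), []

    def resolve(self, name, rtype="A"):
        key = (name, rtype)
        hit = self.cache.get(key)
        if hit:
            return hit[0], hit[1], "cache"
        tld = name.rsplit(".", 1)[-1]
        self.queries.append(("root", tld))
        tld_server = ROOT[tld]
        zone = ".".join(name.split(".")[-2:])
        self.queries.append((tld_server, zone))
        auth_server = TLD[tld_server][zone]
        self.queries.append((auth_server, name, rtype))
        records = AUTH[auth_server]
        if key in records:
            answer, ttl = records[key]
        elif (name, "CNAME") in records:            # alias: resolve the target instead
            alias, alias_ttl = records[(name, "CNAME")]
            answer, target_ttl, _ = self.resolve(alias, rtype)
            if answer is None:
                return None, 0, "nxdomain"
            ttl = min(alias_ttl, target_ttl)
        else:
            return None, 0, "nxdomain"
        self.cache.put(key, answer, ttl)
        return answer, ttl, "authoritative"

def lookup(name, laptop, router, isp, rtype="A"):
    """The chain from the notes: laptop cache, then home router cache, then the ISP.
    Downstream caches keep the answer only for the TTL that is still left on it."""
    key = (name, rtype)
    for hop, cache in (("laptop", laptop), ("router", router)):
        hit = cache.get(key)
        if hit:
            return hit[0], hop
    answer, ttl, source = isp.resolve(name, rtype)
    if answer is not None:
        router.put(key, answer, ttl)
        laptop.put(key, answer, ttl)
    return answer, "isp-" + source

if __name__ == "__main__":
    clock = Clock()
    laptop, router, isp = DnsCache(clock), DnsCache(clock), Resolver(clock)
    print(lookup("www.example.com", laptop, router, isp))   # full walk; see isp.queries
    print(lookup("www.example.com", laptop, router, isp))   # answered from the laptop cache
    clock.advance(300)                                       # TTL elapsed: walk again
    print(lookup("www.example.com", laptop, router, isp))
    print(lookup("store.example.com", laptop, router, isp))  # CNAME followed to the A record
```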
Idempotent methods can be sent to the server multiple times as identical requests and the outcome will always be the same; it does not matter how many times the request is sent. This does not mean, however, that the server has to respond in the same way to each request. For example, if we want to delete a resource we send a DELETE request. The first time, the server returns a response saying that the file has been deleted. If you send the same request again, the server will respond that the file has already been deleted. Here we have two different responses, but the second request did not alter the server state. In this case, the DELETE operation is idempotent. The following HTTP methods are idempotent: GET, HEAD, OPTIONS, TRACE, PUT and DELETE. All safe HTTP methods are idempotent. PUT and DELETE are idempotent but not safe. You can see all methods and their function in the graphic below.

The main HTTP methods corresponding to the CRUD operations are POST, GET, PUT/PATCH and DELETE.

The GET method retrieves a specified resource (a list or a single resource). If there are no errors, the method returns a representation of the resource in XML or JSON. GET is used to download a web page, CSS file, script, document or other resource from a website. For example, a web page's content (fonts, images, etc.) is loaded using HTTP GET requests. This does not modify the state on the server side; it only 'reads' it.

The POST method modifies the state of the server, since it creates new resources. For example, when you log in to a website, the login sends your credentials to the server using a POST request.

DELETE is used to delete (or remove) an existing resource. An example of an HTTP DELETE request is deleting an item from the shopping cart in an e-commerce web application.

The PATCH method updates an existing resource partially. It is used to modify a field of a given object.
An example is an HTTP PATCH request for updating the quantity of an order item in the shopping cart in an e-commerce web application.

The HTTP HEAD method retrieves the resource's headers, without the resource itself. HEAD is used rarely, for example to check for modifications on the server side.

HTTP Response Structure

After receiving and interpreting a request message, the server sends an HTTP response message. You can see an example below. The response message gives information on whether our request has been successfully executed or has failed. It consists of a status line, response headers and a response body.

The HTTP response status line starts with the protocol version, followed by the response status code, followed by a human-readable text explanation of the status code. The status code tells the client whether the requested operation was successful or not. It is a three-digit integer whose first digit defines the response class. The status code classes are:
- Informational responses (100–199)
- Successful responses (200–299)
- Redirection messages (300–399)
- Client error responses (400–499)
- Server error responses (500–599)
You can check the graphic below to see the most common status codes.

After the HTTP status line come the HTTP response headers, which provide metadata for the returned resource (or the returned error), such as the content encoding, the content size in bytes, the content's last-modified date and many others. After the response headers and the empty-line separator comes the HTTP response body. This is the requested resource, which can be text or binary data, or it can be empty. In the example we used above, the web server returns a CSS script for styling a navigation bar.

Content-Type and Disposition Headers

HTTP headers play an important role in modern web development. The "Content-Type" and "Content-Disposition" headers specify how to process the data in the HTTP request or HTTP response body.
These headers can be used both in the HTTP requests and in the HTTP responses. In the HTTP requests, the “Content-Type” header specifies what kind of data the client sends to the server, for example, a JSON document or URL-encoded form data or a plain-text document or a JPEG image. In the HTTP responses, the “Content-Type” header specifies what kind of data the server returns to the client, for example an HTML document or a JPEG image. For example, the header “Content-Type: application/json” specifies a JSON-encoded data (a JSON object). By default, the UTF-8 encoding is used. The “Content-Type: text/html; charset=utf-8” specifies an HTML document with UTF-8 encoding. Note that the encoding (or the charset) specified in the HTTP headers has a higher priority than the encoding specified in the header of the HTML document (using the “meta charset” HTML tag). What is a Web Server? A web server is a computer system or software that hosts and delivers web pages, files, and related content to clients over the internet, typically via the Hypertext Transfer Protocol (HTTP) or its secure version HTTPS. One example of web server software is Apache HTTP Server. Apache web server supports multiple operating systems and is often used to host and deliver websites and web applications, which are built using a web application architecture. A web server acts as a central hub that processes requests from web browsers and serves the requested content back to the clients. They play a crucial role in enabling the availability and accessibility of websites and web applications. What are the Components of a Web Server? The components of a web server include: HTTP Server: This component handles incoming HTTP requests from clients and manages the communication between the client and the server. It interprets the client’s request and formulates the appropriate response. 
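As an added example (not from the notes), the Python below parses a constructed HTTP response into the three parts described above (status line, headers, body), maps the status code to its class, and applies the charset rule from the Content-Type section: the header's charset beats the document's meta charset. The response bytes are constructed for the demonstration.

```python
"""Parse an HTTP/1.1 response, classify its status code and work out the effective
charset. Added example, not from the TryHackMe notes; the response bytes are constructed."""
import re

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client error", 5: "Server error"}

# Constructed body whose <meta charset> deliberately disagrees with the header.
SAMPLE_BODY = (b'<html><head><meta charset="iso-8859-1"></head>'
               b"<body><nav>menu</nav></body></html>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
                   + SAMPLE_BODY)

def parse_response(raw):
    """Return (version, status code, reason phrase, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")        # empty line separates headers from body
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)    # status line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):                         # framing error: do not trust the body
        raise ValueError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    return version, int(code), reason, headers, body

def status_class(code):
    """The first digit of the three-digit status code selects the response class."""
    return STATUS_CLASSES.get(code // 100, "Unknown")

def content_type(headers):
    """Return (media type, charset) from Content-Type; charset is None if not given."""
    media, *params = [p.strip() for p in headers.get("content-type", "").split(";")]
    charsets = [p.split("=", 1)[1].strip().strip('"').lower()
                for p in params if p.lower().startswith("charset=")]
    return media.lower(), (charsets[0] if charsets else None)

def effective_charset(headers, body):
    """Header charset wins; <meta charset> is consulted only when the header has none."""
    charset = content_type(headers)[1]
    if charset:
        return charset
    match = re.search(rb'<meta\s+charset=["\']?([\w-]+)', body, re.I)
    return match.group(1).decode().lower() if match else "utf-8"   # UTF-8 is the default
```

Calling parse_response(SAMPLE_RESPONSE) and then effective_charset on its headers and body returns "utf-8"; dropping the charset parameter from the header makes the same body resolve to "iso-8859-1".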
TCP/IP: The Transmission Control Protocol/Internet Protocol (TCP/IP) is the underlying protocol suite used for communication over the Internet. It enables the exchange of data packets between the client and the server, ensuring reliable delivery.

File System: The web server has a file system where it stores the web content, including HTML files, images, scripts, and other files. The file system allows the server to locate and serve the requested files to the clients.

Web Server Software: The web server software, such as Apache, Nginx, or Microsoft IIS, is responsible for handling incoming requests, processing them, and delivering the appropriate response back to the clients. It acts as the engine that powers the web server’s functionality.

Application Server Integration: In some cases, the web server interacts with an application server to process dynamic content and execute the application’s business logic. This interaction enables the generation of dynamic responses based on user input, data processing, or interaction with external systems. Since the application server is a key component in such deployments, it is worth knowing how an application server is built and how it works.

Security Mechanisms: Web servers often implement security measures to protect the server and the data being transmitted. This includes features like SSL/TLS encryption, which ensures the confidentiality and integrity of the communication between the server and the clients.

Logging and Monitoring: Web servers typically have logging and monitoring capabilities to track and record important events, such as client requests, server errors, and resource usage. These logs provide valuable insights for troubleshooting, analysis, and performance optimization.

Caching and Load Balancing: Most web servers offer caching capabilities to store and serve frequently accessed content more efficiently, reducing the load on the server. Load balancing features distribute incoming traffic across multiple servers to ensure optimal resource utilization and improve scalability.

These components work together to enable the web server’s functionality. A dynamic web server generates and serves dynamic content and interacts with databases or other data sources. A static web server, on the other hand, holds pre-existing HTML files and serves requested static content without any additional processing. Both types of server receive and process client requests and deliver the requested content promptly.

What are the Types of Web Server?

Traditional Web Servers: These dedicated servers handle HTTP requests and serve web content. Examples include Apache HTTP Server, Nginx, LiteSpeed, and Cherokee.

Application Servers: Designed for hosting web applications and executing server-side code. Examples are Microsoft Internet Information Services (IIS) for .NET apps and Apache Tomcat for Java apps.

Reverse Proxy Servers: Some traditional web servers, like Nginx and Apache, also serve as intermediaries between clients and application servers, enhancing security, load balancing, and performance.

Specialized Servers: Servers like Node.js and CherryPy have specific purposes. Node.js runs JavaScript on the server side, while CherryPy acts as a server for Python applications.

How Does a Web Server Work?

A web server operates on a client-server model: the client (usually a web browser) sends a request to the server for a specific web resource, such as a web page or a file. The server processes the request and responds with the requested content, which is displayed in the client’s browser.

Here’s a breakdown of the process:

Client Sends a Request: The client, which can be a web browser, sends an HTTP request to the web server. The request includes information such as the requested URL, request method (e.g., GET, POST), headers, and optional data.

Web Server Receives the Request: The web server, listening on a specific port (usually port 80 for HTTP and port 443 for HTTPS), receives the incoming request from the client. It examines the request to determine the action it needs to take.

Processing the Request: The web server processes the client’s request based on the configuration and logic defined in its settings. This may involve locating the requested resource, retrieving data from databases or other sources, and performing any necessary operations or computations.

Generating the Response: Once the request has been processed, the web server generates an appropriate response. This means constructing an HTTP response message that contains the requested content, status code, headers, and any additional data.

Sending the Response: The web server sends the response back to the client over the network. The response typically includes the requested web page, file, or other resource, along with the appropriate HTTP status code and headers.

Client Receives and Renders the Response: The client (web browser) receives the response from the web server. It interprets the response, rendering the web page or handling the requested resource as its capabilities allow. The client may also send further requests for additional resources embedded in the page, such as images, scripts, or stylesheets.

This client-server interaction happens continuously as users navigate through websites and interact with web applications. Web servers, both dynamic and static, play a crucial role in handling and responding to client requests for various web resources.
They ensure the timely and accurate delivery of the requested web pages to users, enabling a seamless browsing experience. Database servers, in collaboration with web servers and application servers, store, process, and retrieve data, making them an essential component of many web applications. To learn more, look at the definition of a database server and how it works together with a web server.

Web servers, both in terms of software and hardware, are the backbone of the Internet, facilitating the accessibility and availability of online resources. The web server software controls the processing and delivery of web content, while the web server hardware provides the necessary computing power and infrastructure to support the server’s operations.

Note: a web server delivers files from its root directory.
Nginx and Apache share the same default location, /var/www/html, on Linux.
IIS uses C:\inetpub\wwwroot on Windows.

Introduction to Virtual Host

In its early days, virtual hosting meant hosting more than one website (e.g., website1.example.com, website2.example.com, etc.) on a single machine. That also means sharing that machine’s resources, such as memory and CPU; the resources are shared and utilized so that maximum efficiency is achieved. With the arrival of cloud computing, virtual hosting now serves more purposes than ever, with solutions like virtual application hosting, virtual server hosting, virtual storage hosting, and sometimes hosting of a virtual (entire) data center.

Working of a Virtual Host

There are many ways to configure a virtual host; the ways most used today are:

IP based
Port based
Name based

WINDOWS FUNDAMENTALS

This poster is from SANS: WINDOWS LEGITIMATE PROCESSES

Process Hacker is a free and open source tool. It helps to monitor all processes running in the Windows operating system.
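Added example, not from the notes: the Note above (a server delivers files from its root directory, with the Nginx/Apache default root) and name-based virtual hosting, put together in Python. The Host-to-document-root mapping and the sample paths are constructed assumptions; the confinement check is the one a server must do so that no request path resolves outside the chosen root.

```python
"""Name-based virtual hosting plus document-root confinement, as an added example
(not from the notes). The Host-to-root mapping and the paths are constructed."""
import os

# Name-based virtual hosts: several sites share one IP and port and the Host
# header selects the site. Site roots are constructed; the default is the
# Nginx/Apache default root named in the notes.
VHOSTS = {
    "website1.example.com": "/var/www/website1",
    "website2.example.com": "/var/www/website2",
}
DEFAULT_ROOT = "/var/www/html"

def select_root(host_header, vhosts=VHOSTS, default=DEFAULT_ROOT):
    """Pick the document root for a Host header (port and letter case are ignored)."""
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return vhosts.get(host, default)

def resolve(root, request_path):
    """Map a URL path to a file under root; return None if it would leave root.

    A web server delivers files from its root directory, so after '..' segments
    and symlinks are resolved the path must still lie inside that directory.
    """
    rel = request_path.split("?", 1)[0].lstrip("/") or "index.html"
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None                     # would escape the document root: refuse
    return candidate

def route(host_header, request_path):
    """Both steps: choose the virtual host by name, then confine to its root."""
    return resolve(select_root(host_header), request_path)
```

route("website1.example.com:443", "/css/nav.css") yields a file under /var/www/website1, while an unknown Host falls back to the default root.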
wininit.exe (Windows initialization process)
responsible for starting these processes:
  services.exe (Service Control Manager)
  lsass.exe (Local Security Authority process)
  lsm.exe (Local Session Manager)
located under the C:\Windows\System32 folder
runs with the privileges of the most authorized user (NT AUTHORITY\SYSTEM)

SERVICES.exe

SERVICES.exe is responsible for initiating services and for starting, stopping and suspending service activities. The Service Control Manager’s task is loading services and drivers into memory. It is the parent process of svchost.exe, dllhost.exe, taskhost.exe and spoolsv.exe. Its registry path is HKLM\SYSTEM\CurrentControlSet\Services.

Note: its path is “%SystemRoot%\System32\services.exe”. SERVICES.exe has only one instance in a process tree. Its SID is NT AUTHORITY\SYSTEM (S-1-5-18).

System process

Parent process: None (the System process is created by the Windows kernel at boot time)
Spawned processes: The System process launches the Session Manager Subsystem (smss.exe).
Start time: The System process is started at boot time, before any other user-mode processes.
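As an added example (not from the notes or from Process Hacker), a Python check that audits a process snapshot against the expectations recorded above: services.exe has exactly one instance, is started by wininit.exe, lives under System32 and runs as NT AUTHORITY\SYSTEM; smss.exe is launched by System; svchost.exe is a child of services.exe. The snapshot, its PIDs and the look-alike entry are constructed; a real snapshot would come from Process Hacker or a WMI query.

```python
"""Check a process snapshot against the expectations in the notes: services.exe has a
single instance, is started by wininit.exe, lives in System32 and runs as SYSTEM.
Added example, not from the notes or Process Hacker; the snapshot is constructed."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name path user")

# Expected parent for each process, taken from the notes (names compared
# case-insensitively). PIDs below are constructed, not real values.
EXPECTED_PARENT = {"smss.exe": "System", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
CORE = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe", "lsm.exe"}

SNAPSHOT = [
    Proc(4,    0,    "System",       "",                                  SYSTEM_USER),
    Proc(300,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe",     SYSTEM_USER),
    Proc(500,  300,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",  SYSTEM_USER),
    Proc(600,  500,  "services.exe", r"C:\Windows\System32\services.exe", SYSTEM_USER),
    Proc(620,  500,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    SYSTEM_USER),
    Proc(900,  600,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  SYSTEM_USER),
    # Constructed look-alike: second instance, unknown parent, wrong folder, wrong account.
    Proc(4242, 2100, "services.exe", r"C:\Users\Public\services.exe",     r"LAB\user"),
]

def audit(snapshot):
    """Return a list of (pid, finding) tuples; an empty list means no deviation."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    count = sum(p.name.lower() == "services.exe" for p in snapshot)
    if count != 1:
        findings.append((None, "services.exe should have exactly one instance, found %d" % count))
    for p in snapshot:
        name = p.name.lower()
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            parent_name = parent.name if parent else "<missing>"
            if parent_name.lower() != EXPECTED_PARENT[name].lower():
                findings.append((p.pid, "%s parent is %s, expected %s"
                                 % (p.name, parent_name, EXPECTED_PARENT[name])))
        if name in CORE:
            if not p.path.lower().startswith(SYSTEM32):
                findings.append((p.pid, "%s runs from %s, expected System32" % (p.name, p.path)))
            if p.user != SYSTEM_USER:
                findings.append((p.pid, "%s runs as %s, expected %s" % (p.name, p.user, SYSTEM_USER)))
    return findings
```

audit(SNAPSHOT[:-1]) returns an empty list for the healthy tree; with the look-alike included it reports four findings, all tied to PID 4242 or to the instance count.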