Protocols and Servers 2

Overview

This room shifts from how protocols work to how they get attacked and protected. The focus is on sniffing, man-in-the-middle attacks, TLS, SSH, and password attacks with Hydra, all framed through the CIA triad and real protocol weaknesses.

Core idea: once you understand which protocols transmit in cleartext and how authentication works, the natural next step is understanding disclosure, alteration, and how encryption changes the picture.

1) CIA vs DAD

The room maps defensive goals (CIA) to what an attacker wants to achieve (DAD):

  Confidentiality  ->  Disclosure
  Integrity        ->  Alteration
  Availability     ->  Destruction (denial of access)

From an attacker perspective, this often becomes: read what you are not supposed to see, change what the two ends believe they exchanged, or make the service unusable.

Examples: sniffing attacks break confidentiality, MITM attacks break integrity, and DoS-style attacks threaten availability.

2) Sniffing Attacks

A sniffing attack captures traffic traveling across the network. If the protocol uses cleartext, credentials and content can be read straight out of the packet payload; no cracking is needed. Capturing requires a vantage point on the path (a shared segment, a mirrored switch port, a compromised host) and usually root privileges.

sudo tcpdump port 110 -A

-A prints the payload as ASCII, which is what you want for a text protocol like POP3. Add -i <interface> to pick the capture interface, and -w capture.pcap to keep the raw packets for Wireshark.

Example result: credentials like USER frank and PASS D2xc9CgD are visible in captured POP3 traffic because the session is unencrypted.
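What a sniffer actually does with a capture, as an added example (not from the room or these notes): parse the ASCII payload of a session the way tcpdump -A prints it and pull out the login exchange for the cleartext protocols in the cheat sheet. It goes beyond the POP3 case in the notes to FTP USER/PASS, IMAP LOGIN and SMTP AUTH PLAIN. The four sessions are constructed; only the POP3 one reuses the frank / D2xc9CgD pair from the room, and the mark / Winter2022 pair is invented.

```python
"""Pull login credentials out of captured cleartext sessions.

Added example, not from the room or the original notes. Input is the ASCII
payload of a session as `tcpdump -A` prints it. The sessions below are
constructed; only frank / D2xc9CgD comes from the room.
"""
import base64
import re

# --- constructed sample sessions (client and server lines interleaved) ---
POP3_SESSION = (
    "+OK POP3 server ready\r\n"
    "USER frank\r\n"
    "+OK\r\n"
    "PASS D2xc9CgD\r\n"
    "+OK Logged in.\r\n"
)
FTP_SESSION = (
    "220 (vsFTPd)\r\n"
    "USER mark\r\n"
    "331 Please specify the password.\r\n"
    "PASS Winter2022\r\n"
    "230 Login successful.\r\n"
)
IMAP_SESSION = (
    "* OK IMAP4rev1 ready\r\n"
    'a1 LOGIN "frank" "D2xc9CgD"\r\n'
    "a1 OK LOGIN completed\r\n"
)
SMTP_SESSION = (
    "220 mail ESMTP\r\n"
    + "AUTH PLAIN\r\n"
    + "334 \r\n"
    + base64.b64encode(b"\x00mark\x00Winter2022").decode() + "\r\n"
    + "235 Authentication successful\r\n"
)

# Login commands used by each cleartext protocol
USER_RE = re.compile(r"^USER (\S+)$", re.IGNORECASE)          # POP3 and FTP
PASS_RE = re.compile(r"^PASS (.+)$", re.IGNORECASE)
IMAP_LOGIN_RE = re.compile(r'^\S+ LOGIN "?([^"\s]+)"? "?([^"]+?)"?$', re.IGNORECASE)
SMTP_AUTH_RE = re.compile(r"^AUTH PLAIN(?: (\S+))?$", re.IGNORECASE)


def decode_auth_plain(blob: str):
    """AUTH PLAIN is base64 over authzid NUL authcid NUL password, not encryption."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return {"user": parts[1].decode(errors="replace"),
            "password": parts[2].decode(errors="replace")}


def extract_credentials(session: str) -> list[dict]:
    """Return one dict per username/password pair found in the session text."""
    found = []
    lines = session.splitlines()
    pending_user = None
    for i, line in enumerate(lines):
        if m := USER_RE.match(line):
            pending_user = m.group(1)                 # remember it until PASS arrives
        elif (m := PASS_RE.match(line)) and pending_user is not None:
            found.append({"protocol": "POP3/FTP", "user": pending_user, "password": m.group(1)})
            pending_user = None
        elif m := IMAP_LOGIN_RE.match(line):
            found.append({"protocol": "IMAP", "user": m.group(1), "password": m.group(2)})
        elif m := SMTP_AUTH_RE.match(line):
            # Inline form "AUTH PLAIN <blob>", or two-step form where the server
            # answers "334 " and the client sends the blob on its next line.
            blob = m.group(1) or next(
                (l for l in lines[i + 1:i + 3] if not l.startswith("334")), None)
            creds = decode_auth_plain(blob) if blob else None
            if creds:
                found.append({"protocol": "SMTP", **creds})
    return found


if __name__ == "__main__":
    for name, s in [("POP3", POP3_SESSION), ("FTP", FTP_SESSION),
                    ("IMAP", IMAP_SESSION), ("SMTP", SMTP_SESSION)]:
        print(name, extract_credentials(s))
```

The SMTP case is the one people get wrong: AUTH PLAIN looks encoded, but base64 is reversible by anyone, so it is exactly as exposed as POP3's PASS line. On the defensive side the same patterns, run over captures of your own network, are a quick audit for services that still accept cleartext logins.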

3) MITM Attacks

A man-in-the-middle attack happens when the victim thinks they are talking directly to the real destination, while an attacker on the path relays the traffic and can read or change it. Getting onto the path is the hard part (ARP spoofing on a LAN, a rogue access point, a compromised router); once there, everything a sniffer can see, the MITM can also rewrite.

Main impact: MITM is not just about reading data. It is also about altering what each side sees, which directly breaks integrity, and a cleartext protocol has no way to notice.

4) TLS as the Fix

The core mitigation for sniffing and MITM on application protocols is Transport Layer Security (TLS). It adds encryption and integrity protection on top of otherwise cleartext protocols.

Conceptually: the client first establishes TCP, then negotiates TLS, then sends the application protocol across the encrypted channel.

5) TLS Handshake at a High Level

You do not need to memorize every handshake message, but you should understand the flow:

  1. Client says what it supports (protocol versions, cipher suites, the hostname it wants).
  2. Server selects parameters and presents its certificate.
  3. Client verifies the certificate (signed by a CA it trusts, not expired, name matches the host it asked for), then client and server derive shared key material from the key exchange.
  4. Both sides switch to encrypted and integrity-protected communication.

Why certificates matter: they let the client verify it is talking to the real server, which is what prevents straightforward MITM attacks in normal HTTPS usage. An attacker can still sit on the path and relay a TLS connection, but they cannot present a valid certificate for the victim's hostname, so verification fails and the client refuses. The flip side is that a client configured to skip verification, or a user who clicks through a certificate warning, hands the MITM position back.
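The point of sections 3 and 4 in running code, as an added example (not from the room or these notes): a server sends a POP3-style RETR response through an on-path attacker to a client. Unprotected, the attacker's rewrite arrives unnoticed. Protected, each record carries an HMAC-SHA256 tag over the record's sequence number and payload under a session key, so alteration, replay and reordering are rejected. This models only the integrity half of TLS record protection: real TLS derives the key from the handshake and uses an AEAD cipher that also encrypts, and the pre-shared key here is an assumption standing in for that handshake.

```python
"""Why an on-path attacker breaks integrity, and what record integrity buys you.

Added example, not from the room or the original notes. The session key is an
assumption standing in for a TLS handshake; the message is constructed.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 output length


class ProtectedChannel:
    """One direction of a TLS-like record layer: a MAC with an implicit sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The sequence number is MACed but never sent; both sides count records.
        return hmac.new(self.key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = payload + self._tag(self.send_seq, payload)
        self.send_seq += 1
        return record

    def open(self, record: bytes) -> bytes:
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.recv_seq, payload)):
            raise ValueError("record integrity check failed")
        self.recv_seq += 1
        return payload


SERVER_MSG = b"+OK 28 octets\r\nMeet at the bank at 10:00.\r\n.\r\n"  # constructed RETR reply


def passthrough(record: bytes) -> bytes:
    """Attacker that only relays (still reads everything in the cleartext case)."""
    return record


def rewrite(record: bytes) -> bytes:
    """Attacker changing what the client reads; same length so nothing else shifts."""
    return record.replace(b"10:00", b"11:30")


def deliver(attacker, protected: bool) -> dict:
    """Push one server->client record through the attacker; report what the client gets."""
    if not protected:
        received = attacker(SERVER_MSG)
        return {"accepted": True, "altered": received != SERVER_MSG, "payload": received}
    key = os.urandom(32)  # assumption: agreed during the handshake, unknown to the attacker
    server, client = ProtectedChannel(key), ProtectedChannel(key)
    try:
        received = client.open(attacker(server.seal(SERVER_MSG)))
    except ValueError:
        return {"accepted": False, "altered": None, "payload": None}
    return {"accepted": True, "altered": received != SERVER_MSG, "payload": received}


def replay_rejected() -> bool:
    """A captured valid record cannot be fed to the client a second time."""
    key = os.urandom(32)
    server, client = ProtectedChannel(key), ProtectedChannel(key)
    record = server.seal(SERVER_MSG)
    client.open(record)
    try:
        client.open(record)  # same bytes, but the client now expects sequence number 1
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("cleartext + rewrite :", deliver(rewrite, protected=False))
    print("protected + rewrite :", deliver(rewrite, protected=True))
    print("protected + relay   :", deliver(passthrough, protected=True))
    print("replay rejected     :", replay_rejected())
```

Two things to notice. The protected payload is still readable by the attacker here, so sniffing works until encryption is added on top; TLS does both. And the whole scheme rests on the attacker not knowing the key, which is exactly what the certificate check in the handshake protects: a client that skips verification lets the attacker run the handshake with it, and every tag the attacker computes afterwards will verify.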

6) SSH

SSH replaced Telnet as the secure choice for remote administration and also supports secure file transfer.

ssh mark@MACHINE_IP
scp document.txt mark@MACHINE_IP:/home/mark

Practical value: SSH encrypts credentials and terminal activity, and SCP/SFTP provide safer alternatives to plain FTP-style transfer. SSH's counterpart to the TLS certificate is the server host key: the fingerprint prompt on first connection, and the loud warning if it later changes, is the client's only protection against a MITM, so do not accept a changed host key without finding out why it changed.

7) Password Attacks

Password attacks target “something you know” authentication. The room focuses on three common approaches:

  Password guessing: a handful of likely candidates (defaults, company name, season plus year) tried by hand or from a short list.
  Dictionary attack: every entry in a wordlist of real-world passwords, such as rockyou.txt.
  Brute force: every combination of a character set up to some length; complete, but far too slow against a network service.

Reality: dictionary attacks are often the sweet spot because real users pick weak and common passwords far more often than they admit.

8) Hydra

THC Hydra is the room’s main tool for password attacks across many protocols including FTP, POP3, IMAP, SMTP, SSH, and HTTP-related logins.

hydra -l mark -P /usr/share/wordlists/rockyou.txt MACHINE_IP ftp
hydra -l frank -P /usr/share/wordlists/rockyou.txt MACHINE_IP ssh

Useful options:

  -l USER / -L FILE   one username, or a file of usernames
  -p PASS / -P FILE   one password, or a wordlist
  -s PORT             service listening on a non-default port
  -t N                parallel connections per target (keep it low, around 4, for SSH)
  -f                  stop after the first valid username/password pair
  -V                  print every attempt

PT1 use: Hydra is straightforward and effective when you have authorization, a target service, and a realistic wordlist. It is noisy by design: every attempt is a failed login in the target's logs, so expect lockouts and rate limiting on anything hardened.

9) Password Attack Mitigations

Best defense: combine multiple controls instead of relying on one. Strong passwords alone are not enough if there is no rate limiting or MFA; an attacker with rockyou.txt and unlimited attempts will eventually hit a weak account. A practical stack: a password policy that rejects dictionary words, per-source rate limiting, temporary account lockout after repeated failures, MFA, and alerting on bursts of failed logins.
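Sections 7 to 9 side by side, as an added example (not from the room or these notes): a simulated login service stands in for a POP3/FTP/SSH daemon and a dictionary_attack function stands in for Hydra. The same wordlist is run against a service with no controls and against one that layers a per-source rate limit, temporary account lockout, constant-time comparison of a salted hash, and an MFA step. Users, passwords, source addresses and the wordlist are constructed; the real wordlist would be rockyou.txt.

```python
"""Dictionary attack versus layered password-attack mitigations.

Added example, not from the room or the original notes. Everything below
(users, wordlist, source addresses) is constructed; the service uses a
simulated clock so the demo runs in well under a second.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "Summer2023", "D2xc9CgD", "hunter2"]  # constructed stand-in for rockyou.txt
PBKDF2_ROUNDS = 10_000  # kept low so the demo is quick; use far more in production


def make_record(password: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Network login with optional controls. With none set it behaves like an unprotected daemon."""

    def __init__(self, users: dict, *, per_source_limit=None, window=60.0,
                 lockout_after=None, lock_seconds=900.0, require_mfa=False):
        self.users = {u: make_record(p) for u, p in users.items()}
        self.dummy = make_record("")         # hashed for unknown users, so timing is the same
        self.per_source_limit = per_source_limit
        self.window = window
        self.lockout_after = lockout_after
        self.lock_seconds = lock_seconds
        self.require_mfa = require_mfa
        self.now = 0.0                       # simulated clock, one second per attempt
        self.recent = defaultdict(deque)     # source -> attempt timestamps inside the window
        self.failures = defaultdict(int)     # user -> consecutive failures
        self.locked_until = {}               # user -> time the lock expires

    def login(self, source: str, user: str, password: str) -> str:
        self.now += 1.0
        # Control 1: per-source rate limit over a sliding window
        if self.per_source_limit is not None:
            q = self.recent[source]
            while q and self.now - q[0] > self.window:
                q.popleft()
            if len(q) >= self.per_source_limit:
                return "rate_limited"
            q.append(self.now)
        # Control 2: temporary lockout after repeated failures on one account
        if self.now < self.locked_until.get(user, 0.0):
            return "locked"
        salt, digest = self.users.get(user, self.dummy)
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = user in self.users and hmac.compare_digest(guess, digest)  # constant-time compare
        if not ok:
            self.failures[user] += 1
            if self.lockout_after and self.failures[user] >= self.lockout_after:
                self.locked_until[user] = self.now + self.lock_seconds
            return "bad_credentials"
        self.failures[user] = 0
        # Control 3: a correct password alone does not grant access
        return "mfa_required" if self.require_mfa else "ok"


def dictionary_attack(svc: LoginService, user: str, wordlist, sources) -> dict:
    """Try each word once, rotating over source addresses. One source is a plain Hydra run."""
    for i, guess in enumerate(wordlist, 1):
        result = svc.login(sources[(i - 1) % len(sources)], user, guess)
        if result in ("ok", "mfa_required"):
            return {"result": result, "attempts": i, "password": guess}
        if result in ("rate_limited", "locked"):
            return {"result": result, "attempts": i, "password": None}
    return {"result": "exhausted", "attempts": len(wordlist), "password": None}


def run_demo() -> dict:
    users = {"frank": "D2xc9CgD"}  # constructed account, password sits 7th in the wordlist
    one_ip, four_ips = ["10.0.0.5"], ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"]
    return {
        "no_controls": dictionary_attack(LoginService(users), "frank", WORDLIST, one_ip),
        "rate_limit": dictionary_attack(
            LoginService(users, per_source_limit=3), "frank", WORDLIST, one_ip),
        "rate_limit_evaded_then_locked": dictionary_attack(
            LoginService(users, per_source_limit=3, lockout_after=5), "frank", WORDLIST, four_ips),
        "mfa": dictionary_attack(
            LoginService(users, require_mfa=True), "frank", WORDLIST, one_ip),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:32} {outcome}")
```

The third scenario is why the controls are layered: rotating source addresses walks straight past a per-source limit, and the account lockout is what stops it. Lockout alone is a denial-of-service lever (anyone can lock frank out by failing five times), which is why it is temporary and combined with rate limiting and MFA rather than used on its own. In the last scenario the dictionary attack does find the password, and still gets nothing.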

Default Ports Cheat Sheet

FTP     21/tcp   cleartext
FTPS    990/tcp  encrypted
HTTP    80/tcp   cleartext
HTTPS   443/tcp  encrypted
IMAP    143/tcp  cleartext
IMAPS   993/tcp  encrypted
POP3    110/tcp  cleartext
POP3S   995/tcp  encrypted
SFTP    22/tcp   encrypted
SSH     22/tcp   encrypted
SMTP    25/tcp   cleartext
SMTPS   465/tcp  encrypted
Telnet  23/tcp   cleartext

Exam Notes (PT1)