Protocols and Servers TryHackMe

Overview

This room explains how several common application protocols work at a practical level: Telnet, HTTP, FTP, SMTP, POP3, and IMAP. The focus is understanding what these services do, how a client talks to them, and why cleartext protocols are risky from a security perspective.

Core idea: if you understand how a protocol normally behaves, you can recognize weak defaults, insecure usage, and useful enumeration opportunities much faster.

1) Telnet

Telnet is an application-layer protocol for remote terminal access over TCP port 23.

Used for remote console access and administration.
Prompts for username and password, then provides a shell.
All traffic is sent in cleartext.

telnet MACHINE_IP

Security problem: anyone who can capture the traffic can recover usernames, passwords, and session content. SSH replaced Telnet for secure remote administration.

2) HTTP

HTTP is the protocol behind the web. Browsers use it to request pages, images, scripts, and submit forms. By default it listens on TCP port 80.

telnet MACHINE_IP 80
GET / HTTP/1.1
host: telnet

This can reveal useful server information such as:

Server: nginx/1.18.0 (Ubuntu)

PT1 relevance: this is basic banner grabbing and protocol interaction. HTTP is cleartext unless TLS is added, in which case it becomes HTTPS on port 443.

3) FTP

FTP is used for file transfer and listens on TCP port 21 for its control connection.

Control channel: commands like USER, PASS, LIST, RETR.
Data channel: separate connection used for actual file transfer.
Modes: active and passive.

telnet MACHINE_IP 21
USER frank
PASS password

Security problem: credentials and traffic are cleartext. This makes FTP easy to sniff and a common source of weak authentication exposure.

4) SMTP

SMTP is used to send email between clients and mail servers or between mail servers themselves. It usually listens on TCP port 25.

telnet MACHINE_IP 25
helo telnet
mail from:
rcpt to:
data

SMTP is used by:

MSA: Mail Submission Agent
MTA: Mail Transfer Agent

Practical value: SMTP banners and supported commands can reveal hostnames, mail software, TLS support, and occasionally user-enumeration opportunities depending on configuration.

5) POP3

POP3 is used by mail clients to download messages from a Mail Delivery Agent and usually listens on TCP port 110.

telnet MACHINE_IP 110
USER frank
PASS password
STAT
LIST
RETR 1

Simple protocol for retrieving mail.
Messages are commonly downloaded and optionally removed from the server.
Not ideal when the same mailbox is accessed from multiple devices.

Security problem: POP3 in this form is cleartext, so login credentials and message content can be exposed in transit.

6) IMAP

IMAP is a more advanced mail retrieval protocol than POP3 and usually listens on TCP port 143.

telnet MACHINE_IP 143
c1 LOGIN frank password
c2 LIST "" "*"
c3 EXAMINE INBOX

Keeps mail synchronized across multiple devices.
Tracks read/unread state and folder structure on the server.
More practical for modern multi-device usage than POP3.

Security problem: like the others in this room, baseline IMAP traffic here is shown in cleartext. That means credentials and mailbox commands are visible to packet capture.

7) Why These Protocols Matter

These services matter in security work because they are common, easy to fingerprint, and often reveal useful operational details.

Service banners reveal software and versions.
Cleartext protocols expose credentials if traffic is captured.
Protocol behavior reveals authentication flow and access patterns.
Knowing the default ports speeds up both scanning and interpretation.

Default Ports Cheat Sheet

Telnet  23/tcp
FTP     21/tcp
SMTP    25/tcp
HTTP    80/tcp
POP3    110/tcp
IMAP    143/tcp

Exam Notes (PT1)

Telnet, FTP, SMTP, POP3, and IMAP are shown here in cleartext form, which is the main security takeaway.
HTTP is also cleartext unless wrapped in TLS as HTTPS.
You should know the default TCP ports for these common services.
Simple manual interaction with Telnet or Netcat is often enough to grab banners and understand protocol flow.
Understanding client-server workflow helps you interpret what Nmap and banner grabbing are actually telling you.