Network Protocols Explained (ESP)

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Multicast DNS (mDNS)

The mDNS protocol is designed for IP address resolution within small, local networks without a dedicated name server. It operates by multicasting a query within the subnet, prompting the host with the specified name to respond with its IP address. All devices in the subnet can then update their mDNS caches with this information.

Key points to note:

  • Domain Name Relinquishment: A host can release its domain name by sending a packet with a TTL of zero.

  • Usage Restriction: mDNS typically resolves names ending in .local only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments.

  • Networking Details:

    • Ethernet multicast MAC addresses: IPv4 - 01:00:5E:00:00:FB, IPv6 - 33:33:00:00:00:FB.

    • IP addresses: IPv4 -, IPv6 - ff02::fb.

    • Operates over UDP port 5353.

    • mDNS queries are confined to the local network and do not cross routers.

DNS-SD (Service Discovery)

DNS-SD is a protocol for discovering services on a network by querying specific domain names (e.g., _printers._tcp.local). A response includes all related domains, such as available printers in this case. A comprehensive list of service types can be found here.

SSDP (Simple Service Discovery Protocol)

SSDP facilitates the discovery of network services and is primarily utilized by UPnP. It's a text-based protocol using UDP over port 1900, with multicast addressing. For IPv4, the designated multicast address is SSDP's foundation is HTTPU, an extension of HTTP for UDP.

Web Service for Devices (WSD)

Devices connected to a network can identify available services, like printers, through the Web Service for Devices (WSD). This involves broadcasting UDP packets. Devices seeking services send requests, while service providers announce their offerings.

OAuth 2.0

OAuth 2.0 is a protocol facilitating secure, selective sharing of user information between services. For instance, it enables services to access user data from Google without multiple logins. The process involves user authentication, authorization by the user, and token generation by Google, allowing service access to the specified user data.


RADIUS (Remote Authentication Dial-In User Service) is a network access protocol primarily used by ISPs. It supports authentication, authorization, and accounting. User credentials are verified by a RADIUS server, potentially including network address verification for added security. Post-authentication, users receive network access and their session details are tracked for billing and statistical purposes.


SMB (Server Message Block)

SMB is a protocol for sharing files, printers, and ports. It operates directly over TCP (port 445) or via NetBIOS over TCP (ports 137, 138). This dual compatibility enhances connectivity with various devices.

NetBIOS (Network Basic Input/Output System)

NetBIOS manages network sessions and connections for resource sharing. It supports unique names for devices and group names for multiple devices, enabling targeted or broadcast messaging. Communication can be connectionless (no acknowledgment) or connection-oriented (session-based). While NetBIOS traditionally operates over protocols like IPC/IPX, it's commonly used over TCP/IP. NetBEUI, an associated protocol, is known for its speed but was also quite verbose due to broadcasting.

LDAP (Lightweight Directory Access Protocol)

LDAP is a protocol enabling the management and access of directory information over TCP/IP. It supports various operations for querying and modifying directory information. Predominantly, it's utilized for accessing and maintaining distributed directory information services, allowing interaction with databases designed for LDAP communication.

Active Directory (AD)

Active Directory is a network-accessible database containing objects like users, groups, privileges, and resources, facilitating centralized management of network entities. AD organizes its data into a hierarchical structure of domains, which can encompass servers, groups, and users. Subdomains allow further segmentation, each potentially maintaining its own server and user base. This structure centralizes user management, granting or restricting access to network resources. Queries can be made to retrieve specific information, like contact details, or to locate resources, like printers, within the domain.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated