Lesson Notes

Intro to Networks

Module 2: Networking Basics. Pure theory—networks and CIA triad, OSI 7-layer model, TCP/IP stack, IP addressing and subnetting, ARP/DNS/ICMP, topologies and devices, attack surface and pentest mindset. Essential for MITM, scanning, and threat modeling.

Module 2: Intro to Networks — Comprehensive Theoretical Guide

This lesson is a beginner-friendly, pure-theory deep dive (no labs or commands), written for authorized cybersecurity professionals who want to master network foundations before pentesting. These concepts are essential for understanding MITM, scanning, and threat modeling. Builds on prior lessons (CIA, MITM, passwords/MFA/encryption).

1. Core Concepts: What Is a Network?

A network is a collection of interconnected devices—computers, servers, routers, phones, IoT—that communicate to share resources, data, and services. Your home Wi-Fi, the office LAN, and the internet are all networks. Networks enable the internet and cloud services but also introduce attack surfaces: an attacker can intercept traffic (MITM), spoof identities (ARP, DNS), or flood links (DDoS). Understanding how data moves and how layers interact lets you spot where confidentiality, integrity, or availability are at risk.

CIA Triad in Networking

Confidentiality: Data in transit must be protected from eavesdropping. Encryption (e.g. TLS) ensures only the endpoints can read it. Access control (firewalls, VLANs) limits who can reach which segments. The threat: MITM sniffing on unencrypted or weakly protected links.

Integrity: Data must not be altered in transit or by unauthorized devices. Checksums and cryptographic hashes detect tampering. ACLs and proper routing protect against unauthorized changes. The threat: ARP or DNS poisoning can redirect or alter traffic.

Availability: Services and links must be reachable when needed. QoS and bandwidth management help; redundancy (backup paths, load balancing) improves resilience. The threat: DDoS floods can saturate links or servers.

Real-world impact: A large share of breaches exploit network misconfigurations or weak perimeter controls (e.g. Verizon DBIR). Understanding layers and addressing helps you spot vulnerabilities ethically.

2. OSI Model: The Seven-Layer Framework

The OSI (Open Systems Interconnection) model is a conceptual framework that divides network communication into seven abstraction layers. Each layer has a specific function; attacks often target one layer or the interaction between layers. Data flows down the stack when sending (each layer adds its header or processing) and up when receiving (each layer strips its part and passes the rest up).

Layer 7 — Application

The top layer: user-facing services and applications. Protocols include HTTP/HTTPS (web), DNS (name resolution), SMTP (email), and FTP. This is where users interact—clicking a link, sending an email. Common attacks: cross-site scripting (XSS), phishing, insecure APIs, and application-level injection. Security here means secure coding, input validation, and using encrypted protocols (HTTPS, not HTTP).

Layer 6 — Presentation

Data formatting, encoding, and encryption. This layer translates between application data and a form suitable for transmission (e.g. character encoding, compression, TLS/SSL encryption). JPEG, SSL/TLS (in its presentation role), and serialization formats live here. Attacks include MIME sniffing exploits and protocol downgrade if encryption is negotiated at this layer. TLS properly implemented protects the payload that lower layers carry.

Layer 5 — Session

Session management: establishing, maintaining, and tearing down sessions between applications. Examples: RPC (Remote Procedure Call), NetBIOS. Sessions keep state so that a series of exchanges is treated as one logical conversation. Session hijacking attacks steal or reuse session identifiers (e.g. cookies) so the attacker can impersonate the user without the password. Defenses include secure session tokens, short timeouts, and binding sessions to IP or other factors.

Layer 4 — Transport

End-to-end reliability and delivery. TCP (Transmission Control Protocol) is connection-oriented: handshake, sequence numbers, acknowledgments, retransmission. UDP (User Datagram Protocol) is connectionless and fast, with no guarantee of delivery. TCP is used for web (HTTP/HTTPS), email, and file transfer; UDP for DNS, streaming, and real-time traffic. Attacks: SYN floods (exhaust server with half-open TCP connections), port scanning (discovering open services), and UDP amplification in DDoS. Ports (0–65535) identify which application on a host should receive the data.

Layer 3 — Network

Logical addressing and routing. IP (IPv4 and IPv6) assigns addresses to devices; routers forward packets based on the destination IP. ICMP is used for diagnostics (e.g. ping). This layer is where the “path” across the internet is determined. Attacks: IP spoofing (forging source IP), routing attacks (BGP hijacking, rogue routes), and fragmentation abuse. Understanding IP and routing is essential for threat modeling and for tools that do ping sweeps or traceroute.

Layer 2 — Data Link

Physical (hardware) addressing and local delivery. Ethernet and Wi-Fi operate here. MAC (Media Access Control) addresses identify network interfaces on the local segment. ARP (Address Resolution Protocol) maps IP addresses to MAC addresses so that a packet can be put in an Ethernet frame and sent to the right device on the LAN. Attacks: ARP poisoning (sending fake IP–MAC mappings so traffic flows through the attacker), MAC flooding (overwhelming a switch’s MAC table). These are the classic MITM enablers at the local network level.

Layer 1 — Physical

The actual transmission of bits over a medium—copper cable, fiber, or radio (Wi-Fi). Signals are sent and received; this is where wiretapping (tapping the cable) or jamming (disrupting wireless signals) would occur. Encryption and higher-layer defenses protect data so that even if the physical layer is intercepted, the content is unreadable.

Data Flow: Encapsulation and Decapsulation

When sending, data starts at the application layer and moves down. Each layer adds its own header (and sometimes trailer): application data is wrapped by presentation/session logic, then by a TCP or UDP segment (Layer 4), then by an IP packet (Layer 3), then by an Ethernet frame (Layer 2), and finally sent as bits on the wire (Layer 1). On receipt, the process reverses: each layer strips its header and passes the payload up. This encapsulation is why we speak of “packets” at Layer 3 and “frames” at Layer 2; understanding this helps you interpret captures and see where crypto (e.g. TLS) fits in.
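The encapsulation described above, carried out on real bytes. This is an added example, not part of the lesson: it builds a UDP segment, wraps it in an IPv4 packet (with the RFC 791 header checksum) and then an Ethernet frame, and then decapsulates the frame layer by layer the way a receiver would, rejecting a packet whose header checksum no longer verifies. The MAC addresses, IPs and ports are constructed values.

```python
import struct

# Constructed sample values (not from the lesson): MACs, IPs and ports are made up.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.168.1.100", "192.168.1.1"
ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def encapsulate(payload: bytes, sport: int, dport: int) -> bytes:
    """Wrap application data: UDP segment (L4) -> IPv4 packet (L3) -> Ethernet frame (L2)."""
    # UDP header: src port, dst port, length, checksum (0 = not computed, allowed over IPv4)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # IPv4 header: ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, PROTO_UDP, 0,
                     ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Ethernet header: dst MAC, src MAC, EtherType; the bits on the wire (L1) would follow
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

def decapsulate(frame: bytes) -> dict:
    """Strip each header on the way up, checking the fields a receiver would check."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
    if ipv4_checksum(ip[:ihl]) != 0:            # sum over a valid header incl. checksum is 0
        raise ValueError("IPv4 header checksum mismatch")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "sport": sport, "dport": dport,
            "payload": udp[8:ulen]}

if __name__ == "__main__":
    print(decapsulate(encapsulate(b"hello", 40000, 53)))
```

Note that the header checksum catches corruption, not tampering: anyone who can rewrite the header can recompute it, which is why integrity of the payload has to come from TLS or another cryptographic layer above.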

3. TCP/IP Model: The Practical Four-Layer Stack

The TCP/IP model is the real-world standard used on the internet. It collapses OSI into roughly four layers. Application (TCP/IP) maps to OSI 5–7: HTTP, DNS, FTP, and application logic. Transport maps to OSI 4: TCP and UDP. Internet maps to OSI 3: IP, ICMP. Link (or Network Access) maps to OSI 1–2: Ethernet, Wi-Fi, ARP. Pentest relevance: you enumerate services at the application layer, scan ports at the transport layer, do ping sweeps and routing analysis at the internet layer, and perform ARP spoofing or MAC-level attacks at the link layer.

TCP vs UDP (Transport Layer Detail)

TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a connection. It provides reliability: sequence numbers, acknowledgments, and retransmission of lost segments. Common TCP ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP). UDP has no handshake and no guarantee of delivery; it is used when speed or low overhead matters more than reliability. Common UDP ports: 53 (DNS), 123 (NTP), and many gaming or streaming protocols. UDP is easier to spoof and is often used in amplification attacks (e.g. DNS or NTP reflection). Ports theory: there are 65,535 logical ports (0–65535). Well-known ports (0–1023) are assigned to standard services; registered (1024–49151) and dynamic (49152–65535) are used for other or temporary connections.

4. IP Addressing and Subnetting (Core Mechanics)

IPv4 addresses are 32 bits, written in dotted decimal (e.g. 192.168.1.100). Each octet is 0–255. The address space is divided into networks using a subnet mask. A mask of 255.255.255.0 (or /24 in CIDR notation) means the first 24 bits are the network part and the last 8 bits are the host part—so one /24 subnet has 256 addresses, typically 254 usable for hosts (one for the network ID, one for the broadcast). Private IPv4 ranges (not routed on the public internet) are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16; these are used in homes and enterprises. IPv6 uses 128 bits (hex notation, e.g. 2001:db8::1), providing a huge address space and reducing the need for NAT.

Subnetting and CIDR

CIDR (Classless Inter-Domain Routing) notation expresses the subnet mask as a prefix length: /24 means 24 bits for the network, so 2^(32-24) = 256 addresses. Subnetting segments the network into smaller broadcast domains. Benefits: isolation (a compromise in one subnet has a limited blast radius), easier access control, and better use of address space. DHCP (Dynamic Host Configuration Protocol) assigns IP addresses automatically: the client broadcasts a DISCOVER, the server responds with an OFFER, the client sends a REQUEST, and the server confirms with an ACK. A rogue DHCP server can poison clients by offering them malicious gateway or DNS addresses—a common tactic in MITM or phishing on local networks.

5. Key Protocols Deep Dive

ARP (Address Resolution Protocol) runs at the data link layer. A device that needs to send a packet to an IP address asks, “Who has this IP?” via a broadcast. The owner replies with its MAC address. ARP has no authentication—any device can send a “gratuitous” reply claiming “I have that IP” and associate it with its own MAC. That is ARP poisoning: the victim sends traffic to the attacker’s MAC, and the attacker can sniff or relay it.

DNS (Domain Name System) resolves human-readable names (e.g. example.com) to IP addresses. It is hierarchical (root, TLD, authoritative servers) and typically uses UDP port 53. DNS responses are often not cryptographically signed (unless DNSSEC is used), so cache poisoning or forged responses can redirect users to malicious IPs.

ICMP (Internet Control Message Protocol) is used for diagnostics: ping sends Echo Request (type 8, code 0), the target replies with Echo Reply. Traceroute uses ICMP or UDP to discover the path.

Routing protocols (e.g. BGP, OSPF) let routers learn and advertise paths; they can be abused (e.g. BGP hijacking) to redirect traffic at scale.
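Because ARP has no authentication, the defensive control is to watch the IP-to-MAC mappings for contradictions. The following is an added example (not part of the lesson) of that detection logic: it walks a list of ARP replies, flags an IP whose MAC changes, flags a single MAC that claims more than one IP, and lets you pin known entries such as the gateway so that a conflicting reply is reported instead of learned. The ArpReply records, addresses and the SAMPLE traffic are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class ArpReply(NamedTuple):
    ts: float          # seconds, from the capture
    sender_ip: str     # "I have this IP ..."
    sender_mac: str    # "... at this MAC"
    target_ip: str

# Constructed sample traffic (not a real capture): the gateway 192.168.1.1 is first
# announced by ...:01, then a second host (...:99) claims the same IP and also
# answers for 192.168.1.100, so traffic in both directions would pass through it.
SAMPLE = [
    ArpReply(1.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.100"),
    ArpReply(2.0, "192.168.1.50", "aa:bb:cc:00:00:50", "192.168.1.100"),
    ArpReply(3.0, "192.168.1.1", "aa:bb:cc:00:00:99", "192.168.1.100"),
    ArpReply(4.0, "192.168.1.100", "aa:bb:cc:00:00:99", "192.168.1.1"),
]

def detect_arp_conflicts(replies, trusted=None):
    """Return alerts for an IP changing MAC or one MAC claiming several IPs.

    `trusted` is an optional static IP->MAC table (e.g. the real gateway); replies
    that contradict it are flagged and never overwrite the trusted entry.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = dict(trusted)            # the cache a host would build from replies
    ips_by_mac = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = learned.get(r.sender_ip)
        if prev is not None and prev != mac:
            kind = "TRUSTED_OVERRIDE" if r.sender_ip in trusted else "MAC_CHANGE"
            alerts.append({"ts": r.ts, "kind": kind, "ip": r.sender_ip,
                           "old": prev, "new": mac})
        if r.sender_ip not in trusted:
            learned[r.sender_ip] = mac
        first_claim = r.sender_ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(r.sender_ip)
        if first_claim and len(ips_by_mac[mac]) > 1:
            alerts.append({"ts": r.ts, "kind": "MULTI_IP", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts
```

A legitimate NIC swap or a DHCP lease moving to another host also produces MAC_CHANGE, so treat it as a lead to correlate with DHCP logs and the switch's port table rather than as proof of poisoning.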

6. Network Topologies and Devices

In a bus or star topology, devices connect to a central hub or switch. A hub (Layer 1) broadcasts every frame to all ports—anyone can sniff everything. A switch (Layer 2) learns MAC addresses and forwards frames only to the correct port, reducing promiscuous sniffing unless the switch is compromised (e.g. MAC flooding, STP manipulation) or the attacker is in the path.

A router (Layer 3) forwards IP packets between networks and often performs NAT. Weak default credentials or misconfigurations on routers are common.

A firewall (Layer 3–7) filters traffic by rules; next-generation firewalls add application-aware rules. Misconfigurations can leave dangerous ports open. IDS/IPS (Intrusion Detection/Prevention) monitor for anomalies or known attack patterns; evasion techniques exist.

Wireless (802.11): WEP is broken; WPA2 had KRACK; WPA3 improves. Rogue access points (evil twin) that broadcast the same or similar SSID can attract clients and capture or manipulate their traffic.

7. Attack Surface and Pentest Mindset

Reconnaissance often starts at the network layer: ping sweeps to find live hosts, then port scans (transport layer) to enumerate services. Positioning for MITM uses ARP or DNS spoofing (link and network layers). Exploitation then targets what is exposed: unencrypted protocols (HTTP, Telnet, FTP), weak authentication, or misconfigured services. Defenses are layered: VLANs segment broadcast domains, ACLs and firewalls filter traffic, encryption (TLS) protects data in transit. A significant portion of breaches involve the network perimeter or misconfiguration (e.g. DBIR). IPv6 is increasingly deployed and introduces new configuration and filtering challenges. As an authorized tester, you use this model to map the network, identify which layer each finding belongs to, and recommend controls (encryption, segmentation, hardening) accordingly.

Key Takeaway for Lesson 11

Networks connect devices and enable communication but create attack surfaces. The OSI and TCP/IP models organize functions into layers; each layer has typical protocols and attacks (application: XSS/phishing; transport: SYN flood/port scans; network: spoofing/routing; data link: ARP poisoning). IP addressing and subnetting define how traffic is routed and segmented; DHCP and DNS are critical and can be abused. Understanding topologies and devices (hub vs switch vs router, firewall, wireless) helps you see where confidentiality, integrity, and availability are at risk. Use this foundation for MITM, scanning, and ethical pentesting. Next: TCP/IP and OSI in more depth, with focus on where crypto (TLS) fits in the stack.