Networking Guide

The document provides an overview of networking basics relevant to cybersecurity and penetration testing, covering essential topics such as IP addresses, DHCP, NAT, ports, and the TCP/IP protocol suite. It explains the structure and purpose of IP addresses, the differences between public and private addressing, and the roles of various protocols in network communication. Additionally, it introduces the OSI model, detailing its seven layers and their functions in facilitating reliable network interactions.

Uploaded by

Ajay Singh

Networking Basics

For Cybersecurity & Pentesting

Topics Covered:
• IP Addresses
• Classes of IP Addresses
• Public vs. Private IP Addresses
• DHCP
• NAT (Network Address Translation)
• Ports & Common Port Numbers
• TCP/IP Protocol Suite
• The OSI Model
• OSI Model from a Cybersecurity Perspective
IP Addresses
1. Definition and Purpose
• An Internet Protocol (IP) address is a unique identifier assigned to each digital device on a
network.
• It functions similarly to a street address, allowing other devices to locate and communicate
with it.
• IP addresses are essential for accessing services such as email, video conferencing, web
browsing, and more.

2. IPv4: The Current Standard


• The most widely used IP addressing system today is IPv4 (Internet Protocol version 4).
• IPv4 uses a 32-bit structure, divided into four octets (groups of 8 bits).
• Each octet is written in decimal form and separated by dots (e.g., 192.168.1.101).

• Each octet can represent values ranging from 0 to 255 (2⁸ possible values).

3. Binary and Decimal Representation


• While computers interpret IP addresses in binary (base-2), they are typically displayed in
decimal form for human readability.
• This conversion bridges the gap between machine-level data processing and user-friendly
interfaces.
4. The Emergence of IPv6
• As the number of connected devices increases, IPv4 address exhaustion has become a
concern.
• IPv6 (Internet Protocol version 6) was introduced to address this limitation, offering a
128-bit address format.
• Although IPv6 adoption is gradually increasing, IPv4 remains the dominant protocol in most
networks today.

Classes of IP Addresses
IP addresses are traditionally categorized into three primary classes: Class A, Class B, and Class C.
These classifications are based on the range of IP addresses and are designed to accommodate
different sizes of networks.

1. Class A
• Range: 0.0.0.0 to 127.255.255.255

• Intended for very large networks, typically used by large organizations or internet service
providers.

2. Class B
• Range: 128.0.0.0 to 191.255.255.255

• Designed for medium-sized networks, such as universities or large companies.

3. Class C
• Range: 192.0.0.0 to 223.255.255.255

• Suitable for small networks, including home networks and small businesses.
These address classes provide structure to IP address allocation and help organize networks based
on their size and requirements.

Public vs. Private IP Addresses


The IPv4 address system, while fundamental to modern networking, has inherent limitations —
most notably, the finite number of available addresses. IPv4 provides approximately 4.3 billion
unique IP addresses. With a global population exceeding 7.5 billion and the rapid growth of
internet-connected devices, this number is insufficient to assign a unique IP address to every device.
1. Private IP Addressing
To address this shortage, a system was developed that allows specific ranges of IP addresses to be
used repeatedly within private networks. These private IP addresses are intended for use within
Local Area Networks (LANs) and are not routable over the public internet.
The recognized private IP address ranges are:
• 192.168.0.0 to 192.168.255.255
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
Private IP addresses are commonly assigned to devices such as computers, routers, and mobile
phones within homes, businesses, or organizational networks. These addresses can be reused across
different LANs without conflict, conserving the global pool of public IP addresses.

2. Public IP Addressing
For a device to communicate directly over the internet, it must be assigned a public IP address.
These addresses are globally unique and are managed by internet authorities to ensure proper
routing and connectivity. Devices within a private network communicate with the internet through a
Network Address Translation (NAT) device, typically a router. The NAT device translates private
IP addresses into a single public IP address, allowing multiple devices to share one public-facing
address.
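
The octet arithmetic and the class and private ranges from the sections above, as an added example that is not part of the original guide. Function names are illustrative and the sample addresses are constructed.

```python
# Added example: IPv4 addresses as 32-bit integers, checked against the
# class ranges and private ranges listed in this guide.

# Private ranges from the guide, written as (network address, prefix length).
PRIVATE_BLOCKS = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]

def to_int(addr):
    """Convert dotted decimal to a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and len(p) <= 3 for p in parts):
        raise ValueError("expected four decimal octets: %r" % addr)
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range 0-255: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_binary(addr):
    """Render the address as the machine sees it: four 8-bit groups."""
    value = to_int(addr)
    return ".".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def address_class(addr):
    """Classful category from the first octet, using the guide's ranges."""
    first = to_int(addr) >> 24
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "other"  # 224.0.0.0 and above fall outside the three classes listed

def is_private(addr):
    """True if the address falls inside one of the three private blocks."""
    value = to_int(addr)
    for network, prefix in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if value & mask == to_int(network):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ["192.168.1.101", "172.31.255.255", "172.32.0.1", "10.0.0.5"]:
        print(sample, to_binary(sample), "class", address_class(sample),
              "private" if is_private(sample) else "not private")
```

The pair 172.31.255.255 and 172.32.0.1 shows why the middle private range is a 12-bit prefix match rather than a comparison on the first octet alone.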

Dynamic Host Configuration Protocol (DHCP)


The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to
assign IP addresses to devices dynamically. This means devices do not retain a fixed IP address
permanently but receive a temporary assignment each time they connect to a network.

1. Dynamic IP Address Assignment


In most cases, DHCP operates within Local Area Networks (LANs), where devices use private IP
addresses. When a device connects to a LAN, it sends a request for an IP address to the DHCP
server. The DHCP server responds by assigning an available IP address to the device for a limited
period of time, known as a lease.
2. Lease Renewal and IP Changes
Each time a device connects to the LAN, it may receive a different IP address, though typically
within the same address range. For example, a DHCP server operating on a typical home or office
network may assign addresses within the 192.168.0.0 to 192.168.255.255 range.
This dynamic approach simplifies network management by automatically assigning and tracking IP
addresses without requiring manual configuration for each device.

Network Address Translation (NAT)


Network Address Translation (NAT) is a protocol that allows devices within a private network
to communicate with systems on the public internet. Since private IP addresses are not globally
unique, they cannot be routed directly on the internet. NAT solves this problem by translating
internal private IP addresses into a public IP address.

1. Purpose and Functionality


NAT operates by assigning a public IP address to a router or gateway that sits at the boundary
between a private LAN and the internet. When a device on the internal network initiates a request to
an external server:
• The NAT device records the internal device’s private IP address and port in a translation
table.
• The NAT device replaces the source private IP address with its own public IP address and
sends the request to the internet.
• When the response arrives, NAT checks its table, finds the matching internal IP address,
and forwards the response to the correct device within the LAN.
2. Transparent Operation
This process is transparent to users and devices within the network. From their perspective,
communication with external systems appears seamless, even though address translation is taking
place behind the scenes.

3. Typical Use Case


A common setup involves multiple devices within a LAN (e.g., computers, phones, IoT devices) all
using private IP addresses. These devices communicate with the internet through a single
NAT-enabled router. The router translates their addresses into its public IP, enabling shared
access to the internet.
This mechanism allows many devices to share one public IP address, efficiently conserving the
limited number of IPv4 addresses available.
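
The translation table described in this section, as an added example that is not part of the original guide. It is a simplified model rather than any real router's logic: the class and method names are illustrative, all addresses are constructed documentation values, entries never expire, and replies are accepted only from the server the flow was opened to (real devices differ in how strictly they filter).

```python
# Added example: a toy port-translating NAT table.

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}  # public port -> (private ip, private port, remote)
        self.by_flow = {}         # (private ip, private port, remote) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source and record the mapping."""
        flow = (src_ip, src_port, (dst_ip, dst_port))
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the internal host, or return None to drop it."""
        flow = self.by_public_port.get(dst_port)
        if dst_ip != self.public_ip or flow is None:
            return None                  # no table entry: unsolicited traffic
        private_ip, private_port, remote = flow
        if remote != (src_ip, src_port):
            return None                  # entry exists, but for another server
        return (src_ip, src_port, private_ip, private_port)

def demo():
    """Two LAN hosts use the same source port toward the same server."""
    nat = Nat("203.0.113.10")
    a = nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443)
    b = nat.outbound("192.168.1.11", 51000, "198.51.100.7", 443)
    reply_a = nat.inbound("198.51.100.7", 443, a[0], a[1])
    reply_b = nat.inbound("198.51.100.7", 443, b[0], b[1])
    stray = nat.inbound("198.51.100.99", 443, a[0], a[1])
    return a, b, reply_a, reply_b, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both internal hosts pick source port 51000, so the public port is the only thing that lets the router tell their replies apart, which is why the table stores the port as well as the address.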

Ports
In networking, ports function as sub-addresses that help direct network traffic to the correct service
on a device. While the IP address identifies the device itself, the port specifies which service or
application on that device is being targeted.
1. Concept of Ports
A common analogy is to compare the IP address to a building's street address and the port to an
apartment number. The street address (IP address) gets you to the right building (device), while the
apartment number (port) directs you to the correct individual or service within that building.
For example, an IP address brings the traffic to the correct host, and the port determines the specific
service, such as HTTP traffic on port 80.

2. Port Range and Common Ports


There are a total of 65,536 ports, based on a 16-bit addressing system (2¹⁶ possible values). These
ports are divided into categories, with the first 1,024 ports known as common ports or well-known
ports.
While it is not practical to memorize all 65,536 ports, individuals working in Cybersecurity,
network engineering, or system administration should be familiar with the most commonly used
ports, as they are essential for understanding how network communication occurs and how potential
attacks may target specific services.

Port Number(s)   Protocol         Port Type (Transport)

21               FTP              TCP, UDP
22               SSH              TCP, UDP
23               Telnet           TCP, UDP
25               SMTP             TCP, UDP
53               DNS              TCP, UDP
67/68            DHCP             UDP
80               HTTP             TCP, UDP
110              POP3             TCP, UDP
137-139          NetBIOS/NetBT    TCP, UDP
143              IMAP             TCP
161/162          SNMP             TCP, UDP
389              LDAP             TCP, UDP
427              SLP              TCP, UDP
443              HTTPS            TCP, UDP
445              SMB/CIFS         TCP
548              AFP              TCP
3389             RDP              TCP, UDP

TCP/IP Basics
• TCP/IP (Transmission Control Protocol/Internet Protocol) is the foundation for
communication over the internet.
• These protocols define how devices exchange data reliably across networks.
• A strong understanding of TCP/IP is essential for:
    • Hackers
    • Forensic investigators
    • Network engineers
• Many professionals lack deep knowledge of TCP/IP, giving those who do a clear advantage.
• Knowledge of TCP/IP structure and protocol fields is crucial for:
    • Developing effective hacking tools
    • Investigating network attacks
• Without understanding these fundamentals, time spent on advanced techniques or tools is
often wasted.

What Are Protocols?


• A protocol is an agreed-upon method or set of rules for communication.
• Similar to how languages like English have grammar and rules, protocols ensure consistent,
understandable communication between systems.
• Protocol rules are typically defined by RFCs (Request for Comments) — publicly available
documents outlining technical standards.
• The internet relies on numerous protocols, including:
    • TCP (Transmission Control Protocol)
    • IP (Internet Protocol)
    • UDP (User Datagram Protocol)
    • FTP (File Transfer Protocol)
    • HTTP (Hypertext Transfer Protocol)
    • SMTP (Simple Mail Transfer Protocol)
• Among these, IP and TCP are considered the two most critical protocols for internet
communication.

IP (Internet Protocol)
• IP (Internet Protocol) defines the source and destination IP addresses of a packet as it
travels across networks.
• IP is often used with other protocols, such as TCP, forming the common term TCP/IP.
• The IP Packet Header contains several fields critical for network communication, forensic
analysis, and hacking.
Structure of an IP Header:

Row 1: Basic Information


• Version: Specifies the IP version (IPv4 or IPv6).
• IHL (Internet Header Length): Defines the header length.
• Type of Service (TOS): Indicates service preferences such as:
    • Minimize delay
    • Maximize throughput
    • Maximize reliability
    • Minimize cost
• Total Length: Total size of the IP datagram, up to a maximum of 65,535 bytes.

Row 2: Fragmentation and Identification


• Identification: Uniquely identifies each packet, useful for reassembling fragmented packets.
• IP Flags:
    • Indicates if a packet is fragmented or not.
    • Can be manipulated to evade IDS (Intrusion Detection Systems) or firewalls.
    • Used in OS fingerprinting techniques.
• Fragment Offset: Indicates where fragmented packets should be reassembled.

Row 3: Control and Error Checking


• TTL (Time to Live):
    • Specifies how many hops the packet can take before expiration.
    • TTL values vary by OS, useful for identifying the sender's OS.
• Protocol:
    • Specifies the protocol encapsulated within the IP packet.
    • Common values:
        • 6 → TCP
        • 1 → ICMP
        • 17 → UDP
• Header Checksum:
    • Performs error checking on the IP header to ensure data integrity.

Rows 4 & 5: Addressing
• Source IP Address: Origin of the packet.
• Destination IP Address: Final recipient of the packet.

Row 6: Optional Fields


• Options: Optional, variable-length field for additional settings.
• Padding: Ensures the header length aligns properly, if required.
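
The header rows above, parsed from raw bytes, as an added example that is not part of the original guide. It unpacks each field, splits the flags from the fragment offset, and verifies the header checksum; the function names are illustrative and SAMPLE is a constructed 20-byte header with no payload attached.

```python
# Added example: parse an IPv4 header and verify its checksum.
import socket
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # the values listed in the guide

def checksum16(data):
    """Ones' complement sum of 16-bit words, as used by the header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet):
    """Return the header fields as a dict; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 header")
    if header_len < 20 or header_len > len(packet):
        raise ValueError("IHL does not fit the data")
    return {
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),        # Don't Fragment
        "mf": bool(flags_frag & 0x2000),        # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        # Summing a valid header, checksum field included, yields zero.
        "checksum_ok": checksum16(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_len],
    }

# Constructed sample: UDP datagram header, 192.168.0.1 -> 192.168.0.199.
SAMPLE = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")

if __name__ == "__main__":
    for key, value in parse_ipv4(SAMPLE).items():
        print(key, value)
```

Changing any header byte without recomputing the checksum makes checksum_ok false, which is why routers must update the checksum each time they decrement the TTL.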

TCP (Transmission Control Protocol)


• TCP is a reliable, connection-oriented protocol responsible for ensuring data is delivered
accurately and in the correct sequence.
• The TCP Header contains several critical fields essential for network communication,
security analysis, and forensics.

Structure of a TCP Header:

Row 1: Ports
• Source Port / Destination Port:
    • Identify the port the communication originated from and the port it is destined for.

Row 2: Sequence Management

• Sequence Number:
    • Generated by the source system's TCP stack.
    • Ensures packets are arranged in proper order upon arrival.
    • Plays a role in defeating Man-in-the-Middle (MitM) attacks.

Row 3: Acknowledgments

• Acknowledgment Number:
    • Echoes the Sequence Number to confirm successful packet receipt.
    • If not acknowledged within a set time, the sender retransmits the packet.
    • Provides reliability, unlike UDP, which does not guarantee delivery.

Row 4: Control Flags & Flow Control


• Flags (6 primary ones used in networking and scanning):
    • SYN: Initiates a new connection.
    • FIN: Graceful termination of a connection.
    • ACK: Acknowledges received packets (set after handshake).
    • RST: Abrupt connection termination (used if packet arrives at wrong port/IP).
    • URG: Indicates urgent data follows.
    • PSH: Pushes buffered data directly to the application.
• Recon Techniques:
    • Custom flag combinations in tools like nmap or hping3 can elicit responses from
    secure systems or evade detection.
• Window Size:
    • Indicates buffer size available for incoming packets.
    • Plays a role in flow control.
    • Varies by OS and Service Pack, making it useful for OS fingerprinting.
    • Tools like p0f use this and other fields (e.g., IP header TTL and DF) for passive OS
    detection.

Row 5: Error Checking and Urgent Data


• Checksum:
    • Simple algorithm for error checking and data integrity.
• URG Pointer:
    • Points to the last byte of urgent data, used with the URG flag.

Row 6: Optional Fields

• Options:
    • Optional, variable-length field for additional TCP settings.
• Padding:
    • Ensures TCP header length aligns to a multiple of 32 bits.

TCP Three-Way Handshake


• A three-way handshake initiates every TCP connection to establish a reliable
communication channel.
• The handshake sequence:
    1. SYN: Client sends a packet with the SYN flag to request communication.
    2. SYN-ACK: Server responds with SYN and ACK flags, indicating readiness to
    communicate.
    3. ACK: Client replies with an ACK flag, confirming receipt and completing the
    handshake.
• After this process, data transfer can safely begin.
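
The TCP header fields and the three-way handshake described above, as an added example that is not part of the original guide. It parses the fixed 20-byte header, checks that a constructed SYN / SYN-ACK / ACK exchange is consistent (each acknowledgment number is the peer's sequence number plus one, because a SYN consumes one sequence number), and names flag combinations that ordinary connection traffic does not produce, which is what a monitoring rule would alert on. All names and values are illustrative.

```python
# Added example: TCP header parsing, handshake validation, flag sanity check.
import struct

FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def build_tcp(sport, dport, seq, ack, flags, window=64240):
    """Pack a 20-byte header without options; the checksum is left at 0."""
    bits = sum(bit for name, bit in FLAG_BITS if name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, window, 0, 0)

def parse_tcp(segment):
    """Unpack the fixed part of a TCP header into a dict."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4      # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = frozenset(name for name, bit in FLAG_BITS if off_flags & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "urg_ptr": urg}

def flag_anomaly(flags):
    """Name a combination that normal connection traffic does not produce."""
    if not flags:
        return "no flags set"
    if {"SYN", "FIN"} <= flags:
        return "SYN with FIN"
    if {"SYN", "RST"} <= flags:
        return "SYN with RST"
    if "FIN" in flags and "ACK" not in flags:
        return "FIN without ACK"
    return None

def handshake_ok(syn, synack, ack):
    """Check flags, mirrored ports and the +1 sequence/acknowledgment rule."""
    nxt = lambda n: (n + 1) % 2**32         # sequence numbers wrap at 32 bits
    return (syn["flags"] == {"SYN"}
            and synack["flags"] == {"SYN", "ACK"}
            and ack["flags"] == {"ACK"}
            and (synack["sport"], synack["dport"]) == (syn["dport"], syn["sport"])
            and (ack["sport"], ack["dport"]) == (syn["sport"], syn["dport"])
            and synack["ack"] == nxt(syn["seq"])
            and ack["seq"] == nxt(syn["seq"])
            and ack["ack"] == nxt(synack["seq"]))

# Constructed handshake: client port 51000 to server port 443.
SYN = build_tcp(51000, 443, 1000, 0, {"SYN"})
SYNACK = build_tcp(443, 51000, 5000, 1001, {"SYN", "ACK"})
ACK = build_tcp(51000, 443, 1001, 5001, {"ACK"})

if __name__ == "__main__":
    print(handshake_ok(parse_tcp(SYN), parse_tcp(SYNACK), parse_tcp(ACK)))
```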

UDP (User Datagram Protocol)


• UDP is a connectionless protocol that does not require a handshake or connection setup.
• It is more lightweight than TCP, with minimal overhead.
• UDP does not guarantee delivery, ordering, or error checking of packets.
• Ideal for applications prioritizing speed and efficiency over reliability, such as:
    • DNS (Domain Name System) for simple queries
    • SNMP (Simple Network Management Protocol) for managing network devices
    • NTP (Network Time Protocol) for time synchronization
    • Streaming audio and video, where occasional packet loss is acceptable

The OSI Model


• The OSI Model (Open Systems Interconnection Model) explains how different protocols
work together to enable network communication.
• It is one of the two most common models for understanding networking, alongside the
TCP/IP Model.
• While theoretical at first glance, knowledge of the OSI Model is essential for understanding
networking terminology used in real-world environments (e.g., “layer three switch”).
• A basic understanding of this model is expected for anyone pursuing careers in
networking, cybersecurity, or forensics.
• The OSI Model breaks network communication into seven distinct layers, each with
specific roles and responsibilities.
• A visual diagram of the seven layers will illustrate their order and functions.
OSI Model – The Seven Layers
• The OSI Model consists of seven distinct layers, each serving a specific role in network
communication:
    1. Application Layer (Layer 7)
    2. Presentation Layer (Layer 6)
    3. Session Layer (Layer 5)
    4. Transport Layer (Layer 4)
    5. Network Layer (Layer 3)
    6. Data Link Layer (Layer 2)
    7. Physical Layer (Layer 1)
• These layers work together to ensure smooth and reliable communication across networks.
• Each layer interacts with the one directly above and below it to pass information along the
communication process.

Mnemonic Devices to Remember the OSI Layers


• Top to Bottom (Layer 7 to Layer 1):
    All People Seem To Need Data Processing
• Bottom to Top (Layer 1 to Layer 7):
    Please Do Not Throw Sausage Pizza Away
• These memory aids help quickly recall the order of the layers during learning and
troubleshooting.
The OSI Model from a Cybersecurity Perspective
• Attacks targeting network systems can be categorized according to the seven layers of the
OSI Model.
• Understanding how attacks align with these layers provides clarity on both defensive and
offensive techniques.

Common Attacks by OSI Layer


1. Application Layer (Layer 7)
    • Target: End-user applications such as browsers, word processors, etc.
    • Common Attack: Exploits that embed malicious code within applications to
    compromise the system.
2. Presentation Layer (Layer 6)
    • Target: Data translation, encryption, and formatting processes.
    • Common Attack: Phishing attacks via malicious emails or links.
3. Session Layer (Layer 5)
    • Target: Establishment and management of communication sessions.
    • Common Attack: Session Hijacking, where an attacker takes over an active,
    legitimate session.
4. Transport Layer (Layer 4)
    • Target: Reliable data transfer and error correction.
    • Common Attack: Reconnaissance, where attackers analyze open ports and services.
5. Network Layer (Layer 3)
    • Target: Routing and addressing of data packets.
    • Common Attack: Man-in-the-Middle (MitM) attacks to intercept or alter traffic.
6. Data Link Layer (Layer 2)
    • Target: Local network communication, including MAC addressing.
    • Common Attack: MAC Address Spoofing, where attackers impersonate legitimate
    devices on the network.
7. Physical Layer (Layer 1)
    • Target: Hardware, cabling, and physical transmission mediums.
    • Common Attack: Sniffing, monitoring network traffic through hardware taps or
    compromised devices.
