Networking Concepts
Networking is the backbone of all digital communication. Understanding how systems connect, route data, and expose services is foundational for both attackers and defenders.
Core Concepts
- OSI Model and TCP/IP Stack
- IP Addressing (IPv4 vs IPv6), CIDR Notation, Subnets
- MAC Addressing and ARP Protocol
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
- NAT, PAT, and Routing Basics
- TCP Three-Way Handshake and connection teardown
- UDP communication and its stateless, connectionless behavior
- ICMP packet types and the diagnostic tools built on them (ping, traceroute)
- MTU and Packet Fragmentation
- Common transport-layer attacks (SYN Flood, RST Injection)
Transport & Application Protocols
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- TLS 1.3 handshake flow, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media streams
- DNSSEC, DNS over TLS (DoT), DNS over HTTPS (DoH)
IPv6 Considerations
- IPv6 Addressing: link-local vs global unicast
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their security impact
- Dual Stack Networking and IPv6-over-IPv4 Tunneling (6in4, Teredo)
- IPv6 Attack Surface – RA spoofing, fragmented headers
Port Overview
Understanding ports and services is critical for network reconnaissance and service identification. Each service typically listens on a well-known default port, but any service can be bound to any port, so the port number alone is a hint rather than proof of what is running behind it.
Port | Protocol | Common Service | Description |
---|---|---|---|
20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
22 | TCP | SSH | Secure Shell – remote access to systems |
23 | TCP | Telnet | Unencrypted remote login service |
25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
67, 68 | UDP | DHCP | Dynamic Host Configuration Protocol – assigns IP addresses |
80 | TCP | HTTP | HyperText Transfer Protocol – standard web traffic |
110 | TCP | POP3 | Post Office Protocol – retrieving emails |
123 | UDP | NTP | Network Time Protocol – clock synchronization |
143 | TCP | IMAP | Internet Message Access Protocol – email retrieval |
161, 162 | UDP | SNMP | Simple Network Management Protocol – device monitoring |
443 | TCP | HTTPS | Encrypted HTTP using TLS |
445 | TCP | SMB | Server Message Block – file and printer sharing on Windows |
3306 | TCP | MySQL | Database service for MySQL |
3389 | TCP | RDP | Remote Desktop Protocol – Windows remote access |
8080 | TCP | HTTP-Alt | Often used for proxy or secondary web services |
Diagnostic & Monitoring Tools
- ping (test reachability using ICMP echo requests)
- traceroute / tracert (track packet route to target)
- netstat / ss (view open ports and active connections)
- ip / ifconfig (view and configure IP settings)
- dig / nslookup (query DNS records)
- tcpdump (capture and analyze network packets)
- Wireshark (GUI-based packet analysis)
- nmap / masscan (port and service scanners)
- nc / netcat (TCP/UDP data transfer and listening)
- hping3 / scapy (craft custom packets for testing and evasion)
Packet Crafting & Manipulation
- TCP/UDP Floods – custom packet generation
- Fragmentation Attacks to bypass simple filters
- Packet Replay for credential or session hijacking
- TTL Analysis to map filtered paths
- Tools: scapy, hping3, nping
Tunneling & Encapsulation
- SSH Tunneling (local, remote, dynamic SOCKS)
- VPN protocols: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- GRE, VXLAN, and GENEVE overlays
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- Web Application Firewall (WAF)
- Proxy Servers: forward, reverse, transparent
- VLAN Segmentation and Zero Trust Networking
- Load Balancers – L4 vs L7
Protocol References
Packet Capture & Analysis
- tcpdump (command-line packet sniffer)
- Wireshark (detailed packet-level inspection)
- pcap files and offline analysis
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization
- Nmap for topology and host discovery
- Netdiscover for ARP-based LAN host identification
- Traceroute graphs
- Zenmap GUI for network scans