Networking Concepts
Networking Concepts
Understanding network fundamentals is essential for reconnaissance, lateral movement, and post-exploitation. Knowing how IP addressing, protocols, routing, and ports function allows attackers to discover services, manipulate traffic, tunnel covertly, and evade detection.
This section provides a structured overview of the core principles and tools used to analyze, interact with, and exploit networks in real-world offensive operations.
Network Fundamentals
- OSI Model and TCP/IP Stack
- IP Addressing (IPv4 vs IPv6), CIDR Notation, Subnets
- MAC Addressing and ARP Protocol
- NAT, PAT, and Routing Basics
- MTU and Packet Fragmentation
Protocol Behavior
- TCP Protocol and TCP Three-Way Handshake
- UDP Protocol and stateless behavior
- ICMP Protocol – echo requests, TTL, and diagnostics
- DNS Resolution and record types (A Record, CNAME, MX, TXT)
Transport & Application Protocols
- TCP vs UDP vs SCTP – flow control and reliability
- HTTP Protocols: HTTP/1.1, HTTP/2, HTTP/3 (QUIC)
- TLS 1.3, cipher suites, and Forward Secrecy
- SMB Protocol, LDAP, Kerberos Authentication
- SIP Protocol, RTP Protocol – VoIP signaling and media
- DNSSEC, DoT, DoH
Port Overview
Understanding ports and services is critical for network reconnaissance and service identification.
| Port | Protocol | Common Service | Description |
|---|---|---|---|
| 20, 21 | TCP | FTP | File Transfer Protocol – used for transferring files |
| 22 | TCP | SSH | Secure Shell – remote access to systems |
| 23 | TCP | Telnet | Unencrypted remote login service |
| 25 | TCP | SMTP | Simple Mail Transfer Protocol – sending emails |
| 53 | UDP/TCP | DNS | Domain Name System – resolves domain names to IP addresses |
| 67, 68 | UDP | DHCP | Assigns IP addresses automatically |
| 80 | TCP | HTTP | Standard web traffic |
| 110 | TCP | POP3 | Email retrieval |
| 123 | UDP | NTP | Clock synchronization |
| 143 | TCP | IMAP | Internet Message Access Protocol – email |
| 161, 162 | UDP | SNMP | Device monitoring |
| 443 | TCP | HTTPS | Encrypted HTTP via TLS |
| 445 | TCP | SMB | Windows file/printer sharing |
| 3306 | TCP | MySQL | MySQL database service |
| 3389 | TCP | RDP | Windows remote access |
| 8080 | TCP | HTTP-Alt | Proxy or alternate web services |
IPv6 Considerations
- IPv6 Addressing: link-local vs global
- Neighbor Discovery Protocol (NDP) and SLAAC
- IPv6 Extension Headers and their use in evasion
- Dual Stack Networking and Teredo
- IPv6 Attack Surface – RA spoofing, header chains
Diagnostic & Monitoring Tools
- ping, traceroute / tracert
- netstat / ss, ip / ifconfig
- dig / nslookup
- tcpdump, Wireshark, nmap, masscan
- nc / netcat, hping3, scapy
Packet Crafting & Manipulation
Tunneling & Encapsulation
- SSH Tunneling (local/remote/SOCKS)
- VPNs: IPsec, OpenVPN, WireGuard
- DNS Tunneling, ICMP Tunneling, HTTP Tunneling
- Overlay protocols: GRE, VXLAN, GENEVE
- Tools: ssh, stunnel, iodine, chisel
Network Security Devices & Controls
- Stateless vs Stateful Firewalls
- IDS / IPS (Snort, Suricata)
- WAFs and proxy filtering
- VLAN Segmentation, Zero Trust
- Load Balancers – L4 vs L7
Packet Capture & Analysis
- tcpdump, Wireshark, pcap files
- Common filters: `tcp.port == 80`, `ip.addr == 192.168.1.1`, `dns.qry.name`
Network Mapping & Visualization
- Nmap, Netdiscover, Zenmap
- Traceroute topology graphs