Difficulty: 2/5

Networking Fundamentals

Understand network protocols, architecture, and security concepts.

75 minutes
Module 2

Networking Fundamentals for Cybersecurity

Why Networking Matters

Understanding networks is crucial for cybersecurity because:

  • Most attacks happen over networks
  • Penetration testing requires network knowledge
  • Security tools operate at network level
  • Incident response involves network analysis

OSI Model

The Open Systems Interconnection model has 7 layers:

Layer 7: Application

  • Purpose: User interface and application services
  • Protocols: HTTP, HTTPS, FTP, SMTP, DNS, SSH
  • Attacks: Phishing, SQL injection, XSS
  • Tools: Burp Suite, Wireshark

Layer 6: Presentation

  • Purpose: Data translation, encryption, compression
  • Functions: SSL/TLS, data formatting
  • Security: Encryption protocols

Layer 5: Session

  • Purpose: Establish, manage, terminate connections
  • Examples: NetBIOS, RPC
  • Attacks: Session hijacking

Layer 4: Transport

  • Purpose: End-to-end communication, reliability
  • Protocols: TCP (reliable), UDP (fast)
  • Attacks: SYN flood, port scanning
  • Tools: Nmap, Hping3

Layer 3: Network

  • Purpose: Routing, logical addressing
  • Protocols: IP (IPv4, IPv6), ICMP
  • Devices: Routers
  • Attacks: IP spoofing, routing attacks
  • Tools: Traceroute, ping

Layer 2: Data Link

  • Purpose: Physical addressing, error detection
  • Protocols: Ethernet, ARP
  • Addressing: MAC addresses
  • Devices: Switches, bridges
  • Attacks: ARP spoofing, MAC flooding

Layer 1: Physical

  • Purpose: Physical transmission of bits
  • Media: Cables, wireless, fiber
  • Devices: Hubs, repeaters
  • Attacks: Physical tapping, jamming

TCP/IP Model

Simplified 4-layer model:

  1. Application: HTTP, DNS, FTP, SSH
  2. Transport: TCP, UDP
  3. Internet: IP, ICMP, ARP
  4. Network Access: Ethernet, WiFi

IP Addressing

IPv4

  • Format: 32-bit (4 octets)
  • Example: 192.168.1.1
  • Classes:
    • Class A: 1.0.0.0 - 126.255.255.255 (large networks)
    • Class B: 128.0.0.0 - 191.255.255.255 (medium)
    • Class C: 192.0.0.0 - 223.255.255.255 (small)

Private IP Ranges

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Subnetting

Network: 192.168.1.0/24
Subnet Mask: 255.255.255.0
Usable IPs: 192.168.1.1 - 192.168.1.254
Broadcast: 192.168.1.255
Total Hosts: 254

IPv6

  • Format: 128-bit (8 groups of 4 hex digits)
  • Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • Advantages: Larger address space, better security

Common Protocols

HTTP/HTTPS (Ports 80/443)

  • Purpose: Web traffic
  • Security: HTTPS adds TLS encryption
  • Attacks: Man-in-the-middle, session hijacking
  • Testing: Burp Suite, OWASP ZAP

DNS (Port 53)

  • Purpose: Domain name resolution
  • Types: A, AAAA, MX, CNAME, TXT
  • Attacks: DNS spoofing, cache poisoning, tunneling
  • Tools: dig, nslookup, dnsrecon

# DNS enumeration
dig example.com
nslookup example.com
host example.com

SSH (Port 22)

  • Purpose: Secure remote access
  • Security: Encrypted communication
  • Attacks: Brute force, key theft
  • Best practices: Key-based auth, disable root login

FTP (Ports 20/21)

  • Purpose: File transfer
  • Security: Unencrypted (use SFTP/FTPS)
  • Attacks: Credential sniffing, anonymous access

SMTP (Ports 25/587/465)

  • Purpose: Email transmission
  • Attacks: Email spoofing, spam relay
  • Tools: Swaks, sendEmail

SMB (Ports 139/445)

  • Purpose: File/printer sharing
  • Attacks: EternalBlue, pass-the-hash
  • Tools: smbclient, enum4linux

TCP Three-Way Handshake

Client                  Server
  |                       |
  |----SYN (SEQ=100)----->|
  |                       |
  |<---SYN-ACK (SEQ=300,--|
  |        ACK=101)       |
  |                       |
  |----ACK (ACK=301)----->|
  |                       |
  | Connection Established |
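A server-side model of the handshake above, added here as an illustration rather than taken from the course. It applies the SEQ/ACK rule from the diagram (the final ACK must equal the server's ISN + 1) and exposes how many connections are stuck at the second step, which is the state a SYN scan or SYN flood leaves behind. The segment representation (flags set, SEQ, ACK) and the class name are assumptions of this example.

```python
# Added example: minimal TCP listener state machine for the three-way handshake.
SYN_RECEIVED, ESTABLISHED = "SYN_RECEIVED", "ESTABLISHED"

class Listener:
    """Server side of the handshake; one entry per client identifier."""

    def __init__(self, isn: int = 300):
        self.isn = isn        # server's initial sequence number (300 in the diagram)
        self.conns = {}       # client -> {"state", "snd_nxt", "rcv_nxt"}

    def receive(self, client, flags, seq, ack):
        """Handle one segment (flags, SEQ, ACK); return the reply segment or None."""
        conn = self.conns.get(client)
        if conn is None:
            if flags == {"SYN"}:
                # Step 1 -> 2: remember the client's SEQ, answer SYN-ACK with ACK = SEQ + 1
                self.conns[client] = {"state": SYN_RECEIVED,
                                      "snd_nxt": self.isn + 1, "rcv_nxt": seq + 1}
                return ({"SYN", "ACK"}, self.isn, seq + 1)
            return ({"RST"}, 0, 0)    # no connection for this client: reset
        if "RST" in flags:
            del self.conns[client]    # peer aborted, e.g. an -sS probe after the SYN-ACK
            return None
        if conn["state"] == SYN_RECEIVED and flags == {"ACK"}:
            # Step 3: the ACK must acknowledge our SYN (ISN + 1 = 301 in the diagram)
            if ack == conn["snd_nxt"] and seq == conn["rcv_nxt"]:
                conn["state"] = ESTABLISHED
                return None
            return ({"RST"}, ack, 0)  # bad ACK number: reject, entry stays half-open
        return None

    def half_open(self) -> int:
        """Connections still waiting for the third segment; a SYN flood drives this up."""
        return sum(1 for c in self.conns.values() if c["state"] == SYN_RECEIVED)

def full_handshake(server, client, client_isn=100):
    """Drive the three segments from the diagram and return the resulting state."""
    flags, srv_seq, srv_ack = server.receive(client, {"SYN"}, client_isn, 0)
    assert flags == {"SYN", "ACK"} and srv_ack == client_isn + 1
    server.receive(client, {"ACK"}, client_isn + 1, srv_seq + 1)
    return server.conns[client]["state"]

if __name__ == "__main__":
    srv = Listener()
    print(full_handshake(srv, "client-a"))             # ESTABLISHED
    for i in range(100):                                # SYNs never followed by an ACK
        srv.receive(f"bot-{i}", {"SYN"}, 1000 + i, 0)
    print("half-open connections:", srv.half_open())   # 100
```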

Port Scanning

Port States

  • Open: Service accepting connections
  • Closed: No service, but reachable
  • Filtered: Firewall blocking

Scan Types

# TCP SYN scan (stealth)
nmap -sS target.com

# TCP connect scan
nmap -sT target.com

# UDP scan
nmap -sU target.com

# Service version detection
nmap -sV target.com

# OS detection
nmap -O target.com

# Aggressive scan
nmap -A target.com

# Scan specific ports
nmap -p 80,443,8080 target.com

# Scan port range
nmap -p 1-1000 target.com

Network Devices

Router

  • Connects different networks
  • Routes traffic based on IP
  • Layer 3 device

Switch

  • Connects devices in same network
  • Forwards based on MAC address
  • Layer 2 device

Firewall

  • Filters traffic based on rules
  • Can operate at multiple layers
  • Types: Packet filtering, stateful, application

Load Balancer

  • Distributes traffic across servers
  • Improves availability and performance

Network Security Concepts

Firewall Rules

# UFW (Uncomplicated Firewall)
sudo ufw allow 22/tcp      # allow SSH first so enabling the firewall does not cut off the current session
sudo ufw allow 80/tcp
sudo ufw deny 23/tcp
sudo ufw enable            # default policy denies all other incoming traffic
sudo ufw status

# iptables
sudo iptables -A INPUT -i lo -j ACCEPT                                        # keep loopback working
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # allow replies to the host's own outbound connections
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -P INPUT DROP                                                   # set the default-drop policy last

VPN (Virtual Private Network)

  • Purpose: Secure remote access
  • Protocols: OpenVPN, IPSec, WireGuard
  • Benefits: Encryption, privacy, bypass restrictions

IDS/IPS

  • IDS: Intrusion Detection System (monitors)
  • IPS: Intrusion Prevention System (blocks)
  • Tools: Snort, Suricata, Zeek

NAT (Network Address Translation)

  • Translates private IPs to public
  • Provides basic security
  • Conserves IPv4 addresses

Network Reconnaissance

Passive Reconnaissance

# WHOIS lookup
whois example.com

# DNS enumeration
dig example.com ANY   # many servers now answer ANY minimally or refuse it (RFC 8482); query A, MX, TXT etc. individually if so
fierce -dns example.com

# Search engines
site:example.com
intitle:"index of"

Active Reconnaissance

# Ping sweep
nmap -sn 192.168.1.0/24

# Port scanning
nmap -p- target.com

# Service enumeration
nmap -sV -sC target.com

# Traceroute
traceroute target.com

Packet Analysis with Wireshark

Capture Filters

host 192.168.1.1
port 80
tcp
udp
icmp

Display Filters

ip.addr == 192.168.1.1
tcp.port == 80
http
dns
arp

Common Tasks

  1. Capture HTTP traffic
  2. Analyze TCP handshakes
  3. Detect ARP spoofing
  4. Find cleartext passwords
  5. Identify suspicious traffic

Network Attacks

ARP Spoofing

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# ARP spoof
arpspoof -i eth0 -t victim gateway
arpspoof -i eth0 -t gateway victim
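Detecting the attack the two commands above produce: an ARP watcher, added here as an example that is not part of the course, keeps an IP-to-MAC table and raises on the two signs of spoofing, a binding that changes and one MAC answering for several IPs. The input is a constructed list of ARP replies standing in for a capture; on a real network the records would come from something like Wireshark's "arp" display filter.

```python
# Added example: ARP spoofing detector over (sender IP, sender MAC) reply records.
from collections import defaultdict

class ArpWatch:
    """Tracks IP -> MAC bindings seen in ARP replies and records anomalies."""

    def __init__(self, trusted=None):
        # Optionally seed with known-good bindings (e.g. the gateway's real MAC)
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac
        elif old != mac:
            self.alerts.append(f"binding change: {ip} was {old}, now {mac}")
            self.table[ip] = mac     # keep following the live state
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            # Legitimate multi-homed hosts also trigger this; treat it as a lead, not proof
            self.alerts.append(f"mac {mac} claims {claimed}")

    def macs_with_multiple_ips(self) -> dict:
        by_mac = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

# Constructed capture: gateway and victim answer normally, then a third host
# answers for both of them, which is what the two arpspoof commands above cause.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway
    ("192.168.1.50", "bb:bb:bb:bb:bb:50"),   # victim
    ("192.168.1.77", "cc:cc:cc:cc:cc:77"),   # attacker's own address
    ("192.168.1.1",  "cc:cc:cc:cc:cc:77"),   # attacker claims the gateway
    ("192.168.1.50", "cc:cc:cc:cc:cc:77"),   # attacker claims the victim
]

def run(replies=SAMPLE_REPLIES) -> ArpWatch:
    watcher = ArpWatch()
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher

if __name__ == "__main__":
    for alert in run().alerts:
        print("ALERT:", alert)
```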

DNS Spoofing

  • Redirect DNS queries
  • Phishing attacks
  • Man-in-the-middle

Port Scanning Detection

  • Monitor for scan patterns
  • Use IDS/IPS
  • Implement rate limiting
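The "monitor for scan patterns" item made concrete, and the defender's view of the Nmap scan types listed earlier: a detector that flags a source touching many distinct ports on one host within a short window. This is an added example, not course material; the log lines are constructed in the style of the iptables LOG target, and the window and threshold are assumed tuning values.

```python
# Added example: port-scan detection over constructed firewall log lines.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s.*SRC=(?P<src>[\d.]+)\s.*DST=(?P<dst>[\d.]+)\s.*"
    r"PROTO=(?P<proto>\w+)\s.*DPT=(?P<dpt>\d+)"
)

def parse_line(line: str):
    """Return (timestamp, src, dst, proto, dport) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return int(d["ts"]), d["src"], d["dst"], d["proto"], int(d["dpt"])

def detect_scans(lines, window: int = 60, threshold: int = 10) -> dict:
    """Map (src, dst) -> max distinct ports hit inside any `window` seconds, for pairs at or above threshold."""
    events = defaultdict(list)              # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, _proto, dpt = rec
            events[(src, dst)].append((ts, dpt))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # sliding window starting at each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts

# Constructed sample: 10.0.0.5 sweeps 12 ports on 192.168.1.10 within 11 seconds,
# while 10.0.0.9 makes repeated legitimate connections to port 443 only.
SAMPLE_LOG = [
    f"{1700000000 + i} kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 "
    f"PROTO=TCP SPT={40000 + i} DPT={p} SYN"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3389, 8080])
] + [
    f"{1700000000 + i * 5} kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 "
    f"PROTO=TCP SPT={50000 + i} DPT=443 SYN"
    for i in range(20)
]

if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

A real deployment would also count only inbound SYNs (the sample already contains nothing else) and expire old events instead of re-reading the whole list.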

Best Practices

  1. Segment networks: VLANs, DMZ
  2. Monitor traffic: IDS/IPS, SIEM
  3. Encrypt communications: VPN, TLS
  4. Regular updates: Patch network devices
  5. Strong authentication: Multi-factor
  6. Least privilege: Minimal access
  7. Backup configurations: Regular backups

Practice Exercises

  1. Set up a home lab with multiple VMs
  2. Perform network reconnaissance on your lab
  3. Capture and analyze traffic with Wireshark
  4. Configure firewall rules
  5. Practice ARP spoofing (ethically, in your lab)
  6. Scan for vulnerabilities with Nmap
  7. Set up and test a VPN

Next Module

Ready for Introduction to Penetration Testing!