Networking Basics TCP/IP Essentials
1. Fundamentals of Computer Networks
1.1 Why Networking Matters in Cybersecurity
1.1.1 Importance of Networking for Threat Analysis, Penetration Testing, and Defense
- Foundational Knowledge: Networking underpins nearly every element of modern computing. Whether you’re updating your phone apps, streaming music, or launching an enterprise-level web server, these actions involve sending and receiving data across networks. If you’re a pentester—or aim to become one—you can’t escape networking. Understanding how devices connect, communicate, and transfer data is crucial to spotting potential vulnerabilities and exploitation avenues.
- Threat Analysis: In cybersecurity, we often talk about the “attack surface.” This surface includes endpoints (computers, mobile devices, IoT equipment), servers, user accounts, and—vitally—the network pathways connecting everything together. When analyzing threats, knowing how network protocols and architectures function helps you identify where an attacker might intercept or modify data in transit, launch Denial-of-Service (DoS) attacks, or attempt man-in-the-middle intrusions.
- Penetration Testing: During penetration testing, your job could involve:
  - Scanning networks to discover live hosts and open ports.
  - Interrogating network services to identify potential vulnerabilities.
  - Analyzing network traffic to understand how data is being transmitted and whether it can be manipulated or injected with malicious payloads.
  Without a strong handle on networking basics, tools like Nmap, Wireshark, or Metasploit might feel too cryptic. More importantly, you risk misunderstanding the very environment you are testing.
- Defense: A defensive cybersecurity posture starts with an understanding of what “normal” network traffic looks like. If you know how packets typically flow and how protocols are supposed to function, you can spot anomalies more quickly. This means you’ll have a better chance of detecting suspicious activities, like unexpected port scans, malicious IP addresses connecting, or malformed packets that could indicate an advanced attack.
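As an added illustration of the “spot anomalies” point (example code, not part of the original course text): a small Python detector that reads constructed flow records and flags a source that touches many distinct ports on one host within a short window, which is the shape of the port scan mentioned above. The four-column log format and the thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict, deque

# Constructed sample flow log (not a real capture): "seconds src dst dport" per line.
# 10.0.0.99 hits nine different ports on 10.0.0.5 in four seconds; 10.0.0.12 is normal web traffic.
SAMPLE_FLOWS = """\
0 10.0.0.12 10.0.0.5 443
2 10.0.0.99 10.0.0.5 21
2 10.0.0.99 10.0.0.5 22
2 10.0.0.99 10.0.0.5 23
3 10.0.0.99 10.0.0.5 25
3 10.0.0.99 10.0.0.5 53
3 10.0.0.99 10.0.0.5 80
4 10.0.0.99 10.0.0.5 110
4 10.0.0.99 10.0.0.5 3306
5 10.0.0.99 10.0.0.5 3389
9 10.0.0.12 10.0.0.5 80
"""


def parse_flows(text):
    """Parse the flow format above into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            t, src, dst, dport = line.split()
            flows.append((int(t), src, dst, int(dport)))
    return flows


def detect_port_scans(flows, window=10, min_ports=8):
    """Flag (src, dst) pairs where one source reached at least `min_ports` distinct
    destination ports on one host within any `window`-second span."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in sorted(flows):
        by_pair[(src, dst)].append((t, dport))
    alerts = {}
    for pair, probes in by_pair.items():
        recent = deque()         # probes currently inside the sliding window
        port_counts = Counter()  # how many of them hit each port
        for t, port in probes:
            recent.append((t, port))
            port_counts[port] += 1
            while t - recent[0][0] > window:  # expire probes that fell out of the window
                _, old_port = recent.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= min_ports:
                alerts.setdefault(pair, set()).update(port_counts)
    return {pair: sorted(ports) for pair, ports in alerts.items()}
```

Tune `window` and `min_ports` against your own baseline; a monitoring system that legitimately polls many ports on one host would otherwise trip the rule.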
1.1.2 Common Network-Based Attacks and Their Impact
- Distributed Denial of Service (DDoS): Attackers flood a target with excessive traffic, overwhelming servers or network devices. Recognizing unusual spikes in network load is easier when you understand normal network patterns.
- Man-in-the-Middle (MITM): In a MITM attack, the attacker secretly relays and potentially alters the communication between two parties. Understanding how ARP (Address Resolution Protocol) and DNS (Domain Name System) can be poisoned is key to defending against these attacks.
- Packet Sniffing: Hackers might capture data packets traversing the network. If data is sent in plaintext (e.g., over unencrypted protocols like HTTP, or FTP in its default configuration), sensitive information (usernames, passwords, session tokens) can be easily harvested.
- Replay and Injection Attacks: Once you have access to data packets, you can replay them or modify them to exploit vulnerabilities. For instance, in older or improperly secured protocols, session tokens can be replayed to gain unauthorized access.
Understanding these attacks lays a foundation for both offensive and defensive strategies, showing how vulnerabilities manifest and how to mitigate them.
1.2 Key Networking Concepts
1.2.1 What Is a Network? (LAN, WAN, Internet)
- Network: A network is simply a group of two or more devices (computers, servers, IoT devices, etc.) interconnected to exchange data.
- LAN (Local Area Network): A smaller network, typically confined to a single building, campus, or home. Pentesters often start with LAN attacks (e.g., ARP poisoning) because local networks are usually within the same broadcast domain.
- WAN (Wide Area Network): Spans a broader geographic area, connecting multiple LANs, sometimes across cities or countries. The largest WAN is the Internet itself—a global network interconnecting billions of devices.
In penetration testing, you often move between LAN reconnaissance (such as enumerating machines on an internal office network) and remote exploitation on systems over the wider internet.
1.2.2 OSI vs. TCP/IP Models (Brief Overview)
- OSI Model (Open Systems Interconnection): A conceptual model with 7 layers:
  - Physical (hardware, cables, electrical signals)
  - Data Link (MAC addresses, Ethernet)
  - Network (IP addresses, routing)
  - Transport (TCP/UDP)
  - Session (controls conversations between endpoints)
  - Presentation (data translation, encryption/decryption)
  - Application (user-facing services like HTTP, FTP)
  The OSI model is more of a teaching tool that helps break down how data flows through a network stack.
- TCP/IP Model: A more practical model widely used on the internet. It compresses the 7 OSI layers into 4:
  - Network Access (combines Physical + Data Link)
  - Internet (equivalent to OSI’s Network layer)
  - Transport (TCP, UDP)
  - Application (session, presentation, and application combined)
Why does this matter for pentesters? It helps you dissect how data travels and where vulnerabilities might lie. For example, if you’re analyzing whether a vulnerability is transport-level (TCP handshake manipulation) or application-level (HTTP/HTTPS injection), referencing these layers clarifies which tools and techniques to use.
2. TCP/IP Essentials
2.1 TCP/IP Stack Overview
- Layering Concept
  - Network Access Layer: Deals with hardware, device drivers, and physical transmission of data. Includes Ethernet, Wi-Fi, etc.
  - Internet Layer: Where IP addressing and routing happen. Hosts are identified by IP addresses, and routers direct packets across networks.
  - Transport Layer: Manages end-to-end communication. Protocols like TCP (connection-oriented) and UDP (connectionless) live here.
  - Application Layer: Encompasses all the high-level protocols like HTTP, FTP, DNS, SSH, etc.
- IP Addressing: IPv4 vs. IPv6 Basics
  - IPv4: Uses 32-bit addresses (e.g., 192.168.1.10). As we run out of IPv4 addresses globally, organizations adopt measures like NAT (Network Address Translation) and private IP spaces to accommodate more devices.
  - IPv6: Uses 128-bit addresses (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334), vastly expanding the number of available addresses. Contains built-in security features (like IPsec) and better handling of large-scale networks.
When performing a pentest, you might encounter IPv6 networks. Some organizations neglect to secure or monitor IPv6 traffic because they still focus on IPv4, which can provide an attacker with an often-overlooked entry point.
2.2 Ports and Protocols
2.2.1 Concept of Ports and Port Numbering
- Definition: A port is a logical channel or endpoint for network communications. When data arrives at a specific IP address, it’s directed to a port number that indicates which service or application should handle that data.
- Range:
  - 0–1023 (Well-Known Ports)
  - 1024–49151 (Registered Ports)
  - 49152–65535 (Dynamic/Private Ports)
In penetration testing, discovering open ports helps you figure out which services are running. Tools like Nmap can quickly scan for open ports to see if a target is running a vulnerable version of, say, SSH or FTP.
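To make the layering concept of 2.1 and the port concept above concrete, here is an added Python example (not from the original text) that builds an Ethernet/IPv4/TCP frame from constructed values and parses it back, showing where the destination port that selects the service actually sits in the bytes. The MAC addresses are made up and the checksums are left at zero, which a real stack would reject.

```python
import struct

# TCP flag bits in header order; a SYN-only segment (0x02) opens a handshake.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def port_class(port):
    """Classify a port into the three IANA ranges described above."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic/private"


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Wrap `payload` in TCP, IPv4 and Ethernet headers: Application data goes
    inside Transport, inside Internet, inside Network Access. Constructed frame:
    MAC addresses are made up and checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Peel the layers back off (Ethernet -> IPv4 -> TCP) and return the fields a
    scanner or IDS keys on: addresses, ports, flags and the application payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4 carrying TCP (protocol 6)")
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]        # IHL counts 32-bit words
    sport, dport, _seq, _ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "dport_class": port_class(dport),
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "payload": tcp[(offset >> 4) * 4:],          # data offset, also in words
    }
```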
2.2.2 Common Port Usage (e.g., 80 for HTTP, 443 for HTTPS)
- HTTP: Port 80
- HTTPS: Port 443
- FTP: Port 21 (control port), often 20 for data transfer
- SSH: Port 22
- Telnet: Port 23 (insecure, rarely used in modern systems but still found in legacy networks)
- SMTP: Port 25 (for email), though commonly replaced by 587 or 465 for encryption
- DNS: Port 53
- RDP: Port 3389
- MySQL: Port 3306
- PostgreSQL: Port 5432
As a pentester, you’ll often see these ports come up in vulnerability scans. One of your first tasks is to check if a service is out of date, misconfigured, or allowing insecure methods (e.g., old versions of SSL/TLS on port 443).
2.3 Core Protocols
2.3.1 HTTP/HTTPS – Web Traffic Fundamentals
- HTTP (Hypertext Transfer Protocol): The foundation of data communication on the web. Operates over TCP, port 80 by default. Transmits data in plaintext.
- HTTPS (HTTP Secure): HTTP + SSL/TLS encryption. Operates over TCP, port 443. Ensures data integrity and confidentiality.
Pentester Tips:
- Packet Inspection: Tools like Wireshark can show you HTTP requests/responses if the traffic is unencrypted.
- SSL Stripping: Attackers can attempt to downgrade HTTPS to HTTP, capturing sensitive data if the site’s SSL/TLS setup is weak.
2.3.2 FTP – File Transfer Protocol Basics
- FTP: Designed for transferring files between client and server over port 21 (control) and an additional port for data.
- Security Concern: By default, FTP transmits credentials in plaintext, making it susceptible to sniffing attacks.
- Pentester Approach:
  - Check if anonymous login is allowed.
  - Try brute-forcing credentials if permitted by scope.
  - Look for unpatched FTP daemons with known vulnerabilities.
2.3.3 DNS – How Name Resolution Works
- Domain Name System (DNS): Translates human-friendly domain names (e.g., google.com) to IP addresses (e.g., 8.8.8.8).
- Attacks:
  - DNS Spoofing/Poisoning: Redirect users to malicious sites.
  - DNS Tunneling: Attackers can exfiltrate data by encoding it into DNS queries/responses, bypassing some firewalls.
Pentesters should understand DNS intricately, as it’s integral to how clients discover services on a network. DNS misconfigurations and old software can offer interesting footholds.
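The tunneling pattern described above leaves a trace in DNS query logs. As an added Python example (not from the original text), this heuristic runs over a constructed query log and flags clients that send several distinct, long, high-entropy subdomain labels under one parent domain. The thresholds and the last-two-labels parent rule are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not a real capture): "client qtype qname" per line.
# 10.0.0.44 sends distinct 32-character random-looking labels under one parent
# domain, the shape a tunnel produces; 10.0.0.12 is ordinary browsing.
SAMPLE_QUERIES = """\
10.0.0.12 A www.example.com
10.0.0.12 AAAA www.example.com
10.0.0.12 A static-assets-eu-west-1.cdn.example
10.0.0.44 TXT kz7q2mvx9jpl4wbn8tcr3hyd6fsg0uea.tunnel.example
10.0.0.44 TXT 9jpl4wbn8tcr3hyd6fsg0ueakz7q2mvx.tunnel.example
10.0.0.44 TXT 8tcr3hyd6fsg0ueakz7q2mvx9jpl4wbn.tunnel.example
10.0.0.44 TXT 6fsg0ueakz7q2mvx9jpl4wbn8tcr3hyd.tunnel.example
10.0.0.12 A mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """Return (subdomain, parent) using the last two labels as the parent.
    Crude on purpose: production code should consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunneling(text, min_label=30, min_entropy=3.5, min_queries=3):
    """Flag (client, parent) pairs that issue at least `min_queries` distinct
    queries whose longest subdomain label is both long and high-entropy."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _qtype, qname = line.split()
        sub, parent = split_name(qname)
        longest = max(sub.split("."), key=len) if sub else ""
        if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
            hits[(client, parent)].add(sub)
    return sorted(key for key, subs in hits.items() if len(subs) >= min_queries)
```

Legitimate services (CDNs, anti-virus lookups, some mail filters) also generate long hash-like labels, so treat a hit as a lead to investigate, and whitelist known parents before alerting.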
Recommended Learning Path
Step 1: Fundamentals (Module 1)
- Grasp the Big Picture
  - Understand why networking is crucial in cybersecurity.
  - Learn to identify common network-based attacks (DDoS, MITM, sniffing, injection).
  - Practice explaining these attacks to someone else. If you can teach it, you probably understand it.
- Network Basics
  - Focus on LAN vs. WAN vs. Internet.
  - Grasp the OSI model thoroughly—knowing each layer’s function helps you classify which part of a network or application stack you are analyzing or attacking.
Step 2: TCP/IP (Module 2)
- Layered Model
  - Transition the OSI knowledge to the more practical TCP/IP model.
  - Distinguish the roles of the Network Access, Internet, Transport, and Application layers.
- IP Addressing and Subnetting
  - Learn how to read IPv4 addresses and subnet masks (e.g., 192.168.1.0/24).
  - Familiarize yourself with IPv6 notation and common transitions between IPv4 and IPv6 networks.
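Worked subnetting example, added here and not part of the original learning path: reading 192.168.1.0/24 with plain bit arithmetic (mask, network, broadcast, host range, membership) and compressing the IPv6 address written out in section 2.1. `compress_ipv6` assumes the fully written eight-group form as input.

```python
def ipv4_to_int(addr):
    """'192.168.1.10' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ipv4(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def describe_cidr(cidr):
    """Expand 'a.b.c.d/len' into mask, network, broadcast and usable host range."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # `prefix` ones, then zeros
    network = ipv4_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    size = 1 << (32 - prefix)
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021)
    first, last = (network + 1, broadcast - 1) if prefix <= 30 else (network, broadcast)
    return {"network": int_to_ipv4(network), "mask": int_to_ipv4(mask),
            "broadcast": int_to_ipv4(broadcast), "first_host": int_to_ipv4(first),
            "last_host": int_to_ipv4(last), "usable_hosts": size - 2 if prefix <= 30 else size}

def in_subnet(addr, cidr):
    """True when `addr` shares the network bits of `cidr`."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask == ipv4_to_int(net) & mask

def compress_ipv6(addr):
    """Shorten a fully written 8-group IPv6 address: drop leading zeros in each
    group and collapse the longest run of zero groups (two or more) into '::'."""
    groups = [g.lstrip("0") or "0" for g in addr.lower().split(":")]
    best, run_start = (0, -1), None          # (run length, start) of longest zero run
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best[0]:       # first run wins ties (RFC 5952)
                best = (i - run_start, run_start)
            run_start = None
    length, start = best
    if length < 2:
        return ":".join(groups)
    return ":".join(groups[:start]) + "::" + ":".join(groups[start + length:])
```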
- Ports and Protocols
  - Memorize the well-known ports for critical services. You don’t have to know them all, but be sure you know the main ones (80, 443, 22, 21, 53, 110, 25, 3306, etc.).
  - Understand how TCP establishes connections (the three-way handshake) vs. how UDP operates (connectionless).
- Core Protocols Deep Dive
  - HTTP/HTTPS: Understand request methods (GET, POST, PUT, DELETE) and how SSL/TLS works under the hood.
  - FTP: Practice connecting to an FTP server, uploading/downloading files. Notice how credentials are transmitted in plaintext unless encrypted alternatives are used (SFTP or FTPS).
  - DNS: Learn common DNS record types (A, AAAA, CNAME, MX, etc.) and how attackers can manipulate DNS.
- Hands-On Practice
  - Use Wireshark or tcpdump to analyze live traffic. Attempt to spot HTTP requests, DNS lookups, or other patterns.
  - Try scanning a local or test network with Nmap. Observe which ports are open and what services are discovered.
  - If possible, set up a small lab with multiple VMs to simulate attacks like ARP spoofing, DNS poisoning, or minimal scanning.
Beyond the Basics
- Security Tools
  - Nmap: Network scanning, OS detection, and service version enumeration.
  - Metasploit: Exploitation framework, though more advanced.
  - Wireshark: Packet capture, helping you see how data moves across the wire.
- Reading and Research
  - Follow reputable cybersecurity blogs and forums, and watch conference talks (e.g., DEF CON, Black Hat).
  - Stay updated on newly discovered vulnerabilities related to networking (e.g., vulnerabilities in TCP stacks, router firmware, etc.).
- Certifications: While not mandatory, pursuing certifications like CompTIA Network+ or Cisco’s CCNA can deepen your networking knowledge. Many pentesters start here before transitioning to specialized cybersecurity certifications like OSCP (Offensive Security Certified Professional).
- Practical Projects
  - Build your own custom networks in a virtual environment (VirtualBox, VMware, or cloud-based labs).
  - Practice configuring routers, firewalls, and intrusion detection systems.
  - Attempt capturing traffic and analyzing it for malicious patterns.
Putting It All Together
Networking is the foundation of almost every cyber-attack and defense strategy. As a pentester, your role is to leverage (or circumvent) network protocols and configurations to test security boundaries. By understanding how data travels from an application down to the physical layer—and back again—you can discover where the weak links might be.
- Identify Attack Points: Once you know how a network is structured (LAN segments, WAN connections, etc.), you can better pinpoint potential pivot points or infiltration paths.
- Defense Perspective: Knowledge of networking helps you not only break into systems but also fortify them. When you simulate attacks, you can also suggest specific mitigations like closing unnecessary ports, segmenting the network, or deploying intrusion detection systems.
- Adapt and Evolve: Networks are constantly evolving—IPv6 adoption, SDN (Software-Defined Networking), the ever-growing IoT sphere. Stay curious, keep learning, and adapt to new technologies. Each new development can open up novel exploitation vectors or demand new defensive strategies.
Final Words of Encouragement
Starting your penetration testing journey with a solid grasp of networking is like learning the grammar of a language before forming sentences. You could memorize scripts or tools, but without foundational knowledge, you’d be lost when something unusual appears. By learning these basics—understanding protocols, port functions, how data flows—you become prepared to take on advanced topics (like malware analysis, exploit development, or cloud penetration testing) with confidence.
Embrace labs and hands-on experimentation. Make mistakes in a safe environment, read extensively, and continually apply what you learn. There’s no single “finish line” in cybersecurity; it’s an ongoing process of discovery and adaptation. With each network you analyze, each service you exploit, and each misconfiguration you spot, you’ll sharpen your skill set and mature as a pentester.
Good luck on your journey, and remember: keep exploring, keep breaking things (legally, of course!), and keep learning!
Test Your Knowledge
You are scanning a network and find that port 23 is open. What service is likely running?
What is a potential risk of improperly secured IPv6 networks?
What kind of attack is DNS Tunneling?
During a pentest, you discover a device responding on port 3306. What kind of service might it be?
Which of the following best illustrates a “replay attack”?