- Every network attack exploits a protocol — understanding protocols beats memorising tools
- The OSI model is a mental map, not a rulebook; use it to reason about where in the stack something breaks
- IP routes packets between networks; ARP resolves IPs to MAC addresses on the same network
- DNS is one of the richest attack surfaces in any environment — and one of the most overlooked
- TCP's three-way handshake is the basis for port scanning, session hijacking, and firewall evasion
The OSI Model — Your Mental Map
The OSI model describes network communication in 7 layers. You don't need to worship it — but you do need it to reason about where attacks happen.
When something doesn't work — or when you're planning an attack — ask "which layer is this happening at?" That question focuses your diagnosis immediately.
IP Addresses — The Routing System
Every device on a network has an IP address. IPv4 uses 32 bits (192.168.1.1). IPv6 uses 128 bits (fe80::1).
Public vs Private
| Range | Class | Common Use |
|---|---|---|
| 10.0.0.0/8 | Class A private | Large corporate networks |
| 172.16.0.0/12 | Class B private | Medium networks |
| 192.168.0.0/16 | Class C private | Home/small office |
| 127.0.0.0/8 | Loopback | Local machine only |
Private IPs don't route over the internet. NAT (Network Address Translation) translates them to a public IP at the router.
Subnets and CIDR
192.168.1.0/24 means: 192.168.1.x where x is 0–255. The /24 is the subnet mask — it defines how many bits belong to the network vs the host.
```bash
# See your IP and subnet
ip addr show
ip route show
# Calculate subnet ranges
ipcalc 192.168.1.0/24
```
Knowing the subnet tells you exactly how many hosts exist on the network. /24 = 254 hosts. /16 = 65,534 hosts. That shapes your scanning strategy.
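The subnet-mask arithmetic behind these numbers, as an added example that is not part of the original page: it splits a CIDR block into network and host bits with plain integer operations (standard library only, no ipcalc), including the /31 and /32 edge cases.

```python
# Added example (not from the original page): the /24 arithmetic done by hand with the standard
# library only, so the mask, network, broadcast and usable-host count are visible as bit operations.
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def subnet_info(cidr: str) -> dict:
    """Split a CIDR block into its network bits and host bits and report the resulting ranges."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0-32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top 'prefix' bits set, host bits clear
    network = ip_to_int(ip) & mask                      # keep network bits, zero the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # network bits plus all host bits set
    total = 1 << (32 - prefix)
    # /31 and /32 have no separate network/broadcast address, so every address is usable
    usable = total - 2 if prefix <= 30 else total
    first = network + 1 if prefix <= 30 else network
    last = broadcast - 1 if prefix <= 30 else broadcast
    return {"network": int_to_ip(network), "mask": int_to_ip(mask), "broadcast": int_to_ip(broadcast),
            "first_host": int_to_ip(first), "last_host": int_to_ip(last),
            "total_addresses": total, "usable_hosts": usable}

def in_subnet(ip: str, cidr: str) -> bool:
    """True when ip shares the network bits of the CIDR block."""
    return subnet_info(cidr)["network"] == subnet_info(f"{ip}/{cidr.split('/')[1]}")["network"]

if __name__ == "__main__":
    for block in ("192.168.1.0/24", "10.0.0.0/8", "172.16.5.77/26", "192.168.1.8/30"):
        print(block, subnet_info(block))
    print(in_subnet("192.168.1.200", "192.168.1.0/24"))
```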
TCP — The Reliable Transport
TCP (Transmission Control Protocol) guarantees delivery and ordering. It's used by HTTP, HTTPS, SSH, FTP, SMB — most of what you'll attack.
The Three-Way Handshake
A TCP connection opens with three packets: the client sends SYN, the server answers SYN-ACK, and the client confirms with ACK. Nmap exploits this. A SYN scan (-sS) sends SYN and reads the response without completing the handshake:
- SYN-ACK → port open
- RST → port closed
- No response → port filtered (firewall)
TCP Flags
| Flag | Name | Meaning |
|---|---|---|
| SYN | Synchronise | Initiate connection |
| ACK | Acknowledge | Confirm receipt |
| RST | Reset | Hard close connection |
| FIN | Finish | Graceful close |
| PSH | Push | Send data immediately |
| URG | Urgent | Priority data |
UDP — The Fire-and-Forget Transport
UDP (User Datagram Protocol) sends packets without waiting for acknowledgement. Faster, but unreliable.
Used by: DNS (port 53), DHCP (67/68), SNMP (161), NTP (123), VoIP, game servers.
UDP services are often forgotten during hardening. SNMP with default community strings (public, private) is a classic find during recon.
Ports — The Application Addressing System
Ports are 16-bit numbers (0–65535) that direct traffic to the right service on a host.
| Range | Name | Who uses it |
|---|---|---|
| 0–1023 | Well-known ports | System services (HTTP=80, SSH=22, HTTPS=443) |
| 1024–49151 | Registered ports | Application servers |
| 49152–65535 | Dynamic/ephemeral | OS-assigned for outgoing connections |
Most Important Ports to Know
| Port | Protocol | Service | Attack relevance |
|---|---|---|---|
| 21 | TCP | FTP | Anonymous login, cleartext creds |
| 22 | TCP | SSH | Brute force, key exploitation |
| 23 | TCP | Telnet | Cleartext — sniff credentials |
| 25 | TCP | SMTP | Email relay, enumeration |
| 53 | TCP/UDP | DNS | Zone transfers, tunnelling |
| 80 | TCP | HTTP | Web application attacks |
| 110 | TCP | POP3 | Email credential harvesting |
| 139/445 | TCP | SMB | EternalBlue, Pass-the-Hash |
| 443 | TCP | HTTPS | Web + cert analysis |
| 1433 | TCP | MSSQL | DB attacks, xp_cmdshell |
| 3306 | TCP | MySQL | DB attacks |
| 3389 | TCP | RDP | Brute force, BlueKeep |
| 5985 | TCP | WinRM | PowerShell remoting |
| 8080/8443 | TCP | HTTP alt | Dev servers, admin panels |
ARP — Glue Between IP and MAC
ARP (Address Resolution Protocol) answers: "Who has IP 192.168.1.1? Tell me your MAC address."
Every device on the same network segment uses ARP before sending traffic. The responses are cached in an ARP table.
```bash
# View your ARP table
arp -a
ip neigh show
```
ARP Spoofing — Why This Matters
ARP has no authentication. Anyone can send a gratuitous ARP reply claiming any IP. This is the basis for:
- ARP Spoofing / Poisoning — tell host A you're the gateway; tell the gateway you're host A → MITM
- Tools: `arpspoof`, `ettercap`, `bettercap`
```bash
# Tell 192.168.1.5 that you are the gateway (192.168.1.1)
arpspoof -i eth0 -t 192.168.1.5 192.168.1.1
```
ARP spoofing is noisy and detectable. Modern managed switches with Dynamic ARP Inspection (DAI) block it. Wireless networks with client isolation block it too.
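To see what "noisy and detectable" means in practice, an added example (not from the original page) decodes raw ARP replies and raises an alert when a second MAC claims an IP that was already bound, which is the check DAI and arpwatch-style tools make. The MAC addresses and the 192.168.1.x hosts are constructed sample values.

```python
# Added example (not from the original page): decode raw ARP replies and flag the IP-to-MAC
# conflicts that spoofing produces, the same check DAI or an arpwatch-style monitor performs.
import struct

def parse_arp(raw: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet (hardware type 1, protocol 0x0800)."""
    if len(raw) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = raw[8:14], raw[14:18], raw[18:24], raw[24:28]
    return {"op": {1: "request", 2: "reply"}.get(opcode, opcode),
            "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}

class ArpMonitor:
    """Remember the first MAC seen for each sender IP; alert whenever a reply contradicts it."""
    def __init__(self):
        self.bindings = {}
        self.alerts = []
    def observe(self, pkt: dict) -> None:
        if pkt["op"] != "reply":
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.bindings.setdefault(ip, mac)     # baseline is the first-seen binding
        if known != mac:
            self.alerts.append(f"{ip} is {known} but {mac} now claims it")

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test input: an ARP reply (opcode 2) with the given sender/target pairs."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

# Constructed sample stream: the real gateway answers, then another MAC claims the gateway's IP
SAMPLE_REPLIES = [
    build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:05", "192.168.1.5"),
    build_arp_reply("00:11:22:33:44:05", "192.168.1.5", "00:11:22:33:44:01", "192.168.1.1"),
    build_arp_reply("de:ad:be:ef:00:99", "192.168.1.1", "00:11:22:33:44:05", "192.168.1.5"),
]

def run_monitor(packets) -> list:
    """Feed raw packets through the monitor and return the alerts it raised."""
    mon = ArpMonitor()
    for raw in packets:
        mon.observe(parse_arp(raw))
    return mon.alerts
```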
DNS — The Internet's Phone Book
DNS resolves domain names to IP addresses. It runs on port 53, usually UDP (TCP for large responses or zone transfers).
DNS Record Types
| Record | Purpose | Hacking value |
|---|---|---|
| A | Domain → IPv4 | Maps hostnames to IPs |
| AAAA | Domain → IPv6 | IPv6 infrastructure discovery |
| CNAME | Alias → another domain | Subdomain takeover opportunities |
| MX | Mail server | Email infrastructure mapping |
| TXT | Arbitrary text | SPF, DKIM, internal info leaks |
| NS | Name server | Zone transfer targets |
| PTR | IP → domain (reverse) | Reverse DNS enumeration |
| SRV | Service locator | Active Directory service discovery |
DNS Enumeration
```bash
# Query specific record types
dig A target.com
dig MX target.com
dig TXT target.com
dig NS target.com
# Attempt zone transfer (dumps all records if misconfigured)
dig axfr @ns1.target.com target.com
# Reverse DNS lookup
dig -x 93.184.216.34
# Brute-force subdomains
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```
A zone transfer (AXFR) is supposed to be restricted to trusted secondary DNS servers. Misconfigured public DNS servers return the full zone — every hostname, IP, and record in the domain. Always try it.
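An added example (not from the original page) that builds the wire-format query dig sends on port 53, parses a constructed reply for target.com (reusing the 93.184.216.34 address from the reverse-lookup command above), and applies the UDP-versus-TCP rule: TCP for AXFR, or when the TC bit marks a truncated UDP answer.

```python
# Added example (not from the original page): DNS wire format by hand, plus when a query must use TCP.
import struct
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33, "AXFR": 252}

def encode_name(name: str) -> bytes:
    """'target.com' -> b'\\x06target\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard query as dig sends it: 12-byte header with RD set, one question, nothing else."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def decode_name(msg: bytes, off: int):
    """Read a name at off, following compression pointers (0xC0xx); return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            end = end if jumped else off + 2        # the 2-byte pointer ends the name in the stream
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> dict:
    """Skip the echoed question section and decode the answers (A records as dotted quads)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off); off += 4    # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        value = ".".join(map(str, rdata)) if rtype == QTYPES["A"] else rdata
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "truncated": bool(flags & 0x0200), "answers": answers}

def needs_tcp(qtype: str, response=None) -> bool:
    """AXFR always runs over TCP; an ordinary query retries over TCP only when the UDP reply is truncated."""
    return qtype == "AXFR" or bool(response and response["truncated"])
# Constructed reply to build_query("target.com", "A"): one A record whose name is a pointer to offset 12
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("target.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([93, 184, 216, 34]))
```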
Routing — How Packets Find Their Way
Routers forward packets between networks using routing tables. Each entry says: "for packets going to network X, send them out interface Y."
```bash
# View routing table
ip route show
route -n                          # older syntax
# Trace the path packets take
traceroute google.com
traceroute -T -p 443 google.com   # TCP traceroute (bypasses ICMP blocks)
```
Default Gateway
Your default gateway (0.0.0.0/0) is where packets go when no more specific route matches. In a pentest, compromising the gateway means all traffic flows through you.
ICMP — Network Diagnostics (and Recon)
ICMP (Internet Control Message Protocol) handles network error messages and diagnostics.
| ICMP Type | Name | Use |
|---|---|---|
| 0 | Echo Reply | Ping response |
| 3 | Destination Unreachable | Port/host not reachable |
| 8 | Echo Request | Ping |
| 11 | Time Exceeded | TTL expired (traceroute uses this) |
```bash
ping -c 4 target.com
ping -c 1 -W 1 192.168.1.1   # Quick alive check
```
Many firewalls block ICMP. A host that doesn't respond to ping might still be alive and running services. Always follow up failed pings with a port scan.
Practical: Reading a Packet Capture
Understanding packet structure lets you read Wireshark captures and tcpdump output fluently.
```bash
# Capture all traffic on interface eth0
tcpdump -i eth0
# Capture only HTTP traffic
tcpdump -i eth0 port 80
# Save to file for Wireshark analysis
tcpdump -i eth0 -w capture.pcap
# Read a capture file
tcpdump -r capture.pcap
```
A packet = Headers + Payload. Each layer wraps the layer above:
- Ethernet frame wraps → IP packet wraps → TCP segment wraps → HTTP data
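The layering just described and the TCP flag table from the TCP section, as an added example that is not part of the original page: it peels a raw Ethernet frame down through the IPv4 and TCP headers to the payload, names the flags, and reads a reply the way a SYN scan does (SYN-ACK open, RST closed, silence filtered). The MACs, the 10.0.0.x addresses and the frames themselves are constructed test data built inside the block.

```python
# Added example (not from the original page): peel Ethernet -> IPv4 -> TCP -> payload from raw
# frame bytes, name the TCP flags, and read a SYN-probe reply the way a SYN scan does.
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_frame(raw: bytes) -> dict:
    """Decode an Ethernet II frame carrying IPv4/TCP; each layer's header is sliced off in turn."""
    if len(raw) < 54:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]                                   # Ethernet header is a fixed 14 bytes
    if ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("not IPv4 carrying TCP")
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length, >20 if options present
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length, options included
    flags = [n for n, bit in TCP_FLAGS.items() if off_flags & bit]
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": tcp[data_off:]}

def classify_syn_probe_reply(flags) -> str:
    """SYN-scan reading of a reply: SYN-ACK = open, RST = closed, no reply (None) = filtered."""
    if flags is None:
        return "filtered"
    if {"SYN", "ACK"} <= set(flags):
        return "open"
    return "closed" if "RST" in flags else "unexpected"

def build_frame(src_ip, dst_ip, sport, dport, flag_bits, payload=b"") -> bytes:
    """Constructed test input: minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 1, (5 << 12) | flag_bits, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload

# Constructed samples: a web server's SYN-ACK answering a probe, and an HTTP request segment
SAMPLE_SYNACK = build_frame("10.0.0.5", "10.0.0.9", 80, 40001, 0x12)
SAMPLE_HTTP = build_frame("10.0.0.9", "10.0.0.5", 40001, 80, 0x18, b"GET / HTTP/1.1\r\n")
```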
Operational Notes
- Subnetting in your head: `/24` = 256 IPs, `/25` = 128, `/26` = 64, `/27` = 32, `/28` = 16. Halve it for each extra bit.
- Wireshark filter syntax differs from tcpdump syntax — `tcp.port == 80` vs `port 80`. Both are worth learning.
- IPv6 is not optional — modern environments dual-stack. Many tools default to IPv4. Add `-6` flags and check `::1` and `fe80::` ranges.
- DNS over HTTPS (DoH) breaks traditional DNS sniffing — traffic goes to port 443, not 53.
What to Read Next
- Linux Fundamentals for Hackers — everything here runs from a Linux terminal
- Reconnaissance — apply this knowledge to systematically map a target's network
- Network Traffic Analysis — go deeper into reading and interpreting captures