INDEX
Networking enables communication between systems through various topologies (e.g., mesh, star), transmission mediums (e.g., Ethernet, fiber, wireless), and protocols (e.g., TCP, UDP). Security professionals must understand networking fundamentals, as misconfigurations or silent errors may lead to missed threats or visibility gaps.
Flat networks are easy to implement and operate, but they lack segmentation. Introducing multiple segmented networks adds defense-in-depth and restricts lateral movement. While pivoting within a network is feasible, doing so quickly and covertly is difficult, increasing attacker exposure.
Many networks default to a /24 subnet (255.255.255.0), allowing all hosts with the same
first
three IP octets to communicate (e.g., 192.168.1.0/24). Splitting this into a /25
(255.255.255.128) creates two segments, isolating communication between them.
A misconfigured pentester using /24 may assume they have full visibility but fail to reach
critical systems on a separate /25 subnet. For example:
Server Gateway: 10.20.0.1/25
Domain Controller: 10.20.0.10/25
Client Gateway: 10.20.0.129/25
Client Workstation: 10.20.0.200/25
Pentester IP: 10.20.0.252/24 (Gateway: 10.20.0.1)In this case, the pentester accessed client machines but failed to reach systems in a different subnet, missing high-value targets such as domain controllers.
The internet consists of interconnected networks such as "Home Networks" and "Company Networks." A router connects local devices and forwards traffic to the Internet Service Provider (ISP), which provides external connectivity.
Networking can be visualized like a postal system. The source sends a packet (like a letter) to a known address. The destination is resolved through a DNS server, which maps a Fully Qualified Domain Name (FQDN) to an IP address. For example:
www.hackthebox.eu — identifies the destination systemhttps://www.hackthebox.eu/example?floor=2&office=dev&employee=17 — specifies
exact
location within the system
The local router (post office) forwards the packet to the ISP (main post office). The ISP uses DNS (like an address registry) to resolve the FQDN into an IP address. Once resolved, the packet is routed to the webserver. The destination server responds by sending the requested data back to the original IP address through its router, completing the communication cycle.
Network types categorize how networks are structured, deployed, and used. These classifications help define physical scope, communication methods, and connectivity models. While some terms are widely used in practice, others are academic and more relevant in formal documentation or certification exams.
| Network Type | Definition |
|---|---|
| Wide Area Network (WAN) | Internet or interconnected large-scale LANs |
| Local Area Network (LAN) | Internal networks such as homes or offices |
| Wireless Local Area Network (WLAN) | LAN accessible via wireless technology |
| Virtual Private Network (VPN) | Securely connects remote users or sites to a LAN |
A Wide Area Network (WAN) typically refers to the Internet, but may also describe private global networks such as those maintained by governments or enterprises. WANs use public IP addressing and protocols like BGP. Internal WANs (Intranets or Air-Gapped Networks) may be isolated from the public Internet for security reasons.
LANs and WLANs commonly use RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). WLANs differ from LANs by offering wireless connectivity. These networks form the core of internal communications and are typically segmented by switches, routers, and VLANs.
VPNs simulate direct network access across untrusted networks. They provide confidentiality, integrity, and tunneling of traffic between endpoints. There are three main types:
Used to connect entire networks across locations via routers or firewalls. Enables seamless inter-branch communication by routing traffic through encrypted tunnels over the Internet.
Creates a virtual interface on the client device. For example, Hack The Box uses OpenVPN to provide access to labs via a TUN interface. Split-tunnel VPNs route only specific traffic (e.g., 10.10.10.0/24) through the VPN, while general Internet access remains local. Though beneficial for privacy, this limits network-based detection.
Uses web browsers to stream applications or desktop sessions securely. Increasingly used in corporate environments and exemplified by Hack The Box’s Pwnbox solution.
| Network Type | Definition |
|---|---|
| Global Area Network (GAN) | Worldwide network, including the Internet |
| Metropolitan Area Network (MAN) | Regional network interconnecting multiple LANs |
| Wireless Personal Area Network (WPAN) | Short-range wireless network, typically using Bluetooth |
Global Area Networks span international boundaries using undersea fiber, satellite links, or leased infrastructure. In addition to the Internet, some corporations maintain proprietary GANs for secure, isolated global communication.
Metropolitan Area Networks connect geographically distributed LANs within a city or region using high-speed links like fiber optics. Infrastructure is often leased from telecom providers. MANs may integrate into broader WAN or GAN structures.
Personal Area Networks (PAN) connect devices in close proximity using wired or wireless links. WPANs utilize technologies like Bluetooth or Wireless USB. A WPAN created via Bluetooth is called a Piconet. These networks typically serve IoT or smart-home devices using protocols such as ZigBee, Z-Wave, or Insteon.
A network topology defines the physical or logical arrangement of networked devices and how they communicate. Hosts such as clients and servers, as well as network components like switches, bridges, and routers, interact based on this structure to ensure connectivity and communication efficiency.
The physical topology refers to the actual layout of cables, devices, and physical connections. In contrast, the logical topology defines how data flows through the network, independent of the physical layout.
Network connections can be either wired or wireless, each using different transmission media:
| Wired Connections | Wireless Connections |
|---|---|
| Coaxial cabling | Wi-Fi |
| Glass fiber cabling | Cellular |
| Twisted-pair cabling | Satellite |
| Others | Others |
Network nodes are devices or points that send, receive, or forward signals across the transmission medium. These nodes may include computing devices or simpler microcontroller-based systems.
| Active Components | Routing and Control Components |
|---|---|
| Repeaters | Routers / Modems |
| Hubs | Gateways |
| Bridges | Firewalls |
| Switches |
Topologies are classified as either physical or logical. The physical layout refers to the real-world arrangement of devices and cables, while logical topology refers to the flow of data between nodes. For instance, computers arranged in a circle physically may still use a logical bus or star topology.
There are eight basic network topologies. These topologies can also be combined into hybrid designs to accommodate specific performance, redundancy, and scalability requirements.
Complex enterprise networks often use hybrid topologies to ensure fault tolerance, load balancing, and efficient communication across systems.
A proxy is a service or device that mediates communication between two endpoints. Unlike a gateway, a proxy can inspect and possibly modify the data passing through it, making it a Layer 7 component in the OSI model. Proxies are used across various fields for different purposes, from traffic inspection to access control and security.
While the average person might associate proxies with obfuscating geographic location (often confusing them with VPNs), security professionals and developers use them for monitoring, filtering, or pivoting traffic. Misconceptions aside, the defining feature of a proxy is its role as an intermediary with visibility into the communication.
A forward proxy sits between a client and the destination server. It processes outgoing requests on behalf of the client and forwards them to the intended resource. Common use cases include corporate web filters and tools like Burp Suite.
In corporate networks, forward proxies often serve as barriers between internal hosts and the Internet. They enforce access policies, monitor traffic, and block malicious content. Malware must be proxy-aware to bypass these controls, which is rare in environments with browser-specific configurations (e.g., Firefox using libcurl rather than the system proxy).
For example, Burp Suite functions as a forward proxy, intercepting and modifying HTTP traffic. Its flexibility allows configuration as a reverse or transparent proxy as well.
A reverse proxy handles incoming traffic, forwarding it to internal services. Unlike forward proxies, they protect servers rather than clients. Reverse proxies are commonly deployed in front of web applications to offload traffic, enforce access controls, and act as Web Application Firewalls (WAFs).
Examples include Cloudflare and ModSecurity. These solutions filter inbound traffic, block malicious requests, and provide DDoS mitigation. Reverse proxies can also be used in penetration testing to tunnel attacker traffic through infected endpoints to evade detection.
Reverse proxies may also facilitate encrypted traffic inspection, but this requires TLS termination, which may raise privacy or compliance concerns.
Proxies can operate in transparent or non-transparent modes. A transparent proxy intercepts traffic without requiring client configuration. Clients are unaware of its presence, and traffic is automatically rerouted through it.
Non-transparent proxies require explicit configuration. Applications must be aware of the proxy and route traffic through it directly. If no proxy configuration is provided and no fallback exists, the client cannot communicate externally.
Two major models are used to describe data communication across networks: the OSI (Open Systems Interconnection) model and the TCP/IP model. Both provide a layered framework for understanding how data is processed and transmitted from one host to another.
The OSI model is a standardized reference model developed by the International Organization for Standardization (ISO). It consists of seven layers, each with specific responsibilities in the data communication process:
Each layer interacts with the layer directly above and below it, allowing modular design and detailed traffic analysis. OSI is often referred to as a reference model due to its widespread use in education and troubleshooting.
The TCP/IP model is a practical implementation framework for Internet communications. It defines four layers:
The model covers a family of protocols including TCP, IP, UDP, and ICMP. It focuses on interoperability, making it less rigid than OSI and more reflective of real-world protocol behavior.
While the OSI model provides a theoretical framework for packet analysis, the TCP/IP model describes the actual operation of the Internet. OSI offers clearer abstraction between layers, while TCP/IP favors simplicity and functional integration.
| Layer Type | OSI Model | TCP/IP Model | Data Unit |
|---|---|---|---|
| Host Layers | 7. Application FTP, HTTP |
4. Application | Data |
| 6. Presentation JPG, PNG, SSL, TLS |
|||
| 5. Session NetBIOS |
|||
| 4. Transport TCP, UDP |
3. Transport | Segment / Datagram | |
| Media Layers | 3. Network Router, L3 Switch |
2. Internet | Packet |
| 2. Data-Link Switch, Bridge |
1. Link | Frame | |
| 1. Physical Network Card |
Bit |
In both models, data is passed down the stack from application to physical layer. Each layer adds a header to the data, forming a new Protocol Data Unit (PDU) in a process known as encapsulation. The data is transmitted to the receiver, which then decapsulates each layer in reverse.
| Sender | Protocol Layer | Receiver |
|---|---|---|
| Data | Application | Data |
| H + Data | Presentation | Data + H |
| H + Data | Session | Data + H |
| TCP + Data | Transport | Data + TCP |
| IP + TCP + Data | Internet / Network | TCP + Data + IP |
| MAC + IP + TCP + Data | Data-Link | TCP + Data + IP + MAC |
| Binary Transmission - 10011001... | Physical | Binary Transmission - 10011001... |
The OSI (Open Systems Interconnection) model is a reference architecture developed to standardize the communication of heterogeneous systems across various networks, devices, and technologies. It is composed of seven hierarchical layers, each representing a phase in the connection process. These layers describe how data is generated, transmitted, routed, and received between two endpoints.
The model ensures compatibility and interoperability between systems by clearly defining the responsibilities and interfaces of each layer. It enables visualization and structured analysis of data flow in a network connection.
| Layer | Function |
|---|---|
| 7. Application | Manages data input/output and provides application-level services. |
| 6. Presentation | Transforms data into an application-independent format for standardized representation. |
| 5. Session | Establishes, maintains, and manages logical communication sessions between systems. |
| 4. Transport | Provides end-to-end transmission control, flow control, segmentation, and reliability. |
| 3. Network | Handles routing, addressing, and delivery of packets between networks. |
| 2. Data Link | Ensures reliable frame delivery over the physical medium; handles MAC addressing and error detection. |
| 1. Physical | Transmits raw bitstreams over physical media using electrical, optical, or radio signals. |
Layers 1 through 4 are transport-oriented, while layers 5 through 7 are application-oriented. Each layer provides services to the layer above and relies on the services of the layer below, forming a modular structure.
In a communication process, both the sender and the receiver traverse all seven layers. The sending system encapsulates data from layer 7 down to layer 1, while the receiving system decapsulates the data from layer 1 up to layer 7. Each layer performs distinct functions to ensure the security, reliability, and performance of the communication.
The TCP/IP model, also known as the Internet Protocol Suite, is a layered reference model used to standardize communication across interconnected networks. It consists of four abstraction layers and provides the foundation for the modern Internet. TCP/IP stands for Transmission Control Protocol and Internet Protocol, which reside in the transport and network layers, respectively, in the OSI model.
Unlike the OSI model, the TCP/IP model consolidates several layers and focuses on the practical implementation of protocol communication, rather than strict separation of functionality.
| Layer | Function |
|---|---|
| 4. Application | Provides interface for applications to access network services and defines the protocols used to exchange data (e.g., HTTP, DNS, FTP). |
| 3. Transport | Ensures reliable communication and data segmentation using protocols like TCP and UDP. |
| 2. Internet | Handles logical addressing, packet routing, and fragmentation via IP. |
| 1. Link | Responsible for accessing the physical network medium and encapsulating IP datagrams into frames for transmission. |
TCP/IP enables application-level communication across heterogeneous networks, regardless of physical location or media. IP guarantees packet delivery to the correct destination, while TCP maintains end-to-end connection integrity and flow control. Compared to the OSI model, TCP/IP merges layers like Presentation and Session into the Application layer.
The Network Layer (Layer 3) is responsible for delivering data packets between devices located on different networks. It enables communication across multiple subnets by handling packet forwarding through intermediate routers. This layer ensures that data reaches its destination—even when the sender and receiver are not directly connected. The core functions of Layer 3 include:
| Protocol | Purpose |
|---|---|
| IPv4 / IPv6 | Core protocols for logical addressing and packet forwarding. |
| IPsec | Provides secure communication through authentication and encryption at Layer 3. |
| ICMP | Used for diagnostics (e.g., ping, traceroute) and network error reporting. |
| IGMP | Manages multicast group memberships for IPv4 networks. |
| RIP | Distance-vector routing protocol used for routing within small to medium-sized networks. |
| OSPF | Link-state routing protocol designed for large and complex network topologies. |
Packets traversing Layer 3 are forwarded hop-by-hop from one router to another. These routers evaluate the packet's destination address and consult their routing tables to determine the next hop. Data does not get processed by higher layers in intermediate nodes — only the destination host processes the upper-layer content.
Every host on a network is uniquely identified by an IP address, typically in IPv4 or IPv6 format. The IPv4 address is a 32-bit number divided into four octets and typically represented in dotted decimal format (e.g., 192.168.1.1). IP addresses allow devices to locate each other on a network and communicate accordingly.
Notation | Representation
Binary | 01111111.00000000.00000000.00000001
Decimal | 127.0.0.1IPv4 allows for ~4.29 billion unique addresses, which are structured with a network part and a host part. IP addresses are typically assigned and managed by the network administrator or IANA. In the past, further classification took place here. The IP network blocks were divided into classes A - E. The different classes differed in the host and network shares' respective lengths.
| Class | Network Address | First | Last | Subnet Mask | CIDR | IPs |
|---|---|---|---|---|---|---|
| A | 1.0.0.0 | 1.0.0.1 | 126.255.255.255 | 255.0.0.0 | /8 | 16,777,214 + 2 |
| B | 128.0.0.0 | 128.0.0.1 | 191.255.255.255 | 255.255.0.0 | /16 | 65,534 + 2 |
| C | 192.0.0.0 | 192.0.0.1 | 223.255.255.255 | 255.255.255.0 | /24 | 254 + 2 |
| D | 224.0.0.0 | 224.0.0.1 | 239.255.255.255 | Multicast | Multicast | Multicast |
| E | 240.0.0.0 | 240.0.0.1 | 255.255.255.255 | Reserved | Reserved | Reserved |
Subnetting divides a larger network into smaller subnets to optimize routing and management. A subnet mask determines which bits in an IP address define the network and which define the host.
Subnet Mask: 255.255.255.0
Binary: 11111111.11111111.11111111.00000000
CIDR: /24A broadcast address allows communication to all devices in a subnet. It is the last address in any given subnet. For example, in 192.168.10.0/24, the broadcast address is 192.168.10.255.
The default gateway is the router that connects the local subnet to other networks. Often, it's the first (e.g., 192.168.10.1) or last usable IP address in the subnet.
Classless Inter-Domain Routing (CIDR) simplifies routing and allows flexible subnetting. CIDR notation uses a suffix (e.g., /24) to represent how many bits belong to the network portion.
192.168.10.39/24 → Subnet mask: 255.255.255.0
Binary: 11111111.11111111.11111111.00000000Subnetting is the division of an IPv4 address range into smaller, logical address ranges. Each subnet represents a segment of a network where all IP addresses share the same network prefix.
Using a subnet mask, we can identify the fixed part of the IP address (network) and the variable part (host). This segmentation supports efficient IP address allocation and facilitates network management.
Example configuration:
The subnet mask defines the boundary between the network and host portions. The bits set to 1 in the mask identify the network; those set to 0 represent the host range.
| Details of | 1st Octet | 2nd Octet | 3rd Octet | 4th Octet | Decimal |
|---|---|---|---|---|---|
| IPv4 | 1100 0000 | 1010 1000 | 0000 1100 | 1010 0000 | 192.168.12.160/26 |
| Subnet mask | 1111 1111 | 1111 1111 | 1111 1111 | 1100 0000 | 255.255.255.192 |
Changing all host bits to 0 yields the network address. Setting them to 1 gives the broadcast address. Usable hosts fall between these two.
| Details of | 1st Octet | 2nd Octet | 3rd Octet | 4th Octet | Decimal |
|---|---|---|---|---|---|
| Network Address | 1100 0000 | 1010 1000 | 0000 1100 | 10|00 0000 | 192.168.12.128/26 |
| Broadcast Address | 1100 0000 | 1010 1000 | 0000 1100 | 10|11 1111 | 192.168.12.191/26 |
| Hosts | IPv4 |
|---|---|
| Network Address | 192.168.12.128 |
| First Host | 192.168.12.129 |
| Last Host | 192.168.12.190 |
| Broadcast Address | 192.168.12.191 |
To divide a subnet into smaller segments, subnet masks are extended by adding bits. For example, splitting a /26 into four subnets requires two additional bits, resulting in a /28 subnet mask.
Calculation:
Each /28 subnet accommodates 16 addresses (14 usable).
| Subnet No. | Network Address | First Host | Last Host | Broadcast Address | CIDR |
|---|---|---|---|---|---|
| 1 | 192.168.12.128 | 192.168.12.129 | 192.168.12.142 | 192.168.12.143 | /28 |
| 2 | 192.168.12.144 | 192.168.12.145 | 192.168.12.158 | 192.168.12.159 | /28 |
| 3 | 192.168.12.160 | 192.168.12.161 | 192.168.12.174 | 192.168.12.175 | /28 |
| 4 | 192.168.12.176 | 192.168.12.177 | 192.168.12.190 | 192.168.12.191 | /28 |
Each host in a network has its own 48-bit (6 octets) Media Access Control (MAC) address, represented in hexadecimal format. MAC is the physical address for our network interfaces. There are several different standards for the MAC address:
This is because the MAC address addresses the physical connection (network card, Bluetooth, or WLAN adapter) of a host. Each network card has its individual MAC address, which is configured once on the manufacturer's hardware side but can always be changed, at least temporarily.
Example MAC representations:
DE:AD:BE:EF:13:37
DE-AD-BE-EF-13-37
DEAD.BEEF.1337| Representation | 1st Octet | 2nd | 3rd | 4th | 5th | 6th |
|---|---|---|---|---|---|---|
| Binary | 1101 1110 | 1010 1101 | 1011 1110 | 1110 1111 | 0001 0011 | 0011 0111 |
| Hex | DE | AD | BE | EF | 13 | 37 |
The first 3 bytes (24 bits) form the Organizationally Unique Identifier (OUI), assigned by IEEE. The remaining 3 bytes form the Network Interface Controller (NIC) portion, ensuring uniqueness.
On delivery, the destination MAC address is resolved based on the IP and whether the destination is in the same subnet. If not, the packet is addressed to the router (default gateway).
Certain address ranges are reserved for local use:
02:00:00:00:00:00
06:00:00:00:00:00
0A:00:00:00:00:00
0E:00:00:00:00:00The last bit of the first octet distinguishes Unicast (0) from Multicast (1). Broadcast uses all bits set to 1.
DE:AD:BE:EF:13:3701:00:5E:EF:13:37FF:FF:FF:FF:FF:FFMAC addresses can be manipulated or spoofed, and therefore should not be considered a secure means of device identification. Network administrators must implement layered security approaches, such as network segmentation and robust authentication mechanisms.
ARP is used to resolve IP addresses (layer 3) into MAC addresses (layer 2) on a Local Area Network (LAN). It enables direct communication between hosts using MAC addresses.
ARP spoofing (or ARP cache poisoning) is an attack where false ARP responses are sent to associate an attacker’s MAC with another device’s IP. Tools like Ettercap or Cain & Abel are often used.
1 0.000000 10.129.12.100 -> 10.129.12.101 ARP 60 10.129.12.101 is at AA:AA:AA:AA:AA:AA
2 0.000015 10.129.12.100 -> 10.129.12.255 ARP 60 Who has 10.129.12.101? Tell 10.129.12.100
3 0.000030 10.129.12.101 -> 10.129.12.100 ARP 60 10.129.12.101 is at BB:BB:BB:BB:BB:BB
4 0.000045 10.129.12.100 -> 10.129.12.101 ARP 60 10.129.12.101 is at AA:AA:AA:AA:AA:AA
These falsified replies redirect traffic intended for a legitimate device to the attacker. The attacker can then intercept, modify, or redirect data—enabling man-in-the-middle (MITM) attacks.
IPv6 is the successor to IPv4. Unlike IPv4, an IPv6 address is 128 bits long. The address includes a prefix that identifies the network and host components. The Internet Assigned Numbers Authority (IANA) manages the assignment of IPv4 and IPv6 addresses and their respective network segments. IPv6 is expected to fully replace IPv4 over time, although both protocols can coexist via Dual Stack implementation.
IPv6 adheres to the end-to-end communication principle, offering globally unique IP addresses to devices without requiring NAT. Interfaces can possess multiple IPv6 addresses, including special-purpose addresses.
| Features | IPv4 | IPv6 |
|---|---|---|
| Bit length | 32-bit | 128-bit |
| OSI layer | Network Layer | Network Layer |
| Addressing range | ~4.3 billion | ~340 undecillion |
| Representation | Binary | Hexadecimal |
| Prefix notation | 10.10.10.0/24 | fe80::dd80:b1a9:6687:2d3b/64 |
| Dynamic addressing | DHCP | SLAAC / DHCPv6 |
| IPsec | Optional | Mandatory |
| Type | Description |
|---|---|
| Unicast | Used for a single interface |
| Anycast | Assigned to multiple interfaces; only the nearest one receives the packet |
| Multicast | Packets are delivered to all interfaces in the group |
Note: IPv6 does not use broadcast addresses; multicast is used instead for communication with multiple nodes.
IPv4 address: 192.168.12.160
| Representation | 1st Octet | 2nd Octet | 3rd Octet | 4th Octet |
|---|---|---|---|---|
| Binary | 1100 0000 | 1010 1000 | 0000 1100 | 1010 0000 |
| Hex | C0 | A8 | 0C | A0 |
| Decimal | 192 | 168 | 12 | 160 |
The following table provides a reference of fundamental networking protocols. Although not exhaustive, it covers many common technologies and their core functionalities.
| Protocol | Acronym | Description |
|---|---|---|
| Wired Equivalent Privacy | WEP | Legacy security protocol for wireless networks; now considered insecure. |
| Secure Shell | SSH | Encrypted protocol for remote system access and command execution. |
| File Transfer Protocol | FTP | Used to transfer files between systems over a network. |
| Simple Mail Transfer Protocol | SMTP | Protocol used to send email messages. |
| Hypertext Transfer Protocol | HTTP | Standard protocol for data communication on the web. |
| Server Message Block | SMB | Used for file, printer, and resource sharing in networks. |
| Network File System | NFS | Allows file access over a network as if local. |
| Simple Network Management Protocol | SNMP | Used to monitor and manage network devices. |
| Wi-Fi Protected Access | WPA | Security protocol for wireless networks. |
| Temporal Key Integrity Protocol | TKIP | Deprecated encryption method used in WPA. |
| Network Time Protocol | NTP | Synchronizes clocks across networked devices. |
| Virtual Local Area Network | VLAN | Segments a physical network into logical sub-networks. |
| VLAN Trunking Protocol | VTP | Distributes VLAN information across switches. |
| Routing Information Protocol | RIP | Distance-vector routing protocol for small networks. |
| Open Shortest Path First | OSPF | Link-state routing protocol for large enterprise networks. |
| Interior Gateway Routing Protocol | IGRP | Cisco proprietary protocol for routing within AS. |
| Enhanced Interior Gateway Routing Protocol | EIGRP | Advanced Cisco routing protocol combining distance-vector and link-state features. |
| Pretty Good Privacy | PGP | Encryption program used for secure communication. |
| Network News Transfer Protocol | NNTP | Used for retrieving and posting articles on Usenet. |
| Cisco Discovery Protocol | CDP | Proprietary Cisco protocol for device discovery. |
| Hot Standby Router Protocol | HSRP | Ensures high availability through router redundancy. |
| Virtual Router Redundancy Protocol | VRRP | Provides automatic failover for IP routers. |
| Spanning Tree Protocol | STP | Prevents switching loops in Layer 2 networks. |
| Terminal Access Controller Access-Control System | TACACS | Protocol for centralized network access authentication. |
| Session Initiation Protocol | SIP | Initiates, maintains, and terminates multimedia sessions. |
| Voice Over IP | VOIP | Technology to transmit voice over IP networks. |
| Extensible Authentication Protocol | EAP | Authentication framework supporting multiple methods. |
| Lightweight EAP | LEAP | Cisco-proprietary EAP method for wireless networks. |
| Protected EAP | PEAP | Provides encrypted EAP communication tunnel. |
| Systems Management Server | SMS | Microsoft solution for managing enterprise systems. |
| Microsoft Baseline Security Analyzer | MBSA | Security tool for identifying Windows vulnerabilities. |
| Supervisory Control and Data Acquisition | SCADA | Industrial control system for process automation. |
| Virtual Private Network | VPN | Secure tunnel over the internet for private communication. |
| Internet Protocol Security | IPsec | Encrypts and authenticates IP packets for secure communication. |
| Point-to-Point Tunneling Protocol | PPTP | Protocol for implementing VPN tunnels. |
| Network Address Translation | NAT | Translates private IP addresses to public IP addresses. |
| Carriage Return Line Feed | CRLF | Text delimiter used in network and file formatting. |
| Asynchronous JavaScript and XML | AJAX | Technique for dynamic web page updates. |
| Internet Server API | ISAPI | Interface for developing web server extensions. |
| Uniform Resource Identifier | URI | Generic identifier for internet resources. |
| Uniform Resource Locator | URL | Specifies the location of a resource on the internet. |
| Internet Key Exchange | IKE | Establishes secure communications using IPsec. |
| Generic Routing Encapsulation | GRE | Encapsulates packets to enable VPN tunneling. |
| Remote Shell | RSH | Unix command-line tool to execute remote commands. |
| Telnet | Telnet | Remote login protocol over TCP port 23. |
| Trivial File Transfer Protocol | TFTP | Simplified FTP over UDP, typically used for firmware or config file transfers. |
| Post Office Protocol v3 | POP3 | Email retrieval protocol using port 110. |
| Internet Message Access Protocol | IMAP | Email protocol allowing access and management of email messages. |
| Bootstrap Protocol | BOOTP | Used to assign IP addresses to clients at boot time. |
| Kerberos | Kerberos | Authentication protocol using tickets and symmetric encryption. |
| Lightweight Directory Access Protocol | LDAP | Protocol for querying and modifying directory services. |
| Remote Authentication Dial-In User Service | RADIUS | Protocol for AAA (authentication, authorization, accounting). |
| Remote Desktop Protocol | RDP | Remote GUI access protocol by Microsoft. |
| Remote Procedure Call | RPC | Allows executing procedures on remote systems. |
| Identification Protocol | Ident | Identifies user of a TCP connection. |
| Internet Control Message Protocol | ICMP | Used for diagnostics and error reporting. |
| Internet Group Management Protocol | IGMP | Manages membership of multicast groups. |
| Oracle Transparent Network Substrate | Oracle-TNS | Oracle DB listener protocol on port 1521. |
| Ingres Lock Service | Ingreslock | Ingres DB listener service; sometimes exploited. |
| Squid Web Proxy | HTTP-Proxy | Caching HTTP proxy service. |
| Secure Copy Protocol | SCP | Secure file transfer over SSH. |
| Simple Object Access Protocol | SOAP | Protocol for exchanging structured info in web services. |
| Secure Socket Layer | SSL | Deprecated protocol for encrypted communications; replaced by TLS. |
| TCP Wrappers | TCPW | Access control framework for TCP services. |
| Internet Security Association and Key Management Protocol | ISAKMP | Negotiates security associations for IPsec. |
| Kerberized Internet Negotiation of Keys | KINK | Key management using Kerberos with IPsec. |
| Remote Execution | REXEC | Executes commands on remote Unix systems. |
| Remote Login | RLOGIN | Interactive login to Unix systems over TCP port 513. |
| X Window System | X11 | GUI system and protocol for networked Unix environments. |
| IBM DB2 | DB2 | Enterprise relational database protocol on port 50000. |
| MySQL | MySQL | Open-source RDBMS using TCP port 3306. |
| Microsoft SQL Server Browser | MS-SQL-M | UDP protocol for SQL Server instance discovery. |
| Universal Plug and Play | UPnP | Enables devices to discover and interact with each other. |
| PostgreSQL | PGSQL | Open-source object-relational DBMS. |
| Virtual Network Computing | VNC | Remote desktop sharing protocol on port 5900. |
| Syslog | SYSLOG | Standard for forwarding log messages. |
| Internet Relay Chat | IRC | Protocol for real-time text communication. |
| OpenPGP | OpenPGP | Standard for email encryption and signing. |
| X Display Manager Control Protocol | XDMCP | Allows remote login to graphical X11 sessions. |
Wireless networks enable communication between devices using wireless data transmission, primarily over radio frequency (RF). These networks eliminate the need for physical cabling, allowing for increased mobility and convenience.
Devices equipped with wireless adapters convert digital data into RF signals, which are transmitted through the air and received by other wireless-capable devices. This exchange relies on protocols like IEEE 802.11 and can occur over different ranges depending on the network type—WiFi (LAN), or cellular (WWAN: 3G, 4G, 5G).
WiFi networks typically operate in the 2.4 GHz and 5 GHz bands. Communication is managed by a Wireless Access Point (WAP), which serves as a bridge between wireless clients and a wired network. When a device initiates transmission, it must first associate with the WAP. The process involves sending an association request that includes:
After successful association, the device can send and receive data via the WAP, including accessing Internet services.
SSID broadcast can be disabled to obscure network visibility. However, SSIDs are still exposed within authentication packets, making them discoverable.
WiFi security involves multiple protocols and mechanisms, including TCP/IP, DHCP for address assignment, and WPA2/WPA3 for encryption and integrity.
WEP uses a challenge-response handshake to authenticate devices and establish a secure session. The process involves multiple steps:
| Step | Who | Description |
|---|---|---|
| 1 | Client | Sends an association request to the WAP. |
| 2 | WAP | Replies with a challenge string. |
| 3 | Client | Encrypts the challenge with the shared key and sends the response. |
| 4 | WAP | Validates the response and sends authentication result. |
WEP uses a Cyclic Redundancy Check (CRC) to detect errors. The CRC is calculated on plaintext data, not the encrypted payload, and appended to the packet before encryption.
This design flaw allows an attacker to infer the original plaintext by manipulating or analyzing CRC values without decrypting the packet. As a result, WEP is considered cryptographically broken and obsolete.
WiFi networks implement several security mechanisms to prevent unauthorized access and protect data confidentiality and integrity. Key features include encryption, access control, and firewall capabilities.
Encryption protects data in transit using algorithms such as WEP, WPA2, and WPA3. WPA2 and WPA3 use AES (Advanced Encryption Standard), which provides stronger encryption compared to older algorithms like RC4 used in WEP.
Access to the wireless network can be restricted through authentication methods requiring passwords, certificates, or device identifiers like MAC addresses. Devices must present valid credentials to gain access.
Most wireless routers integrate firewall functionality to control incoming and outgoing traffic. These firewalls enforce rules to block malicious traffic and protect internal devices from Internet-based threats.
WEP and WPA are common WiFi encryption protocols. WPA uses stronger encryption with AES and supports longer key lengths, making it more secure than WEP.
| Protocol | IV | Secret Key |
|---|---|---|
| WEP-40/WEP-64 | 24-bit | 40-bit |
| WEP-104 | 24-bit | 80-bit |
Due to the small IV size, WEP is susceptible to brute-force attacks. Once the IV is recovered, the attacker can decrypt captured packets and compromise confidentiality.
WPA addresses WEP's vulnerabilities by using stronger authentication (e.g., PSK or 802.1X) and more secure encryption (AES). WPA2 and WPA3 are the recommended standards for modern networks.
Authentication protocols such as LEAP and PEAP enhance security during network access. Both are based on the Extensible Authentication Protocol (EAP):
TACACS+ is a protocol used for centralized authentication and authorization, often between Wireless Access Points (WAPs) and a central authentication server. It encrypts the entire payload of the authentication request to protect user credentials and session details. Encryption may be provided by SSL/TLS or IPsec, depending on configuration.
A Disassociation Attack exploits the management frames in wireless networks to forcibly disconnect clients by sending forged disassociation frames. This causes service disruption and may lead to further attacks like MITM by forcing clients to reconnect.
Security can be improved by disabling SSID broadcast, enabling WPA2/WPA3 encryption, filtering MAC addresses, and implementing certificate-based authentication via EAP-TLS.
A Virtual Private Network (VPN) establishes a secure, encrypted tunnel between a remote device and a private network. This enables secure access to internal resources over untrusted networks such as the Internet.
VPNs are commonly used by administrators and remote employees to access services that are restricted to the internal network. The VPN client authenticates with a VPN server, which assigns an internal IP address and routes traffic through the encrypted tunnel.
VPNs typically use protocols such as PPTP (TCP/1723), IKEv1/v2 (UDP/500), and IPsec (UDP/4500) to establish and secure the tunnel.
| Requirement | Description |
|---|---|
| VPN Client | Installed on the remote device to establish the connection (e.g., OpenVPN). |
| VPN Server | Receives connections and routes traffic into the private network. |
| Encryption | Secures communication using algorithms such as AES via protocols like IPsec. |
| Authentication | Ensures identity verification using credentials or digital certificates. |
IPsec secures IP communications by authenticating and encrypting each packet. It operates in two modes:
| Protocol | Port | Description |
|---|---|---|
| AH | Protocol 51 | Provides integrity/authenticity without encryption. |
| ESP | Protocol 50 | Provides encryption and optional integrity/authenticity. |
| IKE | UDP/500 | Negotiates keys for IPsec sessions. |
| NAT-T (ESP over UDP) | UDP/4500 | Used when ESP is encapsulated to traverse NAT devices. |
PPTP creates VPN tunnels by encapsulating PPP frames. Though easy to deploy, PPTP is deprecated due to weak encryption (MSCHAPv2) and known vulnerabilities. Alternatives like L2TP/IPsec and OpenVPN are strongly recommended.
Key exchange methods are used to securely share cryptographic keys between two parties. These mechanisms are essential for establishing encrypted communication channels, as the security of the data depends on the secrecy of the cryptographic keys. Various key exchange methods exist, each offering different security guarantees and performance characteristics depending on the application.
These mechanisms generally allow two parties to agree on a shared secret key over an insecure channel. The key is then used for encryption and decryption during communication. The key exchange process typically involves complex mathematical computations that ensure the derived key cannot be easily intercepted or calculated by unauthorized entities.
Diffie-Hellman is a key exchange protocol that enables two parties to establish a shared secret over an untrusted channel without prior shared secrets. It is widely used in securing communications protocols such as TLS. However, it is vulnerable to Man-in-the-Middle (MITM) attacks if the authenticity of parties is not verified. Additionally, it requires significant computational power, which can be a drawback in resource-constrained environments.
RSA is a public-key algorithm that relies on the computational difficulty of factoring large integers. It is extensively used in secure communications and supports encryption, digital signatures, and key exchange. RSA is widely implemented in SSL/TLS, digital certificates, and authentication systems such as PKINIT in Kerberos. Its main drawback is its computational intensity compared to newer elliptic curve-based approaches.
ECDH is an elliptic curve variant of the Diffie-Hellman key exchange that provides equivalent security with smaller key sizes, making it more efficient and suitable for mobile or embedded devices. It is commonly used in protocols like TLS and IKE (used in VPNs), and supports forward secrecy, ensuring past communications remain confidential even if private keys are compromised.
ECDSA is used for creating digital signatures based on elliptic curve cryptography. It enables the verification of sender authenticity and message integrity in key exchange and other cryptographic operations. Due to its efficiency and strong security properties, ECDSA is increasingly adopted in modern cryptographic standards and applications.
Internet Key Exchange (IKE) is a protocol used to establish and maintain secure communication sessions, particularly in VPNs. It utilizes Diffie-Hellman and other cryptographic techniques to securely negotiate security parameters and exchange keys between a client and server, enabling the creation of encrypted tunnels for secure data transmission.
IKE supports two operation modes:
IKE can authenticate using Pre-Shared Keys (PSKs), which must be securely distributed prior to the exchange. Although PSKs add an extra layer of security, their compromise or poor handling (e.g., weak secrets or unsecure sharing) may expose the session to MITM attacks.
Authentication protocols are essential mechanisms used in networking to verify the identity of devices and users. These protocols ensure that only authorized entities gain access to network resources, thereby protecting the network from unauthorized access, impersonation, and other security threats.
They also enable the secure exchange of sensitive information across the network, helping maintain data confidentiality and integrity. Below is an overview of the most commonly used authentication protocols and frameworks:
| Protocol | Description |
|---|---|
| Kerberos | KDC-based authentication protocol that uses tickets in domain environments. |
| SRP | Password-based authentication protocol using cryptographic proof to resist MITM and eavesdropping. |
| SSL / TLS | Cryptographic protocols providing secure communication over the internet; TLS is the successor of SSL. |
| OAuth | Authorization framework allowing third-party applications limited access without exposing credentials. |
| OpenID | Decentralized protocol for single identity login across multiple services. |
| SAML | XML-based standard for exchanging authentication and authorization data between parties. |
| 2FA / MFA | Use of two or more factors (password, token, biometric) to verify identity. |
| FIDO | Alliance supporting open standards for strong authentication using public key cryptography. |
| PKI | System for managing digital certificates and public-key encryption. |
| SSO | Allows users to authenticate once and access multiple systems without re-authenticating. |
| PAP | Simple and insecure protocol that transmits credentials in plaintext. |
| CHAP | Uses a three-way handshake with challenge-response mechanism to authenticate users. |
| EAP | Extensible framework supporting various authentication methods (e.g., EAP-TLS, PEAP). |
| SSH | Secure shell protocol for remote access and file transfer using encrypted sessions. |
| HTTPS | HTTP secured via SSL/TLS for encrypted web communications and server authentication. |
| LEAP | Cisco-developed wireless authentication protocol using EAP and RC4; considered insecure. |
| PEAP | Secure tunnel-based authentication using TLS to protect MSCHAPv2 hashes and support multiple auth methods. |
In practice, PEAP is preferred over LEAP due to stronger security mechanisms including TLS tunneling and support for modern encryption algorithms. While LEAP's use of RC4 and lack of protection for authentication hashes exposes it to dictionary and brute-force attacks, PEAP mitigates these threats with certificate-based authentication and encrypted credential exchange.
Protocols such as SSH and HTTPS are widely adopted to ensure confidentiality, integrity, and authenticity in remote communication and web browsing. Both rely on TLS/SSL and can integrate with PKI for certificate-based mutual authentication, reducing the risk of MITM attacks.
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are fundamental transport layer protocols used for data transmission across networks. TCP is a connection-oriented protocol that ensures reliable delivery of data through mechanisms like acknowledgments, retransmissions, and flow control. In contrast, UDP is a connectionless protocol optimized for speed, sacrificing reliability and ordering to enable real-time communication such as video streaming and online gaming.
TCP involves a three-way handshake process to establish a connection and maintains session state to manage reliable delivery. If packet loss or errors occur, TCP will retransmit the data. UDP, however, sends datagrams without establishing a connection and does not verify receipt, leading to faster transmission but potential data loss.
| Field | Description |
|---|---|
| Version | IP protocol version (e.g., IPv4 or IPv6) |
| Internet Header Length | Length of the header in 32-bit words |
| Class of Service | Priority and service level of the packet |
| Total Length | Total length of the packet in bytes |
| Identification (ID) | Unique identifier for fragment reassembly |
| Flags | Indicates fragmentation status |
| Fragment Offset | Specifies fragment position |
| Time to Live | Maximum hops before the packet is discarded |
| Protocol | Encapsulated protocol (e.g., TCP, UDP) |
| Checksum | Error detection for the header |
| Source/Destination | IP addresses of sender and recipient |
| Options | Optional routing and control information |
| Padding | Fills out header to a 32-bit boundary |
Blind spoofing is an attack in which false packets are crafted and sent to a host, typically with forged IP headers. Attackers set arbitrary sequence numbers and spoof source IPs without seeing the response. This can desynchronize TCP sessions or impersonate hosts to disrupt or intercept communications.
Encryption is fundamental to securing digital communication by protecting data such as payment information, emails, and personal records from unauthorized access and tampering. It transforms readable data into an unreadable format using cryptographic algorithms and digital keys. Depending on the method and key length, encryption strength can vary. Modern encryption algorithms, especially those with long key lengths, are considered extremely secure and resistant to compromise. Cryptographic techniques are primarily classified into symmetric and asymmetric encryption.
Symmetric encryption, also referred to as secret key encryption, uses the same key for both encryption and decryption. The main challenge in symmetric encryption is the secure exchange and management of the shared key. If the key is exposed, the confidentiality of the encrypted data is compromised. Common symmetric algorithms include Advanced Encryption Standard (AES) and Data Encryption Standard (DES). Symmetric encryption is highly efficient and suitable for encrypting large volumes of data, such as storage media or network transmissions.
Asymmetric encryption, or public-key encryption, utilizes a pair of cryptographic keys: a public key for encryption and a private key for decryption. This approach enables secure communication without needing a shared secret in advance. Well-known asymmetric algorithms include RSA, PGP, and Elliptic Curve Cryptography (ECC). Asymmetric encryption is commonly used in digital signatures, SSL/TLS, VPNs, SSH, PKI, and cloud services. It facilitates secure data transmission and authentication while resolving the key distribution problem inherent in symmetric encryption.
DES is a symmetric-key block cipher that encrypts data using a 56-bit key derived from a 64-bit input (8 bits used for parity). It encrypts 64-bit plaintext blocks into 64-bit ciphertext blocks. Due to its short key length, DES is vulnerable to brute-force attacks. Triple DES (3DES) enhances DES security by applying the encryption process three times with different keys, though it remains slower and less secure than modern standards.
AES is the successor to DES and is currently the most widely used symmetric encryption standard. It supports key sizes of 128, 192, and 256 bits, offering strong security and high performance. AES is efficient due to its capability to operate on multiple blocks simultaneously and is implemented in a wide range of protocols and applications, such as WLAN (IEEE 802.11i), IPsec, SSH, VoIP, PGP, and OpenSSL.
Cipher modes define how block ciphers encrypt data larger than a single block. Each mode has unique characteristics suited to specific security requirements and use cases. Below is a summary of common cipher modes:
| Cipher Mode | Description |
|---|---|
| Electronic Code Book (ECB) | Encrypts each block independently; does not hide data patterns well and is not recommended for secure communications. |
| Cipher Block Chaining (CBC) | Each plaintext block is XORed with the previous ciphertext block before encryption; used in disk encryption and TLS/SSL. |
| Cipher Feedback (CFB) | Transforms block cipher into a stream cipher; suited for real-time communications and file encryption in transit. |
| Output Feedback (OFB) | Generates key streams independently of plaintext and ciphertext; used in secure stream-based communication. |
| Counter (CTR) | Encrypts blocks using a counter that increments with each block; allows parallel processing and is used in IPsec and BitLocker. |
| Galois/Counter Mode (GCM) | Combines counter mode encryption with integrity protection using Galois field multiplication; used in VPNs and wireless protocols. |
Choosing the appropriate cipher mode depends on the specific application requirements, such as the need for real-time encryption, error tolerance, or message integrity. Secure implementation and proper mode selection are critical to maintaining data confidentiality and integrity.