Beginner ⏱ 60 Minutes Prereq: None

Networking Fundamentals

Before you can exploit a network, you must understand the infrastructure. This module covers the vocabulary of the internet, how devices identify each other, and the core protocols of data exchange.

1. What is a Network?


A network is a system of interconnected devices that exchange data using standardized communication protocols. More precisely, a network exists when two or more devices can exchange packets using an agreed communication standard.

How Data Actually Moves

When one device sends data to another, it does not send a continuous stream. The data is broken into small structured units called packets. Each packet contains addressing information and control data so intermediary devices know where to forward it.

This means communication is not magic — it is a series of structured decisions made by switches and routers.

🎯 Hacker Mindset

If you can understand how traffic flows, you can manipulate it. Every attack — MITM, DNS spoofing, session hijacking — is just controlled manipulation of packet flow.

The 4 Core Elements

1️⃣ End Devices (Hosts)

Devices that generate or consume data (PCs, Servers, IoT). Every host is a potential attack surface.

2️⃣ Intermediary Devices

Devices that forward or filter traffic (Routers, Switches, Firewalls). They enforce policy and trust boundaries.

3️⃣ Transmission Media

The path data travels (Copper, Fiber, Wi-Fi). Remember: Wired ≠ Secure. Security depends on encryption.

4️⃣ Protocols

The rules of communication (HTTP, TCP, DNS). Without shared protocols, devices cannot interpret each other's data.

🕵️ Security Relevance

Hackers start every engagement by "mapping the network." If intermediary devices are misconfigured, the entire network becomes exposed.

2. LAN vs WAN


Networks are classified by their physical scope. Understanding this distinction is vital for understanding "pivoting" attacks.

LAN (Local Area Network)

Connects devices within a limited physical area (Home, Office). Characterized by private IP addressing, low latency, and high speed.

🛡️ Risk: Lateral Movement

Most internal breaches spread through weaknesses inside the LAN. Attacks like ARP Spoofing and MAC Flooding happen here.

WAN (Wide Area Network)

Connects multiple LANs across large distances (The Internet). Characterized by public IP exposure and higher latency.

NAT (Bridge Between LAN & WAN)

Network Address Translation (NAT) allows private IP addresses to access the public internet. It hides internal addressing but is NOT a firewall.

# Without NAT, private IPs cannot talk to the internet
Source: 192.168.1.5 (LAN) -> Router (NAT) -> Dest: 8.8.8.8 (WAN)
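The translation shown above, worked through as an added example (constructed model, not any router's code): a NAT table maps the LAN host to a public address and port, maps the reply back, and silently drops an unsolicited inbound packet for which no mapping exists. The public address 203.0.113.7 and the port numbers are constructed values.

```python
import itertools

class NatTable:
    """Constructed model of source NAT with port translation (PAT): one public IP
    shared by a private LAN. Illustrative only, not any vendor's implementation."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.outbound = {}  # (lan_ip, lan_port, dst_ip, dst_port) -> public_port
        self.inbound = {}   # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def translate_outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        # Any LAN host may open any connection: NAT consults no policy, only its table.
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key not in self.outbound:
            port = next(self.next_port)
            self.outbound[key] = port
            self.inbound[(port, dst_ip, dst_port)] = (lan_ip, lan_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, remote_ip, remote_port, public_port):
        # Inbound traffic is forwarded only if a LAN host created a matching mapping;
        # anything else is dropped for lack of a destination, not because of a rule.
        return self.inbound.get((public_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = NatTable("203.0.113.7")  # constructed public address (TEST-NET-3 range)
    print(nat.translate_outbound("192.168.1.5", 51000, "8.8.8.8", 53))
    print(nat.translate_inbound("8.8.8.8", 53, 40000))       # reply: mapped back to the LAN host
    print(nat.translate_inbound("198.51.100.9", 80, 40000))  # unsolicited: None
```

Note that the outbound path never asks whether the destination is allowed, which is exactly why NAT is not a substitute for a firewall.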

Trust Boundaries

Every network has trust boundaries. A LAN is usually considered a trusted zone, while the WAN (internet) is considered untrusted. Firewalls are placed at these boundaries to filter traffic.

🔐 Important Concept

Most major breaches happen because the internal LAN was treated as "trusted" without proper segmentation.

3. MAC vs IP Address


If this concept is weak, subnetting and routing will be impossible to understand. Every device has two identities.

MAC Address (Layer 2 - Physical)

Burned into the network interface at manufacture. Looks like: 00:1A:2B:3C:4D:5E. Used for local communication inside the LAN. Switches use MAC addresses to forward frames.

IP Address (Layer 3 - Logical)

Assigned by the network, usually via DHCP running on the router. Looks like: 192.168.1.5. Used for routing across the internet. Routers use IP addresses to forward packets.

Feature       MAC Address               IP Address
Layer         Layer 2 (Data Link)       Layer 3 (Network)
Scope         Local network only        Global routing
Mutability    Permanent* (hardware)     Changeable (location)

* Fixed at manufacture, but can be overridden in software (see MAC Spoofing below).

How They Work Together

When you visit a website:

  1. Your device checks the destination IP.
  2. If the IP is outside your network, traffic is sent to the default gateway.
  3. Your device uses ARP to discover the MAC address of the gateway.
  4. The frame is delivered using MAC locally, then routed using IP globally.

This shows that MAC and IP are not competing — they operate at different layers and cooperate.
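The four steps above, worked through as an added example (a constructed model, not an operating system's network stack): the host decides whether the destination is on its own subnet, resolves the MAC of either the destination or the gateway, and builds a frame whose IP destination stays the real target. It also adds the check a defender would want, flagging an ARP reply that changes the MAC already known for an IP. All addresses are constructed.

```python
import ipaddress

class Host:
    """Constructed model of the next-hop decision (steps 1-2), the ARP lookup (step 3)
    and an ARP-learning check a defender would add. Not an OS implementation."""

    def __init__(self, address, gateway, arp_cache):
        self.iface = ipaddress.ip_interface(address)   # e.g. "192.168.1.5/24"
        self.gateway = ipaddress.ip_address(gateway)
        self.arp_cache = dict(arp_cache)               # IP -> MAC learned from ARP replies
        self.alerts = []

    def next_hop(self, dst_ip):
        # Inside my subnet: deliver directly. Outside: hand the packet to the default gateway.
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def resolve_mac(self, ip):
        # ARP is a broadcast on the local link, so only subnet-local IPs can be resolved.
        ip = ipaddress.ip_address(ip)
        if ip not in self.iface.network:
            raise ValueError(f"{ip} is not on {self.iface.network}; ARP cannot reach it")
        mac = self.arp_cache.get(str(ip))
        if mac is None:
            raise LookupError(f"no cache entry for {ip}; would broadcast 'who-has {ip}'")
        return mac

    def build_frame(self, dst_ip):
        # The IP header keeps the real destination; the frame carries the next hop's MAC.
        hop = self.next_hop(dst_ip)
        return {"dst_mac": self.resolve_mac(hop), "dst_ip": str(dst_ip), "via": str(hop)}

    def learn_arp(self, ip, mac):
        # Defender's check: an IP that suddenly answers from a different MAC is the
        # classic sign of ARP spoofing. Here the update is refused and an alert recorded.
        old = self.arp_cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"ARP change for {ip}: {old} -> {mac}")
            return False
        self.arp_cache[ip] = mac
        return True
```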

💀 Attack Vector: MAC Spoofing

Hackers change their MAC address to bypass "MAC Filtering" or to impersonate trusted devices. In Linux: macchanger -r eth0.

4. Bandwidth, Latency, Throughput


Understanding performance helps identify attack behaviors and congestion.

  • Bandwidth: The max theoretical capacity (The width of the highway).
  • Latency (Ping): Time taken for a packet to travel to the destination and back.
  • Throughput: Actual usable speed. Always lower than bandwidth because of protocol overhead (headers, encryption) and congestion.

Why Performance Matters in Security

  • Sudden bandwidth spikes → possible data exfiltration.
  • High latency with stable bandwidth → possible routing issue.
  • Packet loss → congestion or deliberate flooding.

📊 Analyst Thinking

Blue team analysts often detect attacks by observing abnormal traffic patterns rather than signatures.
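The three patterns listed above, turned into detection logic as an added example (not code from the original module): each one-minute sample is compared with a constructed baseline using z-scores, and the thresholds are assumptions a real deployment would tune.

```python
from statistics import mean, pstdev

# Constructed one-minute samples from an egress link: (bytes_out, avg_rtt_ms, loss_pct).
# A real baseline would come from flow records or interface counters.
BASELINE = [(48_000_000, 21, 0.1), (51_000_000, 20, 0.0), (47_500_000, 22, 0.1),
            (50_200_000, 19, 0.0), (49_100_000, 23, 0.1), (48_800_000, 21, 0.0)]

def zscore(value, history):
    # How many standard deviations a value sits from the historical mean.
    mu, sigma = mean(history), pstdev(history)
    return 0.0 if sigma == 0 else (value - mu) / sigma

def classify(sample, history=BASELINE, z_limit=3.0, loss_limit=2.0):
    """Map one sample onto the three patterns listed above. Thresholds are assumptions."""
    bytes_out, rtt, loss = sample
    z_bytes = zscore(bytes_out, [h[0] for h in history])
    z_rtt = zscore(rtt, [h[1] for h in history])
    findings = []
    if z_bytes > z_limit:
        findings.append("bandwidth spike: possible exfiltration")
    if z_rtt > z_limit and abs(z_bytes) <= z_limit:
        findings.append("latency up with stable volume: possible routing issue")
    if loss >= loss_limit:
        findings.append("packet loss: congestion or deliberate flooding")
    return findings

if __name__ == "__main__":
    for s in [(50_000_000, 21, 0.0), (120_000_000, 21, 0.0),
              (49_000_000, 95, 0.1), (49_500_000, 90, 8.0)]:
        print(s, classify(s) or ["normal"])
```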

⚠️ Red Flag: DDoS Attacks

DDoS attacks aim to exhaust bandwidth, drastically increase latency, and collapse throughput, making the network unusable.

5. DNS (Domain Name System)


DNS converts human-readable domain names (google.com) into IP addresses. It is the phonebook of the internet.

DNS Resolution Flow

  1. User types domain (google.com).
  2. Local resolver checks cache.
  3. On a cache miss, the resolver queries Root Server -> TLD Server -> Authoritative Server.
  4. IP Address is returned to user.

Important DNS Records

  • A: IPv4 Address
  • AAAA: IPv6 Address
  • MX: Mail Server
  • TXT: Text (used for verification)

Why DNS Is Critical in Reconnaissance

Before attacking a system, attackers enumerate subdomains, mail servers, and TXT records to gather intelligence.

  • Subdomain enumeration reveals hidden services.
  • MX records reveal mail infrastructure.
  • TXT records may expose verification tokens.

⚠️ Attack Vector: DNS Poisoning

If a hacker corrupts the DNS cache, they can redirect facebook.com to a malicious IP. DNS is a primary target for reconnaissance.

6. Packet Structure

Every piece of data sent over a network is chopped into "packets". Understanding this is the foundation for using tools like Wireshark.

  [ Header | Payload (Data) | Trailer ]

  • Header: Contains control info (Source IP, Destination IP, Protocol).
  • Payload: The actual data being delivered (a piece of an image, text, etc).
  • Trailer: Error checking data to ensure the packet arrived intact.

Encapsulation Preview

When data is sent, it is wrapped multiple times:

  • Application data
  • TCP/UDP header added
  • IP header added
  • Ethernet frame added

This wrapping process is called encapsulation. The OSI model in the next module will break this down completely.

7. Practical Commands

Theory is useless without action. Use these commands to inspect your network now.

# 1. Show IP and Interface info
root@kali:~# ip a

# 2. Show the routing table (How traffic leaves)
root@kali:~# ip route

# 3. Check connectivity and latency
root@kali:~# ping 8.8.8.8

# 4. Query DNS manually
root@kali:~# nslookup google.com

🧠 Knowledge Check

  • Why does ARP only work inside a LAN?
  • Why can NAT not replace a firewall?
  • What would happen if DNS stopped working?
  • Why does a switch care about MAC but not IP?
  • What abnormal behavior might indicate a DDoS?

📌 Module Recap

  • Hosts & Intermediaries: A network is composed of end devices and the devices that connect them.
  • LAN vs WAN: Private/Fast vs Public/Slower. NAT bridges the gap.
  • MAC vs IP: MAC is your physical fingerprint; IP is your digital address.
  • Bandwidth vs Throughput: Theoretical speed vs Actual speed.
  • DNS: Translates names to numbers. Vulnerable to poisoning.