Network Fundamentals for Pentesters

Understanding the protocols and architecture that power every network attack


What You'll Discover

🎯 Why This Matters

Every exploit, every scan, every packet capture relies on your understanding of network protocols. When you see a SYN packet or understand why UDP is "connectionless," you're not just reading definitions - you're seeing the attack surface. Security professionals who deeply understand networking can identify misconfigurations, spot anomalies in traffic, and craft attacks that bypass detection. This knowledge is what transforms tool users into actual pentesters.

🔍 What You'll Learn

  • The TCP/IP model and how data flows through network layers
  • TCP three-way handshake and why it matters for port scanning
  • UDP protocol characteristics and why it's used for specific attacks
  • Common ports and the services behind them
  • Using Wireshark and tcpdump to analyze network traffic

🚀 Your First Win

In the next 10 minutes, you'll capture live network packets on your machine, see the TCP handshake in action, and identify exactly which services are communicating. You'll see your own traffic the way an attacker would.

🔧 Try This Right Now

Capture packets on your network interface and watch the TCP handshake happen in real-time:

# Start capturing TCP packets (Linux/macOS)
sudo tcpdump -i any -n tcp -c 20

# In another terminal, generate some traffic
curl https://hackerdna.com

You'll see: SYN, SYN-ACK, and ACK packets - the TCP three-way handshake that initiates every TCP connection. Each line shows source/destination IPs, ports, and TCP flags.

Skills You'll Master

✅ Core Understanding

  • TCP/IP layer model and data encapsulation
  • TCP flags and their role in connection states
  • UDP characteristics and use cases
  • Port numbers and service identification

🔍 Expert Skills

  • Packet capture and analysis with tcpdump
  • Reading Wireshark captures effectively
  • Identifying services by traffic patterns
  • Understanding network attack surfaces

Understanding Network Protocols

Networks are built on layers of protocols, each handling a specific part of communication. When you understand these layers, you understand where vulnerabilities exist and how to exploit them.

"Every network attack exploits a protocol's behavior - understanding protocols means understanding attack vectors."

The TCP/IP Model

The TCP/IP model has four layers, and as a pentester, you'll work with all of them:

Application Layer

HTTP, HTTPS, SSH, FTP, DNS, SMTP - the protocols users interact with directly. Most web application attacks target this layer.

Transport Layer

TCP and UDP live here. Port scanning, session hijacking, and denial of service attacks often target transport layer behavior.

Internet Layer

IP addressing and routing. IP spoofing, ICMP attacks, and routing manipulation happen here.

Network Access Layer

Ethernet, Wi-Fi, and ARP - framing and MAC addressing on the local link. This layer is only reachable from the same network segment, which is why segmentation is such an effective control.

TCP: The Reliable Protocol

TCP (Transmission Control Protocol) ensures reliable, ordered delivery of data. The three-way handshake is fundamental to understanding port scanning:

# TCP Three-Way Handshake
Client → Server: SYN (Synchronize) - "I want to connect"
Server → Client: SYN-ACK (Synchronize-Acknowledge) - "OK, I'm ready"
Client → Server: ACK (Acknowledge) - "Let's go"

# TCP Flags (used in scanning)
SYN - Initiate connection
ACK - Acknowledge receipt
FIN - Finish/close connection
RST - Reset connection (used to detect closed ports)
PSH - Push data immediately
URG - Urgent data

When you run a SYN scan with Nmap, you're sending SYN packets and watching for SYN-ACK (port open) or RST (port closed) responses. This is why understanding TCP flags is essential.
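To make the flag table concrete, here is an added example (not code from the original page) that decodes a raw 20-byte TCP header with the standard library and interprets a SYN probe's reply the way a SYN scanner does; the sample headers are constructed in the block, and `build_tcp_header` is a test helper, not a real tool.

```python
import struct
from typing import Optional

# TCP flag bits in the 14th header byte, matching the flag table above.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header of a raw segment (no IP header)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(segment))
    (sport, dport, seq, ack, off_res, flags,
     win, _csum, _urgp) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "hdr_len": (off_res >> 4) * 4,   # data offset is counted in 32-bit words
        "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit],
    }

def classify_syn_reply(reply: Optional[bytes], probe_seq: int) -> str:
    """SYN-ACK acknowledging probe_seq+1 -> open, RST -> closed, no reply -> filtered."""
    if reply is None:
        return "filtered"          # dropped by a firewall, or simply lost
    hdr = parse_tcp_header(reply)
    flags = set(hdr["flags"])
    if {"SYN", "ACK"} <= flags:
        # A genuine SYN-ACK must acknowledge our ISN + 1; anything else is not a reply to us.
        return "open" if hdr["ack"] == (probe_seq + 1) & 0xFFFFFFFF else "unexpected"
    if "RST" in flags:
        return "closed"
    return "unexpected"

def build_tcp_header(sport: int, dport: int, flag_bits: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed sample header for testing (checksum left zero, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                       flag_bits, 65535, 0, 0)

if __name__ == "__main__":
    probe_seq = 1000
    syn_ack = build_tcp_header(22, 44321, 0x12, seq=5000, ack=probe_seq + 1)
    rst_ack = build_tcp_header(23, 44322, 0x14, ack=probe_seq + 1)
    print(parse_tcp_header(syn_ack)["flags"])        # ['SYN', 'ACK']
    print(classify_syn_reply(syn_ack, probe_seq))     # open
    print(classify_syn_reply(rst_ack, probe_seq))     # closed
    print(classify_syn_reply(None, probe_seq))        # filtered
```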

UDP: Fast but Connectionless

UDP (User Datagram Protocol) doesn't establish connections - it just sends data. This makes it faster but unreliable:

# Common UDP Services
DNS     - Port 53  (Domain Name System)
DHCP    - Port 67/68 (IP address assignment)
TFTP    - Port 69  (Trivial File Transfer)
SNMP    - Port 161 (Network Management - often misconfigured!)
NTP     - Port 123 (Time synchronization)

UDP scanning is slower because there's no handshake - you send a packet and wait. No response usually means the port is open or filtered (you can't tell which without a reply), while an ICMP "port unreachable" means it's closed.

Critical Ports Every Pentester Knows

Memorize these - you'll see them constantly:

# High-Value Targets
21    FTP      - File Transfer (often anonymous access)
22    SSH      - Secure Shell (brute force target)
23    Telnet   - Unencrypted remote access (legacy systems)
25    SMTP     - Email (open relays, user enumeration)
53    DNS      - Domain resolution (zone transfers)
80    HTTP     - Web traffic
110   POP3     - Email retrieval
139   NetBIOS  - Windows networking
443   HTTPS    - Encrypted web traffic
445   SMB      - Windows file sharing (EternalBlue, anyone?)
3306  MySQL    - Database
3389  RDP      - Windows Remote Desktop
5432  PostgreSQL - Database
8080  HTTP-Alt - Alternative web/proxy

Tools and Techniques

tcpdump - Command-Line Packet Capture

tcpdump is the pentester's Swiss Army knife for packet analysis. It's available on virtually every Unix system and requires no GUI.

# Basic capture on all interfaces
sudo tcpdump -i any

# Capture only TCP traffic
sudo tcpdump -i any tcp

# Capture traffic to/from specific host
sudo tcpdump -i any host 192.168.1.100

# Capture traffic on specific port
sudo tcpdump -i any port 80

# Capture and save to file for later analysis
sudo tcpdump -i any -w capture.pcap

# Read saved capture
tcpdump -r capture.pcap

# Show packet contents in ASCII
sudo tcpdump -i any -A port 80

# Combine filters (traffic to port 22 OR 80)
sudo tcpdump -i any 'port 22 or port 80'

# Show only SYN packets (connection attempts)
sudo tcpdump -i any 'tcp[tcpflags] & tcp-syn != 0'
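The SYN-only filter above is the raw material for spotting a scan from the defender's side. This added example (not from the original page) parses `tcpdump -n` text lines and reports sources that sent SYNs to many ports without ever completing a handshake; the sample lines are constructed and the threshold of five targets is an assumption.

```python
import re
from collections import defaultdict

# Address/flag part of a `tcpdump -n` line; `search` tolerates the extra
# interface column ("eth0 In") newer tcpdump versions print with `-i any`.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line: str):
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def half_open_targets(lines):
    """Per source IP, the (dst, port) pairs it sent a SYN to but never followed
    with an ACK-bearing packet ([.], [P.], [F.]); a scanner never sends that ACK."""
    syn_sent, completed = defaultdict(set), defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        target = (p["dst"], int(p["dport"]))
        if p["flags"] == "S":
            syn_sent[p["src"]].add(target)
        elif "." in p["flags"] and target in syn_sent.get(p["src"], ()):
            completed[p["src"]].add(target)
    return {src: t - completed[src] for src, t in syn_sent.items()}

def suspected_scanners(lines, threshold=5):
    """Sources with at least `threshold` distinct half-open targets."""
    return sorted(s for s, t in half_open_targets(lines).items() if len(t) >= threshold)

# Constructed sample: 10.0.0.5 probes six ports (one RST reply shown);
# 10.0.0.7 is a normal client that completes its handshake on 443.
SAMPLE = """\
14:02:11.000001 IP 10.0.0.5.40001 > 192.168.1.10.21: Flags [S], seq 1, win 1024, length 0
14:02:11.000002 IP 192.168.1.10.21 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
14:02:11.000003 IP 10.0.0.5.40002 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
14:02:11.000004 IP 10.0.0.5.40003 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
14:02:11.000005 IP 10.0.0.5.40004 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
14:02:11.000006 IP 10.0.0.5.40005 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
14:02:11.000007 IP 10.0.0.5.40006 > 192.168.1.10.445: Flags [S], seq 1, win 1024, length 0
14:02:12.000001 IP 10.0.0.7.51000 > 192.168.1.10.443: Flags [S], seq 100, win 64240, length 0
14:02:12.000002 IP 192.168.1.10.443 > 10.0.0.7.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
14:02:12.000003 IP 10.0.0.7.51000 > 192.168.1.10.443: Flags [.], ack 201, win 502, length 0
""".splitlines()

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE))   # ['10.0.0.5']
```

Pipe a live capture through it with `sudo tcpdump -i any -n -l tcp | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin`; the same logic is what a SYN-flood or port-scan rule in an IDS is doing under the hood.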

Wireshark - Visual Packet Analysis

Wireshark provides a graphical interface for deep packet inspection. It's essential for analyzing complex protocols and following TCP streams.

# Useful Wireshark Display Filters
tcp.port == 80                    # HTTP traffic
ip.addr == 192.168.1.100          # Traffic to/from IP
tcp.flags.syn == 1                # SYN packets only
http.request                      # HTTP requests
dns                               # DNS queries
tcp.stream eq 0                   # Follow specific TCP stream

# Start Wireshark from command line
wireshark -i eth0 -k              # Start capture immediately
wireshark -r capture.pcap         # Open saved capture

netstat and ss - Local Connection Analysis

Understanding what's running on your own system (or a compromised target) is crucial:

# Show all listening ports (Linux)
ss -tlnp                          # TCP listening ports with process
ss -ulnp                          # UDP listening ports with process
ss -antp                          # All TCP connections

# netstat alternative (works on more systems)
netstat -tlnp                     # TCP listening
netstat -an                       # All connections

# Find what's using a specific port
sudo lsof -i :80                  # What's on port 80?
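Reading `ss -tlnp` by eye is fine for one host; this added example (not code from the original page) parses that output and audits it against the port table above, flagging legacy cleartext services and databases that listen on all interfaces while ignoring loopback-only listeners. The sample output and the port policy are constructed for the example.

```python
import re

# Ports from the table above whose exposure warrants an immediate finding
# (constructed policy for this example; adjust to your own baseline).
LEGACY_CLEARTEXT = {21: "FTP", 23: "Telnet"}
DATABASES = {3306: "MySQL", 5432: "PostgreSQL"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss_listeners(output: str):
    """Parse `ss -tlnp` text into dicts: addr, port, exposed, process, pid."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # header row or other state
        addr, _, port = fields[3].rpartition(":")     # handles [::]:80 and 0.0.0.0:22
        m = PROC_RE.search(line)                      # absent when ss runs without root
        rows.append({"addr": addr, "port": int(port),
                     "exposed": addr in WILDCARD_ADDRS,
                     "process": m.group(1) if m else None,
                     "pid": int(m.group(2)) if m else None})
    return rows

def audit_listeners(output: str):
    """Return (port, process, finding) tuples for listeners that deserve attention."""
    findings = []
    for r in parse_ss_listeners(output):
        if not r["exposed"]:
            continue                                  # loopback-only: not reachable remotely
        if r["port"] in LEGACY_CLEARTEXT:
            findings.append((r["port"], r["process"], "legacy cleartext service exposed"))
        elif r["port"] in DATABASES:
            findings.append((r["port"], r["process"], "database exposed on all interfaces"))
        else:
            findings.append((r["port"], r["process"], "review: exposed listener"))
    return findings

# Constructed sample in the format of `ss -tlnp` (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1021,fd=21))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=400,fd=5))
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=1300,fd=7))
LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=700,fd=6))
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```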

Real-World Attack Scenarios

Case Study: The Mirai Botnet (2016)

The Mirai botnet demonstrated the devastating impact of understanding network fundamentals. Attackers scanned the internet for IoT devices with open Telnet ports (23) using default credentials. At its peak, Mirai compromised over 600,000 devices and launched DDoS attacks exceeding 1 Tbps.

The attack was simple: scan for port 23, try default username/password combinations, and add compromised devices to the botnet. This Cloudflare analysis details how basic port scanning and protocol knowledge enabled one of the largest DDoS attacks in history.

Lesson: Knowing which ports indicate vulnerable services is fundamental reconnaissance.

Case Study: SMB and EternalBlue (MS17-010)

The WannaCry ransomware outbreak of 2017 exploited a vulnerability in the SMB protocol (port 445). The EternalBlue exploit, leaked from the NSA, allowed remote code execution on unpatched Windows systems. Within days, it infected over 200,000 computers across 150 countries.

Pentesters who understood SMB's role in Windows networking immediately recognized the significance. Port 445 open to the internet became a critical finding. Microsoft's security bulletin (CVE-2017-0144) documents the vulnerability.

Lesson: Understanding protocol-to-port mappings helps you immediately assess risk when you see open ports.

Case Study: DNS Amplification Attacks

DNS amplification attacks exploit UDP's connectionless nature. Attackers send small DNS queries to open resolvers with a spoofed source IP (the victim's). The DNS servers send large responses to the victim, amplifying the attack traffic by factors of 50x or more.

Understanding that UDP doesn't verify source addresses is key to understanding this attack. CISA's advisory on DNS amplification explains the mechanics and mitigation strategies.

Lesson: Protocol characteristics (like UDP's lack of handshake) directly enable specific attack types.

Defensive Countermeasures

Network Segmentation

Divide networks into segments with controlled access between them. Critical systems should be isolated from general user traffic. VLANs and firewalls create boundaries that limit an attacker's lateral movement.

Defense-in-depth means even if one segment is compromised, others remain protected.

Port and Service Hardening

Close unnecessary ports. Every open port is a potential attack surface. Disable services that aren't required, especially legacy protocols like Telnet (use SSH instead) and FTP (use SFTP or SCP).

Regular port scans of your own infrastructure reveal unexpected exposed services.

Firewall Rules and Access Control

Implement strict ingress and egress filtering. Block all ports by default and only allow what's necessary. Rate-limit connection attempts to prevent scanning and brute force attacks.

Egress filtering prevents compromised systems from establishing outbound connections to attacker infrastructure.

Network Monitoring and IDS/IPS

Deploy intrusion detection systems to identify suspicious traffic patterns. Tools like Snort, Suricata, or Zeek analyze traffic for known attack signatures and anomalies.

Maintain baseline traffic patterns to detect deviations that may indicate reconnaissance or exploitation attempts.

Frequently Asked Questions

What's the difference between TCP and UDP in terms of security?

TCP establishes connections with a three-way handshake, making it harder to spoof source addresses. UDP is connectionless - it doesn't verify who's really sending packets. This makes UDP susceptible to spoofing attacks like DNS amplification. However, TCP connections can be hijacked if an attacker can predict sequence numbers. Both have security implications; the choice depends on the service requirements.

Why do I need to understand network fundamentals if I just want to do web app testing?

Web applications run on networks. Understanding how HTTP works over TCP, what happens during TLS negotiation, how DNS resolves domains - all of this affects your testing. You might discover SSRF vulnerabilities that let you access internal networks, or find that the application leaks internal IP addresses. The best web app testers understand the full stack, from application logic down to packet level.

How many ports are there and which ones should I scan?

There are 65,535 TCP ports and 65,535 UDP ports. Ports 0-1023 are "well-known" ports used by common services. Ports 1024-49151 are "registered" ports. Ports 49152-65535 are dynamic/private. For quick scans, focus on the top 1000 ports (Nmap's default). For thorough assessments, scan all 65,535 TCP ports. UDP scanning is slower, so prioritize known UDP services (53, 67, 123, 161, 500) unless you have time for comprehensive UDP scans.

What's the difference between the OSI model and TCP/IP model?

The OSI model has 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application). The TCP/IP model has 4 layers (Network Access, Internet, Transport, Application). TCP/IP is what the internet actually uses - OSI is more of a conceptual framework. As a pentester, focus on TCP/IP but know OSI references since many security professionals use them. When someone says "Layer 7 attack," they mean application layer (HTTP, etc.).

Can I practice network analysis legally?

You can capture and analyze traffic on networks you own or have explicit permission to test. Your home network is fair game. Set up a lab with virtual machines to practice. Our Packet Pursuit challenge lets you practice analyzing captures in a safe environment. Never capture traffic on networks without authorization - this is illegal in most jurisdictions under wiretapping and computer fraud laws.

🎯 You've Got Network Fundamentals Down!

You now understand the protocols that power every network attack. TCP handshakes, UDP characteristics, port assignments, and packet analysis - these are the building blocks of penetration testing. When you see a port scan result, you understand what's really happening.

