Networking Fundamentals for Ethical Hackers

Ethical hacking is largely about understanding how data moves from one machine to another — and finding the places where that movement can be intercepted, redirected, or abused. You cannot test a network without understanding how it works. This topic gives you the networking foundation every ethical hacker needs.

What Is a Network?

A network is two or more computers connected together so they can share data and resources. Your home Wi-Fi is a network. Your office building's LAN is a network. The internet is the world's largest network — a network of networks.

Every device on a network has an address. Data sent from one device travels in small chunks called packets, each labeled with the sender's address and the destination address. Routers read these labels and decide which path each packet should take to reach its destination.

IP Addresses: The Postal System of the Internet

Every device connected to a network gets an IP address — a unique numerical label that identifies it on that network. Think of it like a home address: without it, nobody knows where to deliver your mail.

IPv4

IPv4 addresses look like four numbers separated by dots: 192.168.1.10. Each number ranges from 0 to 255. IPv4 supports about 4.3 billion unique addresses — a number that seemed enormous in the 1980s but has since run out as billions of devices came online.

IPv6

IPv6 addresses use eight groups of four hexadecimal digits: 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IPv6 supports 340 undecillion addresses — enough for every grain of sand on Earth to have its own address many times over.

Public vs Private IP Addresses

| Type | Example Range | Where Used |
| --- | --- | --- |
| Public IP | 203.0.113.45 | Visible on the internet; assigned by your ISP |
| Private IP | 192.168.x.x / 10.x.x.x | Used inside home or office networks; not routable on the internet |
| Loopback | 127.0.0.1 | Points back to the device itself; used for local testing |

Ports: Doors Into a Device

An IP address gets data to the right machine. A port number gets it to the right application on that machine. Think of a large apartment building: the street address (IP) gets the mail carrier to the building, and the apartment number (port) gets the letter to the right tenant.

There are 65,535 ports. Some are standardized:

  • Port 80 — HTTP (unencrypted web traffic)
  • Port 443 — HTTPS (encrypted web traffic)
  • Port 22 — SSH (secure remote login)
  • Port 21 — FTP (file transfer)
  • Port 25 — SMTP (email sending)
  • Port 53 — DNS (domain name resolution)
  • Port 3389 — RDP (Windows Remote Desktop)

During a penetration test, one of the first tasks is port scanning — finding which ports are open on a target system. An open port means a service is listening there, and a service can have vulnerabilities.

The OSI Model: Seven Layers of Communication

The OSI (Open Systems Interconnection) model breaks down network communication into seven layers. Each layer has a specific job. When data is sent, it passes down through all seven layers on the sender's machine, travels across the network, and passes back up through all seven layers on the receiver's machine.

Ethical hackers think in terms of which layer an attack targets:

| Layer | Name | Job | Attack Example |
| --- | --- | --- | --- |
| 7 | Application | User-facing apps and protocols (HTTP, DNS, FTP) | SQL injection, XSS |
| 6 | Presentation | Data encoding, encryption, compression | SSL stripping |
| 5 | Session | Opens, manages, and closes connections | Session hijacking |
| 4 | Transport | Reliable delivery, ports, error checking (TCP/UDP) | Port scanning, SYN flood |
| 3 | Network | Routing packets between networks (IP) | IP spoofing, route injection |
| 2 | Data Link | Device-to-device delivery on the same network (MAC) | ARP spoofing, MAC flooding |
| 1 | Physical | Cables, signals, hardware | Wiretapping, hardware implants |

TCP vs UDP: Two Ways to Send Data

TCP (Transmission Control Protocol)

TCP is reliable. Before sending data, it performs a three-way handshake to establish a confirmed connection. It checks that all data arrives in the correct order and requests retransmission of anything that goes missing. Web browsing, email, and file transfers use TCP because accuracy matters more than speed.

The three-way handshake works like this:

  1. SYN — The client says: "I want to connect."
  2. SYN-ACK — The server says: "Okay, I acknowledge. Are you ready?"
  3. ACK — The client says: "Ready. Let's go."

A SYN flood attack abuses this handshake: the attacker sends thousands of SYN packets but never completes the handshake. The server holds open thousands of half-finished connections until it runs out of resources.
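
How a defender can spot the half-finished connections described above, as an added example that is not part of the original page: it replays constructed packet records and counts handshakes that never received the final ACK. The record format, addresses, grace period and threshold are assumptions.

```python
from collections import Counter

# Constructed packet records: (time_s, src, dst, sport, dport, flags).
# The tuple format is an assumption; addresses are documentation ranges.
def sample_capture():
    server = "203.0.113.45"
    pkts = [
        # A normal client completes all three steps.
        (0.00, "198.51.100.7", server, 40001, 443, "SYN"),
        (0.01, server, "198.51.100.7", 443, 40001, "SYN-ACK"),
        (0.02, "198.51.100.7", server, 40001, 443, "ACK"),
    ]
    # One source sends 30 SYNs and never answers the SYN-ACKs.
    for i in range(30):
        t = 1.0 + i * 0.01
        pkts.append((t, "192.0.2.99", server, 50000 + i, 443, "SYN"))
        pkts.append((t + 0.001, server, "192.0.2.99", 443, 50000 + i, "SYN-ACK"))
    return sorted(pkts)

def half_open(packets, now, grace=3.0):
    """Count handshakes with a SYN but no final ACK after `grace` seconds.

    Returns (by_source, by_service). The per-service total still rises
    when the SYNs come from many (or spoofed) source addresses.
    """
    pending = {}  # (client, cport, server, sport) -> time the SYN was seen
    for t, src, dst, sport, dport, flags in packets:
        if flags == "SYN":
            pending[(src, sport, dst, dport)] = t
        elif flags in ("ACK", "RST"):
            # A client ACK completes the handshake; a client RST abandons it.
            pending.pop((src, sport, dst, dport), None)
    by_source, by_service = Counter(), Counter()
    for (client, _cport, server, sport), t in pending.items():
        if now - t >= grace:
            by_source[client] += 1
            by_service[(server, sport)] += 1
    return by_source, by_service

def flooded_services(packets, now, threshold=20):
    """Services whose stalled-handshake count meets the alert threshold."""
    _, by_service = half_open(packets, now)
    return sorted(s for s, n in by_service.items() if n >= threshold)

if __name__ == "__main__":
    print(flooded_services(sample_capture(), now=10.0))
```

The per-service count is the one to alert on, because a flood with forged source addresses spreads thinly across the per-source counts.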

UDP (User Datagram Protocol)

UDP is fast but unreliable. It fires packets without checking if they arrive. Video streaming, online gaming, and DNS lookups use UDP because speed matters more than perfect delivery — a slightly choppy video call is better than a two-second delay.

DNS: The Internet's Phone Book

DNS (Domain Name System) translates human-readable domain names into IP addresses. When you type "google.com" into a browser, your computer asks a DNS server: "What is the IP address for google.com?" The DNS server responds with an address like "142.250.190.14" and your browser connects to it.

Ethical hackers frequently target DNS because controlling DNS resolution means controlling where users are sent. DNS attacks include:

  • DNS Cache Poisoning — Injecting a false record into a DNS resolver so it sends users to the wrong IP address.
  • DNS Enumeration — Querying a DNS server to map out all subdomains of a target (mail.example.com, vpn.example.com, dev.example.com), revealing potential attack targets.
  • DNS Tunneling — Encoding data inside DNS queries to bypass firewalls and exfiltrate data from a network that blocks other outbound traffic.
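
Detection logic for the DNS tunneling pattern above, as an added example that is not from the original page: it groups constructed resolver queries by client and parent domain and flags groups whose subdomain labels are numerous, long and high in entropy. The query names, client addresses, thresholds and the naive "last two labels" parent-domain rule are assumptions.

```python
import math
from collections import Counter, defaultdict

B32 = "abcdefghijklmnopqrstuvwxyz234567"

def sample_queries():
    """Constructed (client, qname) pairs; names and addresses are made up."""
    q = [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
         ("10.0.0.8", "vpn.example.com")]
    # Benign control: many distinct but short names under one domain.
    q += [("10.0.0.8", f"img{i}.cdn.example") for i in range(12)]
    # Tunnel-like: each query carries a long, high-entropy label.
    # Rotations of the base32 alphabet stand in for encoded data chunks.
    q += [("10.0.0.9", f"{B32[i:] + B32[:i]}.t.exfil.example") for i in range(12)]
    return q

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspects(queries, min_unique=10, min_len=20, min_entropy=3.5):
    """Flag (client, parent) pairs whose subdomain labels look like payload."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        parent = ".".join(labels[-2:])  # naive; real use needs a public-suffix list
        seen[(client, parent)].add(".".join(labels[:-2]))
    out = []
    for (client, parent), subs in sorted(seen.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        # All three signals must agree: a CDN has many names, but short ones.
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            out.append((client, parent, len(subs)))
    return out

if __name__ == "__main__":
    print(suspects(sample_queries()))
```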

Subnetting: Dividing a Network

Large networks are divided into smaller segments called subnets. Subnetting improves performance, security, and manageability. A hospital might put its patient records system on a separate subnet from its public Wi-Fi. A breach on the Wi-Fi network cannot directly reach the patient records if the subnets are properly isolated.

A subnet mask tells a device which part of an IP address identifies the network and which part identifies the specific device. For example:

  • IP address: 192.168.1.50
  • Subnet mask: 255.255.255.0
  • This means: devices 192.168.1.1 through 192.168.1.254 are all on the same subnet.

Ethical hackers use subnet information to understand the scope of a target network and identify which systems are reachable from a compromised machine.
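
The mask arithmetic behind the example above, worked through in code as an added example (not from the original page). It goes beyond the 255.255.255.0 case to any contiguous mask; the function names and the second mask, 255.255.255.192, are assumptions chosen to show how a tighter mask changes which hosts share a segment.

```python
def to_int(dotted):
    """Dotted-quad string -> 32-bit integer, rejecting malformed input."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(ip, mask):
    """Split an address into network and host parts using the mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    host_bits = ~mask_i & 0xFFFFFFFF      # 1s mark the host part
    if host_bits & (host_bits + 1):       # host part must be one run of 1s
        raise ValueError(f"non-contiguous mask: {mask}")
    network = ip_i & mask_i               # AND keeps only the network part
    broadcast = network | host_bits       # every host bit set
    prefix = bin(mask_i).count("1")
    # /31 and /32 have no separate network/broadcast address to exclude.
    first, last = ((network, broadcast) if prefix >= 31
                   else (network + 1, broadcast - 1))
    return {"network": to_dotted(network), "prefix": prefix,
            "broadcast": to_dotted(broadcast),
            "first_host": to_dotted(first), "last_host": to_dotted(last)}

def same_subnet(a, b, mask):
    """Two hosts share a subnet when their network parts are equal."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)

if __name__ == "__main__":
    print(subnet_info("192.168.1.50", "255.255.255.0"))
    print(subnet_info("192.168.1.50", "255.255.255.192"))
    # Same /24, but different segments once the mask is 255.255.255.192.
    print(same_subnet("192.168.1.50", "192.168.1.200", "255.255.255.192"))
```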

Common Network Devices and Their Security Roles

Router

A router connects different networks and directs traffic between them. Routers use routing tables to decide where each packet should go. Misconfigured routers can expose internal networks to the internet or allow attackers to redirect traffic.

Switch

A switch connects multiple devices within the same network. It reads MAC addresses and delivers packets only to the intended device. Attackers use MAC flooding to overwhelm a switch's address table, forcing it to broadcast packets to all devices — making traffic visible to anyone sniffing the network.

Firewall

A firewall filters network traffic based on rules. It allows or blocks traffic based on IP addresses, ports, and protocols. A firewall is not impenetrable — ethical hackers test firewall rules to find permitted paths that could be exploited.

IDS and IPS

An Intrusion Detection System (IDS) monitors traffic and alerts administrators when suspicious patterns appear. An Intrusion Prevention System (IPS) does the same but also takes action — blocking traffic that matches attack signatures. Ethical hackers test whether the IDS/IPS detects their scanning and exploitation techniques.

Key Points

  • IP addresses identify devices on a network; ports identify services on those devices.
  • The OSI model has seven layers — ethical hackers target attacks at specific layers.
  • TCP ensures reliable delivery through a three-way handshake; UDP prioritizes speed without confirmation.
  • DNS translates domain names to IP addresses and is a frequent target for manipulation.
  • Subnets segment networks for security; understanding subnets helps an ethical hacker map a target environment.
  • Routers, switches, firewalls, and IDS/IPS all have security implications an ethical hacker must understand and test.
