Network Fundamentals for Pentesters: The Complete Beginner's Guide

Every penetration test begins with the network. Whether you’re attacking a web application, compromising Active Directory, or pivoting through cloud infrastructure, you need to understand how data flows between systems. This guide covers everything a beginner pentester needs to know about networking.

This is Part 0 of the pentesting series - the foundation everything else builds on.

Quick Reference

Essential Commands

Task	Command
Ping a host	`ping -c 4 10.10.10.1`
Trace route	`traceroute 10.10.10.1`
DNS lookup	`nslookup target.com`
Reverse DNS	`dig -x 10.10.10.1`
Quick port scan	`nmap -sV 10.10.10.1`
Full port scan	`nmap -p- 10.10.10.1`
Capture packets	`tcpdump -i eth0 -w capture.pcap`
Listen on port	`nc -lvnp 4444`
Connect to port	`nc 10.10.10.1 80`
Check open ports	`netstat -tuln`

Ports Every Pentester Must Know

Port	Service	Why It Matters
21	FTP	Anonymous access, clear-text creds
22	SSH	Brute force, key-based auth bypass
23	Telnet	Clear-text everything
25	SMTP	Mail relay, user enumeration
53	DNS	Zone transfers, cache poisoning
80	HTTP	Web vulnerabilities
110	POP3	Email access, clear-text creds
111	RPCbind	NFS enumeration
135	MSRPC	Windows RPC attacks
139	NetBIOS	Legacy Windows shares
143	IMAP	Email access
443	HTTPS	Web vulnerabilities
445	SMB	EternalBlue, null sessions, shares
1433	MSSQL	Database attacks
1521	Oracle	Database attacks
3306	MySQL	Database attacks
3389	RDP	Brute force, BlueKeep
5432	PostgreSQL	Database attacks
5900	VNC	Weak auth, screenshots
8080	HTTP-Alt	Web proxies, alt web servers

1. Why Networking Matters for Pentesters

TL;DR: You can’t hack what you can’t reach. Networking knowledge lets you find targets, understand traffic, and move through networks undetected.

Why Pentesters Care:

Reconnaissance - Finding live hosts and open services
Traffic analysis - Intercepting credentials and sensitive data
Lateral movement - Pivoting through network segments
Evasion - Understanding how firewalls and IDS work

Real-World Example: The Target Breach (2013)

Attackers compromised Target through an HVAC vendor’s network access. They then:

Scanned the internal network to find POS systems
Used SMB to move laterally between systems
Exfiltrated 40 million credit cards over standard HTTP/DNS

Network knowledge used: Internal scanning, SMB lateral movement, data exfiltration tunneling

Impact: $162 million in breach costs

After this guide, you’ll be able to:

Scan networks and identify live hosts
Find open ports and running services
Capture and analyze network traffic
Understand how data travels between systems
Identify common network misconfigurations

2. The OSI Model (Simplified)

TL;DR: The OSI model has 7 layers describing how data travels. Pentesters mostly work at Layers 2-4 (data link, network, transport) and Layer 7 (application).

Think of sending a letter:

You write the message (Layer 7 - Application)
Put it in an envelope with an address (Layer 3 - Network)
The postal service routes it (Layer 2 - Data Link)
Physical trucks carry it (Layer 1 - Physical)

The 7 Layers

Layer	Name	What It Does	Pentester Focus
7	Application	HTTP, DNS, FTP, SSH	Web attacks, service exploits
6	Presentation	SSL/TLS, encryption	Certificate attacks, downgrade
5	Session	Session management	Session hijacking
4	Transport	TCP/UDP, ports	Port scanning, firewall bypass
3	Network	IP addressing, routing	IP spoofing, routing attacks
2	Data Link	MAC addresses, switches	ARP spoofing, VLAN hopping
1	Physical	Cables, signals	Physical access attacks

Which Layers Pentesters Attack Most

Attack	Detect	Defend
Layer 2: ARP spoofing to intercept traffic	Monitor for ARP anomalies, duplicate MACs	Use static ARP entries, 802.1X
Layer 3: IP spoofing, ICMP redirects	Ingress filtering, monitor routing changes	Implement BCP38, disable ICMP redirects
Layer 4: Port scanning, SYN floods	IDS alerts on scan patterns	Firewall rules, SYN cookies
Layer 7: SQL injection, XSS, RCE	WAF, application logs	Input validation, secure coding

Testing Checklist

Identify which OSI layer a vulnerability exists at
Understand what tools work at each layer
Know which layer firewalls/IDS inspect

3. TCP/IP Fundamentals

TL;DR: TCP is reliable (web, email, file transfers). UDP is fast (DNS, video, gaming). The three-way handshake (SYN → SYN-ACK → ACK) establishes TCP connections.

TCP vs UDP

Feature	TCP	UDP
Connection	Connection-oriented	Connectionless
Reliability	Guaranteed delivery	Best effort
Speed	Slower (overhead)	Faster
Use cases	HTTP, SSH, FTP, SMTP	DNS, DHCP, VoIP, streaming
Scanning	SYN scan, connect scan	UDP scan (slower)

The Three-Way Handshake

Client                    Server
   |                         |
   |   ----SYN---->          |   "Hey, want to talk?"
   |   <---SYN-ACK---        |   "Sure, I'm listening"
   |   ----ACK---->          |   "Great, let's go"
   |                         |
   |   [Connection Open]     |

Why pentesters care: Understanding the handshake helps you:

Interpret nmap scan results (SYN scan vs connect scan)
Understand firewall rules (stateful vs stateless)
Perform SYN flood attacks (for authorized stress testing)

Common TCP Flags

Flag	Name	Meaning
SYN	Synchronize	Start connection
ACK	Acknowledge	Confirm receipt
FIN	Finish	Close connection
RST	Reset	Abort connection
PSH	Push	Send data immediately
URG	Urgent	Priority data

Testing Checklist

Capture a TCP handshake with Wireshark
Identify TCP vs UDP services on a target
Understand why UDP scans are slower
Recognize RST packets (port closed/filtered)

Commands

Capture TCP handshake

# Start capture
tcpdump -i eth0 -w handshake.pcap host 10.10.10.1

# In another terminal, initiate connection
nc -v 10.10.10.1 80

# Analyze in Wireshark
wireshark handshake.pcap

Filter TCP flags in Wireshark

# Show only SYN packets
tcp.flags.syn == 1 && tcp.flags.ack == 0

# Show only RST packets
tcp.flags.reset == 1

# Show handshake for specific host
ip.addr == 10.10.10.1 && tcp.flags.syn == 1

4. IP Addressing & Subnetting

TL;DR: IPv4 addresses are 32-bit numbers (e.g., 192.168.1.1). Private ranges (10.x, 172.16-31.x, 192.168.x) are used internally. CIDR notation (/24 = 256 addresses) defines network size.

IPv4 Address Structure

An IP address has 4 octets: 192.168.1.100

192    .    168    .    1      .    100
[octet 1]  [octet 2]  [octet 3]  [octet 4]
   Network portion    |    Host portion
        (depends on subnet mask)

Private vs Public IP Ranges

Private ranges (not routable on internet - used internally):

Range	CIDR	Typical Use
10.0.0.0 - 10.255.255.255	10.0.0.0/8	Large enterprises
172.16.0.0 - 172.31.255.255	172.16.0.0/12	Medium networks
192.168.0.0 - 192.168.255.255	192.168.0.0/16	Home/small office

Why pentesters care: When you’re inside a network, you’re usually in a private range. Understanding this helps you identify network boundaries.

CIDR Notation Cheat Sheet

CIDR	Subnet Mask	# of Hosts	Example
/32	255.255.255.255	1	Single host
/24	255.255.255.0	254	192.168.1.0/24
/16	255.255.0.0	65,534	192.168.0.0/16
/8	255.0.0.0	16,777,214	10.0.0.0/8

Quick calculation: 2^(32-CIDR) - 2 = usable hosts

/24 = 2^8 - 2 = 254 hosts
/16 = 2^16 - 2 = 65,534 hosts

Testing Checklist

Identify your current IP: ip addr or ifconfig
Determine the network range you’re in
Calculate how many hosts are in the subnet
Identify the gateway: ip route or route -n

Commands

Find your network info

# Linux
ip addr show
ip route show

# Or traditional
ifconfig
route -n

# Windows
ipconfig /all
route print

Expected output:

eth0: inet 192.168.1.100/24
      gateway 192.168.1.1

# This means:
# - Your IP: 192.168.1.100
# - Network: 192.168.1.0/24 (192.168.1.1 - 192.168.1.254)
# - Gateway: 192.168.1.1

Calculate subnet range

# Using ipcalc
ipcalc 192.168.1.0/24

# Output shows:
# Network:   192.168.1.0/24
# Broadcast: 192.168.1.255
# HostMin:   192.168.1.1
# HostMax:   192.168.1.254
# Hosts:     254

5. Ports & Services

TL;DR: Ports are numbered endpoints (0-65535) where services listen. Well-known ports (0-1023) are reserved for common services. Finding open ports is step one of every pentest.

Understanding Ports

Think of an IP address as a building address, and ports as apartment numbers:

IP address: Which building (192.168.1.100)
Port: Which apartment (port 80)
Together: Full destination (192.168.1.100:80)

Port Ranges

Range	Name	Examples
0-1023	Well-known	HTTP (80), SSH (22), DNS (53)
1024-49151	Registered	MySQL (3306), RDP (3389)
49152-65535	Dynamic/Private	Ephemeral client ports

Service Banners

Services often reveal version information in their banners:

$ nc 10.10.10.1 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

$ nc 10.10.10.1 21
220 (vsFTPd 3.0.3)

Why pentesters care: Version info helps you find exploits. “OpenSSH 7.2” might be vulnerable to user enumeration (CVE-2016-6210).

Attack	Detect	Defend
Port scan to find services	IDS alerts on scan patterns	Firewall restrict unnecessary ports
Banner grab for versions	Log connection attempts	Disable version banners
Exploit vulnerable versions	Monitor for known exploit signatures	Patch management
Default credential checks	Alert on auth failures	Change default passwords

Testing Checklist

Scan target for open ports
Grab banners for version info
Research CVEs for discovered versions
Check for default credentials
Test non-standard ports (8080, 8443, 8888)

Commands

Port scanning with nmap

# Quick scan (top 1000 ports)
nmap 10.10.10.1

# Version detection
nmap -sV 10.10.10.1

# All ports
nmap -p- 10.10.10.1

# Specific ports
nmap -p 21,22,80,443,445,3389 10.10.10.1

# UDP scan (slower)
nmap -sU --top-ports 20 10.10.10.1

Expected nmap output:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp  open  http    Apache httpd 2.4.41
443/tcp open  ssl/http Apache httpd 2.4.41
445/tcp open  smb     Samba 4.11.6-Ubuntu

Manual banner grabbing

# Using netcat
nc -v 10.10.10.1 22
nc -v 10.10.10.1 80

# Using telnet
telnet 10.10.10.1 25

# HTTP banner
curl -I http://10.10.10.1

6. Common Protocols Deep Dive

TL;DR: Know these protocols inside and out. Each one has common misconfigurations and attack vectors that pentesters exploit regularly.

DNS (Port 53)

What it does: Translates domain names to IP addresses

Common attacks:

Zone transfer (get all DNS records)
DNS cache poisoning
Subdomain enumeration

Attack	Detect	Defend
Zone transfer (AXFR)	Log zone transfer requests	Restrict AXFR to authorized IPs
Subdomain brute force	Alert on high query volume	Rate limit DNS queries
DNS tunneling for exfil	Monitor for unusual query patterns	Inspect DNS payload sizes

DNS Commands

# Basic lookup
nslookup target.com
dig target.com

# Zone transfer attempt
dig axfr @ns1.target.com target.com

# Reverse lookup
dig -x 10.10.10.1

# Find mail servers
dig MX target.com

# Find name servers
dig NS target.com

# Subdomain enumeration
gobuster dns -d target.com -w /usr/share/wordlists/subdomains.txt

Zone transfer success (vulnerable):

; <<>> DiG 9.16.1 <<>> axfr @ns1.target.com target.com
target.com.     IN  SOA   ns1.target.com. admin.target.com.
target.com.     IN  NS    ns1.target.com.
dev.target.com. IN  A     10.10.10.50
admin.target.com. IN A    10.10.10.51

HTTP/HTTPS (Ports 80/443)

What it does: Web traffic - the most common attack surface

Common attacks:

Web vulnerabilities (SQLi, XSS, etc.)
Directory enumeration
Virtual host discovery

Attack	Detect	Defend
Directory brute force	WAF, log 404 patterns	Disable directory listing
Virtual host enumeration	Monitor Host header variations	Restrict vhost access
SSL/TLS downgrade	Monitor for weak cipher usage	Enforce TLS 1.2+, HSTS

HTTP Commands

# Get headers
curl -I http://target.com

# Follow redirects
curl -L http://target.com

# Check SSL certificate
openssl s_client -connect target.com:443

# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Virtual host enumeration
gobuster vhost -u http://target.com -w /usr/share/wordlists/vhosts.txt

# Check for common files
curl http://target.com/robots.txt
curl http://target.com/.git/HEAD
curl http://target.com/sitemap.xml

FTP (Port 21)

What it does: File transfer (often insecure)

Common attacks:

Anonymous login
Clear-text credential sniffing
Directory traversal

Attack	Detect	Defend
Anonymous login	Alert on anonymous auth	Disable anonymous access
Credential sniffing	N/A (clear-text by design)	Use SFTP/FTPS instead
Bounce attack	Monitor PORT commands	Disable FTP bounce

FTP Commands

# Connect
ftp 10.10.10.1

# Anonymous login attempt
ftp 10.10.10.1
> Name: anonymous
> Password: anonymous@test.com

# Using nmap scripts
nmap --script ftp-anon,ftp-bounce,ftp-vuln* -p 21 10.10.10.1

# Download all files (if anonymous works)
wget -r ftp://anonymous:anon@10.10.10.1/

Anonymous login success:

Connected to 10.10.10.1.
220 (vsFTPd 3.0.3)
Name: anonymous
331 Please specify the password.
Password: [anything]
230 Login successful.    <-- VULNERABLE

SSH (Port 22)

What it does: Secure remote shell access

Common attacks:

Password brute force
Key-based auth bypass
User enumeration (older versions)

Attack	Detect	Defend
Password brute force	Alert on failed logins	Use key-based auth, fail2ban
User enumeration	Monitor for timing attacks	Patch OpenSSH
Weak key exploitation	N/A	Use strong key algorithms

SSH Commands

# Banner grab
nc -v 10.10.10.1 22

# Check supported algorithms
nmap --script ssh2-enum-algos -p 22 10.10.10.1

# Brute force (authorized testing only)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.1

# Check for auth methods
nmap --script ssh-auth-methods -p 22 10.10.10.1

SMB (Port 445)

What it does: Windows file sharing, Active Directory communication

Common attacks:

Null session enumeration
EternalBlue (MS17-010)
Password spraying
Relay attacks

Attack	Detect	Defend
Null session	Log anonymous connections	Disable null sessions
EternalBlue	IDS signatures	Patch MS17-010
SMB relay	Monitor NTLM auth patterns	SMB signing required
Share enumeration	Log share access	Restrict share permissions

SMB Commands

# Enumerate shares (null session)
smbclient -L //10.10.10.1 -N

# Connect to share
smbclient //10.10.10.1/share -N

# Enumerate with credentials
smbclient -L //10.10.10.1 -U 'user%password'

# Using enum4linux
enum4linux -a 10.10.10.1

# Using crackmapexec
crackmapexec smb 10.10.10.1 --shares
crackmapexec smb 10.10.10.1 -u '' -p '' --shares

# Check for EternalBlue
nmap --script smb-vuln-ms17-010 -p 445 10.10.10.1

Null session success:

$ smbclient -L //10.10.10.1 -N
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
Public          Disk      Public Files    <-- Accessible!

RDP (Port 3389)

What it does: Windows remote desktop

Common attacks:

Password brute force
BlueKeep (CVE-2019-0708)
Session hijacking

Attack	Detect	Defend
Brute force	Alert on failed logins	Account lockout, NLA
BlueKeep	IDS signatures	Patch CVE-2019-0708
Credential theft	N/A	Use MFA, certificates

RDP Commands

# Check if RDP is open
nmap -p 3389 --script rdp-enum-encryption 10.10.10.1

# Check for BlueKeep
nmap -p 3389 --script rdp-vuln-ms12-020 10.10.10.1

# Brute force (authorized testing only)
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.1

# Connect
xfreerdp /u:user /p:password /v:10.10.10.1
rdesktop 10.10.10.1

SMTP (Port 25)

What it does: Email sending

Common attacks:

User enumeration (VRFY, EXPN)
Open relay
Email spoofing

Attack	Detect	Defend
User enumeration	Log VRFY/EXPN commands	Disable VRFY/EXPN
Open relay	Monitor for relay attempts	Restrict relay
Spoofing	SPF/DKIM failures	Implement SPF, DKIM, DMARC

SMTP Commands

# Connect
nc 10.10.10.1 25

# User enumeration
VRFY admin
VRFY root
EXPN admin

# Check for open relay
HELO test.com
MAIL FROM:<test@evil.com>
RCPT TO:<victim@gmail.com>

# Using nmap
nmap --script smtp-commands,smtp-enum-users,smtp-open-relay -p 25 10.10.10.1

User enumeration success:

VRFY admin
252 2.0.0 admin    <-- User exists

VRFY notexist
550 5.1.1 <notexist>: Recipient address rejected

SNMP (Port 161)

What it does: Network device management

Common attacks:

Default community strings
Information disclosure
Configuration extraction

Attack	Detect	Defend
Community string guessing	Alert on failed auth	Change default strings
MIB walking	Log SNMP queries	Restrict SNMP access
Config extraction	Monitor for bulk requests	Use SNMPv3 with auth

SNMP Commands

# Scan for SNMP
nmap -sU -p 161 10.10.10.1

# Community string brute force
onesixtyone -c /usr/share/wordlists/snmp-community.txt 10.10.10.1

# Walk MIB with community string
snmpwalk -v1 -c public 10.10.10.1
snmpwalk -v2c -c public 10.10.10.1

# Get system info
snmpwalk -v2c -c public 10.10.10.1 system

Default community string success:

$ snmpwalk -v2c -c public 10.10.10.1 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 5.4.0-42-generic
SNMPv2-MIB::sysName.0 = STRING: webserver01
SNMPv2-MIB::sysLocation.0 = STRING: Server Room 3

ARP (Layer 2)

What it does: Maps IP addresses to MAC addresses on local network

Common attacks:

ARP spoofing (MITM)
ARP cache poisoning

Attack	Detect	Defend
ARP spoofing	Monitor for duplicate MACs	Static ARP entries, 802.1X
Cache poisoning	IDS alerts on gratuitous ARP	DAI (Dynamic ARP Inspection)

ARP Commands

# View ARP cache
arp -a
ip neigh show

# ARP scan local network
arp-scan -l
nmap -sn 192.168.1.0/24

# ARP spoofing (authorized testing only)
# Requires: arpspoof (dsniff package)
# Tell victim that attacker is the gateway
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
# Tell gateway that attacker is the victim
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100

7. Network Devices

TL;DR: Routers move traffic between networks, switches move traffic within networks, firewalls filter traffic. Each can be misconfigured.

Routers

What they do: Connect different networks, make routing decisions

Pentester concerns:

Default credentials on management interfaces
Routing table manipulation
SNMP information disclosure

Switches

What they do: Connect devices within a network, forward frames by MAC

Pentester concerns:

VLAN hopping
MAC flooding
Port security bypass

Firewalls

What they do: Filter traffic based on rules

Pentester concerns:

Rule bypass techniques
Stateful vs stateless
Application-layer filtering gaps

Device	Attack Vector	Detection	Defense
Router	Default creds, SNMP	Login alerts, SNMP logs	Strong passwords, disable SNMP
Switch	VLAN hopping, MAC flood	Port security alerts	802.1X, port security
Firewall	Rule bypass, tunneling	Deep packet inspection	Egress filtering, app-aware FW

Testing Checklist

Identify network devices (traceroute, TTL analysis)
Check for management interfaces (80, 443, 22, 23)
Test default credentials
Check SNMP (community strings)
Identify firewall rules (blocked vs filtered ports)

8. Essential Network Tools

TL;DR: Master these tools: nmap (scanning), netcat (connections), Wireshark (packet analysis), tcpdump (command-line capture).

nmap - Network Scanner

Purpose: Port scanning, service detection, OS fingerprinting

# Host discovery
nmap -sn 192.168.1.0/24

# Quick port scan
nmap 10.10.10.1

# Version detection + scripts
nmap -sV -sC 10.10.10.1

# All ports
nmap -p- 10.10.10.1

# UDP scan
nmap -sU --top-ports 20 10.10.10.1

# Aggressive scan (noisy)
nmap -A 10.10.10.1

# Stealth SYN scan
nmap -sS 10.10.10.1

# Output to file
nmap -oA scan_results 10.10.10.1

netcat - Swiss Army Knife

Purpose: Connect to ports, transfer files, create shells

# Connect to port
nc -v 10.10.10.1 80

# Listen on port
nc -lvnp 4444

# Transfer file (receiver)
nc -lvnp 4444 > received_file

# Transfer file (sender)
nc 10.10.10.1 4444 < file_to_send

# Simple port scan
nc -zv 10.10.10.1 20-100

# Banner grab
echo "" | nc -v 10.10.10.1 22

Wireshark - Packet Analysis

Purpose: Capture and analyze network traffic

Common filters:

# Filter by IP
ip.addr == 10.10.10.1

# Filter by port
tcp.port == 80

# HTTP traffic only
http

# DNS traffic
dns

# Follow TCP stream
Right-click packet → Follow → TCP Stream

# Find passwords
http.request.method == "POST"

# FTP credentials
ftp.request.command == "USER" || ftp.request.command == "PASS"

tcpdump - Command-Line Capture

Purpose: Capture packets from command line

# Capture all traffic
tcpdump -i eth0

# Capture to file
tcpdump -i eth0 -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Filter by host
tcpdump -i eth0 host 10.10.10.1

# Filter by port
tcpdump -i eth0 port 80

# Filter by network
tcpdump -i eth0 net 192.168.1.0/24

# Show ASCII content
tcpdump -i eth0 -A port 80

# Verbose output
tcpdump -i eth0 -vvv host 10.10.10.1

Other Essential Tools

Tool	Purpose	Basic Usage
ping	Test connectivity	`ping -c 4 10.10.10.1`
traceroute	Map network path	`traceroute 10.10.10.1`
dig	DNS queries	`dig target.com ANY`
nslookup	DNS queries	`nslookup target.com`
whois	Domain info	`whois target.com`
arp-scan	Local network scan	`arp-scan -l`

9. Network Enumeration Methodology

TL;DR: Follow a systematic approach: discover hosts → scan ports → enumerate services → fingerprint OS. Document everything.

Phase 1: Host Discovery

Goal: Find live hosts on the network

# Ping sweep
nmap -sn 192.168.1.0/24

# ARP scan (faster on local network)
arp-scan -l

# Ping sweep with no DNS resolution
nmap -sn -n 192.168.1.0/24

Phase 2: Port Scanning

Goal: Find open ports on discovered hosts

# Quick scan (top 1000)
nmap 10.10.10.1

# Full port scan
nmap -p- 10.10.10.1

# Faster full scan
nmap -p- --min-rate 1000 10.10.10.1

# Top 100 UDP ports
nmap -sU --top-ports 100 10.10.10.1

Phase 3: Service Enumeration

Goal: Identify services and versions

# Version detection
nmap -sV -p 22,80,443,445 10.10.10.1

# Version + default scripts
nmap -sV -sC -p 22,80,443,445 10.10.10.1

# All enumeration scripts
nmap -sV --script=default,vuln -p 22,80,443,445 10.10.10.1

Phase 4: OS Fingerprinting

Goal: Identify the operating system

# OS detection
nmap -O 10.10.10.1

# Aggressive OS detection
nmap -O --osscan-guess 10.10.10.1

# Combined scan
nmap -A 10.10.10.1

Enumeration Testing Checklist

Discover all live hosts in scope
Scan all TCP ports on each host
Scan top UDP ports
Identify all services and versions
Fingerprint operating systems
Document findings with screenshots
Research vulnerabilities for each service

10. Packet Analysis Basics

TL;DR: Capture traffic with tcpdump/Wireshark, filter for interesting data, look for credentials and sensitive information in clear text.

What to Look For

Protocol	What to Capture	How to Find It
HTTP	Credentials, cookies	`http.request.method == "POST"`
FTP	Username/password	`ftp.request.command == "USER"`
Telnet	Everything	`telnet`
SMTP	Credentials, emails	`smtp`
DNS	Internal hostnames	`dns`
SMB	Hashes, file access	`smb` or `smb2`

Useful Wireshark Filters

# Show only HTTP POST requests (where passwords usually are)
http.request.method == "POST"

# Show DNS queries
dns.qry.name

# Find specific string in packets
frame contains "password"

# Show failed TCP connections (RST)
tcp.flags.reset == 1

# Show only traffic to/from specific IP
ip.addr == 10.10.10.1

# Exclude noise (broadcast, etc.)
!(arp or icmp or dns)

# Show credentials in HTTP Basic auth
http.authorization

Testing Checklist

Capture traffic on active network
Filter for HTTP POST requests
Look for clear-text credentials
Identify internal hostnames from DNS
Export interesting packets for reports

Capture Session Example

# Start capture (run as root)
tcpdump -i eth0 -w capture.pcap

# Do some activities that generate traffic...
# Stop with Ctrl+C

# Analyze with Wireshark
wireshark capture.pcap

# Or quick analysis with tcpdump
tcpdump -r capture.pcap -A | grep -i "password\|user\|login"

11. Common Network Attacks (Overview)

TL;DR: Preview of attacks you’ll learn in depth. ARP spoofing for MITM, DNS poisoning for redirection, packet sniffing for credential theft.

ARP Spoofing

What: Pretend to be another device on the network How: Send fake ARP replies to associate your MAC with victim’s IP Result: Traffic meant for victim comes to you (Man-in-the-Middle)

DNS Poisoning

What: Provide fake DNS responses How: Intercept DNS queries and respond with malicious IP Result: Victim visits attacker-controlled server instead of legitimate site

Man-in-the-Middle (MITM)

What: Position yourself between victim and destination How: ARP spoofing, DNS poisoning, rogue access point Result: See/modify all traffic between victim and destination

Port Scan Evasion

What: Avoid detection while scanning How: Slow scans, fragmentation, decoys Result: Enumerate targets without triggering IDS

Attack	Tools	Defense
ARP Spoofing	arpspoof, ettercap, bettercap	Static ARP, 802.1X, DAI
DNS Poisoning	dnsspoof, ettercap	DNSSEC, DoH/DoT
MITM	mitmproxy, Burp Suite	HTTPS, certificate pinning
Packet Sniffing	Wireshark, tcpdump	Encryption, segmentation

Note: These attacks are covered in detail in dedicated articles. This is just an overview.

12. Practice Labs

TL;DR: Practice these skills in safe, legal environments. Never test on networks you don’t own or have authorization for.

TryHackMe Rooms (Free)

Room	Focus
Intro to Networking	OSI model, protocols
Nmap	Port scanning
Wireshark 101	Packet analysis
Network Services	FTP, SMB, Telnet, NFS
Network Services 2	NFS, SMTP, MySQL

HackTheBox (Starting Point)

Meow - Telnet basics
Fawn - FTP enumeration
Dancing - SMB enumeration
Redeemer - Redis enumeration
Explosion - RDP access

Home Lab Setup

# Create isolated network with VirtualBox/VMware
# Download vulnerable VMs:
- Metasploitable 2/3
- DVWA (Damn Vulnerable Web Application)
- VulnHub machines

# Capture traffic between VMs
# Practice scanning, enumeration, analysis

Wireshark Practice

Download sample capture files:

Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures
Malware Traffic Analysis: https://www.malware-traffic-analysis.net/

13. Glossary

Term	Definition
ARP	Address Resolution Protocol - maps IP to MAC addresses
Broadcast	Message sent to all devices on network segment
CIDR	Classless Inter-Domain Routing - notation for IP ranges (e.g., /24)
DHCP	Dynamic Host Configuration Protocol - assigns IP addresses automatically
DNS	Domain Name System - translates names to IP addresses
Firewall	Device that filters network traffic based on rules
Gateway	Device that routes traffic between networks (usually the router)
ICMP	Internet Control Message Protocol - used by ping, traceroute
MAC Address	Media Access Control - hardware address (Layer 2)
NAT	Network Address Translation - maps private IPs to public
Packet	Unit of data sent over a network
Port	Numbered endpoint where services listen (0-65535)
Protocol	Rules for communication (TCP, UDP, HTTP, etc.)
Router	Device that forwards packets between networks
Subnet	Logical division of an IP network
Switch	Device that forwards frames within a network (Layer 2)
TCP	Transmission Control Protocol - reliable, connection-oriented
TTL	Time to Live - packet hop limit
UDP	User Datagram Protocol - fast, connectionless
VLAN	Virtual LAN - logical network segmentation

What’s Next?

Now that you understand networking fundamentals, you’re ready for:

Active Directory Attack Path - Apply network knowledge to AD environments
Web Application Pentesting - HTTP deep dive and web vulnerabilities
Linux Privilege Escalation - Post-exploitation on Linux
Windows Privilege Escalation - Post-exploitation on Windows

Questions or feedback? Open an issue on GitHub.