🌱 Beginner

Networking Basics

The internet is built on layers of abstraction. To exploit it, you must peel back these layers.

The OSI Model

The Open Systems Interconnection (OSI) model describes how computer systems communicate. Hackers use this to categorize attacks (e.g., "Layer 7 DDoS" vs "Layer 2 ARP Spoofing").

Memory Trick

Please Do Not Throw Sausage Pizza Away (Physical, Data Link, Network, Transport, Session, Presentation, Application) - from bottom to top.

| Layer | Name | Function | Protocols | Attack Examples |
|---|---|---|---|---|
| 7 | Application | End-user processes | HTTP, SSH, FTP, DNS, SMTP | SQLi, XSS, RCE |
| 6 | Presentation | Data formatting/encryption | SSL/TLS, JPEG, ASCII | SSL Stripping, Padding Oracle |
| 5 | Session | Connections between apps | NetBIOS, RPC, SMB | Session Hijacking |
| 4 | Transport | End-to-end connections | TCP, UDP | SYN Flood, Port Scanning |
| 3 | Network | Routing and addressing | IP, ICMP, IPSec | IP Spoofing, Smurf Attack |
| 2 | Data Link | Physical addressing | Ethernet, ARP, Wi-Fi | ARP Spoofing, MAC Flooding |
| 1 | Physical | Raw bit stream | Cables, Hubs, Radio | Wiretapping, Jamming |

IP Addressing (Layer 3)

An IP address is a logical identifier for a device on a network. Unlike MAC addresses, IPs can be changed and are used for routing across networks.

IPv4

32-bit address, written as 4 octets (0-255 each).

192.168.1.1

~4.3 billion addresses (exhausted)

IPv6

128-bit address, hexadecimal notation.

2001:0db8:85a3::8a2e:0370:7334

340 undecillion addresses

Private IP Ranges (RFC 1918)

These addresses are NOT routable on the public internet. You'll see them on every internal network.

| Class | Range | CIDR | Hosts | Common Use |
|---|---|---|---|---|
| A | 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | 16M+ | Large enterprises |
| B | 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | 1M+ | Medium organizations |
| C | 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | 65K | Home/Small office |

Pentest Tip

When you land on a target, immediately check the IP range. 10.x.x.x often means a large corporate network with many subnets to explore. 192.168.x.x is typically a smaller, flatter network.

MAC Addresses (Layer 2)

A Media Access Control (MAC) address is a hardware identifier burned into the network interface card (NIC). It is used for communication within the same local network segment (LAN).

00:1A:2B:3C:4D:5E

00:1A:2B - OUI (Vendor ID): identifies manufacturer
3C:4D:5E - NIC specific: unique to device

Useful Commands

# View your MAC address
ip link show          # Linux
ipconfig /all         # Windows
ifconfig              # macOS

# View ARP cache (IP to MAC mappings)
arp -a                # All platforms
ip neigh show         # Linux modern

# Spoof MAC address (Linux)
ip link set dev eth0 down
ip link set dev eth0 address XX:XX:XX:XX:XX:XX
ip link set dev eth0 up

Hacker Note

MAC addresses can be easily spoofed! Never rely on MAC filtering for security. It's trivial to bypass by sniffing allowed MACs and cloning them.

ARP: The Bridge Between L2 and L3

Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. When a device wants to communicate with another on the LAN, it asks: "Who has IP X.X.X.X? Tell me your MAC."

ARP Spoofing Attack (Man-in-the-Middle)

  1. Attacker sends fake ARP replies: "192.168.1.1 is at AA:BB:CC:DD:EE:FF" (attacker's MAC)
  2. Victim's ARP cache is poisoned - traffic intended for the gateway goes to the attacker
  3. Attacker forwards traffic to the real gateway (invisible interception)
  4. All victim traffic can now be sniffed, modified, or blocked

# Using arpspoof (dsniff)
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
