Network Basics for Hackers, TCP/IP: Part 1

Network Basics

Welcome back, my aspiring cyberwarriors!

Many of you who aspire to a career in cybersecurity have written me asking whether networking is a key hacker skill. The answer is an unequivocal YES! You are very unlikely to be successful in this field without a fundamental understanding of networks and networking. As a result, I have endeavored to create a series of tutorial s here to close this knowledge gap. In addition, my Network Basics for Hackers book is in the works!

 

IP Addresses

Internet Protocol addresses (IP addresses) makes the world go ’round. Or, at least, enable us to email, Skype, and navigate the web. It’s almost as important as the world going around!

Each digital device (computer, laptop, phone, tablet, etc.) is assigned an IP address, and this is what enables us to communicate and connect with it. Imagine an IP address as similar to your house address. Without that address, no one could find you and send you snail mail.

The IP address system we are presently using is known as IP version 4, or IPv4 (we’ll address the upcoming IPv6 in a coming tutorial). It is made up of 32 bits of four octets, or four groups of 8 bits (on/off switches).

For instance, 192.168.1.101. Each of the numbers between the dots (.) is the decimal equivalent of 8 bits. This means that we calculate the base 2 number that computers use represented by the 8 bits and convert them to decimal numbers that humans are more accustomed to working with (see the diagram below). Each one of the octets (8 bits) is capable of representing numbers within the range 0 through 255 (2 to the 8th power).

Classes of IP Addresses

IP addresses are generally put into three classes, and the ranges are:

  • Class A: 0.0.0.0 – 127.255.255.255

  • Class B: 128.0.0.0 – 191.255.255.255

  • Class C: 192.0.0.0 – 223.255.255.255

 

In a future tutorial, we will address subnetting and subnet masks that vary with these different IP classes.

 

Public vs. Private IP Addresses

It’s important to note that our IP address system has its limitations. The biggest limitation is that there are not enough IP addresses to cover all of the devices that need to connect to the internet. The IPv4 system that we are working with now has only 4.3 billion IP addresses. With 7.5 billion people on the planet and far more devices, that certainly is not enough.

As a result, a system was developed to reuse a group of IP addresses to be used within a LAN—and are not usable over the internet. These addresses can be used over and over again within each local area network, but not over the internet, thereby conserving the number of IP addresses necessary to keep the world going ’round.

 

These private addresses include:

  • 192.168.0.0 – 192.168.255.255

  • 10.0.0.0 – 10.255.255.255

  • 172.16.0.0 – 172.16.255.255

You have probably seen the private IP addresses beginning with 192.168.xxx.xxx or 10.xxx.xxx.xxx on your Kali system when you type ifconfig.

This is your private IP that is only usable on the local area network. To communicate over the internet, it must be translated to a public IP by a NAT device (see NAT below).

 

DHCP

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses dynamically. This means that you do not have the same IP address all of the time. Most of the time, these IP address assignments are on a local area network. Remember, on LANs we use private IP addresses. When each device is connected to the LAN, it must request an IP address. That device sends that request to the DHCP server that then assigns an IP address to that system for a fixed length of time known as a “lease.”

Each time you connect to the LAN, you are likely to receive a different (dynamic) IP address, but usually in the same range. For instance, 192.168.0.0 – 192.168.255.255.

 

NAT

Network Address Translation (NAT) is protocol whereby internal private IP addresses are “translated” to an external public IP address that can be routed through the internet to its destination. Remember, private IP addresses of the systems inside the LAN cannot use their IP addresses on the internet because they are not unique (every LAN uses basically the same IP addresses inside their network).

The NAT device accepts requests to traverse the internet from an internal machine. It then records that machine’s IP address in a table and converts the IP address to the external IP address of the router. When the packet returns from its destination, the NAT device looks into its saved table of the original request and forwards on the packet to the internal IP address of the system that made the original request within the LAN. When working properly, the individual systems and users don’t even realize this translation is taking place.

For instance, the diagram above shows four computer with private IP addresses behind a device that is serving as both a NAT device and a router (not uncommon). The devices use their private IP addresses within the LAN, but when they want to communicate over the internet, the NAT device translates it to one of the public IP addresses that are unique on the internet. In this way, the routers along the way know exactly where to send the packets.

Ports

Ports are a kind of sub-address. The IP address is the primary address and the port is the sub-address. Using a well-worn, but effective metaphor, think of the IP address as the street address of a building and then the port as the apartment number. I need the street address to get to the right building, but I need the apartment address to find who I am looking for. This is the same with ports. The IP address gets us to right machine, but the port takes us to correct service, say HTTP on port 80.

There are 65,536 (2 raised to the 16th power) ports. The first 1,024 are generally referred to as the “common ports”. People obviously don’t remember all 65,536 ports (unless they are a savant), or even the 1,024 most common ports. As a hacker, security engineer, and/or network engineer, though, there are a few ports that you should know by heart:

  • 20 FTP

  • 21 FTP

  • 22 SSH

  • 23 Telnet

  • 25 SMTP

  • 53 DNS

  • 69 TFTP

  • 80 HTTP

  • 88 Kerberos

  • 110 POP3

  • 123 NTP

  • 135 Microsoft’s RPC

  • 137-139 Microsoft’s NetBIOS

  • 143 IMAP

  • 161 SNMP

  • 389 LDAP

  • 443 HTTPS or HTTP over SSL

  • 445 SMB

  • 500 IKE

  • 514 syslog

  • 3389 RDP

We can use a tool such as nmap to see what ports are open on a system. In this way, the security engineer or the hacker can see what ports are open and the services running on the target system.

For more Network Basics for Hackers, click here. Also, watch for my new book Network Basics for Hackers. It will be an excellent companion for all aspiring cyberwarrior to my Linux Basics for Hackers.