Week 1: Computing & Networking Foundations

MITRE ATT&CK: Tactic — TA0007 (Discovery), Technique — T1046 (Network Service Scanning)

Real-World Attack Scenario: How Equifax Was Breached

In 2017, attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) on Equifax's web servers. The attack chain demonstrates why Week 1 foundations matter:

1. Reconnaissance: Attackers scanned Equifax's public IP ranges to find web servers (nmap -sV)
2. Service Identification: Discovered Apache Struts version running on port 443
3. Vulnerability Research: Found unpatched CVE-2017-5638 in NVD/cvedetails
4. Exploitation: Sent malformed Content-Type header to execute commands
5. Lateral Movement: Used initial shell to access internal databases
6. Exfiltration: Stole 147 million customer records

Why this week matters: Understanding how networks work, what ports do, and how services communicate is the foundation of every breach. Attackers find the weak link; defenders must understand the entire chain.

Objectives

• Understand how computers communicate on a network
• Learn the OSI 7-layer model and TCP/IP protocol stack
• Master essential networking commands
• Identify key ports and services
• Comprehend how attackers perform network reconnaissance

The OSI Model (Conceptual Framework)

Understanding the OSI model is critical because each layer represents a potential attack surface. Real-world attacks exploit specific layers:

Layer 7: Application    → HTTP, FTP, SMTP, DNS, DHCP
Layer 6: Presentation   → SSL/TLS, JPEG, PNG, ASCII
Layer 5: Session        → NetBIOS, RPC, SQL sessions
Layer 4: Transport      → TCP (reliable), UDP (fast)
Layer 3: Network        → IP, ICMP, routers, routing
Layer 2: Data Link      → Ethernet (MAC), switches, ARP
Layer 1: Physical       → Cables, hubs, signals, bits

Layer-by-layer attack examples:

• Layer 7 (Application): SQL injection in web apps, DNS zone transfers, SMTP relay abuse
• Layer 6 (Presentation): SSL/TLS stripping, image-based malware embedding
• Layer 5 (Session): Session hijacking via cookie theft, RPC exploitation
• Layer 4 (Transport): TCP SYN floods, UDP amplification DDoS
• Layer 3 (Network): IP spoofing, ICMP redirect attacks, routing attacks
• Layer 2 (Data Link): ARP spoofing for MITM, MAC flooding on switches
• Layer 1 (Physical): Physical wiretapping, evil twin rogue APs

Practical mnemonic: "All People Seem To Need Data Processing"

TCP/IP Model (Reality)

While OSI is conceptual, TCP/IP is what actually runs on the internet. Understanding it helps you trace packets and identify where attacks happen:

4. Application     → HTTP, DNS, SSH, SMB
3. Transport       → TCP, UDP (ports 1-65535)
2. Internet        → IP (IPv4/IPv6), ICMP, routers
1. Link            → Ethernet, WiFi, ARP, switches

Key difference from OSI: TCP/IP merges OSI layers 5-7 into a single Application layer, making it simpler to understand but requiring deeper knowledge of individual protocols.

Essential Commands

Windows

# IP configuration
ipconfig /all

# Flush DNS cache
ipconfig /flushdns

# Active connections
netstat -ano

# ARP table
arp -a

# Routing table
route print

# DNS lookup
nslookup target.com

# Trace route
tracert target.com

Linux

# Interface info
ip addr show
ip link show

# Routing
ip route show
ip neigh show  # ARP

# Connection tracking
ss -tunap

# DNS lookup
dig target.com
host target.com

# Trace route
traceroute target.com

# Interface statistics
netstat -i

Common Ports & Services

Port	Service	Security Context
21	FTP	Cleartext, anonymous access, upload/download
22	SSH	Encrypted but brute-forceable, key-based auth
23	Telnet	Cleartext — never use in production
25	SMTP	Email relay, spam, SPF/DKIM/DMARC
53	DNS	Zone transfers, DNS poisoning, amplification
80/443	HTTP/HTTPS	Web attack surface, MITM on HTTP
139/445	NetBIOS/SMB	EternalBlue, relay attacks, lateral movement
3306	MySQL	SQL injection, weak root passwords
3389	RDP	BlueKeep, brute force, NLA bypass
5432	PostgreSQL	SQL injection, default creds
6379	Redis	No auth by default, SST injection
8080	HTTP Alt	Proxy, dev servers, SSRF entry point

IP Addressing & Subnetting

IPv4 Structure

Class A: 1.0.0.0   – 126.255.255.255   (8 network bits, 24 host bits)
Class B: 128.0.0.0 – 191.255.255.255   (16 network bits, 16 host bits)
Class C: 192.0.0.0 – 223.255.255.255  (24 network bits, 8 host bits)
Class D: 224.0.0.0 – 239.255.255.255  (Multicast)
Class E: 240.0.0.0 – 255.255.255.255  (Reserved)

Private ranges (RFC 1918):
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16

Subnet Masks

/24 = 255.255.255.0   = 256 addresses (254 usable)
/25 = 255.255.255.128 = 128 addresses (126 usable)
/26 = 255.255.255.192 = 64 addresses (62 usable)
/27 = 255.255.255.224 = 32 addresses (30 usable)
/28 = 255.255.255.240 = 16 addresses (14 usable)
/30 = 255.255.255.252 = 4 addresses (2 usable) — point-to-point links

Nmap Basics (Week 1 Focus)

# Basic scan
nmap -sn 10.0.0.0/24              # Ping sweep (no port scan)
nmap -sV 10.0.0.5                 # Version detection
nmap -sC 10.0.0.5                 # Default scripts
nmap -p- 10.0.0.5                 # All ports

# Aggressive scan
nmap -A 10.0.0.5                  # OS detection, version, script, traceroute

# Output options
nmap -oA scan_results 10.0.0.5    # All output formats
nmap -oX scan.xml 10.0.0.5        # XML output
nmap -oN scan.nmap 10.0.0.5       # Normal output

# Timing (faster = noisier)
nmap -T0 10.0.0.5   # Paranoid (IDS evasion)
nmap -T4 10.0.0.5   # Aggressive (default for local nets)

Wireshark/Tcpdump Basics

# Capture packets
tcpdump -i eth0 -n host 10.0.0.5
tcpdump -i eth0 -n port 80
tcpdump -i eth0 -n -w capture.pcap

# Read capture
tcpdump -r capture.pcap -n

# Display filters (Wireshark syntax)
tcpdump -i eth0 'tcp port 80 and host 10.0.0.5'
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'
tcpdump -i eth0 'udp port 53'

Practice Labs

Lab 1: Network Discovery

# Boot up Metasploitable VM, find its IP
nmap -sn 10.0.0.0/24

# Once found, do a full port scan
nmap -sV -sC -p- -A 10.0.0.5 -oA metasploitable_scan

Lab 2: Service Identification

# Identify what's running on each port
nmap -sV --script=banner 10.0.0.5

# Check for anonymous FTP
ftp 10.0.0.5
# Try: anonymous / anonymous

Lab 3: Packet Capture

# On Kali, capture traffic while scanning
tcpdump -i eth0 -n -w week1.pcap &

# Run nmap scan
nmap -sV 10.0.0.5

# Stop capture and analyze
# Open in Wireshark: wireshark week1.pcap
# Filter: tcp.port == 21 || tcp.port == 80

Key Takeaways

1. OSI/TCP-IP models — understand which layer does what
2. Ports 1-65535 — know the top 20 by memory (21, 22, 23, 25, 53, 80, 443, 445, 3306, 3389, etc.)
3. Nmap is your primary recon tool — master timing, output formats, common flags
4. Wireshark for deep packet analysis — learn display filters
5. Subnetting — calculate usable hosts, understand CIDR notation

Additional Resources

• Nmap Documentation — Master every nmap flag and output format
• Wireshark User Guide — Deep packet analysis reference
• Subnet Calculator — Practice subnet calculations
• Path Analyzer — Visualize DNS resolution chains
• Video: TCP/IP and OSI Models Explained — Visual learning for networking basics
• Port Numbers Registry — Official port assignments

Real-World Application: Analyzing a Real Network Breach

Consider the 2013 Target breach where attackers used credentials stolen from an HVAC vendor to access Target's payment network:

Attack chain demonstrating Week 1 concepts:

1. Reconnaissance: Attackers scanned Target's external network (nmap -sS)
2. Service Discovery: Found HVAC vendor's VPN accessible on port 443
3. Credential Theft: Stolen credentials from HVAC vendor via phishing
4. Initial Access: VPN connection with legitimate (stolen) credentials
5. Lateral Movement: Used accesses from HVAC vendor to payment network via shared trust
6. Data Exfiltration: RAM-scraped credit card data from point-of-sale memory

Network fundamentals at play:

• Port 443 (HTTPS) was the entry point — understand how TLS protects (or doesn't protect) when credentials are already compromised
• Shared trust between networks — why network segmentation matters
• Understanding SMB on port 445 — how the attackers moved laterally once inside

Key lesson: The attackers didn't use sophisticated zero-days — they exploited basic network misconfigurations and stolen credentials. Network fundamentals would have identified the unusual traffic patterns.

Next Week Preview

Week 2 dives deep into TCP/IP protocols — TCP handshake, UDP, DNS, HTTP, ARP, DHCP. You'll understand HOW data actually moves across networks and how attackers manipulate each protocol. After Week 2, you'll understand why the SYN-ACK response in a TCP handshake is exploitable and how DNS can be weaponized for exfiltration.