# CHAPTER 4
Networking Fundamentals for Penetration Testing
1. Introduction
You cannot attack or defend a fortress if you do not understand its roads, gates, and supply lines. In cybersecurity, the network is the battlefield. If a penetration tester does not understand how an IP packet travels from a browser to a web server, they are simply guessing. In this chapter, we will demystify the core components of network communication. We will explore IP Addressing, the TCP/IP model, the Domain Name System (DNS), and the critical concept of Ports and Protocols, establishing the foundational knowledge required to perform network vulnerability scans.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define an IP Address (IPv4) and a MAC Address.
- Understand the role of DNS in translating human-readable domain names into IP addresses.
- Explain the concept of Ports and common service mappings (e.g., Port 80 = HTTP).
- Describe the TCP Three-Way Handshake.
- Utilize basic Linux networking commands (`ping`, `ip a`, `netstat`).
3. Beginner-Friendly Explanation
Imagine the internet as an enormous apartment building.
- The IP Address (e.g., 192.168.1.5): This is the physical street address of the building. It tells the mailman exactly where the building is located on the earth.
- The Domain Name (e.g., google.com): Human beings are bad at remembering numbers. We put a sign on the front of the building that says "The Google Building."
- DNS (Domain Name System): The phonebook that tells you "The Google Building" is located at "192.168.1.5".
- The Ports (e.g., Port 80, Port 22): Once you get to the building, there are 65,535 different apartment doors inside. If you want to browse a website, you knock on Door 80 (HTTP). If you want to securely control the server, you knock on Door 22 (SSH).
A penetration tester's job is to scan all 65,535 doors, find out which ones are unlocked, and see what software is running behind them.
4. IP Addresses and TCP/IP
Every device on a network has an IP Address (e.g., 10.0.0.5).
- Public IP: Your house's address facing the real street (the Internet).
- Private IP (Local): Your bedroom number inside the house. Only devices inside the house can see it.
Data travels across the internet using TCP (Transmission Control Protocol). Before a computer sends data, it must establish a reliable connection using the Three-Way Handshake:
1. SYN: Client says "Hello, can we talk?"
2. SYN-ACK: Server says "Yes, I hear you, can we talk?"
3. ACK: Client says "Yes, let's communicate."
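To make the handshake concrete, here is an added example (my own code, not part of the chapter) that decodes raw TCP headers with Python's `struct` module and checks that three segments really form a valid SYN, SYN-ACK, ACK exchange, including the rule that each side acknowledges the other's initial sequence number plus one. The sample segments, the port numbers (51000 and 443) and the initial sequence numbers are constructed for illustration; nothing is sent on the network.

```python
import struct

# TCP flag bits in the low byte of the "data offset / reserved / flags" field (RFC 9293)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left at 0).
    Used only to construct sample segments for the parser below."""
    offset_flags = (5 << 12) | flags  # data offset = 5 x 32-bit words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed 20-byte part of a TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "flags": offset_flags & 0x01FF,          # the 9 flag bits
        "header_len": (offset_flags >> 12) * 4,  # in bytes, always >= 20
        "window": window,
    }


def flag_names(flags):
    table = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (URG, "URG")]
    return "+".join(name for bit, name in table if flags & bit) or "none"


def classify_handshake(segments):
    """Walk parsed segments in order (client->server, server->client, client->server)
    and report "complete", "half-open" or "invalid: <reason>"."""
    if len(segments) < 2:
        return "invalid: need at least SYN and SYN-ACK"
    syn, synack = segments[0], segments[1]

    # Step 1: the client opens with SYN only and picks an initial sequence number (ISN).
    if syn["flags"] & (SYN | ACK) != SYN:
        return f"invalid: first segment is {flag_names(syn['flags'])}, expected SYN"
    client_isn = syn["seq"]

    # Step 2: the server answers SYN+ACK on mirrored ports, acknowledging client ISN+1
    # and choosing its own ISN.
    if synack["flags"] & (SYN | ACK) != (SYN | ACK):
        return f"invalid: second segment is {flag_names(synack['flags'])}, expected SYN+ACK"
    if (synack["src_port"], synack["dst_port"]) != (syn["dst_port"], syn["src_port"]):
        return "invalid: SYN-ACK ports do not mirror the SYN"
    if synack["ack"] != (client_isn + 1) & 0xFFFFFFFF:
        return "invalid: SYN-ACK does not acknowledge client ISN+1"
    server_isn = synack["seq"]

    # Step 3: the client completes with ACK of server ISN+1. If it instead answers
    # RST (or never replies), no connection was established: a "half-open" exchange,
    # which is the pattern an IDS counts across many ports when it reports a SYN scan.
    if len(segments) < 3:
        return "half-open"
    final = segments[2]
    if final["flags"] & RST:
        return "half-open"
    if final["flags"] & (SYN | ACK) != ACK:
        return f"invalid: third segment is {flag_names(final['flags'])}, expected ACK"
    if final["ack"] != (server_isn + 1) & 0xFFFFFFFF or final["seq"] != (client_isn + 1) & 0xFFFFFFFF:
        return "invalid: final ACK has wrong sequence/acknowledgement numbers"
    return "complete"


# Constructed sample: a client on ephemeral port 51000 connecting to a web server on 443.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SAMPLE_HANDSHAKE = [parse_tcp_header(b) for b in (
    build_tcp_header(51000, 443, CLIENT_ISN, 0, SYN),
    build_tcp_header(443, 51000, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(51000, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
)]

if __name__ == "__main__":
    for seg in SAMPLE_HANDSHAKE:
        print(f"{seg['src_port']:>5} -> {seg['dst_port']:<5} {flag_names(seg['flags']):<8} "
              f"seq={seg['seq']} ack={seg['ack']}")
    print("result:", classify_handshake(SAMPLE_HANDSHAKE))  # result: complete
```

The sequence-number check is the part beginners usually miss: a SYN-ACK is only a reply to a particular SYN if its acknowledgement number equals that SYN's sequence number plus one, which is also why a blue team can tell a genuine client connection from a stray or spoofed segment in a packet capture.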
5. Common Ports and Protocols
There are 65,535 logical ports on a computer. Services listen on standardized ports:
- Port 21: FTP (File Transfer - Insecure)
- Port 22: SSH (Secure Remote Login)
- Port 80: HTTP (Websites - Insecure)
- Port 443: HTTPS (Secure Websites)
- Port 3306: MySQL (Databases)
*Defensive Rule: If a port is not actively needed, it must be blocked by a Firewall.*
6. Mini Project: Analyze Network Communication
Let's use the Kali Linux terminal to interrogate our network.
1. Find your own IP Address:
```bash
ip a
```
*(Look for `eth0` or `wlan0`. You will see `inet 192.168.x.x`.)*
2. Test connectivity to a server (Ping):
```bash
ping 8.8.8.8
```
*(This sends ICMP packets to Google's DNS server to see if it responds. Press Ctrl+C to stop.)*
3. DNS Lookup: find the IP address of a website.
```bash
nslookup example.com
```
4. Check open ports on your own machine:
```bash
sudo netstat -tulnp
```
*(This shows you what "Doors" are currently open and listening on your Kali machine.)*
7. Real-World Scenarios
During a security audit, a penetration tester scanned a company's public IP address. They found Port 443 (HTTPS) open, which is normal for a website. However, they also found Port 3306 (MySQL) open to the entire internet. The system administrator had accidentally misconfigured the firewall, leaving the company's core database directly accessible to anyone on earth. The penetration tester reported this critical misconfiguration, and the Blue Team instantly blocked Port 3306 at the firewall, averting a massive data breach.
8. Best Practices
- Default Deny Firewall Policy: The golden rule of network security. Your firewall should be configured to explicitly DENY all incoming traffic to all 65,535 ports by default. You then deliberately open *only* the specific ports you need (e.g., Allow Port 443). Never use a "Default Allow" policy.
9. Security Recommendations
- Avoid Cleartext Protocols: Never use protocols like Telnet (Port 23), FTP (Port 21), or HTTP (Port 80) for sensitive operations. These protocols send data (including passwords) in "Cleartext," meaning anyone eavesdropping on the network Wi-Fi can read the passwords. Always use encrypted alternatives: SSH (Port 22), SFTP (Port 22), and HTTPS (Port 443).
10. Troubleshooting Tips
- Firewall Blocking Pings: If you run `ping my-target-server.com` and receive 100% packet loss, it does not necessarily mean the server is offline. Many modern firewalls and Windows servers block ICMP "Ping" requests by default to hide themselves from basic network scans.
11. Exercises
1. Explain the operational difference between a Public IP address and a Private (Local) IP address.
2. If you are auditing a web server, which two ports do you expect to find open, and which one is considered secure?
12. FAQs
Q: What is a MAC Address and how is it different from an IP Address?
A: An IP Address is logical and can change depending on what Wi-Fi you connect to. A MAC Address is physical; it is permanently burned into your computer's network card at the factory and never changes.
13. Interview Questions
- Q: Describe the TCP Three-Way Handshake. How does an understanding of this handshake assist a penetration tester in performing network reconnaissance (e.g., SYN scans)?
- Q: You discover Port 21, Port 80, and Port 3389 open on a public-facing server. Detail the security risks associated with these specific protocols and recommend modern, secure alternatives.
14. Summary
In Chapter 4, we decoded the invisible infrastructure of the internet. We established that data relies on IP Addresses for routing and DNS for human readability. We explored the critical concept of Ports, understanding that a server provides different services (web, database, SSH) through 65,535 logical doors. By mastering command-line networking tools (`ping`, `netstat`, `ip a`), we gained the ability to interrogate network interfaces and verify connectivity. Ultimately, we learned that a penetration tester's initial objective is to map these ports, identifying which services are exposed to the internet and evaluating them against secure, encrypted standards.