
Networking is the foundation of IT. IT is the foundation of Pentesting.

If you’re just starting out from a background that didn’t include the fundamentals of networking, you might feel lost and behind when the subject comes up. If offensive cyber security is your desired profession, then learning as much as you can about networking will serve you well. But to get started, there are a few concepts that, while not strict requirements, will help you advance your skills and work more efficiently.

So, we will take a look at what networking concepts you should focus on starting out, why they matter for pentesting, and a few resources for learning.

(If you are looking to get started in pentesting, the Practical Ethical Hacking course from TCM is a 20+ hour hands-on walkthrough of pentesting methodology and tactics. You can also certify those skills with the Practical Junior Penetration Tester exam, a 2-day practical simulation of an internal pentest, complete with a 48-hour report writing window and review. The goal is day one readiness for an offensive cyber security role.)

The OSI Model

There are a lot of opinions about the OSI model, but for better or worse, it’s the standard language for discussing the different layers of a network. As a pentester, knowing the basics of each layer will be helpful for mapping out a plan of attack against a network. 

Simple OSI Layer Rundown for Pentesters:

  • L7 Application: HTTP, DNS, SMTP, web apps – SQLi, XSS, authentication flaws.
  • L6 Presentation: TLS/SSL, encoding – expired certificates, weak ciphers.
  • L5 Session: Sessions, authentication state – session fixation/hijack.
  • L4 Transport: TCP/UDP, ports – port scanning, SYN floods, session management.
  • L3 Network: IP addressing, routing, ACLs – IP filtering, routing misconfig, IP spoofing.
  • L2 Data Link: MAC, ARP, VLANs, switching – ARP spoofing, VLAN hopping.
  • L1 Physical: Cables, wireless signals – physical access, rogue APs.

Knowing the OSI model also allows you to present more precise findings to the client and suggest mitigations in certain layers of their network.

IP Addresses

This one may seem ridiculous at first glance. If you aren’t prepared to define what an IP address is, then you may need to do a bit of studying or you are going to struggle with recon and scope.

Knowing the attack surface of a network is an important aspect of recon, and that means understanding how networks are segmented. It also helps keep you within scope (the client may not want you poking around the entire network).

MAC Addresses

Understanding these network device addresses is not just a skill for those interested in hardware. Information is power, and knowing more about the devices running on a network is only going to benefit the penetration tester. They are also a fundamental part of ARP (Address Resolution Protocol) which enables such methods as MITM (Man in the Middle) and ARP cache poisoning/spoofing for inspection of cleartext traffic for credentials.

As a practical example, knowing that the first three octets of the MAC address (the OUI) identify the vendor, and thus hint at the device type, can elevate your enumeration game and provide a more precise picture of targets and selection of attacks.
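As an added example (not code from the original post), here is a small Python parser that normalizes a MAC address, extracts the OUI, reads the U/L and I/G bits of the first octet, and summarizes a captured ARP table by vendor. The OUI table, the vendor names and the ARP output lines are constructed placeholders for illustration; in practice you would load the IEEE registry into the dictionary.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed OUI table: the prefixes and vendor names are placeholders, not
# entries copied from the IEEE registry. Load the real registry here in practice.
SAMPLE_OUI_TABLE: Dict[str, str] = {
    "00:11:22": "ExampleVendor-A",
    "A8:BB:CC": "ExampleVendor-B",
}

# Matches Linux `arp -a` style lines; "<incomplete>" entries will not match.
ARP_LINE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9A-Fa-f:]{17})")

# Constructed sample output, not captured from a real network.
SAMPLE_ARP_OUTPUT = """\
? (10.10.5.65) at 00:11:22:33:44:55 [ether] on eth0
? (10.10.5.66) at a8:bb:cc:00:00:01 [ether] on eth0
? (10.10.5.67) at 02:11:22:aa:bb:cc [ether] on eth0
? (10.10.5.68) at <incomplete> on eth0
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return upper-case colon form."""
    s = mac.strip()
    if re.sub(r"[0-9A-Fa-f:.\-]", "", s):
        raise ValueError(f"unexpected characters in MAC address: {mac!r}")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", s)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2].upper() for i in range(0, 12, 2))


def parse_mac(mac: str, oui_table: Dict[str, str] = SAMPLE_OUI_TABLE) -> Dict[str, object]:
    """Split a MAC into OUI plus the two flag bits carried in the first octet."""
    norm = normalize_mac(mac)
    oui = norm[:8]                        # first three octets
    first_octet = int(norm[:2], 16)
    locally_administered = bool(first_octet & 0x02)  # U/L bit: set on randomized / admin-assigned MACs
    multicast = bool(first_octet & 0x01)             # I/G bit: set on group addresses
    return {
        "mac": norm,
        "oui": oui,
        # A vendor hint only makes sense for universally administered addresses.
        "vendor": None if locally_administered else oui_table.get(oui),
        "locally_administered": locally_administered,
        "multicast": multicast,
    }


def summarize_arp(arp_text: str, oui_table: Dict[str, str] = SAMPLE_OUI_TABLE) -> List[Dict[str, object]]:
    """Parse every complete ARP entry and annotate it with the OUI lookup."""
    rows = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        info = parse_mac(m.group("mac"), oui_table)
        info["ip"] = m.group("ip")
        rows.append(info)
    return rows


def vendor_counts(rows: List[Dict[str, object]]) -> Counter:
    """Count hosts per vendor hint; locally administered MACs are reported separately."""
    labels = []
    for r in rows:
        if r["locally_administered"]:
            labels.append("locally administered (no vendor hint)")
        else:
            labels.append(r["vendor"] or "unknown OUI")
    return Counter(labels)


if __name__ == "__main__":
    rows = summarize_arp(SAMPLE_ARP_OUTPUT)
    for r in rows:
        print(f'{r["ip"]:<14} {r["mac"]}  oui={r["oui"]}  vendor={r["vendor"]}  '
              f'LA={r["locally_administered"]}  multicast={r["multicast"]}')
    print(vendor_counts(rows))
```

The U/L-bit check matters both ways: a locally administered address gives you no vendor hint, and from the defender's side a cluster of such addresses on a segment is worth a second look because it is how randomized and cloned MACs show up in an ARP table.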

TCP & the Three-Way Handshake

Even a basic study of IT and cyber security will touch on this protocol since it is one of the primary methods by which information moves from one place to another in the digital world. For pentesting in particular, scanning a network with a tool like Nmap will become routine, but understanding how the three-way handshake works will help you make sense of how the network is interacting with your scan.

Quick handshake review:

  1. Client > Server: SYN – “I want to open a connection; my seq = X.”
  2. Server > Client: SYN-ACK – “I see you; here’s my seq = Y, ack = X+1.”
  3. Client > Server: ACK – “Got it; ack = Y+1. Connection open.”

Flags to remember: SYN, ACK, RST (reset), FIN (finish).

In the case of a scan, if your SYNs never get SYN-ACKs, then a firewall could be blocking the response, or if unexpected RST responses reset the connection immediately after the attempt, then there might be an IDS/IPS guarding the network. Understanding the three-way handshake provides context for the results of your scan.
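To make the handshake and its sequence numbers concrete, here is an added Python simulation (not code from the original post) in which a client sends the SYN, a simulated server answers with SYN-ACK or RST/ACK, and the client completes the handshake and checks that the server's ack equals its own seq + 1. The `Host` class, its port lists and the "silently drop" rule standing in for a firewall are all assumptions of this example, and the three scan outcomes it labels (open, closed, filtered) are the same ones described in the paragraph above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"


@dataclass(frozen=True)
class Segment:
    """Just the TCP header fields the handshake cares about."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: FrozenSet[str]

    def __str__(self) -> str:
        return (f"{self.src}:{self.sport} > {self.dst}:{self.dport} "
                f"[{'/'.join(sorted(self.flags))}] seq={self.seq} ack={self.ack}")


class Host:
    """Simulated server endpoint (hypothetical helper for this example)."""

    def __init__(self, ip: str, listening: Iterable[int] = (),
                 silently_drop: Iterable[int] = (), isn: int = 1000):
        self.ip = ip
        self.listening = set(listening)
        # Constructed stand-in for a firewall DROP rule: SYNs to these ports get no reply at all.
        self.silently_drop = set(silently_drop)
        self.isn = isn  # the server's initial sequence number Y

    def respond(self, seg: Segment) -> Optional[Segment]:
        if seg.dport in self.silently_drop:
            return None                                   # dropped: the client sees nothing
        if seg.flags == {SYN}:
            if seg.dport not in self.listening:
                # Closed port: RST/ACK acknowledging the SYN, nothing to talk to.
                return Segment(self.ip, seg.src, seg.dport, seg.sport,
                               0, seg.seq + 1, frozenset({RST, ACK}))
            # Open port: SYN-ACK with the server's own seq = Y and ack = X + 1.
            return Segment(self.ip, seg.src, seg.dport, seg.sport,
                           self.isn, seg.seq + 1, frozenset({SYN, ACK}))
        return None  # other segment types are not modelled here


def three_way_handshake(client_ip: str, server: Host, dport: int,
                        isn: int = 5000, sport: int = 40000) -> Tuple[str, List[Segment]]:
    """Run one handshake attempt and return (outcome, transcript of segments)."""
    transcript: List[Segment] = []
    syn = Segment(client_ip, server.ip, sport, dport, isn, 0, frozenset({SYN}))   # step 1: seq = X
    transcript.append(syn)
    reply = server.respond(syn)
    if reply is None:
        return "filtered", transcript          # no SYN-ACK: something dropped it
    transcript.append(reply)
    if RST in reply.flags:
        return "closed", transcript            # RST: port reachable but nothing listening
    if reply.flags == {SYN, ACK} and reply.ack == isn + 1:   # step 2 checked: ack = X + 1
        final_ack = Segment(client_ip, server.ip, sport, dport,
                            isn + 1, reply.seq + 1, frozenset({ACK}))   # step 3: ack = Y + 1
        transcript.append(final_ack)
        return "open", transcript
    return "unexpected", transcript            # wrong ack number or flags: do not trust it


def scan_summary(server: Host, ports: Iterable[int]) -> Dict[int, str]:
    """Map each port to the handshake outcome, the way a scanner labels its results."""
    return {p: three_way_handshake("10.10.5.65", server, p)[0] for p in ports}


if __name__ == "__main__":
    # Constructed target: SSH and SMB listening, RDP silently dropped, HTTP closed.
    target = Host("10.10.5.70", listening=[22, 445], silently_drop=[3389])
    for port in (22, 80, 445, 3389):
        outcome, transcript = three_way_handshake("10.10.5.65", target, port)
        print(f"port {port}: {outcome}")
        for seg in transcript:
            print("   ", seg)
```

Running the block shows the three transcripts side by side: an open port produces all three segments, a closed port stops after the RST/ACK, and a dropped SYN produces a one-line transcript, which is exactly the "no SYN-ACK at all" case the paragraph above attributes to a firewall.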

Common Ports and Protocols

Knowing which ports to look out for during reconnaissance can accelerate the process of identifying attack vectors and vulnerabilities. Memorizing all of them is unnecessary, but there are a few that will likely come up during pentests. If they’re open and you recognize them, you can save some time and better plan your attack. 

For instance, port 445 is commonly used for Microsoft SMB (file sharing), which is historically known to have some misconfigurations and vulnerabilities. Port 3389 is typically RDP (Microsoft Remote Desktop), and if it can be accessed with weak credentials, that would be a huge finding. DNS (Domain Name System) operating over port 53 and SMTP (Simple Mail Transfer Protocol) over port 25 can provide information regarding the internal structure of the network.

Having a solid grasp on a few common port numbers and the protocols they’re associated with can be a big help when it comes to a penetration test.

Subnetting

This is the math-heavy one most people want to avoid, but it has some practical uses for a pentester and is worth putting a little of your study time toward. 

First, it helps you stay within the scope of your engagement. Wandering into IPs that the client has deemed off-limits is bad practice and could have some critical unintended consequences, so stay within your range. 

Second, once you’re inside, you can more effectively pivot to other internal networks by analyzing subnets. Once you have a foothold, understanding subnets helps you discover adjacent networks, identify likely targets, and plan efficient enumeration (you don’t blindly scan huge address blocks).

Practical example:
If your scope is 10.10.5.64/26, the usable hosts run from 10.10.5.65 to 10.10.5.126. Don’t scan 10.10.5.127 (that’s the broadcast) or addresses outside the /26 unless the engagement explicitly allows it.
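As an added example (not part of the original post), here is a Python scope checker built on the standard `ipaddress` module that generalizes the /26 calculation above: it reports the network, broadcast and usable range for any CIDR block, refuses a block whose host bits are set, and decides per target whether it is inside the agreed ranges and outside any exclusions. The scopes, exclusions and candidate addresses in the usage section are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple


def describe_scope(cidr: str) -> Dict[str, object]:
    """Break a CIDR scope into the numbers worth knowing before any scan starts.

    strict=True rejects something like 10.10.5.65/26 (host bits set) so a typo in the
    rules of engagement raises an error instead of silently widening the range.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= net.max_prefixlen - 1:
        # /31 (point-to-point, RFC 3021) and /32: every address in the block is usable
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    else:
        first = net.network_address + 1        # network address itself is not a host
        last = net.broadcast_address - 1       # broadcast address is not a host either
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_count": usable,
    }


def in_scope(target: str, scopes: Sequence[str], exclusions: Sequence[str] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason). Exclusions win over scopes; network/broadcast addresses are refused."""
    addr = ipaddress.ip_address(target)
    for ex in exclusions:
        if addr in ipaddress.ip_network(ex, strict=False):
            return False, f"explicitly excluded by {ex}"
    for cidr in scopes:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr not in net:
            continue
        has_reserved_ends = net.prefixlen < net.max_prefixlen - 1
        if has_reserved_ends and addr == net.network_address:
            return False, f"network address of {cidr}"
        if has_reserved_ends and addr == net.broadcast_address:
            return False, f"broadcast address of {cidr}"
        return True, f"inside {cidr}"
    return False, "outside every in-scope range"


def filter_targets(candidates: Iterable[str], scopes: Sequence[str],
                   exclusions: Sequence[str] = ()) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split a candidate list into (allowed, rejected), each entry paired with its reason."""
    allowed: List[Tuple[str, str]] = []
    rejected: List[Tuple[str, str]] = []
    for t in candidates:
        ok, why = in_scope(t, scopes, exclusions)
        (allowed if ok else rejected).append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    # Constructed engagement: the /26 from the text, with one host carved out by the client.
    scopes = ["10.10.5.64/26"]
    exclusions = ["10.10.5.100/32"]
    for k, v in describe_scope(scopes[0]).items():
        print(f"{k:>13}: {v}")
    candidates = ["10.10.5.64", "10.10.5.65", "10.10.5.100", "10.10.5.126", "10.10.5.127", "10.10.5.130"]
    allowed, rejected = filter_targets(candidates, scopes, exclusions)
    print("allowed :", allowed)
    print("rejected:", rejected)
```

Feeding a scanner's target list through `filter_targets` before the scan, rather than eyeballing the range, is the practical payoff: the rejected list with its reasons is also a handy artifact to keep with the engagement notes.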

Resources for IT Learning

If you want to get started or take a deeper dive into these concepts and others here are a few resources that can help you along the way:

Professor Messer Network+ Study Guide

The CompTIA Network+ covers a lot of the foundational networking knowledge for entry-level IT (i.e., entry-level cyber security) and Professor Messer does an excellent job of breaking down and explaining those concepts. Many people have used Professor Messer’s videos to study and pass CompTIA certifications, including myself.

Even if you’re not planning to take the certification, the study materials are well laid out so you can pick and choose which topics you want to learn more about. Also, it’s FREE.

Practical Help Desk Course

TCM’s Andrew Bellini created this course to give those looking to start in a help desk role a practical, hands-on course for learning and practicing skills that are used daily in that profession. 

This FREE course also touches on how networking fits into the day-to-day duties of an entry-level IT professional, and the practical nature of the course makes the concepts more real and highlights useful information.

Cisco Packet Tracer

This network simulation tool allows you to practice concepts in a virtual environment and close a little of the gap between knowledge and practice. It’s a great way to get your feet wet before building out your own labs.

Conclusion

This is not an exhaustive list, and barely scratches the surface of how basic IT informs cyber security, but hopefully it provides a little context as to why becoming familiar with these concepts is helpful and how to get started with building up some knowledge in this area. Getting started with the basics can seem like a step backward sometimes, but creating that foundation of knowledge is something you will always be able to leverage and build on during your career.

You’ve got this!

About the Author: Josh Daniels

Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, gaining a Sec+ certificate along with other training from industry professionals and a lifelong learner attitude.

When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play table top RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.

“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers. Pentest Services: https://tcm-sec.com/our-services/