The Client-Server Model

Client-Server Model: A network computing model that defines how resources and services are shared across a network

Request and Response Method

The server hosts the resources and services requested by the client

The server returns the resources or executes the service, as requested

The request is the process in which the client sends a message to a server

The response is sent back to the client after the server receives and processes the request, which could contain an acknowledgment of the request, a requested resource, or an error message

Typically, servers receive resource requests from many clients

Network Security

Network Security: The practices and policies used to protect and monitor a computer network’s resources against these threats and risks

Risks include:

Network Structure

Local Area Network

Local Area Network (LAN): A private computer that connects devices in smaller physical areas

Advantages of a LAN include:

As technology advanced, computer networks expanded and small networks in different locations were able to connect, which lead to the creation of Wide Area Networks (WAN)

Network Toplogies


Ring: Each device is connected to the next device in the chain

Two sub-types of ring topologies:




Linear: Each device is connected to the adjacent device by a two-way link. The two devices at the ends of the network are not connected to one another




Star: All devices in the network are attached to a central node. Devices transmit data by sending it to the central node, which then determines which other device on the network to forward it to




Bus: Every device is attached to a central data link. When a device transmits data, it sends it on the link, at which point every device on the network can receive it simultaneously


Many connected devices are arranged like the branches of a tree. There can only be one connection between any to connected devices

Fully Connected

Every device on the network is directly connected to every other




Similar to a fully connected topology, however, not every device is directly connected. Rather, many of them are connected and devices on the network cooperate to find the shortest path to forward data to one another


Combination of all topologies and implemented as needed

For example, a linear topology with star networks attached to the endpoints

Most modern networks are hybrid topologies

Network Devices

Router: A networking device that forwards (routes) resources to other networks. A router can connect two different LANs, two different WANs, and a LAN to a WAN

Switch: Forwards resources within a network

Switches are intelligent devices and can be programmed to direct resources to certain computers

Hub: Serves the exact same purpose as a switch, except it is not an intelligent device. They instead direct a copy of the exact same resource to all computers connected to them

Hubs are now outdated and rarely used

Bridges: Switches that only have two connections: one in and one out. They are often used to tie two LANs together

Network Interface Controller (NIC): Connects a computer to a computer network.

Usually, a circuit board or chip installed on a computer

Each computer must have a NIC in order to receive or send resources

NICs can be wired or wireless

Modems: Converts resource data into a format the next type of connection can understand

The computer and the internet service provider speak different languages, and the modem acts as the translator

Wireless Access Point (WAP): Allow wireless devices to connect to a wired network

All-in-One Device: Can contain modems, WAPs, routers, and more all built into a single device. All-in-One’s are very common in households

Network Security Devices

Firewall: An intelligent network security device that monitors incoming and outgoing traffic based on security rules

Typically placed at the entry point of a LAN

Load Balancer: An intelligent network security device that distributes incoming network traffic across multiple servers

Demilitarized Zones (DMZ): A smaller subnetwork within a LAN used to add an additional layer of security to an organization’s LAN, protecting secure data within the internal networks

A DMZ typically has its own network security devices, such as firewalls, that attempt to detect network attacks before they access the internal network

Binary Data and IP Addresses

Binary data is used for indicating the network addresses that machines need to direct and deliver data across networks

Adding in Binary

The Anatomy of an IP Address

IPv4 IP Addresses are written as for octets separated by decimals

The octets are actually eight binary bits of ones and zeros that are converted to a more interpretable decimal form

Each IP Octet can range from zero (00000000) to 255 (11111111)

IP Conversion Tool

Public and Private IP Addresses

Public IPs

Public IPs are addresses that can accessed over the internet

These addresses are typically assigned out in IP ranges by an internet service provider

IP’s in IP Ranges are typically sequential

Private IPs

Private IP Addresses are addresses that are not exposed to the internet and are typically located within a LAN

Three IPv4 ranges are saved as private IP Addresses and used only for private addressing:


Subnetting: The process of breaking up an IP Address Range into smaller, more specific networks of grouped devices

Classless Inter-Domain Routing (CIDR): Format used for subnetting

Means that the last octet can be from 0-255:

CIDR Conversion Tool

MAC Address

Media Access Control Address (MAC): Addresses assigned to devices that cannot be changed

A MAC address is a string of six sets of alphanumeric characters, separated by colons:


Addresses and the Internet

Domain Name System (DNS): Translates human-readable names to IP Addresses

Layers of Cache

When a website is entered into a browser, the browser will check DNS caches to see if they already have the DNS translation of the domain’s IP address is stored

Caches are searched in ascending order of scope:

  1. Browser’s cache
  2. The OS’s cache, stored in the hosts file
  3. ISP’s Cache
  4. The Top-Level Domain’s (TLD) cache

DNS, URLs, and Security

DNS Hijacking or DNS Redirection is the process of manipulating the DNS cache to return a domain or resource that wasn’t originally requested

On Unix systems, the hosts file is located at /etc/hosts

To implement DNS Hijacking, edit the hosts file to point a domain to a specific IP Address


Network Packets

Clients and servers communicate by exchanging binary data

The binary data is grouped together into packets and transmitted across the network

The version field is indicated in the header, which is in the first field that starts at the first bit and ends at the fourth bit:

For example, in PAP (Password Authentication Protocol), each client request contains bits in a specific order and length:

The receiving server will know where to look in the bitstream for content:


Ports are the access points for transmitting and receiving data

Visual Ports

Computer software use visual ports to access other systems over a network

Every protocol has an assigned numerical virtual port number

The assigned port, or destination port, is where other machines send data when they want to communicate using that protocol

There are 65,536 virtual ports, and ports are divided into three three ranges:

Common Ports:

OSI Layers

The process of sending an email starts with the following steps:

  1. Convert the text of the user’s email into a format the email service can understand
    1. IMAP or POP3 handles this task
  2. Add the destination address and destination port to this data
    1. TCP adds this information
  3. Convert the packet to a format that can be transmitted through physical wires
    1. The IP Address adds this information

The Open Systems Interconnection (OSI) Model

The OSI Model provides a framework for categorizing and conceptualizing a large number of ports and protocols Please Do Not Throw Sausage Pizza Away

The OSI model is a seven layer framework that describes how communications work on a network by detailing the processes, devices, and protocols in place at each layer

Layer 1 Physical: Responsible for transmission of binary data through a physical data through a physical medium. It handles how data is physically encoded and decoded

Cables, hubs, repeaters, fibers, wireless

Layer 2: Data Link: Establishes links between nodes. It also ensures data gets to its final destination without corruption, thus protecting daMAta integrity

Devices: Network cards, switches

Protocols: MAC, ARP

Layer 3: Network: Routes data through physical networks using an IP Address, deciding which physical path the data will take, and ensuring it gets to the correct location

Devices: Routers

Protocols: IP

Layer 4: Transport: Responsible for actually transmitting data across the network. It puts data onto the network, and assigns source and destination ports

Protocols: TCP, UDP

Layer 5: Session: Manages connections between ports on computers and handles data flow

Protocols: NetBios, SQL

Layer 6: Presentation: The translator for the network that formats data to be presented to the Application layer, handles data representation, decryption and encryption, character set translation, and conversion

Protocols: SSL, TLS, JPEG, ACII

Layer 7: Application: Responsible for representing data in a way the consuming application can understand. Users use this layer for interaction, such as a web or email application

Devices: User Applications

Protocols: HTTP, FTP, SMTP, DNS

Encapsulation and Decapsulation


Encapsulation: The process of data moving from layers seven to one, in which headers, and sometimes trailers, are placed around the data to direct it to its destination

Encapsulation Example


Decapsulation: The process of removing the headers, and sometimes trailers, around the data to confirm the data reaches the destination

Decapsulation Example


Wireshark is a tool that enables the real-time visibility of communications across a network and monitor the activities of connected devices

Networks communicate with sequences of binary data called packets, and Wireshark can be used to capture those packets

Multiple packets collected into a file by Wireshark are called a packet capture. These captures have .cap, .pcap, and .pcapng file extensions

Following Data Through Layers 2, 3, and 4


Enumeration: The process of gathering data for a specific network, usually for the purpose of finding ways to gain access into that network

Enumeration can provide:

Address Resolution Protocol (ARP) (Layer 2: Data Link)

When data travels from a WAN to a LAN, data is routed via switches to a physical machine address, or their Media Access Control (MAC) address

To ensure data gets from Lan to machine, the ARP maps a physical machine address to an IP address within the LAN

Request: The network device transmitting the data broadcasts an ARP request to all devices in its network to find the physical address matching the IP Address

Reply: The device owning that IP Address recognizes their IP in the ARP request and sends an ARP reply with their MAC address so the network knows where to route the data

The ma.compping of the MAC address to the IP Address is added into the ARP cache, so the next time data comes in for this specific destination, it won’t need to broadcast an ARP request

ARP Cache Timeout: Entries added to the ARP cache are called dynamic ARP entries, which can be changed with future ARP replies. Dynamic ARP entries will only stay in the ARP cache for a limited period of time known as the ARP cache timeout

ARP Spoofing

The attacker can send a spoof ARP message to the LAN, directing all traffic intended for the good host to the attacker’s MAC address

The attack is updating the ARP Cache and

After the attacker sends the spoof ARP message, all traffic originally destined for the good host is intercepted by the attacker’s device with the malicious MAC address

For example, the correct host is assigned to the MAC Address is 00:50:56:fd:2f:16, but an attacker can send a spoofed ARP message and direct request to the host to their own device’s MAC address, 00:0c:29:1d:b3:b1

Wireshark can detect and alert on multiple MAC addresses associated with a single IP address, but it will not take any action on its own

In Wireshark, the following can be used to filter results:

arp.code==1: Only requests

arp.code==2: Only responses

&&: Include next filter

arp.src.proto_ipv4==[IP_ADDR]: Search for specified IP Address

Wireshark will show the response to the ARP request in the following format:

Static ARP Entries: Create permanent IP-to-MAC-address mappings in the ARP cache

All IP-to-MAC address mappings of all hosts on a network must be known ahead of time

ping Packet Inter-Network Groper

ping: Utility used to determine if a host is operating and accepting requests

When a host is pinged, it sends an Internet Control Message Protocol (ICMP) echo request to a specific IP address and waits on a reply

fping allows to ping multiple domains/IP Addresses

fping -g [starting IP of range] [ending IP of range]: Will allow to ping a range of IP Addresses

Introduction to traceroute

When data travels from a source to a destination, it typically doesn’t follow a straight path

Data is redirected by many routers, and the redirection of data transmissions are called hops

Optimal routing paths are determined on the shortest path

traceroute: Utility that shows the route taken between two systems across a network

traceroute Can be used for:

traceroute also utilizes ICMP, which contains the Time to Live (TTL) field

TTL is an indicator of how long a data packet can exist in a network, and is utilized as a decrementing hop counter

Every router that forwards the packet decrements the TTL value by one

If the starting TTL value of a data packet is five, and the data travels across two routers, the TTL will drop to three

TCP (Transmission Control Protocol)

Layer 4: Transport is responsible for end-to-end communication over a network

The data from the above layers is broken into smaller packets and transported to the destiniation

The recipient reassembles these packets into a complete message

TCP: A widely used protocol use for data transmission

A “connection-oriented” protocol, which means the server must acknowledge it has receive the request from the client

If the request is not acknowledged, the sender assumes the request has not been received and will attempt to resend

This connection-oriented acknowledgement is known as the TCP Handshake’

TCP is used with other protocols, such as HTTP, HTTPS, FTP, SSH, and SMTP

Three-Way Handshake: The process that lets both sides know data has been transmitted completely

  1. SYN (synchronize) From client to server. Client sends a SYN data packet to the server to determine if it is ready to open a connection
  2. SYN/ACK: From server to client. The server acknowledges or confirms receipt of the SYN packet
  3. ACK: From client to server. Client confirms receipt of the SYN/ACK packet
  4. Once the handshake is successfully completed, the data transmission can begin


  1. FIN From client to server. The client sends a FIN data packet to the server to close the connection
  2. ACK: From server to client. The server acknowledges receipt of the FIN packet
  3. FIN: From server to client: After the server terminates the connection, it sends a FIN packet
  4. ACK: From Client to server: The client acknowledges it has receive the server’s FIN packet. The TCP termination process is complete

TCP has disadvantages, such as retransmissions (when the server resends packets because the client does not acknowledge receipt)

TCP in Wireshark

Each packet represents a different step of the handshake:

The step of the handshake is indicated in the flag, which is a field in the TCP header:

When selecting a request/response, Wireshark will display a bracket to indicate the connections are related:

UDP Datagram Protocol

UDP: Connectionless protocol used for reducing latency versus transmitting all data

UDP does not does not require a handshake to transmit data

SYN Scanning

A SYN Request can be used to check for open ports on a network. If a SYN/ACK response is give, the port is verified as open

A SYN Scan is the enumeration process of sending SYN requests to many ports on a network

Port States:

Wireshark can be used to display request and response conversations in order to determine a port’s state

Open the packet capture, then select Statistics > Conversations. Then, sort by descending Packet size

IPs and Protocols

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP): A client-server based protocol on your local network responsible for managing and providing IP Addresses to computers

DHCP is dynamic, because most devices do not have fixed IP Addresses

DHCP is a Layer 7: Application protocol

Port 67: Server

Port 68: Client

Four step process:

  1. DHCP Discover: Client needs to finds the DHCP server
  2. DHCP Offer: Server checks which IP Addresses are available to give out
  3. DHCP Request: Client sends a message back to the DHCP server
  4. DHCP ACK: Server acknowledges IP is assigned and stays assigned periodically
    1. This period of time is the DHCP Lease, and once expired, the IP Address can be reassigned

In wireshark:

The ACK entry includes the Renewal time and Lease Time:

To filter for specific entries:


1: Discover

2: Offer

3: Request

5: Ack


Network Address Translation (NAT): A method of mapping a private IP address to a public IP Address and vice versa

NAT tables are managed by the router

NAT’s main task is IP Address translation, so primarily works on Layer 3: Network

The translation is necessary due to the limitations of IPv4


Creating the packet: The computer creates a packet

Destination IP And Port:

Source: IP and Port:

Step Two: Packet to NAT Table

The packet is sent to the internal router, which creates a record in the NAT Table:

LAN Address:

WAN Address:

Step Three: Going Public The router modifies the packet and replaces the source IP with the network’s public IP Address

Destination IP and Port:

Source IP and Port:

Step Four: Receives and Responds

The website’s server receives the packet and then responds with another packet

Step Five: Back to NAT The router receives the packet, checks the NAT table and knows exactly which device is expecting this packet

DHCP Attacks

An attacker could send a large number of DHCP messages over a network, resulting in the DHCP server running out of IP’s

This is known as DHCP Starvation, which is a type of an DoS Attack

An attacker can use software to spoof different MAC Addresses for multiple requests

A Maximum Threshold of DHCP requests a server can accept per second to prevent DHCP starvation

DHCP Spoofing: The act of an attacker configuring a fraudulent DHCP server that can send spoof messages, which could result in the assignment of malicious routers to clients

DHCP Snooping: Process implemented on a network switch that inspects packets to confirm that they’re legitimate DHCP offers

Routing Schemes and Protocols

Routing: The act of choosing the path that traffic takes in or across the networks

Routing Schemes

Unicast: Single device delivers a message to another single specific device

Broadcast: Single device broadcasts a message to all devices on that same network

Multicast: Device sends a message to devices that have expressed interest in receiving the messages


Unicast: If the message has to reach multiple destinations, many unicast messages must be sent

Broadcast: Can cause unnecessary traffic

Multicast: Intended recipients will need to be updated and maintained to make sure they’re accurate

Routing Techniques

Static: Manual configuration of a network route, typically done by a network adminstrator

Usually used on smaller networks



Dynamic: Allowing the network to act autonomously in order to avoid network blockages

Network is adaptive and data gets forwarded on a different route depending on the network conditions

What is used over the internet

Uses routing protocols to determine the best route

Routing Protocols

There are two criteria to determine the path traffic takes to reach its destination:

Distance: The number of hops it takes to get from the source to the destination

Dynamic routing protocols that use distance as a criteria are Distance-Vector Routing Protocols

Protocols Include:

Speed: Route determined by the time it takes to move from the source to the destination

Protocols using speed as a criteria are link-state routing protocols

One protocol is Open Shortest Path First (OSPF)


Devices that use WiFi have a standard called 802.11

Wireless Access Points (WAPs) broadcast a signal caled a beacon that computers detect and tune into

When a WAP needs to broadcast its signal, it must identify itself with a Basic Service Set Identifier (BSSID)

Since BSSID’s are not easily recognizable, WAPs also broadcast Service Set Identifiers (SSID) (Airport WiFi, Austin Public Library, etc)

Wireless Security

WEP (Wired Equivalent Privacy): Security protocol using encryption to provide protection and privacy to wireless traffic

WPA (WiFi Protected Access): Replaced WEP due to WEP’s major vulnerabilities

WPA2: Even more secure protocol used as today’s standard

In Wireshark:

The Info column identifies the beacon signal:

The Protocol column lists 802.11, indicating the requests are over WiFi

To View SSID:

Select Wireless > WLAN Traffic to open Wireshark’s wireless traffic analysis tool

To view WPA version:

Email Networks and Security

DNS Records

All the records for a domain are stored in a the DNS Zone file

DNS Zone files live in a DNS Server

They contain a Time to Live (TTL) which indicates how long DNS cache will remember information in the file before having to request an updated copy

DNS zone files also contain the DNS records containing DNS information

DNS Record Types

A Record: Translates a domain to an IP Address

PTR Record: Translates an IP Address to a domain

CNAME Record: An alias record used to point one domain to another domain

SOA (State of Authority) Record: Contains administrative details about a domain, such as the email administrator, TTL value, and time of last update

NS (Name Server) Record: Indicates which server contains actual DNS records for a domain

MX (Mail Exchange) Record: Directs emails to a specific mail server for a domain

Ex: emails sent to, the sender validates the MX record for is, then sends the email to that host

Domains can have multiple MX records for availability

The lower the number, the higher the priority

TXT (Text) Records: Used to include notes related to the DNS

SPF Record: Indicates mail servers that can send emails on behalf of a domain to prevent spam, phishing,, and email spoofing, by detecting emails that may have a forged sender email

ex: v=spf1 ip4:

nslookup: Utility that checks the DNS record of a specified domain

-type=: Will return the requested record type

Email Networking

Step 1: An email is sent using an email application

An email is composed, then sent to the sender’s email server

The email server is also referred to as the MTA (Mail Transfer Agent)

Step 2: The sender mail server locates the receiving mail server

The sender mail server does a DNS lookup against the receiving domain name

The sender mail server acquires this information from the receiving server’s MX record

Step 3: The sender mail server forwards the email

This is done using SMTP, which is apart of Layer 7

Step 4: The email is downloaded from the receiving mail server to the application

Two Layer 7 protocols used to transfer email:

POP3: The mail server does not keep a copy of the email once downloaded

IMAP: A copy of the email is kept on the server

Email Headers

Return-Path: Specifies the sender’s return email

Received: Shows a list of the mail servers, illustrating the path of the email from source to destination

Message-ID: Unique string created by the sending mail server as an identifier of the email

Received SPF: The SPF verification field

Email Security Issues

Email Spoofing: Designing emails to trick the receiver into believing they’re coming from a trusted source

Phishing: The attempt to gain sensitive information from an email recipient

Email Spoofing Detection Methods

From Email Header

Spammers can disguise the source email

The From or Return-Path fields will display the true email address

Received-SPF Email Header

The Received-SPF email header uses the IP address from the Received field and determines if it’s an IP of an authorized sender

If the IP is accepted it will display pass

If the IP is not accepted, it will display fail

Received Email Header

The Received email header includes the source IP of the sending mail server

That IP address can be investigated and conclusions can be made based on its ownership and location

Leave a Reply

Your email address will not be published.