Chapter 1 β The OSI Model
The OSI (Open Systems Interconnection) model has 7 layers. Security happens at every layer β knowing where an attack targets tells you how to defend it.
# OSI Layers (remember: "Please Do Not Throw Sausage Pizza Away")
7 Application β HTTP, HTTPS, FTP, SSH, DNS, SMTP
6 Presentation β SSL/TLS, encryption, compression, JPEG
5 Session β Session management, NetBIOS, RPC
4 Transport β TCP, UDP β port numbers live here
3 Network β IP addresses, routing, ICMP, OSPF
2 Data Link β MAC addresses, Ethernet, switches, ARP
1 Physical β Cables, hubs, radio waves
# Security attacks by layer:
L7 β SQLi, XSS, web app attacks
L6 β SSL stripping, certificate attacks
L5 β Session hijacking
L4 β SYN flood, port scanning
L3 β IP spoofing, ICMP attacks
L2 β ARP poisoning, MAC flooding, VLAN hopping
L1 β Physical access, cable tapping
# Data encapsulation as it travels DOWN the stack:
L7: Data
L4: Segment (TCP) / Datagram (UDP)
L3: Packet (adds IP header)
L2: Frame (adds MAC header + FCS)
L1: Bits
Chapter 2 β TCP/IP Model
# Practical 4-layer model used in the real world:
Application β OSI 5,6,7 β HTTP, DNS, SMTP, FTP
Transport β OSI 4 β TCP, UDP
Internet β OSI 3 β IP, ICMP, ARP
Network Accessβ OSI 1,2 β Ethernet, WiFi
# The protocol stack for visiting kalirange.com:
1. DNS query β resolves kalirange.com to IP
2. TCP 3-way handshake to IP:443
SYN β SYN-ACK β ACK
3. TLS handshake β encrypted tunnel
4. HTTP GET / request
5. Server sends HTML response
Chapter 3 β IP Addressing
# IPv4 address = 32-bit number, written as 4 octets
192.168.1.100
β β β βββ Host portion (which device)
β β βββββ Network portion (which subnet)
βββββ΄βββββββββ Must match for hosts to communicate directly
# Private IP ranges (not routable on internet):
10.0.0.0/8 β 10.0.0.0 β 10.255.255.255
172.16.0.0/12 β 172.16.0.0 β 172.31.255.255
192.168.0.0/16 β 192.168.0.0 β 192.168.255.255
# Special addresses:
127.0.0.1 β Loopback (yourself)
169.254.x.x β APIPA (no DHCP server found)
0.0.0.0 β Default route / unspecified
255.255.255.255 β Limited broadcast
# CIDR notation:
192.168.1.0/24 β subnet mask 255.255.255.0 β 254 hosts
192.168.1.0/25 β subnet mask 255.255.255.128 β 126 hosts
10.0.0.0/8 β subnet mask 255.0.0.0 β 16,777,214 hosts
Chapter 4 β Subnetting
# Subnetting = dividing a network into smaller pieces
# Formula: usable hosts = 2^(host bits) - 2
# Quick prefix β hosts reference:
/24 β 254 hosts (255.255.255.0)
/25 β 126 hosts (255.255.255.128)
/26 β 62 hosts (255.255.255.192)
/27 β 30 hosts (255.255.255.224)
/28 β 14 hosts (255.255.255.240)
/29 β 6 hosts (255.255.255.248)
/30 β 2 hosts (255.255.255.252) β point-to-point links
# Example: subnet 192.168.1.0/26
Network: 192.168.1.0
First host: 192.168.1.1
Last host: 192.168.1.62
Broadcast: 192.168.1.63
Hosts: 62
# VLSM (Variable Length Subnet Masking) β subnet efficiently
# Given: 192.168.1.0/24 β allocate subnets for:
# Department A: 100 hosts β /25 (126 hosts) β 192.168.1.0/25
# Department B: 50 hosts β /26 (62 hosts) β 192.168.1.128/26
# Department C: 25 hosts β /27 (30 hosts) β 192.168.1.192/27
# Links: 2 hosts β /30 (2 hosts) β 192.168.1.224/30
Chapter 5 β TCP vs UDP
# TCP β Transmission Control Protocol
Reliable: YES (retransmits lost packets)
Ordered: YES (packets arrive in sequence)
Flow ctrl: YES (won't overwhelm receiver)
Speed: SLOWER (overhead of acknowledgements)
Use case: HTTP, HTTPS, SSH, FTP, SMTP, databases
# TCP 3-way handshake:
Client β SYN β Server "I want to connect"
Client β SYN-ACK β Server "OK, I'm ready"
Client β ACK β Server "Great, let's talk"
# UDP β User Datagram Protocol
Reliable: NO (fire and forget)
Ordered: NO
Flow ctrl: NO
Speed: FASTER (no overhead)
Use case: DNS, DHCP, VoIP, gaming, video streaming, NTP
# Security implications:
SYN flood β attacker sends thousands of SYN packets, never completes handshake
β server fills half-open connection table β DoS
UDP flood β sends UDP to random ports β server sends ICMP unreachable for each
Chapter 6 β Common Protocols & Ports
| Port | Protocol | Use | Security Note |
|---|---|---|---|
| 21 | FTP | File transfer | Credentials in plaintext! Use SFTP instead |
| 22 | SSH | Secure shell | Encrypted. Change default port, use key auth |
| 23 | Telnet | Remote shell | Plaintext! Never use in production |
| 25 | SMTP | Email sending | Relay abuse, spam, phishing |
| 53 | DNS | Name resolution | DNS poisoning, zone transfer leaks |
| 80 | HTTP | Web (unencrypted) | MITM, session hijacking. Use HTTPS |
| 443 | HTTPS | Web (encrypted) | Check SSL/TLS version, certificate validity |
| 445 | SMB | Windows file sharing | EternalBlue, WannaCry β always patch |
| 3306 | MySQL | Database | Never expose to internet |
| 3389 | RDP | Windows remote desktop | BlueKeep, brute-force β restrict access |
Chapter 7 β DNS Deep Dive
# DNS resolves domain names β IP addresses
# When you type "kalirange.com":
1. Browser checks local cache
2. Check /etc/hosts (Linux) or hosts file (Windows)
3. Query local DNS resolver (usually your router: 192.168.1.1)
4. Router queries Recursive DNS (8.8.8.8 or ISP's)
5. Recursive DNS asks Root DNS (13 root servers worldwide)
6. Root DNS refers to .com TLD server
7. TLD server refers to kalirange.com's authoritative DNS
8. Authoritative DNS returns the IP: 1.2.3.4
9. Your browser connects to 1.2.3.4:443
# DNS record types:
A β Domain to IPv4: kalirange.com β 1.2.3.4
AAAA β Domain to IPv6
CNAME β Alias: www β kalirange.com
MX β Mail server
TXT β Arbitrary text (SPF, DKIM, verification)
NS β Nameserver for the domain
PTR β Reverse DNS: IP β domain
SOA β Start of Authority
# DNS queries from command line:
dig kalirange.com # A record
dig kalirange.com MX # mail servers
dig kalirange.com NS # nameservers
dig @8.8.8.8 kalirange.com # query specific DNS server
# Zone transfer (security misconfiguration):
dig axfr @ns1.target.com target.com
# If allowed β dumps ALL DNS records (subdomains, internal hosts)
Chapter 8 β HTTP/S Deep Dive
# HTTP methods:
GET β retrieve a resource (no body)
POST β send data (login, forms)
PUT β replace a resource
PATCH β partially update
DELETE β remove a resource
HEAD β like GET but no response body
OPTIONSβ what methods are allowed?
# HTTP status codes:
1xx β Informational (100 Continue)
2xx β Success (200 OK, 201 Created, 204 No Content)
3xx β Redirect (301 Moved, 302 Found, 304 Not Modified)
4xx β Client Error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found)
5xx β Server Error (500 Internal Server Error, 503 Service Unavailable)
# Security headers (check with curl -I):
Strict-Transport-Security β force HTTPS
Content-Security-Policy β restrict JS sources (XSS mitigation)
X-Frame-Options β prevent clickjacking
X-Content-Type-Options β prevent MIME sniffing
Referrer-Policy β control referrer header
Permissions-Policy β control browser features
# Check security headers:
curl -I https://kalirange.com
Chapter 9 β Routing Basics
# Routers connect different networks (Layer 3)
# Switches connect devices within a network (Layer 2)
# Routing table decision process:
1. Match destination IP against routing table entries
2. Use MOST SPECIFIC match (longest prefix)
3. If tie β use lowest Administrative Distance
4. If still tie β use lowest metric
# Static vs Dynamic routing:
Static β manually configured, no overhead, doesn't adapt
OSPF β Link State, fast convergence, scales well (enterprise)
EIGRP β Cisco proprietary, fast, uses bandwidth+delay metric
RIP β old, slow, max 15 hops, don't use in production
BGP β internet routing protocol (between ISPs)
# Linux routing table:
ip route show
default via 192.168.1.1 dev eth0 β default gateway
192.168.1.0/24 dev eth0 proto kernel β directly connected
# Add a route on Linux:
sudo ip route add 10.0.0.0/8 via 192.168.1.1
Chapter 10 β Switching
# Switches forward frames based on MAC address table
# They LEARN MAC addresses from incoming frames
# Switch process for incoming frame:
1. Record Source MAC + port β add to MAC table
2. Look up Destination MAC in table:
β Found: forward only to that port (unicast)
β Not found: flood to all ports except source (unknown unicast)
β Broadcast: flood to all ports except source
# VLANs (Virtual LANs):
Logically separate devices on same physical switch
VLAN 10: Sales (192.168.10.0/24)
VLAN 20: IT (192.168.20.0/24)
VLAN 30: Servers (192.168.30.0/24)
Traffic between VLANs must go through a router (inter-VLAN routing)
# Access vs Trunk ports:
Access port β belongs to ONE VLAN, used for devices (PCs, printers)
Trunk port β carries MULTIPLE VLANs (between switches, router-on-stick)
# 802.1Q VLAN tagging (trunk links):
Ethernet frame + 4-byte VLAN tag added on trunk ports
Tag removed when frame exits to access port (device never sees it)
Chapter 11 β Firewalls & NAT
# Firewall types:
Packet Filter β simple, checks IP/port/protocol, no state
Stateful Firewall β tracks connection state (knows if packet is part of existing connection)
NGFW β Next-Gen: also inspects application layer, IPS, SSL inspection
WAF β Web Application Firewall: HTTP-specific rules (SQLi, XSS)
# iptables (Linux firewall):
sudo iptables -L -n -v # list rules
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # allow SSH
sudo iptables -A INPUT -j DROP # block all other incoming
# NAT (Network Address Translation):
Problem: private IPs (192.168.x.x) are not routable on internet
NAT: router translates private IP:port β public IP:port
# NAT types:
Static NAT β one private IP β one public IP (one-to-one)
PAT/NAT β many private IPs β one public IP (many-to-one) = home router
different source ports used to track connections
# Check your public IP:
curl ifconfig.me
curl icanhazip.com
Chapter 12 β Network Security
# Common network attacks and defences:
# ARP Poisoning (MITM):
Attack: attacker sends fake ARP replies β "I am the gateway"
β all traffic routed through attacker
Defence: Dynamic ARP Inspection (DAI) on switches
Static ARP entries for critical hosts
# VLAN Hopping:
Attack 1: Switch Spoofing β attacker's switch negotiates trunk with real switch
Attack 2: Double Tagging β packet has two VLAN tags; outer removed at first switch
Defence: set all access ports to "switchport mode access" (never auto/dynamic)
use a dedicated native VLAN with no devices on it
# Network monitoring:
wireshark # GUI packet capture
tcpdump -i eth0 # CLI packet capture
tcpdump -i eth0 port 80 # filter HTTP
tcpdump -i eth0 host 8.8.8.8 # filter by host
tcpdump -w capture.pcap # save to file
Workbook Complete! Networking is the foundation of everything in security. You can't attack or defend what you don't understand. Read Computer Networks by Tanenbaum for even deeper knowledge.