02 - Network For Pentesters


Network for Penetration Testers

Data link layer


The Data Link Layer, also known as Layer 2 of
the OSI model, is responsible for establishing
and maintaining communication between
devices on the same network segment. It deals
with the physical addressing of devices, error
detection and correction, and the framing of
data packets for transmission.
Addressing
● The Data Link Layer uses Media Access Control (MAC) addresses, which are
unique hardware addresses assigned to network interface cards (NICs) by
manufacturers.

● MAC addresses are 48 bits long (6 bytes) and are typically represented in
hexadecimal format. Example: 00:1A:2B:3C:4D:5E
Error Detection and Flow Control
● The Data Link Layer performs error detection using techniques like cyclic
redundancy check (CRC) to ensure the integrity of transmitted data.

● Flow control mechanisms help manage the flow of data between sender and
receiver, preventing data overflow and ensuring smooth communication.
Media Access Control (MAC)
● The MAC sublayer is responsible for controlling access to the physical
network medium. It ensures that multiple devices connected to the same
network segment can communicate without causing data collisions.

● MAC addresses, also known as hardware addresses or physical addresses,
are unique identifiers assigned to network interface cards (NICs) by
manufacturers. They are used by the MAC sublayer to address and direct
data packets to the correct destination within the local network.
Media Access Control (MAC)
● Ethernet is one of the most common protocols associated with the MAC
sublayer. It uses MAC addresses to deliver frames between devices on a
local area network (LAN).
Switching and Bridging
● Data Link Layer switches and bridges operate at Layer 2 and use MAC addresses
to forward frames between devices within the same LAN.

● Switches maintain MAC address tables to learn and store MAC addresses
associated with specific ports. This enables efficient and intelligent forwarding of
frames to their intended destinations.
Ethernet
Ethernet is a widely used networking
technology that operates at the Data Link
Layer (Layer 2) of the OSI model. It is known
for its simplicity, scalability, and compatibility
with various network devices.
Physical Medium
Ethernet can operate over various physical media:
● twisted-pair copper cables (Ethernet cables with RJ45 connectors)
● fiber optic cables
● wireless connections (Wi-Fi)
Frame Structure
● Data at the Data Link Layer is encapsulated into frames for transmission over the
network medium. A frame consists of several fields:
○ Preamble: Synchronizes receiver and sender clocks.
○ Start Frame Delimiter (SFD): Marks the start of the frame.
○ Destination MAC Address: Identifies the intended recipient device.
○ Source MAC Address: Identifies the sender of the frame.
○ Length/Type: Indicates the length of the data or the type of protocol used.
○ Data: Actual payload or data being transmitted.
○ Frame Check Sequence (FCS): Error-checking mechanism to detect
transmission errors.
○ Frame trailer: Marks the end of the frame.
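To make the frame layout above concrete, here is an added Python example (not code from the slides) that builds an Ethernet II frame from its fields, pads the payload to the 46-byte minimum, appends the FCS as a CRC-32, and then parses a frame back while verifying the FCS. The MAC addresses, EtherType and payload are constructed sample values; the Preamble and SFD are omitted because the NIC strips them before software sees the frame.

```python
import struct
import zlib

# Ethernet II layout as seen by software: dst MAC | src MAC | Length/Type | payload | FCS.
# Preamble and Start Frame Delimiter are handled by the NIC and never reach the host stack.
ETH_HEADER = struct.Struct("!6s6sH")   # 6-byte dst, 6-byte src, 2-byte Length/Type
FCS_LEN = 4
MIN_PAYLOAD = 46                       # Ethernet pads short payloads to 46 bytes


def mac_to_str(raw: bytes) -> str:
    """Render 6 raw bytes in the usual colon-separated hex form."""
    return ":".join(f"{b:02x}" for b in raw)


def str_to_mac(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """The FCS is CRC-32 over dst..payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | Length/Type | padded payload | FCS."""
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = ETH_HEADER.pack(str_to_mac(dst), str_to_mac(src), ethertype) + payload
    return body + ethernet_fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and check the FCS; raises on a damaged frame."""
    if len(frame) < ETH_HEADER.size + FCS_LEN:
        raise ValueError("frame too short")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst, src, length_type = ETH_HEADER.unpack_from(body)
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        # Values >= 0x0600 are an EtherType (0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6);
        # smaller values are an IEEE 802.3 length field instead.
        "ethertype": length_type if length_type >= 0x0600 else None,
        "length": length_type if length_type < 0x0600 else None,
        "payload": body[ETH_HEADER.size:],
    }


# Constructed sample: an ARP-typed frame between two lab hosts (addresses are made up).
SAMPLE = build_frame("00:1a:2b:3c:4d:5e", "aa:bb:cc:dd:ee:ff", 0x0806, b"hello")


def demo():
    """Parse the sample, then flip one payload bit to show the FCS catching the damage."""
    fields = parse_frame(SAMPLE)
    damaged = bytearray(SAMPLE)
    damaged[20] ^= 0x01            # byte 20 lies inside the padded payload
    try:
        parse_frame(bytes(damaged))
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    return fields, corruption_detected


if __name__ == "__main__":
    f, caught = demo()
    print(f["dst"], f["src"], hex(f["ethertype"]), "corruption detected:", caught)
```

The FCS only detects accidental corruption; it is not a security control, since anyone who can rewrite a frame can also recompute its CRC.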
Frame Structure
Ethernet Standards
Various Ethernet standards specify different data rates (speeds) and physical media
types. Common Ethernet standards include:
● 10BASE-T: Operates at 10 Mbps over twisted-pair copper cables.
● 100BASE-TX: Operates at 100 Mbps over twisted-pair copper cables.
● 1000BASE-T (Gigabit Ethernet): Operates at 1 Gbps over twisted-pair copper
cables.
● 10GBASE-T (10 Gigabit Ethernet): Operates at 10 Gbps over twisted-pair copper
cables.
● 1000BASE-SX/LX (Gigabit Ethernet over fiber): Operates at 1 Gbps over fiber
optic cables.
Ethernet in LANs and WANs
● Ethernet is commonly used in local area networks (LANs) for connecting devices
within a limited geographical area, such as offices, homes, or campuses.
ARP
ARP (Address Resolution Protocol) is a crucial
protocol in computer networking that operates
at the Data Link Layer (Layer 2) and the
Network Layer (Layer 3) of the OSI model. Its
primary function is to resolve (map) IP
addresses to MAC addresses within a local
network.
Address Resolution
● ARP is used to resolve the mapping between IP addresses (logical addresses)
and MAC addresses (physical addresses) within the same subnet or local network
segment.
● When a device wants to communicate with another device on the same subnet, it
needs to know the MAC address of the destination device. ARP helps in obtaining
this information.
ARP Request and Reply
● When a device wants to find the MAC address associated with a specific IP
address, it sends an ARP request broadcast message to all devices on the local
network. It basically asks, “Howdy everybody, my IP address is XX.XX.XX.XX,
and my MAC address is XX:XX:XX:XX:XX:XX. I need to send something to
whoever has the IP address XX.XX.XX.XX, but I don’t know its hardware
address. Will whoever has this IP address please respond back with your MAC
address?”
● The ARP request message contains the IP address the sender wants to resolve.
● The device with the corresponding IP address replies with an ARP reply message,
which includes its MAC address. It simply answers, “Hey, transmitting device,
I’m who you are looking for with the IP address of XX.XX.XX.XX. My MAC
address is XX:XX:XX:XX:XX:XX.”
ARP Request and Reply
● Once the sender receives the ARP reply, it can update its ARP cache (also known
as ARP table) with the MAC address of the destination device for future
communication.
ARP Request and Reply
ARP Cache
● Each device maintains an ARP cache, which is a table that stores mappings
between IP addresses and MAC addresses of other devices on the local network.

● The ARP cache helps devices avoid sending ARP requests for frequently
accessed IP addresses, improving network efficiency.
ARP Operation Example
● Suppose Device A wants to communicate with Device B using its IP address.
● Device A checks its ARP cache for Device B's MAC address. If not found, it sends
an ARP request to all devices on the network.
● Device B, recognizing its IP address in the ARP request, replies with an ARP reply
containing its MAC address.
● Device A updates its ARP cache with Device B's MAC address and can now send
packets directly to Device B.
ARP Header
● Hardware Type: The layer 2 type used. In most cases, this is
Ethernet (type 1).
● Protocol Type: The higher-layer protocol for which the ARP
request is being used.
● Hardware Address Length: The length (in octets/bytes) of the
hardware address in use (6 for Ethernet).
● Protocol Address Length: The length (in octets/bytes) of the
logical address of the specified protocol type.
● Operation: The function of the ARP packet: 1 for a request and 2 for
a reply.
● Sender Hardware Address: The hardware address of the sender.
● Sender Protocol Address: The sender’s upper-layer protocol
address.
● Target Hardware Address: The intended receiver’s hardware
address (zeroed in ARP requests).
● Target Protocol Address: The intended receiver’s upper-layer
protocol address.
ARP utility
● The arp utility is used to view and manipulate the ARP cache.
● Open cmd or a terminal and type
○ arp -a → to list the cache
○ arp -s ip-address mac-address → to add a (static) entry
○ arp -d ip-address → to delete an entry
ARP Spoofing
● ARP spoofing (also known as ARP Cache poisoning) is a malicious attack where
an attacker sends falsified ARP messages to associate their MAC address with the
IP address of another device.
● This attack can be used for various malicious purposes, such as intercepting
network traffic, performing man-in-the-middle attacks, or launching
denial-of-service attacks.
● To mitigate ARP spoofing, techniques like ARP inspection, static ARP entries, and
secure ARP protocols (Secure ARP in IPv6) are used.
ARP Spoofing MITM
ARP Spoofing Demo using ettercap
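The following added Python example (not the slides' code, and unrelated to ettercap) ties the ARP header slide and the ARP spoofing slide together from the defender's side: it packs and parses the nine ARP header fields with struct, then feeds a constructed sequence of packets to a small watcher that records the sender IP-to-MAC binding from each packet and raises an alert when an IP it already knows is claimed by a different MAC, which is the observable symptom of cache poisoning. All addresses in the sample stream are made up; the packets are only parsed, never sent.

```python
import struct

# Fixed-size ARP packet for Ethernet/IPv4: 2+2+1+1+2+6+4+6+4 = 28 bytes.
ARP = struct.Struct("!HHBBH6s4s6s4s")
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2


def mac(text):     return bytes(int(p, 16) for p in text.split(":"))
def ip(text):      return bytes(int(p) for p in text.split("."))
def mac_str(raw):  return ":".join(f"{b:02x}" for b in raw)
def ip_str(raw):   return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Pack the ARP header fields in wire order; a request carries an all-zero target MAC."""
    return ARP.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                    mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def parse_arp(packet: bytes) -> dict:
    """Unpack an ARP packet and reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(packet)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Passive poisoning detector: learn IP->MAC bindings, alert when a known IP changes MAC."""

    def __init__(self):
        self.bindings = {}   # first-seen MAC for each IP
        self.alerts = []

    def observe(self, packet: bytes) -> dict:
        p = parse_arp(packet)
        known = self.bindings.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            self.alerts.append(
                f'{p["sender_ip"]} was {known}, now claimed by {p["sender_mac"]} (op={p["op"]})')
        self.bindings.setdefault(p["sender_ip"], p["sender_mac"])
        return p


# Constructed sample stream: a host asks for the gateway, the gateway answers,
# then a second MAC answers for the same gateway IP (conflicting binding).
SAMPLE_STREAM = [
    build_arp(OP_REQUEST, "aa:bb:cc:dd:ee:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(OP_REPLY,   "00:11:22:33:44:55", "192.168.1.1",  "aa:bb:cc:dd:ee:01", "192.168.1.10"),
    build_arp(OP_REPLY,   "de:ad:be:ef:00:01", "192.168.1.1",  "aa:bb:cc:dd:ee:01", "192.168.1.10"),
]


def run_sample():
    """Feed the sample packets through the watcher and return what it learned."""
    watch = ArpWatch()
    for pkt in SAMPLE_STREAM:
        watch.observe(pkt)
    return watch.bindings, watch.alerts


if __name__ == "__main__":
    bindings, alerts = run_sample()
    print("bindings:", bindings)
    print("alerts:", alerts)
```

A binding change is an indicator, not proof: DHCP reassignments and NIC replacements also produce one, so a real deployment keeps an allow-list of expected gateway and server MACs and treats changes to those as high priority.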
IPv4
IPv4 (Internet Protocol version 4) is the fourth
revision of the Internet Protocol (IP) and is
widely used for communication over the
Internet and private networks. It defines how
data packets are addressed, routed, and
transmitted across networks.
Objective and Context
● The objective of IP is to allow communication between different networks, with
a system of addressing, information on fragmentation and routing.
● In a simple network, e.g. a Local Area Network (LAN), the communication is
managed using MAC addresses, but when we want to connect two LANs we
need a router, which operates at layer 3 and uses the IP protocol.
● IP operates at layer 3 and is connection-less.
● Defined in RFC 791.
Addressing Scheme

● An IP address is a numerical label assigned to each device connected to a
network. It consists of two parts: the network portion and the host portion.
● In IPv4, IP addresses are 32 bits long and are typically represented in decimal
format for human readability, such as 192.168.1.1. The address is divided
into four octets, with each octet ranging from 0 to 255 (00000000 to
11111111), so IPv4 addresses range from 0.0.0.0 to 255.255.255.255.
● The network portion identifies the network to which the device belongs, while
the host portion identifies the specific device within that network.
Header Format
● IPv4 packet consists of a header and a
payload. The header contains essential
information for routing and delivery of the
packet.
● The IPv4 header includes fields such as
version, header length, type of service,
total length, identification, flags, fragment
offset, time to live (TTL), protocol (TCP,
UDP), header checksum, source IP
address, and destination IP address.
Routing
● IPv4 routers use routing tables to determine the best path for forwarding
packets between networks. Routing protocols like RIP, OSPF, and BGP are
used to exchange routing information and maintain routing tables dynamically.

● IPv4 supports unicast (one-to-one), multicast (one-to-many), and broadcast
(one-to-all) communication.
TTL (Time to Live)
The TTL field in the IPv4 header specifies the maximum number of hops (routers)
a packet can traverse before being discarded. It prevents packets from circulating
indefinitely in the network.
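As an added Python example (not from the slides) covering the header format and the TTL slides, this builds the 20-byte fixed IPv4 header with struct, computes the RFC 791 one's-complement header checksum, parses a header back while verifying that checksum, and performs the per-hop step a router does (decrement TTL, recompute the checksum, discard at zero). The addresses, identification value and payload length are constructed sample values.

```python
import struct
import ipaddress

# Fixed part of the IPv4 header (no options): 20 bytes in network byte order.
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words. Over a header whose
    checksum field is zeroed it yields the checksum; over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, df: bool = True) -> bytes:
    ihl = 5                                  # header length in 32-bit words
    flags_frag = (0x4000 if df else 0)       # DF is bit 14; fragment offset 0
    total_len = ihl * 4 + payload_len
    hdr = IPV4_FIXED.pack((4 << 4) | ihl, 0, total_len, ident, flags_frag, ttl, protocol, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # checksum field occupies bytes 10-11
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed header fields; raises if the version or checksum is wrong."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = IPV4_FIXED.unpack_from(data)
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(data) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(data[:ihl * 4]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, proto),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def forward_hop(header: bytes) -> bytes:
    """Router behaviour: decrement TTL and recompute the checksum; TTL of 1 or less is discarded."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: packet discarded")
    new = bytearray(header)
    new[8] = ttl - 1
    new[10:12] = b"\x00\x00"
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new)


# Constructed sample: a TCP packet with a 20-byte payload between two lab addresses.
SAMPLE_HEADER = build_ipv4_header("192.168.1.100", "10.0.0.5", 6, payload_len=20)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print("after one hop, TTL =", parse_ipv4_header(forward_hop(SAMPLE_HEADER))["ttl"])
```

Because any router rewrites TTL and the checksum, neither field protects the packet; they only catch accidental damage, which is why IPsec is the page's answer to integrity and authenticity.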
IPv4 Limitations
● One of the main limitations of IPv4 is the limited address space, leading to
address exhaustion. This issue led to the development and adoption of IPv6,
which provides a much larger address space.

● IPv4 also lacks built-in security features, although protocols like IPsec can be
used for secure communication.
IPv4 (Internet Protocol version 4) used a
system of address classes to manage and
allocate IP addresses within networks. These
classes define different ranges of IP addresses
based on their purpose and size. There are five
classes in total: A, B, C, D, and E. Classful
addressing is now historical and has been
replaced by classless (CIDR) addressing.
Address Classes

Class   First octet   Range                          Notes
A       0-127         0.0.0.0 – 127.0.0.0            First 8 bits are the network (N.0.0.0)
B       128-191       128.0.0.0 – 191.255.0.0        First 16 bits are the network (N.N.0.0)
C       192-223       192.0.0.0 – 223.255.255.0      First 24 bits are the network (N.N.N.0)
D       224-239       224.0.0.0 – 239.255.255.255    Used for multicast.
E       240-255       240.0.0.0 – 255.255.255.255    Reserved for experimental use.


Class A Addresses
● Class A addresses are identified by the first bit being 0 in binary notation.
They are used for large networks and can accommodate a vast number of
devices.
● The range of Class A addresses is from 0.0.0.0 to 127.255.255.255, with
0.0.0.0 reserved as the default route and 127.0.0.0 to 127.255.255.255
reserved for loopback testing.
● The first octet (8 bits) represents the network portion, and the remaining three
octets (24 bits) represent hosts. This allows for up to 16,777,214 hosts per
network.
Class B Addresses
● Class B addresses are identified by the first two bits being 10 in binary
notation. They are typically used for medium-sized networks.
● The range of Class B addresses is from 128.0.0.0 to 191.255.255.255.
● The first two octets (16 bits) represent the network portion, and the remaining
two octets (16 bits) represent hosts. This allows for up to 65,534 hosts per
network.
Class C Addresses
● Class C addresses are identified by the first three bits being 110 in binary
notation. They are used for small networks and are commonly assigned to
organizations.
● The range of Class C addresses is from 192.0.0.0 to 223.255.255.255.
● The first three octets (24 bits) represent the network portion, and the
remaining octet (8 bits) represent hosts. This allows for up to 254 hosts per
network.
Class D Addresses
● Class D addresses are identified by the first four bits being 1110 in binary
notation. They are reserved for multicast addresses, used for one-to-many
communication.
● The range of Class D addresses is from 224.0.0.0 to 239.255.255.255.
Class E Addresses
● Class E addresses are identified by the first four bits being 1111 in binary
notation. They are reserved for experimental or future use and are not
typically assigned to devices on networks.
● The range of Class E addresses is from 240.0.0.0 to 255.255.255.255.
Reserved Addresses
● Loopback Address: 127.0.0.0/8 (127.0.0.1 - 127.255.255.254)
○ Used for internal testing and communication within the device itself. The most commonly used
address is 127.0.0.1, which refers to the device's own loopback interface.
● Private IP Addresses:
○ Class A: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
○ Class B: 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
○ Class C: 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
○ Reserved for use in private networks and are not routable on the public internet. They are
commonly used for internal networks within organizations and are translated to public IP
addresses by NAT (Network Address Translation) when accessing the internet.
● Link-local Addresses: 169.254.0.0/16 (169.254.0.0 - 169.254.255.255)
○ Automatically assigned to devices when they cannot obtain an IP address from a DHCP
server. Used for communication within a single network segment.
Reserved Addresses
● Multicast Addresses: Ranges from 224.0.0.0 to 239.255.255.255
○ Used for one-to-many communication, where a single packet is sent from one sender to
multiple receivers. Various multicast groups are defined for specific purposes.
● Broadcast Address: 255.255.255.255
○ Used to send data packets to all devices on the same network segment. Broadcast traffic is
limited to the local network and does not cross routers.

Classful network ID and broadcast address examples:

Class   Network ID     Broadcast Address
A       10.0.0.0       10.255.255.255
B       172.16.0.0     172.16.255.255
C       192.168.1.0    192.168.1.255
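The class and reserved-range slides above reduce to two decisions a tool has to make about any IPv4 address: which leading-bit pattern it matches, and whether it falls in a range that must never appear as a public source or destination. This added Python example (not from the slides) implements both, derives the classful network ID and broadcast address from the class's default mask, and tags the reserved ranges the page lists using the standard ipaddress module; the addresses passed to it are constructed samples.

```python
import ipaddress


def address_class(addr: str) -> str:
    """Classify by the leading bits of the first octet, as the class slides describe."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # classes D and E have no host portion


def classful_network(addr: str):
    """Network ID and directed broadcast under the class's default mask, or None for D/E."""
    cls = address_class(addr)
    prefix = DEFAULT_PREFIX.get(cls)
    if prefix is None:
        return None
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return cls, str(net.network_address), str(net.broadcast_address)


# Reserved ranges from the slides; RFC 1918 is the source of the three private blocks.
RESERVED = [
    ("loopback",            ipaddress.IPv4Network("127.0.0.0/8")),
    ("private (RFC 1918)",  ipaddress.IPv4Network("10.0.0.0/8")),
    ("private (RFC 1918)",  ipaddress.IPv4Network("172.16.0.0/12")),
    ("private (RFC 1918)",  ipaddress.IPv4Network("192.168.0.0/16")),
    ("link-local",          ipaddress.IPv4Network("169.254.0.0/16")),
    ("multicast",           ipaddress.IPv4Network("224.0.0.0/4")),
    ("limited broadcast",   ipaddress.IPv4Network("255.255.255.255/32")),
]


def describe(addr: str) -> dict:
    """Class, reserved-range tags and (where defined) classful network ID and broadcast."""
    ip = ipaddress.IPv4Address(addr)
    tags = [name for name, net in RESERVED if ip in net]
    info = {"address": addr, "class": address_class(addr),
            "reserved": tags, "public": not tags}
    classful = classful_network(addr)
    if classful:
        info["network_id"], info["broadcast"] = classful[1], classful[2]
    return info


if __name__ == "__main__":
    # constructed sample addresses, one per interesting case
    for sample in ("10.1.2.3", "172.20.1.1", "192.168.1.77", "169.254.10.1",
                   "224.0.0.1", "255.255.255.255", "8.8.8.8"):
        print(describe(sample))
```

The "public" flag is the one a defender uses when ingesting logs: a packet arriving from the Internet with a source in any of these ranges is spoofed or misrouted and should be dropped at the edge (RFC 1918 and loopback sources in particular).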
Limitations of IP classes
● Inefficient Allocation: Classful addressing offered fixed network sizes (A - large, B -
medium, C - small). This became problematic as the internet grew and network needs
varied greatly. Organizations with a medium number of devices might be assigned a
Class B address with thousands of unused addresses, leading to wasted space.
● Address Exhaustion: The limited number of available addresses, especially Class B,
became depleted due to the inefficient allocation system. This contributed to the overall
shortage of IPv4 addresses.
● Scalability limitations: Classful addressing couldn't accommodate the exponential
growth of the internet and the increasing number of devices needing IP addresses.
Subnet and subnet mask
A subnet mask, also known as a netmask, is a
32-bit number used in conjunction with an IP
address to determine the network and host
portions of the address. It serves as a dividing
line that separates the network identifier
(network address) from the host identifier (host
address) within an IP address. A subnet mask
uses binary 1s to indicate the network portion
and binary 0s to indicate the host portion.
Binary Representation
● A subnet mask consists of 32 bits, represented in binary format.
● It's often written in decimal format for human readability, such as
255.255.255.0 for a Class C network.
● In binary, a subnet mask with consecutive 1s followed by consecutive 0s
indicates the division between network and host portions. For example:
○ 255.255.255.0 in decimal is 11111111.11111111.11111111.00000000 in
binary.
○ In this subnet mask, the first 24 bits (or 3 octets) are dedicated to the
network, and the remaining 8 bits (or 1 octet) are for hosts.
Network Portion vs. Host Portion
● The network portion of an IP address, determined by the subnet mask,
identifies the specific network to which a device belongs.
● The host portion of an IP address, also determined by the subnet mask,
identifies the individual device within that network.
CIDR Notation
● Classless Inter-Domain Routing (CIDR) notation is commonly used to
represent subnet masks and IP addresses in a concise format.

● In CIDR notation, the subnet mask is expressed as the number of bits set to 1
in the mask. For example:
○ A subnet mask of 255.255.255.0 (or /24 in CIDR) means the first 24
bits are for the network and the remaining 8 bits are for hosts.
Example
● Consider an IP address 192.168.1.100 with a subnet mask 255.255.255.0
(/24). In binary, the subnet mask is 11111111.11111111.11111111.00000000.
● The first 24 bits (11111111.11111111.11111111) represent the network, and the
last 8 bits (00000000) represent hosts.
● Thus, the network address is 192.168.1.0, and the range of host addresses is
from 192.168.1.1 to 192.168.1.254, with 192.168.1.255 reserved for
broadcasts.
A subnet, short for subnetwork, is a logical
subdivision of an IP network. It allows network
administrators to divide a larger network into
smaller, more manageable segments. Subnetting
helps improve network performance, security,
and efficiency by organizing devices into smaller
groups based on their IP addresses.
Subnetting
● Subnetting involves creating smaller networks within a larger network by
borrowing bits from the host portion of the IP address to create additional
network addresses.
● By subnetting, administrators can efficiently allocate IP addresses and reduce
broadcast traffic, improving network performance.
● Subnetting also enhances network security by isolating segments of the
network and implementing access controls between subnets.
Subnet Calculation
● To create subnets, you determine the number of subnets and hosts per
subnet required for your network.
● You then calculate the subnet mask based on the number of subnet bits
needed. For example, if you need 4 subnets, you would borrow 2 bits (2^2 = 4
subnets) from the host portion of the subnet mask.
● The formula for calculating the number of hosts per subnet is 2^(number of
host bits) - 2, where the -2 accounts for the network address and broadcast
address, which cannot be assigned to hosts.
Subnetting Example
● Take the network 192.168.1.0 with a subnet mask of 255.255.255.0 (/24) and
subnet it into 4 subnets.
● Borrowing 2 bits from the host portion (making it a /26 subnet mask), you
create the following subnets:
○ Subnet 1: 192.168.1.0/26 (192.168.1.1 to 192.168.1.62)
○ Subnet 2: 192.168.1.64/26 (192.168.1.65 to 192.168.1.126)
○ Subnet 3: 192.168.1.128/26 (192.168.1.129 to 192.168.1.190)
○ Subnet 4: 192.168.1.192/26 (192.168.1.193 to 192.168.1.254)
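The subnet mask, CIDR and subnetting slides above are all bit arithmetic, so here is an added Python example (not from the slides) that carries it out explicitly rather than hiding it in a library: it converts a dotted mask to a prefix length (rejecting non-contiguous masks), derives network address, broadcast and usable host range with AND/OR on the 32-bit value, and splits a network into the requested number of subnets by borrowing host bits. The standard ipaddress module is used only as a cross-check. The 192.168.1.0/24 input reproduces the four /26 subnets listed above; any other address and prefix are constructed inputs.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """'192.168.1.100' -> 32-bit integer (raises on octets outside 0-255)."""
    return int.from_bytes(bytes(int(p) for p in dotted.split(".")), "big")


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask_dotted: str) -> int:
    """255.255.255.0 -> 24; a mask whose ones are not contiguous is invalid."""
    mask = to_int(mask_dotted)
    ones = bin(mask).count("1")
    if mask_from_prefix(ones) != mask:
        raise ValueError(f"non-contiguous subnet mask {mask_dotted}")
    return ones


def network_info(addr: str, prefix: int) -> dict:
    """Network, broadcast and host range: AND with the mask, OR with its inverse."""
    mask = mask_from_prefix(prefix)
    network = to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    usable = max((1 << (32 - prefix)) - 2, 0)      # 2^(host bits) - 2; /31 and /32 have none
    return {
        "network": to_dotted(network), "mask": to_dotted(mask), "prefix": prefix,
        "broadcast": to_dotted(broadcast), "usable_hosts": usable,
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
    }


def subnet(addr: str, prefix: int, count: int) -> list:
    """Split addr/prefix into at least `count` equal subnets by borrowing host bits."""
    borrowed = (count - 1).bit_length()            # smallest n with 2^n >= count
    new_prefix = prefix + borrowed
    if 32 - new_prefix < 2:
        raise ValueError("not enough host bits left for usable subnets")
    base = to_int(addr) & mask_from_prefix(prefix)
    block = 1 << (32 - new_prefix)                 # addresses per subnet
    return [network_info(to_dotted(base + i * block), new_prefix)
            for i in range(1 << borrowed)]


def agrees_with_stdlib(addr: str, prefix: int) -> bool:
    """Cross-check the hand-rolled arithmetic against ipaddress."""
    ours = network_info(addr, prefix)
    ref = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return (ours["network"] == str(ref.network_address)
            and ours["broadcast"] == str(ref.broadcast_address))


if __name__ == "__main__":
    print(network_info("192.168.1.100", prefix_from_mask("255.255.255.0")))
    for s in subnet("192.168.1.0", 24, 4):
        print(f'{s["network"]}/{s["prefix"]}: {s["first_host"]} to {s["last_host"]}, '
              f'broadcast {s["broadcast"]}')
```

When reviewing firewall or scope documents, the non-contiguous-mask check matters: a typo such as 255.255.0.255 silently matches a different set of hosts in tools that accept it.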
