
Ethical Hacking Notes

Network:
 Multiple devices connected to each other and sharing resources form a network. A computer network is a
group of devices connected physically or logically for communication.
 Each device in the network is known as a host or node.
 The Internet is an interconnection of networks: many separate networks communicating with each
other.
 A network is a set of devices (nodes) connected by communication links.
 A node can be a computer, printer, or any other device capable of sending and/or receiving data
generated by other nodes on the network.
 A network is a combination of hardware and software that sends data from one location to another.
 The hardware consists of the physical equipment that carries signals from one point of the network to
another.
 The software consists of the instruction sets that make possible the services we expect from a network.

Application of Network
• Resource Sharing
– Hardware (computing resources, disks, printers)
– Software (application software)
• Information Sharing
– Easy accessibility from anywhere (files, databases)
– Search Capability (WWW)
• Communication
– Email
– Message broadcast
• Remote computing
• Distributed processing

Transmission Modes:
 Transmission mode describes the direction in which data can flow between two devices over a link. It
is also known as the communication mode. Buses and networks are designed to allow communication
between the individual devices that are interconnected.

There are three types of transmission mode:


 Simplex Mode
 Half Duplex Mode
 Full Duplex Mode

Simplex Mode:
 In Simplex mode, the communication is unidirectional, as on a one-way street. Only one
of the two devices on a link can transmit, the other can only receive. The simplex mode
can use the entire capacity of the channel to send data in one direction.

 Example: Keyboard and traditional monitors. The keyboard can only introduce input;
the monitor can only give the output.

Advantages:
 Simplex mode is the simplest mode of communication, since nothing has to be negotiated.
 It is the most cost-effective mode, as it only requires one communication channel.
 There is no need for coordination between the transmitting and receiving devices,
which simplifies the communication process.
 Simplex mode is particularly useful in situations where feedback or response is not
required, such as broadcasting or surveillance.

Disadvantages:
 Only one-way communication is possible.
 There is no way to verify if the transmitted data has been received correctly.
 Simplex mode is not suitable for applications that require bidirectional
communication.

Half Duplex Mode:


 In half-duplex mode, each station can both transmit and receive, but not at the same
time. When one device is sending, the other can only receive, and vice versa. The half-
duplex mode is used in cases where there is no need for communication in both
directions at the same time. The entire capacity of the channel can be utilized for each
direction.

 Example: Walkie-talkie in which message is sent one at a time and messages are sent in
both directions.

 Bandwidth-delay product = Bandwidth × Propagation delay. This is the amount of data in flight on the
link at any moment. In half-duplex mode a station must wait for the other side's transmission to arrive
in full before it can turn the line around and reply, so this product sets the turnaround cost.

Advantages:
 Half-duplex mode allows for bidirectional communication, which is useful in situations
where devices need to send and receive data.
 It is a more efficient mode of communication than simplex mode, as the channel can be
used for both transmission and reception.
 Half-duplex mode is less expensive than full-duplex mode, as it only requires one
communication channel.

Disadvantages:
 Throughput in each direction is lower than in full-duplex mode, since both devices cannot transmit at
the same time; if both try at once, their transmissions collide.
 There is a delay between transmission and reception, which can cause problems in
some applications.
 There is a need for coordination between the transmitting and receiving devices, which
can complicate the communication process.

Full Duplex Mode:


 In full-duplex mode, both stations can transmit and receive simultaneously. In full
duplex mode, signals going in one direction share the capacity of the link with signals
going in another direction, this sharing can occur in two ways:
 Either the link must contain two physically separate transmission paths, one for
sending and the other for receiving. Or the capacity is divided between signals traveling
in both directions.
 Full-duplex mode is used when communication in both directions is required all the
time. The capacity of the channel, however, must be divided between the two directions.
 Example: Telephone Network in which there is communication between two persons by
a telephone line, through which both can talk and listen at the same time.

Advantages:
 Full-duplex mode allows for simultaneous bidirectional communication, which is ideal
for real-time applications such as video conferencing or online gaming.
 It is the most efficient mode of communication, as both devices can transmit and
receive data simultaneously.
 Because each direction has its own dedicated capacity, there are no collisions between the two
stations. (Error detection is still needed; full duplex does not remove transmission errors.)

Disadvantages:
 Full-duplex mode is the most expensive mode, as it requires two communication
channels.
 It is more complex than simplex and half-duplex modes, as it requires two physically
separate transmission paths or a division of channel capacity.
 Full-duplex mode may not be suitable for all applications, as it requires a high level of
bandwidth and may not be necessary for some types of communication.

Repeater:
 Repeaters are network devices operating at the physical layer of the OSI model that take an incoming
signal and retransmit it at full strength. They are incorporated in networks to expand the coverage
area and are also known as signal boosters.
 A repeater is placed so that it receives the signal before it gets too weak or corrupted to recover.
 It is a two-port device.
 An analog repeater amplifies the signal (noise included); a digital repeater regenerates a clean copy of
the original bit stream, so it does not simply amplify.
Why are Repeaters needed?
 When an electrical signal is transmitted via a channel, it gets attenuated depending upon the nature of
the channel or the technology. This limits the length of a LAN segment or the coverage area of a
cellular network. The problem is alleviated by installing repeaters at certain intervals.
 A repeater strengthens the attenuated signal and then retransmits it. Digital repeaters can even
reconstruct signals distorted by transmission loss. Repeaters are therefore used to join two LAN
segments into one larger LAN. Note that a repeater forwards every bit it receives: it cannot filter
traffic, and the joined segments remain a single collision domain.

Types of Repeaters:
According to the types of signals that they regenerate, repeaters can be classified into two
categories −
 Analog Repeaters − They can only amplify the analog signal.
 Digital Repeaters − They can reconstruct a distorted signal.

According to the types of networks that they connect, repeaters can be categorized into two
types
 Wired Repeaters − They are used in wired LANs.
 Wireless Repeaters − They are used in wireless LANs and cellular networks.

According to the domain of LANs they connect, repeaters can be divided into two categories

 Local Repeaters − They connect LAN segments separated by small distance.
 Remote Repeaters − They connect LANs that are far from each other

Types of Networks:
• Personal area network, or PAN.
• Local area network, or LAN.
• Wireless Local area network, or WLAN.
• Campus area network, or CAN.
• Metropolitan area network, or MAN.
• Wide area network, or WAN.
• Enterprise private network, or EPN
• Virtual private network, or VPN

Personal area network, or PAN:


• A personal area network (PAN) connects electronic devices within a user's immediate area. The size of a
PAN ranges from a few centimeters to a few meters. One of the most common real-world examples of a
PAN is the connection between a Bluetooth earpiece and a smartphone. PANs can also connect laptops,
tablets, printers, keyboards, and other computerized devices.
• PAN network connections can either be wired or wireless. Wired connection methods include USB and
FireWire; wireless connection methods include Bluetooth (the most common), Wi-Fi, IrDA, and ZigBee.
• While devices within a PAN can exchange data with each other, PANs typically do not include a router
and thus do not connect to the Internet directly. A device within a PAN, however, can be connected to a
local area network (LAN) that then connects to the Internet. For instance, a desktop computer, a
wireless mouse, and wireless headphones can all be connected to each other, but only the computer can
connect directly to the Internet.

A PAN is a network at the personal level, mostly used to transfer small files between a user's own devices.
• Wireless: Bluetooth, infrared, NFC.
• Wired: USB cable.

Wireless:
• A wireless personal area network (WPAN) is a group of devices connected without the use of wires or
cables. Today, most PANs for everyday use are wireless. WPANs use close-range wireless connectivity
protocols such as Bluetooth.
• The range of a WPAN is usually very small, as short-range wireless protocols like Bluetooth are not
efficient over distances larger than 5-10 meters.
• Wireless Personal Area Network (WPAN) is connected through signals such as infrared, ZigBee,
Bluetooth and ultra wideband, etc.
• High-rate WPAN: The data throughput is more than 20 Mbps
• Medium-rate WPAN: Data throughput is 1 Mbps
• Low-rate WPAN: Data throughput is less than 0.25 Mbps

Following are examples of wireless personal area networks:

• Ultra-wideband (UWB): It is a communication method that is used in wireless networking. UWB spreads
its transmission across a very wide band of frequencies at low power per frequency, which gives it
high data rates over short distances with low power consumption. Data is transmitted over several
frequency channels simultaneously.

• ZigBee: It is a technology of home networking that is created for controlling and sensing networks. It is
based on IEEE 802.15.4 and is a standard to address the need for low-cost implementation of low-
power devices with low data rates for short-range wireless communications.

• Bluetooth: It is a WPAN technology that is used for exchanging data over short distances. It operates in
the unlicensed industrial, scientific and medical (ISM) band from 2.4 to 2.485 GHz.

• IrDA: IrDA is short for Infrared Data Association. This type of Personal Area Network uses infrared
light, whose frequency is just below the range visible to the human eye. It can run at speeds of 115.2
kbps, 1.15 Mbps and 4 Mbps. Devices that use IrDA ports must be within about 10 feet of each other with
a clear line of sight between them.
Wired PAN:
• Wired PAN is connected through cables such as FireWire or USB (Universal Serial Bus).
• These networks provide short connections between peripherals using wired technologies, such as USB,
IEEE-1394 high-performance serial buses or a Thunderbolt hardware interface.

Following are examples of wired personal area networks:


• IEEE 1394/ FireWire: It is an interface standard for serial buses that is used for high-speed
communications and isochronous real-time data transfer. This electronic standard is used for
connecting computers and includes a plug-and-socket connection with a serial bus interface.

• Thunderbolt: It is a hardware interface for connecting external peripherals to a computer. It extends
the PCIe bus (and DisplayPort) to external peripherals. The latest version, Thunderbolt 4, supports two
4K displays or a single 8K display over cables of up to two meters, and is fully compatible with USB4
protocol and data rates. Because it exposes PCIe directly, a malicious or compromised Thunderbolt
peripheral can issue DMA requests against host memory; modern systems counter this with IOMMU-based
DMA protection, which should be left enabled.

• Universal Serial Bus (USB): This industry standard establishes specifications for the cables,
connectors and protocols used for communication and power supply between peripheral devices and
personal computers. It was created to standardize the connection of peripherals, and over time has
become the common way to both communicate with and power them.

Local area network, or LAN:


• A local area network (LAN) is a collection of devices connected together in one physical location, such as
a building, office, or home. A LAN can be small or large, ranging from a home network with one user to
an enterprise network with thousands of users and devices in an office or school.
• Devices such as computers, servers, switches and printers located in the same building and connected
to the network over wired connections form an Ethernet LAN.
• A LAN comprises cables, access points, switches, routers, and other components that enable devices to
connect to internal servers, web servers, and other LANs via wide area networks.
• The rise of virtualization has also fueled the development of virtual LANs (VLANs), which enable network
administrators to logically group network nodes and partition their networks without a need for major
infrastructure changes.
• For example, in an office with multiple departments, such as accounting, IT support, and
administration, each department's computers could be physically connected to the same switch but
segmented to behave as if they were on separate networks. The boundary is only as strong as the switch
configuration and the filtering applied where traffic is routed between VLANs.

• Most LANs connect to the Internet at a central point: a router. Home LANs often use a single router,
while LANs in larger spaces may additionally use network switches for more efficient packet delivery.
• LANs almost always use Ethernet, Wi-Fi, or both in order to connect devices within the network.
Ethernet is a protocol for physical network connections that requires the use of Ethernet cables. WiFi is
a protocol for connecting to a network via radio waves.
• A variety of devices can connect to LANs, including servers, desktop computers, laptops, printers, IoT
devices, and even game consoles. In offices, LANs are often used to provide shared access to internal
employees to connected printers or servers.

There are Two types of LAN


• Client/Server LANs
• Peer-to-Peer LANs.

Client/Server LANs:
• A client/server LAN consists of several devices (the clients) connected to a central server. The server
manages file storage, application access, device access, and network traffic. A client can be any
connected device that runs or accesses applications or the Internet. The clients connect to the server
either with cables or through wireless connections.
• Typically, suites of applications can be kept on the LAN server. Users can access databases, email,
document sharing, printing, and other services through applications running on the LAN server, with
read and write access maintained by a network or IT administrator. Most midsize to large business,
government, research, and education networks are client/server-based LANs.

Peer-to-Peer LANs.:
• A peer-to-peer LAN doesn't have a central server and cannot handle heavy workloads like a
client/server LAN can, and so they're typically smaller. On a peer-to-peer LAN, each device shares
equally in the functioning of the network. The devices share resources and data through wired or
wireless connections to a switch or router. Most home networks are peer-to-peer.

Wireless Local area network, or WLAN.:


• A wireless local-area network (WLAN) is a group of collocated computers or other devices that form a
network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of
WLAN; anyone connected to Wi-Fi while reading this webpage is using a WLAN.
• A wireless local area network (WLAN) is a wireless distribution method for two or more devices.
WLANs use high-frequency radio waves and often include an access point to the Internet. A WLAN
allows users to move around the coverage area, often a home or small office, while maintaining a
network connection
• Wi-Fi standards are designed to let a moving user's connection roam from one access point to another,
though some users and applications may experience brief dropouts. Where the coverage of two access
points does not overlap, the connection is simply paused until the device associates with the next
access point.
• Additional access points can be wired or wireless. When access points overlap, they can be configured to
help optimize the network by sharing and managing loads.

Campus area network, or CAN.


• A network which joins two or more LANs together.
• A campus area network is a group of interconnected local area networks operating within a limited
geographical area. Campus networks are used in manufacturing, warehousing, universities, and also in
corporate and industrial settings.
• Campus Area Networks (CAN) provide more control over network resources and typically relies on a
centralized hub to which other locations connect, when compared to public networks. This network
design is also sometimes referred to as a corporate area network, but it functions just the same.

Metropolitan area network, or MAN.


• A Metropolitan Area Network is formed by connecting multiple LANs; thus, it covers a larger
geographical area than a LAN. A Metropolitan Area Network is more extensive than a LAN network but
smaller than a wide-area network (WAN). As the data does not have to travel long distances, MANs are
usually more efficient than WANs.
• A MAN is larger than a CAN: where a CAN spans the buildings of one site, a MAN spans a city or town.
• MAN’s are typically connected using a high speed connection such as fiber optic cables.
• Metropolitan Area Networks provide high-speed data networks for cities and towns while also providing
the necessary capacity at a cheaper rate, with greater efficiency than obtaining an equivalent service
from a local phone company. A MAN’s operating mechanism is similar to that of an Internet Service
Provider (ISP), but a single organization does not own a MAN network. A MAN, like a WAN, provides
its users with shared network connections.
• MAN’s primary goal is to establish a communication link between two independent LAN nodes in order
to connect geographically dispersed LANs. To accomplish this, the Metropolitan Area Network typically
uses optical fiber as a transmission medium, and the network is built with the help of routers and
switches.

• A switch forwards frames (layer 2) by learning which of its ports each MAC address sits behind and
sending each frame only to the port for its destination. A router forwards packets (layer 3), choosing
the best path toward each packet's destination IP address.

Wide area network, or WAN.


• A wide-area network (WAN) is the technology that connects your offices, data centers, cloud
applications, and cloud storage together. It is called a wide-area network because it spans beyond a
single building or large campus to include multiple locations spread across a specific geographic area, or
even the world. For example, businesses with many international branch offices use a WAN to connect
office networks together. The world's largest WAN is the internet because it is a collection of many
international networks that connect to each other.
• A WAN includes LANs, CANs and MANs. It spans a large geographic area such as a country, a continent or
the globe.
• Example: Internet.

Enterprise private network, or EPN:


• Enterprise networking refers to the creation and management of a group of interconnected computer
systems that serve the needs of a large business. It involves the use of local area networks (LANs) that
connect to wide area networks (WANs) and the cloud to facilitate data exchange, business processes,
and analysis of network activity.
• In an enterprise environment, various components, including data centers, branch offices, public and
private clouds, Internet of Things (IoT) devices, and employees, require reliable network connections.
Unlike the open nature of the internet, enterprise networks are restricted to specific users, devices, and
facilities, and often use encryption techniques such as virtual private networks (VPNs) or Transport
Layer Security (TLS) encryption to secure data transmission.
• What sets enterprise networking apart from other types of networking is its scale. Unlike a home LAN
that connects a few devices to the internet via a single router, enterprise networks connect thousands of
devices to each other and to the internet. Some enterprise networks are even assigned an autonomous
system number (ASN).
• An enterprise private network is a computer network built by a business to interconnect its various
company sites (such as production sites, offices and shops) in order to share computer resources.

Features of Enterprise Private Network


• Private and Secure − EPN is a private network that is not open to the public. It is designed to keep
the company's data and communication confidential and secure.
• Scalability − EPN is highly scalable, which means it can accommodate the growing needs of the
organization as it expands.
• Customization − EPN can be customized to meet the specific requirements of the organization. This
allows the organization to tailor the network to its specific needs and workflows.
• High-performance − EPN is designed to deliver high-performance connectivity with low latency,
high bandwidth, and high availability.
• Reliability − EPN is highly reliable and provides guaranteed uptime and service levels.
• Centralized Management − EPN is managed centrally, which makes it easy to monitor and manage
the network components.
• Quality of Service − EPN provides quality of service (QoS) guarantees, which means that the network
can prioritize traffic to ensure that critical applications receive the necessary bandwidth.
• Integration − EPN can be integrated with other enterprise systems, such as customer relationship
management (CRM) and enterprise resource planning (ERP) systems.

Virtual private network (VPN):


• A virtual private network (VPN) is software that creates an encrypted connection over a less secure
network, such as the public internet. A VPN works by using the shared public infrastructure while
maintaining privacy through security procedures and tunneling protocols.
• The protocols encrypt data at the sending end and decrypt it at the receiving end, sending it through a
"tunnel" that an observer on the path cannot read or inject into. Tunneling protects not only the data
but also the original source and destination addresses: the whole inner packet, headers included, is
encrypted and wrapped in an outer packet that is addressed only between the client and the VPN server.
• A VPN hides your IP address from the sites you visit by routing your traffic through a remote server run
by the VPN provider. If you surf online with a VPN, the VPN server appears as the source of your data.
• Your Internet Service Provider (ISP) and others on the path between you and the VPN server see only
encrypted traffic to the VPN server, not which websites you visit or what you send and receive. The VPN
provider itself, however, sees everything the ISP used to see, and the destination site still sees the
traffic once it leaves the tunnel, so a VPN moves trust rather than removing it. Encryption inside the
tunnel (such as TLS to the website) is still needed.
What are the benefits of a VPN connection?
• Secure encryption: To read the data, you need the encryption key. Without it, brute-forcing a modern
cipher is computationally infeasible. With a VPN, your traffic is protected from eavesdroppers even on
untrusted networks such as public Wi-Fi.

• Disguising your whereabouts: VPN servers essentially act as your proxies on the internet. Because the
location data is derived from the address of a server in another country, your actual location cannot be
determined by the sites you visit. Whether your activity is logged depends on the provider: many
advertise a "no-logs" policy, but that claim cannot be verified from the outside, so the provider has to be
trusted with the same information your ISP would otherwise have seen.
• Access to regional content: Regional web content is not always accessible from everywhere. Services
and websites often contain content that can only be accessed from certain parts of the world. They
determine your location from the source IP address of your connection. This means that you cannot
access content from home while traveling, and you cannot access international content from home. With
VPN location spoofing, you can switch to a server in another country and effectively "change" your
location.

• Secure data transfer: If you work remotely, you may need to access important files on your
company’s network. For security reasons, this kind of information requires a secure connection. To gain
access to the network, a VPN connection is often required. VPN services connect to private servers and
use encryption methods to reduce the risk of data leakage.
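The tunnel described above, as an added example that is not part of the original notes and not code from any VPN product: the inner packet, original addresses included, is encrypted and wrapped in an outer packet addressed only between the client and the VPN server, so an observer on the path sees the tunnel endpoints and nothing else, while the VPN server decrypts it and forwards it under its own address. The IP addresses and the tunnel key are constructed for the demo, and the cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so the example runs on the standard library alone; real VPNs (WireGuard, IPsec, OpenVPN) use an AEAD such as ChaCha20-Poly1305 or AES-GCM.

```python
# Added example (not from the original notes or any VPN product): how a VPN
# tunnel wraps a packet so that only the tunnel endpoints are visible on the path.
# Addresses and the tunnel key are constructed for the demo. The cipher is a toy
# encrypt-then-MAC built from HMAC-SHA256 so the example runs on the standard
# library alone; real VPNs use an AEAD such as ChaCha20-Poly1305 or AES-GCM.
import hashlib
import hmac
import json
import os

CLIENT_IP = "203.0.113.10"      # constructed: the user's real public address
VPN_SERVER_IP = "198.51.100.1"  # constructed: the provider's server
TUNNEL_KEY = bytes(range(32))   # constructed: would come from the VPN key exchange
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the tunnel key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Toy stream cipher: HMAC(key, nonce || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; reject tampered packets before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def encapsulate(inner):
    """Client side: the whole inner packet, addresses included, becomes the outer payload."""
    return {"src": CLIENT_IP, "dst": VPN_SERVER_IP,
            "payload": seal(TUNNEL_KEY, json.dumps(inner).encode())}


def on_path_view(outer):
    """What the ISP, or anyone between client and VPN server, can observe."""
    return {"src": outer["src"], "dst": outer["dst"], "size": len(outer["payload"])}


def is_authentic(outer):
    """True if the outer payload carries a valid tag for the tunnel key."""
    try:
        unseal(TUNNEL_KEY, outer["payload"])
        return True
    except ValueError:
        return False


def vpn_server_forward(outer):
    """Server side: decrypt, then send the inner packet on with the server's own source address."""
    inner = json.loads(unseal(TUNNEL_KEY, outer["payload"]))
    return {"src": VPN_SERVER_IP, "dst": inner["dst"], "payload": inner["payload"]}


if __name__ == "__main__":
    inner = {"src": CLIENT_IP, "dst": "192.0.2.80", "payload": "GET / HTTP/1.1"}
    outer = encapsulate(inner)
    print("on the path :", on_path_view(outer))        # only client <-> VPN server
    print("at the VPN  :", vpn_server_forward(outer))  # provider sees destination and data
    damaged = dict(outer, payload=outer["payload"][:-1] + bytes([outer["payload"][-1] ^ 1]))
    print("tampered ok?:", is_authentic(damaged))      # False
```

The point to take from `vpn_server_forward` is that the provider's server reconstructs the full inner packet, destination and payload included; the tunnel hides that information from the ISP, not from the VPN operator.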

Brief of VPN:
• Suppose our IP address is 101.22.23.3, which belongs to India, and that is why our device cannot access
the Spotify music app.
• Using the Psiphon app (an Android app) we can change the device's apparent IP address to one in the
location we want, say the US, where Spotify works seamlessly.
• The IP address is changed using VPN technology. Your device connects to a VPN server in the country you
entered in the location box of the Psiphon app, and your traffic then leaves with that server's IP address.
• Now when we search "what is my IP address?", the address shows as 45.79.66.125, which belongs to the
USA. Since Spotify works in the US, we can use it from India while appearing to be in the USA.
• A VPN also provides an encrypted tunnel between the client and the VPN server.
• A VPN is used to bypass many blocked sites.
• A VPN hides your IP address from the sites you visit; this is anonymity only toward those sites, since the
VPN provider still sees both your real address and your traffic.
• Country-wise browsing statistics obtained from VPN providers are also used for search engine
optimization (SEO) analysis; this method of SEO is used widely by many internet marketing managers to
form new strategies.

Network Topology:
• A network topology is the physical and logical arrangement of nodes and connections in a network.
Nodes usually include devices such as switches, routers and software with switch and router features.
Network topologies are often represented as a graph.
• The network topology defines the way in which computers, printers, and other devices are connected.
• A network topology describes the layout of the wire and devices as well as the paths used by data
transmissions

Type of Network Topology:


• Wired topology: Each computer on the network is connected to the other computers with cable.
• Wireless topology: A wireless network topology shows how the computers connect to each other when
there is no physical connection; the computers communicate using radio frequency signals.

Wired Topology:
Star topology:
• The most common wired topology is the star topology. In a star topology all the computers are connected
with a point-to-point link to a central wiring point such as a hub or a switch, so each computer has a
dedicated connection and performance is good. All data passes through the central device before
continuing to its destination, and the central device is easy to upgrade. If the central device is a hub,
a frame sent by one computer is repeated out to every other port, so every computer on the hub can see
it. If the central device is a switch, the frame is sent only to the port of the destination address, and
several conversations can proceed at the same time. Star topology is mostly used in client/server
networks.
• A configuration that centers around one node to which all others are connected and through which all
messages are sent.

Advantage of the Star topology:


• One of the major benefits of this topology is that if one computer fails, or its cable breaks or is
disconnected, the other computers are not affected, because each computer has its own cable connection.
• It is easy to modify and maintain the network.
• Adding and removing computers can be done without disturbing the network.
• Finding faults is simple.
• A single failure (other than the central device) does not bring down the whole network.
Disadvantage of the Star topology:
• The disadvantage of the star topology is that the whole network depends on the central hub or switch.
When the central device fails, all the computers attached to it lose connectivity; this is called a single
point of failure, and the entire network goes down.
• It requires a large length of cable to connect the computers, which makes it more expensive.

Ring topology:
• In a ring topology each computer is connected to exactly two neighbours, forming a closed loop. There is
no central device; data travels around the ring in one direction, passing through each computer in turn
until it reaches its destination, and each computer regenerates the signal as it forwards it.
• A configuration that connects all nodes in a closed loop on which messages travel in one direction.

Advantage of the ring topology:


 The ring topology is cheap, easy to install and easy to troubleshoot.
 It does not require a central device to control and manage the network.
 Adding a node does not affect the performance of the network as much as on a shared bus, since each
node gets its turn to transmit.

Disadvantage of the ring topology:


 If just one of the computers goes down, or there is a single break in the cable, all data flow around the
ring is disrupted.
 Network activity is disturbed while a node is being added or removed.

BUS topology:
• The bus topology is a very old technology and, like the ring topology, is not used much any more.
• In this setup each computer and network device is connected to a single cable, typically a coaxial cable,
with a terminator at each end of the cable. The terminator absorbs the signal when it reaches the end of
the wire so that it is not reflected back onto the bus.
• Many computers are connected to the one main cable. A signal placed on the cable propagates in both
directions along it and is seen by every device attached to it; adding more computers reduces the share
of the cable each one gets.
• The devices share responsibility for getting data from one point to another.
• Each computer communicates with the other computers on the network independently; this is referred
to as a peer-to-peer network system.
• The computers connect to this cable using BNC connectors, usually through a T-connector.
• Because the cable is a shared medium, every node sees every frame on it, so any node can read traffic
intended for another.
• All nodes are connected to a single communication line that carries messages in both directions.

Advantages of the bus topology:


• The bus topology is fairly cheap and easy to implement.
• It works well for small networks, such as a home network.
• It is easy to expand in a linear way without disturbing the network, but it is slower and dependent on
the main cable.
• It is easy to understand.

Disadvantage of the bus topology:


• For this setup to remain operational there must not be any open connections, including at the ends.
• If a computer is removed or a terminator is loose or missing, the cable is left open and the signal
bounces back from the open end; this is known as signal reflection.
• Data on the cable is corrupted during signal reflection. Only one message can be transmitted on the bus
at a time.
• So a computer wanting to send first listens to see whether the cable is free, and waits until it is; if two
computers transmit at once, their signals collide and both must retransmit.

MESH topology:
• In a mesh topology each computer on the network is connected to every other computer on the network.
The topology has a dedicated channel between every pair of its n devices.
• There are two ways of transferring data. One is routing, in which the computers or hubs already know the
network and have an algorithm that finds the best and shortest way to send data.
• The other method is flooding, in which the data is flooded to all the nodes.
• This topology is robust, fully connected and secure.
• The mesh topology connects all devices (nodes) to each other for redundancy and fault tolerance.
• Having so many connections, it handles failure very well. In this illustration there are 4 computers
with 3 connections on each computer, which makes a total of 12 connections for this network.
• The advantage of the mesh topology is that it creates a high level of redundancy: if one or more
connections fail, the computers are still able to communicate with each other. But because of the amount
of cabling and the number of network cards that have to be used, mesh topologies can be expensive, so
they are rarely used on a local area network (LAN).
• They are mainly used in wide area networks like the Internet. In fact, the Internet is a good example of a
mesh topology, because it is made up of numerous routers all over the world that are connected to each
other to route data to its intended destination.
• So even if a few routers go down, the data is routed along a different path and ultimately reaches its
destination. The Internet is very redundant because it uses a mesh topology.
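The ring, bus, star and mesh descriptions above all come down to one question: which single failures cut the network in two? The Python program below is an added example, not part of these notes. It models each topology as a small graph of constructed nodes (pc0 to pc3, plus a hub for the star) and simulates every single cable failure and every single computer failure. The ring is modelled as one-way links, as the notes describe; bus termination and signal reflection are not modelled, so on the bus only the loss of a middle computer splits the cable. For 4 computers the mesh has 12 directed connections, matching the count in the notes.

```python
"""Which single failures partition a ring, bus, star or mesh network?

Added example: every name here (pc0..pcN, 'hub') is constructed for the
demonstration and is not from the notes.
"""
from collections import deque
from itertools import permutations


def build_topology(kind, n):
    """Return directed edges (a, b) meaning 'a can send directly to b'.

    bus  : one shared cable modelled as segments between consecutive taps,
           usable in both directions; a broken segment splits the cable.
    ring : one-way links, each computer forwards to the next (as the notes say).
    star : every computer has a two-way link to a central hub.
    mesh : every computer has a direct two-way link to every other computer.
    """
    pcs = [f"pc{i}" for i in range(n)]
    if kind == "bus":
        segs = [(pcs[i], pcs[i + 1]) for i in range(n - 1)]
        return {e for a, b in segs for e in ((a, b), (b, a))}
    if kind == "ring":
        return {(pcs[i], pcs[(i + 1) % n]) for i in range(n)}
    if kind == "star":
        return {e for p in pcs for e in (("hub", p), (p, "hub"))}
    if kind == "mesh":
        return set(permutations(pcs, 2))
    raise ValueError(f"unknown topology {kind!r}")


def nodes_of(kind, n):
    """All nodes, including the hub for a star network."""
    return [f"pc{i}" for i in range(n)] + (["hub"] if kind == "star" else [])


def reachable(edges, start):
    """Breadth-first search following directed edges from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        v = queue.popleft()
        for a, b in edges:
            if a == v and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def fully_connected(edges, nodes):
    """True if every node can still send to every other node."""
    want = set(nodes)
    return all(reachable(edges, v) >= want for v in nodes)


def single_failures(kind, n):
    """Simulate each single cable failure and each single computer failure.

    Returns (cables_that_partition, total_cables,
             computers_that_partition, total_computers).
    Bus termination and signal reflection are not modelled, so for the bus
    only losing a middle computer (which splits the cable) counts.
    """
    edges = build_topology(kind, n)
    nodes = nodes_of(kind, n)
    cables = {frozenset(e) for e in edges}      # both directions of a cable fail together
    bad_cables = sum(
        not fully_connected({e for e in edges if frozenset(e) != c}, nodes)
        for c in cables
    )
    pcs = [v for v in nodes if v != "hub"]
    bad_pcs = 0
    for dead in pcs:
        alive = [v for v in nodes if v != dead]
        left = {e for e in edges if dead not in e}
        bad_pcs += not fully_connected(left, alive)
    return bad_cables, len(cables), bad_pcs, len(pcs)


if __name__ == "__main__":
    for kind in ("bus", "ring", "star", "mesh"):
        bc, tc, bp, tp = single_failures(kind, 4)
        print(f"{kind:5s} directed connections={len(build_topology(kind, 4)):2d}  "
              f"cable failures that partition: {bc}/{tc}  "
              f"computer failures that partition: {bp}/{tp}")
```

Running it for four computers shows the trade-off the notes describe: every cable or computer failure breaks the one-way ring, every cable failure isolates a computer in the star, and no single failure partitions the mesh, at the cost of six cables instead of three or four.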

Tree topology:
• In this topology we have a main bus, and hubs to which computers are connected in star formation; this type
of topology is known as a tree topology, as it is a combination of two topologies, bus and star. It is used in
WANs, which means wide area networks.
• Nodes can easily be added, which means a lot of devices and star networks can easily be connected to it.
Maintenance of this topology is easy, but it is also hub dependent, which means that if the main bus fails the
whole network fails.

• If one of the star segments is damaged, it does not affect the rest of the network.

Hybrid topology:
• It consists of a main bus to which the star topology and ring topology are connected through a central hub.
When more than two types of topology are combined, the result is known as a hybrid topology. It is used to
handle larger volumes of traffic.
• In this type of topology, if any of the computers fails it is easily detected and removed. It has improved
network performance, but on the negative side it is very expensive. It requires an MSAU (multi-station
access unit), which is used to bypass faulty devices, and it has a complex design.

Advantages of Hybrid Topology

• This topology is very flexible.
• The size of the network can be easily expanded by adding new devices.

Drawbacks of Hybrid Topology

• It is challenging to design the architecture of a hybrid network.
• Hubs used in this topology are very expensive.
• The infrastructure cost is very high, as a hybrid network requires a lot of cabling and network devices.

Wireless topologies:
Infrastructure topology:
• This topology uses a combination of wired and wireless devices. It is very similar to a star topology with
wired devices: the computers are physically connected to a switch, and a wireless access point is also
connected by cable to the same switch.
• The wireless access point is there so that wireless devices such as laptops, tablets and cell phones can
connect wirelessly to the network.
• The wireless access point therefore acts as a bridge between the wireless network and the wired network.
The infrastructure topology is not limited to a single wireless access point.
• In fact, we can have multiple wireless access points if we want; it just depends on the needs of the network.

Ad hoc topology:
• Ad hoc is a very simple wireless topology. It is simple because it does not rely on any infrastructure such as
cables, routers, servers or wireless access points. All the devices in an ad hoc network connect wirelessly to
the other devices in a simple peer-to-peer network.
• They connect directly to each other without a centralized device such as a Wi-Fi router or access point, and
because they access each other directly, without a server or router in between, each device is responsible
for its own security and permissions.
• Ad hoc networks are useful for setting up a quick wireless network on the fly, where devices can share data
without the need for an existing wireless network.

Wireless mesh topology:

• A wireless mesh topology is similar to a wired mesh topology, where devices are interconnected with each
other, except that they are interconnected wirelessly. For example, suppose we want to deploy multiple
wireless access points throughout a building so that wireless devices in different areas are able to access
the Internet. Normally we would have a modem that brings the Internet into the building, and then a switch
connected to the modem.
• We would then connect each wireless access point to the switch with a cable. Doing this requires extra
cabling, and also the extra time spent running the cable throughout the building, which is more expensive
and more time consuming.
• The wireless mesh topology is similar, but without the cables. In a wireless mesh, each wireless access point
talks to the other wireless access points to create a seamless Internet connection for wireless devices to
connect to. If a laptop wants to access the Internet, it connects to the nearest wireless access point; that
access point relays the connection to the next access point, and then the next one, until it eventually finds
its way back to the modem.
• So no matter which access point we are connected to, we have Internet access, because all the access points
are in constant communication with each other and with the modem. Even if one or more access points were
to fail it would not matter, because the other access points reroute the data.

Network of Networks
Internet
• No single person or company owns the Internet or even controls it entirely.
• As a wide-area network, it is made up of many smaller networks.
• These smaller networks are often owned and managed by a person or organization.
• The Internet is defined by how connections can be made between these networks.
Internet Connection
• Internet backbone
– A set of high-speed networks that carry Internet traffic
– These networks are provided by companies such as AT&T, GTE, and IBM
• Internet service provider (ISP)
– A company that provides other companies or individuals with access to the Internet

There are various technologies available that you can use to connect a home computer to the Internet:
• A phone modem converts computer data into an analog audio signal for transfer over a telephone line, and then
a modem at the destination converts it back again into data
• A digital subscriber line (DSL) uses regular copper phone lines to transfer digital data to and from the phone
company’s central office
• A cable modem uses the same line that your cable TV signals come in on to transfer the data back and forth

OSI Model
• The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to
communicate over a network. It was the first standard model for network communications, adopted by all major
computer and telecommunication companies in the early 1980s.
• The modern Internet is not based on OSI, but on the simpler TCP/IP model. However, the OSI 7-layer model is
still widely used, as it helps visualize and communicate how networks operate, and helps isolate and
troubleshoot networking problems.
• Open Systems Interconnection (OSI).
• Developed by the International Organization for Standardization (ISO).
• Model for understanding and developing computer-to-computer communication architecture that is flexible,
robust and interoperable.
• It is not a protocol.
• Developed in the 1980s.
• Divides network architecture into seven layers.

• Each layer performs a subset of the required communication functions.
• Each layer relies on the next lower layer to perform more primitive functions.
• Each layer provides services to the next higher layer.
• Changes in one layer should not require changes in other layers.
• Layers 1, 2 and 3 are the network support layers; they deal with the physical aspects of moving data from one
device to another.
• Layers 5, 6 and 7 are the user support layers; they allow interoperability among unrelated software.
• Layer 4 ensures that what the lower layers have transmitted is in a form that the upper layers can use.
Protocol Data Unit (PDU):
• At each layer, protocols are used to communicate
• Control information is added to user data at each layer
• For example, the transport layer may fragment user data
• Each fragment has a transport header added
– Destination Address
– Sequence number
– Error detection code
• This creates a transport protocol data unit (TPDU)

1. Physical Layer:
• The physical layer transports data using electrical, mechanical or procedural interfaces. This layer is responsible
for sending bits from one device to another along the network. It determines how physical connections to the
network are set up and how bits are represented as predictable signals as they are transmitted, whether
electrically, optically or via radio waves.
• The main functionality of the physical layer is to transmit the individual bits from one node to another node.
• It is the lowest layer of the OSI model.
• It establishes, maintains and deactivates the physical connection.
• It specifies the mechanical, electrical and procedural network interface specifications.

The Functions of the Physical Layer

• Bit synchronization: The physical layer provides synchronization of the bits by providing a clock. This clock
controls both sender and receiver, thus providing synchronization at the bit level.
• Bit rate control: The physical layer also defines the transmission rate, i.e. the number of bits sent per second.
• Physical topologies: The physical layer specifies how the different devices/nodes are arranged in a network, i.e.
bus, star or mesh topology.
• Transmission mode: The physical layer also defines how data flows between the two connected devices. The
possible transmission modes are simplex, half-duplex and full-duplex.
• Line configuration: It defines the way two or more devices can be connected physically.
• Data transmission: It defines the transmission mode between two devices on the network, whether simplex,
half-duplex or full-duplex.
• Topology: It defines the way network devices are arranged.
• Signals: It determines the type of signal used for transmitting the information.

Physical layer technologies are defined by organizations such as:

• The International Organization for Standardization (ISO)
• The Institute of Electrical and Electronics Engineers (IEEE)
• The American National Standards Institute (ANSI)
• The International Telecommunication Union (ITU)
• The Electronics Industry Alliance/Telecommunications Industry Association (EIA/TIA)
• National telecommunications authorities such as the Federal Communication Commission (FCC) in the USA.

Physical Layer Operations:

• At this stage of the communication process, the user data has been segmented by the Transport layer, placed
into packets by the Network layer, and further encapsulated as frames by the Data Link layer. The purpose of the
Physical layer is to create the electrical, optical, or microwave signal that represents the bits in each frame.
These signals are then sent on the media one at a time. It is also the job of the Physical layer to retrieve these
individual signals from the media, restore them to their bit representations, and pass the bits up to the Data Link
layer as a complete frame.

• The media does not carry the frame as a single entity. The media carries signals, one at a time, to represent the
bits that make up the frame.

There are three basic forms of network media on which data is represented:
– Copper cable
– Fiber
– Wireless

• The representation of the bits - that is, the type of signal - depends on the type of media. For copper cable
media, the signals are patterns of electrical pulses. For fiber, the signals are patterns of light. For wireless media,
the signals are patterns of radio transmissions.
• Note: Hubs, repeaters, modems and cables are Physical Layer devices.

2. Layer 2: Data Link Layer:

• The data link (or protocol) layer handles moving data into and out of a physical link in a network. It handles
problems that occur as a result of bit transmission errors, and it ensures that the pace of the data flow does not
overwhelm the sending and receiving devices. This layer also passes data up to Layer 3, the network layer,
where it is addressed and routed.
• This layer is responsible for the error-free transfer of data frames.
• It defines the format of the data on the network.
• It provides reliable and efficient communication between two or more devices.
• It is mainly responsible for the unique identification of each device that resides on a local network.
• Moving frames from one hop (node) to the next.
• Framing: divides the stream of bits received from the network layer into manageable data units called frames.
• Physical addressing (MAC address).
• Flow control.
• Error control: adds a trailer to the end of the frame.
• Access control.
• Hop-to-hop delivery.

• It contains two sub-layers:

o Logical Link Control Layer
 It is responsible for transferring the packets to the Network layer of the receiving host.
 It identifies the address of the network layer protocol from the header.
 It also provides flow control.
o Media Access Control Layer
 The Media Access Control layer is the link between the Logical Link Control layer and the network's
physical layer.
 It is used for transferring the packets over the network.
Functions of the Data-link layer:
• Framing: The data link layer translates the physical layer's raw bit stream into packets known as frames. The
data link layer adds a header and a trailer to the frame. The header added to the frame contains the hardware
destination and source addresses.
• Physical Addressing: The data link layer adds a header to the frame that contains a destination address. The
frame is transmitted to the destination address given in the header.
• Flow Control: Flow control is the main functionality of the data link layer. It is the technique through which a
constant data rate is maintained on both sides so that no data gets corrupted. It ensures that a transmitting
station with a higher processing speed, such as a server, does not overwhelm a receiving station with a lower
processing speed.
• Error Control: Error control is achieved by adding a calculated value, the CRC (Cyclic Redundancy Check), placed
in the data link layer's trailer, which is added to the message frame before it is sent to the physical layer. If an
error is detected, the receiver sends an acknowledgment requesting retransmission of the corrupted frames.
• Access Control: When two or more devices are connected to the same communication channel, data link layer
protocols are used to determine which device has control over the link at a given time.
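The PDU description earlier (a header added at each layer: destination address, sequence number, error-detection code) and the framing and error-control functions just listed can be seen in one place by building a frame from the top down and unpacking it from the bottom up. The Python below is an added example, not the notes' own code: the header layouts, the 16-bit transport error-detection code, the EtherType value and the sample addresses are constructed for the demonstration and are deliberately simpler than real TCP, IP and Ethernet headers. The CRC-32 trailer is computed with the standard library's zlib.crc32.

```python
"""Layered encapsulation with a CRC trailer, as described for PDUs and the
data link layer above. Added example, not the notes' own code: header
layouts, the transport error-detection code and all addresses are
constructed and simpler than real TCP/IP/Ethernet.
"""
import struct
import zlib
from ipaddress import IPv4Address

TRANSPORT_HDR = struct.Struct("!HHH")  # destination port, sequence number, error-detection code
NETWORK_HDR = struct.Struct("!4s4s")   # source IPv4 address, destination IPv4 address
LINK_HDR = struct.Struct("!6s6sH")     # destination MAC, source MAC, EtherType (0x0800 = IPv4)
LINK_TRAILER = struct.Struct("!I")     # CRC-32 over the link header and everything inside it
OVERHEAD = TRANSPORT_HDR.size + NETWORK_HDR.size + LINK_HDR.size + LINK_TRAILER.size  # 32 bytes


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def transport_code(data):
    """Constructed 16-bit error-detection code for the transport header (not TCP's checksum)."""
    return sum(data) & 0xFFFF


def encapsulate(user_data, dst_port, seq, src_ip, dst_ip, src_mac, dst_mac):
    """Wrap user data the way each layer adds its own header on the way down."""
    # transport layer: header + user data = segment (the TPDU of the notes)
    segment = TRANSPORT_HDR.pack(dst_port, seq, transport_code(user_data)) + user_data
    # network layer: logical (IP) addresses in front of the segment = packet
    packet = NETWORK_HDR.pack(IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + segment
    # data link layer: physical (MAC) addresses in front, CRC trailer behind = frame
    body = LINK_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), 0x0800) + packet
    return body + LINK_TRAILER.pack(zlib.crc32(body))


def decapsulate(frame):
    """Strip the headers on the way up; raise ValueError if the CRC does not match."""
    body, trailer = frame[:-LINK_TRAILER.size], frame[-LINK_TRAILER.size:]
    (crc,) = LINK_TRAILER.unpack(trailer)
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted in transit, retransmission needed")
    dst_mac, src_mac, ethertype = LINK_HDR.unpack_from(body)
    packet = body[LINK_HDR.size:]
    src_ip, dst_ip = NETWORK_HDR.unpack_from(packet)
    segment = packet[NETWORK_HDR.size:]
    dst_port, seq, code = TRANSPORT_HDR.unpack_from(segment)
    data = segment[TRANSPORT_HDR.size:]
    if transport_code(data) != code:
        raise ValueError("transport error-detection code mismatch")
    return {
        "dst_mac": mac_text(dst_mac), "src_mac": mac_text(src_mac), "ethertype": ethertype,
        "src_ip": str(IPv4Address(src_ip)), "dst_ip": str(IPv4Address(dst_ip)),
        "dst_port": dst_port, "seq": seq, "data": data,
    }


def flip_bit(frame, bit_index):
    """Simulate a single transmission error by toggling one bit of the frame."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(damaged)


# constructed sample values (documentation address range, locally administered MACs)
SAMPLE_FRAME = encapsulate(b"hello", dst_port=80, seq=1,
                           src_ip="192.0.2.10", dst_ip="192.0.2.20",
                           src_mac="02:00:00:00:00:0a", dst_mac="02:00:00:00:00:14")
```

Five bytes of user data leave the data link layer as a 37-byte frame: 32 bytes of control information wrapped around the payload, with the receiver checking the trailer first, exactly the order the notes give for the physical and data link layers.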

Note:
– A packet in the Data Link layer is referred to as a frame.
– The Data Link layer is handled by the NIC (Network Interface Card) and the device drivers of host machines.
– Switches and bridges are Data Link Layer devices.

Hop-to-Hop Delivery:
• Hop-to-hop delivery in the Data Link Layer can be the delivery of packets from the host’s network interface card
(NIC) to a router’s interface, from one router’s interface to another router’s interface, or from a router’s
interface to the host’s network interface card (NIC). The layer does not deliver packets directly from source to
destination; it delivers them from one hop (node) to the next.

3. Layer 3: Network Layer:

• The primary function of the network layer is to move data into and through other networks. Network layer
protocols accomplish this by packaging data with the correct network address information, selecting the
appropriate network routes and forwarding the packaged data up the stack to the transport layer. From a
TCP/IP perspective, this is where IP addresses are applied for routing purposes.
• The network layer works for the transmission of data from one host to another located in a different network. It
also takes care of packet routing, i.e. selecting the shortest path on which to transmit the packet from the routes
available. The sender’s and receiver’s IP addresses are placed in the header by the network layer.
• Layer 3 manages device addressing and tracks the location of devices on the network.
• It determines the best path to move data from source to destination based on the network conditions, the
priority of service, and other factors.
• The Data link layer is responsible for routing and forwarding the packets.
• Routers are the layer 3 devices; they are specified in this layer and used to provide routing services within an
internetwork.
• The protocols used to route network traffic are known as network layer protocols. Examples are IP and IPv6.
• The delivery of individual packets from the original source to the final destination.
• Logical addressing: if a packet crosses a network boundary, another addressing system is needed to support the
source-to-destination connection.
• Routing: route or switch the packet to its final destination.
• Source-to-destination delivery (end-to-end).

Functions of Network Layer:

• Subnet Traffic Control: Routers (network layer intermediate systems) can instruct a sending station to “throttle
back” its frame transmission when the router’s buffer fills up.
• Logical-Physical Address Mapping: translates logical addresses, or names, into physical addresses.
• Subnet Usage Accounting: has accounting functions to keep track of frames forwarded by subnet intermediate
systems, to produce billing information.
• In the network layer and the layers below, peer protocols exist between a node and its immediate neighbor, but
the neighbor may be a node through which data is routed, not the destination station. The source and
destination stations may be separated by many intermediate systems.
• Internetworking: One of the main responsibilities of the network layer is to provide internetworking between
different networks. It provides a logical connection between different types of network. It is because of this
layer that we can combine various different networks to form a bigger network.
• Logical Addressing: A large number of different networks can be combined to form bigger networks, or
internetworks. In order to identify each device on an internetwork uniquely, the network layer defines an
addressing scheme. Such an address distinguishes each device uniquely and universally.
• Routing: When independent networks or links are combined to create internetworks, multiple routes are
possible from the source machine to the destination machine. The network layer protocols determine which
route or path is best from source to destination. This function of the network layer is known as routing.
• Routes frames among networks.
• Packetizing: The network layer receives data from the upper layers and creates its own packets by encapsulating
that data. The process is known as packetizing. This packetizing is done by the Internet Protocol (IP), which
defines its own packet format.
• Fragmentation: Fragmentation means dividing larger packets into small fragments. The maximum size of a
transportable packet is defined by the physical layer protocol. The network layer therefore divides large packets
into fragments so that they can be sent easily on the physical medium.
• If it determines that a downstream router’s maximum transmission unit (MTU) size is less than the frame size, a
router can fragment a frame for transmission and re-assembly at the destination station.
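The fragmentation and MTU bullets above describe splitting at a router and reassembly at the destination. The Python below is an added worked example, not from the notes. It follows IPv4's conventions of a 20-byte header on every fragment and fragment offsets counted in 8-byte units; the Fragment class, the identification value 7, the MTU of 576 and the 2048-byte payload are constructed for the demonstration. The reassembler accepts fragments in any order, reports when pieces are still missing, and rejects fragments that overlap or that claim to be final while more data follows, which is the check a receiver needs before trusting a rebuilt packet.

```python
"""Fragmentation by MTU and reassembly at the destination, as described for the
network layer above. Added example, not the notes' own code: the 20-byte header
size and 8-byte offset unit follow IPv4, everything else is constructed.
"""
from dataclasses import dataclass

IP_HEADER_LEN = 20   # bytes of network-layer header carried by every fragment


@dataclass(frozen=True)
class Fragment:
    ident: int       # identification: the same for every piece of one datagram
    offset: int      # position of this piece in the original payload, in 8-byte units
    more: bool       # "more fragments" flag: False only on the last piece
    data: bytes


def fragment(payload, ident, mtu):
    """Split a payload so that each fragment plus its header fits the link's MTU."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8   # every piece but the last is a multiple of 8
    if max_data <= 0:
        raise ValueError(f"MTU {mtu} too small to carry any payload")
    pieces, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        pieces.append(Fragment(ident, pos // 8, pos + len(chunk) < len(payload), chunk))
        pos += len(chunk)
    return pieces


def reassemble(fragments):
    """Rebuild the payload from fragments that may arrive in any order.

    Returns the payload once every piece is present, None while pieces are
    still missing, and raises ValueError for fragments that overlap or that
    disagree about where the datagram ends.
    """
    if not fragments:
        return None
    ident = fragments[0].ident
    if any(f.ident != ident for f in fragments):
        raise ValueError("fragments belong to different datagrams")
    # identical retransmitted copies collapse in the set; anything else that
    # lands on already-filled bytes is an overlap and is rejected below
    ordered = sorted(set(fragments), key=lambda f: f.offset)
    out = bytearray()
    expected = 0                      # next byte offset we still need
    for i, f in enumerate(ordered):
        start = f.offset * 8
        if start < expected:
            raise ValueError("overlapping fragments")
        if start > expected:
            return None               # a hole: a piece has not arrived yet
        if not f.more and i != len(ordered) - 1:
            raise ValueError("data after the final fragment")
        out += f.data
        expected = start + len(f.data)
    return bytes(out) if not ordered[-1].more else None


if __name__ == "__main__":
    sample = bytes(range(256)) * 8                     # constructed 2048-byte payload
    pieces = fragment(sample, ident=7, mtu=576)
    for p in pieces:
        print(f"id={p.ident} offset={p.offset:3d} (byte {p.offset * 8:4d}) "
              f"more={p.more!s:5} len={len(p.data)}")
    print("reassembled OK:", reassemble(list(reversed(pieces))) == sample)
```

With an MTU of 576 each fragment can carry 552 bytes of payload, so 2048 bytes become four fragments at offsets 0, 69, 138 and 207 (in 8-byte units), the last one 392 bytes long with the more-fragments flag cleared.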

Source-to-Destination Delivery by Network Layer

• If two systems are connected to the same link, there is no need for a network layer. If two systems are
attached to different networks with connecting devices such as routers between the networks, then there is a
need for the network layer.
• It also translates the logical address into the physical address, e.g. a computer name into a MAC address. It is
also responsible for defining the route and for managing network problems and addressing. The network layer
controls the operation of the subnet, deciding which physical path the data should take based on network
conditions, priority of service, and other factors. The X.25 protocols work at the physical, data link, and network
layers.
• The network layer lies between the data link layer and the transport layer. It takes services from the data link
layer and provides services to the transport layer.

4. Layer 4: Transport Layer:
• The transport layer provides services to the application layer and takes services from the network layer. The data
in the transport layer is referred to as segments. It is responsible for the end-to-end delivery of the complete
message. The transport layer also provides acknowledgment of successful data transmission and retransmits the
data if an error is found.
• At the sender’s side: The transport layer receives the formatted data from the upper layers, performs
segmentation, and also implements flow and error control to ensure proper data transmission. It also adds source
and destination port numbers to its header and forwards the segmented data to the network layer.

Note: The sender needs to know the port number associated with the receiver’s application.

• Generally, this destination port number is configured, either by default or manually. For example, when a web
application makes a request to a web server, it typically uses port number 80, because this is the default port
assigned to web applications. Many applications have default ports assigned.
• At the receiver’s side: The transport layer reads the port number from its header and forwards the data it has
received to the respective application. It also performs sequencing and reassembly of the segmented data.
• The transport layer (Layer 4) ensures that messages are transmitted in the order in which they are sent and that
there is no duplication of data.
• The main responsibility of the transport layer is to transfer the data completely.
• It receives the data from the upper layer and converts it into smaller units known as segments.
• This layer can be termed an end-to-end layer, as it provides a point-to-point connection between source and
destination to deliver the data reliably.

The two protocols used in this layer are:

Transmission Control Protocol/ Connection-Oriented Service:
• It is a standard protocol that allows systems to communicate over the internet.
• It establishes and maintains a connection between hosts.
• When data is sent over a TCP connection, the TCP protocol divides the data into smaller units known as
segments. The segments may travel over the internet along different routes and arrive in a different order
at the destination. The transmission control protocol reorders the packets into the correct order at the
receiving end.
• In this type of transmission, the receiving device sends an acknowledgment back to the source after a
packet or group of packets is received. This type of transmission is reliable and secure.

User Datagram Protocol/ Connectionless service:

• User Datagram Protocol is a transport layer protocol.
• It is an unreliable transport protocol: the receiver does not send any acknowledgment when a packet is
received, and the sender does not wait for any acknowledgment. This is what makes the protocol
unreliable.

Functions of Transport Layer:

• Service-point addressing: Computers run several programs simultaneously; for this reason, data is transmitted
from source to destination not only from one computer to another but from one process to another. The
transport layer adds a header that contains an address known as the service-point address or port address. The
responsibility of the network layer is to transmit the data from one computer to another; the responsibility of
the transport layer is to deliver the message to the correct process.
• Segmentation and reassembly: When the transport layer receives a message from the upper layer, it divides the
message into multiple segments, and each segment is assigned a sequence number that uniquely identifies it.
When the message has arrived at the destination, the transport layer reassembles it based on the sequence
numbers.
• Connection control: The transport layer provides two services, connection-oriented service and connectionless
service. A connectionless service treats each segment as an individual packet, and the packets may all travel by
different routes to reach the destination. A connection-oriented service makes a connection with the transport
layer at the destination machine before delivering the packets. In connection-oriented service, all the packets
travel along a single route.
• Flow control: The transport layer is also responsible for flow control, but it is performed end-to-end rather than
across a single link.
• Error control: The transport layer is also responsible for error control. Error control is performed end-to-end
rather than across a single link. The sender’s transport layer ensures that the message reaches the destination
without any error.
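Segmentation with sequence numbers, in-order reassembly, acknowledgments, retransmission and the "no duplication of data" guarantee described above can all be seen in a short simulation. The Python below is an added example, not the notes' own code: it is a simplified TCP-style byte-sequenced stream with cumulative acknowledgments and go-back-N retransmission, and the 43-byte message, the 8-byte segment size and the pattern of losses in the constructed channel are all made up for the demonstration.

```python
"""Segmentation, sequence numbers, acknowledgments and retransmission, as
described for the transport layer above. Added example, not the notes' own
code: the message, segment size and loss pattern are constructed; the
mechanism is a simplified TCP-style stream with cumulative ACKs.
"""


def segment(message, mss):
    """Split a message into (sequence_number, data) pieces of at most mss bytes.

    The sequence number is the byte offset of the piece in the message, so the
    receiver can put pieces back in order however they arrive.
    """
    return [(pos, message[pos:pos + mss]) for pos in range(0, len(message), mss)]


class Receiver:
    """Reassembles in order, buffers what arrives early, drops what it already has."""

    def __init__(self):
        self.next_seq = 0        # first byte not yet delivered to the application
        self.early = {}          # out-of-order pieces waiting for the gap to close
        self.delivered = bytearray()
        self.duplicates = 0

    def receive(self, seq, data):
        """Accept one segment and return the cumulative ACK (next byte expected)."""
        if seq < self.next_seq:
            self.duplicates += 1            # already delivered: discard, no duplication
        elif seq == self.next_seq:
            self.delivered += data
            self.next_seq += len(data)
            while self.next_seq in self.early:   # the gap closed: drain the buffer
                piece = self.early.pop(self.next_seq)
                self.delivered += piece
                self.next_seq += len(piece)
        else:
            self.early[seq] = data           # arrived before its predecessor
        return self.next_seq


def transmit(message, mss, lost_on_first_try):
    """Send `message` over a constructed channel.

    Round 1 delivers the segments in reverse order and drops those whose
    sequence number is in `lost_on_first_try`; later rounds deliver in order.
    After each round the sender resends everything from the cumulative ACK
    onward (go-back-N) until the whole message is acknowledged.
    """
    segments = segment(message, mss)
    rx = Receiver()
    attempts, rounds = 0, 0
    unacked = segments
    while rx.next_seq < len(message):
        rounds += 1
        order = reversed(unacked) if rounds == 1 else unacked
        for seq, data in order:
            attempts += 1
            if rounds == 1 and seq in lost_on_first_try:
                continue                     # segment lost in the network
            rx.receive(seq, data)
        unacked = [(s, d) for s, d in segments if s >= rx.next_seq]
    return {
        "message": bytes(rx.delivered),
        "rounds": rounds,
        "attempts": attempts,
        "duplicates": rx.duplicates,
    }


SAMPLE = b"THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"   # constructed, 43 bytes

if __name__ == "__main__":
    print(transmit(SAMPLE, 8, lost_on_first_try={16}))
```

With segment 16 lost on the first round, the receiver holds segments 24, 32 and 40 in its buffer and acknowledges only byte 16; the second round resends four segments, the gap closes and the buffered pieces are delivered in one go, while the three resent copies that follow are discarded as duplicates. The application receives the original 43 bytes exactly once.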

Process-to-process delivery:
• The data link layer is responsible for the delivery of frames between two neighboring nodes over a link. This is
called node-to-node delivery. The network layer is responsible for the delivery of datagrams between two hosts.
• This is called host-to-host delivery. Real communication takes place between two processes (application
programs), so we need process-to-process delivery.
• The transport layer is responsible for process-to-process delivery: the delivery of a packet, part of a message,
from one process to another.

5. Layer 5: Session Layer:
• This layer is responsible for establishing connections, maintaining sessions, and authentication, and it also
ensures security.
• The session layer sets up, coordinates and terminates conversations between applications. Its services include
authentication and reconnection after an interruption. This layer determines how long a system will wait for
another application to respond. Examples of session layer protocols include X.225 and Zone Information Protocol
(ZIP).

Functions of Session layer:

• Session establishment, maintenance, and termination: The layer allows two processes to establish, use and
terminate a connection.
• Synchronization: This layer allows a process to add checkpoints, considered synchronization points, to the data.
These synchronization points help to identify errors so that the data is re-synchronized properly, the ends of
messages are not cut off prematurely, and data loss is avoided.
• Dialog Controller: The session layer allows two systems to start communicating with each other in half-duplex or
full-duplex mode.

Note:
 The three layers from the Session Layer upward are integrated as a single layer in the TCP/IP model, the
“Application Layer”.
 These three layers are implemented by the network application itself. They are also known as the Upper
Layers or Software Layers.

6. Layer 6: Presentation Layer:
• The presentation layer is also called the translation layer. The data from the application layer is extracted here
and manipulated into the format required for transmission over the network.
• The presentation layer translates or formats data for the application layer based on the semantics or syntax the
application accepts. This layer also handles the encryption and decryption that the application layer requires.
• The presentation layer is mainly concerned with the syntax and semantics of the information exchanged between
the two systems.
• It acts as a data translator for the network.
• This layer is a part of the operating system that converts data from one presentation format to another.
• The presentation layer is also known as the syntax layer.

Functions of Presentation layer:

• Translation: The processes in two systems exchange information in the form of character strings, numbers and
so on. Different computers use different encoding methods; the presentation layer handles interoperability
between the different encoding methods. It converts the data from the sender-dependent format into a common
format, and changes the common format into the receiver-dependent format at the receiving end.
• Encryption: Encryption is needed to maintain privacy. Encryption is the process of converting the sender’s
information into another form and sending the resulting message over the network.
• Compression: Data compression reduces the number of bits to be transmitted. It is very important for
multimedia such as text, audio and video.

7. Layer 7: Application Layer:

• At the very top of the OSI Reference Model stack we find the Application layer, which is implemented by the
network applications. These applications produce the data that has to be transferred over the network. This
layer also serves as a window for the application services to access the network and for displaying the received
information to the user.
• The application layer serves as a window for users and application processes to access network services.
• It handles issues such as network transparency, resource allocation, etc.
• The application layer is not an application, but it performs the application layer functions.
• This layer provides the network services to the end users.
• Example: Applications – browsers, Outlook, Skype Messenger, etc.
• Note: The Application Layer is also called the Desktop Layer.

TCP/IP Layer:
 TCP/IP stands for Transmission Control Protocol/Internet Protocol. It has 4 layers, named the Physical layer,
Network layer, Transport layer, and Application layer. It can also be used as the communications protocol in a
private computer network. It was designed by Vint Cerf and Bob Kahn in the 1970s.

Advantages
 Many routing protocols are supported.
 It is highly scalable and uses a client-server architecture.
 It is lightweight.
Disadvantages
 It is a little difficult to set up.
 The transport layer does not guarantee delivery of packets.
 Vulnerable to a synchronization attack.

TCP (Transmission Control Protocol):

 TCP: Applications can interact with one another using TCP as though they were physically connected by a circuit.
TCP transmits data in a way that resembles character-by-character transmission rather than separate packets. This
transmission is made up of a starting point that establishes the connection, the whole transmission in byte order,
and an ending point that closes the connection.
UDP (User Datagram Protocol):
 User Datagram Protocol (UDP) is a transport layer protocol. UDP is a part of the Internet Protocol suite, referred
to as the UDP/IP suite. Unlike TCP, it is an unreliable and connectionless protocol, so there is no need to establish
a connection prior to data transfer. UDP helps to establish low-latency and loss-tolerating connections over the
network. UDP enables process-to-process communication.
 Although Transmission Control Protocol (TCP) is the dominant transport layer protocol used with most Internet
services, and provides assured delivery, reliability, and much more, all these services cost additional overhead
and latency. This is where UDP comes into the picture. For real-time services like computer gaming, voice or
video communication and live conferences, we need UDP. Since high performance is needed, UDP permits packets
to be dropped instead of processing delayed packets. There is no error checking in UDP, so it also saves
bandwidth.
 User Datagram Protocol (UDP) is more efficient in terms of both latency and bandwidth.

UDP Header:
 The UDP header is a fixed, simple 8-byte header, whereas the TCP header varies from 20 bytes to 60 bytes. The first 8
bytes contain all the necessary header information and the remaining part consists of data. The UDP port number fields
are each 16 bits long, so the port number range is 0 to 65535; port number 0 is reserved. Port numbers help to
distinguish different user requests or processes.

1. Source Port: Source Port is a 2-byte field used to identify the port number of the source.
2. Destination Port: It is a 2-byte field used to identify the port on the destination.
3. Length: Length is the length of the UDP datagram including the header and the data. It is a 16-bit field.
4. Checksum: Checksum is a 2-byte field. It is the 16-bit one's complement of the one's
complement sum of the UDP header, the pseudo-header of information from the IP header, and the
data, padded with zero octets at the end (if necessary) to make a multiple of two octets.
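As an added worked example (not part of the original notes), the following Python builds and parses a UDP datagram with exactly the four fields described above, including the one's-complement checksum computed over the IPv4 pseudo-header. The addresses, ports and payload are constructed sample values; the parser also shows the two checks a receiver must make, namely that the Length field fits inside the bytes actually received and that the checksum verifies (or was deliberately left at zero).

```python
import socket
import struct

UDP_PROTO = 17  # IP protocol number for UDP, used in the pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (padded with a zero octet if the length is odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """Fields borrowed from the IP header: source, destination, zero, protocol, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header (checksum field zeroed) + data."""
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) & 0xFFFF
    return csum or 0xFFFF  # RFC 768: a computed zero is sent as all ones, since zero means "no checksum"


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Return the 8-byte header (source port, dest port, length, checksum) followed by the payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Split a segment into its fields and verify the checksum (None when the sender omitted it)."""
    if len(segment) < 8:
        raise ValueError("segment shorter than the 8-byte UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError(f"bad length field {length} for {len(segment)} received bytes")
    if csum == 0:
        valid = None
    else:
        # Summing pseudo-header plus the whole datagram, checksum included, gives 0xFFFF when intact.
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment[:length])
        valid = total == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "checksum_valid": valid, "payload": segment[8:length]}


if __name__ == "__main__":
    # Constructed sample datagram between two private addresses.
    seg = build_udp("10.0.0.1", "10.0.0.2", 12345, 53, b"hello")
    print(seg.hex())
    print(parse_udp("10.0.0.1", "10.0.0.2", seg))
    corrupted = seg[:-1] + bytes([seg[-1] ^ 0x01])  # flip one payload bit
    print(parse_udp("10.0.0.1", "10.0.0.2", corrupted)["checksum_valid"])
```

Because the pseudo-header is part of the sum, a datagram that arrives with a different IP source or destination than the sender used also fails verification, which is the point of including those IP fields in a transport-layer checksum.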

Applications of UDP:
 Used for simple request-response communication when the size of data is less and hence there is
lesser concern about flow and error control.
 It is a suitable protocol for multicasting as UDP supports packet switching.
 UDP is used for some routing update protocols like RIP (Routing Information Protocol).
 Normally used for real-time applications which cannot tolerate uneven delays between sections of a
received message.
 UDP is widely used in online gaming, where low latency and high-speed communication is essential
for a good gaming experience. Game servers often send small, frequent packets of data to clients,
and UDP is well suited for this type of communication as it is fast and lightweight.
 Streaming media applications, such as IPTV, online radio, and video conferencing, use UDP to
transmit real-time audio and video data. The loss of some packets can be tolerated in these
applications, as the data is continuously flowing and does not require retransmission.
 VoIP (Voice over Internet Protocol) services, such as Skype and WhatsApp, use UDP for real-time
voice communication. The delay in voice communication can be noticeable if packets are delayed due
to congestion control, so UDP is used to ensure fast and efficient data transmission.
 DNS (Domain Name System) also uses UDP for its query/response messages. DNS queries are
typically small and require a quick response time, making UDP a suitable protocol for this application.
 DHCP (Dynamic Host Configuration Protocol) uses UDP to dynamically assign IP addresses to
devices on a network. DHCP messages are typically small, and the delay caused by packet loss or
retransmission is generally not critical for this application.

The following implementations use UDP as their transport layer protocol:


 NTP (Network Time Protocol)
 DNS (Domain Name Service)
 BOOTP, DHCP.
 NNP (Network News Protocol)
 Quote of the day protocol
 TFTP, RTSP, RIP.
 The application layer can do some of its tasks through UDP:
 Trace Route
 Record Route
 Timestamp
 UDP takes a datagram from the Network Layer, attaches its header, and sends it to the user, so it works
fast.
 Actually, UDP is a null protocol if you remove the checksum field.
 It reduces the requirement for computer resources.
 It is used when transferring by multicast or broadcast.
 It is used for the transmission of real-time packets, mainly in multimedia applications.

Advantages of UDP:
1. Speed: UDP is faster than TCP because it does not have the overhead of establishing
a connection and ensuring reliable data delivery.
2. Lower latency: Since there is no connection establishment, there is lower latency and
faster response time.
3. Simplicity: UDP has a simpler protocol design than TCP, making it easier to
implement and manage.
4. Broadcast support: UDP supports broadcasting to multiple recipients, making it useful
for applications such as video streaming and online gaming.
5. Smaller packet size: UDP uses smaller packet sizes than TCP, which can reduce
network congestion and improve overall network performance.
Disadvantages of UDP:
1) No reliability: UDP does not guarantee delivery of packets or order of delivery, which
can lead to missing or duplicate data.
2) No congestion control: UDP does not have congestion control, which means that it
can send packets at a rate that can cause network congestion.
3) No flow control: UDP does not have flow control, which means that it can overwhelm
the receiver with packets that it cannot handle.
4) Vulnerable to attacks: UDP is vulnerable to denial-of-service attacks, where an
attacker can flood a network with UDP packets, overwhelming the network and
causing it to crash.
5) Limited use cases: UDP is not suitable for applications that require reliable data
delivery, such as email or file transfers, and is better suited for applications that can
tolerate some data loss, such as video streaming or online gaming.
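The fourth disadvantage above, a UDP flood, is something a defender usually spots from traffic logs rather than from the protocol itself. As an added example (not from the notes), the Python below runs a simple per-source, per-second rate check over constructed firewall-style log lines: it ignores non-UDP lines, skips malformed lines instead of crashing, and reports sources that exceed a packet or byte rate, together with how many distinct destination ports they hit, since a spray across many ports is typical of a volumetric flood rather than one busy legitimate flow. The log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (not taken from any real device): two normal UDP packets and one TCP
# packet from 198.51.100.7, a malformed line, then a 25-packet burst from 203.0.113.5.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 proto=udp src=198.51.100.7 dst=192.0.2.10 dport=53 len=72",
    "2024-05-01T10:00:01 proto=udp src=198.51.100.7 dst=192.0.2.10 dport=123 len=76",
    "2024-05-01T10:00:01 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=443 len=60",
    "this line is malformed and must be skipped rather than crash the detector",
] + [
    f"2024-05-01T10:00:02 proto=udp src=203.0.113.5 dst=192.0.2.10 dport={1024 + i} len=1400"
    for i in range(25)
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["len"] = int(rec["len"])
    return rec


def udp_flood_alerts(lines, max_pps: int = 20, max_bps: int = 1_000_000):
    """Flag sources whose UDP traffic exceeds a packet or byte rate within any one-second bucket.

    Returns a sorted list of (src, second, packets, bytes, distinct_dports) tuples.
    """
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp":
            continue
        bucket = buckets[(rec["src"], rec["ts"])]  # timestamps are already at one-second granularity
        bucket["packets"] += 1
        bucket["bytes"] += rec["len"]
        bucket["dports"].add(rec["dport"])
    alerts = []
    for (src, second), b in buckets.items():
        if b["packets"] > max_pps or b["bytes"] > max_bps:
            alerts.append((src, second, b["packets"], b["bytes"], len(b["dports"])))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in udp_flood_alerts(SAMPLE_LOG):
        print("possible UDP flood:", alert)
```

The thresholds must be tuned to the link: a media server legitimately sends far more than 20 UDP packets per second, but it does so to a fixed destination port, which is why the distinct-port count is reported alongside the rate.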

Difference between OSI Model and TCP/IP Model

OSI: OSI represents Open System Interconnection.
TCP/IP: TCP/IP represents the Transmission Control Protocol / Internet Protocol.

OSI: OSI is a generic, protocol-independent standard. It acts as an interaction gateway between the network and
the end user.
TCP/IP: The TCP/IP model depends on the standard protocols around which the computer network was created. A
connection protocol assigns the network of hosts over the internet.

OSI: The OSI model was developed first, and then protocols were created to fit the network architecture's needs.
TCP/IP: The protocols were created first, and then the TCP/IP model was built around them.

OSI: It provides quality services.
TCP/IP: It does not provide quality services.

OSI: The OSI model defines administration, interfaces and conventions, and describes clearly which layer provides
which services.
TCP/IP: It does not mention the services, interfaces, and protocols.

OSI: The protocols of the OSI model are better hidden and can be replaced with another appropriate protocol
quickly.
TCP/IP: The TCP/IP model protocols are not hidden, and we cannot fit a new protocol stack into it.

OSI: It is difficult compared to TCP/IP.
TCP/IP: It is simpler than OSI.

OSI: It provides both connection-oriented and connectionless transmission in the network layer; however, only
connection-oriented transmission in the transport layer.
TCP/IP: It provides connectionless transmission in the network layer and supports both connection-oriented and
connectionless transmission in the transport layer.

OSI: It uses a vertical approach.
TCP/IP: It uses a horizontal approach.

OSI: The smallest size of the OSI header is 5 bytes.
TCP/IP: The smallest size of the TCP/IP header is 20 bytes.

OSI: Protocols are hidden in the OSI model and are replaced as the technology changes.
TCP/IP: In TCP/IP, replacing a protocol is not difficult.

Devices:
1. Hub: a distributor with many ports to which computers are connected.
2. Switch: like a hub, but it forwards packets only to their destination port.
3. Bridge: used to connect two similar LANs.
4. Router: A router is a device that connects two or more packet-switched networks or subnetworks. It serves two
primary functions: managing traffic between these networks by forwarding data packets to their intended IP
addresses, and allowing multiple devices to use the same Internet connection. It chooses the best path to
transmit the packet.
5. Gateway: used to connect two different LANs and to connect different application protocols.
6. Repeater: repeats (regenerates) signals that travel over long distances.

IP v4 (Internet Protocol version 4):


 IP stands for Internet Protocol and v4 stands for Version Four (IPv4). IPv4 was the primary version brought into
production within the ARPANET in 1983.
 IP version four addresses are 32-bit integers, which are usually expressed in dotted decimal notation.
 Example: 192.0.2.126 is an IPv4 address.
 It has about 4.3 billion possible addresses.

Parts of IPv4:
 Network part:
The network part is the unique number that is assigned to the network. The network part also
identifies the class of the network that is assigned.
 Host Part:
The host part uniquely identifies the machine on your network. This part of the IPv4 address is assigned to
every host.
For every host on the network, the network part is the same, but the host part must differ.
 Subnet number:
This is the optional part of IPv4. Local networks that have large numbers of hosts are divided into
subnets, and subnet numbers are assigned to them.
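As an added example (not from the notes), the Python below separates the three parts just described with plain bit arithmetic: the classful class from the first octet, the network and host parts from a prefix length (which is what VLSM and CIDR use instead of the class), and the subnet numbers obtained by borrowing host bits. It generalizes the notes' single example to any prefix, handles the /31 and /32 special cases, and cross-checks its own answers against Python's standard `ipaddress` module. The address used is a constructed documentation address.

```python
import ipaddress  # used only to cross-check the hand-rolled arithmetic


def ip_to_int(addr: str) -> int:
    """Dotted-decimal string to a 32-bit integer, validating each octet."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        value = (value << 8) | int(p)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_class(addr: str):
    """Return (class letter, default prefix length) from the leading bits of the first octet."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    if first < 240:
        return "D", None  # multicast: no network/host split
    return "E", None      # reserved


def split_address(addr: str, prefix: int) -> dict:
    """Separate the network part from the host part using a prefix length (CIDR / VLSM)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    ip = ip_to_int(addr)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip & mask
    host_bits = 32 - prefix
    # /31 and /32 have no reserved network/broadcast addresses (RFC 3021), so every address is usable.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(network | (~mask & 0xFFFFFFFF)),
        "host_id": ip & ~mask & 0xFFFFFFFF,  # the host part as a number
        "usable_hosts": usable,
    }


def subnets(addr: str, prefix: int, new_prefix: int) -> list:
    """List the subnets obtained by borrowing host bits (new_prefix > prefix), e.g. one /24 into four /26s."""
    if new_prefix < prefix or new_prefix > 32:
        raise ValueError("new prefix must be between the old prefix and 32")
    base = ip_to_int(split_address(addr, prefix)["network"])
    step = 2 ** (32 - new_prefix)
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(2 ** (new_prefix - prefix))]


def cross_check(addr: str, prefix: int) -> bool:
    """Confirm the hand-rolled split agrees with the standard library."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    mine = split_address(addr, prefix)
    return (mine["network"] == str(net.network_address)
            and mine["broadcast"] == str(net.broadcast_address)
            and mine["netmask"] == str(net.netmask))


if __name__ == "__main__":
    # Constructed example using a documentation address (RFC 5737).
    print(classful_class("192.0.2.126"), split_address("192.0.2.126", 24))
    print(subnets("192.0.2.0", 24, 26), cross_check("192.0.2.126", 24))
```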

Characteristics of IPv4:
 IPv4 is a 32-bit IP address.
 IPv4 is a numeric address whose four octets are separated by dots.
 The number of header fields is twelve and the minimum length of the header is twenty bytes.
 It has unicast, broadcast, and multicast styles of addresses.
 IPv4 supports VLSM (Variable Length Subnet Mask).
 IPv4 uses the Address Resolution Protocol (ARP) to map an IP address to a MAC address.
 RIP is a routing protocol supported by the routed daemon.
 Networks must be configured either manually or with DHCP.
 Packet fragmentation is permitted at routers and at the sending host.

Advantages of IPv4
 IPv4 security permits encryption to maintain privacy and security.
 IPv4 network allocation is significant and presently has more than 85000 functional routers.
 It becomes easy to attach multiple devices across a large network without NAT.
 It is a communication model and so provides quality of service as well as economical data transfer.
 IPv4 addresses are redefined and permit flawless encoding.
 Routing is more scalable and economical because addressing is aggregated more effectively.
 Data communication across the network becomes more specific in multicast organizations.
Disadvantages of IPv4
 Limits Internet growth for existing users and hinders use of the Internet for new users.
 Internet routing is inefficient in IPv4.
 IPv4 has high system management costs and is labor-intensive, complex, slow and prone to
errors.
 Security features are optional.
 It is difficult to add support for future needs because doing so carries very high overhead, which
hinders the ability to connect everything over IP.

Limitations of IPv4
 IP relies on network layer addresses to identify end-points on the network, and each network has a unique IP
address.
 The world's supply of unique IP addresses is dwindling, and in theory they might eventually run out.
 If there are many hosts, we need IP addresses of the next class.
 Complex host and routing configuration, non-hierarchical addressing, difficulty in renumbering addresses,
large routing tables, and non-trivial implementations for security, QoS (Quality of Service), mobility,
multi-homing, multicasting, etc. are the big limitations of IPv4, which is why IPv6 came into the picture.

IP v6 (Internet Protocol Version 6):


 IPv6 or Internet Protocol Version 6 is a network layer protocol that allows communication to take place over
the network. IPv6 was designed by the Internet Engineering Task Force (IETF) in December 1998 with the purpose
of superseding IPv4 because of the exponential global growth in Internet users.
 An IPv4 address consists of four numbers, each of which contains one to three digits, with a single dot (.)
separating each number or set of digits. Each of the four numbers can range from 0 to 255. This group of
separated numbers creates the addresses that let you and everyone around the globe send and retrieve
data over our Internet connections. IPv4 uses a 32-bit address scheme, allowing 2^32 addresses, which is
more than 4 billion addresses. To date, it is considered the primary Internet Protocol and carries 94% of
Internet traffic. Initially, it was assumed it would never run out of addresses, but the present situation paves
a new way to IPv6; let's see why. An IPv6 address consists of eight groups of four hexadecimal digits. Here is
an example of each:
 IPv4: 25.59.209.224
 IPv6: 3001:0da8:75a3:0000:0000:8a2e:0370:7334
 This new IP address version is being deployed to fulfil the need for more Internet addresses. It was aimed at
resolving issues associated with IPv4. With a 128-bit address space, it allows 340 undecillion unique
addresses. IPv6 is also called IPng (Internet Protocol next generation).

Note: IPv6 supports a theoretical maximum of 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
To keep it straightforward, we will never run out of IP addresses again.

Advantages of IPv6
 Reliability
 Faster Speeds: IPv6 supports multicast rather than the broadcast used in IPv4. This feature allows bandwidth-intensive
packet flows (like multimedia streams) to be sent to multiple destinations all at once.
 Stronger Security: IP Security (IPsec), which provides confidentiality and data integrity, is embedded into IPv6.
 Routing efficiency
 Most importantly, it is the final solution for the growing number of nodes in the global network.

Disadvantages of IPv6
 Conversion: Due to widespread present usage of IPv4 it will take a long period to completely shift to IPv6.
 Communication: IPv4 and IPv6 machines cannot communicate directly with each other. They need an
intermediate technology to make that possible.

How to assign an IP Address to yourself.


Open Control Panel:

Open Network & Internet Settings:


Open Network & Sharing Center:

Open Change Adapter settings:

Right click on the connected Network/Wi-Fi and open Properties


Double click on Internet Protocol Version 4

Open Command Prompt, check your current IP with the ipconfig command, and then check whether the IP you
want to use already exists on the network with the ping command, e.g.:

ping 192.168.27.100


If that address replies, it is already in use and you should pick another. The first three octets are the network ID
and the 4th octet is the host ID.
Enter a publicly available DNS server (e.g. Google's) and press Enter. The IP is now assigned.

What is DNS (Domain Name System)?


 DNS is a hierarchical and decentralized naming system for computers and other resources that are connected to
a private network or the Internet. It associates various pieces of data with the domain names assigned to each of the
participants.
 DNS translates domain names into numerical IP addresses, which are needed to locate and identify computer
services and devices using the underlying network protocols. It converts and maps alphabetic domain names
(website addresses or names) to numeric Internet Protocol (IP) addresses of computers and servers. It can also
reverse the process. DNS uses the User Datagram Protocol (UDP), and the DNS service uses port 53.
 DNS has been a crucial component of the Internet's operation since 1985, offering a global, distributed domain
name system.
 By designating authoritative name servers for each domain, the Domain Name System delegates the responsibility
for assigning domain names and mapping those names to Internet resources. Other name servers may be
given authority over sub-domains of a network administrator's allotted name space. This technique was created
to eliminate a single big central database and delivers a distributed and fault-tolerant service.
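The query/response exchange that DNS carries over UDP port 53 is small enough to build by hand. As an added example (not from the notes), the Python below constructs an A-record query for a name and parses a constructed reply, including the name-compression pointer that real answers use to refer back to the question. The parser refuses pointers that do not point backwards, which is the check that stops a crafted message from looping a resolver, and it bounds every field read by the message length. The transaction id, name and answer address are constructed sample values.

```python
import struct

RD = 0x0100  # "recursion desired" flag in the query header
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'example.com' becomes 07 'example' 03 'com' 00: length-prefixed labels and a root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label {label!r} must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """12-byte header (id, flags, four section counts) followed by one question."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a possibly compressed name; returns (name, offset just after it in the message).

    A compression pointer (top two bits 11) must point to an earlier position; enforcing that
    is what stops a malicious message from sending the parser round in a loop.
    """
    labels, pos, end = [], offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise ValueError("forward or self-referencing compression pointer")
            if end is None:
                end = pos + 2  # the name in the message ends after the first pointer followed
            pos = target
            continue
        if length > 63 or pos + 1 + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos)


def parse_response(msg: bytes) -> dict:
    """Parse the header, question and answer sections; A-record data becomes a dotted quad."""
    if len(msg) < 12:
        raise ValueError("message shorter than the DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        if pos + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("RDLENGTH runs past the end of the message")
        pos += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


# Constructed reply to build_query(0x1234, "example.com"): flags 0x8180 (response, RD, RA), one
# question, one answer whose name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(build_query(0x1234, "example.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

A client matching replies to queries should compare the transaction id and the question section, not just the id, since the 16-bit id on its own is the only thing an unsolicited UDP reply has to guess.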

What is DHCP (Dynamic Host Configuration Protocol)?


 The Dynamic Host Configuration Protocol is a network protocol for Internet Protocol (IP) networks that assigns IP
addresses and other communication settings to devices connected to the network using a client-server
architecture.
 The technology is made up of two network components: a centrally deployed DHCP server and the client
instances of the protocol stack on each computer or device, which eliminate the necessity for manually
configuring the network devices. When a client first connects to the network, it uses the DHCP protocol to
request a set of settings from the DHCP server.
 DHCP is a client/server protocol that automatically assigns an IP address and other configuration information to
an Internet Protocol (IP) host, such as the subnet mask and default gateway. When using DHCP, the server uses
port 67 and the client uses port 68.
 When a computer is moved to a different location on the network, DHCP allows a network administrator to
oversee and distribute IP addresses from a central location, and it immediately issues the computer a new Internet
Protocol (IP) address.

DHCP is an application layer protocol that provides:


 Subnet Mask
 Router Address
 IP Address

 DHCP may be used on a variety of networks, from small home networks to big university networks and regional
ISP networks. DHCP server capability is available on many routers and residential gateways.
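The three items listed above (subnet mask, router address, IP address) travel in a DHCP message as the yiaddr header field plus option 1 and option 3 of the options field. As an added example (not from the notes), the Python below builds a constructed DHCPOFFER and parses it back: the fixed 236-byte BOOTP header, the magic cookie that marks the start of the options, and the type-length-value options list with its two special codes, pad (0) and end (255). The parser rejects truncated options and a missing end marker, which is how a client should treat a malformed server reply. The transaction id, MAC address, addresses and lease time are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_servers", 51: "lease_time",
                53: "message_type", 54: "server_id"}
IPV4_OPTIONS = {1, 3, 54}   # options carrying exactly one address
IPV4_LIST_OPTIONS = {6}     # options carrying one or more addresses


def build_offer(xid: int, client_mac: bytes, yiaddr: str, server: str, mask: str,
                router: str, dns: list, lease: int) -> bytes:
    """Constructed DHCPOFFER: 236-byte BOOTP header, magic cookie, then TLV options ending in 255."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4,                # ciaddr: the client has no address yet
                         socket.inet_aton(yiaddr),   # yiaddr: the address being offered
                         socket.inet_aton(server),   # siaddr: next server
                         b"\x00" * 4,                # giaddr: no relay agent
                         client_mac, b"", b"")       # chaddr padded to 16; sname and file zero-filled
    options = (bytes([53, 1, 2])                                         # message type: OFFER
               + bytes([1, 4]) + socket.inet_aton(mask)                  # subnet mask
               + bytes([3, 4]) + socket.inet_aton(router)                # router (default gateway)
               + bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
               + bytes([51, 4]) + struct.pack("!I", lease)               # lease time in seconds
               + bytes([54, 4]) + socket.inet_aton(server)               # server identifier
               + bytes([0])                                              # a pad octet, legal anywhere
               + bytes([255]))                                           # end option
    return header + MAGIC_COOKIE + options


def parse_options(data: bytes) -> dict:
    """Walk the option TLVs: pad (0) has no length, end (255) stops, everything else is code, len, value."""
    opts, pos = {}, 0
    while pos < len(data):
        code = data[pos]
        if code == 0:
            pos += 1
            continue
        if code == 255:
            return opts
        if pos + 1 >= len(data):
            raise ValueError(f"option {code} has no length octet")
        length = data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: wanted {length} bytes, got {len(value)}")
        pos += 2 + length
        name = OPTION_NAMES.get(code, f"option_{code}")
        if code in IPV4_OPTIONS and length == 4:
            opts[name] = socket.inet_ntoa(value)
        elif code in IPV4_LIST_OPTIONS and length > 0 and length % 4 == 0:
            opts[name] = [socket.inet_ntoa(value[i:i + 4]) for i in range(0, length, 4)]
        elif code == 51 and length == 4:
            opts[name] = struct.unpack("!I", value)[0]
        elif code == 53 and length == 1:
            opts[name] = MESSAGE_TYPES.get(value[0], f"unknown({value[0]})")
        else:
            opts[name] = value.hex()  # unknown option, or known one with a bad length, kept raw
    raise ValueError("options field is missing the end option (255)")


def parse_dhcp(msg: bytes) -> dict:
    """Decode the header fields a client cares about, then the options."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the 16-byte chaddr field")
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "ciaddr": socket.inet_ntoa(msg[12:16]), "yiaddr": socket.inet_ntoa(msg[16:20]),
        "siaddr": socket.inet_ntoa(msg[20:24]), "giaddr": socket.inet_ntoa(msg[24:28]),
        "chaddr": msg[28:28 + hlen].hex(":"),
        "options": parse_options(msg[240:]),
    }


if __name__ == "__main__":
    # All addresses are constructed sample values.
    offer = build_offer(0xABCD1234, bytes.fromhex("0a1b2c3d4e5f"), "192.168.1.50", "192.168.1.1",
                        "255.255.255.0", "192.168.1.1", ["192.168.1.1", "192.0.2.53"], 86400)
    print(parse_dhcp(offer))
```

Option 52 (option overload) and the sname/file fields are not handled here; a full client must also honour those, and should only accept an OFFER whose xid matches the DISCOVER it sent, since any host on the segment can answer a broadcast on port 68.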

Differences:

1. DNS: DNS stands for Domain Name System.
   DHCP: DHCP stands for Dynamic Host Configuration Protocol.

2. DNS: It works on port number 53.
   DHCP: It works on port numbers 67 and 68.

3. DNS: The protocols supported by DNS are UDP and TCP.
   DHCP: Only the UDP protocol is used.

4. DNS: DNS is a decentralized system.
   DHCP: DHCP is a centralized system.

5. DNS: In DNS, with the help of the DNS server, domain names are translated into IP addresses and IP
   addresses are translated into domain names.
   DHCP: In DHCP, the DHCP server is used to configure the hosts automatically.

6. DNS: With the help of DNS, we don't need to remember the IP address.
   DHCP: It provides reliable IP configuration.

Ethical Hacking CEH V12


What is Hacking?
 Compromising or gaining unauthorized access to digital devices, such as computers, smartphones, tablets, and
even entire networks.

Ethical Hacking:-
 Ethical hacking is the authorized practice of bypassing system security to identify potential data breaches and threats
in a network. The company that owns the system or network allows cyber security experts to perform such
activities in order to test the system's defenses. Thus, unlike malicious hacking, this process is planned,
approved, and more importantly, legal.

Terminologies:
Attack:
 An attack is an action performed on a system to gain access to it and extract sensitive data.

Vulnerability:
 A vulnerability in security refers to a weakness or opportunity in an information system that cybercriminals can
exploit and gain unauthorized access to a computer system. Vulnerabilities weaken systems and open the door
to malicious attacks.
 Weakness in a system e.g.: in hardware or software

Exploit:
 An exploit is a software tool that takes advantage of a vulnerability in a computer system for malicious purposes
such as installing malware.
 A method to intrude or penetrate in a system.

Payload:
 Malicious code inside the exploit is called payload.

Malware:
 Malware is malicious (intended to do harm) software which, when it enters the target host, gives an attacker
full or limited control over the target.

Backdoor:
 A back door, or trap door, is a hidden entry to a computing device or software that bypasses security measures,
such as logins and password protections.

Hack value:
 The notion among hackers that something is worth doing. It is also the reputation of a hacker, i.e. how good they are
at hacking.

Zero day attack:


 When a hacker finds a new vulnerability in a system that no one else knows about, an attack using that
vulnerability or exploit is called a zero day attack.

Firewall:
 A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic
based on a defined set of security rules

Intrusion Detection & Intrusion Prevention:


 IDS/IPS compare network packets to a cyber-threat database containing known signatures of cyberattacks. The
main difference between them is that an IDS is a monitoring system, while an IPS is a control system.

Introduction to Ethical Hacking:


Phases/Steps of Hacking:
 There are mainly 5 phases in hacking. A hacker does not necessarily have to follow these 5 steps in sequence,
but it is a stepwise process and, when followed, yields a better result.

1. Reconnaissance:
 Reconnaissance, also known as the preparatory phase, is where the hacker gathers information about a target
before launching an attack; it is completed in phases prior to exploiting system vulnerabilities. One of the first
phases of reconnaissance is dumpster diving.
 It is during this phase that the hacker finds valuable information such as old passwords and names of important
employees (such as the head of the network department), and performs active reconnaissance to learn how
the organization functions.
 As a next step, the hacker completes a process called foot printing to collect data on the security posture,
narrows the focus area (for example, finding out specific IP addresses), identifies vulnerabilities within the target
system, and finally draws a network map to know exactly how the network infrastructure works in order to break into
it easily. Foot printing provides important information such as the domain name, TCP and UDP services, system
names, and passwords.
 There are also other ways to do foot printing, including impersonating a website by mirroring it, using search
engines to find information about the organization, and even using the information of current employees for
impersonation.

We usually collect information about three groups,


 Network
 Host
 People involved

There are two types of Foot printing:

 Active: Directly interacting with the target to gather information about it, e.g. using the Nmap tool to scan
the target.
 Passive: Collecting information about the target without directly accessing it. This involves
collecting information from social media, public websites, etc.

2. Scanning:
Three types of scanning are involved:
 Port scanning: This phase involves scanning the target for information like open ports, live systems, and the
various services running on the host.
 Vulnerability scanning: Checking the target for weaknesses or vulnerabilities which can be exploited. Usually
done with the help of automated tools.
 Network mapping: Finding the topology of the network, routers, firewalls and servers if any, and host information,
and drawing a network diagram with the available information. This map may serve as a valuable piece of
information throughout the hacking process.

3. Gaining Access:
 In this phase, the hacker designs the blueprint of the target's network with the help of the data collected during
Phase 1 and Phase 2. The hacker has finished enumerating and scanning the network and now decides that they
have some options to gain access to the network.
 For example, say a hacker chooses a phishing attack. The hacker decides to play it safe and use a simple phishing
attack to gain access. The hacker decides to infiltrate the IT department. They see that there have been some
recent hires who are likely not up to speed on the procedures yet. A phishing email will be sent, using a program, so
that it appears to come from the CTO's actual email address, and sent out to the techs.
 The email contains a link to a phishing website that will collect their logins and passwords. Using any number of
options (phone app, website email spoofing, Zmail, etc.) the hacker sends an email asking the users to log in to a new
Google portal with their credentials. They already have the Social Engineering Toolkit running and have sent an
email with the server address to the users, masking it with a bitly or tinyurl link.

4. Maintaining Access:
 Once a hacker has gained access, they want to keep that access for future exploitation and attacks. Once the
hacker owns the system, they can use it as a base to launch additional attacks.
 In this case, the owned system is sometimes referred to as a zombie system. Now that the hacker has multiple e-
mail accounts, the hacker begins to test the accounts on the domain. From this point the hacker creates a new
administrator account for themselves based on the naming structure and tries to blend in. As a precaution,
the hacker begins to look for and identify accounts that have not been used for a long time. The hacker assumes
that these accounts are likely either forgotten or not used, so they change the password and elevate privileges to
administrator as a secondary account in order to maintain access to the network.
 The hacker may also send out emails to other users with an exploited file, such as a PDF with a reverse shell, in
order to extend their possible access. No overt exploitation or attacks will occur at this time. If there is no
evidence of detection, a waiting game is played, letting the victim think that nothing was disturbed. With access
to an IT account, the hacker begins to make copies of all emails, appointments, contacts, instant messages and
files to be sorted through and used later.

5. Clearing Tracks (so no one can reach them):


 Prior to the attack, the attacker would change their MAC address and run the attacking machine through at least
one VPN to help cover their identity. They will not deliver a direct attack or use any scanning technique that would
be deemed "noisy".
 Once access is gained and privileges have been escalated, the hacker seeks to cover their tracks. This includes
clearing out sent emails, clearing server logs, temp files, etc. The hacker will also look for indications of the
email provider alerting the user to possible unauthorized logins under their account.
 Most of the time is spent on the Reconnaissance phase, and the time spent decreases in each subsequent phase.
The inverted triangle in the diagram represents this decreasing time in the later phases.

Cyber Kill Chain


 The cyber kill chain is an adaptation of the military’s kill chain, which is a step-by-step approach that identifies
and stops enemy activity. Originally developed by Lockheed Martin in 2011, the cyber kill chain outlines the
various stages of several common cyberattacks and, by extension, the points at which the information security
team can prevent, detect or intercept attackers.
 The cyber kill chain is intended to defend against sophisticated cyberattacks, also known as advanced persistent
threats (APTs), wherein adversaries spend significant time surveilling and planning an attack. Most commonly,
these attacks involve a combination of malware, ransomware, Trojans, spoofing and social engineering
techniques to carry out their plan.

7 Phases of the Cyber Kill Chain Process

Phase 1: Reconnaissance:
 During the Reconnaissance phase, a malicious actor identifies a target and explores vulnerabilities and
weaknesses that can be exploited within the network. As part of this process, the attacker may harvest login
credentials or gather other information, such as email addresses, user IDs, physical locations, software
applications and operating system details, all of which may be useful in phishing or spoofing attacks.
 Generally speaking, the more information the attacker is able to gather during the Reconnaissance phase, the
more sophisticated and convincing the attack will be and, hence, the higher the likelihood of success.
 Intelligence Gathering
 Target Selection
 Open Source Intelligence (OSINT)
 Covert Gathering
 Foot printing

Intelligence Gathering:
 Intelligence collection involves finding, selecting, and acquiring information from publicly available sources and
analyzing it to produce actionable intelligence. An intelligence-gathering network is a system through which
information about a particular entity is collected for the benefit of another through the use of more than one,
inter-related source. Such information may be gathered by a military intelligence, government intelligence, or
commercial intelligence network.

Target Selection:
• Identification and Naming of Target
• Consider any Rules of Engagement limitations
• Check your Ethics
• Size of the company and revenue
• Consider end goal
• Politics

Open Source Intelligence (OSINT):


• Open-source Intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence
context. In the intelligence community, the term "open" refers to overt, publicly available sources.
• OSINT under one name or another has been around for hundreds of years. With the advent of instant
communications and rapid information transfer, a great deal of actionable and predictive intelligence can now
be obtained from public, unclassified sources.
• In most cases it is legal to obtain information in this way. This means that despite the high potential for harm this
critical information may be obtained at little or no risk to the third party.

Covert Gathering:
• Covert means not getting caught. In the reconnaissance phase this means gathering open source information about a
target, or searching for a target anonymously.

Foot printing:
• The process of accumulating data regarding a specific network environment, usually for the purpose of finding
ways to intrude into the environment. This information can be open source or from direct inspection.

Phase 2: Weaponization:
 During the Weaponization phase, the attacker creates an attack vector, such as remote access malware,
ransomware, a virus or a worm, that can exploit a known vulnerability. During this phase, the attacker may also set
up back doors so that they can continue to access the system if their original point of entry is identified and
closed by network administrators.

Phase 3: Delivery:
 In the Delivery step, the intruder launches the attack. The specific steps taken will depend on the type of attack
they intend to carry out. For example, the attacker may send email attachments or a malicious link to spur user
activity to advance the plan.
 This activity may be combined with social engineering techniques to increase the effectiveness of the campaign.

Phase 4: Exploitation:
 Exploitation is the stage that follows delivery and weaponization. In the exploitation step of the Cyber Kill Chain,
attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a
target’s network and achieve their objectives. In this process, cybercriminals often move laterally across a
network to reach their targets. Exploitation can sometimes lead attackers to their targets if those responsible for
the network have not deployed deception measures.

Phase 5: Installation:
 After cybercriminals have exploited their target’s vulnerabilities to gain access to a network, they begin the
installation stage of the Cyber Kill Chain: attempting to install malware and other cyber weapons onto the target
network to take control of its systems and exfiltrate valuable data. In this step, cybercriminals may install cyber
weapons and malware using Trojan horses, backdoors, or command-line interfaces.

Phase 6: Command and Control:


 In Command & Control, the attacker is able to use the malware to assume remote control of a device or identity
within the target network. In this stage, the attacker may also work to move laterally throughout the network,
expanding their access and establishing more points of entry for the future.

Phase 7: Actions on Objective:


 In this stage, the attacker takes steps to carry out their intended goals, which may include data theft,
destruction, encryption or exfiltration.
 Over time, many information security experts have expanded the kill chain to include an eighth step:
Monetization. In this phase, the cybercriminal focuses on deriving income from the attack, be it through some
form of ransom to be paid by the victim or selling sensitive information, such as personal data or trade secrets,
on the dark web.
 Generally speaking, the earlier the organization can stop the threat within the cyber-attack lifecycle, the less risk
the organization will assume. Attacks that reach the Command and Control phase typically require far more
advanced remediation efforts, including in-depth sweeps of the network and endpoints to determine the scale
and depth of the attack. As such, organizations should take steps to identify and neutralize threats as early in the
lifecycle as possible in order to minimize both the risk of an attack and the cost of resolving an event.

The MITRE ATT&CK Framework:


MITRE ATT&CK:
• MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a framework, set of data matrices,
and assessment tool developed by MITRE Corporation to help organizations understand their security readiness
and uncover vulnerabilities in their defenses.

• Developed in 2013, the MITRE ATT&CK Framework uses real-world observations to document specific attack
methods, tactics, and techniques. As new vulnerabilities and attack surfaces come to light, they are added to the
ATT&CK framework, which is thus constantly evolving. In the past few years, the MITRE ATT&CK framework and
its matrices have become an industry standard for both knowledge and remediation tools regarding attacker
behavior.

MITRE ATT&CK framework:


• MITRE ATT&CK is an abbreviation for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The
MITRE ATT&CK framework is a curated repository that includes matrices that provide a model for cyberattack
behaviors. The framework is generally presented in tabular form, with columns that represent the tactics (or
desired outcomes) used during the life of an attack, and rows that represent the techniques that are utilized to
achieve those tactical goals. The framework also documents technique usage and other metadata that is linked to
individual techniques.
• MITRE ATT&CK framework is an outgrowth of a MITRE experiment that emulated both attacker and defender to
help understand how attacks happen and improve post-compromise detection using telemetry sensing and
behavioral analytics. To better understand how well the industry is doing at detecting documented adversarial
behavior they created the ATT&CK framework as a tool to categorize these behaviors.

MITRE ATT&CK Matrix:


• The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective.
Those objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented linearly from the
point of reconnaissance to the final goal of exfiltration or "impact". Looking at the broadest version of ATT&CK
for Enterprise, which includes Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS,
Network, and Containers, the following adversary tactics are categorized:

Tactic                     Attacker's objective

1.  Reconnaissance         Gather information they can use to plan future operations
2.  Resource Development   Establish resources they can use to support operations
3.  Initial Access         Get into your network
4.  Execution              Run malicious code
5.  Persistence            Maintain their foothold
6.  Privilege Escalation   Gain higher-level permissions
7.  Defense Evasion        Avoid being detected
8.  Credential Access      Steal account names and passwords
9.  Discovery              Figure out your environment
10. Lateral Movement       Move through your environment
11. Collection             Gather data of interest to their goal
12. Command and Control    Communicate with compromised systems to control them
13. Exfiltration           Steal data
14. Impact                 Manipulate, interrupt or destroy your systems and data

1. Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target
organization
2. Resource Development: establishing resources to support operations, e.g., setting up command and control
infrastructure
3. Initial Access: trying to get into your network, e.g., spear phishing
4. Execution: trying to run malicious code, e.g., running a remote access tool
5. Persistence: trying to maintain their foothold, e.g., changing configurations
6. Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
7. Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
8. Credential Access: stealing account names and passwords, e.g., keylogging
9. Discovery: trying to figure out your environment, e.g., exploring what they can control
10. Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through
multiple systems
11. Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage
12. Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web
traffic to communicate with a victim network
13. Exfiltration: stealing data, e.g., transferring data to a cloud account
14. Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware
• Within each tactic of the MITRE ATT&CK matrix there are adversary techniques, which describe the actual
activity carried out by the adversary. Some techniques have sub-techniques that explain how an adversary
carries out a specific technique in greater detail.

MITRE ATT&CK Technologies:


ATT&CK Technologies can include the following:
• Enterprise IT systems covering Windows, macOS, Linux
• Network infrastructure devices (network)
• Container technologies (containers)
• Cloud systems covering infrastructure as a service (IaaS)
• Software as a service (SaaS)
• Office 365
• Azure Active Directory (Azure AD)
• Google Workspace
• Mobile devices covering Android and iOS

Module 2
Information Gathering
Passive Information Gathering:
 DNS Info
 Tech Info
 Cache Info
 Google Dorks
 Employee Emails
 Sub Domain
 Metadata
 DMZ (Demilitarized zone)

DNS Info:
 Search "DNS Lookup" on Google
 https://www.digitalocean.com/
 https://www.whatismyip.com/
 https://dnschecker.org/
 https://who.is/
 https://sitereport.netcraft.com/
 And many more
RIR (Regional Internet Registries):
 There are five Regional Internet Registries (RIRs) in the world. RIRs manage, distribute, and register Internet
number resources (IPv4 and IPv6 address space and Autonomous System (AS) Numbers) within their respective
regions.

Technology Info:
 Use https://www.wappalyzer.com/ to get Technology info of the website

Cache Info:
 Use the Wayback Machine (https://archive.org/) to get the history/geography of websites.

Google Dorks:
 Google dorking, also called Google hacking, is a search-hacking technique that uses advanced search queries to
uncover hidden information in Google. Google dorks, or Google hacks, refer to the specific search commands
(including special parameters and search operators) that when entered into the Google search bar reveal hidden
parts of websites.
 When Google crawls the web to index pages for its search engine, it can see parts of websites that normal
internet users can’t. Google dorks and Google hacks uncover some of that hidden data, letting you see
information that organizations, companies, and website owners may not want you to see.
 A simple example of an advanced search query is the use of quotation marks. Using quotation marks in searches
gives you a list of results that includes web pages where the complete phrase is used, rather than some
combination (complete or incomplete) of the individual words you entered into the search field.
 There are many more types of Google hacks using advanced search queries, but their technical explanations
don’t actually get much more complicated than that. Their power lies in the ability to use them creatively.

Common Google dork operators and commands


1. Site:
 Using “site:” in a search command will provide results only from the specific website mentioned.

2. Intitle:
 Using “intitle:” asks Google to search only for pages with that specific text in their HTML page titles.

3. Inurl:
 Using “inurl:” will search only for pages with that specific text in their URL.

4. Filetype or ext:
 Using “filetype:” or “ext:” will narrow your search to the specific file type mentioned.

5. Intext:
 Using “intext:” in a search query will search only for the supplied keywords. In the example below, all results
listed will have the quoted text somewhere on the page.

Advanced Google dork operators and commands


 Now let’s examine more advanced Google hacking commands. Advanced Google hacks let you look up the
archives of files, read recently-deleted content, and access CCTV webcams of certain areas like a parking lot or
the grounds of a college campus.
1. Cache:
 Using “cache:” in your search can let you see older versions of a website or access files that have recently been
removed. Try entering something like “cache:twitter.com/madonna” to see a history of the artist’s posts,
including recently-deleted tweets.
2. :ftp
 This advanced Google hack can be used at the end of a combined query to find FTP servers. FTP servers often
hold large amounts of files. Search shakespeare:ftp to find a massive archive of all his texts.
3. Filetype:log:
 Using this Google dork will search for log files.
For More Depth: https://www.exploit-db.com/google-hacking-database

The Harvester Tool – Kali Linux


 TheHarvester is another tool like sublist3r which is developed using Python. This tool can be used by penetration
testers for gathering information of emails, sub-domains, hosts, employee names, open ports, and banners from
different public sources like search engines, PGP key servers, and SHODAN computer database.
 To see how to use theHarvester, run theHarvester -h in Kali:
 usage: theHarvester [-h] -d DOMAIN [-l LIMIT] [-S START] [-p] [-s] [--screenshot SCREENSHOT] [-v] [-e
DNS_SERVER] [-r] [-n] [-c] [-f FILENAME] [-b SOURCE]

To use the old theHarvester, go to the download directory (download path) and open the theHarvester folder there.
Use the ls command to view the directories.

Run sudo pip3 install -r requirements.txt to install the old version's dependencies.

Run python3 theHarvester.py -h to view the old Harvester's usage. Now we have theHarvester.py with sources such as
google, linkedin, etc.
Run python3 theHarvester.py -d facebook.com -l 200 -b google

Subfinder – Subdomain
 Use subfinder -h to view its usage
Usage of subfinder:

How to get Subdomain information

Metadata
 Metadata means "data about data". Metadata is defined as the data providing information about one or more
aspects of the data; it is used to summarize basic information about data that can make tracking and working
with specific data easier.
 Metadata is often used to describe information about the file, such as its author and creation date. It can also
include other data, including keywords and ratings. Metadata helps users find files they are looking for and make
decisions about which ones to use. Metadata is often used to describe the contents of a file.

Some examples include:


 Means of creation of the data
 Purpose of the data
 Time and date of creation
 Creator or author of the data
 Location on a computer network where the data was created
 Standards used
 File size
 Data quality
 Source of the data
 Process used to create the data

 Information gathering: This is the very first and very essential phase of any security assessment project. The
focus is on collecting as much information as possible related to the target. The success of any pentest relies
heavily on the information gathering phase, as it is the information collected during this phase that is leveraged in
later stages for the purpose of intrusion. The task of gathering the information can be done using various methods
such as OSINT (Open Source Intelligence) tools, e.g. search engines, scanners, fingerprinting tools (active and
passive), etc.

 OSINT (Open Source Intelligence): Open Source Intelligence involves finding, selecting and procuring
information from sources which are publicly available. This information can be exploited to harvest insight
on which critical decisions can be based. Open source intelligence can be collected from a variety of sources
such as newspapers, web-based content, public documents, etc. From a cybersecurity point of view it is mostly
the web-based content that is the main source of open source intelligence. The advantage of open source
intelligence is that it is present in the public domain and hence is easy to access. It is a very crucial part of the
information gathering phase of security testing.

 Metagoofil: Metagoofil is a Linux-based tool developed in Python which extracts metadata from public
documents which are available on the target website(s). Metagoofil supports different document types like pdf,
doc, xls, ppt, odp, ods, docx, xlsx, pptx. The tool utilizes different Python libraries like GoogleSearch, Hachoir,
PdfMiner, etc. for the purpose of locating the files and extracting metadata. The output of the tool is displayed as
a report in HTML format, which can be easily viewed in a browser.

To Read More about Metadata – Visit https://resources.infosecinstitute.com/topic/metadata-the-hidden-treasure/

Metagoofil – Kali
Use metagoofil -h to view its usage

Use it this way to get data from any website: metagoofil -d intellipaat.com -l 30 -t doc,pdf,xls -n 30

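The metadata fields listed above (author, creation date and so on) are what Metagoofil pulls out of published documents. As an added example, not part of these notes and not Metagoofil's own code, the following script reads and strips those fields from an Office document using only the Python standard library: OOXML files (docx/xlsx/pptx) are zip archives whose docProps/core.xml part holds the authorship data. The sample document, its field values and the choice of "sensitive" fields are all constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in OOXML packages (docx/xlsx/pptx)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Fields that typically leak usernames and timelines (constructed choice for this example)
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]
# Constructed core.xml for the sample document; all values are made up
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
<dc:title>Q3 Budget</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy>
<dcterms:created>2023-05-01T09:12:00Z</dcterms:created>
<dcterms:modified>2023-05-03T17:45:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def make_sample_docx() -> bytes:
    """Build a minimal constructed .docx (a zip archive) carrying SAMPLE_CORE_XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not a full document
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_core_properties(doc: bytes) -> dict:
    """Return {"prefix:local": text} for every element in docProps/core.xml."""
    prefixes = {uri: p for p, uri in NS.items()}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for el in root:
        uri, local = el.tag[1:].split("}")  # ElementTree tags look like "{uri}local"
        props[f"{prefixes.get(uri, uri)}:{local}"] = (el.text or "").strip()
    return props


def scrub_core_properties(doc: bytes) -> bytes:
    """Return a copy of the archive with the SENSITIVE core.xml fields blanked."""
    for p, uri in NS.items():
        ET.register_namespace(p, uri)  # keep the original prefixes on output
    src, out = zipfile.ZipFile(io.BytesIO(doc)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for name in SENSITIVE:
                    for el in root.findall(name, NS):
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            z.writestr(item, data)
    return out.getvalue()
```

Running extract_core_properties over every document on a public web server before it goes live is the defensive counterpart of what Metagoofil does for an attacker.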
DMZ (Demilitarized zones)
 Demilitarized zones, or DMZs for short, are used in cybersecurity. DMZs separate internal networks from the
internet and are often found on corporate networks. A DMZ is typically created on a company’s internal network
to isolate the company from external threats. While the name might sound negative, a DMZ can be a helpful tool
for network security.

 The DMZ is a network barrier between the trusted network (the company’s private network) and the untrusted
network (the public network). The DMZ acts as a protection layer through which outside users cannot access the
company’s internal data. The DMZ receives requests from outside users or public networks to access a company’s
information or website. For such requests, the DMZ arranges sessions on the public network; it cannot initiate a
session on the private network. If anyone performs malicious activity against the DMZ, the web pages may be
corrupted, but the other information remains safe.
 The goal of a DMZ is to provide access to the untrusted network while ensuring the security of the private
network. A DMZ is not mandatory, but it is a better approach to use it together with a firewall.
Advantages:
 It provides access to external users while securing the internal sensitive network.
 A DMZ can be used in combination with a firewall and router, which as a result provides high security.
 By implementing a DMZ, only the data that is intended to be visible publicly is displayed; the rest is hidden
and secured.
 A DMZ enables web servers, email servers, etc. to be accessible on the internet while simultaneously protecting
them with a firewall.

Disadvantages:
 Various vulnerabilities can be found in the DMZ system’s services.
 If an attacker successfully cracks the DMZ system, they may access your confidential information.
 An attacker having authentication data can access the system as an authorized user.
 The data provided on a public network to external networks can be leaked or replicated.

Key features:
 A DMZ provides a buffer from the outside world for your computer systems. When you create a network, you
must decide where your computer systems will reside.
 Creating a buffer zone between your systems and the internet allows you to function normally without being
susceptible to external attacks. Keeping your internal systems inside a DMZ also makes it difficult for hackers to
steal data or cause disruptions on company networks. For this reason, most organizations use a DMZ when
creating secure computer systems.
 A DMZ provides a target for ethical hackers. Hackers often seek out companies with weak computer security;
this is why many organizations use a DMZ to protect their internal systems.
 Companies that have strong security measures typically don’t create vulnerabilities in their networks by
demilitarizing zones on their own computers or in their IT environments.
 The DMZ makes it easy for ethical hackers to find vulnerabilities and gain access to designated targets once
they’re inside the buffer zone. By knowing which systems have weak security and then targeting them, ethical
hackers can perform necessary maintenance without damaging company networks further.
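The rule that matters most in the description above is that the DMZ answers sessions from the public network but never opens one into the private network. As an added example, not part of these notes, the following Python model of a stateful zone firewall makes that rule concrete: the zone names, the address prefixes, the port lists and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass, field

# Zone membership by address prefix (constructed addresses for this example)
ZONES = {"10.0.0.": "internal", "192.0.2.": "dmz"}


def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "internet"


# Which NEW sessions may be opened: (source zone, destination zone) -> allowed destination ports.
# None means any port. Pairs that are absent are denied, which is the whole point of the DMZ:
# ("dmz", "internal") never appears, so the DMZ cannot initiate a session into the private network,
# and ("internet", "internal") never appears, so outsiders have no direct path to it either.
POLICY = {
    ("internet", "dmz"): {80, 443},   # public web traffic terminates on the DMZ servers
    ("internal", "dmz"): {22, 443},   # admins and staff reach DMZ services
    ("internal", "internet"): None,   # outbound browsing from the private network
}


@dataclass
class Firewall:
    """Stateful filter: remembers accepted sessions so replies can flow back."""
    sessions: set = field(default_factory=set)

    def check(self, src: str, sport: int, dst: str, dport: int) -> str:
        flow = (src, sport, dst, dport)
        # Packets belonging to an already accepted session pass in either direction
        if flow in self.sessions or (dst, dport, src, sport) in self.sessions:
            return "ACCEPT (established)"
        allowed = POLICY.get((zone_of(src), zone_of(dst)), set())
        if allowed is None or dport in allowed:
            self.sessions.add(flow)
            return "ACCEPT (new)"
        return "DROP"


def run_demo() -> list:
    """Push a few constructed flows through one firewall instance, in order."""
    fw = Firewall()
    flows = [
        ("198.51.100.7", 51000, "192.0.2.10", 443),  # internet -> DMZ web server
        ("192.0.2.10", 443, "198.51.100.7", 51000),  # the web server's reply
        ("198.51.100.7", 51001, "10.0.0.5", 445),    # internet -> internal file share
        ("192.0.2.10", 40000, "10.0.0.5", 3306),     # DMZ host opening a session inward
        ("10.0.0.5", 40001, "192.0.2.10", 22),       # admin on the LAN -> DMZ SSH
        ("192.0.2.10", 22, "10.0.0.5", 40001),       # SSH reply back to the admin
    ]
    return [fw.check(*f) for f in flows]
```

The fourth flow is the one a compromised DMZ host would try; the model drops it because no policy entry exists for dmz to internal, while the second and sixth flows pass only because they belong to sessions the trusted side opened.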

Maltego – All in One tool


 Maltego is a comprehensive tool for graphical link analyses that offers real-time data mining and information
gathering, as well as the representation of this information on a node-based graph, making patterns and
multiple order connections between said information easily identifiable.
 “Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting
information for investigative tasks.”

How does Maltego work?


 Maltego is used to map the relationships between pieces of information. It uses Entities and Transforms, both
are described in the fourth video [6] in the Maltego Essentials series.

Entities:
 Entities are “bits of information” that we have obtained from a data source.
 The above example from Maltego’s docs shows some basic Entity types available in Maltego: a physical location,
a website, a company name, an email address, a person’s name and a telephone number. It is possible to create
custom Entities.

Transforms:
 A Transform is “the bit of code that generates some information based on a bit of information we already have…
[T]he process of executing the code that generates more Entities [is known] as ‘Running a Transform’
Example: Open Maltego in Kali, click on New and paste the website URL.

Above details Include wayback, DNS, IP, emails and all.
