1. The Core Architecture (The "Why" and "How")
1.1 The Purpose of Networking
Networking is not merely connectivity—it is an abstraction system enabling:
- Resource sharing (filesystems, compute, services)
- Distributed computation (microservices, RPC, message queues)
- Fault tolerance and redundancy
- Protocol abstraction (applications don't manage physical transmission)
From a red team perspective:
Every abstraction layer introduces trust boundaries and attack surfaces.
1.2 OSI Model vs TCP/IP Stack
OSI Model (Conceptual – 7 Layers)
| Layer | Function | Red Team Relevance |
|---|---|---|
| 7 Application | User-facing protocols | Data exfiltration |
| 6 Presentation | Encoding, encryption | TLS weaknesses |
| 5 Session | Session mgmt | Token/session hijacking |
| 4 Transport | End-to-end comms | Port scanning |
| 3 Network | Routing | IP spoofing |
| 2 Data Link | Local delivery | ARP poisoning |
| 1 Physical | Bits on wire | Rarely targeted |
TCP/IP Stack (Practical – 4 Layers)
| Layer | Maps to OSI |
|---|---|
| Application | 5–7 |
| Transport | 4 |
| Internet | 3 |
| Network Access | 1–2 |
Where Software Ends vs Hardware Begins
- Hardware domain: NIC, switches → frame forwarding
- Kernel space: TCP/IP stack implementation
- User space: Applications using sockets
Key insight:
Red teamers exploit mismatches between kernel behavior and application assumptions.
1.3 Packet Lifecycle (Encapsulation)
Outbound:
Application Data
→ TCP Segment
→ IP Packet
→ Ethernet Frame
→ Bits on wire
Inbound:
Reverse process (decapsulation)
Critical Observations:
- Each layer adds headers → attack metadata
- Manipulating headers = protocol abuse
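The outbound and inbound paths above, as an added example (not from the original notes): build_frame wraps constructed application data in TCP, IPv4 and Ethernet headers, and parse_frame peels them off again, checking the IPv4 checksum so a tampered header is rejected. MAC and IP addresses are made up; the TCP checksum is left at zero to keep the block short.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """Outbound path: wrap application data in a TCP, then IPv4, then Ethernet header."""
    # TCP: sport 40000, dport 80, seq 1, ack 1, data offset 5 words, flags PSH|ACK,
    # window 65535; TCP checksum left at 0 because only the IP checksum is demonstrated
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version 4 / IHL 5, id 0x1234, DF set, TTL 64, protocol 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Ethernet: dst MAC, src MAC (both constructed), EtherType 0x0800 = IPv4
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + tcp + payload

def parse_frame(frame: bytes) -> dict:
    """Inbound path: strip one header per layer (decapsulation), validating as we go."""
    layers = {"eth": {"dst": frame[:6].hex(), "src": frame[6:12].hex(),
                      "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["eth"]["type"] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    if ip[9] != 6:
        raise ValueError("only TCP is decoded here")
    tcp = ip[ihl:total_len]           # bytes beyond total_len are frame padding, not data
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    layers["tcp"] = {"sport": sport, "dport": dport, "flags": tcp[13]}
    layers["data"] = tcp[doff:]
    return layers
```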
2. The Red Teamer's Toolkit: Essential Topics
2.1 Layer 2 (Data Link)
MAC Spoofing
- Alter NIC MAC address
- Used to bypass MAC filtering
ARP Poisoning (Core MITM Primitive)
- ARP = "Who has IP?"
- No authentication → trust-based
Attack:
Victim → Attacker: "Who is gateway?"
Attacker → Victim: "I am gateway"
Result:
- Traffic routed through attacker
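Detecting the exchange above from the defender's side, as an added example that is not part of the original notes: the ARP reply lines and the gateway baseline are constructed, and a reply is flagged when it contradicts the baseline or an earlier learned binding, or when one MAC answers for several IPs (a heuristic; a router with multiple addresses would also trip it).

```python
# Constructed ARP reply log (not a real capture): "<sender_ip> is-at <sender_mac>"
ARP_LOG = """\
192.168.1.1 is-at 00:11:22:33:44:55
192.168.1.20 is-at 3c:52:82:aa:bb:cc
192.168.1.1 is-at de:ad:be:ef:00:01
192.168.1.1 is-at de:ad:be:ef:00:01
192.168.1.20 is-at 3c:52:82:aa:bb:cc
192.168.1.30 is-at de:ad:be:ef:00:01
"""

# Assumed static baseline for the gateway; in practice taken from switch or DHCP config
KNOWN_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}

def detect_arp_poisoning(log: str, baseline: dict) -> list:
    """Flag replies that contradict the baseline or an earlier learned IP->MAC binding,
    and MACs that claim more than one IP (a poisoner answering for several hosts)."""
    learned = {}             # ip -> mac, first reply wins unless contradicted
    mac_ips = {}             # mac -> set of IPs it has claimed so far
    alerts = []
    for lineno, line in enumerate(log.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3 or parts[1] != "is-at":
            continue         # not an ARP reply line
        ip, mac = parts[0], parts[2].lower()
        expected = baseline.get(ip, learned.get(ip))
        if expected is not None and expected != mac:
            alerts.append((lineno, "binding-conflict", ip, mac))
        learned.setdefault(ip, mac)
        mac_ips.setdefault(mac, set()).add(ip)
        if len(mac_ips[mac]) > 1:
            alerts.append((lineno, "mac-claims-multiple-ips", ip, mac))
    return alerts
```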
VLAN Hopping
- Exploit trunking misconfigurations
- Techniques:
- Double tagging
- Switch spoofing
2.2 Layer 3 (Network)
IP Addressing
- IPv4 vs IPv6 attack surface differs:
- IPv6 → massive address space → scanning harder
- SLAAC → spoofing opportunities
Subnetting (CIDR)
- Essential for:
- Target scoping
- Lateral movement planning
Example:
192.168.1.0/24 → 256 hosts
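The CIDR arithmetic behind the /24 example, worked from bit operations as an added example (not from the original notes); it also handles the /31 and /32 edge cases and adds an in_scope check for the target-scoping use above.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(cidr: str):
    """Return (network, broadcast, mask) as integers for an a.b.c.d/n string."""
    ip, _, bits = cidr.partition("/")
    bits = int(bits)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask
    return network, network | (~mask & 0xFFFFFFFF), mask

def describe(cidr: str) -> dict:
    """Address count and usable hosts; /31 and /32 have no network/broadcast pair."""
    network, broadcast, mask = parse_cidr(cidr)
    size = 1 << (32 - int(cidr.split("/")[1]))
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask": int_to_ip(mask), "addresses": size,
            "usable_hosts": size - 2 if size > 2 else size}

def in_scope(ip: str, scope: list) -> bool:
    """True if ip falls inside any CIDR in the engagement's scope list."""
    n = ip_to_int(ip)
    return any(lo <= n <= hi for lo, hi, _ in map(parse_cidr, scope))
```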
ICMP Tunneling
- Abuse ping for covert channels
- Evades naive firewall rules
2.3 Layer 4 (Transport)
TCP 3-Way Handshake
SYN → SYN-ACK → ACK
Abuse cases:
- SYN scan (half-open scanning)
- SYN flood (DoS)
UDP
- Stateless → no handshake
- Ideal for:
- Amplification attacks
- Stealth exfiltration
Port Scanning Mechanics
- Not just tools (e.g., nmap), but:
- TCP flags manipulation
- Timing analysis
- Packet crafting
2.4 Layer 7 (Application)
DNS (High-Value Target)
data.attacker.com
HTTP/S
- Headers are attack surface:
Host
X-Forwarded-For
Authorization
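Why X-Forwarded-For is attack surface, as an added example (not from the original notes): a naive client-IP lookup beside a hardened one. The trusted proxy range and the scenario addresses are assumptions; 203.0.113.0/24 is documentation space standing in for the client.

```python
import ipaddress

# Assumed: the only reverse proxies that may legitimately set X-Forwarded-For
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted_proxy(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False                      # not even a valid address

def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """Vulnerable: trusts the left-most X-Forwarded-For value, which the client controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Only honour the header when the TCP peer is our proxy, then walk the chain from
    the right, skipping our own proxies; the first hop we do not own is the client."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr                # direct connection: the header is client input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            try:
                ipaddress.ip_address(hop)  # reject garbage a client may have injected
            except ValueError:
                break
            return hop
    return remote_addr                    # chain exhausted or malformed: fall back to peer

# Constructed scenarios: a direct client forging the header, and the same request via a proxy
DIRECT_SPOOF = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"})
```

The same reasoning applies to any allowlist or rate limit keyed on client address: the naive version lets the header pick the key.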
SSH Tunneling
- Encrypts arbitrary traffic inside SSH
- Used for pivoting
SMTP
- Often overlooked
- Attack vectors:
- Open relay abuse
- Header injection
3. Network Technologies & Infrastructure
3.1 Hardware Behavior
| Device | Function | Security Implication |
|---|---|---|
| Hub | Broadcast | Easy sniffing |
| Switch | MAC-based forwarding | ARP attacks needed |
| Router | IP routing | ACL bypass attempts |
| Firewall | Traffic filtering | Evasion focus |
Firewalls
- Stateless: packet-by-packet
- Stateful: tracks connections
Red team focus:
Craft packets that appear legitimate within state tables.
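The state table a stateful firewall consults, as an added example (not from the original notes) that also serves the handshake and half-open scanning points in 2.3: the packets are constructed, the tracker follows SYN / SYN-ACK / ACK per flow, drops packets with no matching state (which a stateless filter would pass), and counts the SYN, SYN-ACK, RST pattern per source.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed (src, dst, sport, dport, flags): one full handshake, two half-open probes, a stray ACK
PACKETS = [
    ("10.0.0.5", "10.0.0.80", 51000, 443, SYN),
    ("10.0.0.80", "10.0.0.5", 443, 51000, SYN | ACK),
    ("10.0.0.5", "10.0.0.80", 51000, 443, ACK),
    ("10.0.0.9", "10.0.0.80", 40000, 22, SYN),
    ("10.0.0.80", "10.0.0.9", 22, 40000, SYN | ACK),
    ("10.0.0.9", "10.0.0.80", 40000, 22, RST),
    ("10.0.0.9", "10.0.0.80", 40001, 80, SYN),
    ("10.0.0.80", "10.0.0.9", 80, 40001, SYN | ACK),
    ("10.0.0.9", "10.0.0.80", 40001, 80, RST),
    ("10.0.0.7", "10.0.0.80", 50000, 443, ACK),
]

def conn_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a flow share one state entry."""
    return tuple(sorted([(src, sport), (dst, dport)]))

class StatefulTracker:
    def __init__(self):
        self.table = {}        # conn_key -> handshake state
        self.half_open = {}    # src ip -> number of SYN / SYN-ACK / RST sequences seen
        self.dropped = []      # packets that matched no existing state
    def process(self, pkt):
        src, dst, sport, dport, flags = pkt
        k = conn_key(src, dst, sport, dport)
        state = self.table.get(k)
        if flags & RST:
            if state == "SYN_RECEIVED":   # reset instead of the final ACK: half-open pattern
                self.half_open[src] = self.half_open.get(src, 0) + 1
            self.table.pop(k, None)
        elif flags & SYN and not flags & ACK:
            self.table[k] = "SYN_SENT"    # a new attempt opens an entry
        elif flags & SYN and state == "SYN_SENT":
            self.table[k] = "SYN_RECEIVED"
        elif flags & ACK and state == "SYN_RECEIVED":
            self.table[k] = "ESTABLISHED"
        elif state is None:
            self.dropped.append(pkt)      # stateless filtering would have let this through
        return self.table.get(k)

def analyse(packets, threshold=2):
    tracker = StatefulTracker()
    for pkt in packets:
        tracker.process(pkt)
    scanners = sorted(ip for ip, n in tracker.half_open.items() if n >= threshold)
    return tracker, scanners
```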
3.2 Critical Protocols
DHCP (Dynamic Host Configuration Protocol)
Attack:
- Rogue DHCP server
- Assign attacker-controlled gateway
DNS
- Cache poisoning
- Redirect traffic silently
BGP (Border Gateway Protocol)
- Internet routing protocol
- Attack:
- Route hijacking
- Traffic interception
4. Offensive Principles & Technologies
4.1 Post-Exploitation Networking
Pivoting
- Use compromised host as foothold
- Access internal networks
Port Forwarding
Attacker → Compromised Host → Internal Service
Tools:
4.2 Network Sniffing
Tools:
- Wireshark (GUI)
- Tshark (CLI)
- Tcpdump (low-level)
Skills:
- Read raw packets
- Identify anomalies
- Extract credentials
4.3 Man-in-the-Middle (MITM)
Core idea:
Intercept → Inspect → Modify → Forward
Techniques:
- ARP poisoning
- DNS spoofing
- SSL stripping
5. Additional Topics (Modern Stack)
5.1 Software-Defined Networking (SDN)
Cloud Networking
AWS VPC
- Subnets
- Route tables
- Security groups
Azure VNets
Red team implication:
Misconfigurations replace traditional vulnerabilities.
5.2 Zero Trust Architecture
Principle:
"Never trust, always verify"
Implications:
- No implicit internal trust
- Strong identity validation
For red teamers:
- Focus shifts to:
- Identity attacks
- Token abuse
- API exploitation
6. Key Areas for Transition (Developer → Red Teamer)
6.1 Scanning & Enumeration
- Silent discovery techniques
- IDS evasion:
- Slow scans
- Fragmented packets
6.2 Protocol Weaknesses
High-risk protocols:
- FTP → plaintext credentials
- Telnet → no encryption
- SMBv1 → exploitable
Focus:
Read RFCs, not just tool docs.
6.3 Active Directory Networking
Critical protocols:
Kerberos
- Ticket-based authentication
- Attacks:
- Pass-the-ticket
- Golden ticket
LDAP
- Directory queries
- Used for enumeration
SMB
- File sharing
- Lateral movement vector
Execution Strategy (Practical Path)
Phase 1 (Weeks 1–3)
- TCP/IP internals
- Packet crafting (Scapy)
Phase 2 (Weeks 4–6)
- ARP, DNS, DHCP attacks
- Wireshark deep analysis
Phase 3 (Weeks 7–10)
- Port scanning mechanics
- MITM lab setups
Phase 4 (Weeks 11–14)
- AD networking (Kerberos/LDAP)
- Pivoting labs
Phase 5 (Ongoing)
- Cloud networking attacks
- Zero Trust bypass strategies
Final Observation
A strong red teamer in networking:
- Thinks in packets, not tools
- Understands protocol invariants
- Exploits implicit trust relationships