A solid grasp of TCP/IP is essential for any cybersecurity professional. Most tools used in penetration testing, threat analysis, and vulnerability scanning operate on top of TCP/IP. This module reviews core TCP/IP networking concepts, particularly those relevant to security testing and system hardening. While foundational networking knowledge (e.g., CompTIA Network+ or equivalent) is assumed, this content bridges that foundation with the specific demands of cybersecurity operations.
IPv4 remains the most widely deployed protocol version, despite lacking built-in security. Exploitable weaknesses in IPv4 make it critical to understand the protocol stack, addressing schemes, and numbering systems to develop effective defenses.
TCP/IP Protocol Stack Overview
Computers must follow standardized rules or protocols to communicate over a network. TCP/IP is the de facto suite for Internet communication, structured in four layers:
- Application Layer – Interfaces with user-facing applications and services (e.g., HTTPS, SMTP, SSH)
- Transport Layer – Manages data delivery using TCP or UDP
- Internet Layer – Handles addressing and routing via IP
- Network Layer – Oversees physical transmission (not covered in detail here)
This module emphasizes the Application, Transport, and Internet layers—where most vulnerabilities and threat surfaces are found.
Application Layer Protocols
The Application Layer enables communication between software and lower network layers. Common protocols include:
| Protocol | Function |
|---|---|
| HTTPS | Secure web communication |
| FTP | File transfers across networks |
| SMTP | Email transmission |
| SNMP | Network device monitoring |
| SSH | Secure remote access |
| IRC | Real-time messaging (legacy) |
| Telnet | Insecure remote login (legacy) |
Transport Layer Protocols
The Transport Layer encapsulates data into segments and ensures delivery through two main protocols:
- TCP (Transmission Control Protocol) – Reliable, connection-oriented
- UDP (User Datagram Protocol) – Unreliable, connectionless, but faster
TCP Three-Way Handshake
TCP establishes reliable communication through a three-step handshake:
- Host A sends a SYN (synchronize) packet
- Host B replies with a SYN-ACK
- Host A sends an ACK to complete the connection
TCP Segment Headers
Understanding the TCP header structure is essential for analyzing and recognizing attacks. Key components include:
- TCP Flags: SYN, ACK, PSH, URG, RST, FIN
- Initial Sequence Number (ISN): 32-bit identifier for ordering packets
- Port Numbers: Logical endpoints for identifying services
TCP Flags Explained
| Flag | Description |
|---|---|
| SYN | Initiates a connection |
| ACK | Acknowledges packets |
| PSH | Pushes data to the app |
| URG | Marks urgent data |
| RST | Resets connection |
| FIN | Gracefully ends a session |
Security Relevance
ISNs and TCP flags are commonly targeted in exploits such as TCP hijacking and stealth scans. Proficiency in these fields enhances threat detection and traffic analysis.
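The handshake and flag material above, worked as an added example (my code, not the module's or the textbook's): a small parser for the fixed 20-byte TCP header that decodes ports, ISNs and flags, labels each flag combination the way a detection rule would (handshake step, reset, or a NULL/XMAS scan probe), and checks that a captured three-way handshake chains correctly (each acknowledgement equals the peer's ISN + 1). The sample segments, ports and ISNs are constructed; the checksum is left at zero.

```python
import struct

# Flag bit positions in the TCP header's control byte (RFC 793 order)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp_header(src, dst, seq, ack, flags, window=65535):
    """Constructed 20-byte header for sample traffic; checksum and urgent pointer left zero."""
    off_flags = (5 << 12) | sum(FLAGS[f] for f in flags)  # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(segment):
    """Decode ports, sequence/acknowledgement numbers, header length and flags."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off_flags >> 12) * 4, "window": window,
            "flags": {n for n, b in FLAGS.items() if off_flags & b}}

def classify_flags(flags):
    """Name a flag combination: handshake step, reset, or a scan signature worth alerting on."""
    if not flags:
        return "NULL scan (no flags)"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "XMAS scan (FIN+PSH+URG)"
    if flags == {"SYN"}:
        return "handshake 1: SYN"
    if flags == {"SYN", "ACK"}:
        return "handshake 2: SYN-ACK"
    if "RST" in flags:
        return "reset"
    if "ACK" in flags:
        return "handshake 3 / established: ACK"
    return "other"

def verify_handshake(segments):
    """True if three headers chain as SYN, SYN-ACK, ACK with each ack = peer ISN + 1."""
    a, b, c = (parse_tcp_header(s) for s in segments)
    return (a["flags"] == {"SYN"}
            and b["flags"] == {"SYN", "ACK"} and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF
            and c["flags"] == {"ACK"} and c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF
            and c["seq"] == b["ack"])

# Constructed sample exchange: client port 50123 -> server 443, client ISN 1000, server ISN 5000
HANDSHAKE = [
    build_tcp_header(50123, 443, 1000, 0, {"SYN"}),
    build_tcp_header(443, 50123, 5000, 1001, {"SYN", "ACK"}),
    build_tcp_header(50123, 443, 1001, 5001, {"ACK"}),
]
NULL_PROBE = build_tcp_header(50124, 22, 7, 0, set())   # no flags at all: a NULL scan probe
```

Running `verify_handshake(HANDSHAKE)` returns True, and a third segment whose ack does not equal the server ISN + 1 makes it return False, which is the check an analyst applies when reviewing a suspected hijack.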
TCP & UDP Ports
Ports identify services running on devices. Among the 65,535 total, ports 1–1023 are considered well-known.
| Port | Protocol | Description |
|---|---|---|
| 20, 21 | FTP | File transfers |
| 22 | SSH | Secure remote login |
| 25 | SMTP | Email sending |
| 53 | DNS | Domain resolution |
| 69 | TFTP | Basic file transfers |
| 80 | HTTP | Standard web traffic |
| 110 | POP3 | Retrieves email |
| 143 | IMAP | Email management |
| 443 | HTTPS | Encrypted web traffic |
| 993 | IMAPS | Secure IMAP service |
Security Insight: Disabling unused ports reduces exposure. However, disabling essential ports (e.g., 80 or 443) may break application functionality. Security must be selective and contextual.
IP Addressing & Subnetting
IPv4 addresses are composed of four 8-bit octets (32 bits). Each address is split between network and host identifiers.
Address Classes:
| Class | Range | Hosts | Notes |
|---|---|---|---|
| A | 1–126 | ~16 million | Large networks |
| B | 128–191 | ~65,000 | Medium networks |
| C | 192–223 | 254 | Small networks |
Loopback (127.x.x.x) and Class D/E addresses are reserved for special purposes.
Subnetting
Subnets divide large networks into smaller segments. A subnet mask helps differentiate network bits from host bits.
Example:
- IP: 128.214.18.16
- Subnet Mask: 255.255.255.0
- Subnet Result: 128.214.18.0
Each host in a subnet should have a default gateway to reach external networks.
Security Note: Incorrect subnetting or gateway configuration can result in inaccessible systems or unintended exposure.
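The subnetting example and the gateway note above, carried through as an added example (my code, not the module's): the network address is the bitwise AND of the address and mask, done here on raw 32-bit integers rather than with a library so the mechanism is visible. The block also derives the broadcast address and usable host count, rejects a non-contiguous mask such as 255.0.255.0, and reports the misconfigurations the security note warns about: a host placed on the network or broadcast address, or a default gateway that is not on the host's subnet. The gateway addresses used are constructed.

```python
def ip_to_int(dotted):
    """Convert dotted-quad IPv4 text to a 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {dotted}")
    value = 0
    for p in parts:
        n = int(p)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {p}")
        value = (value << 8) | n       # each octet occupies 8 of the 32 bits
    return value

def int_to_ip(value):
    """Inverse of ip_to_int: 32-bit integer back to dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(ip, mask):
    """Network address, broadcast address, prefix length and usable hosts for ip/mask."""
    ip_i, mask_i = ip_to_int(ip), ip_to_int(mask)
    # A valid mask is a run of 1-bits followed by 0-bits; catch typos like 255.0.255.0
    prefix = bin(mask_i).count("1")
    if mask_i != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    network = ip_i & mask_i                       # network bits kept, host bits cleared
    broadcast = network | (~mask_i & 0xFFFFFFFF)  # host bits all set
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "prefix": prefix, "usable_hosts": max(broadcast - network - 1, 0)}

def same_subnet(a, b, mask):
    """True if two addresses share the network bits selected by mask."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)

def check_host_config(ip, mask, gateway):
    """List the configuration faults that would leave this host unreachable or misrouted."""
    info = subnet_info(ip, mask)
    problems = []
    if ip in (info["network"], info["broadcast"]):
        problems.append("host address is the network or broadcast address")
    if not same_subnet(ip, gateway, mask):
        problems.append(f"default gateway {gateway} is not on {info['network']}/{info['prefix']}")
    return problems
```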
Numbering Systems Review
Numerical systems like binary, octal, hexadecimal, and base-64 are critical in cybersecurity contexts, including log analysis, file permissions, and payload decoding.
- Binary (Base-2): digits 0, 1. Example: 111 = 7 (rwx in Unix permissions)
- Octal (Base-8): digits 0–7. Common in Unix/Linux file permissions (chmod 755)
- Hexadecimal (Base-16): digits 0–9, A–F. Used in IPv6, memory addresses, packet headers (0xFF = 255)
- Base-64: characters A–Z, a–z, 0–9, +, /. Used to encode binary into text format (e.g., email attachments, payload obfuscation)
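The binary and octal items above, applied to file permissions as an added example (my code, not the module's): each octal digit of a chmod mode is three binary bits (7 = 111 = rwx), so the block expands a mode such as 755 into the rwxr-xr-x form ls prints, handles the setuid/setgid/sticky bits in a fourth leading digit, and flags the patterns a hardening review looks for (world-writable, setuid, setgid). Mode values passed in are constructed.

```python
def parse_mode_string(text):
    """Accept chmod-style text such as '755' or '4755' (up to four octal digits)."""
    if not text or len(text) > 4 or any(c not in "01234567" for c in text):
        raise ValueError(f"not an octal mode: {text!r}")
    return int(text, 8)

def mode_to_symbolic(mode):
    """Expand a numeric mode into rwx triplets: each octal digit is 3 bits, r=4 w=2 x=1."""
    triplets = []
    for shift in (6, 3, 0):                     # owner, group, other
        bits = (mode >> shift) & 0o7
        triplets.append(("r" if bits & 4 else "-")
                        + ("w" if bits & 2 else "-")
                        + ("x" if bits & 1 else "-"))
    sym = "".join(triplets)
    # Special bits live in the leading octal digit: 4 = setuid, 2 = setgid, 1 = sticky.
    # ls shows them in the execute column: lowercase when x is also set, uppercase when not.
    if mode & 0o4000:
        sym = sym[:2] + ("s" if sym[2] == "x" else "S") + sym[3:]
    if mode & 0o2000:
        sym = sym[:5] + ("s" if sym[5] == "x" else "S") + sym[6:]
    if mode & 0o1000:
        sym = sym[:8] + ("t" if sym[8] == "x" else "T")
    return sym

def mode_risks(mode):
    """Permission patterns worth reviewing during hardening, in a fixed order."""
    risks = []
    if mode & 0o002:
        risks.append("world-writable")
    if mode & 0o4000:
        risks.append("setuid")
    if mode & 0o2000:
        risks.append("setgid")
    return risks

def describe_mode(text):
    """Combine the three steps for a chmod argument, e.g. '755' -> ('rwxr-xr-x', [])."""
    mode = parse_mode_string(text)
    return mode_to_symbolic(mode), mode_risks(mode)
```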
Module Summary
- TCP/IP is foundational to network communications.
- TCP enables reliable transmission; UDP favors speed over reliability.
- Understanding TCP headers, ports, and ISNs supports effective exploit detection.
- Subnetting and proper IP planning are essential for segmentation and security.
- Proficiency in binary, octal, hex, and base-64 enhances interpretation of system behaviors and threats.
Reference
Wilson, Rob S., et al. Hands-On Ethical Hacking and Network Defense, 4th ed. Cengage Learning US, 2022. Available from Yuzu Reader.