Chapter 6 Exercises: Networking Fundamentals for Hackers
Exercise 1: OSI Layer Attack Mapping (Beginner)
For each of the following attacks, identify the primary OSI layer being targeted and explain why:
a) ARP spoofing
b) SQL injection
c) SYN flood
d) DNS cache poisoning
e) SSL stripping
f) MAC flooding
g) BGP hijacking
h) Phishing email
i) Wireless deauthentication
j) IP fragmentation evasion
Exercise 2: Subnetting Practice (Beginner)
For each of the following CIDR ranges, calculate:
- Network address
- Broadcast address
- First and last usable host addresses
- Number of usable hosts

a) 10.10.50.0/26
b) 172.16.100.0/22
c) 192.168.5.128/28
d) 10.0.0.0/20
e) 172.20.15.64/27
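A worked version of the Exercise 2 arithmetic, added here as an example and not part of the chapter: it derives mask, network and broadcast with plain integer bit operations so each step is visible, and covers the /31 and /32 cases that the usual "2^host_bits - 2" formula gets wrong.

```python
# Added example, not from the chapter: Exercise 2 subnet arithmetic with plain integer bit
# operations, including the /31 (RFC 3021) and /32 cases the usual 2^n - 2 formula misses.
from dataclasses import dataclass

@dataclass
class Subnet:
    network: str
    broadcast: str
    first_host: str
    last_host: str
    usable_hosts: int

def _to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def _to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(cidr: str) -> Subnet:
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /26 -> 0xFFFFFFC0 = 255.255.255.192
    network = _to_int(addr) & mask                      # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # set the host bits
    if prefix >= 31:
        # /31: point-to-point link, both addresses usable, no broadcast; /32: a single host.
        return Subnet(_to_dotted(network), "n/a", _to_dotted(network),
                      _to_dotted(broadcast), 2 if prefix == 31 else 1)
    return Subnet(
        network=_to_dotted(network),
        broadcast=_to_dotted(broadcast),
        first_host=_to_dotted(network + 1),
        last_host=_to_dotted(broadcast - 1),
        usable_hosts=(1 << (32 - prefix)) - 2,          # 2^host_bits minus network and broadcast
    )

EXERCISE_RANGES = ["10.10.50.0/26", "172.16.100.0/22", "192.168.5.128/28",
                   "10.0.0.0/20", "172.20.15.64/27"]

if __name__ == "__main__":
    for cidr in EXERCISE_RANGES:
        s = subnet_info(cidr)
        print(f"{cidr:17} network={s.network:15} broadcast={s.broadcast:15} "
              f"hosts={s.first_host}-{s.last_host} ({s.usable_hosts} usable)")
```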
Exercise 3: TCP Flag Identification (Beginner)
You capture the following TCP packet sequences with Wireshark. For each sequence, explain what is happening (connection establishment, port scan, denial of service, etc.):
a) SYN -> SYN-ACK -> ACK -> (data transfer)
b) SYN -> RST-ACK
c) SYN -> SYN-ACK -> RST
d) SYN -> (no response) -> SYN -> (no response)
e) FIN -> ACK -> FIN -> ACK
f) 10,000 SYN packets from random source IPs to port 80
Exercise 4: DNS Record Reconnaissance (Beginner)
Using command-line tools (dig, nslookup, or host), perform DNS reconnaissance against a domain you control or a known test domain. Document:
a) All A records
b) All MX records
c) All NS records
d) All TXT records (look for SPF, DKIM, DMARC)
e) The SOA record
f) Attempt a zone transfer (AXFR)
Write up your findings as if they were the DNS section of a penetration test report.
Exercise 5: HTTP Header Security Audit (Beginner)
Use curl or a browser's developer tools to examine the HTTP response headers of five different websites (choose a mix of large enterprises, small businesses, and government sites). For each site, check for the presence and configuration of:
a) Content-Security-Policy
b) X-Frame-Options
c) Strict-Transport-Security
d) X-Content-Type-Options
e) X-XSS-Protection
f) Referrer-Policy
Rate each site's header security on a scale of 1-10 and explain your rating.
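One way to make the 1-10 rating reproducible, added here as an example rather than taken from the chapter: a grader for the six headers above that also explains each deduction. The scoring weights (equal points per header, half credit for a present-but-weak value) and the thresholds are this example's assumptions, and every header value fed to it is constructed.

```python
# Added example, not from the chapter: grades one HTTP response-header set against the six
# headers in Exercise 5 and explains each deduction. Header values fed to it are constructed.
import re
def _grade_exact(name, allowed):
    def grade(v):
        if v is None:
            return 0, f"{name} missing"
        ok = v.strip().lower() in allowed
        return (1, None) if ok else (0.5, f"{name} has a weak or unusual value: {v!r}")
    return grade

def _grade_csp(v):
    if v is None:
        return 0, "Content-Security-Policy missing"
    weak = "'unsafe-inline'" in v or "'unsafe-eval'" in v
    return (0.5, "CSP allows unsafe-inline/unsafe-eval, largely defeating its XSS value") if weak else (1, None)

def _grade_hsts(v):
    if v is None:
        return 0, "Strict-Transport-Security missing"
    m = re.search(r"max-age=(\d+)", v, re.I)
    age = int(m.group(1)) if m else 0
    if age < 31536000:                 # one year: common baseline and the preload-list minimum
        return 0.5, f"HSTS max-age={age} is under one year"
    if "includesubdomains" not in v.lower():
        return 0.5, "HSTS lacks includeSubDomains"
    return 1, None

def _grade_xxp(v):
    # Current browsers dropped the XSS auditor, so absent or "0" is the clean state.
    ok = v is None or v.strip().startswith("0")
    return (1, None) if ok else (0.5, "X-XSS-Protection is legacy; set it to 0 or remove it")

GRADERS = {
    "content-security-policy": _grade_csp,
    "x-frame-options": _grade_exact("X-Frame-Options", {"deny", "sameorigin"}),
    "strict-transport-security": _grade_hsts,
    "x-content-type-options": _grade_exact("X-Content-Type-Options", {"nosniff"}),
    "x-xss-protection": _grade_xxp,
    "referrer-policy": _grade_exact("Referrer-Policy", {"no-referrer", "same-origin",
                                    "strict-origin", "strict-origin-when-cross-origin"}),
}

def audit_headers(headers):
    """Return (score 0-10, findings) for a dict of response headers; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    graded = [grader(h.get(name)) for name, grader in GRADERS.items()]
    score = round(sum(points for points, _ in graded) / len(GRADERS) * 10, 1)
    return score, [note for _, note in graded if note]
```

Feed it the header dict you get from `curl -sI` (split on the first colon) and the findings list gives you the justification the exercise asks for.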
Exercise 6: Wireshark Capture Analysis (Intermediate)
In your Student Home Lab, perform the following captures and analysis:
a) Capture a complete TCP three-way handshake. Identify the initial sequence numbers (ISN) from both sides. Calculate the ISN difference. Could you have predicted the server's ISN?
b) Browse to a website using HTTP (not HTTPS). Use Wireshark's "Follow TCP Stream" feature to reconstruct the HTTP conversation. Identify the request method, URL, User-Agent header, and response body.
c) Perform a DNS lookup and capture the traffic. Identify the query type, the queried domain, and the response. How long did the resolution take?
d) Capture ARP traffic on your local network for 5 minutes. How many ARP requests and replies did you see? Are there any gratuitous ARP packets? What devices are communicating?
Exercise 7: Port Scanning Comparison (Intermediate)
Using your Student Home Lab, scan a target machine using the following Nmap scan types. For each scan, capture the traffic with Wireshark and compare:
a) TCP Connect scan (-sT)
b) SYN scan (-sS)
c) FIN scan (-sF)
d) Xmas scan (-sX)
e) UDP scan (-sU)

For each scan type, answer:
1. How many packets does the scan send per port?
2. What is the packet pattern for open, closed, and filtered ports?
3. Which scan is fastest? Stealthiest?
4. How would each scan appear in a typical IDS?
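The defender's side of Exercise 3 and of question 4 above, added here as an example (not code from the chapter): a small flow tracker that labels the flag sequences listed in Exercise 3 and reports what each Nmap TCP scan type leaves in a capture, plus the many-sources check that separates a SYN flood from an ordinary unanswered SYN. The `Pkt` record, the Wireshark-style flag letters and the 100-source threshold are this example's assumptions; the packets it is fed are constructed, not captured.

```python
# Added example, not from the chapter: a flow tracker that labels the Exercise 3 flag
# sequences and shows how the Exercise 7 scan types look to an IDS. Input is a constructed
# packet list in Wireshark flag letters (S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG).
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str

def group_flows(packets):
    """Key flows by (initiator, target, target_port); replies are folded into the same flow."""
    flows = defaultdict(list)
    for p in packets:
        fwd, rev = (p.src, p.dst, p.dport), (p.dst, p.src, p.sport)
        key = rev if rev in flows and fwd not in flows else fwd
        flows[key].append(p.flags)
    return flows

def classify(seq):
    """Label one flow's flag sequence the way an analyst or IDS signature would."""
    if seq[:3] == ["S", "SA", "A"]:
        return "full handshake: normal session or -sT connect scan (the application logs it)"
    if seq[:3] == ["S", "SA", "R"]:
        return "half-open probe: -sS SYN scan, port open (no app log, but IDS sees SYN->SYN/ACK->RST)"
    if seq[:2] == ["S", "RA"]:
        return "port closed: target answered RST/ACK"
    if set(seq) == {"S"}:
        return "unanswered SYN(s): filtered port, dead host, or one source of a SYN flood"
    if seq[0] in ("F", "FPU"):
        if len(seq) == 1:
            return "lone FIN/Xmas probe, no reply: -sF/-sX, port open|filtered"
        if seq[1] == "RA":
            return "FIN/Xmas probe answered with RST: port closed"
        return "FIN/ACK exchange: graceful close of a session the tracker did not see start"
    return "unrecognised sequence"

def syn_flood_targets(flows, min_sources=100):
    """(target, port) pairs receiving unanswered SYNs from at least min_sources distinct IPs."""
    sources = defaultdict(set)
    for (src, dst, dport), seq in flows.items():
        if set(seq) == {"S"}:
            sources[(dst, dport)].add(src)
    return {target for target, srcs in sources.items() if len(srcs) >= min_sources}
```

Exporting the Wireshark capture from Exercise 7 as CSV and mapping its columns onto `Pkt` lets you run `classify` over real flows and compare against the labels you derived by hand.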
Exercise 8: Scapy Packet Crafting (Intermediate)
Write Scapy scripts for the following tasks (test only in your Student Home Lab):
a) Craft and send a single TCP SYN packet to port 80 of your target machine. Print whether the port is open or closed based on the response.
b) Perform an ARP scan of your lab network to discover all live hosts. Print the IP and MAC address of each responding host.
c) Craft a DNS query for a domain of your choice and send it to Google's DNS server (8.8.8.8). Parse and print the response.
d) Create a custom ICMP echo request (ping) with a custom payload message. Send it to your target and verify the payload in Wireshark.
Exercise 9: Network Topology Mapping (Intermediate)
Given the following information gathered during a penetration test, draw a network topology diagram:
- External IP range: 203.0.113.0/28
- DMZ subnet: 10.0.1.0/24
- Web server: 10.0.1.10 (ports 80, 443 open)
- Mail server: 10.0.1.20 (ports 25, 587, 993 open)
- DNS server: 10.0.1.30 (port 53 open)
- Internal subnet: 10.0.2.0/24
- Domain controller: 10.0.2.10 (ports 53, 88, 389, 445 open)
- File server: 10.0.2.20 (ports 139, 445 open)
- Database server: 10.0.2.30 (port 3306 open)
- Management subnet: 10.0.3.0/24
- Jump box: 10.0.3.10 (port 22 open)
Identify: (a) potential pivot points between subnets, (b) the most likely attack path from the internet to the database server, and (c) any security concerns with the topology.
Exercise 10: Protocol Vulnerability Research (Intermediate)
Research and write a 500-word summary of one of the following protocol-level vulnerabilities:
a) Heartbleed (OpenSSL TLS)
b) POODLE (SSLv3)
c) EternalBlue (SMBv1)
d) ShellShock (CGI/Bash)
e) Log4Shell (Log4j)
Your summary should include: the technical root cause, affected protocol/layer, the attack mechanism, the impact, and the patch/mitigation.
Exercise 11: IPv6 Security Assessment (Intermediate)
In your Student Home Lab, enable IPv6 on two virtual machines and perform the following:
a) Identify the IPv6 addresses assigned to each machine (link-local and, if available, global).
b) Determine whether the IPv6 address reveals the machine's MAC address (EUI-64 vs. privacy extensions).
c) Perform an IPv6 port scan using Nmap.
d) Attempt to communicate between the machines using IPv6 while monitoring only IPv4 traffic with Wireshark. Does the IPv6 traffic appear in an IPv4-only capture filter?
Document your findings and their security implications.
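The check behind item (b), added here as an example and not part of the chapter: it decides offline whether an IPv6 interface identifier is EUI-64 derived (and therefore exposes the MAC) and performs the forward derivation so you can confirm what an address built from your VM's MAC should look like. All addresses and MACs below are constructed samples.

```python
# Added example, not from the chapter: checks Exercise 11(b) offline. Given an IPv6 address,
# decides whether its interface identifier is EUI-64 derived (and so leaks the MAC) and does
# the forward derivation too. All addresses and MACs used here are constructed samples.
import ipaddress

def embedded_mac(addr: str):
    """Return the MAC hidden in an EUI-64 interface identifier, or None.
    None means the IID is not EUI-64 style: RFC 4941 privacy extensions, RFC 7217 stable
    opaque IIDs, DHCPv6 or manual addressing all look random here."""
    iid = ipaddress.IPv6Address(addr).packed[8:]        # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":                          # EUI-64 splices ff:fe into the MAC
        return None                                      # (a random IID matches by chance 1 in 65536)
    first = iid[0] ^ 0x02                                # undo the universal/local bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def link_local_from_mac(mac: str) -> str:
    """Forward derivation (RFC 4291 Appendix A): MAC -> fe80::/64 EUI-64 address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64))

if __name__ == "__main__":
    # Constructed samples: one EUI-64 link-local, one privacy-style global address.
    for a in ("fe80::1a2b:3cff:fe4d:5e6f", "2001:db8::9d3a:71c2:4f0e:b85d"):
        mac = embedded_mac(a)
        print(f"{a:32} -> " + (f"MAC {mac} exposed" if mac else "no MAC recoverable"))
```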
Exercise 12: SNMP Enumeration Lab (Intermediate)
Set up an SNMP service on a target in your Student Home Lab (many Linux distributions include net-snmp). Configure it with the default "public" community string.
a) Use snmpwalk to enumerate system information.
b) Identify what information is exposed (hostname, OS, network interfaces, routing table, running processes, installed software).
c) Assess the security risk of each piece of exposed information.
d) Reconfigure SNMP with a strong community string and SNMPv3 authentication. Verify that your earlier enumeration commands no longer work.
Exercise 13: DNS Tunneling Lab (Advanced)
Set up a DNS tunneling environment in your Student Home Lab using iodine or dnscat2.
a) Configure the server component on one machine and the client on another.
b) Establish a DNS tunnel and transfer a small file through it.
c) Capture the tunneling traffic with Wireshark. How does the DNS traffic differ from normal DNS queries?
d) What detection signatures could an IDS use to identify DNS tunneling?
e) Calculate the approximate data transfer rate of your DNS tunnel.
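A starting point for item (d), added here as an example (not code from the chapter or from iodine/dnscat2): the per-query heuristics an IDS can apply (name length, label length, subdomain entropy, record type) and the per-domain aggregation that matters most, since a tunnel has to vary the subdomain on every upstream chunk. The thresholds and the last-two-labels rule for the base domain are this example's assumptions, and the query names in the test are constructed to imitate encoded data rather than any tool's real format.

```python
# Added example, not from the chapter: per-query and per-domain heuristics of the kind an IDS
# can apply for Exercise 13(d). Query names are constructed to imitate the long, high-entropy
# labels encoded data produces; they do not reproduce any particular tool's wire format.
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character: readable hostnames sit near 3-3.5, base32/base64 data near 4.5-6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str):
    """(subdomain_part, base_domain). Assumes the base domain is the last two labels;
    a production sensor would use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(qname: str, qtype: str):
    """Indicators one query triggers. Any single one is weak; several together are strong."""
    sub, _ = split_name(qname)
    hits = []
    if len(qname) > 100:
        hits.append("name longer than 100 characters")
    if any(len(label) > 40 for label in sub.split(".")):
        hits.append("label close to the 63-byte maximum")
    if sub and shannon_entropy(sub.replace(".", "")) > 4.0:
        hits.append("high-entropy subdomain")
    if qtype in ("TXT", "NULL"):
        hits.append("record type favoured by tunnels for large responses")
    return hits

def domain_report(queries, min_unique=50):
    """Aggregate per base domain. A tunnel must vary the subdomain on every upstream chunk,
    so one domain with many unique, never-repeated subdomains is the strongest signal."""
    subs, flagged = defaultdict(set), Counter()
    for qname, qtype in queries:
        sub, base = split_name(qname)
        subs[base].add(sub)
        flagged[base] += bool(query_indicators(qname, qtype))
    return {base: {"unique_subdomains": len(s), "flagged_queries": flagged[base],
                   "suspect": len(s) >= min_unique and flagged[base] >= min_unique // 2}
            for base, s in subs.items()}
```

Running `domain_report` over the (name, type) pairs exported from your Exercise 13(c) capture shows which of these signals your own tunnel actually trips, which is the answer to (d).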
Exercise 14: Man-in-the-Middle Lab (Advanced)
In your isolated Student Home Lab (do NOT perform this on any production network), set up a man-in-the-middle scenario:
a) Use ARP spoofing (with arpspoof or Bettercap) to position your Kali machine between a target and the default gateway.
b) Capture HTTP traffic from the target machine as it browses a web application.
c) Identify any credentials transmitted in cleartext.
d) Attempt SSL stripping against an HTTPS connection. Does HSTS prevent the attack?
e) Set up Dynamic ARP Inspection on the gateway to prevent the attack. Verify that the defense is effective.
Document each step, including Wireshark captures showing the ARP spoofing and intercepted traffic.
Exercise 15: Custom Network Scanner (Advanced)
Write a Python script using Scapy that performs the following:
a) Takes a target IP range (CIDR notation) as input
b) Performs ARP discovery on the local network (or ICMP discovery for remote networks)
c) For each live host, performs a TCP SYN scan of the top 20 most common ports
d) Identifies the service likely running on each open port (based on port number)
e) Outputs results in a formatted table
Test your scanner in your Student Home Lab and compare results with Nmap.
Exercise 16: TLS Configuration Analysis (Advanced)
Using testssl.sh or sslscan, perform a comprehensive TLS assessment of three websites (choose sites you have permission to test or well-known public sites). For each site:
a) Identify supported TLS versions
b) List supported cipher suites and flag any weak ones
c) Check for known vulnerabilities (Heartbleed, POODLE, BEAST, ROBOT, etc.)
d) Evaluate the certificate chain
e) Check for HSTS and HSTS preloading
f) Rate the overall TLS configuration (A-F scale)
Write a comparative report with remediation recommendations.
Exercise 17: BGP Hijacking Simulation (Advanced)
Research the Pakistan/YouTube BGP hijacking incident of 2008 and the China Telecom route leak incidents. Create a detailed technical write-up that includes:
a) A diagram showing normal BGP routing for YouTube's prefix
b) A diagram showing the hijacked routing
c) An explanation of why other networks accepted the false route
d) A timeline of the incident and response
e) An analysis of what defenses (RPKI, ROV, route filtering) could have prevented the incident
f) The current state of BGP security adoption
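To make item (e) concrete, an added example (not from the chapter) of Route Origin Validation as specified in RFC 6811: a router holding validated ROA payloads classifies each announcement as Valid, Invalid or NotFound, and an ROV-enforcing filter drops the Invalids. The scenario is constructed with RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, not the real YouTube or Pakistan Telecom numbers; the more-specific hijack it models is the same shape as the 2008 incident.

```python
# Added example, not from the chapter: Route Origin Validation (RFC 6811), the RPKI/ROV
# defence named in Exercise 17(e), applied to a constructed more-specific hijack. Prefixes
# are RFC 5737 documentation ranges and ASNs come from the RFC 5398 documentation block;
# they are not the real YouTube or Pakistan Telecom numbers.
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: 'asn may originate prefix, with lengths up to max_length'."""
    asn: int
    prefix: str
    max_length: int

def _covers(vrp: VRP, route) -> bool:
    net = ipaddress.ip_network(vrp.prefix)
    return net.version == route.version and route.subnet_of(net)

def validate_route(prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 section 2 outcome for one announcement: Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if _covers(v, route)]
    if not covering:
        return "NotFound"      # no ROA covers it; routers accept these, so ROV cannot help
    if any(v.asn == origin_asn and route.prefixlen <= v.max_length for v in covering):
        return "Valid"
    return "Invalid"           # wrong origin AS, or more specific than the ROA permits

def ingress_filter(announcements, vrps, drop_invalid=True):
    """Routes an ROV-enforcing router installs; Invalids are dropped when drop_invalid is set."""
    kept = []
    for prefix, origin in announcements:
        state = validate_route(prefix, origin, vrps)
        if not (state == "Invalid" and drop_invalid):
            kept.append((prefix, origin, state))
    return kept

if __name__ == "__main__":
    # Constructed scenario: AS64496 holds 198.51.100.0/24 with a ROA capped at /24.
    roas = [VRP(64496, "198.51.100.0/24", 24)]
    announcements = [
        ("198.51.100.0/24", 64496),   # legitimate origin
        ("198.51.100.0/25", 64511),   # more-specific hijack: wins longest-match without ROV
        ("203.0.113.0/24", 64511),    # no ROA at all: NotFound, passes through
    ]
    for p, o, state in ingress_filter(announcements, roas):
        print(f"{p:18} AS{o}  {state}")
```

The NotFound case is why item (f) matters: ROV only protects prefixes whose holders have published ROAs, and a hijack of an unsigned prefix is accepted exactly as it was in 2008.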
Exercise 18: Packet Forensics Challenge (Advanced)
Download a sample pcap file from a CTF challenge or use one provided by your instructor. Analyze the capture to answer:
a) How many unique hosts are communicating?
b) What protocols are in use?
c) Are there any signs of reconnaissance or scanning activity?
d) Is there evidence of exploitation or data exfiltration?
e) Can you reconstruct any files transferred in the capture?
f) Can you identify any credentials?
Document your analysis methodology and findings as a forensic report.
Exercise 19: Network Protocol Fuzzing (Advanced)
Using Scapy or a fuzzing framework (like Boofuzz), write a simple fuzzer that tests for vulnerabilities in a network service:
a) Choose a target protocol (HTTP, FTP, DNS, or SMTP)
b) Generate malformed packets by modifying specific protocol fields (oversized values, null bytes, unusual character sequences)
c) Send the fuzzed packets to a test service in your Student Home Lab
d) Monitor the service for crashes, errors, or unexpected behavior
e) Document any anomalous responses
Write a 500-word report on your fuzzing methodology and findings.
Exercise 20: Comprehensive Network Assessment (Advanced)
Perform a complete network reconnaissance and assessment of your Student Home Lab, simulating the beginning of a real penetration test. Your assessment should include:
a) Passive reconnaissance (DNS enumeration, if applicable)
b) Host discovery (ARP and ICMP scanning)
c) Port scanning (TCP and UDP)
d) Service identification and version detection
e) OS fingerprinting
f) TLS/SSL assessment of any HTTPS services
g) SNMP enumeration (if applicable)
h) SMB enumeration (if applicable)
i) Vulnerability identification based on service versions
j) Network traffic analysis (10-minute Wireshark capture)
Compile your findings into a professional-quality network assessment report with an executive summary, methodology section, findings (rated by severity), and remediation recommendations. This report should be 5-10 pages and follow a professional penetration testing report format.