Think about how often you connect to public Wi-Fi — checking emails, logging into your bank account, sending messages, just because its free. That convenience often comes at the cost of your security and privacy.

ICANN & IANA

Internet Corporation of Assigned Names and Numbers (ICANN) & Internet Assigned Numbers Authority (IANA) are the two key organizations that help keep the internet running smoothly by managing domain names, IP addresses, and essential technical standards.

ICANN is the organization that oversees the overall policy, coordination and governance of the domain name system, including domain names IP address.

IANA is a department within ICANN responsible for the technical management and implementation of these policies, such as allocating IP address blocks to Regional Internet Registries, managing the DNS root zone, and assigning protocol parameters.

IP Address and its versions

IP address is a unique 32 bit numerical identifier assigned to each device in the network.

Analogy - Each house in the city has its own address (IP address). This address ensures that letter (data) reaches the intended destination.

Each octet (8 bits) can contain any numbers between 0-255.

IP address is separated into 2 parts -

1. Network Address -

   Identifies the specific network a device belongs to. All devices on the same network share this part.

   Analogy - Like a building number or wing in an apartment complex — it tells you the general location.

2. Host Address -

   Identifies the individual device (host) within that network. Must be unique within the same network.

   Analogy - Like a flat or house number — it tells you exactly which unit inside the building.

To know which part is network address and host address, subnet mask is used.

A subnet mask is a 32-bit number that divides an IP address into two parts:

1. The network portion

2. The host portion

   

   The box part of IP address is the Network ID and rest is Host ID. Today, instead of using the traditional subnet mask notation, CIDR notation is commonly used.

   Eg. CIDR (Classless Inter-Domain Routing) Notation - 192.168.2.56/24 This means first 24 bits is Network ID and rest is Host ID

Comparative study of IPv4 & IPv6

IPv4 Classes

Classful classification is a method of dividing IP addresses into fixed classes (A, B, C, D, E) based on their leading bits and subnet masks.

IPv6 Address Types

Usage of IPv6 address types

Web browsing (HTTP/HTTPS): A user’s computer communicates with a web server using Unicast.

Streaming services (audio, video): Applications like YouTube, Netflix, and live video broadcasts use Multicast to efficiently distribute video or audio content to multiple viewers.

DNS: Multiple DNS servers around the world might share the same Anycast address, and a client will automatically be routed to the nearest DNS server based on network topology.

Content Delivery Networks (CDNs): Anycast is used to route requests for web content to the closest server in a CDN, minimizing latency.

Internet Protocols (IP)

Both TCP and UDP are transport layer protocols in the Internet Protocol Suite (TCP/IP model) that enable data communication between devices over a network. They define how the data is delivered over the network.

TCP (Transmission Control Protocol) is a connection-oriented (requires handshake) transport layer protocol that provides reliable, ordered, and error-checked delivery of data between applications over an IP network.

Thanks, TCP — for making sure your email didn’t get lost, broken, or show up out of order!😂
Without TCP, those attachments might never make it!

Use cases -

• Web browsing (HTTP, HTTPS) — ensures web pages load completely and correctly

• Email (SMTP, IMAP, POP3) — guarantees messages arrive without loss

• File transfers (FTP, SFTP) — reliable delivery of files

UDP (User Datagram Protocol) is connection less (no handshake) transport layer protocol that provides fast but unreliable and unordered delivery of between applications over an IP network.

Use cases -

• Video streaming — fast delivery, some data loss is acceptable

• Online gaming — speed is critical, small packet loss doesn’t ruin experience

• VoIP (Voice over IP) — real-time communication where delays are worse than loss

OSI Model

The OSI Model (Open Systems Interconnection Model) is a conceptual framework that standardizes how different computer systems communicate over a network by dividing the communication process into 7 distinct layers, each with specific functions.

Source - GeeksforGeeks

TCP/IP Model

The TCP/IP model (also called the Internet Protocol Suite) is a simplified and practical model used to describe how data is transmitted across the internet. It has 4 layers, each responsible for part of the communication process.

Source - Kyle Law - Medium

Types of Networks

Type of IPs

Discover your public IP instantly with our GarudaSec Tools — fast, accurate, and easy to use!

Basic Network Commands

1. ipconfig is a network command that shows configuration details of all network interfaces on a Windows computer.

   

2. ping <ip or domain name> The ping command is a network diagnostic tool used to test the connectivity between your computer and another device (such as a server, router, or website) over a network. It works by sending ICMP Echo Request packets to the destination and waits for an **ICMP (**Internet Control Message Protocol) Echo Reply.

   By default, the ping command sends several echo requests, typically four or five. The result of each echo request is displayed, showing whether the request received a successful response, how many bytes were received in response, the Time to Live (TTL), and how long the response took to receive, along with statistics about packet loss and round trip times.

   The time-to-live value instructs a network router when a packet should be discarded.

   This output shows the results of using the ping command to test the connection to Google’s public DNS server at IP address 8.8.8.8

   

   1. Ping sweep script

      for /L %i in (1, 1, 254) do ping 192.168.0.%i -n 1 -w 100 | find “TTL=”

      The above command is a Windows batch loop used to ping a range of IP addresses—typically to check for live hosts on a subnet. find “TTL=” this command will only display successful ping responses.

      

   2. Advanced IP scanner

      Advanced IP Scanner is a tool that scans your local network to -

      • Identify live hosts on the network

      • Show IP and MAC Address

      • Identify device names and manufacture

3. tracert <ip or domain name> The tracert command (short for trace route) is a network diagnostic tool used in Windows to track the path that packets take from your computer to a specified destination across an IP network. It shows each hop along the route and how long each hop takes.

   

Ports

1. Physical Ports

   Physical ports in computers are the hardware interfaces where peripheral devices connect to the computer. These ports allow for data transfer, power delivery, and communication between the computer and external devices.

   

2. Virtual Ports

   Virtual Port is a layer 4 Transport Layer concept in OSI Model. A port is a virtual point where network connections start and end. Ports are software based and managed by computer’s OS. Each port is associated with a service/process. Ports allow computers to easily differentiate between different kinds of traffic: emails go to a different port than webpages, for instance, even though both reach a computer over the same Internet connection.

   Ports are standardized across all network-connected devices, with each port assigned a number. Most ports are reserved for certain protocols — for example, all Hypertext Transfer Protocol (HTTP) messages go to port 80. While IP addresses enable messages to go to and from specific devices, port numbers allow targeting of specific services or applications within those devices.

There are total 65335 ports.

Well Know Ports

3. Detecting open ports through Nmap

   Nmap is a powerful, open source network scanning tool that helps in

• Host Discovery - Finds active devices on a network.

• Port Scanning - Detects open ports and services running on a host

• Service and Version detection - Identifies applications and versions on open ports

• OS Detection - Tries to determine the operating system of hosts

• Port Scanning is the method used to identify ports that are open and actively listening for connections and services running on those ports.

• Basic Nmap Commands

  1. nmap <domain or ip> to scan a single host

     It displays open ports and service running on those ports

     

  2. nmap [ip] >> result.txt To store scan results in a text fil

3. nmap <target1 target2> to scan multiple hosts

4. nmap -- open <ip> Only display open ports.

5. nmap -p- <ip> scan all virtual ports

6. nmap -O <ip> OS Detection

7. nmap -sV <ip> Service Version Detection

8. nmap -sT <ip> TCP Connect Scan

   • Description: Completes a full TCP 3-way handshake.

   • Detectable? Yes, very.

Source - Nmap

9. nmap -sS <ip> TCP SYN scan

   • Description: Sends SYN packets to the target ports and analyzes responses without completing the TCP handshake. Therefore known as half open scan. Scans 1000 most common ports.

   • Detectable?: Stealthier than TCP connect scan.

SYN scan of open port

Source - Nmap

SYN scan of closed port

Source - Nmap

SYN scan of filtered port

Source - Nmap

A filtered port in Nmap's results means that Nmap cannot determine whether the port is open or closed because packet filtering is preventing the probe packets from reaching the port (or the responses from coming back).

10. nmap -sU UDP scan

    • Description: Since UDP is a connectionless protocol, there is no 3 way handshake in this. Nmap sends a UDP datagram to the target port (often an empty payload or protocol-specific payload).

    • Some popular services we look for in UDP scan -

      DHCP - Port 67

      DNS - Port 53

      Kerberos Authentication Protocol - Port 88

    • Detectable? : moderately stealthy

Source - GeeksforGeeks

Inverse TCP Scanning / Stealth scans

They're called inverse or stealth TCP scans because they invert the normal behavior of how a TCP connection is initiated — essentially doing the opposite of a standard TCP handshake.

In a typical TCP Handshake -

• Client sends SYN packet to the server

• Server responds to the client with SYN-ACK packet

• Client responds to the server with ACK packet to establish the connection.

  This is the expected behaviour and can be easily detectable by intrusion detection systems. Instead of starting with a SYN packet, these scans send packets with illegal combination of flags to avoid detection.

How Nmap interprets responses to a NULL, FIN, or Xmas scan probe

These scans are OS dependent. These scans relies on specific behavior outlined in the TCP standard (RFC 793). But not all operating systems follow this standard exactly.

Before understanding these scans we’ll first understand what TCP flags are and their types -

TCP flags are signals used by computers to start, manage and end a conversation.

We’ll understand this through an analogy -

Imagine 2 people trying to talk on a phone -

• FIN scan nmap -sF <ip or domain>

  FIN scan is stealthy port scanning technique that sends a TCP packet with FIN flag set to a target port.

  FIN flag in TCP is set to close an established connection. Sending a FIN packet without establishing a connection is unusual.

  

  Source - Oreilly

• XMAS scan nmap -sX <ip or domain>

  XMAS scan = Nmap sends TCP packet with FIN + URG + PSH flag set.

  This combination is unusual and unexpected by normal systems.

  It is called Xmas scan because the scan “lights up” bits in the TCP header like a Christmas tree.

• NULL scan nmap -sN <target ip or domain>

  Nmap sends TCP packet with not flags set.

Nessus

Nessus is a vulnerability scanner—a powerful cybersecurity tool used to identify security holes, misconfigurations, and vulnerabilities in computers, servers, networks, and applications.

Developed by: Tenable Inc.

What Nessus can do ?

• Vulnerability scanning

• Configuration auditing

• Malware detection

• Web application scanning

• Compliance checks (e.g., CIS, PCI DSS)

What is Scan Policy?

Scan Policy is a set of rules and configurations that define how vulnerability scanning is conducted. Think of it as a checklist Nessus follows during a scan.

It determines -

• What plugins to use

• Speed and depth of the scan

• What types of vulnerabilities to look for

• Whether to use credentials

We can create our own scan policy as well.

The preconfigured scan policies provided by Tenable Inc. are known as Scan Templates

1. Select Advanced Scan

2. Enter the target IP and details

   

   

3. Click on Launch button