WEBVTT 1 00:00:00.080 --> 00:00:04.480 Imagine a world where every email you send, every video 2 00:00:04.559 --> 00:00:07.120 you stream, all the smart devices in your home, even 3 00:00:07.160 --> 00:00:11.320 your car, they're all speaking this hidden language. It's this 4 00:00:11.400 --> 00:00:14.919 invisible web of connections making our digital lives work. But 5 00:00:14.960 --> 00:00:17.679 what if you could actually understand that language, the nuts 6 00:00:17.719 --> 00:00:20.559 and bolts of it, and crucially see where the weak 7 00:00:20.600 --> 00:00:21.120 spots are. 8 00:00:21.559 --> 00:00:26.239 That's a really powerful idea, because in today's world everything's connected. 9 00:00:26.440 --> 00:00:30.719 Understanding how networks actually function it's not just for the 10 00:00:30.760 --> 00:00:34.079 tech geeks or the security pros anymore, like a critical 11 00:00:34.119 --> 00:00:36.920 way to see what's happening in our digital lives, whether 12 00:00:36.960 --> 00:00:39.600 you're building things, securing them, or just trying to use 13 00:00:39.640 --> 00:00:41.399 the Internet safely exactly. 14 00:00:41.560 --> 00:00:43.479 And that's really our mission today on the deep Dive. 15 00:00:43.880 --> 00:00:46.240 We're going to dig into a foundational guide. It's called 16 00:00:46.719 --> 00:00:51.560 Network Basics for Hackers, written by Occupy the Web. Their website, 17 00:00:51.640 --> 00:00:55.960 hackers Arise is described as a white hat hacker training site, 18 00:00:56.520 --> 00:01:00.560 So the focus is on using these skills for good ethically. 19 00:01:00.799 --> 00:01:03.679 Our goal here is to pull out the most important bits, 20 00:01:03.679 --> 00:01:06.159 those nuggets of knowledge, to give you a shortcut to 21 00:01:06.200 --> 00:01:10.599 really getting how networks operate their flaws and you understand 22 00:01:10.680 --> 00:01:13.400 not just what's happening. But why it's important. 23 00:01:13.040 --> 00:01:15.959 And what's interesting about this source is how it defines 24 00:01:16.200 --> 00:01:19.840 white hat hacker. It's not just about finding flaws for companies. 25 00:01:19.959 --> 00:01:25.480 It talks about being a beacon and warrior for information 26 00:01:25.640 --> 00:01:27.400 freedom and human rights on the Internet. 27 00:01:27.560 --> 00:01:28.680 That's a strong statement. 28 00:01:28.879 --> 00:01:31.519 Yeah, and it even goes into detail about occupyth Web's 29 00:01:31.680 --> 00:01:37.079 documented activities in the Ukraine conflict, things like denial of 30 00:01:37.120 --> 00:01:41.120 service attacks against Russian government sites, finding oligarch yachts, hacking 31 00:01:41.159 --> 00:01:44.640 cameras for war crime evidence, even cyber attacks on Russian 32 00:01:44.640 --> 00:01:48.200 industrial systems, the schodaic stuff, and setting up a cybersecurity 33 00:01:48.200 --> 00:01:52.040 school in Kharkiev. Now, obviously we're just reporting this impartially 34 00:01:52.200 --> 00:01:54.319 as it's laid out in the source material. 35 00:01:54.040 --> 00:01:56.439 Right understood, Okay, so let's get into it. We're started 36 00:01:56.480 --> 00:01:59.239 with the absolute basics, the plumbing, like what is an 37 00:01:59.280 --> 00:02:03.120 IP address really, and we'll go all the way to 38 00:02:03.680 --> 00:02:08.840 well networks in cars, factories, even hacking radio signals. It's 39 00:02:08.879 --> 00:02:11.879 a deep dive into the hidden anatomy of our digital world. 40 00:02:12.400 --> 00:02:15.000 Let's start right at the beginning. IP addresses. 41 00:02:15.080 --> 00:02:18.039 Okay, Yeah, IP addresses they are absolutely fundamental. Think of 42 00:02:18.039 --> 00:02:21.919 it simply as the house address for every single digital device, 43 00:02:21.919 --> 00:02:26.159 your laptop, your phone, your smart fridge. Without that unique address, 44 00:02:26.280 --> 00:02:29.360 data just wouldn't know where to go. Communication breaks down. 45 00:02:29.680 --> 00:02:32.400 So if it's a house number, how's it structured? Most 46 00:02:32.439 --> 00:02:34.280 of us are still on IPv four, right, that's the 47 00:02:34.280 --> 00:02:35.080 thirty two bit one. 48 00:02:35.120 --> 00:02:37.759 That's the one. It's broken into four groups of eight bits. 49 00:02:37.800 --> 00:02:40.360 We call those octets. So you see things like one, 50 00:02:40.520 --> 00:02:42.520 ninety two point one, sixty eight point one, one zero 51 00:02:42.599 --> 00:02:45.080 one each number in there. Each octet can be anything 52 00:02:45.120 --> 00:02:48.159 from zero up to two fifty five. Okay, Now, historically 53 00:02:48.159 --> 00:02:50.520 these were grouped into classes ABC based on the first 54 00:02:50.520 --> 00:02:54.039 few numbers. Helped organize things early on. But the real issue, 55 00:02:54.080 --> 00:02:56.719 the big problem today is we've basically run out of 56 00:02:56.719 --> 00:03:00.520 IPv four addresses. Yeah, there are only about four point 57 00:03:00.520 --> 00:03:04.240 three billion unique addresses possible with that thirty two bit structure, 58 00:03:04.520 --> 00:03:07.080 and we've got what over seven point five billion people 59 00:03:07.159 --> 00:03:10.719 plus way more devices than that. The math just doesn't 60 00:03:10.719 --> 00:03:11.759 work anymore. 61 00:03:11.360 --> 00:03:13.439 So how do we cope. That's where things like private 62 00:03:13.439 --> 00:03:14.080 ips come. 63 00:03:14.000 --> 00:03:16.960 In, exactly. That's one of the clever workarounds. They set 64 00:03:16.960 --> 00:03:20.599 aside specific ranges of IP addresses just for internal use 65 00:03:20.719 --> 00:03:23.879 inside your local area network your land. These are the private. 66 00:03:23.560 --> 00:03:26.199 Ips like one ninety two point one six eight dot 67 00:03:26.280 --> 00:03:28.280 something or ten dots are the common ones. 68 00:03:28.360 --> 00:03:30.439 Yeah, one ninety two point one six eight dot x 69 00:03:30.479 --> 00:03:32.439 dot x, ten dot x dot is and also the 70 00:03:32.520 --> 00:03:35.759 one seventy two point one six dot x dot x range. 71 00:03:35.960 --> 00:03:39.159 Your home router probably signs these to all your devices, which. 72 00:03:38.919 --> 00:03:41.120 Brings up a good question. Then, if my phone is 73 00:03:41.159 --> 00:03:43.719 an internal private IP like one ninety two point one 74 00:03:43.800 --> 00:03:46.000 six eight point one point five, how does it talk 75 00:03:46.039 --> 00:03:47.800 to a website out on the public internet. 76 00:03:47.879 --> 00:03:51.120 Ah? Good question. That involves two key pieces of magic 77 00:03:51.439 --> 00:03:55.919 DHCP and net. First, DCP Dynamic Host Configuration protocol that's 78 00:03:56.000 --> 00:03:58.639 usually running on your router. It automatically hands out those 79 00:03:58.680 --> 00:04:01.599 private IP addresses to divice is joining your network. Often 80 00:04:01.599 --> 00:04:03.479 it's just a temporary lease, so your phone might get 81 00:04:03.479 --> 00:04:05.599 a slightly different private IP next time it connects. 82 00:04:05.680 --> 00:04:06.479 Got it and that. 83 00:04:06.680 --> 00:04:09.840 NAT is network address translation. Think of it as the 84 00:04:10.759 --> 00:04:14.039 translator or the receptionist for your entire network. It lets 85 00:04:14.080 --> 00:04:16.480 all those devices on your internal network, each with its 86 00:04:16.480 --> 00:04:20.639 own private IP. Yeah, share the single public IP address 87 00:04:20.720 --> 00:04:22.959 that your internet provider gives to your router. 88 00:04:23.319 --> 00:04:23.839 Ah. Good. 89 00:04:24.000 --> 00:04:27.040 So When your phone sends a request out, NAT swaps 90 00:04:27.079 --> 00:04:30.319 the private source IP for the router's public IP, keeps 91 00:04:30.319 --> 00:04:33.199 a record, and when the reply comes back, NAT knows 92 00:04:33.240 --> 00:04:36.480 exactly which internal device which private IP to send it 93 00:04:36.519 --> 00:04:37.120 back to, and. 94 00:04:37.120 --> 00:04:39.800 It all just happens automatically, feels seamless to. 95 00:04:39.759 --> 00:04:44.040 Me as the user, completely transparent. That's the beauty of it. Okay, 96 00:04:44.079 --> 00:04:46.319 so we have the house address the IP. What about 97 00:04:46.319 --> 00:04:47.040 the apartment number. 98 00:04:47.040 --> 00:04:50.240 That's whereports come in ports. Right, So the IP gets 99 00:04:50.360 --> 00:04:53.279 dated to the right computer, but the port tells it 100 00:04:53.399 --> 00:04:58.319 which specific program or service on that computer should receive it, exactly. 101 00:04:58.040 --> 00:05:01.319 Like web traffic usually goes to port eighty for standard 102 00:05:01.399 --> 00:05:05.800 HTTP or four to forty three for secure HTTPS. Email 103 00:05:05.879 --> 00:05:08.519 uses different ports, Games use different ports. It directs the 104 00:05:08.560 --> 00:05:09.480 traffic internally. 105 00:05:09.600 --> 00:05:11.720 And how many ports are there? I remember reading it's 106 00:05:11.759 --> 00:05:12.199 a lot. 107 00:05:12.439 --> 00:05:15.519 It is sixty five thousand, five hundred and thirty six 108 00:05:15.639 --> 00:05:19.199 possible ports for each IP address zero through six hundred 109 00:05:19.240 --> 00:05:22.079 and five to five thirty five. The first oneenty twenty 110 00:05:22.120 --> 00:05:24.959 four are often called the well known or common ports 111 00:05:25.160 --> 00:05:27.279 reserved for standard services, and from. 112 00:05:27.160 --> 00:05:29.920 A security angle, knowing which ports are open on a 113 00:05:29.959 --> 00:05:32.839 device is huge, right, that's what tools like map do 114 00:05:33.279 --> 00:05:34.120 absolutely critical. 115 00:05:34.240 --> 00:05:37.160 End MAP scans a target. IP probes these ports and 116 00:05:37.199 --> 00:05:39.120 tells you which ones are open, meaning a service is 117 00:05:39.160 --> 00:05:42.560 listening there. It's often the very first step in reconnaissance, 118 00:05:42.600 --> 00:05:45.439 for a security assessment or for an attacker. It maps 119 00:05:45.439 --> 00:05:46.800 out the potential entry points. 120 00:05:46.879 --> 00:05:50.439 Okay, so IP addresses for location ports for the specific service. 121 00:05:50.600 --> 00:05:54.040 What's the language they're actually speaking? That's TCPIP primarily. 122 00:05:54.120 --> 00:05:58.160 Yes, TCPIP is the dominant suite of protocols for Internet communication. 123 00:05:58.639 --> 00:06:02.680 TCP is Transmission Control protocol and IP is Internet protocol. 124 00:06:02.759 --> 00:06:05.519 And protocols are just agreed upon rules. 125 00:06:05.240 --> 00:06:08.399 For talking, pretty much like a language has grammar and vocabulary. 126 00:06:08.519 --> 00:06:11.800 For networks, these rules ensure devices understand each other. They're 127 00:06:11.839 --> 00:06:15.160 often defined in technical documents called RFC's Requests for Comments. 128 00:06:15.279 --> 00:06:18.120 So the IP part that handles the addressing and routing, 129 00:06:18.480 --> 00:06:21.759 making sure packets get from source AID to destination B correct. 130 00:06:21.839 --> 00:06:25.639 The ipheader within each data packet contains crucial info like 131 00:06:26.160 --> 00:06:29.639 the version is this IPv four or the newer IPv 132 00:06:29.800 --> 00:06:32.680 six and the source and destination IP addresses? 133 00:06:32.720 --> 00:06:35.360 Obviously, what about that TTL field I've heard about? Time 134 00:06:35.399 --> 00:06:35.720 to live? 135 00:06:35.879 --> 00:06:40.199 Ah? Yes, TTL. It's basically a counter that prevents packets 136 00:06:40.240 --> 00:06:43.879 from looping endlessly around the Internet. Each router that handles 137 00:06:43.879 --> 00:06:47.319 the packet decreases the TTL value. If it hits zero, 138 00:06:47.600 --> 00:06:50.519 the packet is discarded. Okay, but here's a neat trick. 139 00:06:51.040 --> 00:06:55.240 Different operating systems often start packets with different default TTL values, 140 00:06:55.759 --> 00:06:58.680 So just by looking at the TTL of incoming packets, 141 00:06:58.680 --> 00:07:00.560 you can sometimes make a pretty good I guess about 142 00:07:00.560 --> 00:07:03.959 the sender's OS, Windows, Linux, Mac OS. It's a passive 143 00:07:03.959 --> 00:07:05.240 fingerprinting technique. 144 00:07:05.279 --> 00:07:07.920 That's clever. Okay, So that's IP. What about the TCP 145 00:07:08.040 --> 00:07:10.279 part you said, Transmission Control Protocol Right. 146 00:07:10.439 --> 00:07:13.439 TCP sits on top of IP and adds reliability. It's 147 00:07:13.439 --> 00:07:16.839 header has fields like source port and destination port. Connecting 148 00:07:16.879 --> 00:07:19.319 back to our port discussion makes sense. But crucially, it 149 00:07:19.360 --> 00:07:22.879 adds sequence numbers and acknowledgment numbers. These ensure that all 150 00:07:22.879 --> 00:07:25.040 the packets arrive and that they get reassembled in the 151 00:07:25.040 --> 00:07:28.279 correct order at the destination. If the center doesn't get 152 00:07:28.319 --> 00:07:31.480 an acknowledgment ack back for a packet it's sent, it 153 00:07:31.639 --> 00:07:32.759 knows to resend it. 154 00:07:33.240 --> 00:07:36.439 So that's why TCP is called connection oriented and reliable 155 00:07:36.800 --> 00:07:38.439 because of that back and forth checking. 156 00:07:38.560 --> 00:07:42.000 Precisely, it establishes a formal connection before sending data and 157 00:07:42.120 --> 00:07:43.879 ensures everything gets there intact. 158 00:07:44.160 --> 00:07:46.920 And what are those TCP flags? Things like s yn 159 00:07:47.040 --> 00:07:49.000 ack fim ah. 160 00:07:48.920 --> 00:07:52.360 The flags. They're like little single bit signals within the 161 00:07:52.399 --> 00:07:55.600 TCP header that manage the state of the connection. S 162 00:07:55.800 --> 00:08:00.800 yn synchronized starts a connection, ack acknowledged, confirms seat of data, 163 00:08:01.240 --> 00:08:04.160 fin finish signals the end of the data transmission. 164 00:08:04.360 --> 00:08:04.680 Okay. 165 00:08:04.759 --> 00:08:07.879 There are others to like RST reset to abruptly kill 166 00:08:07.920 --> 00:08:13.720 a connection, or PSH push and urg urgent. Understanding these 167 00:08:13.759 --> 00:08:17.079 flags is key for analyzing traffic, and attackers can manipulate 168 00:08:17.120 --> 00:08:20.000 them for scanning like an s yn scan or even 169 00:08:20.079 --> 00:08:21.480 trying to bypass firewalls. 170 00:08:21.519 --> 00:08:24.199 And this all starts with the famous three way handshake. 171 00:08:24.000 --> 00:08:27.040 Every single TCP connection. Yes, it's fundamental. 172 00:08:27.160 --> 00:08:28.000 How does that work again? 173 00:08:28.079 --> 00:08:31.519 Simple client sends a s yn packet I want to connect. 174 00:08:31.879 --> 00:08:35.360 Server replies with a s y n ack. Okay, acknowledge 175 00:08:35.360 --> 00:08:37.759 your request, and I also want to sink. Client sends 176 00:08:37.759 --> 00:08:41.399 a final ack, got it connection established? Only then can 177 00:08:41.440 --> 00:08:45.440 the actual data start flowing. S yn s yn ack 178 00:08:45.879 --> 00:08:47.159 three steps, got. 179 00:08:46.919 --> 00:08:49.840 It s y n s y n ack ack. 180 00:08:50.120 --> 00:08:53.519 So TCP is reliable, but has that set up overhead? 181 00:08:53.639 --> 00:08:54.440 What's the alternative? 182 00:08:54.480 --> 00:08:58.039 UDP? UDP user data GRAM protocols the polar opposite in 183 00:08:58.080 --> 00:09:01.679 some ways. It's connectionless, meaning meaning it doesn't do the handshake. 184 00:09:01.720 --> 00:09:04.919 It just sends packets datagrams out toward the destination. No 185 00:09:05.080 --> 00:09:07.960 sequence numbers, no acknowledgements, no guarantee they'll arrive or in 186 00:09:08.000 --> 00:09:08.480 what order. 187 00:09:08.559 --> 00:09:09.399 So why use it? 188 00:09:09.440 --> 00:09:12.799 Sounds risky Because it's fast and efficient, low overhead. It's 189 00:09:12.840 --> 00:09:14.879 perfect for things where losing a tiny bit of data 190 00:09:14.960 --> 00:09:17.399 isn't the end of the world and speed matters more. 191 00:09:17.679 --> 00:09:20.799 Think streaming video or music ah. 192 00:09:20.320 --> 00:09:25.399 Right, a droped frame is barely noticeable exactly, or online gaming. Also, 193 00:09:25.639 --> 00:09:30.039 some really important network services use UDP, like DNS for 194 00:09:30.080 --> 00:09:33.879 looking up domain names, SNMP for network management, and NTP 195 00:09:34.120 --> 00:09:38.120 for time synchronization. They handle reliability at the application layer 196 00:09:38.159 --> 00:09:38.639 if needed. 197 00:09:38.720 --> 00:09:41.399 Okay, that makes sense. Protocols covered. What about the physical 198 00:09:41.480 --> 00:09:43.879 layout how the devices are actually connected. 199 00:09:44.159 --> 00:09:48.639 Network topology right toology how the network is physically or 200 00:09:48.759 --> 00:09:52.360 logically arranged. There are a few classic types. The simplest 201 00:09:52.440 --> 00:09:54.360 is maybe the bus topology like. 202 00:09:54.320 --> 00:09:57.200 An old school ethernet cable everyone plugs into. 203 00:09:57.120 --> 00:10:00.960 Pretty much all devices share a single communication line. It's 204 00:10:01.080 --> 00:10:03.519 cheap and easy to set up, but prone to collisions 205 00:10:03.519 --> 00:10:06.120 if multiple devices talk at once, and if the main 206 00:10:06.159 --> 00:10:08.039 cable breaks, the whole segment goes down. 207 00:10:08.279 --> 00:10:10.200 Not ideal. What's more common now for. 208 00:10:10.159 --> 00:10:13.840 Local area networks definitely the start apology. Every device connects 209 00:10:13.919 --> 00:10:16.519 directly to a central point, usually a switch these days, 210 00:10:16.720 --> 00:10:17.639 historically a hub. 211 00:10:17.759 --> 00:10:19.600 That seems way better for resilience. 212 00:10:19.759 --> 00:10:22.480 It is, if one device is cable fails, it only 213 00:10:22.559 --> 00:10:25.639 affects that one device. The rest of the network keeps working. 214 00:10:26.000 --> 00:10:28.399 It's the standard for most office and home networks. 215 00:10:28.399 --> 00:10:29.879 Okay, any other's worth knowing. 216 00:10:30.120 --> 00:10:33.759 Well, there's the ring topology. Devices are connected in a circle. 217 00:10:34.080 --> 00:10:38.039 Data packets travel around the ring until they reach their destination. Simple, 218 00:10:38.320 --> 00:10:41.240 can be efficient, but like the bus, a single break 219 00:10:41.240 --> 00:10:44.320 in the ring can be catastrophic. Used in some older 220 00:10:44.360 --> 00:10:45.840 network types like token ring. 221 00:10:46.120 --> 00:10:46.320 Right. 222 00:10:46.360 --> 00:10:49.720 And then there's mesh. In a full mesh, every device 223 00:10:49.720 --> 00:10:51.679 connects directly to every other device. 224 00:10:52.000 --> 00:10:53.480 Wow, that sounds complicated, but. 225 00:10:53.519 --> 00:10:58.240 Robust, extremely robust, lots of redundant paths. If one link fails, 226 00:10:58.360 --> 00:11:01.840 data can easily reroute the Internet itself at a high 227 00:11:01.960 --> 00:11:06.080 level functions like a massive mesh network, and interestingly, some 228 00:11:06.240 --> 00:11:10.039 modern peer to peer mobile apps like Brier can create 229 00:11:10.120 --> 00:11:13.240 ad hoc mesh networks using Bluetooth or Wi Fi by 230 00:11:13.279 --> 00:11:15.039 passing the need for central servers. 231 00:11:15.080 --> 00:11:18.759 Fascinating. Okay, so we have protocols topologies. How do we 232 00:11:18.840 --> 00:11:22.279 conceptibly tie all these layers together? That's the OSI model. 233 00:11:22.039 --> 00:11:25.679 Right, ah, the o SI model, the Open System's interconnection model. Yes, 234 00:11:25.679 --> 00:11:28.200 it's a conceptual framework, a way to understand how different 235 00:11:28.200 --> 00:11:31.679 networking tasks are divided into layers, each performing a specific function. 236 00:11:31.960 --> 00:11:32.919 Seven layers in total. 237 00:11:32.960 --> 00:11:35.519 Seven layers. Can you list them? And maybe that mnemonic 238 00:11:35.559 --> 00:11:36.799 I always forget. 239 00:11:36.600 --> 00:11:40.080 Sure from top closest to the user to bottom closest 240 00:11:40.080 --> 00:11:43.679 to the physical wire layer. Seven is applications, six is presentation, 241 00:11:43.799 --> 00:11:46.320 five a session, four is transport, three is network, two 242 00:11:46.440 --> 00:11:49.240 is data link, and one is physical. Okay, the mnemonics 243 00:11:49.240 --> 00:11:53.360 help going down? All people seem to need data processing 244 00:11:53.519 --> 00:11:56.840 going up? Please do not throw sausage pizza away, chezy, 245 00:11:56.919 --> 00:11:57.480 but they work. 246 00:11:57.720 --> 00:12:05.279 Huh. Okay, Please do not throw sausage pizzaway. Physical, data link, network, transport, session, presentation, application. 247 00:12:04.919 --> 00:12:05.279 Got it? 248 00:12:06.039 --> 00:12:08.519 But why is This model useful, especially from a. 249 00:12:08.519 --> 00:12:12.399 Security viewpoint, because different types of attacks target different layers. 250 00:12:12.679 --> 00:12:15.639 Understanding the model helps you categorize threats and defenses. 251 00:12:15.799 --> 00:12:16.960 You give examples sure. 252 00:12:17.159 --> 00:12:20.720 Layer seven application is where you see application specific exploits 253 00:12:20.919 --> 00:12:24.200 like SQL injection on a web app. Layer six presentation 254 00:12:24.360 --> 00:12:27.240 deals with data formatting and encryption. Phishing attacks often try 255 00:12:27.279 --> 00:12:28.679 to trick users at this interface. 256 00:12:28.799 --> 00:12:29.080 Okay. 257 00:12:29.200 --> 00:12:33.039 Layer five session manages connection session hijacking attacks happen here. 258 00:12:33.360 --> 00:12:37.080 Layer four transport, where TCPUDP live is often targeted for 259 00:12:37.159 --> 00:12:41.360 reconnaissance like port scanning. Layer three network, where IP lives 260 00:12:41.480 --> 00:12:44.240 is vulnerable to things like men in the middle attacks 261 00:12:44.360 --> 00:12:49.440 or routing manipulation. Layer two data link MIIC addresses can 262 00:12:49.480 --> 00:12:54.320 see MP spoofing or ARP poisoning. And Layer one physical 263 00:12:54.519 --> 00:12:57.360 is where simple wiretapping or signal jamming occurs. 264 00:12:57.639 --> 00:12:59.919 So the model provides a map for understanding where things 265 00:12:59.919 --> 00:13:01.200 are can go wrong exactly. 266 00:13:01.360 --> 00:13:05.039 It's a foundational concept for network engineers and security pros. 267 00:13:05.120 --> 00:13:08.039 Okay, this is great foundational stuff. Let's shift gears a bit. 268 00:13:08.080 --> 00:13:10.759 We talked about running out of IPv four addresses. How 269 00:13:10.799 --> 00:13:13.399 do we use the ones we have more efficiently than involve. 270 00:13:13.200 --> 00:13:17.440 Subnetting, subnetting, yes, and cid R notation. The main reasons 271 00:13:17.440 --> 00:13:21.399 for subnetting are one to conserve that limited IPv four space, 272 00:13:21.799 --> 00:13:24.919 two to create network segments with a more realistic number 273 00:13:24.960 --> 00:13:28.559 of hosts instead of huge flat networks, and three to 274 00:13:28.679 --> 00:13:32.120 improve performance and security by dividing large networks into smaller, 275 00:13:32.200 --> 00:13:33.799 manageable broadcast domains. 276 00:13:34.000 --> 00:13:37.080 So a subnet is like a network within a network. 277 00:13:37.120 --> 00:13:38.519 That's a perfect way to put it. You take a 278 00:13:38.559 --> 00:13:40.759 larger block of IP addresses assigned to you and break 279 00:13:40.799 --> 00:13:42.799 it down into smaller logical networks. 280 00:13:42.879 --> 00:13:45.320 How does that work technically with the subnet mask? 281 00:13:45.879 --> 00:13:48.840 Right? The subnet mask is another thirty two BET number 282 00:13:48.840 --> 00:13:51.080 that looks like an IP address, like two five five 283 00:13:51.159 --> 00:13:54.159 point two five to five point zero. It's used mathematically, 284 00:13:54.279 --> 00:13:56.759 usually with a binary A and D operation to separate 285 00:13:56.799 --> 00:13:59.440 the network portion of an IP address from the host portion. 286 00:14:00.000 --> 00:14:03.120 Tells devices which part identifies the street network and which 287 00:14:03.159 --> 00:14:05.919 part identifies the house number host on that street. 288 00:14:06.039 --> 00:14:09.000 Okay, and CIDR, that slash notation like twenty. 289 00:14:08.759 --> 00:14:12.120 Four CIR class list inter domain roading is basically shorthand 290 00:14:12.120 --> 00:14:14.360 for the subnet mask. Instead of writing out the full mask, 291 00:14:14.440 --> 00:14:16.519 you just put a slash followed by the number of 292 00:14:16.559 --> 00:14:17.919 bits used for the network portion. 293 00:14:18.039 --> 00:14:20.519 So one nineteen point one six eight point one point 294 00:14:20.679 --> 00:14:22.879 zero two four means the first twenty four bits are 295 00:14:22.919 --> 00:14:23.759 the network. 296 00:14:23.399 --> 00:14:26.440 Part exactly, which corresponds to a subnetmask of two hundred 297 00:14:26.480 --> 00:14:28.080 five five point two FI five five point two five 298 00:14:28.159 --> 00:14:30.519 five point zero eight would be two hundred finty five 299 00:14:30.559 --> 00:14:31.919 point zero point zero and song. 300 00:14:32.080 --> 00:14:33.759 And you can use this to carve up networks. 301 00:14:33.960 --> 00:14:37.200 Absolutely. You could take a standard Class C range like 302 00:14:37.200 --> 00:14:39.320 that twenty four, giving you about two hundred and fifty 303 00:14:39.360 --> 00:14:43.360 four usable host addresses, and decide you need, say six 304 00:14:43.440 --> 00:14:47.799 smaller departments, each needing maybe twenty five hosts. By borrowing 305 00:14:47.840 --> 00:14:50.399 a few bits from the host portion for the network portion, 306 00:14:50.600 --> 00:14:54.000 making it say a twenty seven, you can create multiple 307 00:14:54.039 --> 00:14:57.720 smaller subnets from that original block. It's efficient and helps 308 00:14:57.840 --> 00:14:59.159 organize and secure the network. 309 00:14:59.320 --> 00:15:01.759 Makes sense. Okay, Now, how do we actually see what's 310 00:15:01.799 --> 00:15:04.639 happening on our network? What tools are there besides just theory? 311 00:15:04.759 --> 00:15:08.000 Good question. There are essential command line tools built into 312 00:15:08.039 --> 00:15:12.320 most operating systems. If CANFIG or IP addra on modern 313 00:15:12.360 --> 00:15:16.960 Linux shows your network interface configuration, IP address, MAC address, etc. 314 00:15:17.320 --> 00:15:20.919 Right Ping two, Ping, is fundamental. Sends a simple ECO 315 00:15:21.000 --> 00:15:23.159 request to see if a host is online and how 316 00:15:23.200 --> 00:15:26.039 long it takes to respond. Basic connectivity testing. 317 00:15:26.159 --> 00:15:28.320 What about seeing active connections for that? 318 00:15:28.440 --> 00:15:31.240 Netstat is classic? It shows all the network connections to 319 00:15:31.320 --> 00:15:35.559 and from your machine, TCPUDP, listening, poards, established connections, really 320 00:15:35.639 --> 00:15:39.080 useful for troubleshooting or even spotting suspicious activity like malware 321 00:15:39.080 --> 00:15:39.600 calling home. 322 00:15:39.720 --> 00:15:40.679 Is there a newer version? 323 00:15:40.960 --> 00:15:45.559 Yeah? On Linux, USS socket statistics is generally preferred now, 324 00:15:45.759 --> 00:15:49.559 often faster and provides more detailed information than netstat. 325 00:15:49.799 --> 00:15:52.440 Okay, those are good for looking at my own machines connections. 326 00:15:52.440 --> 00:15:54.840 But yeah, what about seeing all the traffic flowing across 327 00:15:54.879 --> 00:15:55.720 the network segment? 328 00:15:56.039 --> 00:16:00.440 That's sniffing, right, that's network sniffing or packet analysis using 329 00:16:00.440 --> 00:16:05.519 tools called sniffers or packet analyzers. These are incredibly powerful. 330 00:16:05.799 --> 00:16:10.120 Network engineers use them constantly to diagnose problems, forensic investigators 331 00:16:10.200 --> 00:16:13.840 use them to capture digital evidences, and hackers use them 332 00:16:13.960 --> 00:16:18.759 for reconnaissance, finding vulnerabilities, capturing sensitive data if it's unencrypted, 333 00:16:19.159 --> 00:16:22.399 like passwords, session cookies, emails files. 334 00:16:22.879 --> 00:16:25.600 Is this legal? I remember hearing that FBI tool. Ah. 335 00:16:25.679 --> 00:16:29.600 Yeah, the source mentions the FBI's Carnivore system, which was controversial. 336 00:16:29.960 --> 00:16:32.279 Sniffing traffic on a network you don't own or have 337 00:16:32.360 --> 00:16:35.720 permission to monitor is generally illegal in most places, but 338 00:16:35.840 --> 00:16:40.000 for legitimate network administration and security testing on your own networks, 339 00:16:40.320 --> 00:16:41.840 it's an indispensable tool. 340 00:16:42.000 --> 00:16:43.200 What do you need to make it work? 341 00:16:43.440 --> 00:16:47.600 Two main things. First, your computer's network interface card and 342 00:16:47.720 --> 00:16:51.799 I SEE needs to be put into promiscuous mode. Normally, 343 00:16:52.039 --> 00:16:55.000 and I SEE ignores packets not addressed to its specific 344 00:16:55.000 --> 00:16:57.879 and MESSI doaters. Promiscuous mode tells it to grab every 345 00:16:57.919 --> 00:17:00.000 packet it sees on the wire or Wi Fi channel. 346 00:17:00.240 --> 00:17:00.600 Okay. 347 00:17:00.799 --> 00:17:04.759 Second, you need the sniffing software itself, and captured traffic 348 00:17:04.839 --> 00:17:07.440 is usually saved in a standard file format called dot 349 00:17:07.519 --> 00:17:10.759 p cap packet capture, which many different tools can read. 350 00:17:10.839 --> 00:17:13.599 Let's talk tools. The source mentions TCP dump. 351 00:17:13.680 --> 00:17:17.119 TCP dump the classic. It's a command line sniffer that's 352 00:17:17.119 --> 00:17:19.519 been around since the late eighties, available on Linux and 353 00:17:19.640 --> 00:17:23.319 Unix like systems. It's powerful and flexible, though the output 354 00:17:23.359 --> 00:17:24.240 can be a bit raw. 355 00:17:24.319 --> 00:17:24.960 How do you use it? 356 00:17:25.000 --> 00:17:27.000 You can just run TCP dump and it starts showing 357 00:17:27.039 --> 00:17:31.039 packet summary, scrolling by more usefully you use flags SS 358 00:17:31.160 --> 00:17:33.799 specifies the interface to listen on like F zero or 359 00:17:33.839 --> 00:17:36.759 one and zero. AW writs the raw packets to a 360 00:17:36.799 --> 00:17:38.640 dot pcap file for later analysis. 361 00:17:38.680 --> 00:17:40.759 What about filtering? Can it narrow down the traffic? 362 00:17:41.160 --> 00:17:44.759 Absolutely? That's its strength. You can filter by source or destination, 363 00:17:44.839 --> 00:17:48.480 IP address, SRC host or DCS host. You can filter 364 00:17:48.559 --> 00:17:51.720 by port port eighty for web traffic. You can filter 365 00:17:51.799 --> 00:17:55.720 by protocol TCP, UDP, ICP. You can even filter based 366 00:17:55.720 --> 00:17:59.519 on TCP flags, TCPDCP flags and tcps in equals zero 367 00:17:59.559 --> 00:18:01.519 to C only syn. 368 00:18:01.119 --> 00:18:03.720 Packets wow specific very You. 369 00:18:03.680 --> 00:18:07.119 Can combine filters with and or not. The source even 370 00:18:07.119 --> 00:18:09.880 shows examples of filtering for things like clear text passwords, 371 00:18:10.039 --> 00:18:13.480 password or specific user agent strings from web browsers or 372 00:18:13.480 --> 00:18:16.880 session cookies. It requires understanding the protocols, but it lets 373 00:18:16.880 --> 00:18:18.839 you zero in on exactly what you need. 374 00:18:19.079 --> 00:18:22.319 Powerful, but maybe not super user friendly for visualizing things. 375 00:18:22.559 --> 00:18:24.160 What's the go to graphical tool? 376 00:18:24.240 --> 00:18:25.960 That would be wire shark. The source calls it the 377 00:18:25.960 --> 00:18:29.920 de facto standard, and that's accurate. It's graphical, runs on Windows, Mac, Os, Linux, 378 00:18:30.119 --> 00:18:32.559 and it makes analyzing packet captures much easier. 379 00:18:32.599 --> 00:18:33.960 How does it display the data? 380 00:18:34.119 --> 00:18:36.079 It has three main pains. The top PAIN is the 381 00:18:36.119 --> 00:18:39.440 packet list, showing a summary of each captured packet. Click 382 00:18:39.480 --> 00:18:42.240 one there, and the middle pain packet details shows a 383 00:18:42.279 --> 00:18:45.319 decoded breakdown of all the protocol layers and fields within 384 00:18:45.359 --> 00:18:50.039 that packet Ethernet, IP, TCP, application data. The bottom pain 385 00:18:50.359 --> 00:18:53.960 packet bytes shows the raw hexadecimal and ask data. 386 00:18:54.039 --> 00:18:55.599 And filtering in wire Shark. 387 00:18:55.559 --> 00:18:58.559 Also very powerful. You can type display filters directly like 388 00:18:58.640 --> 00:19:01.920 IP dot adr equals one ninety two point one sixty 389 00:19:01.960 --> 00:19:05.119 eight point one point one, or TCP dot port equals 390 00:19:05.160 --> 00:19:08.839 eighty or HTTP contains Facebook. There's also an expression builder 391 00:19:08.839 --> 00:19:10.319 to help create complex filters. 392 00:19:10.400 --> 00:19:13.160 What about seeing a whole conversation like a web request 393 00:19:13.279 --> 00:19:14.079 in its response. 394 00:19:14.200 --> 00:19:17.440 Wireshark makes that super easy with the follow TCP stream 395 00:19:17.559 --> 00:19:21.359 or udpr SSLTLS stream feature. Write click a packet in 396 00:19:21.400 --> 00:19:23.839 a conversation, choose follow, and it opens a new window 397 00:19:23.920 --> 00:19:26.319 showing just the data exchange between those two end points, 398 00:19:26.400 --> 00:19:30.759 reassembled in order. Fantastic for reading HTTP requests, emails, chat 399 00:19:30.759 --> 00:19:32.039 messages if they're unencrypted. 400 00:19:32.279 --> 00:19:35.519 Okay, wire Shark sounds essential for digging into dot pcat files. 401 00:19:36.039 --> 00:19:37.680