Hack That Shit
Networking Basics Every Hacker Should Know

Networking Basics Every Hacker Should Know

by

⚠️ Safety & Ethics

Networking knowledge powers both recon and defensive monitoring. Use these concepts and commands only on networks and hosts you own or are authorized to test. Misuse can disrupt services and is illegal.

🧠 Why networking matters for hackers

Understanding how packets flow, how hosts discover each other, and how services listen is fundamental. Recon becomes meaningful when you can interpret network output: which host is reachable, which ports are open, which services respond, and how packets traverse the network.

This post gives you the core building blocks and the Linux commands you’ll use repeatedly in labs and CTFs.

1 — IP addressing & subnets (the basics)

  • IPv4 address: e.g., 192.168.1.10

  • Netmask: 255.255.255.0 or CIDR /24

  • Network / Broadcast: determine host range using the IP + mask

Quick examples:

  • 192.168.1.0/24 → hosts 192.168.1.1 to 192.168.1.254

  • Smaller networks: /30 (4 addresses, 2 usable), /32 (single host)

Why it matters: Knowing subnet size helps scope scans and avoid noisy broad sweeps.

2 — Interfaces & addresses on Linux

Key commands:

  • ip addr show — list interfaces and IPs

  • ip link show — show link state (up/down)

  • ip route — show routing table

  • ifconfig (older systems) — view interfaces

Example:

				
					ip addr show
# Output highlights:
# - interface name (eth0, wlan0, lo)
# - inet 192.168.1.10/24
# - link/ether <mac address>

Tip: Loopback lo (127.0.0.1) is local-only. Don’t confuse it with network-facing interfaces.

3 — Routing & default gateway

  • ip route shows how your machine chooses where to send packets.

  • Default route is usually default via 192.168.1.1 dev eth0

Example commands:

				
					ip route show
ip route add 10.10.0.0/16 via 192.168.1.1   # lab-only route addition

Why it matters: If a target is on a different subnet, routing determines whether you can reach it directly or need a pivot.

4 — ARP: mapping IPs to MAC addresses

  • ARP (Address Resolution Protocol) resolves IP → MAC on Ethernet networks.

  • arp -n or ip neigh shows the ARP table.

  • arping <ip> sends ARP requests to discover a host quickly (lab-only).

Example:

				
					ip neigh show
arping -c 3 192.168.1.1

Why it matters: ARP poisoning/inspection is a classic MITM concept (only study in lab). ARP table tells you which MAC corresponds to which IP.

5 — DNS basics (resolution & useful checks)

  • DNS maps names to IPs. Commands:

    • dig example.com — DNS lookup (detailed)

    • nslookup example.com — quick query

    • host example.com — simple resolution

Examples:

				
					dig +short target.local
dig @8.8.8.8 example.com A

Why it matters: Hostnames in web apps, internal DNS entries, and misconfigured DNS can reveal internal assets. In labs, DNS can be intentionally misconfigured to create CTF challenges.

6 — TCP vs UDP: connection vs datagram

  • TCP: connection-oriented, reliable (three-way handshake), used for SSH (22), HTTP (80/443), etc.

  • UDP: connectionless, used for DNS (53), SNMP, some game servers.

Key Linux tools:

  • ss -tulwn — show listening sockets (-t TCP, -u UDP)

  • netstat -tulpen — older tool for socket info

  • lsof -i — which process owns an open socket

Example:

				
					ss -tulwn
# lists local address:port and state (LISTEN)

Why it matters: Find which services are accessible and which protocol to target for recon.

7 — Traceroute & path discovery

  • traceroute <host> or tracepath <host> — shows hops between you and a target.

  • mtr <host> — combines ping + traceroute for continuous path monitoring.

Example:

				
					traceroute 8.8.8.8
mtr --report 10.0.2.15

Why it matters: Traceroute helps understand network topology and where packets are dropped or filtered.

8 — Packet capture & analysis (Wireshark / tcpdump)

  • tcpdump is terminal-friendly packet capture.

    • Capture example: sudo tcpdump -i eth0 -n -s 0 -w capture.pcap

    • Read file: tcpdump -r capture.pcap

  • wireshark for GUI analysis (open pcap files).

Common tcpdump filters:

  • tcp / udp / icmp

  • host 10.0.2.15

  • port 80

  • Combine: tcpdump -i eth0 tcp and port 80 and host 10.0.2.15

Why it matters: Packet captures show raw traffic — great for learning protocols, debugging, and CTF puzzles.

9 — Banner grabbing & service enumeration

  • nc (netcat) can grab service banners: nc -v -w 2 target 22

  • ss / lsof show local listening services.

  • nmap -sV fingerprints services remotely (lab-only, permission required).

Example:

				
					echo | nc -w 2 10.0.2.15 22
# shows SSH banner like "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"

Why it matters: Banners reveal service types and versions — useful to identify vulnerable software in lab environments.

10 — Useful Linux networking commands cheat-sheet

  • ip addr show — list interfaces & addresses

  • ip link set dev eth0 up/down — enable/disable interface

  • ip route — routing table

  • ip neigh — ARP table

  • ss -tulwn — listening sockets

  • lsof -i — processes with network sockets

  • tcpdump -i eth0 -n — capture traffic

  • traceroute <host> / mtr <host> — path discovery

  • dig <name> / nslookup — DNS lookups

🧪 Lab Exercises (snapshot your VM first)

    • Map your local network

      • Use ip addr, ip route, and ip neigh to list interfaces, gateway, and ARP entries.

      • Record the network range (CIDR) for your VM.

    • Find listening services

      • Run ss -tulwn and lsof -i to identify services and corresponding PIDs. Investigate the binaries behind those PIDs.

    • Local packet capture

      • Capture traffic while you curl a local web page:

        sudo tcpdump -i eth0 -n -s 0 -w webtest.pcap port 80
curl http://127.0.0.1:8080
sudo tcpdump -r webtest.pcap

      • Open the PCAP in Wireshark to inspect HTTP headers.

    • DNS reconnaissance

      • Use dig to query public and internal DNS (lab). Try dig @<internal-dns> internal-hostname.

    • Traceroute to a public IP

      • traceroute 8.8.8.8 (or mtr) and interpret where latency or filtering occurs.

    • Banner grabbing

      • Use nc to connect to local services and capture banners. Save outputs and compare to ss results.

🧠 How networking ties to the series

Networking is the substrate for all recon and exploitation. In Part 10: Network Recon with Netcat, Nmap & Built-in Tools, we’ll put these basics into action with step-by-step lab workflows, combining what you learned here with practical scanning, banner techniques, and safe enumeration scripts.

🎯 Coming Up Next

Part 10: Network Recon with Netcat, Nmap & Built-in Tools — live walkthroughs, scan templates, and how to combine Linux commands into recon pipelines (lab-only).

💬 Got Questions?

Drop them in the comments or join our community on Discord for exclusive hacking tips and resources.

Don’t worry — mastery comes with practice.
Just open your terminal and hack your brain into CLI mode daily.

Let’s keep building. 💻⚔️

Leave a comment

Table of Contents

Index