With the OSI model as our mental framework, we now turn to the actual protocols that power the internet. The TCP/IP suite is not a single protocol — it is a family of protocols that work together to deliver data across networks. Understanding each protocol's role, behavior, and weaknesses is essential for any offensive security professional.
IP is responsible for addressing and routing packets across networks. It is a connectionless, best-effort delivery protocol — meaning it does not guarantee delivery, ordering, or error checking. Those responsibilities fall to the transport layer. There are two versions in use today: IPv4 (32-bit addresses, e.g., 192.168.1.1) and IPv6 (128-bit addresses, e.g., 2001:0db8::1).
IP packets contain a header with source and destination IP addresses, a Time-to-Live (TTL) field, and protocol identification. The TTL field is particularly interesting to hackers — it decrements at each router hop, and tools like traceroute exploit this to map network paths.
ICMP operates at Layer 3 alongside IP and is used for diagnostic and error-reporting functions. The most familiar ICMP tool is ping, which sends an Echo Request and expects an Echo Reply. However, ICMP has significant offensive potential: it can be used for network reconnaissance, covert tunneling (ICMP tunneling), and denial-of-service attacks (Ping of Death, Smurf attack).
```bash
# Basic ping sweep for host discovery
for i in $(seq 1 254); do
  ping -c 1 -W 1 192.168.1.$i | grep "bytes from" &
done | sort -t . -k 4,4n   # numeric sort on the last octet so .10 lists after .5
```

Output:

```
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64
64 bytes from 192.168.1.5: icmp_seq=1 ttl=128
64 bytes from 192.168.1.10: icmp_seq=1 ttl=255
```

💡 The TTL value in ping responses can reveal the target's operating system. Common defaults: Linux = 64, Windows = 128, Cisco/Network gear = 255. This is a quick OS fingerprinting technique.
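As an added example (not code from the original lesson), the following Python shows what the IP and ICMP text above describes at the byte level: it builds the IPv4 packet and ICMP Echo Request that a ping puts on the wire, verifies both RFC 1071 checksums, emulates the per-hop TTL decrement that a router performs (the mechanism traceroute relies on, since a router that decrements TTL to zero drops the packet and reports back), and applies the TTL-to-OS heuristic from the callout. The addresses, identifier and payload are constructed sample values, and the function names (`build_ipv4`, `forward_hop`, `guess_initial_ttl`, etc.) are this example's own. The OS guess is only a heuristic: initial TTLs are configurable and some stacks use other defaults.

```python
import struct
import ipaddress

# Default initial TTLs named in the callout: Linux 64, Windows 128, network gear 255.
DEFAULT_TTLS = ((64, "Linux/Unix-like"), (128, "Windows"), (255, "Cisco/network gear"))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields the text discusses and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,  # 1 = ICMP, 6 = TCP, 17 = UDP
        "total_length": total_len,
        # A header summed together with its own checksum field yields 0 when intact.
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def forward_hop(pkt: bytes):
    """Emulate one router: decrement TTL and recompute the header checksum.
    Returns None when TTL reaches 0, the point at which a real router drops the
    packet and sends ICMP Time Exceeded (the reply traceroute listens for)."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8] - 1
    if ttl <= 0:
        return None
    out = bytearray(pkt)
    out[8] = ttl
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", internet_checksum(bytes(out[:ihl])))
    return bytes(out)


def build_icmp_echo(request: bool, ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMP Echo Request (type 8) or Echo Reply (type 0); checksum covers the whole message."""
    icmp_type = 8 if request else 0
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def parse_icmp_echo(msg: bytes) -> dict:
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": internet_checksum(msg) == 0, "data": msg[8:]}


def guess_initial_ttl(observed_ttl: int):
    """TTL heuristic from the callout: the smallest common default at or above the
    observed value suggests an OS family and the hop distance to the host."""
    for default, family in DEFAULT_TTLS:
        if observed_ttl <= default:
            return default, family, default - observed_ttl
    raise ValueError("TTL above 255 is impossible")


if __name__ == "__main__":
    # Constructed sample: an Echo Request from a Linux host (TTL 64) that crosses
    # three emulated routers before reaching 192.168.1.5.
    req = build_ipv4("192.168.1.20", "192.168.1.5", 64, 1,
                     build_icmp_echo(True, 0x1234, 1, b"hello"))
    for _ in range(3):
        req = forward_hop(req)
    ip = parse_ipv4(req)
    print(ip["src"], "->", ip["dst"], "ttl", ip["ttl"], "checksum_ok", ip["checksum_ok"])
    print(parse_icmp_echo(ip["payload"]))
    # A reply arriving with TTL 125 reads as a Windows default of 128, three hops away.
    print(guess_initial_ttl(125))
```

Run it as a script to see the header fields after three emulated hops and the OS guess for a reply TTL of 125. The checksum check in `parse_ipv4` is the same test a receiving stack performs, which is why a packet modified in flight without recomputing the checksum is discarded rather than processed.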
| Protocol | Layer | Purpose | Hacker Relevance |
|---|---|---|---|
| IP | 3 (Network) | Addressing and routing | Spoofing, fragmentation attacks |
| ICMP | 3 (Network) | Diagnostics and error reporting | Recon, tunneling, DoS |
| TCP | 4 (Transport) | Reliable, ordered delivery | Port scanning, SYN floods, hijacking |
| UDP | 4 (Transport) | Fast, connectionless delivery | Amplification attacks, DNS abuse |
| ARP | 2/3 boundary | IP-to-MAC resolution | MITM, spoofing, cache poisoning |
| DNS | 7 (Application) | Name-to-IP resolution | Poisoning, tunneling, exfiltration |
| HTTP/HTTPS | 7 (Application) | Web communication | Web app attacks, credential theft |
When you type a URL into a browser, multiple TCP/IP protocols work together: DNS resolves the domain to an IP address, ARP finds the MAC address of your default gateway, IP routes the packets across the internet, TCP establishes a reliable connection, and HTTP carries the actual request. As a hacker, you can intercept, manipulate, or abuse any step in this chain.
⚠️ Many corporate networks block ICMP for 'security.' However, this is security through obscurity — a skilled attacker will simply use TCP-based discovery (e.g., SYN scans on port 80) instead. Never rely on ICMP blocking as a security control.