Chapter 3: Reconnaissance and Information Gathering

In this chapter, we will learn about the basics of networking. Without having a solid understanding of computer networks, you will not be able to go very far in the field of penetration testing and ethical hacking. We will cover some basic details about how networking works. We will also take a look at the different abstraction layers in networking and the role of each layer.

Every ethical hacking process starts with gathering relevant information about the target, and this chapter is dedicated to what type of information we can obtain and how this information can be useful to us. We will discuss the standard OSI model that's used to describe the network layers and how this model can be helpful for us. In this chapter, we will cover the following topics:

  • What is a computer network?
  • Classifying networks
  • Network stack
  • Network entities
  • Protection
  • Changing MAC

What is a computer network?

In the Information Technology (IT) domain, networking means the ability of two or more devices to communicate and exchange data with each other. In the early days of computing, computers were standalone systems that were unable to talk to each other, and their functionality was very limited. As the technology advanced, the need for communication between devices grew. In its simplest form, two computers that connect with each other over a medium form a network. This medium is the link through which these devices talk with each other. As we proceed, you will see that things become very complicated very quickly in computer networks:

Figure 3.1 – The simplest form of a network – two interconnected computers

As you will see in the following chapters, most modern-day computer networks are not built like this. For your computer to talk to other computers directly, it would need as many links as there are other computers, and this quickly becomes unmanageable. We will learn how to avoid this problem by using a middle node called a router in the Components of a basic computer network section. So, what happens when you want a network with 10 devices? We could run cables from every device to every other device and let them talk. The following diagram shows four computers talking with each other. As you can imagine, such a system becomes exponentially unmanageable as it grows. It has several drawbacks: it adds complexity to the system and wastes a lot of resources, since you need to maintain a cable between two computers even if they talk only for a very short time:

Figure 3.2 – Network with four nodes

To get rid of this redundancy, we can introduce a central device that will be responsible for allowing different devices to talk to each other. There are different types of central devices, all of which we will explore in the Components of a basic computer network section:

Figure 3.3 – Network with a central device

The preceding diagram resembles the network we have in our homes. A central device – in our case, the router – helps us communicate with other devices. This is a very primitive form of a network; networks in real life are much more complex than this. Coming back to the idea of what constitutes a network, a network is simply two devices that communicate and share data with each other through a medium. Now that we have seen what a network is and started talking about what goes into constructing one, let's look at the components in detail.

Components of a basic computer network

In this section, we will learn about the different components of a computer network. In computer network literature, you will often see the term node being used to represent a computer in a network. In networking domains, a specific nomenclature is used to identify particular devices in a network. We will look at these terms next.

Node
A node is usually a device that is connected to the central device. In a sense, it is a computer that takes part in a communication network. This works for simple and small networks, but as more and more devices get added to a network, different devices start taking up different roles, so we can only simplify a device's role in a network to "node" up to a certain point. In such scenarios, nodes can be your laptop, desktop PC, printer, tablet, phone, or any other network-connected device.

Server
Servers are computers that hold some information that can be shared over the network to devices that need them. Servers are usually online, which means that they serve devices by being continuously available to other devices.

Transmission media

The resource/link through which devices in a network are connected to each other and can communicate is called transmission media. It can be both wired and wireless. An example of wired transmission media is an Ethernet cable, which is typically used in local networks. Wi-Fi is an example of wireless transmission media.

Network interface card

To participate in a network, the connecting node/device must have something called a Network Interface Card (NIC). The role of the NIC is to take what you want to transfer and convert it into a form that's accepted by the transmission media.

Hub
A hub is a central device in a network. If you want to communicate with a node in a network, you probably won't have a direct link to the node. Instead, you should have a link through some central device – in this case, a hub. Your message/data will go to a hub, which will then broadcast it to the whole network. Depending on the content of the message, the respective device will answer.

Switch
A switch is a special type of hub. In contrast to a hub, which broadcasts the message to all the nodes, a switch only sends the message to the intended receiver. This greatly decreases traffic on the network, since devices that are not the intended receiver do not receive the message.

Router
So far, we have been talking about a single network. What if a computer wants to talk with a computer that is not present in your network? What if this computer is in France and the intended receiver computer is in a network in the United States? We can extend the concept of interconnection of computers to interconnection of networks. Routers are devices that help us communicate with external networks.

Gateway
A gateway is the endpoint router in a network. All the traffic coming in or going out of a network goes through it. It acts as a mediator between the internet and local devices. To the devices outside our own network, the gateway is the main communication point for any device in the local network.

Firewall
A firewall is an optional device in some networks. Firewalls can be software-based, such as your operating system's firewall, or they can be a hardware-based device for the whole network. The role of a firewall is to enhance the security of the system and to monitor the network traffic. This ensures that no unauthorized access is made to a network. Firewalls typically block all incoming connection requests to your local network, except those that have been authorized and mentioned in the rule engine of the firewall:

Figure 3.4 – Components in a network

As the name implies, a gateway serves as an entry point, as well as an exit point, to a local network. For practical reasons, in small networks the components such as the router, switch, gateway, and sometimes even the firewall are merged into a single physical device.

In this section, we learned about the different components of a network and what the role of each component is. Next, we will talk about how these different networks are classified.

Classifying networks

As more and more computers start connecting, it becomes essential to classify networks into different classes so that we can reason about them. There are various methods we can use for classification; however, the most common one is classification based on geography. We will discuss this next.

Local area network

When you connect your laptop or phone to a Wi-Fi router located in your home, you are essentially participating in a local area network (LAN). There are multiple types of connections you can make to a LAN, such as by using Wi-Fi, which is a wireless connection, or by using a wired connection such as an ethernet cable. There is no hard definition of what constitutes a LAN. However, a LAN is usually composed of devices that are in the same proximity in a building. LAN can be as simple as two devices connecting to a router or as complicated as LANs in universities and offices.

Ethernet
Ethernet is one of the most used technologies in LAN. Modern ethernet protocols offer very high speeds in a LAN. It is highly reliable and secure compared to wireless mediums. The ethernet protocol defines how the data will be transferred over LAN. Modern-day ethernet can provide speeds in the order of Gigabits per second.

Wi-Fi
Complementary to ethernet, which uses physical cables to connect devices to a network, Wi-Fi allows devices to connect with each other over a wireless medium. This removes the need for wires. It should be noted that even though it is wireless, communication between devices on a LAN is not direct. The data still goes through a central router, called an Access Point (AP), which forwards the data to the intended recipient.

A comparison between these two mediums is as follows:

Table 1.1 – Wi-Fi versus ethernet

Both mediums have their own pros and cons. Wireless is much easier to use for an average user and gives them more freedom of movement in the network, while cable-based ethernet is much faster and is often used when the need for mobility is low in a network. Now that we have learned about LAN, we will start looking at other geographical-based networks.

Personal area network

In contrast to a LAN, a personal area network (PAN) is usually very small. The range of a PAN is in the order of tens of meters only. An example of a PAN would be two Bluetooth-based devices talking to each other. In rare cases, PANs are also connected to LANs.

Metropolitan area networks

Sometimes, we tend to merge several small local area networks into a single category. They are usually called metropolitan area networks (MANs). An example of a MAN would be government offices located in different areas of a city connected to a single network. These networks are usually restricted to a city.

Wide area network

As the name indicates, a wide area network (WAN) is a network that spans a large geographical area. A WAN usually constitutes a network within a country.

Internet
So far, we have only discussed networks in one geographical location. Inter-network, or the internet, is a giant network that connects different networks located in different geographical locations to each other. With this huge network, you can communicate with any device anywhere in the world, provided it is also connected to the internet. Different WANs are connected to each other through very high-speed fiber optic networks:

Figure 3.5 – Networks by scale

So far, we have discussed the physical components of and different types of networks. This gave us an overview of networking in computers. Now that we are aware of the basics of networking, we can start diving deeper into how data is transferred from one device to another in a network.

Network stack

The previous section gave us a high-level introduction to networking. Now, we will learn about how the actual bits and pieces are transferred over a network.

Introduction to OSI model

From the time you type a message in an application to the time that it gets delivered to its intended recipient, your message passes through different layers in a communication system. To help us understand all the communication processes and mediums your data passes through before it reaches its destination, a framework was conceptualized to describe the functionality of a networking system. This model is called the Open Systems Interconnected (OSI) model. This model is not applied to the internet alone and can be applied to any modern communication system:

Figure 3.6 – 7-layer OSI stack

The OSI model contains 7 layers that conceptualize how data is transferred over any electronic communication medium. Let's look at these layers in more detail.

Application layer

The application layer is the top-most layer of the OSI stack. This is the layer that the user interacts with. Any internet-connected device you use probably has an application layer interface. It serves as an input/output endpoint to the user. Any data you send is added to the application layer and any data you receive from the others is displayed over this layer.

Presentation layer

This layer resides below the application layer and is responsible for converting data into a useful format. The data from the application layer comes in different formats and is usually not in the most readable form for the communication system. Here, data gets converted into a suitable form. Also, the user data is not encrypted when it leaves the application layer. At the presentation layer, encryption is usually added to the data for security purposes.

Session layer

Below the presentation layer is the session layer. Once the data is ready to be sent, the sending device and the receiving device must establish a connection so that they can send data over the channel. The session layer helps do just that – it establishes a connection from your device to the recipient device.

Transport layer

Once the session has been established between two devices, the data is ready to be sent over the channel. The transport layer takes the actual data to be sent and divides it into smaller and manageable chunks, called segments, that can be sent over the link. It is also responsible for receiving segments of data from other devices and assembling it back for your consumption.

The transport layer is also responsible for flow and error control. Different transmission media have different speeds and different error rates. It is the job of the transport layer to ensure that the data is transmitted correctly.

Network layer

The role of the network layer comes into play when we want to communicate with devices that are not present on the same network. The network layer breaks down segments from the transport layer into even smaller packets. The network layer also determines the best possible route for the packet to take to reach its destination.

Data link layer

This is somewhat similar to the network layer; however, it facilitates communication between devices in the same network. The data link layer breaks down packets into frames.

Physical layer

This is the lowermost layer of the stack and is where the data entered by the user is converted into physical signals that can be transported over transmission media. In the case of a digital system, this means that 0s and 1s of data are converted into their suitable representations in physical systems, such as voltage levels.

Complete cycle

The complete cycle for communication is as follows:

Figure 3.7 – Data transmission in the OSI stack

The data that's entered by the user goes from the application layer down to the physical layer, and then from the physical layer up to the application layer at the other end.

TCP/IP model

The previously shown model is a very generic model that conceptualizes communication in any medium. However, how computer networks work is a special case of the OSI model and is commonly referred to as the TCP/IP model. You will often see this model mentioned in the literature instead of the more generic OSI model:

Figure 3.8 – TCP/IP stack

In contrast to the OSI model, which has seven layers, the internet stack has four layers. Let's look at them in more detail.

Application layer

This is the topmost layer. This layer is responsible for process-to-process communication. Common application layer protocols include HTTP, FTP, SSH, DNS, and others.

Transport layer

TCP and UDP are common protocols at this layer. This layer is responsible for end-to-end communication and error control. TCP is connection oriented, while UDP is a connectionless protocol.

Internet layer

This layer parallels the network layer in the OSI stack. It defines protocols that are responsible for logically transferring data from one node to another. One of the most famous protocols at this layer is the IP protocol, which uses IP addresses to communicate between devices.

Network access layer

This layer combines the data link and the physical layer in the OSI stack.

Mapping the OSI and TCP/IP stack

The layer mapping for the OSI and TCP/IP stack is as follows:

Figure 3.9 – Mapping for the TCP/IP and OSI stack

The preceding image shows how the OSI stack is mapped to the TCP/IP stack for use in network communication. As we mentioned previously, even though the OSI model is a more generic model, the functionality of some of the layers in the OSI model can be merged into one layer in the TCP/IP stack. Now that we have learned how the data moves in a network at a conceptual level, we will dig more deeply into the actual bits and pieces of communication at the byte level.

Network entities

Before proceeding, we will introduce a few network-related concepts that will be used throughout this book. Having prior knowledge of them is essential so that you have a complete understanding of this book.

Private IP address

An internet protocol (IP) address is a unique identifier that identifies a device in a network. An IP address is a 32-bit number. Whenever you connect to a new network, you are either assigned a new IP address by a Dynamic Host Control Protocol (DHCP) server or you get an IP address stored in your system configuration if it is available. This is usually called a local/private IP address. More often than not, you will see this address in the form 192.168.1.x.

Important Note about IP Addresses

IP addresses are 32-bit, which means that there are only 2^32 = 4,294,967,295 internet addresses available. The IP address is an old protocol and when it was developed, there were not many internet-connected devices. At the time, 4 billion devices was considered a sufficient number. However, as we have seen recently, there are far more than 4 billion devices in the world today, so how do all the devices get their addresses? This is done through the Network Address Translation (NAT) protocol, which we will look at in a moment.

In addition to a private IP address, we also have a public IP address. To avoid the problem of running out of IP addresses when each new device gets a new unique IP address, we use a protocol called NAT. Instead of giving each device a new IP address, when you get an internet connection from your Internet Service Provider (ISP), you will only get one public IP address. This will be associated with your router/gateway. This IP address will be accessible to all the other networks on the internet. So, every device within this network will use this public/gateway IP address to communicate with any device outside the network. The following diagram illustrates this:

Figure 3.10 – Public and private IPs

Let's consider your home LAN network, which contains four devices – three PCs and one router/gateway. When you get an internet subscription from your ISP, you will get a public IP address or a WAN IP address. In the preceding example, the public IP is This is associated with your router. If you connect to the router and go on the internet and search for your public IP, you will get this IP. You can also find this IP on your router's setting page. In addition to the public IP, each node in the network will have a private IP address. This address is not visible to the devices outside of this LAN. The private IP addresses in the preceding example are, 60, and 80. Each of these devices will appear to have an IP address of to the devices external to this network.

So, to external devices, all these internal PCs will look like one device. So, how does the data coming in and going out of a network know which PC to go to? This is done using a media access control (MAC) address. Inside the internal network, the devices only work through MAC addresses. MAC addresses will be explained in the MAC address section.

Public versus private IP addresses

The main differences between public and private IP addresses are as follows:

Table 3.2 – Differences between public and private IP addresses

The IP addresses we have seen so far are IPv4 addresses, which are quite popular. However, there are other addresses as well. Let's take a look.

IPv4 versus IPv6

So far, the IP addresses we have learned about are called IPv4 addresses. There is another version of the IP address called IPv6. These are 128-bit addresses. They have been created to be used in future computing systems. However, their adoption has been slow due to the use of the NAT protocol. Currently, only 40% of the internet supports IPv6 addresses.

MAC address

A MAC address is also called a hardware address and is usually associated with the NIC. Each NIC has its own MAC address. A MAC address is a physical number that's assigned by the manufacturer. Each manufacturer is assigned a pool of numbers that it can use to manufacture its products. A MAC address is a 48-bit number:

Figure 3.11 – MAC address bytes

Next, let's discuss ports.

Ports
While a MAC address uniquely identifies a NIC, which the data uses to identify the correct device it should go to, a port identifies a unique service running on a PC. It serves as a logical endpoint of communication. Each device has multiple applications sending or receiving data over a network. For example, you could be browsing on your PC while you have a download running in the background and another service is uploading data to a server. Once the data reaches your PC, it uses ports to distinguish between the different processes the data belongs to. There are a total of 65,535 ports on a system. Some of the first 1,024 are reserved and it is not recommended to use these ports.

Protection
So far in this chapter, we have learned about the basics of computer networking, which are essential to understanding the rest of this book. Now, we will start looking at what parameters can be used to track us and how we can protect ourselves. In the previous chapter, we learned that the first step in ethical hacking is information gathering. But before we start gathering information, we must make sure that our identity is protected. Otherwise, we can be easily tracked. Your identity can be tracked back to you with a number of parameters. The most common is your IP address and your MAC address.

To mask your public IP address, you can use Virtual Private Networks (VPNs). We will not be discussing VPNs as they are not in the scope of this book. One important thing to note here is that you should not put complete trust in your VPN provider. From a security point of view, using a VPN simply means that you are handing over your trust from your internet service provider (ISP) to another company that provides VPN services. You should be very careful about your choice of VPN and, from a cybersecurity aspect, you should be very cautious about free VPNs, as a lot of them are bundled with malware or use your PC's resources for other purposes, such as bitcoin mining. Some VPNs leak your domain name server (DNS), a server used for mapping website names to IP addresses, even though they might claim to mask your identity.

However, when we are scanning our local networks, we can be traced with our MAC address. In Chapter 2, Getting Started – Setting Up Your Lab Environment, we installed two virtual machines: Kali and Windows 10. The Kali machine will be our attack machine. Our machine has a NIC, which is used to communicate with other devices. This NIC has a MAC address. In the Changing our MAC address section, we will try to spoof a MAC address so that we can change it when scanning. By doing this, even if the intrusion detection system (IDS) finds out that we were scanning a port on a PC, it will not find out our real MAC address.

Changing our MAC address

In this section, we will try to change our MAC address on the Kali machine. Let's start our Kali machine and open up a Terminal. To change the MAC address, you will need to install the net-tools package. In most Linux distributions, this tool is already available. However, if it is not installed, you can install it using the following commands:

sudo apt-get update -y

sudo apt-get install -y net-tools

It will prompt you for a password, which is kali. Once the tools have been installed, you can view the MAC address with the following command:

sudo ifconfig

If everything goes well, you will see an output similar to the following:

Figure 3.12 – ifconfig command output

There is a lot to unpack here, so let's break it down. There are two entries here, called eth0 and lo. eth0 is the name of the NIC, whereas lo is the loopback adapter. For now, we can ignore the loopback adapter. The inet field is the private IP address of the Kali machine. inet6 is the IPv6 address of the Kali machine. ether is the MAC address, and this is the field we want to change.

If you want to change the MAC address, you can't do so while the NIC is turned on. First, you have to shut down the network interface. To shut down the interface, you can use the following command:

sudo ifconfig eth0 down

This command will shut down the NIC named eth0. If you don't see an error in the command's output, this means that the command ran successfully.

Now, if you type in the ifconfig command again, you will see the following output:

Figure 3.13 – Shutting down a network interface card

Now, you will only see the loopback adapter and that eth0 has been turned off. To change the MAC address, you can run the following command. Let's say you want your new MAC address to be 00:11:22:33:44:55. Here, you can do the following:

sudo ifconfig eth0 hw ether 00:11:22:33:44:55

This command changes the eth0 interface and the ether parameter of this NIC:

Figure 3.14 – Changing MAC address

Now, if there is no error, this means that the command ran successfully. At this point, we can turn on the interface again by running the following command:

sudo ifconfig eth0 up

Now, let's run the ifconfig command again to see if our changes took place:

Figure 3.15 – Changed MAC address

Here, you can see that the MAC address has been changed successfully. Now, if we want to scan something in a network, this MAC address will be shown instead of our real MAC address.

Creating a Python script

So far, we have written manual commands to change our MAC. Ideally, we would like to write a Python script that will help us to change it. To do this, we need to find a way to run bash commands with the help of Python. Luckily, Python has a standard library that it uses to run system commands called subprocess. This library allows you to interact with the underlying OS.

To import this library into your module, you can simply write the following command:

import subprocess

To run a command, subprocess has a method called run. Using this method, you can execute system commands on your operating system. If you want to see the information about eth0, you can run the following command:

subprocess.run(
        ["ifconfig", "eth0"]
)

This function takes the command and its arguments as a list of strings. Because we do not capture or redirect its output, the command's output is printed straight to the console. The shell=True parameter is not needed for this: when it is combined with a list, only the first element is passed to the shell as the command, so eth0 would be dropped.

If you run the previous file, you will see an output similar to running the ifconfig eth0 command. Note that you need to be a root user to run the command, so it should look like this:

sudo python3

Here's the output:

Figure 3.16 – Running system commands using Python

Now that you know how to run system commands using Python, you can repeat the preceding commands using Python. The full code is as follows:

import subprocess

if __name__ == "__main__":
    interface = "eth0"
    new_mac = "22:11:22:33:44:57"

    # The interface must be down before its hardware address can be changed
    print("Shutting down the interface")
    subprocess.run(["ifconfig", interface, "down"])

    print("changing the interface hw address of ", interface, " to ", new_mac)
    subprocess.run(["ifconfig", interface, "hw", "ether", new_mac])
    print("MAC address changed to ", new_mac)

    # Bring the interface back up with the new address
    subprocess.run(["ifconfig", interface, "up"])
    print("network interface turned on")
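As an added example (not code from the book), the following helpers pull the fields we looked at in the ifconfig output (inet, inet6, ether) out of a constructed sample of that output, and decode a MAC address before a script like the one above hands it to ifconfig. They also show what defensive tooling can see: in the first octet, bit 0 is the IEEE I/G (multicast) bit and bit 1 is the U/L (locally administered) bit, which is clear in 00:11:22:33:44:55 but set in 22:11:22:33:44:57, so an IDS can flag a changed address as not coming from any manufacturer's pool even though the real MAC stays hidden. The sample output, addresses and function names are constructed for this example.

```python
import re

# Constructed sample of `ifconfig` output in the shape described in the
# "Changing our MAC address" section (eth0 plus the lo loopback adapter).
# The addresses are made-up example values, not captured from a real host.
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.23  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
        ether 22:11:22:33:44:57  txqueuelen 1000  (Ethernet)
        RX packets 1024  bytes 98304 (96.0 KiB)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
"""

# Six colon-separated hex octets, the form ifconfig prints and accepts
MAC_RE = re.compile(r"^([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):"
                    r"([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})$", re.I)


def parse_ifconfig(text):
    """Return {interface: {"inet": ..., "inet6": ..., "ether": ...}}.

    An interface block starts with a line like 'eth0: flags=...'; the
    following indented lines carry the inet, inet6 and ether fields.
    Fields that are absent (lo has no ether line) stay None.
    """
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+):\s+flags=", line)
        if header:
            current = header.group(1)
            interfaces[current] = {"inet": None, "inet6": None, "ether": None}
            continue
        if current is None:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("inet", "inet6", "ether"):
            interfaces[current][fields[0]] = fields[1]
    return interfaces


def describe_mac(mac):
    """Validate a MAC address string and decode the bits an analyst cares about.

    Bit 0 of the first octet is the I/G bit: 1 means a multicast (group)
    address, which is never a NIC's own address. Bit 1 is the U/L bit: 1
    means locally administered, i.e. not assigned from a manufacturer's
    pool, which is how an address set with `ifconfig ... hw ether` looks.
    The first three octets are the OUI, the manufacturer prefix.
    """
    m = MAC_RE.match(mac.strip())
    if not m:
        return {"valid": False}
    octets = [int(x, 16) for x in m.groups()]
    first = octets[0]
    return {
        "valid": True,
        "oui": "%02X:%02X:%02X" % tuple(octets[:3]),
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
    }


def check_interface(text, name="eth0"):
    """Find an interface's MAC in ifconfig output and describe it."""
    iface = parse_ifconfig(text).get(name)
    if iface is None or iface["ether"] is None:
        return None
    return describe_mac(iface["ether"])


if __name__ == "__main__":
    for name, info in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(name, info)
    print("00:11:22:33:44:55 ->", describe_mac("00:11:22:33:44:55"))
    print("eth0 in sample   ->", check_interface(SAMPLE_IFCONFIG))
```

Validating new_mac with describe_mac before calling ifconfig also catches typos such as dash-separated or five-octet addresses, which ifconfig would otherwise reject only at runtime.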

If you check the interface again, you will be able to see the new MAC address:

Figure 3.17 – New MAC address

Now that we have learned how to run commands on a system and how to change the MAC address of a system using Python, we will stop our discussion here. In the next chapter, we will look at information gathering.

Summary
In this chapter, we learned about the basics of networking and how we can protect ourselves on a local network by spoofing our MAC address for scanning purposes. This chapter helped us get a deeper insight into the networking aspects of the computer system, as well as how we can use Python to protect and mask our identity in a local network. In the next chapter, we will learn about scanning local networks.
