How the Internet Works — Through a Hacker's Lens
No fluff. No marketing. Just the protocol trust models, attack techniques, real-world case studies, and defense strategies that actual attackers and defenders use every day.
"There is no patch for human stupidity."
— Kevin Mitnick, "The Art of Deception" (2002) — once the world's most wanted hacker
Protocols, Trust & Exploitation
A protocol is a set of agreed rules for formatting and exchanging data. The internet is not a single system — it's a stack of protocols layered on each other. Every layer trusts the one below it, and that trust is precisely what attackers exploit.
"The Internet was not designed with security in mind. It was designed to survive a nuclear war — reliability over confidentiality."
— Security axiom referencing ARPANET's origins, often cited in CEH training material
TCP is the workhorse of reliable internet communication. It establishes a session using a 3-way handshake (SYN → SYN-ACK → ACK) and uses sequence numbers to track the order of packets. Once a session is established, neither side re-authenticates — the sequence number is the only "proof" of identity.
Assumes sequence numbers and port numbers are unpredictable and therefore can't be guessed by a third party observing the network.
Session Hijacking — guess or observe the sequence number, inject packets appearing to come from a trusted host. Server has no way to distinguish real from fake.
IP handles addressing and routing — it decides how packets travel across the global internet. Every packet contains a source IP address, but there is absolutely no mechanism for verifying that the stated source IP is accurate. Any machine can write any IP address in that field.
Zero authentication of source IP address. The internet routes packets based on destination only — it doesn't care whether the source is real.
IP Spoofing — forge the source address to bypass allow-lists, or reflect amplified attack traffic at a victim (DNS/NTP/Memcached amplification DDoS). Responsible for the largest DDoS attacks in history.
DNS is the internet's phone book — it translates domain names into IP addresses. It runs over UDP (connectionless, no state), relying solely on a 16-bit transaction ID and a 16-bit source port for response validation. That's only 32 bits of randomness — trivially brute-forceable by a fast attacker.
Matching transaction ID + source port. No cryptographic proof that a response is authentic. Cache entries are trusted for their full TTL period.
DNS Cache Poisoning — race to inject a fake DNS response before the real server replies. If you win, the resolver caches your fake record. Millions of users get directed to your server when they type a trusted domain.
HTTP is the protocol for all web traffic. Plain HTTP transmits everything in cleartext — passwords, session tokens, private messages — all visible to anyone on the same network. HTTPS wraps HTTP in TLS for encryption, but trust in HTTPS depends entirely on Certificate Authorities (CAs) not being compromised or coerced.
HTTP: none. HTTPS: trusts the CA ecosystem — 150+ root CAs pre-installed in browsers. Any single compromised CA can issue a valid certificate for any domain.
Downgrade attacks (strip HTTPS to HTTP), rogue CA certificates (DigiNotar 2011), session hijacking via cookie theft on unencrypted connections (Firesheep, 2010).
ARP maps IP addresses to MAC (hardware) addresses on a local network. When your computer needs to talk to the router, it broadcasts "Who has IP 192.168.1.1?" The router replies with its MAC address. There is no authentication — any machine can reply to any ARP request, and machines also accept unsolicited "gratuitous ARP" replies that they never asked for.
Completely unauthenticated. Machines accept the most recent ARP reply they receive, overwriting their cache immediately. No verification of legitimacy.
ARP Spoofing (MITM) — broadcast "I am the default gateway" with your MAC. All LAN traffic flows through you first. Read, modify, or selectively drop packets before forwarding.
Four Ways Experts Weaponize Protocol Trust
HTTP, DNS, ARP, and NTP all transmit in plaintext. On shared networks (coffee shop Wi-Fi, compromised switches, misconfigured cloud VPCs) a passive observer reads everything. DNS queries alone reveal every website visited — even when the pages themselves use HTTPS. Tools: Wireshark, tcpdump, Bettercap.
Since ARP and DNS have no authentication, attackers craft and broadcast fake responses. ARP replies to redirect LAN traffic. DNS responses to hijack domain resolution. TCP RST packets to forcibly terminate connections between two parties — a technique used by the Great Firewall of China and some DDoS services.
Protocols without timestamps or nonces (one-time random values) are vulnerable to replay attacks. A captured legitimate DHCP ACK can be retransmitted to reassign a machine's DNS server to an attacker-controlled resolver — silently redirecting all name resolution with no visible disruption to the user.
Protocols that respond to small requests with large responses become DDoS weapons when combined with IP spoofing. The attacker sends 1 Gbps of small spoofed requests to thousands of open DNS resolvers or NTP servers. Those servers each send large replies to the victim's IP. DNS amplification achieves ~50x multiplier. Memcached achieved ~51,200x in the 2018 GitHub attack (1.35 Tbps).
Protocol Attacks That Changed the Internet
Security researcher Dan Kaminsky discovered that virtually all DNS resolvers in production were vulnerable to cache poisoning far faster than anyone realized — an attack taking hours could be reduced to seconds.
By rapidly sending thousands of fake DNS responses — each with a different transaction ID guess — an attacker could statistically win the race against the legitimate DNS server, poisoning a resolver's cache with a malicious record.
Every person using a poisoned resolver would have their traffic silently redirected — banking, email, anything — to attacker-controlled servers. No indication anything was wrong. Scale: most of the internet.
Kaminsky coordinated a synchronized, industry-wide patch release across all major DNS vendors on the same day (July 8, 2008). The fix: randomize the source port of DNS queries (adds 16 more bits of entropy, making guessing 65,535x harder). DNSSEC is the permanent solution but remains under-deployed.
GitHub was hit with 1.35 Terabits per second of traffic — at the time the largest DDoS attack ever recorded. GitHub was unreachable for approximately 10 minutes.
Attackers used Memcached servers (a caching system commonly exposed on the public internet on UDP port 11211) as reflectors. A 203-byte spoofed request to a Memcached server could generate a 100MB response — a 51,200x amplification factor. With IP spoofing, all responses flooded GitHub.
Only ~6,000 Memcached servers were needed to generate 1.35 Tbps. GitHub is critical infrastructure for millions of developers globally — even 10 minutes of downtime disrupts CI/CD pipelines, deployments, and development workflows worldwide.
GitHub routed traffic through Akamai Prolexic (a scrubbing service) within 10 minutes, which absorbed and filtered the attack. Long-term fix: firewall UDP port 11211 on Memcached servers. GitHub also invested in direct DDoS mitigation capacity. Cloudflare independently blocked a 1.7 Tbps Memcached attack days later.
Dutch CA DigiNotar was compromised, and attackers issued fraudulent SSL certificates for google.com, Mozilla, CIA, MI6, and 500+ other domains. Iranian users' Gmail traffic was intercepted using a valid-looking HTTPS certificate.
Attackers breached DigiNotar's internal systems (likely via a web application vulnerability), gained access to certificate issuance systems, and issued wildcard certificates for high-value domains — all without the domain owners' knowledge. The fraudulent *.google.com certificate was used for HTTPS interception (MITM) in Iran.
This exposed a fundamental architectural weakness in HTTPS: any of 150+ root CAs can issue a certificate for any domain. Compromising one CA breaks HTTPS trust globally. 300,000+ Iranian Gmail users had their encrypted traffic intercepted in real-time by state actors.
All major browsers revoked DigiNotar's root certificate, instantly destroying their business. The incident accelerated development of Certificate Transparency (CT) logs — a public, append-only record of every issued certificate — and HPKP (HTTP Public Key Pinning, now deprecated in favor of CT). DigiNotar went bankrupt within weeks.
Common Attacks Using Legitimate Web Components
The most effective attacks don't break security — they abuse features that already exist and are intentionally allowed. SQL databases accept queries. Browsers execute JavaScript. Servers follow redirects. Attackers inject malicious input through these channels.
"Hackers don't break in. They log in."
— Common red team saying; popularized by Marcus Hutchins (MalwareTech) and the broader pen testing community
Every component that accepts input, resolves names, or follows redirects is a potential attack surface. Security must be applied at the input boundary — never assume anything inside the system is safe once input enters.
| Attack | Component Abused | Mechanism | Example / Result |
|---|---|---|---|
| SQL Injection | Dynamic SQL queries | User input is inserted directly into a query without parameterization. The attacker escapes the string literal and rewrites query logic — turning a lookup into a full data dump, auth bypass, or even file read/write on some databases. | `' OR 1=1 --` bypasses login. `'; DROP TABLE users; --` deletes data. |
| Cross-Site Scripting (XSS) | Browser's JavaScript engine | Attacker injects `<script>` into stored content. When any user loads the page, their browser executes attacker code in the context of the legitimate site — full access to cookies, localStorage, and the DOM. | Stored XSS in a forum steals every visitor's session cookie. Attacker gets account access without a password. |
| CSRF | Browser's automatic cookie attachment | Browser attaches session cookies to any request to the target domain, regardless of which site initiated it. An attacker's page crafts a cross-origin request to the victim's bank — the browser authenticates it with the user's live session. | Victim visits evil.com. An invisible form posts to `/bank/transfer?to=attacker&amount=5000`. Bank authorizes it. |
| Path Traversal | Server's file system API | Web servers that serve files based on user-supplied paths without validation can be walked "up" the directory tree. The attacker escapes the web root and reads any file the server process has access to. | `GET ../../../../etc/passwd` reads the Linux user database, often containing password hashes. |
| SSRF | Server's HTTP client | Features that fetch user-supplied URLs on behalf of the user can be pointed at internal services. The server has access to internal networks, metadata endpoints, and credential stores that external users cannot reach directly. | `fetch('http://169.254.169.254/latest/meta-data/')` on AWS retrieves IAM credentials with full cloud access. |
| DNS Rebinding | Same-origin policy + DNS TTL | Domain initially resolves to attacker's IP (allowed by same-origin). TTL is zero. DNS then flips to point to an internal IP (127.0.0.1, 192.168.x.x). Browser's same-origin check passes because the hostname didn't change — JavaScript now queries localhost services. | Attacker's JS reads internal router admin panel, exfiltrates network configuration, or accesses local Kubernetes API servers. |
Web Attacks That Defined Security History
Samy Kamkar injected a JavaScript payload into his MySpace profile. The script added him as a friend and copied itself to every visitor's profile. It spread to 1 million profiles in under 20 hours — crashing MySpace's servers.
MySpace filtered many XSS vectors but Kamkar found they allowed certain CSS attributes that could embed JavaScript. He crafted a payload split across multiple CSS properties to bypass the filter, with a CSRF component that forged friend requests and self-replicated the worm.
It demonstrated that XSS could be weaponized for self-replicating worms with zero user interaction beyond visiting a page. The "Samy is my hero" worm didn't steal data — but the same technique could deliver a keylogger to a million users in 20 hours.
MySpace took their site offline to clean infected profiles. Samy Kamkar was convicted under the Computer Fraud and Abuse Act. The incident drove widespread adoption of Content Security Policy (CSP) headers and more rigorous HTML sanitization standards.
Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) — a deserialization flaw in the Content-Type header handling — to gain remote code execution on Equifax's dispute portal. They spent 76 days inside the network before detection.
A single HTTP request with a malicious Content-Type header executed OS commands on the server. Attackers then pivoted through 48 unrelated systems using unencrypted, unrotated internal credentials found in plain text config files. Data was exfiltrated in small encrypted batches to avoid triggering rate-based alerts.
A credit bureau holds the most complete financial profiles of virtually every adult American. SSN + DOB + credit history enables identity theft, loan fraud, and tax refund fraud — harms that victims experience for years. The patch for the Struts vulnerability had been available for 2 months before the breach.
Equifax paid $575 million in FTC settlements and $380+ million in class action settlements. The breach accelerated CISA's "Known Exploited Vulnerabilities" (KEV) catalog. Congress held extensive hearings. The key lesson: patch management and network segmentation are not optional.
Backdoors — Types, Setup & Traffic Patterns
A backdoor is persistent, hidden access that bypasses normal authentication. Once an attacker has a foothold, a backdoor ensures they can return even if the original vulnerability is patched or credentials are rotated.
"The hacker mindset doesn't actually see what happens on the other side, to the victim."
— Bruce Schneier, "Secrets and Lies" — one of the most cited security authors of the past 30 years
A vulnerability gives one chance. A backdoor gives unlimited, silent, persistent access. Professional attackers install redundant backdoors immediately after initial compromise — specifically designed to survive patching, reboots, and credential changes.
The victim machine initiates outbound connection to the attacker's server. Most firewalls block unsolicited inbound connections but permit outbound — making this the most common post-exploitation technique. Often disguised as HTTPS traffic on port 443.
Interactive shell session, command I/O, file uploads/downloads via base64-encoded cat, port forwarding tunnels. Metasploit's Meterpreter uses encrypted channels and can migrate between processes.
A malicious script (PHP, JSP, ASPX) uploaded to a writable web directory. Accessed like any normal web page — commands passed via URL parameters or POST body. Survives server reboots and patch cycles unless the file is found and deleted.
HTTP/S POST requests with commands. Responses returned as web page body. Visually identical to legitimate web traffic in network logs. Highly persistent — only deleted if discovered.
Attacker appends their SSH public key to the victim's ~/.ssh/authorized_keys. Grants permanent passwordless access regardless of account password changes or MFA — SSH key auth bypasses passwords entirely by design.
Fully encrypted SSH session — interactive shell, SCP/SFTP file transfers, port forwarding for tunneling other protocols through the SSH connection. Indistinguishable from legitimate admin activity.
A scheduled task re-downloads and executes a payload every X minutes. Even if the malware binary is found and deleted, it will be re-fetched at the next cron interval. Designed for resilience against incident response cleanup.
Periodic outbound HTTP/HTTPS GET requests. No persistent open port. Nearly invisible without auditing /etc/cron.d/, /var/spool/cron/, and startup scripts against a known-good baseline.
A malicious Linux kernel module (.ko file) intercepts system calls to hide processes, network ports, and files from the OS. Requires root to install. Invisible to standard tools (ps, netstat, ls, find) — the OS lies to you. Detection requires external memory forensics.
The rootkit manipulates kernel data structures to hide itself completely. Triggers a root shell via a secret magic password, a crafted network packet (knock), or a special file name. Survives as long as the kernel is running.
Data is encoded into DNS query hostnames. Attacker controls the authoritative server for a domain. Malware sends DNS queries like ZXhuZg==.data.attacker.com — the authoritative server logs and decodes every chunk. Two-way communication is possible by encoding commands in DNS response records.
Any data, chunked into DNS subdomain labels. Credit card dumps, private keys, shell commands — disguised as completely normal DNS lookups. Bypasses most network monitoring. Tools: iodine, dnscat2.
What Can Go Through Any Backdoor
Delete audit logs and SIEM events to cover tracks. Add new backdoor user accounts (net user /add). Disable antivirus and EDR. Modify firewall rules to permit new access. Dump LSASS memory for credential extraction. The OS shell is the most dangerous tool on a compromised host.
Copy and exfiltrate customer databases, source code, cryptographic keys, API tokens, or employee records. Upload ransomware payloads for simultaneous detonation across the network. The 2020 SolarWinds attackers spent months silently exfiltrating from ~18,000 organizations before triggering ransomware stages.
Use the compromised machine as a jump host to reach internal systems not accessible from the internet. The inside host is trusted by internal services, databases, and admin interfaces. Techniques: Pass-the-Hash, Kerberoasting, Golden Ticket attacks (in Active Directory environments).
Install a second, third, and fourth backdoor using different mechanisms. Professional red teams and APT groups always assume initial footholds will be discovered. The SolarWinds SUNBURST implant had multiple fallback C2 mechanisms specifically designed to survive partial remediation.
"They were in the system for nine months. We just didn't know it."
— Kevin Mandia, FireEye CEO, describing the SolarWinds supply chain attack that affected 18,000 organizations including US government agencies (2020)
Defense — What Works, What's Hard, What's Nearly Impossible
Security is not a product — it's a practice. Layered defense-in-depth means attackers must bypass multiple independent controls. The goal isn't perfection — it's making your organization a harder target than the next one.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles."
— Sun Tzu, "The Art of War" — quoted in virtually every red team curriculum and penetration testing certification
Effective — Do These Now
Hard but Achievable
Near-Impossible to Fully Solve
These aren't bugs — they're architectural decisions made when the internet was designed for trusted researchers. Fully fixing them would require replacing the protocols themselves across every device and provider simultaneously.
| Problem | Why It Can't Be Fully Fixed | Best Available Mitigation |
|---|---|---|
| IP Spoofing | ARP has no authentication. On a local broadcast domain, any machine can claim any IP. Replacing ARP breaks millions of legacy devices globally. | 802.1X NAC + DHCP snooping + Dynamic ARP Inspection on managed switches. BCP38 at ISP level (rarely deployed). |
| DNS Cache Poisoning | 32 bits of entropy (transaction ID + port) is guessable with modern hardware. DNSSEC solves it cryptographically but <10% of zones are signed after 20+ years. | Port randomization (done). DNSSEC where deployed. DNS-over-HTTPS for query privacy. |
| BGP Hijacking | BGP relies entirely on peer trust. Any ISP can announce any IP range. No cryptographic verification of prefix ownership in base protocol. | RPKI (Route Origin Authorizations). Many ISPs still ignore RPKI validity even when deployed by their peers. |
| Spectre / Meltdown (Side-Channels) | CPU speculative execution is fundamental to modern performance. The attack reads memory across isolation boundaries using cache timing. Fixing it completely requires new CPU microarchitecture. | Retpoline (Spectre), KPTI (Meltdown), core isolation. 5–30% performance penalty. New variants continue to emerge. |
| Insider Threat | A legitimate admin with real credentials is indistinguishable from an attacker with stolen identical credentials. Intent cannot be reliably inferred from access patterns without massive false-positive rates. | Just-in-time privilege access, privileged access workstations, UEBA behavioral analytics, mandatory 4-eyes approval for sensitive operations. |
| HTTP Request Smuggling | Disagreements between how proxies and backends parse Content-Length vs Transfer-Encoding allow requests to be "hidden" inside others. It's a specification ambiguity, not a single patchable bug. | Normalize all requests through a single HTTP parser before backend. Disable H/1 keep-alive at edge. But you still trust your parser's correctness. |
Defenses That Create False Confidence
Avoid These
Hacker Quotes from Film & Reality
The hacker ethos — curiosity, persistence, and thinking outside the designed use case — has been captured in film, television, and the words of real practitioners. These aren't just movie lines; they reflect how practitioners actually think.
Give a man a fish and you feed him for a day. Teach a man to phish and he'll own your entire domain.
I am not a criminal. I am a researcher. I find holes in systems so that others can patch them — preferably before someone worse than me does.
Who am I? That is not the question. The real question is — who am I NOT?
No system is safe. That's not a threat — it's a design constraint.
The world isn't run by weapons anymore, or energy, or money. It's run by ones and zeros — little bits of data. It's all just electrons.
There is no patch for human stupidity. Social engineering will always be the most effective attack vector — not because people are dumb, but because they're kind.
Hacking is not just about breaking in. Hacking is about understanding a system well enough to make it do something it was never designed to do.
Mess with the best, die like the rest.
I'm in. This is it. I'm hacking the Gibson.
Every normal human being is afraid of the dark. And rightfully so. The dark is where the hackers live.
They watched everything we did. Every transaction. Every communication. And they used it. The truth is, they could do this because we let them.
Assume breach. It's not if you'll be compromised — it's when. Plan your security posture around that reality.
Security is always excessive — until the day it's not enough.
The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards.
Being powerful is like being a lady. If you have to tell people you are, you aren't.
Before you are a hacker, you must be a builder. You cannot break something you don't understand.
The quiet ones are always the most dangerous. The noisy hackers get caught. The ones you never hear about are the ones who own you for years.
I was 16, going on 17. And I was more powerful than the President of the United States.
Terminal Operations & Security Scripting
Go beyond theory. This track covers real-world use of Linux and Windows terminals, Python scripting for both offensive and defensive security operations, and TLS/SSL certificate management scripts — the toolbox every practitioner needs.
Linux Terminal for Security
Linux is the operating system of servers, IoT devices, and most hacking tools. Mastery of the Bash shell is non-negotiable for both attackers and defenders.
Before exploiting anything, you map the terrain. These commands are used in every engagement — by both red teams discovering targets and blue teams auditing their own exposure.
Nmap is the industry standard for port scanning and service discovery. Every open port is a potential attack surface. Blue teams use it to audit what's exposed; red teams use it to find entry points.
tcpdump captures raw packets from any network interface. Essential for incident response, protocol debugging, and identifying C2 (command and control) traffic patterns.
Logs are the defender's eyes. Knowing how to grep and parse logs quickly is the difference between a 1-hour incident response and a 1-week one. Attackers know this too — they always attempt to delete or corrupt logs.
Before exploiting a web app, enumerate its attack surface. Hidden admin panels, backup files (.bak), and exposed config files are extremely common findings even on production systems.
Netcat reads and writes raw TCP/UDP connections. Used by attackers to establish reverse shells and by defenders to test whether a port is reachable and what banner a service returns.
Windows Terminal & PowerShell for Security
Most enterprise environments run Windows. PowerShell is the most powerful tool for both Windows administration and post-exploitation — attackers use it because it's signed, trusted, and built-in.
PowerShell has direct access to the .NET framework, WMI, and Active Directory. It's the weapon of choice for Windows post-exploitation — which is why blocking it entirely breaks too many things. Defenders must monitor it instead.
Active Directory (AD) is the directory service that controls permissions in Windows enterprise environments. Enumerating AD reveals user accounts, groups, password policies, and privilege paths — the attacker's roadmap to Domain Admin.
Windows Event Logs record every login, process creation, and privileged operation. Defenders use PowerShell to query logs programmatically — finding attack patterns across thousands of events in seconds.
Built-in Windows tools for network enumeration — useful in environments where external tools can't be installed. These commands are also used by attackers during "living off the land" techniques — using only tools already present on the victim machine.
Python for Offensive Security
Python is the most widely used language in offensive security tooling — from proof-of-concept exploits to full frameworks. Understanding how these scripts work makes you a better defender. These examples are for authorized testing only.
Understanding how port scanners work makes you appreciate what information attackers gather before engaging a target. This is a basic TCP connect scanner — the same fundamental logic used by Nmap.
HTTP response headers reveal server technology, misconfiguration, and missing security headers. A 30-second scan of headers tells an attacker which framework you're running and which security controls are absent.
A minimal SQL injection detection script for testing your own web applications. Understanding how automated SQLi tools work helps defenders tune their WAF rules and identify vulnerable parameters before attackers do.
Python for Defensive Security
Blue team Python automates threat hunting, log parsing, anomaly detection, and incident response. These scripts help defenders scale their visibility across complex environments.
Automated detection of brute-force SSH attacks by watching auth.log in real-time. Counts failures per IP and triggers alerts when a threshold is exceeded. This is the foundation of a Host-based Intrusion Detection System (HIDS).
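The detector described above, as an added example that is not part of the original page: it parses OpenSSH "Failed password" lines in auth.log format, keeps a sliding window of failures per source IP, and yields one alert per IP when the threshold is crossed inside the window. The log lines are constructed (TEST-NET addresses, year supplied by the caller because syslog stamps omit it); `follow()` is a tail -F style reader for live use.

```python
import re
import time
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, Iterator, Tuple

# OpenSSH failure lines as syslog writes them to auth.log (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

Alert = Tuple[str, int, datetime, datetime]  # (ip, failures in window, first, last)


def parse_stamp(stamp: str, year: int) -> datetime:
    """Syslog stamps carry no year; the caller supplies the one the log covers."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10),
                      year: int = 2024) -> Iterator[Alert]:
    """Sliding-window count of failed logins per source IP.

    Only the timestamps inside `window` are kept for each IP, so a slow trickle
    of failures never accumulates into an alert while a burst does. Each IP is
    alerted once per run so a long attack does not flood the responder.
    """
    recent = defaultdict(deque)
    alerted = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, cron, sudo, ... are not counted
        ts = parse_stamp(m["ts"], year)
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # evict failures that fell out of the window
        if len(q) >= threshold and m["ip"] not in alerted:
            alerted.add(m["ip"])
            yield (m["ip"], len(q), q[0], q[-1])


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """tail -F style reader for live monitoring (does not handle log rotation)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at the end: only new lines are interesting
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample: a burst from 203.0.113.5, a typo-then-success from
# 198.51.100.7, and a slow trickle from 192.0.2.9 that never fills the window.
SAMPLE_AUTH_LOG = """\
Mar  5 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  5 10:00:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar  5 10:00:04 web1 sshd[2013]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  5 10:00:06 web1 sshd[2013]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar  5 10:00:09 web1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Mar  5 10:00:11 web1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.5 port 40127 ssh2
Mar  5 10:01:30 web1 sshd[2020]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  5 10:01:45 web1 sshd[2020]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Mar  5 10:00:00 web1 sshd[2030]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  5 10:08:00 web1 sshd[2031]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  5 10:16:00 web1 sshd[2032]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar  5 10:24:00 web1 sshd[2033]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar  5 10:32:00 web1 sshd[2034]: Failed password for bob from 192.0.2.9 port 33005 ssh2
Mar  5 10:33:00 web1 CRON[2100]: pam_unix(cron:session): session opened for user root
"""

if __name__ == "__main__":
    # Live use: for alert in detect_bruteforce(follow("/var/log/auth.log")): ...
    for ip, n, first, last in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ALERT {ip}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```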
A File Integrity Monitor calculates cryptographic hashes of critical system files and alerts when they change. This detects webshell uploads, binary replacements, and configuration tampering — the core of PCI-DSS compliance requirements.
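A file integrity monitor along the lines described above, added here as an example that is not code from the original page; the same baseline-and-compare loop is what the backdoor section calls for when auditing /etc/cron.d/, /var/spool/cron/ and ~/.ssh/authorized_keys against a known-good baseline. The demo web root, its files and the changes made to them are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

Baseline = Dict[str, str]  # absolute path -> hex SHA-256


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(watch: Iterable[str]) -> Baseline:
    """Hash every regular file under the watched files and directories."""
    baseline: Baseline = {}
    for entry in watch:
        p = Path(entry)
        files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
        for f in files:
            baseline[str(f.resolve())] = sha256_file(f)
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Classify every difference; three empty lists mean the tree is unchanged."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: Baseline, path: str) -> None:
    # Keep the baseline off-host or read-only: an intruder who can rewrite it
    # simply re-baselines after tampering and the monitor stays silent.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> Baseline:
    return json.loads(Path(path).read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a web root is baselined, then a config file is
    edited, an unexpected script appears (the webshell-upload pattern) and a
    legitimate file disappears. Returns basenames so the result is path-independent."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        baseline_file = str(Path(tmp) / "baseline.json")  # outside the watched tree
        save_baseline(build_baseline([str(root)]), baseline_file)

        (root / "config.php").write_text("<?php $db = 'prod'; $debug = true; ?>\n")
        (root / "uploads.php").write_text("<?php /* file that was never deployed */ ?>\n")
        (root / "index.php").unlink()

        diff = compare(load_baseline(baseline_file), build_baseline([str(root)]))
        return {kind: [Path(p).name for p in paths] for kind, paths in diff.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:>8}: {names}")
```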
DNS tunneling tools like iodine and dnscat2 leave detectable fingerprints: unusually long subdomains, high entropy names, and high query volume to a single domain. This script flags suspicious DNS activity in captured traffic.
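A detector for the fingerprints named above (long names and labels, high-entropy subdomains, many distinct subdomains under one domain), which also covers the encoded-subdomain pattern `ZXhuZg==.data.attacker.com` from the backdoor section. It is an added example, not code from the original page or from iodine/dnscat2. Assumptions: query names are already extracted from a capture, and the registered domain is taken as the last two labels (a real tool would use the public-suffix list); the traffic sample is constructed.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(text: str) -> float:
    """Bits per character: random base32 text approaches 5, dictionary words sit below ~3.5."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain part, registered domain). Assumption: registered
    domain = last two labels; a real tool would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_flags(qname: str, max_name_len: int = 60, max_label_len: int = 30,
                entropy_threshold: float = 3.5) -> List[str]:
    """Per-query fingerprints: encoded data makes names long and random-looking."""
    sub, _ = split_name(qname)
    flags = []
    if len(qname) > max_name_len:
        flags.append("long-name")
    if any(len(label) > max_label_len for label in sub.split(".")):
        flags.append("long-label")
    if sub and shannon_entropy(sub.replace(".", "")) > entropy_threshold:
        flags.append("high-entropy")
    return flags


def analyze(qnames: Iterable[str], min_queries: int = 20,
            min_flag_ratio: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Aggregate per registered domain: a tunnel shows many queries, most of
    them flagged, almost all to distinct subdomains (every chunk is a new name)."""
    stats = defaultdict(lambda: {"queries": 0, "flagged": 0, "subs": set()})
    for q in qnames:
        sub, domain = split_name(q)
        s = stats[domain]
        s["queries"] += 1
        s["subs"].add(sub)
        if query_flags(q):
            s["flagged"] += 1
    suspicious = {}
    for domain, s in stats.items():
        if s["queries"] >= min_queries and s["flagged"] / s["queries"] >= min_flag_ratio:
            suspicious[domain] = {"queries": s["queries"], "flagged": s["flagged"],
                                  "unique_subdomains": len(s["subs"])}
    return suspicious


def constructed_sample() -> List[str]:
    """Constructed traffic: ordinary lookups plus 30 base32-encoded chunks
    carried as subdomains of attacker.example (the pattern from the page)."""
    benign = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.com"] * 10
    tunnel = []
    for i in range(30):
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest())
        tunnel.append(f"{chunk.decode().rstrip('=').lower()}.data.attacker.example")
    return benign + tunnel


if __name__ == "__main__":
    for domain, s in analyze(constructed_sample()).items():
        print(f"SUSPECT {domain}: {s}")
```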
TLS/SSL Scripting
TLS misconfiguration is responsible for a significant proportion of real-world breaches. These scripts inspect certificates, test cipher suites, and detect downgrade vulnerabilities — essential knowledge for both sides.
Expired TLS certificates cause outages and erode user trust. This script checks certificate expiry for a list of domains — useful for proactive monitoring in blue team operations or verifying targets' certificate hygiene during red team recon.
Weak cipher suites and support for TLS 1.0/1.1 allow downgrade attacks. This script tests which TLS versions a server accepts — identifying misconfigured servers before attackers do, or confirming target security posture during authorized assessments.
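The expiry and protocol-version checks described in the two paragraphs above, as one added example that is not part of the original page. `expiry_status()` and `dns_names()` operate on the dictionary Python's ssl module returns for a peer certificate, so they are shown on a constructed certificate record; `fetch_peer_cert()`, `check_hosts()` and `probe_tls_versions()` do the live handshakes and need network access to hosts you are authorized to test.

```python
import math
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a fully verified TLS handshake and return the parsed leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert: dict) -> List[str]:
    """Hostnames the certificate is valid for (subjectAltName dNSName entries)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def expiry_status(cert: dict, now: datetime, warn_days: int = 30) -> Dict[str, object]:
    """Whole days until notAfter plus a traffic-light status; `now` is timezone-aware UTC."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = math.floor((not_after - now).total_seconds() / 86400)
    if days_left < 0:
        status = "EXPIRED"
    elif days_left <= warn_days:
        status = "WARNING"
    else:
        status = "OK"
    return {"not_after": not_after.isoformat(), "days_left": days_left, "status": status}


def expiry_status_at(cert: dict, now_iso: str, warn_days: int = 30) -> Dict[str, object]:
    """Same check with the reference time given as ISO-8601 (naive values are taken as UTC)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return expiry_status(cert, now.astimezone(timezone.utc), warn_days)


def check_hosts(hosts: List[str], warn_days: int = 30) -> Dict[str, Dict[str, object]]:
    """Live expiry report for a list of hosts; handshake failures are reported, not raised."""
    now = datetime.now(timezone.utc)
    report = {}
    for host in hosts:
        try:
            report[host] = expiry_status(fetch_peer_cert(host), now, warn_days)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            report[host] = {"status": "ERROR", "error": str(exc)}
    return report


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """One handshake per protocol version with the client pinned to that version.

    Caveat: False for TLS 1.0/1.1 can also mean the local OpenSSL build refuses
    them; inspect the SSLError text when that distinction matters."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[version.name] = True
        except (OSError, ValueError):
            results[version.name] = False
    return results


# Constructed certificate record in the shape returned by getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Mar  3 00:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(dns_names(SAMPLE_CERT))
    print(expiry_status_at(SAMPLE_CERT, "2025-05-15T00:00:00+00:00"))
```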
Every developer needs to understand certificate generation. This script uses Python + OpenSSL via subprocess to generate a self-signed certificate for local development, testing, or internal service encryption. Never use self-signed certs in production without proper trust chain management.
Glossary
Every term used in this course, defined concisely.