# August Highlights

## **Network Basics — Vishal Vaishishth**

### View the slide deck for this talk [**here**](https://speakerdeck.com/breachforce/network-101-the-foundation-beneath-security)

**Evolution of communication systems**

Marconi (wireless telegraphy) → One-way radio → Two-way radio (interactive comms) → Digital networks (Ethernet frames, VoIP, etc.)

* **Guglielmo Marconi** → credited with inventing wireless telegraphy (early **radio**), which was **one-way communication** (just sending signals).
    
* Later, radio tech evolved into **two-way communication** (walkie-talkies, mobile phones, etc.) where both ends could talk.
    
* Then we moved into **digital communication** → carrying not just analog voice but also **data**.
    
* Today, even **voice calls** are chopped into **frames/packets** (like Ethernet frames in computer networks) when sent over digital/VoIP systems.
    

OSI Layer

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756780753939/24c8b9a8-ca63-4ad4-8889-f44f3092d6af.png align="center")

### Physical Layer

* The **Physical Layer (Layer 1)** is responsible for transmitting raw bits over physical media.
    
* Supports **various transmission media**:
    
    * **Wires/Cables:** Copper (Ethernet CAT5/6/7), Coaxial
        
    * **Optical Fiber:** High-speed long-distance communication (up to 58 Gbps with Ethernet over fiber)
        
    * **Radio Waves:** Wireless transmission for WiFi, Bluetooth, and cellular networks.
        
* **WiFi** is actually **Layer 2 (Data Link)**, but it relies on radio waves as the physical medium.
    
* **Key protocols at Layer 1:** IDE, SCSI, Ethernet physical specifications.
    
* **Ethernet** uses **packet switching** rather than circuit switching:
    
    * Packet switching sends data in discrete frames, making networks more flexible.
        
    * Circuit switching requires pre-allocated bandwidth for the duration of the communication, which is less efficient for shared networks.
        
* Layer 1 also defines **electrical/optical signal standards**, connector types, and transmission speeds
    

### **Data Link Layer**

* The **Data Link Layer (Layer 2)** operates on top of the Physical Layer, ensuring devices can communicate reliably over physical media.
    
* **Compatibility is crucial:** Protocols are needed so devices from different manufacturers can exchange data.
    
* **Standard Ethernet Frame:** Encapsulates data for Layer 2 transmission.
    
* **MAC Address (Media Access Control):**
    
    * Needed to identify devices on the same network.
        
    * If only two devices are connected on a single cable, addresses aren’t required.
        
    * When networks scale beyond two devices, MAC addresses allow correct packet delivery.
        
    * Originally sufficient for small, room-scale networks; now critical for larger, multi-device environments.
        
* **Address Management:**
    
    * Managed at Layer 2 (MAC) and Layer 3 (IP).
        
    * DHCP on routers assigns IP addresses; devices cannot safely overwrite these without risk.
        
* **Why not just MAC?**
    
    * MAC addresses are **not extensible** beyond local networks.
        
    * They are **hardware-burned**, making replacement difficult.
        
    * IP addresses are required for **network-wide routing** and scalability.
        
* **ARP Protocol (Address Resolution Protocol):**
    
    * Maps IP addresses to MAC addresses for local communication.
        
    * Vulnerable to **ARP spoofing** and **cache poisoning attacks**.
        
* **VLANs & Trunking:**
    
    * Segment networks into isolated broadcast domains, enhancing security.
        
    * Misconfigurations can lead to attacks like **VLAN hopping** via switch spoofing or double tagging.
        
    * Tagged VLANs help prevent unauthorized access between segments.
        
    * **ARP spoofing:** Attackers send fake ARP replies to associate their MAC with a victim’s IP.
        
* **MOII & MAC Security:** MAC spoofing detection is used to enhance Layer 2 security.
    

### Network Layer

* **IP Addressing:** Enables devices to communicate across different networks using IPv4 or IPv6.
    
* **IPv4 vs IPv6:**
    
    * IPv4 uses 32-bit addresses; IPv6 uses 128-bit, allowing vastly more unique addresses.
        
    * IP Classes organize IPv4 addresses for network segmentation.
        
* **Documentation IP Blocks (RFC 5737):**
    
    * 192.0.2.0/24 (TEST-NET-1)
        
    * 198.51.100.0/24 (TEST-NET-2)
        
    * 203.0.113.0/24 (TEST-NET-3)
        
    * Reserved for testing; **not for production use**.
        
* ### IPv6 Documentation Prefix: `2001:DB8::/32`
    
    * A special IPv6 block reserved by the IETF (RFC 3849) for documentation, examples, and training.
        
    * Prevents misuse of real IPv6 addresses in books, blogs, and lab setups.
        
    * Avoids confusion, accidental traffic leaks, and security risks.
        
    * Non-routable; any traffic to this range is dropped by routers.
        
    * Recognized globally as a safe prefix for educational use.
        
    * Can be subnetted (e.g., `2001:DB8:1::/48`) to model real-world configurations.
        
    * Similar to movie phone numbers starting with **555**—looks authentic but never connects.
        
    * Ensures documentation is professional, consistent, and conflict-free.
        
    * Example addresses:
        
        * `2001:DB8:1234::1/64`
            
        * `2001:DB8:abcd:5678::/64`
            
    
* **Private Addresses:** 100.64.0.0 - 100.64.128.255 (used by ISPs and Tailscale; avoids collisions).
    
* **DHCP Reservations:**
    
    * Assign fixed IPs without relying on sequential allocation.
        
* **Routing:**
    
    * Direct tapping of Ethernet wires is expensive and impractical; port mirroring on destination devices is preferred.
        
    * Layer 2 MITM attacks are easier to detect; higher layers offer better protection.
        
    * Routing protocols: **OSPF**, **BGP**, **ISIS** (mostly for carrier networks).
        
        * **Common Routing Attacks:**
            
            * **BGP:** Prefix hijack, route leaks, manipulation
                
            * **OSPF:** LSA injection, falsification, evil twin, LSU spoofing
                
            * **ISIS:** Route spoofing, session hijacking
                
    
    ### Transport Layer
    
    * **Protocols:** TCP, UDP, and ICMP form the core of the Transport Layer.
        
    * **NAT (Network Address Translation):**
        
        * Allows multiple devices to share a single public IP.
            
        * the purpose of NAT is to saves IPv4 addresses and hides internal network structure for security
            
        * Types: **Static NAT, Dynamic NAT, PAT (NAT Overload), Port Address NAT.**
            
    * Packet Wrapping
        
        * TCP traffic can be encapsulated inside UDP packets for tunneling.
            
        * Reliability is still ensured through TCP sequencing and acknowledgments.
            
        * Useful when networks restrict or block certain protocols.
            
        * Enables communication to pass through firewalls, NAT devices, or strict network policies.
            
        * Common in VPNs and tunneling tools where flexibility and traversal of blocked paths are required.
            
        
        **Security & Protections:**
        
        * Maintain **ACLs** to control access.
            
        * Change default ports to reduce attack surface.
            
        * Use **VPNs and tunneling** to secure communication.
            
    * **Packet Analysis:**
        
        * Tools: **tcpdump** with drivers like **usbpcap** and **ncap** capture interface packets for analysis.
            
    * **Real-World Topologies:**
        
        * Designed for **carrier gateways** and **high availability networks**.
            
        * For real carrier gateways & high availability infra networks
            
            * Ref: [https://robert.penz.name/779/howto-setup-a-redundant-and-secure-bgp-fulltable-internet-connection-with-mikrotik-routers/](https://robert.penz.name/779/howto-setup-a-redundant-and-secure-bgp-fulltable-internet-connection-with-mikrotik-routers/)
                
    * **TCP Flags:**
        
        * **PSH (Push):** Packet must be processed immediately.
            
        * **URG (Urgent):** Specifies high-priority packets
            
    * **ICMP, Ping, and Traceroute:**
        
        * Used for error reporting, diagnostics, and status messages.
            
        * **Traceroute** works by incrementing **TTL** to map the route to the destination.
            

### WiFi Highlights

* **WiFi operates at Layer 2 (Data Link),** while radio waves act as the physical carrier medium at Layer 1.
    
* **Security Protocols:**
    
    * WPA2 (non-PKS versions) can potentially be decrypted if misconfigured.
        
    * **RADIUS and other authentication protocols** manage secure access.
        

### Miscellaneous / Performance Highlights

* **Ethernet Performance:** CAT cables can support speeds up to **58 Gbps** in optimal conditions.
    
* **Data Flow:** Every packet leaving a device enters the network for processing.
    
* **Passive Wiretap:** Operates at Layer 2 and can intercept traffic without detection, highlighting the importance of network security
    

The session ended at the Transport Layer, while the higher layers :- Session, Presentation, and Application were left out. These will be covered in Application Security (AppSec), keeping the focus here on core networking basics first

---

## Hardware Arsenal

### View the slide deck for this talk [**here**](https://speakerdeck.com/breachforce/hardware-arsenal)

**What is it?**

* Hardware/Hacking Arsenal → Tools designed for specific protocols with compromise as the ultimate goal.
    
* Focus → How much can you breach without breaking cover?
    
* Uses → Military operations, physical red teaming, and fun research.
    

**P4wnP1 A.L.O.A**

* Turns Raspberry Pi Zero W / Pico W into a powerful, low-cost pentesting tool.
    
    (Reference:-[https://www.raspberrypi.com/documentation/](https://www.raspberrypi.com/documentation/))
    
* Acts like a WiFi Rubber Ducky with HIDScript (DuckyScript-style payloads).
    
    (Refrence:-[https://github.com/majdsassi/Pico-WIFI-Duck](https://github.com/majdsassi/Pico-WIFI-Duck))
    
* Can emulate keyboard, mouse, storage, and more for red teaming & research.
    

**Pwnagotchi**

* AI-powered WiFi sniffer (A2C + bettercap) that learns from its environment.
    
* Captures WPA handshakes & PMKIDs (saved as PCAPs for hashcat)
    
* PMKID (Pairwise Master Key Identifier) is a unique value in WPA/WPA2 Wi-Fi that speeds up roaming but can also be captured for offline password cracking.
    
* A digital pet for hackers running on Raspberry Pi Zero W/2W, 3, and 4.
    
    (Refrence:-[https://github.com/JakerHuber/Jakes-Pwnagotchi-Tutorial.git](https://github.com/JakerHuber/Jakes-Pwnagotchi-Tutorial.git))
    

**Flipper Zero**

* Portable multi-tool for pentesters & hackers in a toy-like body.
    
* Hacks radio, access control, hardware, and more.
    
* Open-source & customisable with modular extensions.
    

**PortaPack (for HackRF)**

* Add-on with touchscreen, controls, SD slot, clock, and case.
    
* Turns HackRF into a portable spectrum explorer (few MHz – 6 GHz).
    
    (Refrence:-[https://github.com/pavsa/hackrf-spectrum-analyzer.git](https://github.com/pavsa/hackrf-spectrum-analyzer.git))
    
* Runs on USB battery + proper antenna. (Can be misused for illegal activity)
    

**Keyless Entry & Rolling Code**

* Used in cars & garage doors for remote lock/unlock.
    
* Rolling Code: generates single-use passcodes so codes don’t repeat.
    
* Exploit angle → If the signal doesn’t reach the car, the sequence can be intercepted & abused.
    

**USB-C**

* 24-pin reversible connector, replacing older USB types.
    
* EU mandate:
    
    * Phones, tablets, cameras & headphones → by Dec 28, 2024
        
    * Laptops → by Apr 28, 2026
        
* Goal: One universal charger/cable.
    

**BAD USB-C (Overview)**

* ESP32 Pico-based USB-C implant for executing keystrokes.
    
* Can run scripts, payloads, admin/root commands.
    
* With WiFi onboard, it can even bypass air-gapped systems (requires physical access).
    

**Example:**

BAD USB-C is an ESP32 Pico-based implant disguised as a USB-C device. It behaves like a normal USB peripheral, but in reality, it executes automated keystrokes and connects over WiFi.

**How It Works**

1. Physical Access → Connect the BAD USB-C to the target computer.
    
2. Remote Control → Connect to the device from your laptop, VM, or even a smartphone hotspot.
    
3. Payload Execution → BAD USB-C injects keystrokes on the victim’s machine as if typed by a user.
    

**Example Attack Scenario**

* Prepare a payload script (PowerShell or Batch).
    
* BAD USB-C executes automatically once plugged in:
    
    * Opens Command Prompt or PowerShell.
        
    * Elevates to Administrator (via keystroke sequence).
        
    * Executes your script, e.g.:
        
        * Copies documents, credentials, or browser data.
            
        * Compresses them into a hidden archive.
            
        * Sends them back over WiFi.
            

**Air-Gapped Bypass**

An air-gapped system is normally secure because it’s isolated from any network. BAD USB-C, powered by ESP32 Pico with WiFi, can still bypass this protection.

1. Injects payloads via keystrokes (e.g., open CMD/PowerShell).
    
2. Collects files (docs, creds, logs).
    
3. Exfiltrates data over WiFi directly to the attacker’s device.
    
4. Stealth mode: BAD USB-C can connect to a hidden SSID (like a mobile hotspot) for operational security.
    

**Example:-**

* Plug BAD USB-C into an air-gapped PC → it runs a script to zip “.docx” files → connects to your hidden mobile hotspot → sends data over WiFi to your laptop.
    
* The air-gap is silently bypassed.Key point: Unlike normal USB-C, BAD USB-C is both injector and covert channel, making it far more dangerous.
    

The session showed a clear journey of how communication has evolved and how today’s networks work.

Along with this, the hardware segment showcased practical tools like P4wnP1, Pwnagotchi, Flipper Zero, and PortaPack, giving a glimpse into hardware hacking and security.
