Networking Foundations

Models, IP & NAT

OSI vs TCP/IP, IPv4/IPv6, public vs private addresses, and what NAT really does.


Before you can break a network, you need to understand how it's built. Every scan you run, every packet you craft, and every exploit you deliver travels through layers of abstraction defined by two foundational models. Understanding those layers - and the addressing scheme that makes them work - is the baseline for everything in offensive and defensive security.

Ethics First - Every Lesson, Every Time

All techniques discussed here are for authorized testing, CTF competitions, and understanding how to defend systems. Scanning or probing networks you do not own or have explicit written permission to test is illegal under laws like the Computer Fraud and Abuse Act (CFAA) and equivalents worldwide.

The OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework that divides network communication into seven distinct layers. No real-world protocol maps perfectly to it, but it gives you a shared vocabulary for describing exactly where in the stack something is happening.

Layer  Name          What it does                         Protocol examples
7      Application   User-facing data                     HTTP, DNS, FTP, SMTP
6      Presentation  Encoding, encryption, compression    TLS/SSL, JPEG
5      Session       Manages sessions between hosts       NetBIOS, RPC
4      Transport     End-to-end delivery, ports           TCP, UDP
3      Network       Logical addressing, routing          IP, ICMP, ARP
2      Data Link     Physical addressing (MAC), framing   Ethernet, Wi-Fi (802.11)
1      Physical      Bits on the wire/air                 Cables, radio frequencies

The hacker's shortcut: "All People Seem To Need Data Processing" (Application → Physical). More practically, most attack techniques operate at layers 3-7. SQL injection lives at layer 7. A SYN flood is layer 4. ARP spoofing is layer 2.

Why OSI Matters for Recon

When you're enumerating a target, you think in layers. Layer 3 (IP): is the host alive? Layer 4 (TCP/UDP): what ports/services are open? Layer 7 (Application): what software is running, what version, what vulnerabilities? Each layer narrows your attack surface.

The TCP/IP Model

The TCP/IP model (also called the Internet model) is what actually runs the internet. It collapses OSI's seven layers into four practical ones:

TCP/IP layer           Maps to OSI   Protocols
Application            5, 6, 7       HTTP, DNS, SSH, FTP, SMTP
Transport              4             TCP, UDP
Internet               3             IP, ICMP, ARP
Network Access (Link)  1, 2          Ethernet, Wi-Fi

The TCP/IP model is what engineers actually implement. When a security tool like nmap operates, it constructs packets layer by layer following TCP/IP, not OSI. You'll hear OSI in certifications and vendor docs; you'll see TCP/IP in actual code and packet captures.

Encapsulation: How Data Travels

Encapsulation is the process of wrapping data with headers (and sometimes trailers) at each layer as it moves down the stack on the sending side. The receiving side strips them back off.

Application data:   [ HTTP request body                      ]
Transport adds:     [ TCP header | HTTP request body         ]
Network adds:       [ IP header  | TCP header | HTTP body    ]
Link adds:          [ Eth header | IP header | TCP | HTTP | Eth trailer ]

Each layer calls its chunk a different name:

  • Layer 7: message or data
  • Layer 4: segment (TCP) or datagram (UDP)
  • Layer 3: packet
  • Layer 2: frame
  • Layer 1: bits

Why this matters offensively: When you capture packets with Wireshark, you're reading these headers. When you craft raw packets with Scapy, you're building them manually. Knowing encapsulation means knowing exactly which fields you can manipulate to confuse firewalls, bypass filters, or spoof identities.
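To make the header layering concrete, here is an added example (not code from the lesson) that builds and then parses an Ethernet/IPv4/TCP frame with Python's standard library, the way a capture tool has to peel the layers apart. The MAC and IP addresses are constructed sample values, the TCP checksum is left at zero, and the Ethernet trailer is the CRC-32 frame check sequence.

```python
import socket
import struct
import zlib

# Constructed sample values, not from the lesson: locally administered MACs, RFC 1918 source, TEST-NET-3 destination
SRC_MAC = bytes.fromhex("02aabbccdd01")
DST_MAC = bytes.fromhex("02aabbccdd02")
SRC_IP, DST_IP = "192.168.1.100", "203.0.113.1"
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
IPV4_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"   # both fixed 20-byte headers

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(data: bytes, sport: int = 54321, dport: int = 80) -> bytes:
    """Down the stack: data -> TCP segment -> IPv4 packet -> Ethernet frame with FCS trailer."""
    # Layer 4: data offset 5 words, flags PSH|ACK, window 65535; TCP checksum left 0 for brevity
    segment = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data
    # Layer 3: version 4 / IHL 5, TTL 64; the checksum is computed over the header with its field zeroed
    fields = [0x45, 0, 20 + len(segment), 0, 0, 64, PROTO_TCP, 0,
              socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    packet = struct.pack(IPV4_FMT, *fields) + segment
    # Layer 2: 14-byte Ethernet II header in front, 4-byte CRC-32 frame check sequence behind
    body = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))

def decapsulate(frame: bytes) -> dict:
    """Up the stack: check each layer's header, strip it, hand the rest to the layer above."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("bad Ethernet FCS")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:              # a header carrying its own checksum sums to 0
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != PROTO_TCP:
        raise ValueError("not a TCP segment")
    segment = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", segment[:4])
    return {"frame": len(frame), "packet": total_len, "segment": len(segment), "sport": sport,
            "dport": dport, "src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "data": segment[(segment[12] >> 4) * 4:]}
```

Flip a single byte of the frame before calling decapsulate and the FCS check rejects it, which is exactly why a corrupted frame never reaches the IP layer.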

IPv4 Addressing

An IPv4 address is a 32-bit number written as four decimal octets separated by dots (e.g., 192.168.1.100). It identifies a host's location on the network at layer 3.

Public vs Private Ranges

RFC 1918 reserves three address ranges for private networks (not routable on the public internet):

Range                            CIDR             Example use
10.0.0.0 - 10.255.255.255        10.0.0.0/8       Large enterprise networks
172.16.0.0 - 172.31.255.255      172.16.0.0/12    Mid-size networks, Docker default
192.168.0.0 - 192.168.255.255    192.168.0.0/16   Home routers, small offices

Everything else is public - directly reachable from the internet (subject to routing and firewalls).

Hacker relevance: When you're doing external recon, you target public IPs. When you land on a box and see an internal IP range on an interface, you've found a pivot point to a network segment that isn't exposed externally. That's lateral movement territory.

Loopback

127.0.0.1 (loopback, also localhost) always refers to the local machine itself. The entire 127.0.0.0/8 range is reserved for this. If a service is bound only to 127.0.0.1, it can't be reached from the network - only from the local machine. Finding services bound to loopback on a target you have shell access to is often a privilege escalation or lateral movement lead.

Special Ranges

Address / Range    Meaning
0.0.0.0            Unspecified / "all interfaces" when binding a service
255.255.255.255    Limited broadcast
169.254.0.0/16     APIPA / link-local (no DHCP response received)
127.0.0.0/8        Loopback

IPv6 Addressing

IPv6 uses 128-bit addresses written in eight groups of four hex digits separated by colons:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Zero groups can be compressed: 2001:db8:85a3::8a2e:370:7334

Key IPv6 address types:

  • ::1 - loopback (equivalent to 127.0.0.1)
  • fe80::/10 - link-local (not routed beyond the local link)
  • 2000::/3 - global unicast (the public internet range)
  • fc00::/7 - unique local (private, RFC 4193)

Hacker relevance: Many tools and firewalls are still misconfigured for IPv6. A target might have strict IPv4 filtering but accept connections on its IPv6 address. Running nmap -6 against an IPv6-enabled target or finding forgotten AAAA records in DNS can expose services that appear "closed" from IPv4 scans.
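The following added example (not from the lesson) turns the IPv4 range tables and the IPv6 address list above into one classifier, then uses it to audit which listening services on a host are bound to loopback, to a single interface, or to all interfaces. The ss output it parses is a constructed sample; the `ss -tlnH` column layout is assumed to be State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.

```python
import ipaddress

# Roles exactly as the lesson lists them; first match wins, so specific reserved ranges come before the broad ones
ROLES = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("unspecified (all interfaces)", "0.0.0.0/32"),
    ("unspecified (all interfaces)", "::/128"),
    ("limited broadcast", "255.255.255.255/32"),
    ("loopback", "127.0.0.0/8"),
    ("loopback", "::1/128"),
    ("link-local / APIPA", "169.254.0.0/16"),
    ("link-local", "fe80::/10"),
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("unique local (RFC 4193)", "fc00::/7"),
    ("global unicast", "2000::/3"),
]]

# Constructed sample of `ss -tlnH` output (State Recv-Q Send-Q Local:Port Peer:Port), not a real capture
SAMPLE_SS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 192.168.1.10:3306 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 *:80 *:*"""

def classify(addr: str) -> str:
    """Return the role of an IPv4 or IPv6 address; IPv4 outside every listed range is public."""
    ip = ipaddress.ip_address(addr)
    for label, net in ROLES:
        if ip.version == net.version and ip in net:
            return label
    return "public" if ip.version == 4 else "other / reserved"

def audit_listeners(ss_output: str = SAMPLE_SS) -> list:
    """Report (port, bound address, exposure) for each listener in ss -tlnH style output."""
    report = []
    for line in ss_output.strip().splitlines():
        local = line.split()[3]                          # Local Address:Port, e.g. [::1]:631
        host, port = local.rsplit(":", 1)
        host = host.strip("[]").replace("*", "::")       # ss prints "*" or "[::]" for the IPv6 wildcard
        role = classify(host)
        if role.startswith("unspecified"):
            exposure = "every interface"                 # 0.0.0.0 / :: answers on all interfaces
        elif role == "loopback":
            exposure = "local machine only"              # reachable only from the host itself
        else:
            exposure = "single interface (" + role + ")"
        report.append((int(port), host, exposure))
    return sorted(report)
```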

NAT: Network Address Translation

NAT is why the internet hasn't run out of IPv4 addresses. Your home router has one public IP from your ISP; every device inside your network has a private IP. When you connect to a website, NAT rewrites the source IP in outbound packets from your private IP to the router's public IP, and keeps a translation table to route replies back correctly.

Internal: 192.168.1.105:54321  --NAT rewrites-->  Public: 203.0.113.1:54321
Server sees: 203.0.113.1:54321
Reply to: 203.0.113.1:54321    --NAT rewrites-->  192.168.1.105:54321

Types of NAT:

  • SNAT (Source NAT): Rewrites source address on outbound packets - what your home router does.
  • DNAT (Destination NAT): Rewrites destination address - used to forward external traffic to an internal server (port forwarding).
  • PAT / NAPT (Port Address Translation): Multiple internal hosts share one public IP using different source ports - the most common form in home routers.

Hacker relevance: NAT is an obstacle in two directions. It means internal hosts aren't directly reachable from the internet (good for defenders; annoying for attackers who need reverse shells to call home). It also means external enumeration can't see what's behind the router. Getting a foothold on a NAT'd network is the start of internal pivoting.
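An added simulation (not the lesson's code) of the translation table behind the diagram above: SNAT/PAT for outbound flows, reverse lookup for replies, a DNAT port forward, and the default drop for unsolicited inbound packets, which is what keeps internal hosts unreachable from outside. The 203.0.113.1 public address and the 192.168.1.105:54321 client come from the diagram; the 40000 fallback port range and the 198.51.100.x remote hosts are assumed sample values.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """A home router's port-address-translation table: many private hosts behind one public IP."""

    def __init__(self, public_ip="203.0.113.1", ephemeral_start=40000):
        self.public_ip = public_ip
        self.free_ports = count(ephemeral_start)   # fallback when the private source port is already taken
        self.used_ports = set()
        self.outbound = {}       # (priv_ip, priv_port, dst_ip, dst_port) -> public source port
        self.inbound = {}        # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.forwards = {}       # DNAT / port forwarding: public port -> (priv_ip, priv_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """SNAT: rewrite the private source to the public IP, keeping the port if it is free."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.outbound:
            pub_port = pkt.src_port
            while pub_port in self.used_ports:      # PAT: a second host on the same port gets a new one
                pub_port = next(self.free_ports)
            self.used_ports.add(pub_port)
            self.outbound[flow] = pub_port
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[flow], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Rewrite a packet arriving from the internet back to its private host, or drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.forwards.get(pkt.dst_port)   # static DNAT entry?
        if target is None:
            return None           # no flow and no forward: unsolicited inbound is dropped
        return Packet(pkt.src_ip, pkt.src_port, *target)

    def add_port_forward(self, public_port: int, priv_ip: str, priv_port: int) -> None:
        """DNAT: expose one internal service on the public IP (what users call port forwarding)."""
        self.forwards[public_port] = (priv_ip, priv_port)
        self.used_ports.add(public_port)
```

The inbound lookup keys on the remote endpoint as well as the public port, so a reply from a different server cannot slip through an existing mapping; real routers vary in how strict this is.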

Subnets and CIDR

A subnet divides a larger IP network into smaller segments. This limits broadcast domains and controls which hosts can talk directly to which.

CIDR notation (Classless Inter-Domain Routing) expresses a network as IP/prefix-length:

  • /24 = 256 addresses (254 usable) - typical LAN
  • /16 = 65,536 addresses - large enterprise
  • /32 = single host
  • /8 = 16.7 million addresses

The subnet mask (/24 = 255.255.255.0) tells the OS which bits identify the network vs the host:

IP:    192.168.1.100   11000000.10101000.00000001.01100100
Mask:  255.255.255.0   11111111.11111111.11111111.00000000  (/24)
Net:   192.168.1.0     11000000.10101000.00000001.00000000  (network address)
BCast: 192.168.1.255   11000000.10101000.00000001.11111111  (broadcast)

Hacker relevance during recon: When you compromise a host, check its IP and subnet mask. That /24 or /16 tells you the scope of the internal network you can pivot through. 192.168.1.0/24 means 254 potential hosts to enumerate internally; 10.0.0.0/8 means over 16 million.

Quick Subnet Math

/24 = 256 addresses, /25 = 128, /26 = 64, /27 = 32, /28 = 16. Each step down the prefix halves the size. /32 is always a single host.
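The mask arithmetic from the worked example above and the quick subnet math, as an added Python example (not from the lesson) that computes the network, broadcast, usable host count and binary view for any IPv4 address in CIDR notation, and checks whether two hosts share a subnet. It goes slightly beyond the lesson by handling /31 and /32, where the "size minus two" rule does not apply.

```python
OCTET_SHIFTS = (24, 16, 8, 0)

def to_int(dotted: str) -> int:
    """'192.168.1.100' -> 32-bit integer, rejecting anything that is not four octets of 0-255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: " + dotted)
    return int.from_bytes(bytes(octets), "big")

def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in OCTET_SHIFTS)

def to_bits(n: int) -> str:
    """Binary view, one 8-bit group per octet, matching the lesson's mask worked example."""
    return ".".join(format((n >> s) & 0xFF, "08b") for s in OCTET_SHIFTS)

def prefix_mask(prefix: int) -> int:
    """Prefix-length ones followed by host zeros, e.g. /24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask, host range and size for an address written as IP/prefix."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_mask(prefix)
    addr = to_int(addr_str)
    net = addr & mask                               # keep the network bits, clear the host bits
    bcast = net | (~mask & 0xFFFFFFFF)              # network bits plus every host bit set
    size = 1 << (32 - prefix)
    usable = size - 2 if prefix < 31 else size      # /31 (RFC 3021) and /32 reserve no addresses
    reserved = usable < size                        # network and broadcast addresses exist only then
    return {"address": to_dotted(addr), "mask": to_dotted(mask), "network": to_dotted(net),
            "broadcast": to_dotted(bcast), "size": size, "usable": usable,
            "first_host": to_dotted(net + 1 if reserved else net),
            "last_host": to_dotted(bcast - 1 if reserved else bcast),
            "bits": {"address": to_bits(addr), "mask": to_bits(mask),
                     "network": to_bits(net), "broadcast": to_bits(bcast)}}

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when both hosts share the network bits, i.e. can talk directly without a router."""
    mask = prefix_mask(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)
```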

Key Takeaways

  • The OSI model (7 layers) gives you the vocabulary; the TCP/IP model (4 layers) is what actually runs.
  • Encapsulation wraps data in headers at each layer - the receiving host strips them back off.
  • Private ranges (10/8, 172.16/12, 192.168/16) are not internet-routable; finding one during post-exploitation points to pivoting opportunities.
  • 127.0.0.1 is loopback - services bound only here aren't directly exposed to the network.
  • NAT hides internal hosts behind one public IP - understanding it explains why reverse shells work better than bind shells against NATted targets.
  • CIDR notation tells you the network size; the subnet you find on a compromised host tells you how many machines to pivot to.