Penetration Testing for dummies – Part 3: Networking basics

In the last part of the blog series we have seen the history of internet & the basics of web applications. I hope you understood how to create a simple server. Now, you know what is Apache. We know what a client is. Finally we have connected to our simple web application from another machine’s browser in the same LAN(networking basics starts here 🙂 ) . That’s where we are so far. 

But this needs to be taken to next level and we need to access our application from anywhere around the globe. How? You’d answer this question by yourself once you are done reading this article. There are a lot of key concepts you need to understand. Hold my beer and let’s get started. 

Networking basement: Understanding IP address

The first thing everyone would start with when talking about networking is, IP address. So we expect the internet to find our web application by some means. Just think about the analogy of letter posting. In order for someone to send you a letter, they should write down your home address clearly. Only then, the post office system and later the postman can deliver you the letter. Yes, we are talking about an address which can be used by anyone to understand your computer. And it is called the IP address

An IP address is a set of numbers. To be more clear, it’s a 32 bit long number grouped into four octets. Have a look at the diagram below:

We know that an octet is a set of 8 binary digits. That means, the maximum value an octet can contain is 11111111 or 255 in decimal. The minimum value should be 0. So, IP addresses range from to that makes a total of 4,294,967,296 addresses available. Well, that’s a significantly huge number. But.. ahem, I still have a doubt. The world of computing is getting bigger day by day. So, would this number suffice to represent all the computers in the whole world? 

Great question! And the answer is NO. And, that’s why Internet Engineering Task Force (IETF) have introduced IPv6. What we have seen above is the IPv4 address and IPv6 set of addresses are much bulkier in number and it solves the need of more IPs. I’m not going to explain this here. Go ahead and have a little research.

Let’s comeback to our topic and see how IPv4 addresses are classified.

Classification of IP address

The Internet Assigned Numbers Authority (IANA) have reserved the following IP address for certain set of functions:

  • This IP represents the default network. A machine can have more than one IP if it is connected to more than one networking interface. In that case, if you want to listen incoming traffic on both the interfaces, then this IP can be used.
  • It is reserved for network broadcasts. We will discuss more of these networking concepts on the go.
  • It is the loopback address. For simplicity let’s think it as the address of localhost as mentioned in the last part of the blog series. In reality, loopback is a range of IP addresses from to They all are reserved.
  • to When you are turning on the internet connection on your mobile phone or connecting the modem with your computer, an IP will be assigned to your device(mobile or computer). This is done accordingly to a protocol called DHCP. Now, when the DHCP fails to assign an IP address, then the computer will itself choose an unallocated IP fom this pool. This is a feature for Windows only and it is called Automatic Private IP Addressing (APIPA).

Apart from this, there is another type of IP reservation based on subnet as follows. They are called private IP addresses.

Private vs Public IP address

We know that we are short of IPs (IPv4s to be precise). So, we have two types of addresses to overcome the problem, viz Private and Public Ip address. 

A private address is assigned to devices within your network. This IP address is used to uniquely identify your device within the network. This is the IP address assigned to your machine by the router. When you type ifconfig to the terminal, what you see is the private IP of your computer. Let’s see which are the reserved private IPs.

  • to — This falls within the Class A address range of to
  • to — This falls within the Class B address range of to
  • to — This falls within the Class C range of through

Apart from these there are few more IP addresses which are reserved for subnets.

  • Multicast (formerly called Class D) — The first four bits in the address are 1110, with addresses ranging from to
  • Reserved for future/experimental use (formerly called Class E) — addresses to

From the above networking diagram diagram, I hope you are clear with Public IP. It is the IP assigned by your internet provider to your router. In other words, the public IP of all the devices falling under that router will have the same Public IP address. 

The easiest way to see your public IP would be asking Google.

How to map my web application with my public IP?

Let me tell you the key takeaway from the last paragraph. If two computers in the same LAN needs to communicate, we use their private IP address. But if the computers are from a totally different LAN (or even from a different country) then we have to use the Public IP for communication. You are following me, aren’t you?

Now let’s dig a bit more to this networking and think of how someone sitting in Alaska can access the web application hosted by me in my computer in India. We are so sure that my Public IP address is the only way this can be done. But what will happen if someone calls my Public IP address from Alaska? Imagine that he had inserted is my public IP) into his url bar from Alaska. His request will come straight into my router. But, is my router running a web server? Nope. The web server is running inside a machine under the LAN controlled by the router. So, when the router receives the request from some user to access my web server, it has to forward that request to my machine. Then only he will be able to access my web application. And that process is called port forwarding. That is, when the router sees a request to access my web application, it will forward that request to the port 80 of my machine (where my Apache server is running).

Now, here is my question. Is it safe and reliable to host your web application in your own machine and in your own network? Are you sure that you can provide services 24/7? 

Need for cloud hosting

Let us discuss why hosting a web application in your own machine is a bad idea. We will make bullet points:

  • There can be 1000s or millions of people will be connecting to your web application. In order to serve them all without network latency, you would require an internet connection with really really high speed. In the range of Gbps at times.
  • You would also require huge amount of disk space and memory. Otherwise your machine would hang and burn
  • Imagine that you have all the above things, still you need to keep a 99% uptime 24/7. You would require a dedicated team in support and that’s worse.

to summarise, self hosting isn’t at all a recommended method. 

Now, that’s where hosting providers comes into play. There are dedicated machines available to buy which will do all the necessary port forwarding and stuff. They will have enough system memory based upon your requirement, a very high speed internet connectivity and 24/7 support in most cases if you need any help.

There are many hosting providers available such as Amazon Web Service, Google Cloud, Digital Ocean and so on. When you sign up and add your convenient payment method, you will be shown with a list of machines with various configurations. You can select one. Each of these machines are basically a CPU just like yours. You can install a server application like Apache, install PHP and write some PHP codes and host your own web application there. The hosting provider will do most of all the networking stuff for you. 

How I hosted my WordPress blog in NameCheap web hosting

If you'd like to read how to host a web application in a remote hosting space, click the link and read. This is slightly beyond the scope of this article and I am not going to explain it in Layman's terms here.

Dedicated IP address

Another advantage of having a hosting provider is, you will get a dedicated IP address (Public IP obviously). If you are doing self hosting, then getting a dedicated IP address (we call them static IP address) will be very very costly. For a normal broadband connection, you might have noticed that the public IP is different each time you connect the internet. Do you know why? Each internet provider (such as Verizon or AT&T) will have a pool of IP address in hand. When you try to connect internet, your service provider is assigning a free IP from the pool to you. And hence these are called dynamic IP. Now you know why you can’t consider dynamic IP address for your web application. Don’t you? 

Yes, the clients need to know the current IP address each time they want to connect to your app, which is really annoying. 

So, we have hosted our web application, we have the IP address of our application and now the next part is pointing the IP to a domain name. 

Domain names

What is the need of a domain name? In day to day life all of us will be dealing with many web applications such as Facebook, Google and LinkedIn. Will you be able to remember all of their IP addresses? Of course not, and that’s where domain names come into play. You can purchase a domain name you like from sources such as GoDaddy or NameCheap. Today, the Internet Corporation for Assigned Names and Numbers (ICANN) manages the top-level development and architecture of the Internet domain name space. It authorizes domain name registrars, through which domain names may be registered and reassigned. 

The above figure is self explanatory, isn’t it? If you are interested, go ahead and read more on the breakdown of a domain name. Once you have bought the domain you can assign them to your web application using the static IP address provided by your hosting service. Pointing the IP to a domain name is basicalle called an A Record in the DNS terms. There are other types of records such as CNAME, TXT, AAAA, MX and so on. Each one has its own purpose. So, we are talking DNS. But how does it actually store all the IP-domain mappings and serve along the globe whenever required? That’s another interesting big story.

We have covered only the very basics of networking in this article. Networking is a broad term and I have tried to make is simple and was trying to explain it in terms of web applications. There is more to networking. Come back to this space soon to read about DNS and consider buying me a coffee if you like the article. 

Leave a Comment

Recent Posts

How to migrate from LastPass to Bitwarden

As a LastPass user, you might have noticed the changes introduced last day. The message… Read More

2 years ago

Amazon AWS network security checklist

This post presents with a few bunches of AWS network security checklist. It is basically… Read More

3 years ago

The long curated web security checklist based on OWASP

What is this web security checklist? Here is a curated web security checklist for developers… Read More

3 years ago

Penetration Testing for dummies – Part 2: Understanding web applications

Welcome back budding pen-testers. :) In the first part of the blog series we have… Read More

4 years ago

How to enable SSH on Google Cloud Compute Engine

Last day I was riddling with Evilginx, a phishing attack tool. It needs to be… Read More

4 years ago

Kali/Ubuntu stuck at blank screen; No icons, unity or gnome : Fixed

I have been using an older version of Kali Linux. I used to update occasionally.… Read More

4 years ago