CyberCode Academy episodes:

• December 17, 2025Course 14 - Wi-Fi Pentesting | Episode 4: Cracking WEP Encryption: Gaining Network Access

  In this lesson, you’ll learn about:
  

  • What WEP encryption is and why it is weak
  • How the RC4 algorithm is used (and broken) in WEP
  • How Initialization Vectors (IVs) cause WEP to fail
  • Capturing WEP traffic using Airodump-ng
  • Cracking WEP keys using Aircrack-ng
  • Speeding up WEP cracking on idle networks
  • Using fake authentication and packet injection
  • Preparing for post-connection attacks after cracking WEP

  Cracking WEP Encryption Why WEP Is Weak WEP (Wired Equivalent Privacy) is an old Wi-Fi encryption method that uses:
  

  • RC4 encryption algorithm
  • A shared secret key for encryption and decryption

  How WEP works:
  

  • The access point generates a 24-bit Initialization Vector (IV)
  • The IV is combined with the network password
  • Together they generate a keystream
  • This keystream encrypts the packets
  • The IV is sent in plain text with every encrypted packet

  Why this is dangerous:
  

  • A 24-bit IV is very small
  • On busy networks:
    • IVs repeat very quickly
  • Repeated IVs allow:
    • Statistical attacks
    • Tools like Aircrack-ng to recover the keystream
    • The WEP password to be cracked

  Cracking WEP in Practice The attack process consists of two main stages: 1. Capturing Data (IV Collection)
  

  • Use Airodump-ng to capture packets
  • Packets are saved into a capture file
  • The “data” counter represents:
    • The number of unique IVs collected
  • The higher the data count:
    • The higher the success rate
  • On busy networks:
    • IVs increase very fast
    • Cracking can take only minutes

  2. Cracking the Key
  

  • Use Aircrack-ng on the captured file
  • Aircrack-ng performs:
    • Statistical analysis
    • RC4 weaknesses exploitation
  • Once the key is recovered:
    • You can connect to the network
    • You gain full network access

  Handling Idle Networks If the network is not busy:
  

  • IV collection becomes extremely slow
  • Cracking may take many hours or longer

  To solve this, attackers force packet generation 1. Fake Authentication (Association) Before injecting packets, the attacker must:
  

  • Associate with the target network
  • Association means:
    • The access point accepts your device
    • Even though you are not fully connected

  This is done using:
  

  • aireplay-ng fake authentication attack
  • This tells the access point:
    • “I am a valid client”

  Association is required so:
  

  • The access point does not ignore injected packets

  2. Packet Injection After successful association:
  

  • The attacker injects packets into the network
  • This forces the access point to:
    • Generate large numbers of new packets
    • Create new IVs very quickly
  • The IV count rises:
    • From a few hundred
    • To tens of thousands in minutes
  • This allows:
    • Very fast WEP cracking
    • Even on a completely idle network

  After Cracking the Key Once the WEP key is recovered:
  

  • You can:
    • Connect to the Wi-Fi network normally
    • Intercept traffic
    • Gather sensitive information
    • Perform man-in-the-middle attacks
    • Modify data in transit
  • This prepares you for:
    • All post-connection attacks
    • Covered in later lessons

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 16, 2025Course 14 - Wi-Fi Pentesting | Episode 3: Targeted Wireless Network Discovery and Pre-Connection Bypasses

  In this lesson, you’ll learn about:
  

  • Sniffing wireless networks on both 2.4 GHz and 5 GHz bands
  • Performing targeted packet capture on a specific access point
  • Saving and analyzing captured wireless traffic
  • Executing deauthentication attacks without knowing the password
  • Discovering the names of hidden wireless networks
  • Reconnecting to hidden networks after revealing their SSIDs
  • How MAC filtering works and how it is bypassed

  Targeted Wireless Discovery & Pre-Connection Access Wireless Band Sniffing (2.4 GHz & 5 GHz) Wireless networks broadcast on two main frequency bands:
  

  • 2.4 GHz
  • 5 GHz

  Key points:
  

  • By default, airodump-ng only sniffs the 2.4 GHz band
  • To sniff 5 GHz, you must use:
    • --band A
  • To sniff both at once:
    • --band ABG
  • Sniffing both bands:
    • Requires a powerful wireless adapter
    • Is usually slower
  • The adapter must support 5 GHz, otherwise no data will be captured from that band

  Targeted Sniffing & Data Capture Instead of capturing all networks, you can focus on:
  

  • One specific target network

  This is done by specifying:
  

  • BSSID: Target network MAC address
  • Channel: Operating channel

  Targeted capture allows you to:
  

  • View only:
    • The target access point
    • Connected clients (stations)
  • Save captured packets to files:
    • .cap files
  • Even though all packets are captured:
    • If the network uses WPA/WPA2
    • The data appears encrypted and unreadable
    • Wireshark will display it as gibberish without the key

  The Deauthentication Attack A deauthentication attack allows you to:
  

  • Disconnect any connected device
  • Without:
    • Knowing the Wi-Fi password
    • Being connected to the network

  How it works:
  

  • The attacker pretends to be:
    • The router when talking to the client
    • The client when talking to the router
  • This forces the device to disconnect

  Tool used:
  

  • aireplay-ng

  Discovering Hidden Networks Hidden networks:
  

  • Do not broadcast their SSID (name)
  • Still broadcast:
    • MAC address
    • Channel
    • Encryption type

  Steps to reveal a hidden SSID:
  

  1. Run airodump-ng against the hidden network only
  2. If a client is connected:
     • Launch a deauthentication attack
     • Send a small number of packets (e.g., 4)
  3. When the client reconnects:
     • It sends the network name in the air
  4. Airodump-ng captures:
     • The previously hidden SSID

  Connecting to Hidden Networks After discovering the SSID:
  

  • The wireless card must return to:
    • Managed mode

  This can be done by:
  

  • airmon-ng stop
  • Or by:
    • Disconnecting and reconnecting the wireless adapter

  If the network manager service is stopped:
  

  • Restart it using:
    • service network-manager start

  Once restored:
  

  • Manually enter:
    • The discovered SSID
    • The correct security type
  • Then connect normally

  Bypassing MAC Filtering MAC filtering controls which devices can connect using:
  

  • Their MAC address

  Two types: Blacklist
  

  • Blocks specific MAC addresses
  • Easily bypassed by:
    • Changing your MAC address to a random one

  Whitelist
  

  • Only allows specific MAC addresses
  • Harder to bypass, but still possible

  Bypassing a whitelist:
  

  1. Use airodump-ng to detect:
     • A client already connected to the target network
  2. That client’s MAC must be:
     • On the whitelist
  3. Use macchanger with:
     • -m to clone that MAC address
  4. Return to managed mode
  5. Connect to the network successfully using the spoofed MAC

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 15, 2025Course 14 - Wi-Fi Pentesting | Episode 2: Network Fundamentals, Wireless Adapter Setup, and Packet Sniffing Basics

  In this lesson, you’ll learn about:
  

  • How wireless networks operate and transmit data
  • Why packet sniffing is possible in Wi-Fi environments
  • The role of external USB wireless adapters in security testing
  • What MAC addresses are and how they function in networks
  • The difference between managed mode and monitor mode
  • Enabling monitor mode using airmon-ng and iwconfig
  • Discovering nearby networks using Airodump-ng

  Wireless Networking & Packet Sniffing Fundamentals Basic Network Operation A wireless network consists of:
  

  • Clients (devices such as laptops and phones)
  • An access point (router or server)

  The access point acts as:
  

  • The only gateway to shared resources
  • The connection point to the internet

  Communication happens through:
  

  • Requests and responses
  • Sent in the form of data packets

  In Wi-Fi networks:
  

  • Packets travel through the air
  • Any device within range can potentially:
    • Capture usernames
    • Capture passwords
    • Capture visited URLs
  • This is what makes wireless packet sniffing possible

  External USB Wireless Adapter Built-in wireless cards:
  

  • Usually do NOT support:
    • Monitor mode
    • Packet injection

  For security testing, you must use:
  

  • A specialized external USB wireless adapter

  Setup inside Kali Linux (VirtualBox):
  

  • Plug in the adapter
  • Attach it using:
    • VirtualBox → Devices → USB
  • Kali will recognize it as an interface such as:
    • wlan0

  Understanding the MAC Address The MAC Address (Media Access Control) is:
  

  • A unique physical address
  • Permanently assigned to each network interface

  Key roles:
  

  • Used inside the local network
  • Directs traffic between devices

  Packet structure includes:
  

  • Source MAC
  • Destination MAC

  Uses of MAC spoofing:
  

  • Increasing anonymity
  • Bypassing MAC filtering
  • Avoiding device tracking

  Wireless Operating Modes Managed Mode (Default)
  

  • The wireless card only:
    • Receives packets sent to its own MAC address
  • Normal internet usage mode

  Monitor Mode
  

  • The wireless card:
    • Captures ALL packets in the air
    • Regardless of destination
  • Required for:
    • Packet sniffing
    • Network attacks
    • Security analysis

  Enabling Monitor Mode Steps used:
  

  1. Stop conflicting processes:
     • airmon-ng check kill
  2. Enable monitor mode:
     • Use iwconfig or airmon-ng start wlan0

  After activation:
  

  • The interface switches to monitor mode
  • It can now capture every wireless packet in range

  Packet Sniffing with Airodump-ng Airodump-ng allows you to:
  

  • Discover all nearby Wi-Fi networks
  • Monitor traffic without connecting

  Displayed network information includes:
  

  • ESSID: Network name
  • BSSID: Router MAC address
  • PWR: Signal strength
  • Channel: Wireless channel used
  • Encryption: WPA, WPA2, WEP
  • Cipher: Encryption algorithm
  • Authentication: Access method

  Successful Airodump-ng output confirms:
  

  • The adapter is working correctly
  • Monitor mode is functioning properly
  • The system is ready for wireless security auditing

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 14, 2025Course 14 - Wi-Fi Pentesting | Episode 1: Setting Up the Virtual Hacking Lab: VirtualBox and Kali Linux

  In this lesson, you’ll learn about:
  

  • How to set up a complete virtual hacking lab
  • The role of VirtualBox in safe security testing
  • Installing and configuring Kali Linux as a virtual machine
  • Understanding NAT networking in virtual environments
  • Navigating the Kali Linux desktop and workspace system

  Building a Virtual Hacking Lab with VirtualBox & Kali Linux Installing VirtualBox VirtualBox is a virtualization platform that allows you to run multiple operating systems on a single physical machine (host), including Windows, macOS, and Linux. Key benefits:
  

  • Runs multiple virtual machines (VMs) inside your main system
  • Provides complete isolation between the host and the lab
  • Prevents damage to the real system if a VM is compromised
  • Supports snapshots for quick restore after experiments

  After installation:
  

  • The VirtualBox Extension Pack must be installed
  • Enables:
    • USB device support
    • Wireless adapters
    • Mouse and keyboard integration

  Installing Kali Linux as the Hacking Machine Kali Linux is a Debian-based operating system designed specifically for:
  

  • Penetration testing
  • Digital forensics
  • Security research

  It comes:
  

  • Pre-installed with hacking tools
  • Fully pre-configured for security testing

  Installation Method
  

  • Download the Kali Linux VirtualBox OVA image
  • Import the OVA file directly into VirtualBox
  • No manual OS installation is required

  Recommended Virtual Machine Settings
  

  • RAM: 1 GB minimum
  • CPU: 1 processor
  • Network Mode: NAT

  Understanding NAT Network Configuration
  

  • NAT creates a virtual private network for all VMs
  • The host system acts as the router
  • All VMs can:
    • Access the internet
    • Communicate with each other
  • No direct exposure to the real external network

  Kali Linux Login Credentials
  

  • Username: root
  • Password: toor

  Kali Linux Desktop Overview Key interface components include:
  

  • Applications Menu
    • Contains all hacking tools grouped by category
  • Places Menu
    • Quick access to important directories such as:
      • /root home directory
  • System Tray
    • Network control
    • Audio
    • Display settings

  Workspaces in Kali Linux
  

  • Kali uses multiple virtual desktops by default
  • Allows separation of:
    • Scanning tasks
    • Exploitation tasks
    • Reporting tools

  Internet & Wireless Considerations
  

  • Internet access works automatically via NAT
  • Connecting directly to Wi-Fi from Kali:
    • Requires an external USB wireless adapter
    • Internal laptop Wi-Fi cannot be directly controlled by Kali inside a VM

  Learning Environment Readiness
  

  • Users are encouraged to:
    • Explore menus
    • Practice navigation
    • Get comfortable with terminal usage
  • This environment will be used throughout the entire course

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 13, 2025Course 13 - Network Forensics | Episode 8: Email Analysis and Forensic Investigation

  In this lesson, you’ll learn about:
  

  • How email systems work from a forensic perspective
  • Where and how email evidence can be recovered
  • How headers, protocols, and timestamps help analysts trace message origins
  • Legal considerations affecting email investigations
  • Tools used in forensic email analysis

  Email Analysis & Forensic Investigation Forensic Locations and Evidence Recovery Email evidence can reside in multiple places, so investigators must consider:
  

  • Client/Suspect Machine: Local email clients, temporary files, swap space, browser cache, slack space.
  • Mail Server: Messages stored during transit or retained copies.
  • Recipient’s System: Evidence often found in the receiver’s mailbox or client.
  • Intermediate Entities: ISPs may also hold relevant artifacts.

  Effective investigation requires understanding email systems, storage behaviors, and how different clients manage local vs. server-side data. Email Structure & Protocols Email messages consist of two main components: Header
  

  • Contains trace information, routing data, and metadata.
  • Fields are generated by the sender, their client, and each server the message passes through.
  • Crucial for tracking the message back to its true point of origin.

  Body
  

  • The actual message content, which may include attachments.

  Protocols
  

  • SMTP (port 25) – responsible for sending mail.
  • POP3 (port 110) – retrieves email, often removing it from the server.
  • IMAP – keeps messages stored server-side for synchronization.
  • Ports may be customized, so correct port filtering is essential.

  Encoding
  

  • MIME – standard encoding for transmitting messages and attachments across networks.
  • S/MIME & PGP – used for secure, encrypted email communications.

  Message Storage & Client Forensics Email storage varies depending on configuration:
  

  • Stored only on the server
  • Stored on both client and server
  • Deleted from the server after retrieval by client settings

  Important points:
  

  • Client settings (like in Outlook) may be overridden by the server.
  • Browser-based clients store less structured email data but may leave:
    • Cached message views
    • Temporary HTML copies
    • Thumbnails

  Outlook & PST Files
  

  • Outlook stores email data in PST files, which are typically the largest and most valuable evidence sources.

  Email Tracing & Header Analysis Technical headers provide the primary means to trace an email’s path. How to Trace an Email
  

  • Analyze the Received: header fields.
  • Begin from the bottom entry (earliest hop).
  • Move upward to reconstruct the route.
  • Evaluate timestamps and time zone offsets carefully to avoid misinterpreting the message flow.

  Key Considerations
  

  • Some header fields can be spoofed, but not all.
  • Tools for verification include:
    • Sam Spade
    • DNS lookup tools
    • WHOIS

  BCC Field
  

  • If the BCC field appears in a header, it simply confirms a blind copy was sent, though the recipient remains hidden.

  Legal & Investigative Factors The level of legal protection depends on message age and state:
  

  • Unopened emails (< 90 days) → Highly protected, often requiring a warrant.
  • Opened emails → Lower level of protection.
  • Unopened emails (> 90 days) → Reduced protection.
  • Emails (> 180 days) → Minimal protection regardless of status.

  Legal guidance is critical, especially during investigations involving phishing or other malicious email-based attacks. Tools & Monitoring Techniques Investigators rely on several forensic tools: Forensic Suites
  

  • FTK (AccessData)
  • EnCase (Guidance Software)
    • Both support PST extraction and email analysis.

  Network Monitoring Tools Used to examine raw email traffic, especially SMTP:
  

  • Wireshark
  • Microsoft Network Monitor
  • TCPdump
  • TShark

  Typical filtering involves isolating traffic on port 25 (SMTP) or any non-standard port used by the mail service.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 12, 2025Course 13 - Network Forensics | Episode 7: Web Traffic Analysis and Browser Forensics: Handshakes, DNSSEC, and Cookies

  In this lesson, you’ll learn about:
  

  • How to identify and analyze web traffic using network forensics techniques
  • The role of DNSSEC in securing DNS infrastructure
  • Browser forensics across IE, Firefox, Chrome, Edge, and Safari
  • How history files, caches, and artifacts differ between browsers
  • The forensic value of cookies and how they are stored and analyzed

  1. Network Traffic Analysis Fundamentals A core skill in network forensics is the ability to recognize and interpret the TCP three-way handshake.
  This handshake—SYN → SYN/ACK → ACK—is the best indicator of:
  

  • A new connection forming
  • Impending data transfer
  • The type of communication taking place

  Identifying Web Traffic
  

  • Port 80 typically indicates HTTP web traffic
    • A GET request usually confirms this
  • Port 23 indicates Telnet, which sends data in plaintext

  Older packet captures may reveal metadata about the remote system:
  

  • Example: Seeing IIS5 suggests the server was running Windows 2000

  Being able to identify OS fingerprints and protocol behavior is critical for traffic analysis. 2. Enhancing Security with DNSSEC DNSSEC (DNS Security Extensions) is recommended to strengthen DNS infrastructure. Key Benefits of DNSSEC
  

  • Cryptographic signing of records prevents unauthorized changes
  • Makes DNS poisoning or zone file tampering extremely difficult
  • If a compromise occurs, DNSSEC provides detailed forensic evidence
    • Signatures
    • Validation failures
    • Tampered data traces

  DNSSEC does not fix DNS’s entire design, but it dramatically increases integrity and trust. 3. Browser and Client-Side Forensics Different browsers store history, cache, and session data in different formats and file locations. These paths also vary across operating systems. Understanding these artifacts is essential for analyzing user activity. Internet Explorer (IE) Key artifact: index.dat
  

  • A binary file that logs significant browsing activity
  • Cannot be opened with Notepad or standard editors
  • Requires specialized tools or index.dat viewers
  • Older systems stored IE artifacts under:
    Local Settings\Temporary Internet Files

  IE’s structure makes it rich in recoverable artifacts even after attempted deletion. Firefox Key artifact: history.dat
  

  • Stored in ASCII format, viewable in plain text
  • Easier to read than IE’s binary format
  • However, it does not directly link visited sites with cached pages
    • Reconstruction of user view is harder
  • Stored under the user profile in Application Data > Firefox folders

  Firefox’s structured but separated data can make page reconstruction challenging. 4. The Forensic Significance of Cookies A cookie is a small text file saved by websites to store:
  

  • Language preferences
  • Activity
  • Session identifiers
  • Visit frequency

  Cookies are critical in forensics because they persist even when:
  

  • History is deleted
  • Cache is wiped
  • Private browsing was used

  Why Cookies Matter
  

  • Show repeated visits vs. “accidental” single access
  • Reveal behavior and browsing patterns
  • Tie activity to specific sessions or visits
  • Help reconstruct long-term user engagement

  Cookie Characteristics
  

  • Minimum expected size: 4 KB
  • Contain six components (e.g., name, value, expiration date, domain, path, flags)
  • Session cookies: deleted when browser closes
  • Persistent cookies: stored long-term and replayed on revisit
  • Often used for access control and session management

  Tampering and Manipulation Cookies can be intercepted or modified using tools such as:
  

  • Burp Suite
  • Browser developer tools

  Examples include:
  

  • Modifying session cookies
  • Changing identifiers
  • Influencing e-commerce machine-learning systems that adjust prices based on user interest/visit frequency

  Storage Locations Each browser (IE, Edge, Chrome, Firefox, Safari) stores cookies in different folders and formats, often encoded or indexed. Precise knowledge of these locations is required during forensic acquisition or investigation.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 11, 2025Course 13 - Network Forensics | Episode 6: Wireless Network Analysis, Standards, and Security Forensics

  In this lesson, you’ll learn about:
  

  • Wireless networking fundamentals, standards, and modulation techniques
  • Key 802.11 amendments and operating modes
  • The evolution of Wi-Fi security from WEP to WPA2 Enterprise
  • Common wireless threats and attack techniques
  • Forensic considerations when investigating compromised wireless devices

  1. Wireless Fundamentals and Standards Wireless LANs rely on several core components:
  

  • Access Points (APs)
  • Wireless NICs
  • Antennas, such as Yagi, parabolic, and omnidirectional models

  Wi-Fi operates mainly in unlicensed frequency bands, typically 2.4 GHz and 5.8 GHz. Spread Spectrum Techniques These methods reduce interference and support reliable wireless communication:
  

  • Frequency Hopping Spread Spectrum (FHSS)
    • Used in early 802.11
    • Continuously hops frequencies to resist narrowband interference from devices like Bluetooth or microwaves
  • Direct Sequence Spread Spectrum (DSSS)
    • Used in 802.11b/g
    • Works best on the non-overlapping channels (1, 6, 11) in 2.4 GHz
    • Limited channel spacing drove the move to 5.8 GHz (802.11a/ac), enabling more adjacent APs with less interference

  Key 802.11 Amendments
  

  • 802.11c – Enabled MAC bridging to connect facilities
  • 802.11e – Introduced QoS for reliable audio/video transmission
  • 802.11f – Developed roaming capabilities between APs
  • 802.11i – Major security upgrade and foundation of WPA2 Enterprise
    • Enabled port-level authentication with RADIUS and smart cards

  Operational Modes
  

  • Infrastructure Mode (BSS) – Uses an AP
  • Ad Hoc Mode (IBSS) – Peer-to-peer without an AP

  Wireless Application Protocol (WAP)
  

  • Used older mobile devices
  • Pages structured using WML, based on XML, divided into decks and cards

  2. Evolution of Wireless Security Protocols WEP (Wired Equivalent Privacy)
  

  • Early Wi-Fi security but fundamentally flawed
  • Claimed “64-bit encryption,” but truly offered 40-bit key strength
  • Used a 24-bit IV, transmitted in clear text
    • IV space exhausted quickly → collisions → RC4 encryption breaks
  • Relied on static keys and manual distribution

  WPA (Wi-Fi Protected Access) Created as a temporary fix to WEP’s failures:
  

  • Increased IV space from 24 to 48 bits
  • Used 128-bit keys
  • Introduced TKIP for dynamic key generation
  • Initially used RC4, later transitioned to AES + TKIP

  WPA2 Enterprise Introduced via 802.11i:
  

  • Uses AES encryption (later with ECC)
  • Implements port-level authentication through RADIUS
  • Supports enterprise credentials and smart cards
  • Considered the standard for strong Wi-Fi security

  3. Wireless Threats and Attack Techniques Misconceptions and Weak Protections
  

  • SSID Hiding
    • Ineffective—SSID appears in clear text in management frames
  • MAC Filtering
    • Easily bypassed via MAC spoofing

  Common Wireless Attacks
  

  • Eavesdropping (passive sniffing)
  • War Driving (locating WLANs while moving)
  • DoS Attacks
    • Flooding deauthentication frames
    • Spoofing AP messages
  • DNS Poisoning
  • Rogue Access Points
    • Attackers create a fake AP with the same SSID
    • Tools like the WiFi Pineapple attract clients using a stronger signal

  Bluetooth Threats
  

  • Bluejacking – Sending unsolicited messages
  • Bluesnarfing – Stealing data via unauthorized Bluetooth access

  Link Encryption Concerns
  

  • Wi-Fi uses link-layer encryption, meaning:
    • Data is decrypted and re-encrypted at every hop
    • Each hop creates an additional point of vulnerability

  4. Wireless Forensics and Investigation To investigate compromised wireless devices, analysts must understand:
  

  • How authentication and association occur
  • That Wi-Fi uses symmetric, shared-key encryption
    • The same key encrypts data on the client and decrypts it on the AP
  • How to detect abnormal wireless activity

  Key Forensic Techniques
  

  • Conduct wireless site surveys
  • Use tools such as:
    • NetStumbler (network discovery)
    • Wireshark (packet capture and analysis)
  • Examine management frames, signal strength patterns, and authentication logs

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 10, 2025Course 13 - Network Forensics | Episode 5: TCP/IP Layers, Data Flow, and Network Tools

  In this lesson, you’ll learn about:
  

  • The fundamentals of protocol analysis and how data flows through network layers
  • The TCP/IP and OSI networking models
  • Encapsulation and decapsulation processes
  • Key Layer 3 and Layer 4 protocols
  • Essential tools for analyzing network traffic, including Wireshark and Nmap

  1. Introduction to Protocol Analysis This lesson provides foundational knowledge of how network communications work, focusing on:
  

  • The structure and behavior of networking models
  • How data moves across a network
  • How to use analysis tools to understand packet content

  The lesson contrasts:
  

  • The TCP/IP Model (4 layers): Application, Transport, Internet, Network Access
  • The OSI Model (7 layers), widely used in academic settings for conceptual understanding

  2. Data Encapsulation and Flow Encapsulation Explained (“Onion” Model) As data travels down the network stack:
  

  • It starts as the original message (the “core” of the onion)
  • Each layer adds its own headers and sometimes trailers
  • These layers wrap the message to form a complete network frame

  Layer-by-Layer Wrapping
  

  • Transport Layer (Layer 4)
    Adds source/destination ports and TCP flags
  • Internet Layer (Layer 3)
    Adds source/destination IP addresses
  • Network Access Layer
    Adds MAC addresses and prepares data for physical transmission

  At the receiving end, layers are removed one by one (decapsulation) until the message reaches the Application Layer. 3. Key Network Layers and Protocols A. Layer 3 – Internet Layer / IP Layer 3 is responsible for addressing and routing. Core Functions
  

  • Identifying devices using unique IP addresses
  • Adding source/destination IPs to each packet
  • Determining routing paths across networks

  IP Addressing Concepts
  

  • IP addresses use 4 octets (8 bits each → 0–255)
  • Five IP address classes are defined historically
  • Private IP ranges include:
    • 10.x.x.x
    • 172.16.x.x – 172.31.x.x
    • 192.168.x.x

  Subnetting and CIDR
  

  • Subnet Mask: Similar to a zip code that defines network boundaries
  • CIDR / Slash Notation (e.g., /24, /12) provides flexible subnetting
  • Helps efficiently allocate IP space

  Types of IP Transmission
  

  • Unicast – one-to-one
  • Broadcast – one-to-everyone on the network
  • Multicast – one-to-a specific group

  B. Layer 4 – Transport Layer / TCP & UDP Layer 4 provides end-to-end communication. TCP (Transmission Control Protocol)
  

  • Reliable, connection-oriented
  • Ensures order delivery and handles retransmissions
  • Uses the three-way handshake: SYN → SYN-ACK → ACK
  • Session shutdown uses the FIN–ACK process

  UDP (User Datagram Protocol)
  

  • Lightweight, connectionless
  • Suitable for quick bursts of data (e.g., streaming, gaming)

  Ports and Sockets
  

  • Ports = “lanes on a highway” for different services (e.g., port 80 for HTTP)
  • Sockets combine IP + Port to identify unique connections
    • Works with both TCP and UDP

  4. Protocol Analysis Tools A. Wireshark A powerful packet analysis tool used to inspect and dissect network traffic. Key Features
  

  • Captures packets (“network sniffing”)
  • Allows deep packet inspection
  • Supports protocol tree view (mapped to OSI layers)
  • Provides a hex dump showing raw data

  Wireshark can even reconstruct data streams and extract file content from packet captures. B. Nmap (Network Mapper) A widely used open-source tool for network discovery and service enumeration. What Nmap Can Identify
  

  • Port states (open, closed, filtered)
  • Operating system fingerprints
  • Service versions
  • Network topology

  Nmap understands both:
  

  • Traditional subnet masks
  • CIDR notation (e.g., /24, /22)

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 09, 2025Course 13 - Network Forensics | Episode 4: Log Analysis, SIM Correlation, and Network Attack Signature Detection

  In this lesson, you’ll learn about:
  

  • Log analysis fundamentals and why logging is essential for security visibility
  • SIM (Security Information and Event Management) correlation and event analysis
  • Network attack signature detection using tools such as Snort and packet capture analysis

  1. Introduction to Logging and Security Visibility Effective security monitoring depends on logging the right information and establishing baselines for normal behavior. A common challenge is that security tools—especially IDS sensors—produce many false positives, which can lead analysts to ignore real threats (as seen in major breaches such as Home Depot). 2. Logging Strategy and Log Integrity Logging Strategy Essentials Organizations must implement:
  

  • A clear logging strategy
  • Structured and normalized log data
  • Centralized logging
  • Real-time and continuous monitoring
  • Long-term storage for historical correlation

  What Must Be Logged
  

  • Unsuccessful authentication attempts
    • Example: 100 → 10,000 attempts indicates brute-force or dictionary attacks
  • Successful authentication attempts
    • Example: 1,000 → 20,000 successful logins indicates compromised credentials being reused

  Maintaining Log Integrity Logs must be treated like financial ledgers:
  

  • Log storage must be read-only
  • Use hashing to ensure logs are not modified
  • Use encryption to protect confidentiality
  • Large storage capacity is required to retain logs for long-term, low-and-slow attack correlation
  • Syslog is the most common centralized log transport and storage method

  3. SIM (Security Information and Event Management) Correlation What SIMs Do SIM systems do not store logs; they:
  

  • Collect and centralize logs from many devices (nodes, routers, switches, appliances)
  • Correlate and analyze events
  • Provide near real-time security violation alerts
  • Reveal attack patterns that individual log sources might not show

  Log Sources for SIM Analysis SIMs typically gather logs from:
  

  • Files (data logs)
  • Operating Systems
  • Network traffic
  • Applications

  Audit Reduction Tools Because audit logs can be massive, tools are used to:
  

  • Eliminate unnecessary data
  • Focus analysts on events of significance

  4. Network Attack Signature Detection Signature detection identifies patterns that indicate malicious activity. Tools such as Snort and packet capture analysis are commonly used. Types of Signatures A. Standard Communication Signatures
  

  • ICMP ping has a predictable payload (A B C D …)
  • TCP three-way handshake (SYN, SYN-ACK, ACK) helps identify typical connections such as FTP (21) or Telnet (23)

  B. Reconnaissance Scans
  

  1. Ping Sweeps
     • Echo requests sent to incrementing IP addresses
  2. Port Scans
     • One source IP sending SYN packets to many ports on one host
     • Modern scanners use non-sequential methods
  3. Stealth Scans (used to evade detection)
     • ACK scans
     • SYN stealth scans
     • FIN scans (only FIN flag)
     • NULL scans (no flags)
  4. Christmas (Xmas) Scans
     • Flags typically set: FIN, URG, PUSH
     • Snort distinguishes traditional Xmas scans from tools like Nmap (which uses only FUP flags)

  C. Denial of Service (DoS) Attacks
  

  • Ping of Death – oversized ICMP packets
  • SYN Flood – large numbers of half-open TCP connections exhausting port capacity

  D. Trojans and Backdoors
  

  • Identified by traffic on known Trojan ports
    • Example:
      • Netbus → port 12345
      • Back Orifice → port 31337

  5. The Objective of Correlation and Detection The primary goal is to:
  

  • Detect attack patterns before they complete
  • Combine behavior-based insight with signature-based detection
  • Continuously update rules and detection logic as threats evolve

  Tools like Snort rely on constantly updated rule sets to stay effective against modern attacks.
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• December 08, 2025Course 13 - Network Forensics | Episode 3: Network Forensics, Security Tools, and Defensive Architecture

  In this lesson, you’ll learn about:
  

  • The purpose and scope of Network Forensics
  • Key evidence sources across a networked environment
  • Essential security tools: scanners, sniffers, IDS/IPS
  • Defensive architecture: firewalls, DMZs, bastion hosts
  • Core security protocols: Kerberos, VPNs, SSH, SSL/TLS
  • Integrity monitoring and log management systems

  1. What Is Network Forensics?
  

  • Network forensics is a branch of digital forensics focused on analyzing network traffic to gather evidence, detect intrusions, and understand attacker behavior.
  • It allows investigators to determine:
    • How an intruder entered
    • The intrusion path taken
    • The techniques used
  • Requires systematic tracking of inbound/outbound traffic and knowledge of “normal” behavior to spot anomalies.
  • Skilled attackers are harder to trace, but all intruders leave artifacts somewhere.

  Key Evidence Sources
  

  • Firewalls
  • Routers
  • IDS/IPS systems
  • Packet sniffers
  • Proxy servers
  • Authentication servers
  • Logs from these devices form the foundation of network investigation.

  Role of Other Forensics
  

  • Network forensics complements computer/memory forensics. Examples:
    • Packet analysis may reveal what to look for on a compromised machine.
    • Memory forensics may indicate specific encrypted packets that require deeper analysis.
  • Tools like tcpdump extract raw packet data.
  • Attacker attribution sometimes requires legal processes (e.g., subpoenas to ISPs or Wi-Fi providers).

  2. Security Tools & OSI Layer Weaknesses
  

  • The OSI model helps identify where vulnerabilities exist.
  • Layers 1, 2, 6, and 7 tend to be weaker than layers 3, 4, and 5.

  Key Security Tools
  

  • Port Scanners
    • Identify open ports and exposed services.
    • Example: Nmap.
  • Packet Sniffers / Analyzers
    • Wireshark (analyzer that can sniff)
    • tcpdump (pure command-line sniffer)
  • Intrusion Detection Systems (IDS)
    • Example: Snort.
    • Works like a sniffer with rules; alerts on malicious patterns.
  • Intrusion Prevention Systems (IPS)
    • Active responses: modify packets, block ports, shut down segments.
    • Must be configured carefully to avoid accidental denial-of-service events.

  3. Defensive Network Architecture Firewalls
  

  • Hardware + software systems controlling access based on packet characteristics.

  Types of Firewalls
  

  1. Packet Filtering (Layer 3)
     • Early model, examines only IP and port.
     • Does not track session state.
  2. Stateful Firewalls (Layer 4)
     • Track session state and connection flows.
     • Prevent forged packets unless the session was legitimately initiated.
  3. Application-Layer Firewalls (Layers 6–7)
     • Deep packet inspection.
     • Can enforce command-level rules (e.g., allow FTP GET but block FTP PUT).

  DMZ (Demilitarized Zone)
  

  • A network segment between internal LAN and the external internet.
  • Hosts public-facing resources (web, mail servers).

  Bastion Host
  

  • Hardened system placed in the untrusted network zone (DMZ).
  • Common examples: web servers, mail servers.

  4. Authentication, Encryption & Secure Protocols Kerberos (SSO Authentication)
  

  • A trusted third-party authentication system.
  • Uses a ticket-granting server to authenticate:
    • Client → Kerberos → Resource (e.g., printer)
  • Commonly used for Single Sign-On.

  VPNs (Virtual Private Networks)
  

  • Encrypt traffic between two endpoints.
  • Important note: VPNs do not create isolated physical paths; they still traverse the same routers.
  • Encryption layers:
    • Layer 2 → L2TP
    • Layer 3 → IPSec
    • Layers 5–7 → SSL/TLS
  • Purpose: privacy, not magical invisibility.

  SSH (Secure Shell)
  

  • Commonly used for encrypted remote access, tunneling, and file transfer.
  • Operates on port 22.

  SSL/TLS Process A hybrid crypto model:
  

  1. Browser creates a secret session key.
  2. Browser encrypts this key using the server’s public key.
  3. Server decrypts it using its private key.
  4. Both sides now share the secret and switch to symmetric encryption for the session.

  5. File Integrity & Log Management File Integrity Checking
  

  • Tools like Tripwire monitor critical files.
  • Use hashing to detect unauthorized changes.
  • Alerts admins when files are modified.

  Log Management & SIEM
  

  • SIEM solutions combine:
    • Security Information Management (SIM)
    • Security Event Management (SEM)
  • Examples: LogRhythm, Splunk.
  • Aggregate logs from across the environment, correlate events, and identify patterns.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---