← Back to all projects

LEARN NETWORK SECURITY BY DOING

Learn Network Security: From Packet Watcher to Protocol Master

Goal: Deeply understand network security by building the offensive tools that break networks and the defensive systems that protect them.

Why Network Security Matters

Network security isn’t just about configuring firewalls; it’s about understanding how data moves through a wire (or air), how trust is established between machines, and how easily that trust can be broken.

To master this, you must stop seeing “internet traffic” and start seeing packets. You need to understand the bytes, the headers, the flags, and the handshakes.

After completing these projects, you will:

  • Read hex dumps like the Matrix.
  • Understand exactly how Man-in-the-Middle (MITM) attacks work.
  • Know how firewalls make decisions.
  • Understand how encryption tunnels (VPNs) are constructed.
  • See the network the way a kernel sees it.

Core Concept Analysis

The OSI Model (Real-World Version)

You need to understand where security lives:

  1. Layer 2 (Link): MAC addresses, ARP. Attack surface: Spoofing, VLAN hopping.
  2. Layer 3 (Network): IP addresses, Routing. Attack surface: Route injection, IP spoofing.
  3. Layer 4 (Transport): TCP/UDP ports. Attack surface: Port scanning, SYN floods.
  4. Layer 7 (Application): HTTP, DNS, SSH. Attack surface: Payload injection, Phishing.

Project List

Projects are ordered from “Passive Observation” to “Active Manipulation” to “Defensive Architecture.”

Project 1: The Raw Packet Sniffer

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: C, Go, Rust
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 1: Beginner
  • Knowledge Area: Network Visibility / PCAP
  • Software or Tool: Wireshark (for verification), Scapy (Python library)
  • Main Book: “Black Hat Python, 2nd Edition” by Justin Seitz

What you’ll build: A tool that listens to the network card in “promiscuous mode,” captures raw binary data, and parses the Ethernet, IP, and TCP headers manually to display source/destination IPs and ports.

Why it teaches Network Security: Security starts with visibility. You cannot secure what you cannot see. This forces you to understand the structure of a packet—where the IP header ends and the TCP header begins.

Core challenges you’ll face:

  • Promiscuous Mode: Making your network card accept traffic not destined for it.
  • Binary Unpacking: Converting raw bytes (e.g., \x08\x00) into human-readable protocols (e.g., IPv4).
  • Endianness: Handling Network Byte Order (Big Endian) vs. Host Byte Order (Little Endian).

Key Concepts:

  • Raw Sockets: “UNIX Network Programming” - W. Richard Stevens
  • Ethernet Frames: RFC 894

Real world outcome:

$ sudo ./sniffer
[+] Listening on eth0...
[ETH] Destination: 00:11:22:33:44:55, Source: 66:77:88:99:aa:bb, Protocol: 2048
  [IP] Src: 192.168.1.5, Dst: 142.250.1.1, TTL: 64, Protocol: 6 (TCP)
    [TCP] Src Port: 54321, Dst Port: 80, Flags: SYN

Implementation Hints: Use socket library. Specifically socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3)) in Linux. This gives you everything, including the Ethernet header. You will need to use the struct module to unpack the bytes based on the standard header lengths (Ethernet is 14 bytes, IP is usually 20 bytes).

Project 2: ARP Cache Poisoner (The LAN Man-in-the-Middle)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Go, C++
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Layer 2 Attacks / Trust
  • Software or Tool: Scapy
  • Main Book: “Practical Packet Analysis” by Chris Sanders

What you’ll build: A script that tricks a target computer (like your phone) into thinking your computer is the Router, and tricks the Router into thinking your computer is the target. This forces all traffic to flow through you.

Why it teaches Network Security: This demonstrates the fragility of Layer 2 trust. The Address Resolution Protocol (ARP) has no authentication; it trusts whatever it hears. This is the foundation of most local network attacks.

Core challenges you’ll face:

  • Race Conditions: You must send packets faster than the real router can correct them.
  • IP Forwarding: If you don’t forward the traffic you intercept, the target loses internet (DoS), and you get caught.
  • Mac Address Resolution: You need to ask “Who has 192.168.1.1?” programmatically.

Key Concepts:

  • ARP Protocol: RFC 826
  • Gratuitous ARP: Sending ARP replies without being asked.

Real world outcome: You will see the HTTP traffic of another device on your network appearing in your Project 1 Sniffer.

Implementation Hints: You need to construct an ARP “is-at” (Opcode 2) packet. To the Victim: “I am the Router (IP), here is my MAC.” To the Router: “I am the Victim (IP), here is my MAC.” Enable sysctl -w net.ipv4.ip_forward=1 on your machine so traffic flows through.

Learning milestones:

  1. Victim loses internet (you forgot to forward packets).
  2. Victim has internet, but you see their traffic (Success).
  3. You implement a cleanup function to restore ARP tables on exit (Stealth).

Project 3: TCP Port Scanner (The Reconnaissance Tool)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Go
  • Alternative Programming Languages: Python, Rust
  • Coolness Level: Level 2: Practical but Forgettable
  • Business Potential: 2. The “Micro-SaaS / Pro Tool”
  • Difficulty: Level 1: Beginner
  • Knowledge Area: Transport Layer / TCP Flags
  • Software or Tool: Nmap (as the gold standard to compare against)
  • Main Book: “Nmap Network Scanning” by Gordon Lyon

What you’ll build: A high-speed concurrent scanner that checks which ports (doors) are open on a target server. You will implement different scan types: Connect Scan (Full handshake) and SYN Scan (Stealth half-open).

Why it teaches Network Security: Security assessment begins with enumeration. You need to understand the TCP State Machine (SYN -> SYN/ACK -> ACK) to know why a port is “Open”, “Closed” (RST), or “Filtered” (No response/Firewall).

Core challenges you’ll face:

  • Concurrency: Scanning 65,535 ports one by one takes forever. You need threads or goroutines.
  • Socket Timeouts: Distinguishing between “Closed” and “Filtered” (dropped packet).
  • Resource Limits: Opening too many file descriptors (sockets) at once will crash your OS.

Key Concepts:

  • TCP Three-Way Handshake: RFC 793
  • File Descriptors: Limits in Linux (ulimit -n).

Real world outcome:

$ ./myscanner -target 192.168.1.10 -mode syn
[+] Scanning 192.168.1.10...
[+] Port 22: OPEN (SSH)
[+] Port 80: OPEN (HTTP)
[+] Port 443: OPEN (HTTPS)
[-] Scan complete in 1.4 seconds.

Implementation Hints: For a “Connect Scan,” just try to connect(). If it succeeds, send close() immediately. For a “SYN Scan” (requires raw sockets/root), send a single SYN packet. If you get SYN/ACK back -> Port is Open (Send RST to close). If you get RST back -> Port is Closed. If you get nothing -> Port is Filtered.

Project 4: Userspace Firewall (The Shield)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: C, Rust
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 3. The “Service & Support” Model
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Packet Filtering / Linux Kernel
  • Software or Tool: NetfilterQueue (NFQueue)
  • Main Book: “Linux Device Drivers” (for understanding kernel modules)

What you’ll build: A program that intercepts packets before they leave or enter your computer, inspects them against a set of rules (e.g., “Block all traffic to Facebook IP”), and decides whether to ACCEPT or DROP them.

Why it teaches Network Security: This teaches you how defensive tools actually work. You aren’t just configuring iptables; you are writing the logic that iptables delegates to. You learn about the hook points in the OS network stack.

Core challenges you’ll face:

  • Kernel-User Interaction: Getting packets out of the kernel to your script and back.
  • Latency: If your script is slow, your internet becomes slow.
  • Protocol Decoding: You have to parse the packet (again) to check IPs/Ports.

Key Concepts:

  • Netfilter Hooks: PREROUTING, FORWARD, INPUT, OUTPUT, POSTROUTING.
  • User-space Queuing: Moving processing out of the kernel.

Real world outcome: You try to ping 8.8.8.8. Your script prints [ALERT] Blocked outgoing ICMP to 8.8.8.8 and the ping command times out.

Implementation Hints: Use iptables to send traffic to a queue: iptables -I OUTPUT -j NFQUEUE --queue-num 1. Then write a Python script using NetfilterQueue that binds to queue 1. For every packet, packet.get_payload(), parse it, check your blocklist, and call packet.accept() or packet.drop().

Project 5: VPN from Scratch (The Tunnel)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: C
  • Alternative Programming Languages: Go, Rust, Python
  • Coolness Level: Level 5: Pure Magic
  • Business Potential: 4. The “Open Core” Infrastructure
  • Difficulty: Level 4: Expert
  • Knowledge Area: Tunneling / Virtual Interfaces
  • Software or Tool: TUN/TAP Interfaces
  • Main Book: “Understanding Linux Network Internals”

What you’ll build: A client and server that create a virtual network interface (utun/tun0). Traffic sent to this interface is encrypted, encapsulated in a UDP packet, sent over the internet to the server, decrypted, and written to the server’s virtual interface.

Why it teaches Network Security: This is the holy grail of network privacy. You will understand encapsulation (packets inside packets), routing tables, and how virtual interfaces allow software to act like hardware.

Core challenges you’ll face:

  • The TUN Interface: Treating a network interface like a file (read()/write()).
  • MTU Issues: Packets getting too big after adding encryption headers.
  • Routing: Configuring the OS to route traffic into your tunnel.

Key Concepts:

  • Encapsulation: Wrapping Layer 3 packets in Layer 4 payloads.
  • TUN vs TAP: Layer 3 (IP) vs Layer 2 (Ethernet) virtual devices.

Real world outcome: You run ./vpn-client on your laptop. You can now ping 10.0.0.1 (the server’s internal VPN IP), and Wireshark on the real interface only shows encrypted UDP garbage.

Implementation Hints:

  1. Open /dev/net/tun.
  2. Use ioctl to bring up the interface (e.g., tun0).
  3. Loop: Read raw IP packet from tun0 -> Encrypt -> Send via UDP socket to server.
  4. Server does the reverse: Read UDP -> Decrypt -> Write to tun0.
  5. Start without encryption (cleartext tunnel) to get the networking right first.

Project 6: DNS Spoofing Tool (The Redirector)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Go
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Application Layer Attacks
  • Software or Tool: Scapy, NFQueue
  • Main Book: “DNS and BIND”

What you’ll build: A tool that listens for DNS queries (e.g., “Where is google.com?”). If it sees a query for a target domain, it races the real DNS server to reply with a fake IP address (your own).

Why it teaches Network Security: This shows why HTTPS/TLS is vital. If you control DNS, you control where the user goes. It demonstrates the lack of authentication in UDP-based protocols.

Core challenges you’ll face:

  • Speed: You must reply faster than the legitimate Google DNS (8.8.8.8).
  • UDP Spoofing: Matching the Source Port and Transaction ID exactly, or the victim’s OS will reject your packet.

Real world outcome: A victim types bank.com in their browser, but the browser loads a page hosted on your local machine that says “You have been hacked.”

Implementation Hints: Combine Project 2 (ARP Spoofing) with this.

  1. MITM the victim.
  2. Sniff for UDP Port 53.
  3. If query == “target.com”, extract Transaction ID.
  4. Forge a DNS Response packet with that ID and your IP.
  5. Send it to the victim.

Project 7: Simple Intrusion Detection System (IDS)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Rust
  • Alternative Programming Languages: C++, Go
  • Coolness Level: Level 4: Hardcore Tech Flex
  • Business Potential: 3. The “Service & Support” Model
  • Difficulty: Level 3: Advanced
  • Knowledge Area: Pattern Matching / Deep Packet Inspection
  • Software or Tool: Snort (Conceptually)
  • Main Book: “Applied Network Security Monitoring”

What you’ll build: A system that analyzes packet payloads in real-time looking for known attack signatures (e.g., the bytes bin/sh in a payload, or specific SQL injection patterns).

Why it teaches Network Security: You move from “header analysis” (firewall) to “content analysis” (IDS). You learn about false positives, pattern matching algorithms (Aho-Corasick), and the difficulty of detecting encrypted attacks.

Core challenges you’ll face:

  • Performance: String matching against gigabits of traffic is CPU intensive.
  • Packet Fragmentation: Attackers split the payload bin/sh into two packets: bin and /sh. Your IDS must reassemble them to detect it.
  • Normalizing Data: Handling HTTP encoding (%20 vs ` `).

Real world outcome:

$ ./myids -i eth0 rules.txt
[ALERT] SHELLCODE detected from 192.168.1.55 (Matched pattern: \x90\x90\x90)
[ALERT] SQL INJECTION detected from 10.0.0.2 (Matched pattern: ' OR 1=1)

Implementation Hints: Use a library like libpcap (C) or pcap (Rust) to get the packets. Implement a simple “signature engine” that checks: if "SELECT * FROM" in packet.payload: alert(). Then, try to optimize it using a Boyer-Moore string search algorithm.

Project 8: SSH Honeypot (The Trap)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python (Twisted/Paramiko)
  • Alternative Programming Languages: Go
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 2. The “Micro-SaaS / Pro Tool”
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Application Security / Logging
  • Software or Tool: Cowrie (Reference)
  • Main Book: “Blue Team Handbook”

What you’ll build: A fake SSH server. It accepts any password. When an attacker logs in, they are placed in a fake shell. You log every command they type to see what automated bots try to run.

Why it teaches Network Security: This teaches you about “IOCs” (Indicators of Compromise). You will see real-world brute force attacks and malware downloading attempts minutes after putting this online.

Core challenges you’ll face:

  • Emulating a Terminal: You need to make the attacker feel like they are in a real Linux box (handling ls, cd, uname commands fake responses).
  • Safe Isolation: Ensuring they can’t actually break out of your script into your real server.

Real world outcome: You leave it running for 24 hours. You check logs.txt and see 500 attempts from IPs in Russia/China trying to download crypto-miners.

Implementation Hints: Use Python’s paramiko library to create a ServerInterface. Override the check_auth_password method to always return AUTH_SUCCESS. Override open_session to provide a custom shell that just prints text responses to commands rather than executing them.

Project 9: Command & Control (C2) Server with Reverse Shell

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Go
  • Alternative Programming Languages: C, Python
  • Coolness Level: Level 4: Hardcore Tech Flex
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 3: Advanced
  • Knowledge Area: Malware Traffic Analysis
  • Software or Tool: Metasploit (Reference)
  • Main Book: “The Art of Mac Malware” (good for C2 concepts)

What you’ll build: A “Client” (malware) that connects out to a “Server” (C2) and waits for instructions. The Server sends a command (e.g., whoami), the Client executes it and sends the result back.

Why it teaches Network Security: Firewalls usually block incoming connections but allow outgoing ones. This project explains why “Reverse Shells” work and how malware communicates. You’ll learn about “Heartbeats” and “Beacons”.

Core challenges you’ll face:

  • Persistence: Reconnecting if the connection drops.
  • Evasion: If you send raw text, IDS will catch it. You need to encode traffic (Base64, XOR, or custom encryption).
  • Traffic Hiding: Making the traffic look like normal HTTP or DNS traffic.

Real world outcome: You run the client on a VM. On your server, you type ls and see the files of the VM.

Implementation Hints: Use HTTP for communication. The client should make a GET /job request every 5 seconds. The server replies with a command in the body. The client POST /result the output.

Project 10: 802.11 WiFi Deauther

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: C (or Python with Scapy)
  • Alternative Programming Languages: C++
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Wireless Security / Layer 1 & 2
  • Software or Tool: Aircrack-ng suite
  • Main Book: “Hacking Exposed Wireless”

What you’ll build: A tool that scans for WiFi networks and sends “Deauthentication” frames to disconnect users from their access point. (Note: Only do this on your own network).

Why it teaches Network Security: WiFi has management frames that are often unencrypted (even on WPA2). This teaches you about the specific vulnerabilities of radio-frequency protocols and the 802.11 state machine.

Core challenges you’ll face:

  • Monitor Mode: putting your WiFi card into a mode where it can inject raw 802.11 frames.
  • Channel Hopping: You must switch channels rapidly to find targets.
  • Structure: 802.11 headers are complex and different from Ethernet.

Real world outcome: You run the tool. Your phone disconnects from your home WiFi immediately.

Implementation Hints: You need a WiFi adapter that supports “Monitor Mode” and “Packet Injection” (e.g., Alpha AWUS036NHA). Construct a frame with Type=0 (Management), Subtype=12 (Deauth). Destination: Victim MAC. BSSID: Router MAC.

Project 11: Network Protocol Fuzzer

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Rust
  • Coolness Level: Level 4: Hardcore Tech Flex
  • Business Potential: 5. The “Industry Disruptor”
  • Difficulty: Level 3: Advanced
  • Knowledge Area: Vulnerability Research
  • Software or Tool: Boofuzz / Scapy
  • Main Book: “Fuzzing: Brute Force Vulnerabilty Discovery”

What you’ll build: A script that sends malformed data to a network service (like an FTP server or a custom HTTP server) to try and crash it.

Why it teaches Network Security: This is how 0-day vulnerabilities are found. You learn that protocols are fragile. If the spec says “4 bytes for length,” what happens if you send 0? Or 4 billion?

Core challenges you’ll face:

  • State Tracking: Knowing if the server crashed.
  • Reproducibility: If it crashes, what exact packet caused it?
  • Protocol Awareness: Fuzzing efficiently requires knowing the protocol structure (smart fuzzing) vs just sending random garbage (dumb fuzzing).

Real world outcome: You write a simple C program that reads a packet into a fixed buffer (buffer overflow vulnerability). You point your fuzzer at it. The C program crashes with Segmentation Fault.

Implementation Hints: Start with a simple protocol (FTP). Connect, wait for banner. Send USER AAAAA... (1000 ‘A’s). Send USER %s%s%s (Format string attack). Send USER \x00. Check if socket is still open after each.

Project 12: Data Exfiltration via ICMP/DNS (Covert Channels)

  • File: LEARN_NETWORK_SECURITY_BY_DOING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Go
  • Coolness Level: Level 5: Pure Magic
  • Business Potential: 1. The “Resume Gold”
  • Difficulty: Level 3: Advanced
  • Knowledge Area: DLP (Data Loss Prevention) / Steganography
  • Software or Tool: Iodine (DNS tunnel)
  • Main Book: “Practical Packet Analysis”

What you’ll build: A tool that reads a secret file, encrypts it, breaks it into chunks, and hides those chunks inside Ping packets (ICMP Echo Request padding) or DNS Queries.

Why it teaches Network Security: Most firewalls allow Ping and DNS. This project shows how data can leave a secure network even if HTTP/TCP is blocked. It teaches you about protocol payload fields that are rarely inspected.

Core challenges you’ll face:

  • Padding Size: ICMP has limited space for data.
  • Reassembly: The receiver must collect all pings and stitch the file back together.
  • Stealth: Sending 1000 pings per second looks suspicious. You need to throttle it.

Real world outcome: You transfer a JPEG image from a “locked down” machine to your server using only Ping commands.

Implementation Hints: Scapy is perfect here. Sender: IP(dst=target)/ICMP()/Raw(load=chunk_of_file) Receiver: Sniff ICMP, extract load, write to file.

Project Comparison Table

Project Difficulty Time Depth of Understanding Fun Factor
Sniffer Beginner Weekend ⭐⭐⭐ ⭐⭐
Port Scanner Beginner Weekend ⭐⭐ ⭐⭐⭐
ARP Spoofer Intermediate 1 Week ⭐⭐⭐ ⭐⭐⭐⭐⭐
SSH Honeypot Intermediate Weekend ⭐⭐⭐ ⭐⭐⭐⭐
Firewall Intermediate 2 Weeks ⭐⭐⭐⭐ ⭐⭐⭐
DNS Spoofer Intermediate 1 Week ⭐⭐⭐ ⭐⭐⭐⭐⭐
WiFi Deauth Intermediate Weekend ⭐⭐ ⭐⭐⭐⭐⭐
IDS Advanced 2 Weeks ⭐⭐⭐⭐ ⭐⭐⭐
VPN Expert 1 Month ⭐⭐⭐⭐⭐ ⭐⭐⭐⭐
Protocol Fuzzer Advanced 2 Weeks ⭐⭐⭐⭐ ⭐⭐⭐⭐

Recommendation

Where to start?

Start with Project 1 (The Sniffer). It is the absolute foundation. If you can’t parse a packet manually, you can’t build the other tools.

What next?

Move to Project 2 (ARP Spoofer). It gives you an immediate “power trip” (seeing other traffic) which is highly motivating, but forces you to handle race conditions and protocol details.

For the aspiring Pro

Project 5 (VPN) is the ultimate test. If you can build a stable VPN, you understand networking better than 95% of developers.

Final Capstone: The “Blue Team” Monitor

What you’ll build: A comprehensive Network Security Monitor (NSM) that integrates your previous projects.

Architecture:

  1. Ingestion: Uses your Sniffer to capture traffic.
  2. Analysis: Passes traffic through your IDS engine to check for signatures.
  3. Action: If a signature matches, it uses your Firewall logic to update iptables and block the IP.
  4. Logging: Saves the event to a database and displays it on a web dashboard.

Why this is the ultimate goal: In the real world, security is a pipeline. Detection triggers Response. Building this pipeline proves you understand the entire ecosystem of network defense.

Summary: All Projects

# Project Name Main Language
1 The Raw Packet Sniffer Python
2 ARP Cache Poisoner Python
3 TCP Port Scanner Go
4 Userspace Firewall Python
5 VPN from Scratch C
6 DNS Spoofing Tool Python
7 Simple Intrusion Detection System (IDS) Rust
8 SSH Honeypot Python
9 C2 Server with Reverse Shell Go
10 802.11 WiFi Deauther C
11 Network Protocol Fuzzer Python
12 Data Exfiltration via ICMP/DNS Python
13 The “Blue Team” Monitor (Capstone) Python/Go