Blackbox Intelligence Group

Cybersecurity I · Module 4

Cybersecurity I, Unit 4: Networking Fundamentals

From 'wifi just works' to seeing the actual packets. Students leave this unit able to read a network diagram, run ping/traceroute/nslookup, and walk a Wireshark capture line by line.

Length: 240 min
Level: foundational
Track: Cyber I
Cadence: Semester 1

Unit 4: Networking Fundamentals

Lesson at a glance

| Item                  | Detail                                                        |
| --------------------- | ------------------------------------------------------------- |
| Suggested length      | 4 × 60 minutes                                                |
| Recommended placement | Weeks 5–6 of Cybersecurity I                                  |
| Prerequisite          | Working VM lab from Unit 3                                    |
| Materials             | Kali VM, Ubuntu/Win target VMs, Wireshark, included PCAP file |
| Required network mode | Host-only (no external scans)                                 |

Safety: All scans, traceroutes, captures, and DNS queries are run only against lab VMs or known-public services with explicit permission. Running nmap against the school network or 8.8.8.8 is unauthorized testing and is a course violation. Reread Unit 1 if needed.

Standards & credential alignment

  • EHE Domain 3: Network-Level Attacks and Countermeasures.
  • VA CTE: Demonstrate networking concepts; identify ports, protocols, devices.
  • CompTIA Network+ overlap: TCP/IP, OSI, common ports, network devices.

Learning objectives

By the end of this unit, students can:

  1. Distinguish LAN, WAN, internet, and cloud at the diagram level.
  2. Map the TCP/IP and OSI models to one another and to real protocols.
  3. Read an IP address and determine its class, subnet mask, and likely role.
  4. Identify the top 15 common ports/protocols by name and number.
  5. Use ipconfig/ip a, ping, traceroute/tracert, nslookup/dig correctly.
  6. Open a Wireshark capture and identify a DNS query, a TLS handshake, and an HTTPS request.
  7. Sketch a simple network diagram with a router, switch, AP, server, and clients.

Vocabulary

  • LAN / WAN - Local network (your house, your school) / wide-area network (between sites).
  • TCP/IP model - Link, Internet, Transport, Application.
  • OSI model - 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.
  • IP address - Logical address of a device (192.168.1.10).
  • MAC address - Physical hardware address (AA:BB:CC:DD:EE:FF).
  • Subnet mask - Says which part of an IP is the network and which is the host.
  • DNS - Phone book for the internet. Names → IPs.
  • DHCP - Auto-assigns IP/subnet/gateway to a device joining a network.
  • HTTPS - HTTP wrapped in TLS. Encrypted web traffic.
  • Port - Numbered door on a host. Each service listens on its own.
  • Router / switch / AP / firewall - Connects networks / connects devices in a LAN / wireless gateway / enforces traffic rules.

Teacher background

The mental shift students need: the internet is not magic; it is layers of well-documented protocols that any high schooler can learn to read. Wireshark is the one tool that physically demonstrates this. Once a student sees their own DNS query and TLS handshake go by, the rest of the course is downhill.

Two specific teaching moves:

  1. Make the OSI model concrete. "Layer 7 is what your eyeballs see. Layer 1 is the actual cable or radio waves. Everything between is how those two communicate."
  2. The famous ports list is not optional. Students must know 22, 53, 80, 443, 3389, 445, 25, 110, 143, 21, 23, 67/68, 161, 3306, 1433. Drill it like multiplication tables.

Materials checklist

  • [ ] Kali VM (running Wireshark)
  • [ ] Ubuntu Server VM and Windows VM as targets (host-only network)
  • [ ] Sample PCAP file (provided in /content/labs/unit-04/sample-traffic.pcap)
  • [ ] Whiteboard for diagram drills
  • [ ] Printed port-number flashcards
  • [ ] Worksheet PDF

Pacing - Day 1 (60 min): Networks and addressing

| Time        | Segment                                  | Notes                                            |
| ----------- | ---------------------------------------- | ------------------------------------------------ |
| 0:00 – 0:15 | Mini-lesson - networks at every scale    | LAN → WAN → internet → cloud.                    |
| 0:15 – 0:35 | Mini-lesson - IP addressing + subnetting | Whiteboard /24, /16, private ranges.             |
| 0:35 – 0:55 | Activity - read these IPs                | Ten IPs; classify private/public, network/host.  |
| 0:55 – 1:00 | Exit ticket                              | "What's the difference between an IP and a MAC?" |

Day 1 - The clean addressing summary

| Range           | What it is                         |
| --------------- | ---------------------------------- |
| 10.0.0.0/8      | Private - large enterprise/AWS VPC |
| 172.16.0.0/12   | Private - mid-sized                |
| 192.168.0.0/16  | Private - home / small business    |
| 169.254.0.0/16  | APIPA - your DHCP failed           |
| 127.0.0.0/8     | Loopback - yourself                |
| Everything else | Public (with exceptions)           |
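The Day 1 "read these IPs" activity as a checker, added here as an example and not part of the original lesson pack. The function names and the worksheet entries are constructed for illustration; the example goes slightly beyond the table by using Python's `is_global` to show two of the "exceptions" in the last row.

```python
import ipaddress

# Ranges from the Day 1 addressing summary, checked top to bottom.
SUMMARY = [
    ("10.0.0.0/8", "Private - large enterprise/AWS VPC"),
    ("172.16.0.0/12", "Private - mid-sized"),
    ("192.168.0.0/16", "Private - home / small business"),
    ("169.254.0.0/16", "APIPA - your DHCP failed"),
    ("127.0.0.0/8", "Loopback - yourself"),
]

def classify(addr):
    """Label one IPv4 address using the summary table."""
    ip = ipaddress.ip_address(addr)
    for cidr, label in SUMMARY:
        if ip in ipaddress.ip_network(cidr):
            return label
    # "Everything else": is_global is False for reserved blocks such as
    # 100.64.0.0/10 (carrier-grade NAT) and 192.0.2.0/24 (documentation).
    return "Public" if ip.is_global else "Special-purpose (an exception)"

def split_network_host(cidr):
    """Apply the subnet mask: return (network address, host number)."""
    iface = ipaddress.ip_interface(cidr)
    host = int(iface.ip) & int(iface.network.hostmask)
    return str(iface.network.network_address), host

# Constructed worksheet-style inputs (not the course's actual worksheet).
WORKSHEET = ["192.168.56.10/24", "172.31.255.254/16", "172.32.0.1/16",
             "10.1.2.3/8", "169.254.7.7/16", "100.64.0.1/24", "8.8.8.8/24"]

if __name__ == "__main__":
    for item in WORKSHEET:
        addr = item.split("/")[0]
        print(item, classify(addr), split_network_host(item), sep=" | ")
```

The pair 172.31.255.254 and 172.32.0.1 shows where the /12 boundary falls, which is the mistake students most often make with the middle private range.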

Pacing - Day 2 (60 min): TCP/IP, OSI, and ports

| Time        | Segment                                      | Notes                                                       |
| ----------- | -------------------------------------------- | ----------------------------------------------------------- |
| 0:00 – 0:25 | Mini-lesson - OSI ↔ TCP/IP ↔ real protocols  | Side-by-side, with examples.                                |
| 0:25 – 0:45 | Activity - port flashcard race               | Pairs drill the top 15.                                     |
| 0:45 – 0:55 | Mini-lesson - what each device actually does | Router vs. switch vs. AP vs. firewall.                      |
| 0:55 – 1:00 | Exit ticket                                  | "Name three ports your laptop uses just opening a webpage." |

Day 2 - The ports table

| Port        | Protocol       | Why it matters                                     |
| ----------- | -------------- | -------------------------------------------------- |
| 22          | SSH            | Remote admin - defenders watch this religiously    |
| 53          | DNS            | Every connection starts here                       |
| 80          | HTTP           | Unencrypted web                                    |
| 443         | HTTPS          | Encrypted web                                      |
| 3389        | RDP            | Windows remote desktop - top ransomware vector     |
| 445         | SMB            | Windows file sharing - also a major attack surface |
| 25 / 587    | SMTP           | Sending email                                      |
| 110 / 143   | POP3 / IMAP    | Receiving email                                    |
| 21 / 23     | FTP / Telnet   | Legacy; if you see these, ask why                  |
| 67 / 68     | DHCP           | IP assignment                                      |
| 3306 / 1433 | MySQL / MS SQL | Databases - should never be internet-exposed       |

Pacing - Day 3 (60 min): Hands-on with the basic tools

| Time        | Segment                                    | Notes                                                  |
| ----------- | ------------------------------------------ | ------------------------------------------------------ |
| 0:00 – 0:50 | Lab - ipconfig, ping, traceroute, nslookup | Walk-through on Kali.                                  |
| 0:50 – 1:00 | Activity - diagram a webpage load          | Whiteboard the trip from "type URL" to "page renders." |

Day 3 - Lab commands (do these together)

```bash
# Identify yourself
ip a           # Linux
# ipconfig /all  on Windows

# Reach a target
ping 192.168.56.10        # lab target
ping -c 4 example.com     # outside reachability

# Trace the path
traceroute example.com    # tracert on Windows

# Resolve names
nslookup example.com
dig example.com +short
dig MX example.com

# What does my host think it can reach?
ip route
```
Day 3 - Anatomy of a webpage load (whiteboard)

  You type "https://example.com" and press Enter
        |
        v
  1. Browser asks DNS resolver: "What's example.com?"
        |  (UDP 53 typically; UDP/TCP for larger answers)
        v
  2. DNS replies: "93.184.216.34"
        |
        v
  3. TCP three-way handshake to 93.184.216.34:443
     SYN -> SYN-ACK -> ACK
        |
        v
  4. TLS handshake: ClientHello, ServerHello, certificate, key exchange
        |
        v
  5. HTTPS request: GET / HTTP/1.1   Host: example.com
        |
        v
  6. Server responds with HTML/CSS/JS
        |
        v
  7. Browser renders

Land the line: "Every box on the diagram is a place a defender can watch - and a place an attacker can hide."

Pacing - Day 4 (60 min): Wireshark walk

| Time        | Segment                                   | Notes                                                  |
| ----------- | ----------------------------------------- | ------------------------------------------------------ |
| 0:00 – 0:10 | Mini-lesson - what Wireshark is and isn't | It's a passive listener, not a scanner.                |
| 0:10 – 0:55 | Lab - open the sample PCAP                | Find DNS, TLS, HTTPS.                                  |
| 0:55 – 1:00 | Exit ticket                               | "What was the first thing you noticed in the capture?" |

Day 4 - Wireshark walk-through

Open sample-traffic.pcap. Have students do these in order:

  1. Filter: dns. Find a query for example.com. Right-click → Follow → UDP Stream.
  2. Filter: tls.handshake.type == 1 (Client Hello). Look at SNI - that's where the destination hostname appears even in encrypted traffic.
  3. Filter: http. Find a GET request. Note the User-Agent, Host, and request path.
  4. Filter: tcp.port == 4444. (Surprise.) This is a Metasploit default callback. Discuss what it means that this is in the capture.

Defender-can-see / cannot-see table:

| Defender CAN see (even with TLS)  | Defender CANNOT see                        |
| --------------------------------- | ------------------------------------------ |
| Source/destination IP             | The actual webpage content                 |
| Destination port (443, 22, etc.)  | Form data submitted                        |
| SNI (hostname)                    | Cookies and session tokens                 |
| Packet sizes and timing           | Username/password (under proper TLS)       |
| When the connection started/ended | The plaintext of any TLS-protected payload |

Common misconceptions

  • "HTTPS makes me invisible." - It encrypts payload, not metadata. The defender still sees who you talked to, when, and how much.
  • "Wireshark hacks things." - It's a passive sniffer. It does not send packets in capture mode.
  • "Private IP = secure." - Private IPs are unroutable on the internet, but they are completely reachable inside the LAN. Lateral movement is the whole point of half this curriculum.

Differentiation

  • Slow learners on subnetting: stick to /24 vs. /16 vs. /8 - don't push variable-length subnetting until Cyber II.
  • Visual learners: pre-print the OSI/TCP-IP/protocol stack as a wall poster.
  • Reading support: Wireshark walk-through has screenshots for each filter.

Assessment

  • Day 1 IP-classification worksheet - 10 questions, 1 point each.
  • Day 4 Wireshark deliverable - screenshot of a filtered DNS, TLS, and HTTP packet, each annotated.
  • Port-number quiz - graded as a flashcard race; 15/15 expected by the end of the unit.

Career connection

Tier-1 SOC analysts read PCAPs and Wireshark output every shift. Network engineers and pen testers live in this material. The salary band for network-aware roles starts around $60K and climbs fast.

Homework / next class

Capture your own home network for 60 seconds (with permission of the network owner) and identify three different protocols. Submit screenshots with annotations.
