Hello, and welcome to this course in which we're talking about Python for exfiltration. In this video, we're going to talk about non-application layer protocols, how they can be applied to data exfiltration, and why it might be desirable to do so.

You probably know that most data transfers are performed using application-layer protocols. So you have things like HTTP, which is designed to carry web traffic, and so you have a request that might either be a small GET request or a large POST request that sends data to the server, which can send data back in response: a large file in response to a GET, or maybe something smaller in response to a POST. We also have protocols like SMTP, which is used for email. As you probably know, email can definitely be used for data transfer, whether in the body of the message itself or within its attachments. There are also other common application-layer protocols for data transfer, like FTP, IRC, even SSH.

And so the fact that most data transfers occur at the application layer means that the focus for detecting command and control and data exfiltration also typically occurs at the application layer. However, it's important to note that the application layer is not the only layer that's capable of carrying data. In fact, many other non-application layer protocols are able to carry data. So many low-level types of traffic, like network ping, have the ability to carry data, whether it's in a payload or in other fields that are built into the traffic. In some cases, certain fields need to maintain a proper value; say an IP address, you need to keep it as a value that the attacker controls. But other fields might be a little bit more flexible. For example, ICMP has a type and a code value, and there's some level of flexibility in what those values can be.
Only certain types are defined, only certain codes are defined, but if a network-layer or network-level system like a router, etc., or security software isn't scanning for unusual values there, then ICMP can definitely be used for data transfer.

And so why would you want to use these non-application layer protocols for data transfer? The answer would be subtlety. If you're using application-layer protocols for data transfer, people know that's what they're for, and so there's a higher probability that those protocols are going to be monitored for attempted data exfiltration. On the other hand, something that no one considers as a potential data transfer medium might be able to sneak by without detection.

There are certainly trade-offs. For example, if you're using ICMP for data transfer and only using one field value for it, then you're able to push out one byte at a time, which is rather slow. And if you need to push out any volume of traffic, it would be very detectable. However, for a low and slow exfiltration, especially of small amounts of data, ICMP might be a viable option for data exfiltration that is designed to fly under the radar.

And so in the next video, we're going to be looking at how we can apply Python to non-application layer data exfiltration. We'll discuss how we can build a client and a server that communicate with one another over a non-application layer so that we can maybe hide this data exfiltration in a protocol that no one would expect to look for. Thank you.
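
The scanning for unusual ICMP values that the video says is often missing can be sketched as follows. This is an added example, not code from the course: the allow-list is a subset of the IANA-assigned ICMPv4 type and code values, and `MAX_ECHO_PAYLOAD`, `make_sample` and the sample messages are assumptions constructed for the demonstration.

```python
import struct

# Subset of IANA-assigned ICMPv4 types and their valid codes; extend per site.
DEFINED_CODES = {
    0: {0},             # Echo Reply
    3: set(range(16)),  # Destination Unreachable
    5: {0, 1, 2, 3},    # Redirect
    8: {0},             # Echo Request
    11: {0, 1},         # Time Exceeded
    12: {0, 1, 2},      # Parameter Problem
}
MAX_ECHO_PAYLOAD = 64   # assumed baseline; tune to ping sizes seen on your network

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_sample(icmp_type: int, code: int, payload: bytes) -> bytes:
    """Build a constructed ICMP message (no IP header) used only as test input."""
    fields = (0x1234, 1)  # arbitrary identifier and sequence number
    csum = inet_checksum(struct.pack("!BBHHH", icmp_type, code, 0, *fields) + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, *fields) + payload

def inspect_icmp(message: bytes) -> list:
    """Return findings for one ICMP message whose IP header is already stripped."""
    if len(message) < 8:
        return ["truncated ICMP header"]
    icmp_type, code = message[0], message[1]
    findings = []
    if inet_checksum(message) != 0:
        findings.append("bad checksum")
    if icmp_type not in DEFINED_CODES:
        findings.append(f"type {icmp_type} not in allow-list")
    elif code not in DEFINED_CODES[icmp_type]:
        findings.append(f"undefined code {code} for type {icmp_type}")
    if icmp_type in (0, 8) and len(message) - 8 > MAX_ECHO_PAYLOAD:
        findings.append(f"echo payload of {len(message) - 8} bytes exceeds baseline")
    return findings

if __name__ == "__main__":
    # Constructed samples: normal ping, data-bearing code value, oversized payload.
    for msg in (make_sample(8, 0, b"a" * 32), make_sample(8, 0x41, b""),
                make_sample(8, 0, bytes(200))):
        print(msg[:2].hex(), inspect_icmp(msg) or "ok")
```

Per-packet checks like these catch undefined type and code values; the low and slow case described above also calls for tracking ICMP volume and value diversity per source over time.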