Hello and welcome to this course in which we're talking about using Python for data exfiltration. In this video, we're going to talk about using a non-application protocol for data exfiltration. The reason why we're calling this out, in particular as a non-application protocol, is because application protocols are typically the protocols used for data exfiltration. Use things like HTTP, DNS, FTP, SSH, etc. However, it's not absolutely necessary to use these higher-level protocols for data transfer. It's definitely that most of these protocols, that's what they're designed for is data transfer. But we can also include data that we're exfiltrating in other protocols. That's what we're going to be doing with this Python code. We have a non-application level server and client code here written in Python. Let's start out with the client code on the left here. What we're going to be doing is defining down here in our main function, the IP address to send the stuff to. In this case, this is the IP address of our localhost, a message to be sent, and then we'll call a function called transmit that sends that message to that IP address. What we're going to be doing in this code is taking advantage of ICMP's code field to perform data exfiltration. So this is a bit of a limited method for data exfiltration because we can only send one byte of data at a time, and so, not great for large-scale data transfers. However, for small things that might need to fly more under the radar, this might be a viable option. In our transmit function, we're going to loop over the characters in message and we're going to create a packet sending each one out via ICMP. This first command get_if_hwaddr and the fact that we'll use it defining an ether net layer in our packet, or because we're using the localhost in this case, for both the client and the server. When we're working with Scapy, like we are here on the localhost, it's possible that traffic will be sent over a interface that localhost don't handle well, like loopback. So by using the default interface and getting its MAC address and setting that MAC address as the source and destination address rather than letting Scapy choose by itself, we ensure that this data is going to be transferred on a port that Scapy can actually see. Above the ethernet layer, we're going to define an IP layer. In that, all we have to do is define that we want this to be sent to a particular IP address, the IP address of the host that we've defined down here below. Finally, we can define an ICMP layer, and this is where we're actually going to be performing our data exfiltration. We say that the code field with an ICMP should be filled with the ord of m, which is the integer equivalent of the byte the M is. So we've got the full range of potential byte values here, and so we can transfer data, and we're just going to be using this code field to do so. Finally, we'll use sendp. The p here because we're defining our ether layer and want this sent at layer 2. We're going to send the packet and we're setting verbose equal to false so that we're not providing all of the printing that Scapy often does. That's all there is to the client-side of our transfer. Our server-side is even shorter. We're going to be using sniff, which is a Scapy function that lets you monitor network traffic, and we're going to use an ICMP filters that will only look at ICMP traffic. For any ICMP packets, we're going to call a printData function to print the data that they contain.
