01_01_introduction-to-command-and-control.en

This course introduces the establishment of command and control (C2) infrastructure using Python, focusing on the importance of stealthy communication for ethical hacking objectives. It outlines the need for a robust C2 system to facilitate tasks like data exfiltration while blending in with normal network traffic. The course will also cover Python scripts that automate the process of building this infrastructure, ensuring effective and discreet command execution.

Uploaded by rasha.ziad.share
© All Rights Reserved

Hello and welcome to this course, in which we're talking about establishing command and control infrastructure with Python. And so in this course we're going to start out with this video, where we're talking about an introduction to command and control, laying the groundwork and describing what our objectives are with our Python code in this course. And so we're going to have two sections to this video. We'll start out with some introduction to command and control, discussing what command and control is, why we need it and some of our needs for our command and control infrastructure. After that, we'll start looking at how we can automate that command and control process, so starting at one point and moving through to hopefully having a usable command and control infrastructure at the end. And so, let's get started.

So at this point in the process we've got a foothold on the target network. And so a foothold's great, but there's a big difference between having a foothold and achieving objectives. And one of the parts that makes up that difference is having communications infrastructure, or command and control infrastructure. So if we've got a foothold, we have initial access; maybe we have successfully performed that credential stuffing attack, and we have a foothold on the target network. And so from there we need to build the ability to, say, drop additional malware on the network, because what we did to achieve that foothold doesn't give us the capabilities that we need to achieve our objectives. So maybe the terms of engagement for this ethical hacking exercise are to perform data exfiltration, or demonstrate that it's possible. What you've used to gain your initial foothold might not be able to perform data exfiltration. It might not even be able to find the data that you need to exfiltrate. And so you might need to drop additional software to take the next step towards achieving those goals. And once that software is there, you need to be able to communicate with it. And so this includes the ability to send commands out and receive responses back. And so we need command and control, or communications, infrastructure for that. And then finally, you might need the ability to exfiltrate large amounts of data from the network as part of demonstrating that yes, a data breach is possible, because we accessed the target data set and were able to move it out without detection by your controls. And so that could genuinely be part of, or one of, the objectives of your ethical hacking engagement.

And so being able to communicate and having command and control infrastructure are two very different things. You can communicate any old way, but command and control infrastructure needs to be stealthy. And the reason for that is that if you're too loud when communicating, you can expose your presence on the network. And so if you've gone through all of this trouble establishing a foothold and then you're essentially yelling "Hi, here I am," someone's going to pick up on that, hopefully. And so the blue team, the defenders, will be like, there's someone here, here's where they are, we'll quarantine, we'll remediate, we'll fix it. And then all of your hard work gaining that foothold on the network is essentially wasted. And so we need to be stealthy, so that you're more whispering than shouting when you're communicating.

And beyond that revelation of your presence, command and control can also provide important insights to those defenders. So command and control typically occurs over the network, and most organizations have some level of network-level protections. So that might just be a firewall, or they might have a fairly sophisticated network traffic analysis suite. And so if you're really watching the traffic and you're able to identify that command and control traffic, you might be able to read it and figure out what's going on. And that's only going to help with rolling up the foothold or the infection, if the defenders know, okay, he got on this way and this is exactly what he did from that point; then no matter what persistence mechanism you put in place, additional malware you've dropped, et cetera, there's a good chance we'll be able to find everything and fix everything. And then we're back to square one again. So we need command and control infrastructure that allows us to be stealthy when we're carrying out the next steps of our engagement.

And so we know we need command and control infrastructure. Where does Python come into play? And so ideally our command and control traffic is going to blend in with the normal traffic on the network. So one of the advantages that we have here is that a modern enterprise network has a lot of traffic. The reason why is employees are using the network as part of their daily duties: they're browsing the web, visiting social media, et cetera. Also, a lot of applications use network traffic. And so there's a lot of stuff going on there. And so with all that noise, we just have to look normal enough, because if we look like everyone else, there's not a great chance that someone's going to find our particular connection and start digging into it. And so by definition, a good C2 protocol is one that's stealthy and lets us blend in. And so how do we determine what makes a good C2 protocol? That's where Python comes in.

And so our diagram here at the bottom of the slide shows the different pieces of Python code we're going to be using here and how they're going to fit together to help us achieve and automate this process of building our command and control infrastructure. So at the far left, we're going to start out with network traffic. So presumably, if we're on the network, we at least have the ability to monitor our own compromised system's network traffic. And we might have visibility into the traffic on the network in general. And so that visibility allows us to start determining what's normal for the network and what normal traffic we might want to try to blend in with.

And so our traffic analysis script is going to start looking for traffic that meets certain criteria for us. So one is that it's got to be fairly common. It could be that we find this perfect protocol that would be absolutely perfect for us, but it never happens. If we use that, there's a good chance someone's going to pick it out, being like, okay, this never happens. Why is it suddenly happening? So we need something that's common. Another thing that we need is something with a reasonable amount of bandwidth. So when we're sending commands in and data out, we need to be able to send a certain number of bytes with each command or each piece of data exfiltration. So if you're trying to demonstrate that you can exfiltrate a gigabyte of data out of a network, and you're only able to send it one bit at a time within a certain type of packet, it doesn't matter that that packet might blend in really well. If you need to send a gigabyte of data one bit at a time, you're going to stand out just from the sheer volume of traffic you need to use. And so we need something that gives you enough volume in the field that we're using for that exfiltration, so that you actually can have a usable communications infrastructure and it's not "send a command, come back next week for the response."

And so if we've got those, we've got a starting point, and so now we need to make sure that what we're using the traffic for isn't going to look too unusual or suspicious. And so that's what our two helper functions here, where we're looking at entropy and encodings, are for. And so the first of these is entropy. Entropy is a measure of the randomness in data. And so something with a high entropy means that the data it contains is not very predictable, and that's good for us. Because we want to be able to send data out, and probably data that this field is not intended to carry. And so if we've got a field that's common, it's high bandwidth, but it's always one of five different responses, it's not really helpful. We need to be able to send what we want to send out without it looking weird. And so we're going to take a look at the entropy of different fields to see how much randomness is in this field. Is that enough that if we put our data in, it's probably going to be okay?

The other thing we're going to look at is encodings. And this is to help protect against simple keyword searches on network traffic. So encodings are a form of data obfuscation, something like encryption, but a lower-level form. So if you know that something is encoded, it's easy to decode it. But an encoded piece of data doesn't fall prey to keyword searches: if you have the word "password" and it's encoded, and someone's looking for the word "password", you're not going to match. And so we're looking at encodings in our traffic because certain fields in network traffic might be encoded, or their normal data might sort of look like it was encoded. Either one of those works for us, because if we can encode our data and send that encoded data over this particular type of traffic, we've got a little bit more protection against those keyword searches and detection. Not as good as encryption, but encryption's completely random data, and it might stand out more than something that's just encoded.

And so at the output of our traffic analysis function here, we're going to have some suggestions for C2 infrastructure. They might be something like, hey, the HTTP User-Agent field in a request is great for this. Like, we can put whatever we want there, and they have some really weird user agents anyway, so put your command and control data in there and no one is probably going to find it. Okay. So we've got suggestions, but there's a lot of difference between a suggestion and a usable command and control infrastructure. And so that's what our last Python file in this course is going to talk about, our build C2 one. It's going to take, okay, here's the particular field that you should use, and a piece of data that we want to send, and it's going to output the packet that we could send to do that. And so that's doing a lot of the heavy lifting for us for actually building our command and control infrastructure. Because if we can just pipe data into this function with our suggested choice of field and it pipes out packets, we send those packets off with Scapy and we're done. And so here we're trying to go from "here is network traffic, find out what's normal and sort of fits our bill" to "here's the main building blocks of command and control infrastructure."

And so before we dive into the code, just a quick recap. We started out talking about command and control infrastructure, what it is and some of our criteria for command and control infrastructure. And then we just walked through the Python files that we're going to be using, their purposes and how everything fits together to allow us to automate this process of building our C2 infrastructure. And so let's get started. Thank you.
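The entropy and encoding checks the lecture describes have a defender-side mirror: score the same field (here the HTTP User-Agent the lecture singles out) value by value, and decode base64-shaped values before keyword matching, since the lecture's own point is that encoding defeats a naive keyword search. The script below is an added example and not the course's own code; its log lines, keyword watch-list and log format are constructed for illustration. The character entropy of one short value separates a browser string from an encoded one only weakly, so it is reported as a signal rather than used as the trigger.

```python
import base64
import math
import re
from collections import Counter
from typing import Optional
# Constructed sample (not from the course): client address and User-Agent value per
# request. The last value is base64 text standing in for a payload hidden in this field.
SAMPLE_LOG = """\
10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/118.0"
10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0.0.0 Safari/537.36"
10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/118.0"
10.0.0.9 "dXNlcj1hZG1pbjtob3N0PXdzMDE7a2V5PWFiY2RlZg=="
"""
KEYWORDS = ("password", "key=", "user=")  # hypothetical watch-list for a naive keyword match
LINE_RE = re.compile(r'^(\S+) "([^"]*)"$')
BASE64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')

def shannon_entropy(text: str) -> float:
    """Shannon entropy of one value in bits per character (0.0 for empty text)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def try_decode_base64(text: str) -> Optional[str]:
    """Return the printable ASCII decoding of a base64-shaped value, else None."""
    if not BASE64_RE.match(text) or len(text) % 4:
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.isprintable() else None

def inspect_user_agents(log: str) -> list:
    """Score each User-Agent: how often it appears, its character entropy, and
    whether watch-list keywords match the raw value or only its decoded form."""
    pairs = [(m.group(1), m.group(2)) for m in map(LINE_RE.match, log.splitlines()) if m]
    seen = Counter(ua for _, ua in pairs)
    results = []
    for client, ua in pairs:
        decoded = try_decode_base64(ua)
        # Naive matching sees only the raw field; decoding first is what restores the hit.
        hits = [k for k in KEYWORDS if k in (ua + " " + (decoded or "")).lower()]
        results.append({
            "client": client, "user_agent": ua, "count": seen[ua],
            "entropy": round(shannon_entropy(ua), 2), "decoded": decoded,
            "keyword_hits": hits, "suspicious": bool(hits) or decoded is not None,
        })
    return results
```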
