Hello, and welcome back to this course. In the previous videos in this course, we've been focusing on identifying a network protocol and the field within the packets of that protocol, for command and control. At this point, we're going to talk about moving from that identification to actually building packets for command and control traffic. At the end of running our traffic analyzer script, we had a listing of the layers and a packet that we might want to use for command and control, all the way down to the individual field that we'd be putting the data in. We've got an example here, where we start out with an Ethernet layer, an IP layer, a TCP layer, HTTP, becoming HTTP response. Then we want to store our data in the raw payload, in this particular case. Say that after running our traffic analyzer script, we determined that this set of layers, in this particular payload field, are the best place to store the data for our command and control traffic. If we're trying to automate our attack chain and make a automatic decision to perform command and control in this way, now we need a way to actually build the packet that we'll be using for command and control. That's what we're looking at in this video. This build c2.py script is designed to take a listing of layers like this one, and create the necessary packet. The first stage in this process is actually building that set of layers from Ethernet, IP, TCP, etc.. To do that we're going to use this build layers function, which will take this string as an input. Our first step in this is to create some of the base layers that we're going to be using in whatever packet we choose. No matter what, we're going to be sending traffic out over Ethernet, and we've got an IP layer inside of that. Here we'll set a couple of values to ensure there what we want them to be. Maybe a source address of 127.0.0.1 and a destination of 8.8.8.8.8. These are some of the high level requirements that we might have for a packet. We might need to tweak other information based off of the unique needs for our network. Maybe we need to specify a particular TCP source port or UDP source port for our traffic, for it to work on our computer and within our network. But at the moment we'll just have these IP addresses as our required parameters. Now, we've got this, and we need to turn it into a packet in Scapy. First we're going to split off of our semicolon, and we're going to start with the third value. The reason why is Ethernet and IP appear here, and we've already got a packet P that includes those layers. Now, what we're going to do is loop over the rest of this, and determine if the section of this string is a layer, and if so, add it to the packet. We're going to use a try and accept to do this. Essentially what we'll do is for each of these, say, TCP, we're going to try to define it as a layer and add it to the packet. If it works, we know it is a layer. If it doesn't work, like once we get to, say, this load, which is a field, then we know we've reached the end and built our packet and just need to put our data in the appropriate field. Our try is every time where it works and we're actually adding a layer, and our accept says, okay, we've gotten to the raw layer. It's built. Now, when we try to do load, it fails. We've got our packet and we return it. We have a couple of challenges here. One is that the name of a layer doesn't necessarily match the constructor for that layer. For example, ATTP space 1 is for the HTTP layer, HTTP space response doesn't have a space in the constructor, etc.. We've got a few lines of code here dealing with some of these corner cases. We're going to take out spaces using the Replace function, which will replace space with nothing. Then if the layer happens to be HTTP 1, so matching this particular case, we're going to use the right name for that constructor. Fixing that solves the first of our two problems. The second is we have a string, and to add a layer, we need a function call, so something like ether here. The string Ethernet or ether, etc., isn't the same as this call to the ether constructor. However, in Python we can call functions with a string. How we do that is through this line of code here, which says globals function, we'll call it with a list containing the string that we want, and then we'll call it as a function. What the result of this will be, when we call it, say, with the string, TCP is a TCP layer of a Scapy packet, which is exactly what we need. With that stored in L, we can call the add payload function to add it to the packet. Remember that with network traffic, each layer is encapsulated within the payload of the previous. We have an Ethernet layer, it has a data section or payload. In that payload, we start with our IP layer. Our IP layer has a data payload section, and in this particular case, the very beginning of that will be the TCP header, etc.. By adding payloads with our new layer, we're adding additional layers to our packet to get to eventually the HTTP response with a raw payload that we want. When our build layers function is done, we can return a valid packet. We've got our packet now, but we don't have the command and control data that we want to put in that packet. In this case, we can say that our command and control data is just the word hello. We want to set that as the payload in a particular location. In this case, it actually is the payload, but it could be an HTTP header, it could be part of a DNS request, etc. We'll call a set payload function. We'll pass in the packet that we built previously, the list of layers, and then the data that we want to put at that particular location. For this, we're going to do a bit of walking down the stack of the layers within the packet. Again, we'll split those layers off of a semicolon and we'll walk to the second to last place. Because the second to last one will be the last one before we call a field value that we want to set the value up. See you in the end, we'll call set field value with the last layer. That says, "Make the value of load equal to data". But first we have to get to the raw section where that load field is defined. How we can do that is we can loop over the various layers that we've got here, and we have to test to see if we've got a layer or if we've got a field value, because in some cases like DNS, you can have some nested fields. For example, the answer to a DNS request, the answer will be a collection of field values within the DNS packet. We need to say, "We want to go into that answer layer and then a particular field within that nested answer". However, that's treated differently than say, "Okay, we're looking to see if there is an HTTP response layer and if so, we want to access that response layer". The way that we can differentiate between these is using scabies haslayer function. Essentially this will return true if the packet has a layer with that name, and it will return false if what we're looking for is actually something like a field. We'll pass that in. If that layer exists, the variable that we're looking at, which we're calling p, which is our bottom layer, or bottom field that eventually will contain the field value that we want to set. We'll set that bottom most location to the layer that we're looking at. Say when we start out, we're going to first we want to look for the Ethernet layer. P is going to point to the Ethernet layer on the packet. Then we'll look for the IP layer, it will point to the IP layer. Then TCP layer, HTTP layer, HTTP response layer, raw layer. Eventually we'll get down to, we're looking at load, which is an a layer, it's a field value. This haslayer will return false. In this case, however, we won't look at load because we only go as far as raw. But if we add something like a DNS request where we need to set a value within the answer. Will hit a point where haslayer returns false instead of setting p to that layer, will set it to the particular nested field value. The answer structure in which we can get to the particular field that we want. Once we've gotten to that bottom layer that contains that field we want, we can then call set field value to put our payload in that value and then return the packet and update it. In the end, we're going from a listing of the layers that we want in our packet and the data that we want to send to what's hopefully a packet that we could send over the network that accomplishes that goal. We can call this using Build C2, hit "Enter", give it a moment. In the end we've called packet.show, so it prints the packet we built. Walking through we see we've got an Ethernet layer. These are automatically generated like destination and source. We probably have to change that to send the packet. The next layer down, we have our default source and destination addresses here. Then we see we wanted to TCP packet, so we've created that. Notice that the destination port here is the HTTP port, which is good because that's what we want to send. We probably want to change the source port, however, to a higher number random port because you won't go from port 80 to port 80, etc. Now have an HTTP layer, which hold an HTTP response layer matching our request. Then we see there are a bunch of HTTP header fields we haven't set, but we could have used one of these for data transfer. We finally get to our raw layer in which we wanted to set our payload in the value load. We look at that field and it says, "Hello". In the end here we've successfully built a packet that accomplishes our needs, and we've done it completely automatically. If we had a different string here, we could build a completely different packet. This helps us automate the process of determining our C2 infrastructure. Using traffic analyzers script, we determine a string describing the packet that we want and where we want to put the data. Then this script here actually built that packet for sending a particular piece of data to our command and control infrastructure. Thank you.
