How to Build an Evasive Shell in Python, Part 1: Introduction & Concepts

Feb 13, 2016 07:06 PM
Mar 1, 2016 08:46 PM
635909258124863788.jpg

Hello, everyone. Stealth is a large part of any successful hack; if we don't get noticed, we're much less likely to be caught. In these next few articles, we'll be building a shell based on keeping us hidden from a firewall.

635924315271271613.jpg

There are many ways to stay hidden from a firewall, but we'll only be incorporating a couple into our shell. This article will outline and explain these evasion concepts and techniques.

The two techniques that we'll be using are rather simple: well-known ports and trust exploitation. We'll explain these concepts deeper.

Using Well-Known Ports for Evasion

Ports are used to make connections. Some ports are used for certain services (the entire range of ports is 0-1023), such as port 80 for HTTP and port 443. When using our shell, we'll need to transfer data to and from the victim, and using these ports will give us an extra layer between us and any firewall.

By using one of these well-known ports, the firewall is less likely to be suspicious of anything coming in and out of them. We'll be binding the shell to port 80, and communicating to the attacking machine on port 80 as well.

Now that we know about the simple concept of well-known ports, let's move on to trust exploitation, which is slightly more complex.

Using Trust Exploitation for Evasion

There can be instances where firewalls have exceptions. It may filter out connections to a specific address while allowing connections to another. If we can exploit this naive trust, we can gain unsuspected control of our shell, and the firewall will be none the wiser.

635924325441086899.jpg

We'll essentially be spoofing our IP address while we're in control of the shell. We'll be performing this through ARP spoofing. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. If we can replace the known MAC address of a trusted address with our own, we can connect to the victim while spoofing the IP address of the trusted source. In the proper instances, this will allow us another extra layer of stealth.

Now that we've covered our concepts, let's wrap up this introduction...

Wrapping Up

In the next article, we'll build the script for the victim—the shell. This will accept commands through a socket, execute them, and will send the output back to the attacking machine. In the article after that, we'll build the shell controller that will run on the attacker's machine. We'll be using Ubuntu as our victim OS, and we'll be using Kali (obviously) as our attacking OS.

That covers everything we need to know about the ideas and concepts that we'll be using in our evasive shell. If you have any questions, leave them in the comments below and I'll do my absolute best to answer them.

Thank you for reading!

-Defalt

Image of firewall via Shutterstock; Cover image via 1wallpaper

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!