How To: Build an Evasive Shell in Python, Part 1: Introduction & Concepts

Build an Evasive Shell in Python, Part 1: Introduction & Concepts

Hello, everyone. Stealth is a large part of any successful hack; if we don't get noticed, we're much less likely to be caught. In these next few articles, we'll be building a shell based on keeping us hidden from a firewall.

There are many ways to stay hidden from a firewall, but we'll only be incorporating a couple into our shell. This article will outline and explain these evasion concepts and techniques.

The two techniques that we'll be using are rather simple: well-known ports and trust exploitation. We'll explain these concepts deeper.

Using Well-Known Ports for Evasion

Ports are used to make connections. Some ports are used for certain services (the entire range of ports is 0-1023), such as port 80 for HTTP and port 443. When using our shell, we'll need to transfer data to and from the victim, and using these ports will give us an extra layer between us and any firewall.

By using one of these well-known ports, the firewall is less likely to be suspicious of anything coming in and out of them. We'll be binding the shell to port 80, and communicating to the attacking machine on port 80 as well.

Now that we know about the simple concept of well-known ports, let's move on to trust exploitation, which is slightly more complex.

Using Trust Exploitation for Evasion

There can be instances where firewalls have exceptions. It may filter out connections to a specific address while allowing connections to another. If we can exploit this naive trust, we can gain unsuspected control of our shell, and the firewall will be none the wiser.

We'll essentially be spoofing our IP address while we're in control of the shell. We'll be performing this through ARP spoofing. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. If we can replace the known MAC address of a trusted address with our own, we can connect to the victim while spoofing the IP address of the trusted source. In the proper instances, this will allow us another extra layer of stealth.

Now that we've covered our concepts, let's wrap up this introduction...

Wrapping Up

In the next article, we'll build the script for the victim—the shell. This will accept commands through a socket, execute them, and will send the output back to the attacking machine. In the article after that, we'll build the shell controller that will run on the attacker's machine. We'll be using Ubuntu as our victim OS, and we'll be using Kali (obviously) as our attacking OS.

That covers everything we need to know about the ideas and concepts that we'll be using in our evasive shell. If you have any questions, leave them in the comments below and I'll do my absolute best to answer them.

Thank you for reading!


Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Image of firewall via Shutterstock; Cover image via 1wallpaper

1 Comment

Actually you will get one of those "Address Already in Use" error messages. The two IPs should work but, in that case you need to bind your socket to the specific interface you want to use. This is done with the option SO_BINDTODEVICE and the system call setsockopt (man 7 socket).

If you do not have two network adapters (you should have, nowadays a wired and a wireless, but just in case), you can quickly check, bringing up a virtual interface. Something like this

ifconfig eth0:1 netmask

Good tutorial Defalt!

Share Your Thoughts

  • Hot
  • Latest