How to Build an Evasive Shell in Python, Part 1: Introduction & Concepts
Hello, everyone. Stealth is a large part of any successful hack; if we don't get noticed, we're much less likely to be caught. In these next few articles, we'll be building a shell based on keeping us hidden from a firewall.
There are many ways to stay hidden from a firewall, but we'll only be incorporating a couple into our shell. This article will outline and explain these evasion concepts and techniques.
The two techniques that we'll be using are rather simple: well-known ports and trust exploitation. We'll explain these concepts deeper.
Ports are used to make connections. Some ports are used for certain services (the entire range of ports is 0-1023), such as port 80 for HTTP and port 443. When using our shell, we'll need to transfer data to and from the victim, and using these ports will give us an extra layer between us and any firewall.
By using one of these well-known ports, the firewall is less likely to be suspicious of anything coming in and out of them. We'll be binding the shell to port 80, and communicating to the attacking machine on port 80 as well.
Now that we know about the simple concept of well-known ports, let's move on to trust exploitation, which is slightly more complex.
There can be instances where firewalls have exceptions. It may filter out connections to a specific address while allowing connections to another. If we can exploit this naive trust, we can gain unsuspected control of our shell, and the firewall will be none the wiser.
We'll essentially be spoofing our IP address while we're in control of the shell. We'll be performing this through ARP spoofing. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. If we can replace the known MAC address of a trusted address with our own, we can connect to the victim while spoofing the IP address of the trusted source. In the proper instances, this will allow us another extra layer of stealth.
Now that we've covered our concepts, let's wrap up this introduction...
In the next article, we'll build the script for the victim—the shell. This will accept commands through a socket, execute them, and will send the output back to the attacking machine. In the article after that, we'll build the shell controller that will run on the attacker's machine. We'll be using Ubuntu as our victim OS, and we'll be using Kali (obviously) as our attacking OS.
That covers everything we need to know about the ideas and concepts that we'll be using in our evasive shell. If you have any questions, leave them in the comments below and I'll do my absolute best to answer them.
Thank you for reading!