How To: Build an Evasive Shell in Python, Part 1: Introduction & Concepts


Hello, everyone. Stealth is a large part of any successful hack; if we don't get noticed, we're much less likely to be caught. In these next few articles, we'll be building a shell designed to keep us hidden from a firewall.

There are many ways to stay hidden from a firewall, but we'll only be incorporating a couple into our shell. This article will outline and explain these evasion concepts and techniques.

The two techniques we'll be using are rather simple: well-known ports and trust exploitation. We'll explain each of these in more depth below.

Using Well-Known Ports for Evasion

Ports are used to make connections. Certain ports are reserved for specific services (the well-known range is 0-1023), such as port 80 for HTTP and port 443 for HTTPS. When using our shell, we'll need to transfer data to and from the victim, and using one of these ports gives us an extra layer between us and any firewall.

If we use one of these well-known ports, the firewall is less likely to be suspicious of anything coming in or going out on them. We'll be binding the shell to port 80, and communicating with the attacking machine on port 80 as well.

Now that we know about the simple concept of well-known ports, let's move on to trust exploitation, which is slightly more complex.

Using Trust Exploitation for Evasion

There can be instances where firewalls have exceptions: a firewall may filter out connections from one address while allowing connections from another. If we can exploit this naive trust, we can gain unsuspected control of our shell, and the firewall will be none the wiser.

We'll essentially be spoofing our IP address while we're in control of the shell. We'll be doing this through ARP spoofing. ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. If we can replace the known MAC address of a trusted address with our own, we can connect to the victim while spoofing the IP address of the trusted source. In the right circumstances, this gives us yet another layer of stealth.
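The binding change that ARP spoofing produces is also what a defender watches for. As an added example that is not part of this article, here is a minimal Python watcher that records the first MAC address seen for each IP in ARP replies and raises an alert when a different MAC later claims the same IP; the ArpReply records and the addresses in SAMPLE_REPLIES are constructed for illustration.

```python
# Added example: a minimal ARP-spoofing detector. It tracks the IP -> MAC
# binding first seen for each IP address in ARP replies and alerts when a
# different MAC later claims that IP, which is exactly the change that
# spoofing a trusted host's address produces on the segment.
from collections import namedtuple

# Constructed record type standing in for a parsed ARP reply (assumption).
ArpReply = namedtuple("ArpReply", ["sender_ip", "sender_mac"])


class ArpWatcher:
    def __init__(self):
        self.bindings = {}  # ip -> MAC first seen for that ip (normalised to lower case)
        self.alerts = []    # (ip, previous_mac, new_mac) for every binding change

    def observe(self, reply):
        """Record one ARP reply; return an alert tuple if the IP's MAC changed, else None."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            # First time this IP has been seen: learn the binding.
            self.bindings[ip] = mac
            return None
        if known != mac:
            # A different MAC now claims an IP we already know: possible spoofing.
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None  # Same binding as before, nothing to report.


def scan_replies(replies):
    """Feed a sequence of ARP replies through a fresh watcher and return its alerts."""
    watcher = ArpWatcher()
    for reply in replies:
        watcher.observe(reply)
    return watcher.alerts


# Constructed sample traffic: a trusted host answers normally, then a second
# MAC starts answering for the trusted host's IP address.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.10", "00:11:22:33:44:55"),  # trusted host, first seen
    ArpReply("192.168.1.20", "66:77:88:99:aa:bb"),  # unrelated host
    ArpReply("192.168.1.10", "00:11:22:33:44:55"),  # same binding, no alert
    ArpReply("192.168.1.10", "de:ad:be:ef:00:01"),  # another MAC claims the trusted IP
]

if __name__ == "__main__":
    for ip, old_mac, new_mac in scan_replies(SAMPLE_REPLIES):
        print(f"ALERT: {ip} moved from {old_mac} to {new_mac}")
```

On a real segment the replies would come from a packet capture rather than a list, and static ARP entries for the trusted hosts remove the window in which the first-seen binding could itself be the spoofed one.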

Now that we've covered our concepts, let's wrap up this introduction...

Wrapping Up

In the next article, we'll build the script for the victim—the shell. This will accept commands through a socket, execute them, and will send the output back to the attacking machine. In the article after that, we'll build the shell controller that will run on the attacker's machine. We'll be using Ubuntu as our victim OS, and we'll be using Kali (obviously) as our attacking OS.

That covers everything we need to know about the ideas and concepts that we'll be using in our evasive shell. If you have any questions, leave them in the comments below and I'll do my absolute best to answer them.

Thank you for reading!


Image of firewall via Shutterstock; Cover image via 1wallpaper


One question about using common ports:

Say that we already have a service running on a port, let's say Apache2 on port 80. Then we can't bind our shell to that port unless we "merge" it into Apache2, right? (like the meterpreter "migrate" command). Or can we bind our shell to port 80 as usual?

Sorry if this is a noobish question, but I haven't reached that far into networking yet.


If a service is already listening on that port, we must bind to a different port. In this example we're just assuming that port 80 is free.


With the TCP protocol I would say no, you can't have more than one application subscribing to the same port, unless you've got 2 network cards; then you could have one application listen on one IP and the other one on the other IP, but using the same port number.

The solution for this would be using multicasts, aka UDP, where you can have more than one application subscribe to the same port.

Hacked by Mr_Nakup3nda

Actually, you will get one of those "Address Already in Use" error messages. The two IPs should work, but in that case you need to bind your socket to the specific interface you want to use. This is done with the SO_BINDTODEVICE option and the setsockopt system call (man 7 socket).

If you do not have two network adapters (you should have, nowadays a wired and a wireless one, but just in case), you can quickly check by bringing up a virtual interface. Something like this:

ifconfig eth0:1 netmask

Good tutorial Defalt!
