
How to Build an Evasive Shell in Python, Part 4: Testing the Shell

Feb 13, 2016 09:55 PM
Mar 2, 2016 10:13 PM

Welcome back, everyone. In the previous part of this rapid-fire miniseries, we built the attacker portion of the shell. In this article, we'll just be testing it to see if everything works correctly.

First, we'll need to start the victim script. Simply navigate to it and execute it. With that started, let's go ahead and start the attacker script next:

Terminal interface displaying commands for network configuration and IP address spoofing.

We've named our script shellcontrol and we've executed it now. I've entered the victim IP as 10.0.0.33, and the IP to spoof as 10.0.0.55. I've also entered wlan0 as my desired interface.

It should now attempt to gather the victim's MAC address and start the spoofing thread. Let's see the output that the attacking script gives us:

Terminal output showing steps in a network spoofing process.

Here we go! We successfully started the interaction with the script. Let's open up Wireshark and take a look at our ARP spoofing:

Screenshot of the Wireshark capture showing the ARP traffic.

I apologize for the small screenshot, but the Wireshark output is rather lengthy. The Wireshark capture above shows that we've successfully started our ARP poisoning thread!

Now that we're in control of the victim, let's run some commands. We'll start with a simple ls command:

Terminal window displaying a directory listing in Ubuntu.

We can see by our prompt that the victim executed the script as root, so we OWN this box! I've made a file on the desktop under the name supersecret!; let's try and read this file:

Terminal commands displayed on a computer screen.

There we have it... our shell works!

Now that we know our shell works, let's see how visible we are to the victim. Let's show the ARP cache of the victim and see our fake IP linked to our MAC:

Command line output showing the ARP table with IP addresses and corresponding MAC addresses on a Linux system.

We can see that 10.0.0.55 is mysteriously found at our MAC address, so we're successfully spoofing our IP.
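The same ARP cache is what a defender would inspect: one MAC address answering for several IPs on the same interface is the visible trace of this kind of spoofing. The check below is an added example, not code from this series. It parses the Linux `/proc/net/arp` format; the sample table is constructed, its MAC addresses are made up, and 10.0.0.42 as the attacker's real IP is an assumption.

```python
"""Flag MAC addresses that answer for more than one IP in a Linux ARP cache."""
from collections import defaultdict

# Constructed sample in /proc/net/arp format. 10.0.0.55 is the spoofed IP from
# the article; the MAC addresses and 10.0.0.42 are made up for illustration.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:01     *        wlan0
10.0.0.55        0x1         0x2         00:11:22:33:44:aa     *        wlan0
10.0.0.42        0x1         0x2         00:11:22:33:44:AA     *        wlan0
10.0.0.77        0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_arp_table(text):
    """Return (ip, mac, device) for every completed entry in the table."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        # Flag bit 0x2 (ATF_COM) marks a resolved entry; skip incomplete ones.
        if not int(flags, 16) & 0x2:
            continue
        entries.append((ip, mac.lower(), device))
    return entries


def shared_macs(entries):
    """Map (device, mac) -> sorted IPs for each MAC that claims several IPs."""
    by_mac = defaultdict(set)
    for ip, mac, device in entries:
        by_mac[(device, mac)].add(ip)
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    import sys
    # On a live host pass /proc/net/arp as the argument; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROC_NET_ARP
    for (device, mac), ips in shared_macs(parse_arp_table(text)).items():
        print(f"[!] {mac} on {device} answers for {', '.join(ips)}")
```

A hit is a lead rather than proof, since routers, proxy ARP and hosts with IP aliases legitimately answer for several addresses. The check also stays silent if the spoofing host's real IP never enters the cache, so comparing against a known-good IP-to-MAC baseline covers that case.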

Let's see what we can dig up with a netstat command:

Screenshot of the netstat output.

We can see a mysterious service on port 80 listening for any IP address. Because it uses a well-known port, it is less likely to be detected by a firewall. Now that we've confirmed our shell's functionality, let's wrap this miniseries up, shall we?

Wrapping Up

There we have it. Our miniseries is over! We built the victim and attacker scripts and they can successfully interact with each other. This shell is considerably less likely to be detected by a firewall depending on what IP you choose to spoof.

If you have any questions at all, please leave them in the comments below. I'll try my absolute best to answer them.

Thank you for reading!

-Defalt
