How to Build an Evasive Shell in Python, Part 4: Testing the Shell

Feb 13, 2016 09:55 PM
Mar 2, 2016 10:13 PM
635925248236473566.jpg

Welcome back, everyone. In the previous part of this rapid-fire miniseries, we built the attacker portion of the shell. In this article, we'll just be testing it to see if everything works correctly.

First, we'll need to start the victim script. Simply navigate to it and execute it. With that started, let's go ahead and start the attacker script next:

635909565521727727.jpg

We've named our script shellcontrol and we've executed it now. I've entered the victim IP as 10.0.0.33, and the IP to spoof as 10.0.0.55. I've also entered wlan0 as my desired interface.

It should now attempt to gather the victims MAC address and start the spoofing thread. Let's see the output that the attacking script gives us:

635909566537821356.jpg

Here we go! We successfully started the interaction with the script. Let's open up Wireshark and take a look at our ARP spoofing:

635925244332879737.jpg

I apologize for the small screenshot, but the Wireshark output is rather lengthy. We can see by this above Wireshark result that we've successfully started our ARP poisoning thread!

Now that we're in control of the victim, let's run some commands. We'll start with a simple ls command:

635909568912665969.jpg

We can see by our prompt that the victim executed the script as root, so we OWN this box! I've made a file on the desktop under the name supersecret!; let's try and read this file:

635909570006417035.jpg

There we have it... our shell works!

Now that we know our shell works, let's see how visible we are to the victim. Let's show the ARP cache of the victim and see our fake IP linked to our MAC:

635909571120165140.jpg

We can see that 10.0.0.55 is mysteriously found at our MAC address, so we're successfully spoofing our IP.

Let's see what we can dig up with a Netstat command:

635909572023446348.jpg

We can see a mysterious service on port 80 listening for any IP address. This is less likely to be detected by a firewall because of the use of well-known ports. Now that we've confirmed our shell's functionality, let's wrap this miniseries up, shall we?

Wrapping Up

There we have it. Our miniseries is over! We built the victim and attacker scripts and they can successfully interact with each other. This shell is considerably less likely to be detected by a firewall depending on what IP you choose to spoof.

If you have any questions at all, please leave them in the comments below. I'll try my absolute best to answer them.

Thank you for reading!

-Defalt

Cover image via Shutterstock

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!