Custom Layer 2 covert shell over raw Ethernet using AES-encrypted MAC frames for stealthy C2 on Linux.

OzexK/linuxmacshell

MACShell V0.1 – Covert MAC-Based Shell Over Ethernet (Layer 2)

MACShell is a stealthy command-and-control shell that operates purely over Layer 2 (Ethernet), bypassing IP-based monitoring and filtering. It uses raw MAC frames for communication and AES encryption for confidentiality — making it ideal for red team engagements and low-noise post-exploitation.


Features

  • AES-256 encrypted payloads using Fernet
  • Pure Layer 2 communication — no IP, TCP, or UDP
  • Custom EtherType 0x1234 for covert signaling
  • Interactive shell interface between server and agent
  • Multi-threaded response sniffer with queuing
  • Linux-only support (tested on Kali)

⚠️ Disclaimer

This tool is provided for educational and authorized penetration testing purposes only.
Unauthorized usage is strictly prohibited. Use at your own risk.


📦 Requirements

Agent & Server (Linux)

Install Dependencies

pip install -r requirements.txt

How It Works

  1. The agent sends a hello packet using a custom EtherType 0x1234.
  2. The server listens, learns the agent's MAC, and initiates an interactive shell.
  3. All communication (commands/responses) is encrypted with AES and transmitted via Ethernet frames.
  4. Scapy crafts and sniffs the frames over raw sockets.

AES Key Sharing

The AES key is pre-shared: both scripts carry the same Fernet key (from Python’s cryptography package):

key = b"q3yHiYdGNwFqkugDaG9f6_PRAolbQkAe6bQYRE3GE9s="  # Replace for real ops

To generate your own key:

python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

Usage

1. Start the Agent (on the target)

sudo python3 agent.py

2. Start the Server (on the attacker box)

sudo python3 server.py

3. Command Shell Example

agent> whoami
agent> uname -a
agent> id


Testing Notes

  • Both agent and server must be on the same Ethernet segment (L2).
  • Ensure the correct iface (e.g., eth0, ens33) is set in both scripts.
  • Traffic may not work over tun0 or Wi-Fi unless in promiscuous mode.
  • Packets typically bypass firewalls/iptables because they operate below the IP layer.

Limitations & Detection

  • May be detected by advanced IDS/IPS inspecting raw Ethernet frames.
  • Can be blocked by network devices filtering unknown EtherTypes.
  • Switches with MAC learning/flood protection may hinder operation.
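
The first two points above from the monitoring side, as an added example that is not part of the MACShell code: it classifies raw Ethernet frames by EtherType, looking through VLAN tags, and reports source MACs that use values outside an allowlist. The allowlist, the function names and the sample frames are constructed for illustration.

```python
import struct

# Assumed allowlist (IPv4, ARP, IPv6, LLDP, 802.1X); tune it to what your segment carries.
KNOWN_ETHERTYPES = {0x0800, 0x0806, 0x86DD, 0x88CC, 0x888E}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers


def classify_frame(frame: bytes):
    """Return (src_mac, ethertype, verdict) for one raw Ethernet frame."""
    if len(frame) < 14:
        return None, None, "truncated"
    src = frame[6:12].hex(":")
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    # Skip VLAN tags so a tagged frame is judged by its inner EtherType.
    while etype in VLAN_TAGS:
        offset += 4
        if len(frame) < offset + 2:
            return src, etype, "truncated"
        (etype,) = struct.unpack_from("!H", frame, offset)
    if etype < 0x0600:
        return src, etype, "802.3-length"  # length field (LLC/STP), not an EtherType
    return src, etype, "known" if etype in KNOWN_ETHERTYPES else "unknown"


def unknown_talkers(frames):
    """Count frames with unlisted EtherTypes per (source MAC, EtherType)."""
    hits = {}
    for f in frames:
        src, etype, verdict = classify_frame(f)
        if verdict == "unknown":
            hits[(src, etype)] = hits.get((src, etype), 0) + 1
    return hits


# Constructed sample frames (broadcast dst, src MAC, type bytes, padding); not captured traffic.
def make_frame(src, etype_bytes, payload=b"\x00" * 46):
    return b"\xff" * 6 + bytes.fromhex(src) + etype_bytes + payload


SAMPLE = [
    make_frame("020000000001", b"\x08\x00"),                  # IPv4
    make_frame("020000000002", b"\x12\x34"),                  # EtherType 0x1234
    make_frame("020000000002", b"\x81\x00\x00\x0a\x12\x34"),  # same, inside VLAN 10
    make_frame("020000000003", b"\x00\x26"),                  # 802.3 length field
]

if __name__ == "__main__":
    for (mac, etype), n in unknown_talkers(SAMPLE).items():
        print(f"{mac} sent {n} frame(s) with unlisted EtherType 0x{etype:04x}")
```

Frames for `classify_frame` would come from a capture on a mirror port or sensor interface; repeated hits from one source MAC are the signal worth alerting on.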

Tip for Stealth

  • Avoid default EtherType 0x1234 in real-world scenarios.
  • Use obfuscation, encryption rotation, and randomized beaconing for better OpSec.

Made with ❤️ by Ozex for educational red teaming.