A need for a reliable and secure reverse shell

During our redteam engagements, there are plenty of situations where we get an arbitrary code execution but cannot get a direct shell connection using standard reverse shell tools because of some network filtering. More importantly, we need some network pivot capabilities such as proxies or port forwarding. This led to the development of sshimpanzee a static reverse OpenSSH server which offers tunnelling mechanisms such as DNS or ICMP.

How does it work ?

Build options will not be detailed here as they are documented on sshimpanzee’s README.md. Instead, this article will give insight about how sshimpanzee works.

Building a reverse sshd

sshimpanzee brings a set of patches to OpenSSH’s sshd. Starting from a standard OpenSSH server it is fairly easy to make it « reverse ». This is due to the fact that both accept() and connect() libc calls (and syscalls) return the same type of object: fd. Thus, when initializing the network part in the listen_on_addrs() function, it is possible to remove every call to bind and listen.