Skip to content



Retrouvez toutes nos publications

Les collaborateurs LEXFO sont des experts sécurité avec des profils complémentaires dans différents domaines d’expertise : vulnérabilités, cryptographie, rétro-ingénierie…


A need for a reliable and secure reverse shell

During our redteam engagements, there are plenty of situations where we get an arbitrary code execution but cannot get a direct shell connection using standard reverse shell tools because of some network filtering. More importantly, we need some network pivot capabilities such as proxies or port forwarding. This led to the development of sshimpanzee a static reverse OpenSSH server which offers tunnelling mechanisms such as DNS or ICMP.

How does it work ?

Build options will not be detailed here as they are documented on sshimpanzee’s Instead, this article will give insight about how sshimpanzee works.

Building a reverse sshd

sshimpanzee brings a set of patches to OpenSSH’s sshd. Starting from a standard OpenSSH server it is fairly easy to make it « reverse ». This is due to the fact that both accept() and connect() libc calls (and syscalls) return the same type of object: fd. Thus, when initializing the network part in the listen_on_addrs() function, it is possible to remove every call to bind and listen.

& Références


sshimpanzee is a fork of openssh server packaged with different network tunnels. It currently provides reverse connect as well as ssh over ICMP, DNS or HTTP encapsulation and supports HTTP or SOCKS proxies.