Art of the pivot: reverse VPNs with revsh

Presented at ToorCon San Diego 18 (2016), Oct. 16, 2016, 2 p.m. (20 minutes)

I’ll be releasing a new tool at ToorCon. I’ve been told that it is super cool and would make for an interesting talk. I’m happy to do a 20-minute talk about the tool itself, or a longer 50-minute talk about the current state of the art in pivoting techniques, and then introduce the tool as the next step, with demos.

The tool is called revsh (short for “reverse shell”). It started as a reverse shell tool with TTY support. It has evolved, with features added as I needed them for pentesting. It currently supports SSL encryption, proxy support (point-to-point and SOCKS) and TUN/TAP forwarding of raw IP packets and Ethernet frames. The TUN/TAP support turns it from a reverse shell into a reverse VPN.

The demo will show me pivoting from a sandboxed network, through a dual-homed Linux host, and attacking a host on a separate target network by connecting with revsh to the dual-homed host… then simply DHCPing an IP address on the target network! This means that all of the network scan/attack tools in Kali work natively and there is no need for proxychains. It also acts as a counter-forensic strategy by reducing the number of tools that must be moved over to the compromised pivot box.

The features all work currently. The code is still in development, but all that is remaining is documentation and cleaning up the getopt() switch parsing. An older version with only TTY support but no proxies or TUN/TAP is available at: https://github.com/emptymonkey/revsh The code I will release at ToorCon currently lives in the “devel” branch, so you’ll need to git checkout devel to inspect it.

The presentation isn’t fully fleshed out yet and I’m open to other directions for the talk, as well as other names. Feel free to contact me for an in-person demo.
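The layer-2 pivot the abstract describes (tunnel Ethernet frames to the dual-homed host, then lease an address on the target network) depends on interface plumbing that the tunnel tool itself does not do. The following is an added example, not revsh’s code and not its command line (the page documents no switches, and none are used here): it assumes the tunnel has already created a TAP device on both ends, and the interface names tap0, eth1, br0 and the address 10.0.0.5/24 are placeholders. DRY_RUN=1, the default, prints the iproute2 and dhclient commands instead of running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: Linux-side plumbing for a TAP-based layer-2 pivot.
# Not revsh's own code; it assumes some tunnel already provides a TAP
# interface (assumed name: tap0) on both the attacker and the pivot.
# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (needs root).

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pivot (the dual-homed host): bridge the tunnel's TAP device with the NIC
# that faces the target network, so the attacker's broadcast frames (DHCP
# DISCOVER, ARP) reach that segment unchanged. Any address the pivot holds
# on that NIC must move to the bridge first; otherwise the pivot loses its
# own path into the target network the moment the NIC becomes a bridge port.
# usage: pivot_bridge TAP NIC BRIDGE [PIVOT_ADDR/PREFIX]
pivot_bridge() {
    tap=$1; nic=$2; br=$3; addr=$4
    run ip link add name "$br" type bridge
    if [ -n "$addr" ]; then
        run ip addr del "$addr" dev "$nic"
        run ip addr add "$addr" dev "$br"
    fi
    run ip link set dev "$nic" master "$br"
    run ip link set dev "$tap" master "$br"
    run ip link set dev "$tap" up
    run ip link set dev "$br" up
}

# Attacker: bring the local end of the TAP up and lease an address from the
# target network's DHCP server, as if plugged into that switch. Scanners and
# attack tools then bind to tap0 natively; no proxychains is involved.
# dhclient -1 makes a single attempt instead of retrying forever.
# usage: attacker_dhcp TAP
attacker_dhcp() {
    tap=$1
    run ip link set dev "$tap" up
    run dhclient -v -1 "$tap"
}

# Pivot clean-up, in reverse order, restoring the NIC's address so the host
# is left as it was found.
# usage: pivot_unbridge TAP NIC BRIDGE [PIVOT_ADDR/PREFIX]
pivot_unbridge() {
    tap=$1; nic=$2; br=$3; addr=$4
    run ip link set dev "$tap" nomaster
    run ip link set dev "$nic" nomaster
    run ip link del dev "$br"
    if [ -n "$addr" ]; then run ip addr add "$addr" dev "$nic"; fi
}
```

Typical use is `pivot_bridge tap0 eth1 br0 10.0.0.5/24` on the pivot and `attacker_dhcp tap0` on the attacker, with `DRY_RUN=0` once the printed commands look right. One caveat worth checking before leasing: the target network’s DHCP server will usually hand out a default gateway, and dhclient will install it, which can reroute the attacker’s own transport for the tunnel through the target network and drop the tunnel. If that applies, run dhclient with a configuration whose `request` list omits `routers`, or delete the offered default route and add only the target subnet via tap0.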


Presenters:

  • Bren Mills / @emptymonkey
    I’m a member of Qualcomm’s ISRM Application Security team. I’ve been with Qualcomm for 12 years. My background includes systems programming, Linux internals, and cybersecurity. In my spare time I conduct research on Linux security issues. https://www.linkedin.com/in/bren-mills-a4101b6a https://github.com/emptymonkey
