Ryan Nelson's Blog

Stealing Fire: Why My New Open Source Tools Borrow from Hackers

• By Ryan Nelson
AI generated image of a hospital crashcart covered in tech company stickers in a datacenter
AI generated image of a hospital crashcart

I came to New York City in 1995. The dotcom explosion was happening. I was working as a sysadmin at an ISP.

I went to school for Electrical and Computer Engineering. But the reality is that I came to this industry from an apprentice, self-taught angle. I learned by breaking things.

In 1996, the best investment I ever made was buying a Sun SPARC workstation on eBay. I wanted "mess around" experience on enterprise gear. I wanted to see what happened when I broke the OS, without getting fired.

Here is a statistic that might terrify a modern Hiring Manager: I have never held a job where I did not have "root." I have also never held a job where I wasn't the person responsible for debugging and fixing things in live production.

This is "crazy bad-practice" according to the SRE Bible. It is "gonzo-sysops." But you learn things when you are five hops deep in a server that is currently on fire. You learn to value tools that work in hostile environments.

Stealing from hackers

I admitted in the last post that I effectively reinvented a Command & Control (C2) framework while trying to manage my AI infrastructure. Funny, right? Except that C2 frameworks solve the exact problem I have: running commands reliably in hostile environments.

I am a "veteran of the industry" (old white guy). I don't need to hammer a specific "offensive security" tool into a tight spot just because it looks cool on a slide deck. I just want to run tcpdump in a production container now and then without waking up the security team.

Living off the land

I don't want to deploy Metasploit to my cluster. I want to steal its architecture.

The security world has a concept called "Living off the Land" (LotL)1. It means using the tools already present in the environment to achieve your goals. For a hacker, that means using PowerShell to steal credentials. For a DevOps engineer, it means utilizing the native physics of the OS to survive in a broken environment.

I'm working towards a release of a suite of open-source tools to handle this. They won't install a C2 agent. They'll simply borrow the techniques that make C2 agents so resilient.

What I'm borrowing

Here's how I'm mapping the genius of "offensive" tools into a smartly-lean DevOps toolkit.

1. Shell Stabilization (Borrowed from pwncat-cs2) Raw shells are garbage. They hang. They lack history. They die if you Ctrl+C at the wrong time. The tool pwncat-cs solves this by acting as a proxy that "upgrades" the connection to a fully interactive PTY.

• My take: I'm implementing the stabilization logic in a lightweight wrapper. Skip the full pwncat binary, keep the technique. The goal is a shell that feels local even when you're working on a remote container with no public IP.

2. Tunneling (Borrowed from chisel3) Sometimes you need to punch a hole through a network. chisel is brilliant because it tunnels TCP/UDP over a single HTTP connection. It is hella robust compared to standard SSH forwarding.

• My take: Skip the binary, keep the technique. My tools handle dynamic port forwarding over existing protocol streams so you can hit that internal API without setting up a VPN.

3. The "Busybox" Approach (Borrowed from static-binaries4) You cannot rely on apt or yum inside a scratch container. It just won't work.

• My take: I'm adopting the "drop one file" philosophy. My upcoming release includes statically compiled versions of essential debugging tools like socat and tcpdump. No dependencies. No libraries. Just drop it in and it runs.

crashcart-ng

We ignore the security community at our peril. They've spent twenty years figuring out how to operate reliably in hostile environments.

I'm putting these theories into practice right now. I've started a new project called crashcart-ng.

You can see the work in progress here: https://github.com/ryancnelson/crashcart-ng

It is early days. But the goal is to take the lessons from the "gonzo-sysops" era and wrap them in something you can actually commit to a corporate repo. Even if you don't have root.

There is a joke up there about "stealing." It was subtle. My next post will be the deep dive into that repo. Don't say I didn't warn you.

References

  1. Living off the Land (LotL): A technique where attackers use legitimate, pre-installed tools (like PowerShell, WMI, or Bash) to conduct operations, blending in with normal system activity. (There's a joke here somewhere about frontier-model → homesteaders → living-off-the-land, but my welbutrin hasn't kicked in yet today.)
  2. pwncat-cs: (github.com/calebstewart/pwncat) A fancy proxy that sits between you and the raw shell. It auto-stabilizes the shell, gives you a PTY, and handles file upload/download via magic bytes.
  3. chisel: (github.com/jpillora/chisel) A fast TCP/UDP tunnel over HTTP. Much more robust than ssh -D. Allows you to punch a VPN-like hole through a single HTTP/SSH connection.
  4. static-binaries: (github.com/andrew-d/static-binaries) Collections of tools (socat, nmap, tcpdump) compiled statically to run on any system without dependencies.