OffShell – Xonsh-Powered Framework to Build Shells Designed with Pentesting in Mind.


This project includes tools to build portable images of a Python shell (powered by xonsh and with xxh support) intended for pentesting and bug bounties (among other ethical hacking purposes).

It includes an easy way to build custom AppImages with a portable shell (that can run on Linux, Unix, Windows and other OSes without any trouble) that supports Python syntax and may include additional tools.

This image is intended to be used along with the xxh project, so you can extend its functionality over the network using SSH connections. For example: you could connect to an old Solaris machine using xxh and easily run your portable image with all your plugins, configurations and additionally installed tools.

Built With

  • Xonsh – Python-powered shell.
  • xxh – Bring your favorite shell wherever you go through the ssh.

Compatible with

  • Wazuh – The Open Source Security Platform: Wazuh is a tool that can be used to gather, decode and analyze logs. Offshell can be integrated with Wazuh by sending the logs generated by our history backend plugin to Wazuh to be analyzed and indexed into a search engine such as Elasticsearch (or OpenSearch, soon). Also, Wazuh can analyze the received logs and generate alerts based on some pre-defined rules for interesting security events such as detected vulnerabilities or privilege escalations.

Getting Started


You do not need to install Xonsh; just download the latest built AppImage and make it executable to run the shell.

Download Xonsh:

sudo wget -O /bin/xonsh
sudo chmod a+x /bin/xonsh

The appimage includes the xxh package but not the configuration file. You should also download the configuration file for xonsh:

curl -o ~/.xonshrc
mkdir -p ~/.config/xxh/
curl -o ~/.config/xxh/config.xxhc

Make it default

Optionally, you could make this your default shell by running:

# echo "/bin/xonsh" >> /etc/shells
# chsh -s /bin/xonsh

Log data collection

After running the shell, the OffShell syslog data collection plugin is enabled. Run the following command for more information:

history info

Integration with Wazuh

To integrate this with Wazuh, you need a Wazuh Manager server running on another machine. Then install the Wazuh agent on your server by following this guide:

Check (among other things) your syslog filename. Mark that file for analysis in the Wazuh configuration using a block like this one:


After adding that block to your ossec.conf file, if your agent is correctly connected to a Wazuh manager, it will start sending information about executed commands to your server, which will index it into an Elasticsearch index.

Finally, you would need to add the rules and decoders from to /var/ossec/etc/rules and /var/ossec/etc/decoders/
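
What a rule over these history records does, as an added Python example that is not OffShell's or Wazuh's own code: it picks shell-history records out of syslog and flags commands that change privileges. The record layout, the rule names and the sample lines are assumptions constructed for illustration; the real format comes from the history backend plugin and the project's decoders.

```python
import re
import shlex

# Assumed record layout (constructed here, not OffShell's documented format):
#   <syslog timestamp> <host> offshell[<pid>]: user=<u> cwd=<dir> cmd=<command>
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\soffshell\[\d+\]:\s"
    r"user=(?P<user>\S+)\scwd=\S+\scmd=(?P<cmd>.*)$"
)
PRIV_BINARIES = {"sudo", "su", "doas", "pkexec"}  # hypothetical rule set


def classify(cmd):
    """Return a rule name when a command changes or grants privileges."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command
        argv = cmd.split()
    if not argv:
        return None
    name = argv[0].rsplit("/", 1)[-1]  # /usr/bin/sudo -> sudo
    if name in PRIV_BINARIES:
        return "privilege_change"
    if name == "chmod":
        modes = [a for a in argv[1:] if not a.startswith("-")]  # skip -R etc.
        mode = modes[0] if modes else ""
        octal_special = re.fullmatch(r"[0-7]{4}", mode) and int(mode[0]) & 6
        symbolic_special = re.search(r"\+[rwxXt]*s", mode)
        if octal_special or symbolic_special:
            return "setuid_setgid_bit"
    return None


def scan(lines):
    """Return one alert dict per history record that matches a rule."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)  # lines from other programs do not match
        if m and (rule := classify(m["cmd"])):
            alerts.append({"rule": rule, "user": m["user"], "cmd": m["cmd"]})
    return alerts


SAMPLE = [  # constructed log lines
    "Mar  3 10:15:09 kali offshell[4242]: user=alice cwd=/home/alice cmd=sudo -l",
    "Mar  3 10:16:30 kali offshell[4242]: user=alice cwd=/tmp cmd=chmod 4755 ./helper",
    "Mar  3 10:16:41 kali sshd[911]: Accepted publickey for alice from 10.0.0.5",
    "Mar  3 10:17:02 kali offshell[4242]: user=alice cwd=/tmp cmd=chmod u+x run.sh",
]
```

Calling `scan(SAMPLE)` returns two alerts: the `sudo -l` record and the `chmod 4755` record. The sshd line and the plain `chmod u+x` are ignored.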


You can modify this project and build your own AppImages using the tools included in the build_appimage directory.

For example, to include more Python dependencies in the AppImage you only need to modify the pre-requirements.txt file.

You could also modify the xonsh/xxh configuration file to add functionalities, plugins, aliases, etc.

