Obfuscating Shell Scripts

Submitted on August 1, 2018 – 4:04 pm

A Unix shell script is run by the command-line interpreter and, as such, can be read and understood by anyone with sufficient access and experience. Sometimes this is not a good thing. Sometimes you want people and applications to be able to run the script but not necessarily look under its hood.

Various obfuscation techniques for Unix shell scripts go back decades. The methods include replacing variable names with odd-looking strings; removing or adding spaces and comments; inserting bogus functions that do nothing; replacing Latin letters with international or extended characters.
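
As an added example (not from the original post or from any tool it names), the shell function below counts the traces these techniques leave in a script: missing comments, very long lines, extended characters, functions that are defined but never called, and vowel-less variable names. The heuristics, the thresholds and the names obf_indicators and sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: count traces of the obfuscation techniques listed above.
# Heuristics and thresholds are assumptions; they triage, they do not prove intent.
obf_indicators() {
    # Extended/international characters: bytes outside 7-bit ASCII.
    nonascii=$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')
    LC_ALL=C awk -v nonascii="$nonascii" '
        NR == 1 && /^#!/ { next }              # the shebang is not a comment
        /^[ \t]*#/       { comments++; next }
        /^[ \t]*$/       { next }
        {
            code++
            if (length($0) > 200) longlines++  # newlines and spaces stripped
            # Function definitions: "function name" or "name()".
            if ($1 == "function" && NF > 1) {
                d = $2; sub(/\(.*/, "", d); defs[d] = 1
            } else if (match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)/)) {
                d = substr($0, RSTART, RLENGTH); gsub(/[ \t()]/, "", d); defs[d] = 1
            }
            # Count every identifier so functions that are never called stand out.
            n = split($0, tok, /[^A-Za-z0-9_]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") seen[tok[i]]++
            # Collect assigned variable names.
            rest = $0
            while (match(rest, /[A-Za-z_][A-Za-z0-9_]*=/)) {
                vars[substr(rest, RSTART, RLENGTH - 1)] = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END {
            for (d in defs) if (seen[d] == 1) unused++      # bogus functions
            for (v in vars) if (length(v) >= 6 && v !~ /[aeiouAEIOU]/) odd++
            printf "comments=%d code_lines=%d long_lines=%d ", comments, code, longlines
            printf "nonascii_bytes=%d uncalled_functions=%d odd_variables=%d\n", nonascii, unused, odd
        }' "$1"
}

# Constructed sample input, not the output of any tool named in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
xq7zrtk9=$1
_wvbn3m() { :; }
zzq9() { echo "$1"; }
if [[ $xq7zrtk9 =~ ^-?[0-9]+$ ]]; then zzq9 "integer"; else zzq9 "not an integer"; fi
EOF
obf_indicators "$sample"
```

On the constructed sample this reports no comments, one function that is never called and one odd variable name; a script joined onto a single line hides function definitions from the line-anchored match, so the long-line count is the signal to read there.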

This by no means truly conceals a script’s nature, but obfuscation can render the script nearly indecipherable. This is especially true for more complex scripts. Here are some of the script obfuscation tools you can use.

The good old obfsh you can get from here. Just run obfsh -h to see a summary of available options. You can add this convenient alias to your .bashrc so you don’t have to remember those options:

Consider this simple script that tells you if the argument is a positive or negative integer (or not an integer at all):

And here’s the obfuscated version using the alias set above:

Not terribly confusing, but better than nothing.

Another option that produces a somewhat more confusing output is the bash-obfuscate Node.js CLI utility. You can check it out here. Here’s what it does to the script from the previous example:

The result is much better, but still fairly easy to figure out and reverse:

Perhaps the best option I’ve found so far is the shell compiler. Here’s a quick example:

To an extent, this can even be used to obfuscate a password inside the compiled script. For example, if you run strings testbin | grep test you will see nothing. Having said that, there is a better way to hide passwords in interactive scripts using gpg.

One Comment »

  • Ed says:

    “The result is much better, but still fairly easy to figure out and reverse:”
    So how to reverse this? Some files I was analyzing had a similar script running, but haven't figured out how to decrypt it and see what is actually happening.
