htshells

htshells is a comprehensive web shell analysis and detection framework that helps security professionals identify, analyze, and remediate web-based backdoors and shells. It includes signature-based detection, behavioral analysis, and a collection of known web shell samples for testing and comparison during incident response.

Installation

# Kali Linux (pre-installed)
htshells --version

# Manual installation
sudo apt-get update
sudo apt-get install htshells

# From GitHub
git clone https://github.com/kalilinux/htshells.git
cd htshells
pip3 install -r requirements.txt
sudo python3 setup.py install

# Verify installation
which htshells
htshells --help

Web Shell Database

Shell Repository Access

# List available web shells
htshells --list

# Show PHP shells
htshells --list --type php

# Show ASP/ASPX shells
htshells --list --type asp

# Show JSP shells
htshells --list --type jsp

# Show Python shells
htshells --list --type python

# Show shell properties
htshells --list --verbose

Shell Categories

Type	Description
php	PHP web shells (most common)
asp	Classic ASP shells
aspx	ASP.NET shells
jsp	JavaServer Pages shells
cgi	CGI-based shells
perl	Perl-based shells
python	Python-based shells
shell	Generic shell implementations

Shell Search and Analysis

Finding Shells

# Search for shell by name
htshells --search "shell1"

# Find shells with specific features
htshells --search --feature "command-execution"

# Search by author/source
htshells --search --source "Github"

# Find shells supporting specific languages
htshells --search --language php

# Find minimal shells
htshells --list --minimal

# Find advanced shells
htshells --list --advanced

Detailed Shell Information

# Get shell details
htshells --info "c99"

# Show shell source code
htshells --show-source "c99"

# Display shell capabilities
htshells --capabilities "weevely"

# Show shell dependencies
htshells --dependencies "shell1"

# View shell detections
htshells --detections "c99"

Detection and Scanning

File-Based Detection

# Scan file for known shells
htshells --scan suspicious.php

# Scan multiple files
htshells --scan *.php

# Recursive directory scan
htshells --scan-recursive /var/www/html

# Detailed scan output
htshells --scan-verbose suspicious.php

# Generate detection report
htshells --scan /var/www --report scan_report.html

Signature-Based Detection

# Use default signature set
htshells --scan --signatures default suspicious.php

# Use aggressive signatures
htshells --scan --signatures aggressive suspicious.php

# Custom signature file
htshells --scan --signatures custom.sig suspicious.php

# Show matched signatures
htshells --scan --show-signatures suspicious.php

# List available signature sets
htshells --list-signatures

Behavioral Analysis

# Analyze file behavior
htshells --analyze suspicious.php

# Check for suspicious functions
htshells --analyze --check-functions suspicious.php

# Examine variable usage
htshells --analyze --variables suspicious.php

# Analyze code patterns
htshells --analyze --patterns suspicious.php

# Full behavioral report
htshells --analyze --verbose suspicious.php

Web Server Scanning

Directory Scanning

# Scan web directory for shells
htshells --scan-directory /var/www/html

# Scan with pattern matching
htshells --scan-directory /var/www --pattern "*.php"

# Deep recursive scan
htshells --scan-directory / --recursive --depth 10

# Exclude directories
htshells --scan-directory /var/www --exclude "/vendor,/node_modules"

# Generate XML report
htshells --scan-directory /var/www --output xml > findings.xml

Network-Based Detection

# Scan web server for shells
htshells --scan-url http://target.com

# Scan with authentication
htshells --scan-url http://target.com --auth "user:pass"

# Recursive site crawl
htshells --scan-url http://target.com --crawl

# Scan specific paths
htshells --scan-url http://target.com/admin http://target.com/uploads

# Time-bounded scan
htshells --scan-url http://target.com --timeout 30

Detection Workflows

Post-Compromise Investigation

# 1. Scan web directory for shells
htshells --scan-directory /var/www/html --recursive

# 2. Analyze suspicious files
htshells --analyze suspicious_file.php

# 3. Check for known shell signatures
htshells --scan suspicious_file.php --show-signatures

# 4. Generate detailed report
htshells --scan-directory /var/www --report incident_report.html

# 5. Export findings
htshells --scan-directory /var/www --output json > compromised_files.json

Incident Response Procedures

#!/bin/bash
# Comprehensive web shell incident response

echo "[*] Web Shell Incident Response Script"
echo "[*] Scanning for web shells..."

# Scan all PHP files
echo "[*] Scanning PHP files..."
htshells --scan-directory /var/www --pattern "*.php" > php_scan.txt

# Scan for suspicious patterns
echo "[*] Analyzing file content..."
grep -r "shell_exec\|passthru\|system\|eval" /var/www/html > suspicious_functions.txt

# Generate timeline
echo "[*] Creating modification timeline..."
find /var/www/html -type f -mtime -7 | xargs ls -lt > recent_files.txt

# Create forensic package
echo "[*] Creating forensic package..."
tar czf web_shell_forensics_$(date +%s).tar.gz \
    php_scan.txt suspicious_functions.txt recent_files.txt

echo "[*] Investigation complete"

Shell Type Analysis

PHP Web Shell Detection

# Scan for PHP shells specifically
htshells --scan --type php *.php

# Check for eval() usage
grep -r "eval(" /var/www/html

# Find variable evaluation
grep -r "preg_replace.*\/e" /var/www/html

# Search for suspicious includes
grep -r "include.*\$_" /var/www/html

# Detect obfuscated code
htshells --analyze --check-obfuscation suspicious.php

ASP/ASPX Shell Detection

# Scan for ASP shells
htshells --scan --type asp *.asp

# Find dangerous Server methods
grep -r "CreateObject\|Server.Execute" /var/www

# Check for shell patterns
grep -r "<%.*@LANGUAGE" /var/www

# Detect ASPX backdoors
htshells --scan --type aspx /var/www

JSP Shell Detection

# Scan for JSP shells
htshells --scan --type jsp *.jsp

# Find Runtime.exec() calls
grep -r "Runtime.getRuntime().exec" /var/www

# Check for JSP compilation artifacts
grep -r "pageContext.servletContext" /var/www

# Scan application directory
htshells --scan-directory /var/lib/tomcat/webapps --type jsp

Advanced Analysis Techniques

Code Obfuscation Detection

# Detect base64 encoded content
htshells --analyze --check-obfuscation suspicious.php

# Find hex-encoded strings
grep -r "\\\\x" /var/www/html | head -20

# Identify gzip compression
file /var/www/html/suspicious.php

# Analyze variable reuse
htshells --analyze --variables suspicious.php

# Check for comment hiding
grep -r "/*\|*/" /var/www/html | grep -v "normal" | head -20

Function Auditing

# List dangerous functions used
htshells --analyze --dangerous-functions suspicious.php

# Map system calls
grep -r "system\|exec\|passthru\|shell_exec" /var/www

# Track variable sources
htshells --analyze --taint-analysis suspicious.php

# Follow execution flow
htshells --analyze --control-flow suspicious.php

# Identify callback usage
grep -r "call_user_func\|array_walk" /var/www

Output and Reporting

Report Generation

# Generate HTML report
htshells --scan-directory /var/www --report output.html

# Create JSON report
htshells --scan-directory /var/www --output json > findings.json

# Generate CSV results
htshells --scan-directory /var/www --output csv > findings.csv

# Create detailed text report
htshells --scan-directory /var/www --verbose > detailed_report.txt

# Include statistics
htshells --scan-directory /var/www --statistics > stats_report.txt

Data Processing

# Parse JSON results
jq '.findings[] | {file: .filename, risk: .risk_level}' findings.json

# Filter high-risk findings
jq '.findings[] | select(.risk_level == "critical")' findings.json

# Generate summary
jq '.findings | length' findings.json

# Create timeline
jq -r '.findings[] | .path + " - " + .detection_date' findings.json

# Export for external tools
jq -r '.findings[].path' findings.json > remediation_list.txt

Remediation Workflows

Identified Shell Removal

#!/bin/bash
# Safe shell removal workflow

# 1. Backup identified files
mkdir -p ./backups
while read shellfile; do
    cp "$shellfile" "./backups/$(basename $shellfile).bak"
    echo "[+] Backed up: $shellfile"
done < identified_shells.txt

# 2. Remove shells
while read shellfile; do
    rm "$shellfile"
    echo "[+] Removed: $shellfile"
done < identified_shells.txt

# 3. Verify removal
echo "[*] Verification scan..."
htshells --scan-directory /var/www --report post_removal.html

# 4. Generate remediation report
echo "Remediation Report: $(date)" > remediation_report.txt
echo "Files removed: $(wc -l < identified_shells.txt)" >> remediation_report.txt

Web Application Hardening

#!/bin/bash
# Post-incident web application hardening

echo "[*] Implementing security controls..."

# 1. Disable dangerous functions
cat > /etc/php.ini << EOF
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
EOF

# 2. Restrict file permissions
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -name "uploads" -type d -exec chmod 750 {} \;

# 3. Remove write permissions on sensitive files
chmod 444 /var/www/html/config.php

# 4. Set appropriate ownership
chown -R www-data:www-data /var/www/html

echo "[+] Hardening complete"

Batch Processing

Scan Multiple Sites

#!/bin/bash
# Scan multiple web applications

sites=(
    "/var/www/app1"
    "/var/www/app2"
    "/var/lib/tomcat/webapps"
    "/home/user/public_html"
)

for site in "${sites[@]}"; do
    if [ -d "$site" ]; then
        echo "[*] Scanning: $site"
        htshells --scan-directory "$site" \
            --output json \
            -o "${site##*/}_scan.json"
    fi
done

# Combine results
echo "[*] Generating consolidated report..."
jq -s 'add' *_scan.json > consolidated_findings.json

Automated Daily Scanning

#!/bin/bash
# Daily web shell detection cron job

# Scan configuration
SCAN_DIR="/var/www"
LOG_DIR="/var/log/htshells"
REPORT_DATE=$(date +%Y%m%d)

# Create log directory
mkdir -p "$LOG_DIR"

# Perform scan
htshells --scan-directory "$SCAN_DIR" \
    --recursive \
    --report "$LOG_DIR/scan_${REPORT_DATE}.html" \
    --output json > "$LOG_DIR/scan_${REPORT_DATE}.json"

# Check for findings
FINDINGS=$(jq '.findings | length' "$LOG_DIR/scan_${REPORT_DATE}.json")

if [ "$FINDINGS" -gt 0 ]; then
    echo "ALERT: $FINDINGS web shells detected on $REPORT_DATE" | \
        mail -s "Web Shell Detection Alert" admin@example.com
fi

Integration with Other Tools

Network Monitoring Integration

# Scan files uploaded in last 24 hours
find /var/www/uploads -mtime -1 -type f | while read file; do
    htshells --scan "$file"
done

# Monitor file system changes
inotifywait -m -e close_write /var/www/html | while read path action file; do
    htshells --scan "$path$file"
done

SIEM Integration

#!/bin/bash
# Send findings to SIEM

htshells --scan-directory /var/www --output json | \
    jq '.findings[]' | \
    while read finding; do
        # Send to SIEM
        curl -X POST http://siem.example.com/api/events \
            -H "Content-Type: application/json" \
            -d "$finding"
    done

Common Web Shells

Shell	Type	Features
C99	PHP	Full features, obfuscated
r57	PHP	File manager, database tools
Weevely	Python	Stealth, evasion techniques
WSO	PHP	Backdoor, server info
China Chopper	ASP/PHP	Command execution, upload
Aspxrar	ASPX	RAR extraction, file handling
JBoss Invoke	JSP	Unsafe reflection, RCE

Troubleshooting

# Permission denied on scan
sudo htshells --scan-directory /var/www

# Timeout on large directory
htshells --scan-directory /var/www --timeout 300

# Memory issues
htshells --scan-directory /var/www --batch-size 100

# Encoding problems
file suspicious.php  # Check file type
iconv -f ISO-8859-1 -t UTF-8 suspicious.php > suspicious_utf8.php

# False positives
htshells --scan suspicious.php --analyze --verbose

Detection Evasion Awareness

# Understand encoding techniques
htshells --analyze --check-obfuscation encoded_shell.php

# Detect polyglot shells
file suspicious.php suspicious.jpg

# Find packed archives
7z l suspicious.zip

# Analyze suspicious archives
unzip -l suspicious.zip

Best Practices

1. Regularly scan production web servers
2. Maintain baseline of legitimate files
3. Monitor for unexpected file modifications
4. Disable dangerous PHP functions
5. Implement proper access controls
6. Use Web Application Firewalls (WAF)
7. Keep backup copies of findings
8. Document all detection and remediation
9. Perform post-incident hardening
10. Establish incident response procedures

Tips for Detection

• Monitor uploads directories closely
• Check recently modified files
• Scan after reported compromises
• Use multiple detection techniques
• Cross-validate findings
• Maintain audit logs
• Implement file integrity monitoring
• Test detection with known samples

htshells is critical for detecting and responding to web-based compromises, helping security teams identify backdoors and shells during incident investigations.