htshells
htshells is a comprehensive web shell analysis and detection framework that helps security professionals identify, analyze, and remediate web-based backdoors and shells. It includes signature-based detection, behavioral analysis, and a collection of known web shell samples for testing and comparison during incident response.
Installation
섹션 제목: “Installation”# Kali Linux (pre-installed)
htshells --version
# Manual installation
sudo apt-get update
sudo apt-get install htshells
# From GitHub
git clone https://github.com/kalilinux/htshells.git
cd htshells
pip3 install -r requirements.txt
sudo python3 setup.py install
# Verify installation
which htshells
htshells --helpWeb Shell Database
섹션 제목: “Web Shell Database”Shell Repository Access
섹션 제목: “Shell Repository Access”# List available web shells
htshells --list
# Show PHP shells
htshells --list --type php
# Show ASP/ASPX shells
htshells --list --type asp
# Show JSP shells
htshells --list --type jsp
# Show Python shells
htshells --list --type python
# Show shell properties
htshells --list --verboseShell Categories
섹션 제목: “Shell Categories”| Type | Description |
|---|---|
php | PHP web shells (most common) |
asp | Classic ASP shells |
aspx | ASP.NET shells |
jsp | JavaServer Pages shells |
cgi | CGI-based shells |
perl | Perl-based shells |
python | Python-based shells |
shell | Generic shell implementations |
Shell Search and Analysis
섹션 제목: “Shell Search and Analysis”Finding Shells
섹션 제목: “Finding Shells”# Search for shell by name
htshells --search "shell1"
# Find shells with specific features
htshells --search --feature "command-execution"
# Search by author/source
htshells --search --source "Github"
# Find shells supporting specific languages
htshells --search --language php
# Find minimal shells
htshells --list --minimal
# Find advanced shells
htshells --list --advancedDetailed Shell Information
섹션 제목: “Detailed Shell Information”# Get shell details
htshells --info "c99"
# Show shell source code
htshells --show-source "c99"
# Display shell capabilities
htshells --capabilities "weevely"
# Show shell dependencies
htshells --dependencies "shell1"
# View shell detections
htshells --detections "c99"Detection and Scanning
섹션 제목: “Detection and Scanning”File-Based Detection
섹션 제목: “File-Based Detection”# Scan file for known shells
htshells --scan suspicious.php
# Scan multiple files
htshells --scan *.php
# Recursive directory scan
htshells --scan-recursive /var/www/html
# Detailed scan output
htshells --scan-verbose suspicious.php
# Generate detection report
htshells --scan /var/www --report scan_report.htmlSignature-Based Detection
섹션 제목: “Signature-Based Detection”# Use default signature set
htshells --scan --signatures default suspicious.php
# Use aggressive signatures
htshells --scan --signatures aggressive suspicious.php
# Custom signature file
htshells --scan --signatures custom.sig suspicious.php
# Show matched signatures
htshells --scan --show-signatures suspicious.php
# List available signature sets
htshells --list-signaturesBehavioral Analysis
섹션 제목: “Behavioral Analysis”# Analyze file behavior
htshells --analyze suspicious.php
# Check for suspicious functions
htshells --analyze --check-functions suspicious.php
# Examine variable usage
htshells --analyze --variables suspicious.php
# Analyze code patterns
htshells --analyze --patterns suspicious.php
# Full behavioral report
htshells --analyze --verbose suspicious.phpWeb Server Scanning
섹션 제목: “Web Server Scanning”Directory Scanning
섹션 제목: “Directory Scanning”# Scan web directory for shells
htshells --scan-directory /var/www/html
# Scan with pattern matching
htshells --scan-directory /var/www --pattern "*.php"
# Deep recursive scan
htshells --scan-directory / --recursive --depth 10
# Exclude directories
htshells --scan-directory /var/www --exclude "/vendor,/node_modules"
# Generate XML report
htshells --scan-directory /var/www --output xml > findings.xmlNetwork-Based Detection
섹션 제목: “Network-Based Detection”# Scan web server for shells
htshells --scan-url http://target.com
# Scan with authentication
htshells --scan-url http://target.com --auth "user:pass"
# Recursive site crawl
htshells --scan-url http://target.com --crawl
# Scan specific paths
htshells --scan-url http://target.com/admin http://target.com/uploads
# Time-bounded scan
htshells --scan-url http://target.com --timeout 30Detection Workflows
섹션 제목: “Detection Workflows”Post-Compromise Investigation
섹션 제목: “Post-Compromise Investigation”# 1. Scan web directory for shells
htshells --scan-directory /var/www/html --recursive
# 2. Analyze suspicious files
htshells --analyze suspicious_file.php
# 3. Check for known shell signatures
htshells --scan suspicious_file.php --show-signatures
# 4. Generate detailed report
htshells --scan-directory /var/www --report incident_report.html
# 5. Export findings
htshells --scan-directory /var/www --output json > compromised_files.jsonIncident Response Procedures
섹션 제목: “Incident Response Procedures”#!/bin/bash
# Comprehensive web shell incident response
echo "[*] Web Shell Incident Response Script"
echo "[*] Scanning for web shells..."
# Scan all PHP files
echo "[*] Scanning PHP files..."
htshells --scan-directory /var/www --pattern "*.php" > php_scan.txt
# Scan for suspicious patterns
echo "[*] Analyzing file content..."
grep -r "shell_exec\|passthru\|system\|eval" /var/www/html > suspicious_functions.txt
# Generate timeline
echo "[*] Creating modification timeline..."
find /var/www/html -type f -mtime -7 | xargs ls -lt > recent_files.txt
# Create forensic package
echo "[*] Creating forensic package..."
tar czf web_shell_forensics_$(date +%s).tar.gz \
php_scan.txt suspicious_functions.txt recent_files.txt
echo "[*] Investigation complete"Shell Type Analysis
섹션 제목: “Shell Type Analysis”PHP Web Shell Detection
섹션 제목: “PHP Web Shell Detection”# Scan for PHP shells specifically
htshells --scan --type php *.php
# Check for eval() usage
grep -r "eval(" /var/www/html
# Find variable evaluation
grep -r "preg_replace.*\/e" /var/www/html
# Search for suspicious includes
grep -r "include.*\$_" /var/www/html
# Detect obfuscated code
htshells --analyze --check-obfuscation suspicious.phpASP/ASPX Shell Detection
섹션 제목: “ASP/ASPX Shell Detection”# Scan for ASP shells
htshells --scan --type asp *.asp
# Find dangerous Server methods
grep -r "CreateObject\|Server.Execute" /var/www
# Check for shell patterns
grep -r "<%.*@LANGUAGE" /var/www
# Detect ASPX backdoors
htshells --scan --type aspx /var/wwwJSP Shell Detection
섹션 제목: “JSP Shell Detection”# Scan for JSP shells
htshells --scan --type jsp *.jsp
# Find Runtime.exec() calls
grep -r "Runtime.getRuntime().exec" /var/www
# Check for JSP compilation artifacts
grep -r "pageContext.servletContext" /var/www
# Scan application directory
htshells --scan-directory /var/lib/tomcat/webapps --type jspAdvanced Analysis Techniques
섹션 제목: “Advanced Analysis Techniques”Code Obfuscation Detection
섹션 제목: “Code Obfuscation Detection”# Detect base64 encoded content
htshells --analyze --check-obfuscation suspicious.php
# Find hex-encoded strings
grep -r "\\\\x" /var/www/html | head -20
# Identify gzip compression
file /var/www/html/suspicious.php
# Analyze variable reuse
htshells --analyze --variables suspicious.php
# Check for comment hiding
grep -r "/*\|*/" /var/www/html | grep -v "normal" | head -20Function Auditing
섹션 제목: “Function Auditing”# List dangerous functions used
htshells --analyze --dangerous-functions suspicious.php
# Map system calls
grep -r "system\|exec\|passthru\|shell_exec" /var/www
# Track variable sources
htshells --analyze --taint-analysis suspicious.php
# Follow execution flow
htshells --analyze --control-flow suspicious.php
# Identify callback usage
grep -r "call_user_func\|array_walk" /var/wwwOutput and Reporting
섹션 제목: “Output and Reporting”Report Generation
섹션 제목: “Report Generation”# Generate HTML report
htshells --scan-directory /var/www --report output.html
# Create JSON report
htshells --scan-directory /var/www --output json > findings.json
# Generate CSV results
htshells --scan-directory /var/www --output csv > findings.csv
# Create detailed text report
htshells --scan-directory /var/www --verbose > detailed_report.txt
# Include statistics
htshells --scan-directory /var/www --statistics > stats_report.txtData Processing
섹션 제목: “Data Processing”# Parse JSON results
jq '.findings[] | {file: .filename, risk: .risk_level}' findings.json
# Filter high-risk findings
jq '.findings[] | select(.risk_level == "critical")' findings.json
# Generate summary
jq '.findings | length' findings.json
# Create timeline
jq -r '.findings[] | .path + " - " + .detection_date' findings.json
# Export for external tools
jq -r '.findings[].path' findings.json > remediation_list.txtRemediation Workflows
섹션 제목: “Remediation Workflows”Identified Shell Removal
섹션 제목: “Identified Shell Removal”#!/bin/bash
# Safe shell removal workflow
# 1. Backup identified files
mkdir -p ./backups
while read shellfile; do
cp "$shellfile" "./backups/$(basename $shellfile).bak"
echo "[+] Backed up: $shellfile"
done < identified_shells.txt
# 2. Remove shells
while read shellfile; do
rm "$shellfile"
echo "[+] Removed: $shellfile"
done < identified_shells.txt
# 3. Verify removal
echo "[*] Verification scan..."
htshells --scan-directory /var/www --report post_removal.html
# 4. Generate remediation report
echo "Remediation Report: $(date)" > remediation_report.txt
echo "Files removed: $(wc -l < identified_shells.txt)" >> remediation_report.txtWeb Application Hardening
섹션 제목: “Web Application Hardening”#!/bin/bash
# Post-incident web application hardening
echo "[*] Implementing security controls..."
# 1. Disable dangerous functions
cat > /etc/php.ini << EOF
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
EOF
# 2. Restrict file permissions
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -name "uploads" -type d -exec chmod 750 {} \;
# 3. Remove write permissions on sensitive files
chmod 444 /var/www/html/config.php
# 4. Set appropriate ownership
chown -R www-data:www-data /var/www/html
echo "[+] Hardening complete"Batch Processing
섹션 제목: “Batch Processing”Scan Multiple Sites
섹션 제목: “Scan Multiple Sites”#!/bin/bash
# Scan multiple web applications
sites=(
"/var/www/app1"
"/var/www/app2"
"/var/lib/tomcat/webapps"
"/home/user/public_html"
)
for site in "${sites[@]}"; do
if [ -d "$site" ]; then
echo "[*] Scanning: $site"
htshells --scan-directory "$site" \
--output json \
-o "${site##*/}_scan.json"
fi
done
# Combine results
echo "[*] Generating consolidated report..."
jq -s 'add' *_scan.json > consolidated_findings.jsonAutomated Daily Scanning
섹션 제목: “Automated Daily Scanning”#!/bin/bash
# Daily web shell detection cron job
# Scan configuration
SCAN_DIR="/var/www"
LOG_DIR="/var/log/htshells"
REPORT_DATE=$(date +%Y%m%d)
# Create log directory
mkdir -p "$LOG_DIR"
# Perform scan
htshells --scan-directory "$SCAN_DIR" \
--recursive \
--report "$LOG_DIR/scan_${REPORT_DATE}.html" \
--output json > "$LOG_DIR/scan_${REPORT_DATE}.json"
# Check for findings
FINDINGS=$(jq '.findings | length' "$LOG_DIR/scan_${REPORT_DATE}.json")
if [ "$FINDINGS" -gt 0 ]; then
echo "ALERT: $FINDINGS web shells detected on $REPORT_DATE" | \
mail -s "Web Shell Detection Alert" admin@example.com
fiIntegration with Other Tools
섹션 제목: “Integration with Other Tools”Network Monitoring Integration
섹션 제목: “Network Monitoring Integration”# Scan files uploaded in last 24 hours
find /var/www/uploads -mtime -1 -type f | while read file; do
htshells --scan "$file"
done
# Monitor file system changes
inotifywait -m -e close_write /var/www/html | while read path action file; do
htshells --scan "$path$file"
doneSIEM Integration
섹션 제목: “SIEM Integration”#!/bin/bash
# Send findings to SIEM
htshells --scan-directory /var/www --output json | \
jq '.findings[]' | \
while read finding; do
# Send to SIEM
curl -X POST http://siem.example.com/api/events \
-H "Content-Type: application/json" \
-d "$finding"
doneCommon Web Shells
섹션 제목: “Common Web Shells”| Shell | Type | Features |
|---|---|---|
| C99 | PHP | Full features, obfuscated |
| r57 | PHP | File manager, database tools |
| Weevely | Python | Stealth, evasion techniques |
| WSO | PHP | Backdoor, server info |
| China Chopper | ASP/PHP | Command execution, upload |
| Aspxrar | ASPX | RAR extraction, file handling |
| JBoss Invoke | JSP | Unsafe reflection, RCE |
Troubleshooting
섹션 제목: “Troubleshooting”# Permission denied on scan
sudo htshells --scan-directory /var/www
# Timeout on large directory
htshells --scan-directory /var/www --timeout 300
# Memory issues
htshells --scan-directory /var/www --batch-size 100
# Encoding problems
file suspicious.php # Check file type
iconv -f ISO-8859-1 -t UTF-8 suspicious.php > suspicious_utf8.php
# False positives
htshells --scan suspicious.php --analyze --verboseDetection Evasion Awareness
섹션 제목: “Detection Evasion Awareness”# Understand encoding techniques
htshells --analyze --check-obfuscation encoded_shell.php
# Detect polyglot shells
file suspicious.php suspicious.jpg
# Find packed archives
7z l suspicious.zip
# Analyze suspicious archives
unzip -l suspicious.zipBest Practices
섹션 제목: “Best Practices”- Regularly scan production web servers
- Maintain baseline of legitimate files
- Monitor for unexpected file modifications
- Disable dangerous PHP functions
- Implement proper access controls
- Use Web Application Firewalls (WAF)
- Keep backup copies of findings
- Document all detection and remediation
- Perform post-incident hardening
- Establish incident response procedures
Tips for Detection
섹션 제목: “Tips for Detection”- Monitor uploads directories closely
- Check recently modified files
- Scan after reported compromises
- Use multiple detection techniques
- Cross-validate findings
- Maintain audit logs
- Implement file integrity monitoring
- Test detection with known samples
htshells is critical for detecting and responding to web-based compromises, helping security teams identify backdoors and shells during incident investigations.