

ShellSweep - PowerShell/Python/Lua Tool Designed To Detect Potential Webshell Files In A Specified Directory


News category: IT Security News
Source: kitploit.com

Tags: Aspx, Encryption, Entropy, Hashes, Malware, Obfuscation, PowerShell, Processes, Scan, Scanning, Scripts, Toolbox, ShellSweep




ShellSweep - ShellSweeping the evil.






ShellSweep

ShellSweeping the evil

Why ShellSweep

"ShellSweep" is a PowerShell/Python/Lua tool designed to detect potential webshell files in a specified directory.

ShellSweep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of the encrypted or obfuscated code often found in webshells.

  • It only processes files with certain extensions (.asp, .aspx, .asph, .php, .jsp), which are commonly used in webshells.
  • Certain directories can be excluded from scanning.
  • Files with certain hashes can be ignored during the scan.


How does ShellSweep find the shells?

Entropy, in the context of information theory or data science, is a measure of the unpredictability, randomness, or disorder in a set of data. The concept was introduced by Claude Shannon in his 1948 paper "A Mathematical Theory of Communication".

When applied to a file or a string of text, entropy can help assess the randomness of the data. Here's how it works: If a file consists of completely random data (each byte is just as likely to be any value between 0 and 255), the entropy is high, close to 8 (since log2(256) = 8).

If a file consists of highly structured data (for example, a text file where most bytes are ASCII characters), the entropy is lower. In the context of finding webshells or malicious files, entropy can be a useful indicator:

  • Many obfuscated scripts or encrypted payloads can have high entropy because the obfuscation or encryption process makes the data look random.
  • A normal text file or HTML file would generally have lower entropy because human-readable text has patterns and structure (certain letters are more common, words are usually separated by spaces, etc.).

So, a file with unusually high entropy might be suspicious and worth further investigation. However, it's not a surefire indicator of maliciousness: there are plenty of legitimate reasons a file might have high entropy, and plenty of ways malware might avoid causing high entropy. It's just one tool in a larger toolbox for detecting potential threats.

ShellSweep includes a Get-Entropy function that calculates the entropy of a file's contents by:

  • Counting how often each character appears in the file.
  • Using these frequencies to calculate the probability of each character.
  • Summing -p*log2(p) for each character, where p is the character's probability. This is the formula for entropy in information theory.

ShellScan

ShellScan provides the ability to scan multiple known bad webshell directories and output the average, median, minimum and maximum entropy values by file extension.

Pass ShellScan.ps1 some directories of webshells, any size set. I used:

  • https://github.com/tennc/webshell
  • https://github.com/BlackArch/webshells
  • https://github.com/tarwich/jackal/blob/master/libraries/

This will give a decent training set to get entropy values.

Output example:

Statistics for .aspx files:
Average entropy: 4.94212121048115
Minimum entropy: 1.29348709979974
Maximum entropy: 6.09830238020383
Median entropy: 4.85437969842084
Statistics for .asp files:
Average entropy: 5.51268104400858
Minimum entropy: 0.732406213077191
Maximum entropy: 7.69241278153711
Median entropy: 5.57351177724806

ShellCSV

First, let's break down the usage of ShellCSV and how it assists with identifying entropy of the good files on disk. The idea is that defenders can run this on web servers to gather all files and entropy values to better understand what paths and extensions are most prominent in their working environment.

See ShellCSV.csv as example output.

ShellSweep

First, choose your flavor: Python, PowerShell or Lua.

  • Based on results from ShellScan or ShellCSV, modify entropy values as needed.
  • Modify file extensions as needed. No need to look for ASPX on a non-ASPX app.
  • Modify paths. I don't recommend just scanning all of C:\; there is a lot to filter.
  • Modify any filters needed.
  • Run it!

If you made it here, this is the part where you iterate on tuning. Find new shell? Gather entropy and modify as needed.
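As an added example (not the project's own code), the Get-Entropy formula described above combined with the tuning steps of this section: a Python sweep with assumed per-extension entropy thresholds, an excluded-directory set and a known-good hash list, run over a constructed sample tree. The threshold values are placeholders to be tuned from ShellScan/ShellCSV output.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed knobs mirroring ShellSweep's tuning steps (example values, not the project's):
THRESHOLDS = {".aspx": 6.0, ".asp": 6.5, ".php": 6.0, ".jsp": 6.0}  # tune from ShellScan/ShellCSV output
EXCLUDE_DIRS = {"node_modules", ".git"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: -sum(p * log2(p)) over byte frequencies, as Get-Entropy does per character."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())

def sweep(root, thresholds=THRESHOLDS, exclude_dirs=EXCLUDE_DIRS, ignore_hashes=frozenset()):
    """Return (path, entropy) for scanned-extension files at or above their threshold."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]  # prune excluded dirs
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in thresholds:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if hashlib.sha256(data).hexdigest() in ignore_hashes:
                continue  # known-good file, skip
            ent = shannon_entropy(data)
            if ent >= thresholds[ext]:
                hits.append((path, round(ent, 3)))
    return hits

def demo() -> list:
    """Constructed sample tree; returns the basenames the sweep flags."""
    root = tempfile.mkdtemp()
    benign = b'<%@ Page Language="C#" %>\n<html><body><p>Welcome to the site.</p></body></html>\n' * 20
    blob = bytes(range(256)) * 16            # uniform bytes, entropy 8.0: stands in for an encrypted payload
    blob2 = bytes(range(255, -1, -1)) * 16   # same entropy, different hash
    os.makedirs(os.path.join(root, "node_modules"))
    for rel, data in [("index.aspx", benign), ("upload.aspx", blob), ("vendor.php", blob2),
                      (os.path.join("node_modules", "x.php"), blob), ("notes.txt", blob)]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    known_good = {hashlib.sha256(blob2).hexdigest()}  # vendor.php is whitelisted by hash
    return sorted(os.path.basename(p) for p, _ in sweep(root, ignore_hashes=known_good))
```

Only upload.aspx is reported: the benign page sits well below the threshold, vendor.php is skipped by hash, node_modules is pruned, and .txt is not a scanned extension.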

Questions

Feel free to open a Git issue.

Thank You

If you enjoyed this project, be sure to star the project and share with your family and friends.
