crabby-webshell-generator 2.0.0

Crabby is a tool developed to generate webshells written in - insert your desired webshell language -. It is designed to be used by red teams to aid in lateral movement, privilege escalation, and data exfiltration.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

# Project Documentation

This project is a PHP-based web application that provides various functionalities for server operations.
It is designed to be stealthy, meaning that the operations should not be visible to the user or any monitoring system
without raising any uncommon process tree or disk operation.

## Docker Compose Configuration

The project uses Docker Compose for setting up the development environment. The `docker-compose.yml` file includes
configurations for different PHP versions (5.x, 7.x, 8.x) with Apache, WordPress with a webshell plugin, MariaDB, and
OpenLDAP.

## Wordpress Plugin

The webshell plugin is a PHP script that provides various functionalities once activated.

### Unique features

The WordPress webshell includes all the features of the template webshell, plus:

- [x] Added stealthiness - hides itself from the plugin list once activated.
- [x] Deactivation bypass - hooks into the WordPress activation process to install a persistence mechanism into
  wp-config.php that allows the webshell to self reactivate after deactivation.
- [x] User impersonation - allows to impersonate any user on the WordPress site.
- [x] Administrator creation - allows to create a new administrator user on the WordPress site.
- [x] Users spoofing - hides the created users from the WordPress user list and removes the users counter from the
  dashboard to reduce the chance of detection.

## Webshell Template

The `template.php` file is a PHP script that can be used to perform various operations on a server. The operations
include:

- [x] File extraction (preview and download as base64 encoded string)
- [x] Directory listing using common `ls -lah` result format
- [x] Exfiltration of files from the server or connected shares (with folder extraction and extension filtering
  capabilities)
- [x] Port scanning
- [x] Writing files
- [x] Running commands
- [x] PHP info and loaded extensions
- [x] Querying databases based on the available PHP extensions and drivers
- [x] Querying LDAP (authenticated and anonymously)
- [x] Running BloodHound-like queries (supported but untested)
- [x] Php code evaluation

## Login

The application includes a login system. The username and password are hashed using SHA512 and a salt. The login system
is session-based even if at the current stage the session is practically unused within the webshell itself.

### !!! WARNING Notice !!!

Never directly use the `template.php` file in a production environment as it contains a **development only** backdoor
allowing to bypass the login system.

The backdoor is a simple `if` statement that checks if the `dev` parameter is set in the URL.

The backdoor gets automatically removed by the generator when building the final webshell.

## Database Operations

The application supports querying various types of databases including:

- [x] MySQL
- [x] PostgreSQL
- [x] SQLite
- [x] SQL Server
- [x] Oracle
- [x] MongoDB
- [x] IBM DB2
- [x] Firebird
- [x] ODBC
- [x] Informix
- [x] Sybase

## LDAP Operations

The application supports querying LDAP servers. The LDAP operations include:

- [x] Anonymous bind
- [x] Authenticated bind
- [x] Querying the LDAP server
- [x] Run BloodHound-like queries (supported but untested)

## Exfiltration

The application supports exfiltrating data from the server. The exfiltration includes:

- [x] File exfiltration
- [x] Folder exfiltration
- [x] Extension filtering (optional)
- [x] Recursive exfiltration of files and folders within a given path (optional)
- [x] Stacking multiple exfiltration operations
- [x] Stacking of multiple optional features within the same path

## Port Scanning

The application supports scanning ports on a given IP address. The port scanning includes:

- [x] Scanning a range of ports

## File Writing

The application supports writing files on the server. The file writing includes:

- [x] Writing files with a given content
- [x] Writing binary files decoded from base64 encoded strings

## PHP Info

The application can display the PHP info and loaded extensions.

## Directory Listing

The application supports listing directories on the server or connected shares. The directory listing includes:

- [x] Listing directories using common `ls -lah` result format
- [x] Listing directories with a given path
- [x] Recursive listing of directories within a given path using a given depth

## File Extraction

The application supports extracting files and previewing them from the server or connected shares.

## Stealthiness

The application is designed to be stealthy, meaning that the operations should not be visible to the user or any
monitoring system without raising any uncommon process tree or disk operation. The possibility to get discovered always
exists, but the goal is to make it as hard as possible.