
Documentation | Your exe file | Buy Me a Coffee
EtherGhost is an open-source Webshell Management tool that provides a more convenient interface and simpler-to-use features. It can be paired or used as an alternative to other Webshell Management tools, helping users control target machines in various penetration testing environments.
EtherGhost supports not only common single-line Webshells and common Webshell Management tools but also supports proxy Webshells and integrates any Webshell to facilitate connecting via AntSword. Users can connect to proxy Webshells using AntSword, use various plugins on the proxy Webshell, and enjoy the immersive experience of AntSword while benefiting benefiting from the high flow encryption and anti-traffic analysis characteristics.
EtherGhost uses a B/S architecture, allowing it to be deployed on a server, connected via a local browser, and bypassing the local machine's detection risks.
EtherGhost comes with built-in RSA2048+AES256-CBC strong encryption. The AES key is generated during the connection process and transmitted via RSA encryption, effectively preventing replay attacks and traffic analysis.



Download the Blue exe exe from the Release page.
Note: The Blue exe may be reported as a virus by Windows Defender, but I don't know why. However, for those confident in its use, you can directly run the source code or manually unpack the exe.
If using pip, the same goes for creating a virtual environment and activating it. After installing all dependencies, simply run python -m ether_ghost.
If using poetry, you can directly install all dependencies with poetry and run python -m ether_ghost.
Note: Even when downloading the source code, the test Webshell file may still be detected by antivirus software, deleting the entire test_environment folder, but this does not affect program execution.
Create a virtual environment, install all dependencies, then review the pyinstaller_package.bat file and replace the fake environment path with your site-packages folder, then run.
Note: If you have previously unpacked an old version, you may need to recreate the virtual environment.
pip install ether-ghost
ether_ghost # Start
# or python -m ether_ghost
Install and unpack:
cd EtherGhost
python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt
python -m ether_ghost
To use:
cd EtherGhost
. .venv/bin/activate
python -m ether_ghost
Install and unpack:
cd EtherGhost
poetry install
poetry shell
python -m ether_ghost
To use:
cd EtherGhost
poetry shell
python -m ether_ghost
I have been using AntSword since I started learning penetration. AntSword is a very excellent Webshell Management tool, but when I wanted to start AntSword again, I found that AntSword has some issues that prevent me from achieving the desired functionality. Specifically:
php_raw combined with encoders to connect to proxy Webshells, AntSword's plugin lifecycle only supports PHP-type Webshells and cannot use various plugins on proxy Webshells.AntSword's encoder lifecycle and plugin lifecycle are still quite cumbersome. The encoder can directly use Python to call Node.js for encryption, while plugins are less convenient to develop, allowing EtherGhost to be mistaken for a Webshell, where commands passed from AntSword can be resolved.
Behinder can choose AES CBC encryption or XOR encryption. Viewed as providing encryption for the payload, making it harder to detect. However, XOR encryption has some cryptographic pitfalls, allowing intermediate persons to obtain the encryption key through some characteristics and decrypt all payloads.
What about AES CBC? Shouldn't it be secure? It isn't, as Behinder uses an all-zero IV when using AES CBC, causing AES CBC to be reversible, losing randomness (especially the first 16 bytes), and having some cryptographic pitfalls. This makes it easier for middle persons to detect. Additionally, Behinder's AES vulnerabilities are written into the Webshell file, making it currently impossible to resolve with other means.
If you need strong encryption, consider using proxy PHP Webshells in EtherGhost and opening the strong encryption option. This part is optional and can be determined based on specific needs.
docs/ directoryHigh-flow strong encryption was initially designed for AWD, mainly to prevent high-flow replay attacks and prevent high-flow analysis of the actual execution operations of Webshells. After opening high-flow strong encryption, in theory, Webshell existence can be split and analyzed on the traffic analysis side, but actual command or code execution cannot be split out.
Current high-flow encryption and the overall grip function still require code execution on the target machine, which is a completely clear process. Even if middle persons do not know the actual grip code, they can split out the encrypted plaintext PHP code related to decryption, but cannot split out the executed commands or code.
This function is still imperfect. Currently, the encryption process needs to be mirrored into the single-line tree similar to Onion, which requires modifying the entire single-line tree. However, this also introduces the need for EtherGhost to have its own Webshell.
In addition to the new functionality, there is a plan to add high-flow XOR Webshell, which is Webshell stream packaging as images for transmission, which can be added based on the above functions.
This notice is intended for anyone using this tool or technique. Before conducting any network security activities, please carefully read and understand the following notice:
1. Purpose: The purpose of this notice is to educate and train users, and cyber attacks may involve illegal risks and may harm others.
2. Legality: Be aware that unauthorized network security attacks are illegal and may result in legal consequences. This tool and technique are not encouraged or supported for any illegal activities. Users must ensure their actions comply with applicable laws, regulations, and ethical standards.
3. Authorization: Users must ensure their actions comply with the limits of authorization, applicable laws, and legal requirements. Unauthorized access or interference with others' networks, systems, or data is illegal.
4. Indemnification: The source code of this tool is fully open. Any risks or damages caused by using this tool or technique are borne by the user. For any direct or indirect losses, including but not limited to data loss, system crashes, legal liabilities, or other damages, we do not assume any responsibility.
5. Educational Purpose: This tool is only provided for educational and research purposes and is to be used within the limits of compliance with laws and legal regulations for network security testing, penetration testing, or other authorized activities.
6. Shared Responsibility: Users should be aware that cybersecurity is a shared responsibility, ensuring that others' rights and privacy are not violated throughout the process.
Please use this tool with caution and ensure that all activities are conducted legally, ethically, and responsibly.
```
$ claude mcp add EtherGhost \
-- python -m otcore.mcp_server <graph>