Novahot - A Webshell Framework For Penetration Testers
novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.
Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.
Installation
Install the executable from npm, then write a starter config file to your home directory:
[sudo] npm install -g novahot
novahot config > ~/.novahotrc
Usage
- View the available trojans with novahot trojan list.
- Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
- Change the command password in the newly-created trojan. The password is the only thing gating command execution through the trojan, so use a long random value rather than the shipped default.
- Upload the trojan to a web-accessible location on the target.
- Configure target information in the targets property in ~/.novahotrc.
- Run novahot shell to open a shell.
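As an added example (not part of novahot itself), the following Python script automates the middle of that procedure: it writes a fresh random command password into a copy of the trojan and merges the matching target entry into the JSON of ~/.novahotrc, refusing to proceed if the default password would survive. It assumes the trojan keeps its password in a line of the form $password = "..."; (the real trojan may store it differently) and uses a short constructed stand-in for the trojan source.

```python
"""Added example (not novahot's own code): prepare a trojan copy with a
fresh command password and register the target in ~/.novahotrc.

Assumptions, also stated in the lead-in:
  * the trojan source stores its command password in one line of the
    form  $password = "the-password";  (assumed placeholder format)
  * ~/.novahotrc is JSON with a top-level "targets" object, as in the
    DVWA example on this page
"""
import json
import re
import secrets
from typing import Optional

DEFAULT_PASSWORD = "the-password"   # placeholder used by the page's examples

# Constructed sample trojan source; a real trojan is much longer.
SAMPLE_TROJAN = '<?php\n$password = "the-password";\n// ... command handler ...\n'

_PASSWORD_LINE = re.compile(r'(\$password\s*=\s*)(["\'])(.*?)\2(\s*;)')


def new_password(nbytes: int = 24) -> str:
    """URL-safe random password (letters, digits, '-' and '_' only)."""
    return secrets.token_urlsafe(nbytes)


def set_trojan_password(source: str, password: str) -> str:
    """Replace the command password in the trojan source.

    Raises if the expected assignment is not found or the default
    password is still present, so a trojan carrying the shipped default
    is never uploaded by accident.
    """
    new_source, count = _PASSWORD_LINE.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{password}{m.group(2)}{m.group(4)}",
        source, count=1)
    if count != 1:
        raise ValueError("no $password assignment found in trojan source")
    if DEFAULT_PASSWORD in new_source:
        raise ValueError("default password still present after rewrite")
    return new_source


def add_target(config: dict, name: str, uri: str, password: str,
               mysql: Optional[dict] = None) -> dict:
    """Return a copy of the .novahotrc contents with one more target.

    Existing targets are preserved; a duplicate name is an error rather
    than a silent overwrite of another engagement's settings.
    """
    cfg = json.loads(json.dumps(config))      # deep copy, JSON-clean
    targets = cfg.setdefault("targets", {})
    if name in targets:
        raise ValueError(f"target {name!r} already configured")
    entry = {"uri": uri, "password": password}
    if mysql:
        entry["mysql"] = mysql
    targets[name] = entry
    return cfg


if __name__ == "__main__":
    pw = new_password()
    trojan = set_trojan_password(SAMPLE_TROJAN, pw)
    cfg = add_target({"targets": {}}, "lab",
                     "http://localhost:8000/my-trojan.php", pw)
    print(trojan)
    print(json.dumps(cfg, indent=2))
```

Write the returned trojan source to the file you upload, and the returned config back to ~/.novahotrc; the password in both must match, which is why one value is generated and used for both.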
Shell Modes
Internally, novahot uses "modes" and "adapters" to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot's mode, issue the appropriate "dot command":
.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }
(Alternatively, the connection settings may be specified per target in ~/.novahotrc.)
For example, the mysql mode makes it possible to run queries like the following:
mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;
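As an added example (not novahot's own code), here is a small parser for the dot-command syntax above, merging the inline JSON with the mode's settings from the target's entry in ~/.novahotrc so that options typed at the prompt override the file. The target dict is constructed from the DVWA configuration shown later on this page; it is assumed that psql takes the same username/password/database keys as mysql, and since this page does not show the option names for sqlite3 and payload modes, those accept any JSON object.

```python
"""Added example, not part of novahot: parse '.mode {json}' dot commands
and resolve the connection settings for the chosen mode.

Assumptions: psql is assumed to need the same three keys as mysql; the
option names for the sqlite3 and payload modes are not shown on the
page, so they are not validated here.
"""
import json

MODES = {"mysql", "psql", "sqlite3", "payload"}            # modes named on the page
REQUIRED = {"mysql": ("username", "password", "database"),
            "psql": ("username", "password", "database")}  # psql keys: assumed


def parse_dot_command(line: str) -> tuple:
    """Split '.mode {json}' into (mode, options); options default to {}."""
    parts = line.strip()[1:].split(None, 1) if line.strip().startswith(".") else []
    if not parts:
        raise ValueError("dot commands look like '.mode [json-object]'")
    mode = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODES)}")
    if not rest:
        return mode, {}
    try:
        opts = json.loads(rest)
    except json.JSONDecodeError as exc:
        raise ValueError(f"options for .{mode} must be a JSON object: {exc}") from None
    if not isinstance(opts, dict):
        raise ValueError(f"options for .{mode} must be a JSON object")
    return mode, opts


def resolve_mode(line: str, target: dict) -> tuple:
    """Inline options win; anything missing comes from the target's block
    of the same name (e.g. target["mysql"]). Raises if a required
    connection key is still absent, so an adapter is never started with
    empty credentials and a confusing remote error."""
    mode, inline = parse_dot_command(line)
    merged = dict(target.get(mode, {}))
    merged.update(inline)
    missing = [k for k in REQUIRED.get(mode, ()) if not merged.get(k)]
    if missing:
        raise ValueError(f".{mode}: missing {', '.join(missing)}")
    return mode, merged


# Constructed from the DVWA target shown later on this page.
DVWA_TARGET = {
    "uri": "http://localhost:8000/novahot.php",
    "password": "the-password",
    "mysql": {"username": "root", "password": "vulnerables", "database": "dvwa"},
}

if __name__ == "__main__":
    print(resolve_mode(".mysql", DVWA_TARGET))
    print(resolve_mode('.mysql { "database" : "mysql" }', DVWA_TARGET))
```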
novahot also provides a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.
Virtual Commands
novahot implements 4 "virtual commands" that use payloads built in to the trojans to extend the functionality of the shell:
download
download <remote-file> [<local-file>]
Downloads <remote-file> to --download-dir, and optionally renames it to <local-file> if specified.
upload
upload <local-file> [<remote-file>]
Uploads <local-file> to the shell's cwd, and optionally renames it to <remote-file> if specified.
view
view <remote-file> [<local-file>]
Downloads <remote-file> to --download-dir, and optionally renames it to <local-file> if specified. After downloading, the file will be opened by the "viewer" application specified in the configs.
edit
edit <remote-file>
Downloads <remote-file> to a temporary file, then opens that file for editing using the "editor" specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.
Provisioning a Test Environment
This repository contains a lab environment built on Vagrant, Docker, and the Damn Vulnerable Web Application ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.
Using docker-compose
If you have docker and docker-compose installed on your physical host, you may simply do the following:
- Clone and cd to this repository
- Run: docker-compose up
Using vagrant
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual machine:
- Clone and cd to this repository
- Provision a virtual machine: vagrant up
- SSH into the virtual machine: vagrant ssh
- Start the docker container: sudo su; cd /vagrant; docker-compose up
Configuring novahot against the lab environment
Specify the following connection settings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:
{
  "targets": {
    "dvwa": {
      "uri": "http://localhost:8000/novahot.php",
      "password": "the-password",
      "mysql": {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"
      }
    }
  }
}
Then open a shell against that target:
novahot shell dvwa
Additional Information
Additional information can be found in the wiki.