Novahot - A Webshell Framework For Penetration Testers


novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.
Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.

Installation
Install the executable directly from npm:
[sudo] npm install -g novahot
Then seed a config file:
novahot config > ~/.novahotrc

Usage
  1. View the available trojans with novahot trojan list.
  2. Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
  3. Change the control password in the newly-created trojan.
  4. Upload the trojan to a web-accessible location on the target.
  5. Configure target information in the targets property in ~/.novahotrc.
  6. Run novahot shell to open a shell.

Shell Modes
Internally, novahot uses "modes" and "adapters" to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot's mode, issue the appropriate "dot command":
.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }
(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)
For example, the mysql mode makes it possible to directly run queries like the following:
mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;
There additionally exists a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.

Virtual Commands
novahot implements four "virtual commands" that utilize payloads built in to the trojans to extend the functionality of the shell:

download
download  []
Downloads to --download-dir, and optionally renames it to if specified.

upload
upload  []
Uploads to the shell's cwd, and optionally renames to if specified.

view
view  []
Downloads to --download-dir, and optionally renames it to After downloading, the file will be opened by the "viewer" application specified in the configs.

edit
edit 
Downloads to a temporary file, and then opens that file for editing using the "editor" specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment
This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.

Using docker-compose
If you have docker and docker-compose installed on your physical host, you may simply do the following:
  1. Clone and cd to this repository
  2. Run: docker-compose up
After the docker container starts, the DVWA will be accessible at http://localhost:80.

Using vagrant
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual machine:
  1. Clone and cd to this repository
  2. Provision a virtual machine: vagrant up
  3. SSH into the virtual machine: vagrant ssh
  4. Start the docker container: sudo su; cd /vagrant; docker-compose up
The DVWA will be accessible at http://localhost:8000.

Configuring novahot against the laboratory environment
Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:
{
  "targets": {
    "dvwa" : {
      "uri"      : "http://localhost:8000/novahot.php",
      "password" : "the-password",
      "mysql" : {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"
      }
    }
  }
}
You may then establish a webshell via:
novahot shell dvwa
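
Seen from the defender's side of this lab, a shell session like the one above should appear in the web server's access log as repeated POST requests to a single script. The following Python script is an added example, not part of novahot or its repository; it assumes the client talks to the trojan over POST (as the payload mode described earlier suggests), an Apache common/combined log format, and hypothetical thresholds, and it runs over constructed sample log lines.

```python
import re
from collections import defaultdict

# Apache common/combined log format (assumed); trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Script extensions to inspect (assumption, matching the trojan languages listed).
SCRIPT_EXTS = (".php", ".rb", ".py")

# Constructed sample log: normal DVWA browsing plus POST-only traffic to one script.
SAMPLE_LOG = "\n".join(
    ['172.17.0.1 - - [10/Jan/2024:10:00:00 +0000] "GET /login.php HTTP/1.1" 200 1523',
     '172.17.0.1 - - [10/Jan/2024:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 1523',
     '172.17.0.1 - - [10/Jan/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 6000',
     '172.17.0.1 - - [10/Jan/2024:10:01:00 +0000] "POST /setup.php HTTP/1.1" 200 4100']
    + ['172.17.0.9 - - [10/Jan/2024:10:05:%02d +0000] "POST /novahot.php HTTP/1.1" 200 87' % s
       for s in range(6)]
)

def find_post_only_scripts(log_text, min_posts=5, max_clients=2):
    """Return (path, post_count, clients) for scripts that only ever received
    successful POSTs, at least min_posts of them, from at most max_clients IPs."""
    stats = defaultdict(lambda: {"methods": defaultdict(int), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the request did not succeed
        path = m["path"].split("?", 1)[0]
        if not path.endswith(SCRIPT_EXTS):
            continue
        stats[path]["methods"][m["method"]] += 1
        stats[path]["clients"].add(m["ip"])
    hits = []
    for path, entry in sorted(stats.items()):
        posts = entry["methods"].get("POST", 0)
        post_only = set(entry["methods"]) == {"POST"}
        if post_only and posts >= min_posts and len(entry["clients"]) <= max_clients:
            hits.append((path, posts, sorted(entry["clients"])))
    return hits

if __name__ == "__main__":
    for path, posts, clients in find_post_only_scripts(SAMPLE_LOG):
        print(f"review {path}: {posts} POST-only requests from {clients}")
```

A flagged path is only a lead for review: legitimate API endpoints can also be POST-only, so compare hits against the application's known files and their modification times.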

Additional Information
Additional information can be found in the wiki: