• Stars
    star
    293
  • Rank 141,748 (Top 3 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created about 8 years ago
  • Updated almost 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A webshell framework for penetration testers.

Build Status npm npm

novahot

novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.

Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.

Installation

Install the executable directly from npm:

[sudo] npm install -g novahot

Then seed a config file:

novahot config > ~/.novahotrc

Usage

  1. View the available trojans with novahot trojan list.

  2. Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)

  3. Change the control password in the newly-created trojan.

  4. Upload the trojan to a web-accessible location on the target.

  5. Configure target information in the targets property in ~/.novahotrc.

  6. Run novahot shell <target> to open a shell.

Shell Modes

Internally, novahot uses "modes" and "adapters" to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.

To change novahot's mode, issue the appropriate "dot command":

.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }

(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)

For example, the mysql mode makes it possible to directly run queries like the following:

mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;

There additionally exists a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.

Virtual Commands

novahot implements four "virtual commands" that utilize payloads built in to the trojans to extend the functionality of the shell:

download

download <remote-filename> [<local-filename>]

Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> if specified.

upload

upload <local-filename> [<remote-filename>]

Uploads <local-filename> to the shell's cwd, and optionally renames <local-filename> to <remote-filename> if specified.

view

view <remote-filename> [<local-filename>]

Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> After downloading, the file will be opened by the "viewer" application specified in the configs.

edit

edit <remote-filename>

Downloads <remote-filename> to a temporary file, and then opens that file for editing using the "editor" specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment

This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.

Using docker-compose

If you have docker and docker-compose installed on your physical host, you may simply do the following:

  1. Clone and cd to this repository
  2. Run: docker-compose up

After the docker container starts, the DVWA will be accessible at http://localhost:80.

Using vagrant

If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual-machine:

  1. Clone and cd to this repository
  2. Provision a virtual machine: vagrant up
  3. SSH into the virtual machine: vagrant ssh
  4. Start the docker container: sudo su; cd /vagrant; docker-compose up

The DVWA will be accessible at http://localhost:8000.

Configuring novahot against the laboratory environment

Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:

{

  "targets": {
    "dvwa" : {
      "uri"      : "http://localhost:8000/novahot.php",
      "password" : "the-password",

      "mysql" : {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"
      }
    }
  }

}

You may then establish a webshell via:

novahot shell dvwa

Additional Information

Additional information can be found in the wiki:

More Repositories

1

drek

A static-code-analysis tool for performing security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.
HTML
131
star
2

watchtower

Watchtower is a Static Code Analysis tool designed to assist security auditors who are tasked with performing manual code reviews. It is platform- and language-agnostic.
Ruby
112
star
3

node-did

A dead-simple, cli-based task journaler.
JavaScript
52
star
4

wash

`wash` is a framework for creating and interfacing with trojans that can establish a "web shell" on a compromised web server. It is designed with penetration testers in mind, and thus is highly versatile and extensible.
JavaScript
28
star
5

wit-cms

A flat-file, markdown-based, blog-aware content-management system for Express.
JavaScript
27
star
6

cdash

A minimalist cryptocurrency portfolio dashboard for the command-line that draws market data from the Coin Market Cap API.
Go
14
star
7

drek-signatures

Example signature files for drek.
11
star
8

pharse

A command-line option-parsing class for PHP
PHP
10
star
9

git-weekly-report

A tool to quickly generate weekly work summaries based off of git commit messages
Ruby
10
star
10

node-nvidia-smi

Node wrapper around nvidia-smi.
JavaScript
7
star
11

balance-of-power

Pico8 tactics
Lua
7
star
12

github-local-backup

Backs up Github repositories to your local filesystem.
JavaScript
7
star
13

arduino-radioshack-tri-color-led-strip-2760339

In progress
C++
5
star
14

clinc

A minimalist, scriptable command-line interface for GRBL.
JavaScript
4
star
15

wit-cms-bootstrap

An example site built around wit-cms.
HTML
3
star
16

git-ripped

git-ripped is a git post-commit script that encourages you to take an exercise break after every commit.
Python
3
star
17

tiny-and-weird

"Tiny and Weird" is a lightweight tool designed to minify and obfuscate PHP code - it makes it tiny and weird!
PHP
3
star
18

presentation-timer-pro

A presentation timer written in PhoneGap. It provides configurable color cues at different points in your presentation to help you stay on pace.
JavaScript
3
star
19

mind-machine

A "mind machine" for Google Cardboard.
JavaScript
2
star
20

llm

Bring large-language models to the CLI.
Go
2
star
21

st

Personal fork of suckless st.
C
1
star
22

streamify-string

Accepts a string and returns a readable stream that outputs the string.
JavaScript
1
star
23

torque-honda-civic-gen-8-themeset

A Torque themeset for the generation 8 Honda Civic.
1
star
24

mock-email-list

Generates a list of mock email addresses and writes them to stdout.
Go
1
star