Novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.
Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements “virtual commands” that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.
Also ReadFindYara – IDA Python Plugin To Scan Binary With Yara Rules
Install the executable directly from npm:
[sudo] npm install -g novahot Then seed a config file:
novahot config > ~/.novahotrc novahot trojan list.novahot trojan view basic.php > ~/my-trojan.php)targets property in ~/.novahotrc.novahot shell <target> to open a shell.Internally, novahot uses “modes” and “adapters” to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.
To change novahot’s mode, issue the appropriate “dot command”:
.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" } (Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)
For example, the mysql mode makes it possible to directly run queries like the following:
mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users; Novahot implements four “virtual commands” that utilize payloads built in to the trojans to extend the functionality of the shell:
download <remote-filename> [<local-filename>] Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> if specified.
upload <local-filename> [<remote-filename>] Uploads <local-filename> to the shell’s cwd, and optionally renames <local-filename> to <remote-filename> if specified.
view <remote-filename> [<local-filename>] Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> After downloading, the file will be opened by the “viewer” application specified in the configs.
edit <remote-filename> Downloads <remote-filename> to a temporary file, and then opens that file for editing using the “editor” specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.
This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application (“DVWA”). Steps for provisioning the environment vary depending on the capabilities of your physical host.
If you have docker and docker-compose installed on your physical host, you may simply do the following:
cd to this repositorydocker-compose upAfter the docker container starts, the DVWA will be accessible at http://localhost:80.
If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual-machine:
cd to this repositoryvagrant upvagrant sshsudo su; cd /vagrant; docker-compose upThe DVWA will be accessible at http://localhost:8000.
Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:
{
"targets": {
"dvwa" : {
"uri" : "http://localhost:8000/novahot.php",
"password" : "the-password",
"mysql" : {
"username": "root",
"password": "vulnerables",
"database": "dvwa"
}
}
}
} You may then establish a webshell via:
novahot shell dvwa Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…