novahot - npm explorer

![Build Status](https://travis-ci.org/chrisallenlane/novahot)
![npm]()
![npm]()

novahot
=======
novahot is a webshell framework for penetration testers. It implements a
JSON-based API that can communicate with trojans written in any language. By
default, it ships with trojans written in PHP, ruby, and python.

Beyond executing system commands, novahot is able to emulate interactive
terminals, including mysql, sqlite3, and psql. It additionally implements
"virtual commands" that make it possible to upload, download, edit, and view
remote files locallly using your preferred applications.

Installation
------------
Install the executable directly from npm:

``sh [sudo] npm install -g novahot`

Then seed a config file:

`sh novahot config > ~/.novahotrc`

Usage ----- 1. View the available trojans withnovahot trojan list.

2. Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex:novahot trojan view basic.php > ~/my-trojan.php)

3. Change the control password in the newly-created trojan.

4. Upload the trojan to a web-accessible location on the target.

5. Configure target information in the targets property in ~/.novahotrc.

6. Run novahot shell to open a shell.

Shell Modes ----------- Internally,novahotuses "modes" and "adapters" to emulate various interactive clients, currently including themysql, psql(postgres), andsqlite3 clients.

To change novahot's mode, issue the appropriate "dot command":

`sh .mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }`

(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in~/.novahotrc.)

For example, the mysqlmode makes it possible to directly run queries like the following:

`sql mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;`

There additionally exists a payload mode that can be used to POSTarbitrary data to the trojan. [See the wiki for more information][payload-mode].

Virtual Commands ----------------novahotimplements four "virtual commands" that utilize payloads built in to the trojans to extend the functionality of the shell:

`$3`

sh
download  []

Downloads to --download-dir, and optionally renames it to if specified.

`$3`

sh
upload  []

Uploads to the shell's cwd, and optionally renames to if specified.

`$3`

sh
view  []

Downloads to --download-dir, and optionally renames it toAfter downloading, the file will be opened by the "viewer" application specified in the [configs][configuration].

`$3`

sh
edit

Downloads to a temporary file, and then opens that file for editing using the "editor" specified in the [configs][configuration]. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment ------------------------------- This repository contains a laboratory environment built on [Vagrant][], [Docker][], and the [Damn Vulnerable Web Application][dvwa] ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.

`$3`


If you have

docker and docker-compose

 installed on your physical host, you
may simply do the following:

1. Clone and cdto this repository 2. Run:docker-compose up

After the docker container starts, the DVWA will be accessible at http://localhost:8000.

`$3`

If

docker

 is not installed on your physical host, you may use
Vagrant/Virtualbox to access a docker-capable virtual-machine:

1. Clone and cdto this repository 2. Provision a virtual machine:vagrant up3. SSH into the virtual machine:vagrant ssh4. Start the docker container:sudo su; cd /vagrant; docker-compose up

The DVWA will likewise be accessible at http://localhost:8000.

`$3`


Specify the following connection strings in your

~/.novahotrc

 file to connect
the

novahot client to the PHP trojan embedded in the DVWA container:

`javascript {

"targets": { "dvwa" : { "uri" : "http://localhost:8000/novahot.php", "password" : "the-password",

"mysql" : { "username": "root", "password": "vulnerables", "database": "dvwa" } } }

}`

You may then establish a webshell via:

`sh novahot shell dvwa``

Additional Information
----------------------
Additional information can be found in the [wiki][]:

- [Configuration][configuration]
- [The Client/Trojan API][api]
- [sqlite3 "dot command" conflicts][sqlite-dotcommands]

[Docker]: https://www.docker.com/
[Vagrant]: https://www.vagrantup.com/
[api]: https://github.com/chrisallenlane/novahot/wiki/The-Client-Trojan-API
[configuration]: https://github.com/chrisallenlane/novahot/wiki/Configuring
[dvwa]: http://www.dvwa.co.uk/
[payload-mode]: https://github.com/chrisallenlane/novahot/wiki/The-Client-Trojan-API#payload-mode
[sqlite-dotcommands]: https://github.com/chrisallenlane/novahot/wiki/SQLite3-Mode-%22dot-command%22-Conflicts
[wiki]: https://github.com/chrisallenlane/novahot/wiki