Novahot – A Webshell Framework For Penetration Testers

Novahot - A Webshell Framework For Penetration Testers

novahot is a webshell framework for penetration testers. It implements a JSON-based mostly API that may talk with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python.

Beyond executing system instructions, novahot is ready to emulate interactive terminals, together with mysql, sqlite3, and psql. It moreover implements “virtual commands” that make it doable to add, obtain, edit, and think about distant information locallly utilizing your most well-liked functions.

Install the executable straight from npm:

[sudo] npm set up -g novahot

Then seed a config file:

novahot config > ~/.novahotrc


  1. View the obtainable trojans with novahot trojan record.
  2. Select a trojan in a language that’s acceptable on your goal, then copy its supply to a brand new file. (Ex: novahot trojan view primary.php > ~/my-trojan.php)
  3. Change the management password within the newly-created trojan.
  4. Upload the trojan to an internet-accessible location on the goal.
  5. Configure goal data within the targets property in ~/.novahotrc.
  6. Run novahot shell <goal> to open a shell.

Shell Modes
Internally, novahot makes use of “modes” and “adapters” to emulate varied interactive shoppers, presently together with the mysql, psql (postgres), and sqlite3 shoppers.
To change novahot‘s mode, challenge the suitable “dot command”:

.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }

(Connection parameters could also be specified as JSON whereas altering modes, or alternatively saved as goal configuration knowledge in ~/.novahotrc.)
For instance, the mysql mode makes it doable to straight run queries like the next:

mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;

There moreover exists a payload mode that can be utilized to POST arbitrary knowledge to the trojan. See the wiki for more information.

Virtual Commands
novahot implements 4 “virtual commands” that make the most of payloads in-built to the trojans to increase the performance of the shell:


obtain <distant-filename> [<local-filename>]

Downloads <distant-filename> to --download-dir, and optionally renames it to <native-filename> if specified.


add <native-filename> [<remote-filename>]

Uploads <native-filename> to the shell’s cwd, and optionally renames <native-filename> to <distant-filename> if specified.


view <distant-filename> [<local-filename>]

Downloads <distant-filename> to --download-dir, and optionally renames it to <native-filename> After downloading, the file will likely be opened by the “viewer” utility specified within the configs.


Downloads <distant-filename> to a brief file, after which opens that file for modifying utilizing the “editor” specified within the configs. Afterward, if adjustments to the file are saved regionally, the file will likely be re-uploaded to the server robotically.

Provisioning a Test Environment
This repository accommodates a laboratory setting constructed on Vagrant, Docker, and the Damn Vulnerable Web Application (“DVWA”). Steps for provisioning the setting differ relying on the capabilities of your bodily host.

Using docker-compose
If you’ve docker and docker-compose put in in your bodily host, you could merely do the next:

  1. Clone and cd to this repository
  2. Run: docker-compose up

After the docker container begins, the DVWA will likely be accessible at http://localhost:80.

Using vagrant
If docker will not be put in in your bodily host, you could use Vagrant/Virtualbox to entry a docker-succesful digital-machine:

  1. Clone and cd to this repository
  2. Provision a digital machine: vagrant up
  3. SSH into the digital machine: vagrant ssh
  4. Start the docker container: sudo su; cd /vagrant; docker-compose up

The DVWA will likely be accessible at http://localhost:8000.

Configuring novahot towards the laboratory setting
Specify the next connection strings in your ~/.novahotrc file to attach the novahot consumer to the PHP trojan embedded within the DVWA container:


  "targets": {
    "dvwa" : {
      "uri"      : "http://localhost:8000/novahot.php",
      "password" : "the-password",

      "mysql" : {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"


You could then set up a webshell by way of:

Additional Information
Additional data may be discovered within the wiki:


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.