Nimbo-C2 – Yet Another (Simple And Lightweight) C2 Framework

46b5cbcca1c64adf5905d98ffff6ac83ba8d871d0a266d26d3cf4e1d5ab22498

About

Nimbo-C2 is yet another (simple and lightweight) C2 framework.

c1f2f1f07172bb3d3180bc15fa279857d09c2eb223ae7acdf6c49b29a2dd5af5

Nimbo-C2 agent supports x64 Windows & Linux. It’s written in Nim, with some usage of .NET on Windows (by dynamically loading the CLR to the process). Nim is powerful, but interacting with Windows is much easier and robust using Powershell, hence this combination is made. The Linux agent is slimer and capable only of basic commands, including ELF loading using the memfd technique.

All server components are written in Python:

  • HTTP listener that manages the agents.
  • Builder that generates the agent payloads.
  • Nimbo-C2 is the interactive C2 component that rule’em all!

My work wouldn’t be possible without the previous great work done by others, listed under credits.


Features

  • Build EXE, DLL, ELF payloads.
  • Encrypted implant configuration and strings using NimProtect.
  • Packing payloads using UPX and obfuscate the PE section names (UPX0, UPX1) to make detection and unpacking harder.
  • Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable by the config.jsonc).
  • Auto-completion in the C2 Console for convenient interaction.
  • In-memory Powershell commands execution.
  • File download and upload commands.
  • Built-in discovery commands.
  • Screenshot taking, clipboard stealing, audio recording.
  • Memory evasion techniques like NTDLL unhooking, ETW & AMSI patching.
  • LSASS and SAM hives dumping.
  • Shellcode injection.
  • Inline .NET assemblies execution.
  • Persistence capabilities.
  • UAC bypass methods.
  • ELF loading using memfd in 2 modes.
  • And more !

Installation

Easy Way

  1. Clone the repository and cd in
git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2
  1. Build the docker image
docker build -t nimbo-dependencies .
  1. cd again into the source files and run the docker image interactively, expose port 80 and mount Nimbo-C2 directory to the container (so you can easily access all project files, modify config.jsonc, download and upload files from agents, etc.). For Linux replace ${pwd} with $(pwd).
cd Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 nimbo-dependencies

Easier Way

git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2/Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 itaymigdal/nimbo-dependencies

Usage

First, edit config.jsonc for your needs.

Then run with: python3 Nimbo-C2.py

Use the help command for each screen, and tab completion.

Also, check the examples directory.

Main Window

Nimbo-C2 > help

--== Agent ==--
agent list -> list active agents
agent interact <agent-id> -> interact with the agent
agent remove <agent-id> -> remove agent data

--== Builder ==--
build exe -> build exe agent (-h for help)
build dll -> build dll agent (-h for help)
build elf -> build elf agent (-h for help)

--== Listener ==--
listener start -> start the listener
listener stop -> stop the listener
listener status -> print the listener status

--== General ==--
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2
</ div>

Agent Window

Windows agent

Nimbo-2 [d337c406] > help

--== Send Commands ==--
cmd <shell-command> -> execute a shell command
iex <powershell-scriptblock> -> execute in-memory powershell command

--== File Stuff ==--
download <remote-file> -> download a file from the agent (wrap path with quotes)
upload <loal-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)

--== Discovery Stuff ==--
pstree -> show process tree
checksec -> check for security products
software -> check for installed software

--== Collection Stuff ==--
clipboard -> retrieve clipboard
screenshot -> retrieve screenshot
audio <record-time> -> record audio

--== Post Exploitation Stuff ==--
lsass <method> -> dump lsass.exe [methods: direct,comsvcs] (elevation required)
sam -> dump sam,security,system hives using reg.exe (elevation required)
shellc <raw-shellcode-file> <pid> -> inject shellcode to remote process
assembly <local-assembly> <args> -> execute .net assembly (pass all args as a single string using quotes)
warning: make sure the assembly doesn't call any exit function

--== Evasion Stuff ==--
unhook -> unhook ntdll.dll
amsi -> patch amsi out of the current process
etw -> patch etw out of the current process

--== Persistence Stuff ==--
persist run <command> <key-name> -> set run key (will try first hklm, then hkcu)
persist spe <command> <process-name> -> persist using silent process exit technique (elevation required)

--== Privesc Stuff ==--
uac fodhelper <command> <keep/die> -> elevate session using the fodhelper uac bypass technique
uac sdclt <command> <keep/die> -> elevate session using the sdclt uac bypass technique

--== Interaction stuff ==--
msgbox <title> <text> -> pop a message box (blocking! waits for enter press)
speak <text> -> speak using sapi.spvoice com interface

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Linux agent

Nimbo-2 [51a33cb9] > help

--== Send Commands ==--
cmd <shell-command> -> execute a terminal command

--== File Stuff ==--
download <remote-file> -> download a file from the agent (wrap path with quotes)
upload <local-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)

--== Post Exploitation Stuff ==--
memfd <mode> <elf-file> <commandline> -> load elf in-memory using the memfd_create syscall
implant mode: load the elf as a child process and return
task mode: load the elf as a child process, wait on it, and get its output when it's done
(pass the whole commandline as a single string using quotes)

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Limitations & Warnings

  • Even though the HTTP communication is encrypted, the ‘user-agent’ header is in plain text and it carries the real agent id, which some products may flag it suspicious.
  • When using assembly command, make sure your assembly doesn’t call any exit function because it will kill the agent.
  • shellc command may unexpectedly crash or change the injected process behavior, test the shellcode and the target process first.
  • audio, lsass and sam commands temporarily save artifacts to disk before exfiltrate and delete them.
  • Cleaning the persist commands should be done manually.
  • Specify whether to keep or kill the initiating agent process in the uac commands. die flag may leave you with no active agent (if the unelevated agent thinks that the UAC bypass was successful, and it wasn’t), keep should leave you with 2 active agents probing the C2, then you should manually kill the unelevated.
  • msgbox is blocking, until the user will press the ok button.

Contribution

This software may be buggy or unstable in some use cases as it not being fully and constantly tested. Feel free to open issues, PR’s, and contact me for any reason at (Gmail | Linkedin | Twitter).

Credits

  • OffensiveNim – Great resource that taught me a lot about leveraging Nim for implant tasks. Some of Nimbo-C2 agent capabilities are basically wrappers around OffensiveNim modified examples.
  • Python-Prompt-Toolkit-3 – Awsome library for developing python CLI applications. Developed the Nimbo-C2 interactive console using this.
  • ascii-image-converter – For the awsome Nimbo ascii art.
  • All those random people from Github & Stackoverflow that I copy & pasted their code
    
    .



Original Source


 


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn