C2 – Yet Another (Simple And Lightweight) C2 Framework




Nimbo-C2 is yet another (simple and lightweight) C2 framework.

Nimbo-C2 agent supports x64 Windows & Linux. It’s written in Nim, with some usage of .NET on Windows (by dynamically loading the CLR to the process). Nim is powerful, but interacting with Windows is much easier and more robust using PowerShell, hence this combination. The Linux agent is slimmer and capable only of basic commands, including ELF loading using the memfd technique.

All server components are written in Python:

  • HTTP listener that manages the agents.
  • Builder that generates the agent payloads.
  • Nimbo-C2 is the interactive C2 component that rules them all!

My work wouldn’t be possible without the previous great work done by others, listed under credits.

  • Build EXE, DLL, ELF payloads.
  • Encrypted implant configuration and strings using NimProtect.
  • Packing payloads using UPX and obfuscating the PE section names (UPX0, UPX1) to make detection and unpacking harder.
  • Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable via config.jsonc).
  • Auto-completion in the C2 Console for convenient interaction.
  • In-memory PowerShell command execution.
  • File download and upload commands.
  • Built-in discovery commands.
  • Screenshot taking, clipboard stealing, audio recording.
  • Memory evasion techniques like NTDLL unhooking, ETW & AMSI patching.
  • LSASS and SAM hives dumping.
  • Shellcode injection.
  • Inline .NET assemblies execution.
  • Persistence capabilities.
  • UAC bypass methods.
  • ELF loading using memfd in 2 modes.
  • And more!
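A defender-side check for the memfd ELF loading listed above, as an added example that is not part of Nimbo-C2: a process started from a memfd_create file has a /proc/<pid>/exe link of the form /memfd:<name> (deleted), and its executable mappings point at the same memfd. The fake /proc tree, pids and names below are constructed so the scan runs anywhere.

```python
"""Added example (not Nimbo-C2 code): spot processes running from a memfd."""
import os
import re
import tempfile

# A memfd_create() file has no directory entry, so the kernel renders links
# to it as "/memfd:<name> (deleted)".
MEMFD_LINK = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_exe(proc_root, pid):
    """Return the memfd name if <proc_root>/<pid>/exe is a memfd, else None."""
    try:
        target = os.readlink(os.path.join(proc_root, pid, "exe"))
    except OSError:  # process exited, kernel thread, or no permission
        return None
    match = MEMFD_LINK.match(target)
    return match.group("name") if match else None


def memfd_exec_maps(proc_root, pid):
    """Return executable mappings in <pid>/maps that are backed by a memfd."""
    try:
        with open(os.path.join(proc_root, pid, "maps")) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return []
    hits = []
    for line in lines:
        # Fields: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and "x" in parts[1] and parts[5].startswith("/memfd:"):
            hits.append(parts[5])
    return hits


def scan(proc_root="/proc"):
    """List processes whose image or executable mappings come from a memfd."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        name = memfd_exe(proc_root, pid)
        maps = memfd_exec_maps(proc_root, pid)
        if name is not None or maps:
            findings.append({"pid": int(pid), "exe_memfd": name, "exec_maps": maps})
    return findings


def build_sample_proc():
    """Build a constructed, fake /proc tree so the scan can run anywhere."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    sample = {
        # pid: (exe link target, maps content); every value is constructed
        "4100": ("/memfd:x (deleted)",
                 "7f1000000000-7f1000002000 r-xp 00000000 00:01 2049 /memfd:x (deleted)\n"),
        "4200": ("/usr/bin/bash",
                 "55d000000000-55d000020000 r-xp 00000000 08:01 1234 /usr/bin/bash\n"
                 "7f2000000000-7f2000001000 rw-p 00000000 00:01 3000 /memfd:shm (deleted)\n"),
    }
    for pid, (exe, maps) in sample.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))
        with open(os.path.join(root, pid, "maps"), "w") as fh:
            fh.write(maps)
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_proc()):
        print(finding)
```

Call scan() with no argument on a live Linux host. Some legitimate software also executes from a memfd, so triage hits by name and parent process rather than treating every hit as malicious.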

Easy Way

  1. Clone the repository and cd in
git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2
  2. Build the docker image
docker build -t nimbo-dependencies .
  3. cd again into the source files and run the docker image interactively, expose port 80 and mount Nimbo-C2 directory to the container (so you can easily access all project files, modify config.jsonc, download and upload files from agents, etc.). For Linux replace ${pwd} with $(pwd).
cd Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 nimbo-dependencies

Easier Way

git clone https://github.com/itaymigdal/Nimbo-C2
cd Nimbo-C2/Nimbo-C2
docker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 itaymigdal/nimbo-dependencies

First, edit config.jsonc for your needs.

Then run with: python3 Nimbo-C2.py

Use the help command for each screen, and tab completion.

Also, check the examples directory.

Main Window

Nimbo-C2 > help

--== Agent ==--
agent list -> list active agents
agent interact -> interact with the agent
agent remove -> remove agent data

--== Builder ==--
build exe -> build exe agent (-h for help)
build dll -> build dll agent (-h for help)
build elf -> build elf agent (-h for help)

--== Listener ==--
listener start -> start the listener
listener stop -> stop the listener
listener status -> print the listener status

--== General ==--
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2


Agent Window

Windows agent

Nimbo-2 [d337c406] > help

--== Send Commands ==--
cmd -> execute a shell command
iex -> execute in-memory powershell command

--== File Stuff ==--
download -> download a file from the agent (wrap path with quotes)
upload -> upload a file to the agent (wrap paths with quotes)

--== Discovery Stuff ==--
pstree -> show process tree
checksec -> check for security products
software -> check for installed software

--== Collection Stuff ==--
clipboard -> retrieve clipboard
screenshot -> retrieve screenshot
audio -> record audio

--== Post Exploitation Stuff ==--
lsass -> dump lsass.exe [methods: direct,comsvcs] (elevation required)
sam -> dump sam,security,system hives using reg.exe (elevation required)
shellc -> inject shellcode to remote process
assembly -> execute .net assembly (pass all args as a single string using quotes)
warning: make sure the assembly doesn't call any exit function

--== Evasion Stuff ==--
unhook -> unhook ntdll.dll
amsi -> patch amsi out of the current process
etw -> patch etw out of the current process

--== Persistence Stuff ==--
persist run -> set run key (will try first hklm, then hkcu)
persist spe -> persist using silent process exit technique (elevation required)

--== Privesc Stuff ==--
uac fodhelper -> elevate session using the fodhelper uac bypass technique
uac sdclt -> elevate session using the sdclt uac bypass technique

--== Interaction stuff ==--
msgbox <text> -> pop a message box (blocking! waits for enter press)
speak <text> -> speak using sapi.spvoice com interface

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

Linux agent

Nimbo-2 [51a33cb9] > help

--== Send Commands ==--
cmd <shell-command> -> execute a terminal command

--== File Stuff ==--
download <remote-file> -> download a file from the agent (wrap path with quotes)
upload <local-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)

--== Post Exploitation Stuff ==--
memfd <mode> <elf-file> <commandline> -> load elf in-memory using the memfd_create syscall
implant mode: load the elf as a child process and return
task mode: load the elf as a child process, wait on it, and get its output when it's done
(pass the whole commandline as a single string using quotes)

--== Communication Stuff ==--
sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter
clear -> clear pending commands
collect -> recollect agent data
kill -> kill the agent (persistence will still take place)

--== General ==--
show -> show agent details
back -> back to main screen
cls -> clear the screen
help -> print this help message
exit -> exit Nimbo-C2

  • Even though the HTTP communication is encrypted, the ‘user-agent’ header is in plain text and carries the real agent id, which some products may flag as suspicious.
  • When using the assembly command, make sure your assembly doesn’t call any exit function, because it will kill the agent.
  • The shellc command may unexpectedly crash or change the injected process behavior; test the shellcode and the target process first.
  • The audio, lsass and sam commands temporarily save artifacts to disk before exfiltrating and deleting them.
  • Cleaning up after the persist commands should be done manually.
  • Specify whether to keep or kill the initiating agent process in the uac commands. The die flag may leave you with no active agent (if the unelevated agent thinks that the UAC bypass was successful, and it wasn’t); keep should leave you with 2 active agents probing the C2, and then you should manually kill the unelevated one.
  • msgbox is blocking until the user presses the OK button.

This software may be buggy or unstable in some use cases as it is not being fully and constantly tested. Feel free to open issues, PRs, and contact me for any reason at (Gmail | Linkedin | Twitter).

Credits

  • OffensiveNim (https://github.com/byt3bl33d3r/OffensiveNim) – Great resource that taught me a lot about leveraging Nim for implant tasks. Some of Nimbo-C2 agent capabilities are basically wrappers around OffensiveNim modified examples.
  • Python-Prompt-Toolkit-3 (https://github.com/prompt-toolkit/python-prompt-toolkit) – Awesome library for developing python CLI applications. Developed the Nimbo-C2 interactive console using this.
  • ascii-image-converter (https://github.com/TheZoraiz/ascii-image-converter) – For the awesome Nimbo ascii art.
  • All those random people from Github & Stackoverflow that I copy & pasted their code.

Source link: http://www.kitploit.com/2023/05/nimbo-c2-yet-another-simple-and.html
The Linux agent is slimer and capable only of basic commands, including ELF loading using the memfd technique.<\/p> <p dir=\"auto\">All server components are written in Python:<\/p> <ul dir=\"auto\"> <li>HTTP listener that manages the agents.<\/li> <li>Builder that generates the agent payloads.<\/li> <li>Nimbo-C2 is the interactive C2 component that rule'em all!<\/li> <\/ul> <p dir=\"auto\">My work wouldn't be possible without the previous great work done by others, listed under credits.<\/p><span><a name=\"more\"\/><\/span> <ul dir=\"auto\"> <li>Build EXE, DLL, ELF payloads.<\/li> <li>Encrypted implant configuration and strings using <a href=\"https:\/\/github.com\/itaymigdal\/NimProtect\" rel=\"nofollow noopener\" target=\"_blank\" title=\"NimProtect\">NimProtect<\/a>.<\/li> <li>Packing payloads using <a href=\"https:\/\/github.com\/upx\/upx\" rel=\"nofollow noopener\" target=\"_blank\" title=\"UPX\">UPX<\/a> and obfuscate the PE section names (<code>UPX0<\/code>, <code>UPX1<\/code>) to make detection and unpacking harder.<\/li> <li>Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable by the <code>config.jsonc<\/code>).<\/li> <li>Auto-completion in the C2 Console for convenient interaction.<\/li> <li>In-memory Powershell commands execution.<\/li> <li>File download and upload commands.<\/li> <li>Built-in discovery commands.<\/li> <li>Screenshot taking, clipboard stealing, audio recording.<\/li> <li>Memory evasion techniques like NTDLL unhooking, ETW & AMSI patching.<\/li> <li>LSASS and SAM hives dumping.<\/li> <li>Shellcode injection.<\/li> <li>Inline .NET <a href=\"https:\/\/www.kitploit.com\/search\/label\/Assemblies\" target=\"_blank\" title=\"assemblies\" rel=\"noopener\">assemblies<\/a> execution.<\/li> <li>Persistence capabilities.<\/li> <li>UAC bypass methods.<\/li> <li>ELF loading using memfd in 2 modes.<\/li> <li>And more !<\/li> <\/ul> <h2 dir=\"auto\" tabindex=\"-1\">Easy Way<\/h2> <ol dir=\"auto\"> <li>Clone the 
repository and <code>cd<\/code> in<\/li> <\/ol> <div><pre><code>git clone https:\/\/github.com\/itaymigdal\/Nimbo-C2<br\/>cd Nimbo-C2<br\/><\/code><\/pre><\/div> <ol dir=\"auto\" start=\"2\"> <li>Build the docker image<\/li> <\/ol> <div><pre><code>docker build -t nimbo-dependencies .<br\/><\/code><\/pre><\/div> <ol dir=\"auto\" start=\"3\"> <li><code>cd<\/code> again into the source files and run the docker image interactively, expose port 80 and mount Nimbo-C2 directory to the container (so you can easily access all project files, modify <code>config.jsonc<\/code>, download and upload files from agents, etc.). For Linux replace <code>${pwd}<\/code> with <code>$(pwd)<\/code>.<\/li> <\/ol> <div><pre><code>cd Nimbo-C2<br\/>docker run -it --rm -p 80:80 -v ${pwd}:\/Nimbo-C2 -w \/Nimbo-C2 nimbo-dependencies<br\/><\/code><\/pre><\/div> <h2 dir=\"auto\" tabindex=\"-1\">Easier Way<\/h2> <div><pre><code>git clone https:\/\/github.com\/itaymigdal\/Nimbo-C2<br\/>cd Nimbo-C2\/Nimbo-C2<br\/>docker run -it --rm -p 80:80 -v ${pwd}:\/Nimbo-C2 -w \/Nimbo-C2 itaymigdal\/nimbo-dependencies<br\/><\/code><\/pre><\/div> <p dir=\"auto\">First, edit <code>config.jsonc<\/code> for your needs.<\/p> <p dir=\"auto\">Then run with: <code>python3 Nimbo-C2.py<\/code><\/p> <p dir=\"auto\">Use the <code>help<\/code> command for each screen, and tab completion.<\/p> <p dir=\"auto\">Also, check the <a href=\"https:\/\/github.com\/itaymigdal\/Nimbo-C2\/blob\/main\/examples\" rel=\"nofollow noopener\" target=\"_blank\" title=\"examples\">examples<\/a> directory.<\/p> <h2 dir=\"auto\" tabindex=\"-1\">Main Window<\/h2> <div><pre><code>Nimbo-C2 > help<p>--== Agent ==--<br\/>agent list -> list active agents<br\/>agent interact <agent-id> -> interact with the agent<br\/>agent remove <agent-id> -> remove agent data<\/p><p>--== Builder ==--<br\/>build exe -> build exe agent (-h for help)<br\/>build dll -> build dll agent (-h for help)<br\/>build elf -> build elf agent (-h for help)<\/p><p>--== Listener 
==--<br\/>listener start -> start the listener<br\/>listener stop -> stop the listener<br\/>listener status -> print the listener status<\/p><p>--== General ==--<br\/>cls -> clear the screen<br\/>help -> print this help message<br\/>exit -> exit Nimbo-C2<br\/><\/p><\/code><\/pre> div> <h2 dir=\"auto\" tabindex=\"-1\">Agent Window<\/h2> <h3 dir=\"auto\" tabindex=\"-1\">Windows agent<\/h3> <div><pre><code>Nimbo-2 [d337c406] > help<p>--== Send Commands ==--<br\/>cmd <shell-command> -> execute a shell command<br\/>iex <powershell-scriptblock> -> execute in-memory powershell command<\/p><p>--== File Stuff ==--<br\/>download <remote-file> -> download a file from the agent (wrap path with quotes)<br\/>upload <loal-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)<\/p><p>--== Discovery Stuff ==--<br\/>pstree -> show process tree<br\/>checksec -> check for security products<br\/>software -> check for installed software<\/p><p>--== Collection Stuff ==--<br\/>clipboard -> retrieve clipboard<br\/>screenshot -> retrieve screenshot<br\/>audio <record-time> -> record audio<\/p><p>--== <a href=\"https:\/\/www.kitploit.com\/search\/label\/Post%20Exploitation\" target=\"_blank\" title=\"Post Exploitation\" rel=\"noopener\">Post Exploitation<\/a> Stuff ==--<br\/>lsass <method> -> dump lsass.exe [methods: direct,comsvcs] (elevation required)<br\/>sam -> dump sam,security,system hives using reg.exe (elevation required)<br\/>shellc <raw-shellcode-file> <pid> -> inject shellcode to remote process<br\/>assembly <local-assembly> <args> -> execute .net assembly (pass all args as a single string using quotes)<br\/>warning: make sure the assembly doesn't call any exit function<\/p><p>--== Evasion Stuff ==--<br\/>unhook -> unhook ntdll.dll<br\/>amsi -> patch amsi out of the current process<br\/>etw -> patch etw out of the current process<\/p><p>--== <a href=\"https:\/\/www.kitploit.com\/search\/label\/Persistence\" target=\"_blank\" title=\"Persistence\" 
rel=\"noopener\">Persistence<\/a> Stuff ==--<br\/>persist run <command> <key-name> -> set run key (will try first hklm, then hkcu)<br\/>persist spe <command> <process-name> -> persist using silent process exit technique (elevation required)<\/p><p>--== Privesc Stuff ==--<br\/>uac fodhelper <command> <keep\/die> -> elevate session using the fodhelper uac bypass technique<br\/>uac sdclt <command> <keep\/die> -> elevate session using the sdclt uac bypass technique<\/p><p>--== Interaction stuff ==--<br\/>msgbox <title> <text> -> pop a message box (blocking! waits for enter press)<br\/>speak <text> -> speak using sapi.spvoice com interface<\/p><p>--== Communication Stuff ==--<br\/>sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter<br\/>clear -> clear pending commands<br\/>collect -> recollect agent data<br\/>kill -> kill the agent (persistence will still take place)<\/p><p>--== General ==--<br\/>show -> show agent details<br\/>back -> back to main screen<br\/>cls -> clear the screen<br\/>help -> print this help message<br\/>exit -> exit Nimbo-C2<br\/><\/p><\/code><\/pre><\/div> <h3 dir=\"auto\" tabindex=\"-1\">Linux agent<\/h3> <div><pre><code>Nimbo-2 [51a33cb9] > help<p>--== Send Commands ==--<br\/>cmd <shell-command> -> execute a terminal command <\/p><p>--== File Stuff ==--<br\/>download <remote-file> -> download a file from the agent (wrap path with quotes)<br\/>upload <local-file> <remote-path> -> upload a file to the agent (wrap paths with quotes)<\/p><p>--== Post <a href=\"https:\/\/www.kitploit.com\/search\/label\/Exploitation\" target=\"_blank\" title=\"Exploitation\" rel=\"noopener\">Exploitation<\/a> Stuff ==--<br\/>memfd <mode> <elf-file> <commandline> -> load elf in-memory using the memfd_create syscall<br\/>implant mode: load the elf as a child process and return<br\/>task mode: load the elf as a child process, wait on it, and get its output when it's done<br\/>(pass the whole <a 
href=\"https:\/\/www.kitploit.com\/search\/label\/Commandline\" target=\"_blank\" title=\"commandline\" rel=\"noopener\">commandline<\/a> as a single string using quotes)<\/p><p>--== Communication Stuff ==--<br\/>sleep <sleep-time> <jitter-%> -> change sleep time interval and jitter<br\/>clear -> clear pending commands<br\/>collect -> recollect agent data<br\/>kill -> kill the agent (persistence will still take place)<\/p><p>--== General ==--<br\/>show -> show agent details<br\/>back -> back to main screen<br\/>cls -> clear the screen<br\/>help -> print this help message<br\/>exit -> exit Nimbo-C2<br\/><\/p><\/code> <\/pre><\/div> <ul dir=\"auto\"> <li>Even though the HTTP communication is encrypted, the 'user-agent' header is in plain text and it carries the real agent id, which some products may flag it suspicious.<\/li> <li>When using <code>assembly<\/code> command, make sure your assembly doesn't call any exit function because it will kill the agent.<\/li> <li><code>shellc<\/code> command may unexpectedly crash or change the injected process behavior, test the shellcode and the target process first.<\/li> <li><code>audio<\/code>, <code>lsass<\/code> and <code>sam<\/code> commands temporarily save artifacts to disk before exfiltrate and delete them.<\/li> <li>Cleaning the <code>persist<\/code> commands should be done manually.<\/li> <li>Specify whether to keep or kill the initiating agent process in the <code>uac<\/code> commands. <code>die<\/code> flag may leave you with no active agent (if the unelevated agent thinks that the UAC bypass was successful, and it wasn't), <code>keep<\/code> should leave you with 2 active agents probing the C2, then you should manually kill the unelevated.<\/li> <li><code>msgbox<\/code> is blocking, until the user will press the ok button.<\/li> <\/ul> <p dir=\"auto\">This software may be buggy or unstable in some use cases as it not being fully and constantly tested. 
Feel free to open issues, PR's, and contact me for any reason at (<a href=\"https:\/\/github.com\/itaymigdal\/Nimbo-C2\/blob\/main\/itaymigdal9@gmail.com\" rel=\"nofollow noopener\" target=\"_blank\" title=\"Gmail\">Gmail<\/a> | <a href=\"https:\/\/www.linkedin.com\/in\/itay-migdal-b91821116\/\" rel=\"nofollow noopener\" target=\"_blank\" title=\"Linkedin\">Linkedin<\/a> | <a href=\"https:\/\/twitter.com\/0xTheBruter\" rel=\"nofollow noopener\" target=\"_blank\" title=\"Twitter\">Twitter<\/a>).<\/p> <ul dir=\"auto\"> <li><a href=\"https:\/\/github.com\/byt3bl33d3r\/OffensiveNim\" rel=\"nofollow noopener\" target=\"_blank\" title=\"OffensiveNim\">OffensiveNim<\/a> - Great resource that taught me a lot about leveraging Nim for implant tasks. Some of Nimbo-C2 agent capabilities are basically wrappers around OffensiveNim modified examples.<\/li> <li><a href=\"https:\/\/github.com\/prompt-toolkit\/python-prompt-toolkit\" rel=\"nofollow noopener\" target=\"_blank\" title=\"Python-Prompt-Toolkit-3\">Python-Prompt-Toolkit-3<\/a> - Awsome library for developing python CLI applications. 
Developed the Nimbo-C2 interactive console using this.<\/li> <li><a href=\"https:\/\/github.com\/TheZoraiz\/ascii-image-converter\" rel=\"nofollow noopener\" target=\"_blank\" title=\"ascii-image-converter\">ascii-image-converter<\/a> - For the awsome Nimbo ascii art.<\/li> <li>All those random people from Github & Stackoverflow that I copy & pasted their code <p>\uf618<\/p>.<\/li> <\/ul> <\/div>\n<\/div><script async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><script>(function(d, s, id){var js, fjs = d.getElementsByTagName(s)[0];if (d.getElementById(id)) return;js = d.createElement(s); js.id = id;js.src = \"http:\/\/connect.facebook.net\/en_US\/sdk.js#xfbml=1&version=v2.5\";fjs.parentNode.insertBefore(js, fjs);}(document, 'script', 'facebook-jssdk'));<\/script>\r\n<br>[ad_2]\r\n<br><a href=\"http:\/\/www.kitploit.com\/2023\/05\/nimbo-c2-yet-another-simple-and.html\">Source link <\/a>","author":{"@type":"Person","name":"admin","url":"https:\/\/ethicalhackingnewshubb.com\/writer\/admin\/","sameAs":["https:\/\/ethicalhackingnewshubb.com"]},"articleSection":["News"],"image":{"@type":"ImageObject","url":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEi7QOYx_IoF5M2xDYW-pyk7QH8dV8r5QX1EdHg5ad7XOWvZw6wc4iC-n0cYnqh2_q4oGFaAcmV_Gn0f521Nx4kXWAdP4Q7Ge4MkaiubZHB1S1XU5w3Yl9AedausK87AZ1pOhcJ7qb6JQX-umDSYy5DX7HxF3eeLVrokyfZEN6h5B0MUWB4BGlofBIwxqg=w640-h563","width":1920,"height":0},"publisher":{"@type":"Organization","name":"","url":"https:\/\/ethicalhackingnewshubb.com","logo":{"@type":"ImageObject","url":""},"sameAs":[]}}</script> <script type='application/ld+json'>{"@context":"http:\/\/schema.org","@type":"hentry","entry-title":"C2 – Yet Another (Simple And Lightweight) C2 Framework","published":"2023-05-09 01:26:12","updated":"2023-05-09 01:26:12"}</script> <script 
type='application/ld+json'>{"@context":"http:\/\/schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"https:\/\/ethicalhackingnewshubb.com","name":"Home"}},{"@type":"ListItem","position":2,"item":{"@id":"https:\/\/ethicalhackingnewshubb.com\/category\/news\/","name":"News"}},{"@type":"ListItem","position":3,"item":{"@id":"https:\/\/ethicalhackingnewshubb.com","name":"Home"}},{"@type":"ListItem","position":4,"item":{"@id":"https:\/\/ethicalhackingnewshubb.com\/category\/news\/","name":"News"}}]}</script> <script type='text/javascript'> /* <![CDATA[ */ var wpforms_settings = {"val_required":"This field is required.","val_email":"Please enter a valid email address.","val_email_suggestion":"Did you mean {suggestion}?","val_email_suggestion_title":"Click to accept this suggestion.","val_email_restricted":"This email address is not allowed.","val_number":"Please enter a valid number.","val_number_positive":"Please enter a valid positive number.","val_confirm":"Field values do not match.","val_checklimit":"You have exceeded the number of allowed selections: {#}.","val_limit_characters":"{count} of {limit} max characters.","val_limit_words":"{count} of {limit} max words.","val_recaptcha_fail_msg":"Google reCAPTCHA verification failed, please try again later.","val_empty_blanks":"Please fill out all blanks.","uuid_cookie":"","locale":"en","wpforms_plugin_url":"https:\/\/ethicalhackingnewshubb.com\/core\/modules\/067a15d05a\/","gdpr":"","ajaxurl":"https:\/\/ethicalhackingnewshubb.com\/wp-admin\/admin-ajax.php","mailcheck_enabled":"1","mailcheck_domains":[],"mailcheck_toplevel_domains":["dev"],"is_ssl":"1"} /* ]]> */ </script> <script type="text/javascript">;!function(){"use strict";window.jnews=window.jnews||{},window.jnews.first_load=window.jnews.first_load||{},window.jnews.first_load=function(){var e=this,t=jnews.library,n="object"==typeof jnews&&"object"==typeof 
jnews.library;e.data=null,e.run_ajax=!0,e.run_loginregister=!0,e.clear=function(){e.run_ajax=!0,e.run_loginregister=!0,e.data=null},e.init=function(){n&&(t.globalBody.querySelectorAll(".jeg_popup_account").length&&jnews.loginregister&&e.run_loginregister&&(e.run_loginregister=!1,jnews.loginregister.init(),jnews.loginregister.hook_form()),jfla.length&&e.run_ajax&&(e.run_ajax=!1,e.do_ajax({action:"jnews_first_load_action",jnews_id:jnewsoption.postid,load_action:jfla})))},e.update_counter=function(){if(n){var o={total_view:t.globalBody.querySelectorAll(".jeg_share_stats .jeg_views_count .counts"),total_share:t.globalBody.querySelectorAll(".jeg_share_stats .jeg_share_count .counts"),total_comment:t.globalBody.querySelectorAll(".jeg_meta_comment a span")};t.forEach(Object.entries(e.data.counter),(function([e,n]){o[e].length&&t.forEach(o[e],(function(e,o){t.setText(e,n)}))}))}},e.do_ajax=function(o){if(n){var a=new XMLHttpRequest;a.onreadystatechange=function(){XMLHttpRequest.DONE===a.readyState&&200==a.status&&(e.data=JSON.parse(a.responseText),e.data.counter&&"object"==typeof e.data.counter&&e.update_counter())},a.open("POST",jnews_ajax_url,!0),a.setRequestHeader("Content-Type","application/x-www-form-urlencoded; charset=UTF-8"),a.send(t.httpBuildQuery(o))}}},window.jnews.first_load=new window.jnews.first_load,jnews.first_load.init()}();</script></body> </html>