{"id":13576376,"url":"https://github.com/itaymigdal/Nimbo-C2","last_synced_at":"2025-04-05T05:31:39.375Z","repository":{"id":62274272,"uuid":"548014001","full_name":"itaymigdal/Nimbo-C2","owner":"itaymigdal","description":"Nimbo-C2 is yet another (simple and lightweight) C2 framework","archived":false,"fork":false,"pushed_at":"2024-10-20T10:44:20.000Z","size":1417,"stargazers_count":354,"open_issues_count":0,"forks_count":44,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-11-05T12:33:32.071Z","etag":null,"topics":["c2","c2-framework","command-and-control","payload-generator","penetration-testing-tools","pentesting-tools","rat","red-team","red-team-tools"],"latest_commit_sha":null,"homepage":"","language":"Nim","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itaymigdal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-08T19:02:58.000Z","updated_at":"2024-11-02T11:52:18.000Z","dependencies_parsed_at":"2023-02-05T09:30:39.586Z","dependency_job_id":"dccb3dda-ec9b-45cb-ae06-390564dca136","html_url":"https://github.com/itaymigdal/Nimbo-C2","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itaymigdal%2FNimbo-C2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itaymigdal%2FNimbo-C2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itaymigdal%2FNimbo-C2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/itaymigdal%2FNimbo-C2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itaymigdal","download_url":"https://codeload.github.com/itaymigdal/Nimbo-C2/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247294468,"owners_count":20915335,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c2","c2-framework","command-and-control","payload-generator","penetration-testing-tools","pentesting-tools","rat","red-team","red-team-tools"],"created_at":"2024-08-01T15:01:09.719Z","updated_at":"2025-04-05T05:31:34.361Z","avatar_url":"https://github.com/itaymigdal.png","language":"Nim","funding_links":[],"categories":["Nim"],"sub_categories":[],"readme":"\r\n# Nimbo-C2\r\n\r\n\u003cp align=\"center\"\u003e\r\n  \u003cimg alt=\"Nimbo\" src=\"/assets/nimbo.png\"\u003e\r\n\u003c/p\u003e\r\n\r\n- [Nimbo-C2](#nimbo-c2)\r\n- [About](#about)\r\n- [Features](#features)\r\n- [Installation](#installation)\r\n  - [Easy Way](#easy-way)\r\n  - [Easier Way](#easier-way)\r\n- [Usage](#usage)\r\n  - [Main Window](#main-window)\r\n  - [Agent Window](#agent-window)\r\n    - [Windows agent](#windows-agent)\r\n    - [Linux agent](#linux-agent)\r\n- [Limitations \\\u0026 Warnings](#limitations--warnings)\r\n- [Contribution](#contribution)\r\n- [Credits](#credits)\r\n\r\n# About\r\n\r\n*Nimbo-C2 is yet another (simple and lightweight) C2 framework.*\r\n\r\n![](/assets/ui.png)\r\n\r\nNimbo-C2 agent supports x64 Windows \u0026 Linux. 
It's written in Nim, with some usage of .NET on Windows (by dynamically loading the CLR to the process). Nim is powerful, but interacting with Windows is much easier and more robust using PowerShell, hence this combination. The Linux agent is slimmer and capable only of basic commands, including ELF loading using the `memfd` technique.\r\n\r\nAll server components are written in Python:\r\n- HTTP listener that manages the agents.\r\n- Builder that generates the agent payloads. \r\n- Nimbo-C2 is the interactive C2 component that rules them all!\r\n\r\nMy work wouldn't be possible without the previous great work done by others, listed under credits.\r\n\r\n# Features\r\n\r\n- Build EXE, DLL, ELF payloads.\r\n- Encrypted implant configuration and strings using [NimProtect](https://github.com/itaymigdal/NimProtect).\r\n- Packing payloads using [UPX](https://github.com/upx/upx) and obfuscating the PE section names (`UPX0`, `UPX1`) to make detection and unpacking harder.\r\n- Encrypted HTTP communication (AES in CBC mode, key hardcoded in the agent and configurable by the `config.jsonc`).\r\n- Auto-completion in the C2 Console for convenient interaction.  \r\n- In-memory PowerShell commands execution.\r\n- File download and upload commands.\r\n- Built-in discovery commands.\r\n- Screenshot taking, clipboard stealing, audio recording, and keylogger.\r\n- ETW \u0026 AMSI patching using indirect syscalls.\r\n- LSASS and SAM hives dumping. 
\r\n- Shellcode injection using indirect syscalls.\r\n- Inline .NET assemblies execution.\r\n- Persistence capabilities.\r\n- UAC bypass methods.\r\n- Setting implant process as critical (BSOD on termination).\r\n- ELF loading using `memfd` in 2 modes.\r\n- And more !\r\n\r\n# Installation\r\n\r\n**Warning: Nimbo-C2 is meant to be run only within the provided Docker container**\r\n\r\n## Easy Way\r\n\r\n\u003e Note that installing this way may cause problems or incompatibility in the future as the Docker image now doesn't enforce language and library versions, so consider skipping to the next method. \r\n\r\n1. Clone the repository and `cd` in\r\n```\r\ngit clone https://github.com/itaymigdal/Nimbo-C2\r\ncd Nimbo-C2\r\n```\r\n2. Build the docker image\r\n```\r\ndocker build -t nimbo-dependencies .\r\n```\r\n3. `cd` again into the source files and run the docker image interactively, expose port 80 and mount Nimbo-C2 directory to the container (so you can easily access all project files, modify `config.jsonc`, download and upload files from agents, etc.). 
For Linux replace `${pwd}` with `$(pwd)`.\r\n```\r\ncd Nimbo-C2\r\ndocker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 nimbo-dependencies\r\n```\r\n## Easier Way\r\n\r\n \u003e Here we're using the already built, tested and stored Docker image - **recommended**.\r\n\r\n```\r\ngit clone https://github.com/itaymigdal/Nimbo-C2\r\ncd Nimbo-C2/Nimbo-C2\r\ndocker run -it --rm -p 80:80 -v ${pwd}:/Nimbo-C2 -w /Nimbo-C2 itaymigdal/nimbo-dependencies\r\n```\r\n\r\n# Usage\r\n\r\nFirst, edit `config.jsonc` for your needs.\r\n\r\nThen run with: `python3 Nimbo-C2.py`\r\n\r\nUse the `help` command for each screen, and tab completion.\r\n\r\nAlso, check the [examples](/examples) directory.\r\n\r\n## Main Window\r\n\r\n```\r\nNimbo-C2 \u003e help\r\n\r\n    --== Agent ==--\r\n    agent list                    -\u003e  List active agents\r\n    agent interact \u003cagent-id\u003e     -\u003e  Interact with the agent\r\n    agent remove \u003cagent-id\u003e       -\u003e  Remove agent data\r\n    \r\n    --== Builder ==--\r\n    build exe                     -\u003e  Build EXE agent (-h for help)\r\n    build dll                     -\u003e  Build DLL agent (-h for help)\r\n    build elf                     -\u003e  Build ELF agent (-h for help)\r\n\r\n    --== Listener ==--\r\n    listener start                -\u003e  Start the listener\r\n    listener stop                 -\u003e  Stop the listener\r\n    listener status               -\u003e  Print the listener status\r\n    \r\n    --== General ==--\r\n    cls                           -\u003e  Clear the screen\r\n    help                          -\u003e  Print this help message\r\n    exit                          -\u003e  Exit Nimbo-C2\r\n```\r\n\r\n## Agent Window\r\n\r\n### Windows agent\r\n```\r\nNimbo-C2 [d337c406] \u003e help\r\n\r\n    --== Send Commands ==--\r\n    cmd \u003cshell-command\u003e                    -\u003e  Execute a shell command \r\n    iex \u003cpowershell-scriptblock\u003e           
-\u003e  Execute in-memory powershell command\r\n    spawn \u003cprocess-cmdline\u003e                -\u003e  Spawn new process using WMI win32_process class\r\n    \r\n    --== File Stuff ==--\r\n    download \u003cremote-file\u003e                 -\u003e  Download a file from the agent (wrap path with quotes)\r\n    upload \u003clocal-file\u003e \u003cremote-path\u003e      -\u003e  Upload a file to the agent (wrap paths with quotes)\r\n    \r\n    --== Discovery Stuff ==--\r\n    pstree                                 -\u003e  Show process tree\r\n    checksec                               -\u003e  Enum security products\r\n    software                               -\u003e  Enum installed software\r\n    windows                                -\u003e  Enum visible windows\r\n    modules                                -\u003e  Enum process loaded modules (exclude Microsoft Dlls)\r\n    modules_full                           -\u003e  Enum process loaded modules (include Microsoft Dlls)\r\n    \r\n    --== Collection Stuff ==--\r\n    clipboard                              -\u003e  Retrieve clipboard\r\n    screenshot                             -\u003e  Retrieve screenshot\r\n    audio \u003crecord-time\u003e                    -\u003e  Record audio (waits for completion)\r\n    keylog start                           -\u003e  Start a keylogger in a new thread\r\n    keylog dump                            -\u003e  Retrieve captured keystrokes\r\n    keylog stop                            -\u003e  Retrieve captured keystrokes and stop the keylogger\r\n    \r\n    --== Post Exploitation Stuff ==--\r\n    lsass examine                          -\u003e  Examine Lsass protections\r\n    lsass direct                           -\u003e  Dump Lsass directly (elevation required)\r\n    lsass comsvcs                          -\u003e  Dump Lsass using Rundll32 and Comsvcs.dll (elevation required)\r\n    lsass eviltwin                         -\u003e  Dump Lsass using the 
Evil Lsass Twin method (elevation required)\r\n    sam                                    -\u003e  Dump sam,security,system hives using reg.exe (elevation required)\r\n    shellc \u003craw-shellcode-file\u003e \u003cpid\u003e      -\u003e  Inject shellcode to a remote process using indirect syscalls\r\n    assembly \u003clocal-assembly\u003e \u003cargs\u003e       -\u003e  Execute inline .NET assembly (pass all args as a single quoted string)\r\n    \r\n    --== Evasion Stuff ==--\r\n    patch amsi                             -\u003e  Patch AMSI using indirect syscalls\r\n    patch etw                              -\u003e  Patch ETW using indirect syscalls\r\n    \r\n    --== Persistence Stuff ==--\r\n    persist run \u003ccommand\u003e \u003ckey-name\u003e       -\u003e  Set run key (will try first HKLM, then HKCU)\r\n    persist spe \u003ccommand\u003e \u003cprocess-name\u003e   -\u003e  Persist using Silent Process Exit technique (elevation required)\r\n    \r\n    --== Privesc Stuff ==--\r\n    uac fodhelper \u003ccommand\u003e                -\u003e  Elevate session using the Fodhelper UAC bypass technique\r\n    uac sdclt \u003ccommand\u003e                    -\u003e  Elevate session using the Sdclt UAC bypass technique\r\n    \r\n    --== Interaction stuff ==--\r\n    msgbox \u003ctitle\u003e \u003ctext\u003e                  -\u003e  Pop a message box in a new thread\r\n    speak \u003ctext\u003e                           -\u003e  Speak a string using the microphone\r\n    \r\n    --== Misc stuff ==--\r\n    critical \u003ctrue/false\u003e                  -\u003e Set agent process as critical (BSOD on termination) (elevation required)\r\n    \r\n    --== Communication Stuff ==--\r\n    sleep \u003csleep-time\u003e \u003cjitter-%\u003e          -\u003e  Change sleep time interval and jitter\r\n    clear                                  -\u003e  Clear pending commands\r\n    collect                                -\u003e  Recollect agent data\r\n    die     
                               -\u003e  Kill the agent\r\n    \r\n    --== General ==--\r\n    show                                   -\u003e  Show agent details\r\n    back                                   -\u003e  Back to main screen\r\n    cls                                    -\u003e  Clear the screen\r\n    help                                   -\u003e  Print this help message\r\n    exit                                   -\u003e  Exit Nimbo-C2\r\n```\r\n### Linux agent\r\n```\r\nNimbo-2 [51a33cb9] \u003e help\r\n\r\n    --== Send Commands ==--\r\n    cmd \u003cshell-command\u003e                    -\u003e  Execute a terminal command \r\n    \r\n    --== File Stuff ==--\r\n    download \u003cremote-file\u003e                 -\u003e  Download a file from the agent (wrap path with quotes)\r\n    upload \u003clocal-file\u003e \u003cremote-path\u003e      -\u003e  Upload a file to the agent (wrap paths with quotes)\r\n    \r\n    --== Post Exploitation Stuff ==--\r\n    memfd \u003cmode\u003e \u003celf-file\u003e \u003ccommandline\u003e  -\u003e  Load ELF in-memory using the memfd_create syscall\r\n                                               implant mode: load the ELF as a child process and return\r\n                                               task mode: load the ELF as a child process, wait on it, and get its output when it's done\r\n                                               (pass the whole command line as a single quoted string)\r\n    \r\n    --== Communication Stuff ==--\r\n    sleep \u003csleep-time\u003e \u003cjitter-%\u003e          -\u003e  Change sleep time interval and jitter\r\n    clear                                  -\u003e  Clear pending commands\r\n    collect                                -\u003e  Recollect agent data\r\n    die                                    -\u003e  Kill the agent\r\n    \r\n    --== General ==--\r\n    show                                   -\u003e  Show agent details\r\n    back                            
       -\u003e  Back to main screen\r\n    cls                                    -\u003e  Clear the screen\r\n    help                                   -\u003e  Print this help message\r\n    exit                                   -\u003e  Exit Nimbo-C2\r\n```\r\n\r\n# Limitations \u0026 Warnings\r\n- Even though the HTTP communication is encrypted, the 'user-agent' header is in plain text and it carries the real agent id, which some products may flag as suspicious.\r\n- `audio`, `lsass` (except the Evil Lsass Twin method) and `sam` commands temporarily save artifacts to disk before exfiltrating and deleting them.\r\n- Cleaning the `persist` commands should be done manually.\r\n\r\n# Contribution\r\nThis software may be buggy or unstable in some use cases as it is not being fully and constantly tested.\r\nFeel free to open issues, PR's, and contact me for any reason at ([Gmail](itaymigdal9@gmail.com) | [Linkedin](https://www.linkedin.com/in/itay-migdal-b91821116/) | [Twitter](https://twitter.com/0xTheBruter)).\r\n\r\n# Credits\r\n- [OffensiveNim](https://github.com/byt3bl33d3r/OffensiveNim) - Great resource that taught me a lot about leveraging Nim for implant tasks. Some of Nimbo-C2 agent capabilities are basically wrappers around OffensiveNim modified examples.\r\n- [Python-Prompt-Toolkit-3](https://github.com/prompt-toolkit/python-prompt-toolkit) - Awesome library for developing python CLI applications. 
Developed the Nimbo-C2 interactive console using this.\r\n- [ascii-image-converter](https://github.com/TheZoraiz/ascii-image-converter) - For the awesome Nimbo ascii art.\r\n- [NimlineWhispers3](https://github.com/klezVirus/NimlineWhispers3) - For the Nim indirect syscalls.\r\n- [EvilLsassTwin](https://github.com/RePRGM/Nimperiments/tree/main/EvilLsassTwin) - Great method to dump lsass evasively.\r\n- [RuBublik](https://github.com/RuBublik) - For the improved screenshot.\r\n- All those random people from Github \u0026 Stackoverflow that I copy \u0026 pasted their code :kissing_heart:.\r\n\r\n\r\n  \r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitaymigdal%2FNimbo-C2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitaymigdal%2FNimbo-C2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitaymigdal%2FNimbo-C2/lists"}