NimPlant: light-weight first-stage C2 implant written in Nim
NimPlant – A light first-stage C2 implant written in Nim and Python
Feature Overview
- Lightweight and configurable implant wrote in the Nim programming language
- Pretty web GUI that will make you look cool during all your ops
- Encryption and compression of all traffic by default obfuscates static strings in implant artifacts
- Support for several implant types, including native binaries (exe/dll), shellcode, or self-deleting executables
- Wide selection of commands focused on early-stage operations including local enumeration, file or registry management, and web interactions
- Easy deployment of more advanced functionality or payloads via inline-execute, shinject (using dynamic invocation), or in-thread execute-assembly
- Support for operations on any platform, implant only targeting x64 Windows for now
- Comprehensive logging of all interactions and file operations
- Much, much more, just see below 🙂
Configuration
Before using NimPlant, create the configuration file config.toml. It is recommended to copy the config.toml.example and work from there.
An overview of the settings is provided below.
Category | Setting | Description |
---|---|---|
server | ip | The IP that the C2 web server (including API) will listen on. Recommended to use 127.0.0.1, only use 0.0.0.0 when you have setup proper firewall or routing rules to protect the C2. |
server | port | The port that the C2 web server (including API) will listen on. |
listener | type | The listener type, either HTTP or HTTPS. HTTPS options configured below. |
listener | sslCertPath | The local path to a HTTPS certificate file (e.g. requested via LetsEncrypt CertBot or self-signed). Ignored when listener type is ‘HTTP’. |
listener | sslKeyPath | The local path to the corresponding HTTPS certificate private key file. Password will be prompted when running the NimPlant server if set. Ignored when listener type is ‘HTTP’. |
listener | hostname | The listener hostname. If not empty (“”), NimPlant will use this hostname to connect. Make sure you are properly routing traffic from this host to the NimPlant listener port. |
listener | ip | The listener IP. Required even if ‘hostname’ is set, as it is used by the server to register on this IP. |
listener | port | The listener port. Required even if ‘hostname’ is set, as it is used by the server to register on this port. |
listener | registerPath | The URI path that new NimPlants will register with. |
listener | taskPath | The URI path that NimPlants will get tasks from. |
listener | resultPath | The URI path that NimPlants will submit results to. |
nimplant | riskyMode | Compile NimPlant with support for risky commands. Operator discretion advised. Disabling will remove support for execute-assembly , powershell , shell and shinject . |
nimplant | sleepMask | Whether or not to use Ekko sleep mask instead of regular sleep calls for Nimplants. Only works with regular executables for now! |
nimplant | sleepTime | The default sleep time in seconds for new NimPlants. |
nimplant | sleepJitter | The default jitter in percent for new NimPlants. |
nimplant | killDate | The kill date for Nimplants (format: yyyy-MM-dd). Nimplants will exit if this date has passed. |
nimplant | userAgent | The user-agent used by NimPlants. The server also uses this to validate NimPlant traffic, so it is recommended to choose a UA that is inconspicuous, but not too prevalent. |
Install & Use
Copyright (c) 2022 Cas van Cooten (@chvancooten)