NimPlant: light-weight first-stage C2 implant written in Nim

NimPlant – A light first-stage C2 implant written in Nim and Python

 


Feature Overview

  • Lightweight and configurable implant written in the Nim programming language
  • Pretty web GUI that will make you look cool during all your ops
  • Encryption and compression of all traffic by default; static strings in implant artifacts are obfuscated
  • Support for several implant types, including native binaries (exe/dll), shellcode, or self-deleting executables
  • Wide selection of commands focused on early-stage operations including local enumeration, file or registry management, and web interactions
  • Easy deployment of more advanced functionality or payloads via inline-execute, shinject (using dynamic invocation), or in-thread execute-assembly
  • Support for operations on any platform, implant only targeting x64 Windows for now
  • Comprehensive logging of all interactions and file operations
  • Much, much more, just see below 🙂

Configuration

Before using NimPlant, create the configuration file config.toml. It is recommended to copy the config.toml.example and work from there.

An overview of the settings is provided below.

| Category | Setting | Description |
|---|---|---|
| server | ip | The IP that the C2 web server (including API) will listen on. Recommended to use 127.0.0.1, only use 0.0.0.0 when you have set up proper firewall or routing rules to protect the C2. |
| server | port | The port that the C2 web server (including API) will listen on. |
| listener | type | The listener type, either HTTP or HTTPS. HTTPS options configured below. |
| listener | sslCertPath | The local path to a HTTPS certificate file (e.g. requested via LetsEncrypt CertBot or self-signed). Ignored when listener type is ‘HTTP’. |
| listener | sslKeyPath | The local path to the corresponding HTTPS certificate private key file. Password will be prompted when running the NimPlant server if set. Ignored when listener type is ‘HTTP’. |
| listener | hostname | The listener hostname. If not empty (“”), NimPlant will use this hostname to connect. Make sure you are properly routing traffic from this host to the NimPlant listener port. |
| listener | ip | The listener IP. Required even if ‘hostname’ is set, as it is used by the server to register on this IP. |
| listener | port | The listener port. Required even if ‘hostname’ is set, as it is used by the server to register on this port. |
| listener | registerPath | The URI path that new NimPlants will register with. |
| listener | taskPath | The URI path that NimPlants will get tasks from. |
| listener | resultPath | The URI path that NimPlants will submit results to. |
| nimplant | riskyMode | Compile NimPlant with support for risky commands. Operator discretion advised. Disabling will remove support for execute-assembly, powershell, shell and shinject. |
| nimplant | sleepMask | Whether or not to use Ekko sleep mask instead of regular sleep calls for NimPlants. Only works with regular executables for now! |
| nimplant | sleepTime | The default sleep time in seconds for new NimPlants. |
| nimplant | sleepJitter | The default jitter in percent for new NimPlants. |
| nimplant | killDate | The kill date for NimPlants (format: yyyy-MM-dd). NimPlants will exit if this date has passed. |
| nimplant | userAgent | The user-agent used by NimPlants. The server also uses this to validate NimPlant traffic, so it is recommended to choose a UA that is inconspicuous, but not too prevalent. |
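
For defenders, the sleepTime and sleepJitter settings above mean an implant checks in at a base interval varied by a percentage, a pattern that can be looked for in web proxy logs. The following Python example is added here and is not part of NimPlant; the log format, addresses, hostnames, paths and the 25% threshold are constructed, and it assumes jitter keeps every gap within a fixed percentage of the base sleep time.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log (not real traffic): timestamp, client IP, host, URI path.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:10 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:19 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:31 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:39 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:50 10.0.0.5 cdn.example.net /poll
2024-01-01T09:01:00 10.0.0.5 cdn.example.net /poll
2024-01-01T09:00:00 10.0.0.9 news.example.org /
2024-01-01T09:00:02 10.0.0.9 news.example.org /style.css
2024-01-01T09:00:47 10.0.0.9 news.example.org /world
2024-01-01T09:00:50 10.0.0.9 news.example.org /img/a.png
2024-01-01T09:02:50 10.0.0.9 news.example.org /sport
2024-01-01T09:02:57 10.0.0.9 news.example.org /img/b.png
2024-01-01T09:03:27 10.0.0.9 news.example.org /weather
"""

def group_times(log):
    """Collect request timestamps per (client, host) pair."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, _path = line.split()
        times[(client, host)].append(datetime.fromisoformat(ts))
    return times

# max_jitter_pct and min_requests are assumed analyst thresholds, not NimPlant values.
def beacon_candidates(log, max_jitter_pct=25.0, min_requests=6):
    """Return {(client, host): (median_gap_s, spread_pct)} for steady check-ins."""
    hits = {}
    for pair, stamps in group_times(log).items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if mid <= 0:
            continue
        # Largest deviation of any gap from the median, as a percentage.
        spread = max(abs(g - mid) for g in gaps) / mid * 100
        if spread <= max_jitter_pct:
            hits[pair] = (mid, round(spread, 1))
    return hits

if __name__ == "__main__":
    print(beacon_candidates(SAMPLE_LOG))
```

Only the evenly spaced client/host pair is reported; the browsing-style pair is skipped because its gaps stray far from their median.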

Install & Use

Copyright (c) 2022 Cas van Cooten (@chvancooten)