Ninja - Open source C2 server created for stealth red team operations


Quick update (01/06/2022): Follina exploitation was added. NinjaC2 generates the document and serves the HTML payload.

More information: https://www.linkedin.com/posts/ahmed-khlief-499321a7_i-just-pushed-a-quick-update-to-ninjac2-to-activity-6937661951007170560-Tmps

Ninja V2.2 was released on 27/03/2022.

New features include (check the project's URL for more information on the features and on how to use the AWS EC2 automation):

  1. New user interface for the CnC script.
  2. Each campaign now includes all the files related to the campaign and its configuration file.
  3. New script that automates AWS instance creation with the NinjaC2 configuration.
  4. Updated the Invoke-Mimikatz PowerShell script to the latest Mimikatz release.
  5. Bug fixes.

Ninja V2.1 was released on 31/07/2021.

Check the new features here: https://shells.systems/ninjac2-v2-1-new-webshell-agent-more-features-and-updated-av-bypass/

Ninja V2.0 was released on 16/04/2021.

Ninja V2.0 was rebuilt on Python 3 with new features:

  1. Payload variable obfuscation each time the payload is requested, to bypass AV.
  2. Shellcode generation using nasm and donut.
  3. New migrate command for process migration.
  4. New persistence command using scheduled tasks.
  5. New pre-compiled Mimikatz PowerShell version.
  6. New payloads.
  7. Updated AMSI bypass script.

Ninja C2 is an open source C2 server created by Purple Team to do stealthy computer and Active Directory enumeration without being detected by SIEMs and AVs. Ninja is still in beta; the stable release will add many more stealth and anti-forensic techniques, giving the blue team a real challenge to verify that all defenses are configured correctly and that they can detect sophisticated attacks.

Ninja uses Python to serve the payload and control the agents. The agents are written in C# and PowerShell and can bypass leading AVs. Ninja communicates with the agents over a channel encrypted with AES-256; the key is not hardcoded but generated randomly when the campaign starts, every agent that connects to the C2 receives the key, and if the C2 is restarted a new key is used by all agents, old and new. Ninja also randomizes the callback URLs for every campaign to bypass static detection.
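The paragraph above makes a defender-relevant point: the callback URLs change per campaign, so a signature on the path is brittle, but a polling agent with a configured beacon interval still produces near-constant gaps between requests to one destination. The following added example (written for this page, not code from the Ninja project) shows how to surface that timing regularity from proxy logs. The log format, the client and destination addresses (documentation ranges) and the thresholds are all constructed assumptions; the script groups requests by (client, destination), ignores the path entirely, and flags pairs with many requests and a low coefficient of variation of the inter-request gap.

```python
"""Beacon detection from proxy logs by timing regularity.

Added defender-side example, not part of the Ninja project. A polling agent
contacts its C2 at a roughly fixed interval no matter which URL path it asks
for, so we score each (client, destination) pair by how tightly its
inter-request gaps cluster, using stdev / mean (coefficient of variation).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): ISO timestamp, client IP,
# destination, requested path. 10.0.0.5 polls 203.0.113.10 every ~60 s with a
# few seconds of jitter and a different path each time; 10.0.0.7 browses
# 198.51.100.20 at irregular human-like intervals.
SAMPLE_LOG = """\
2022-07-15T10:00:00 10.0.0.5 203.0.113.10 /images/logo.png
2022-07-15T10:00:05 10.0.0.7 198.51.100.20 /
2022-07-15T10:00:10 10.0.0.7 198.51.100.20 /css/site.css
2022-07-15T10:00:50 10.0.0.7 198.51.100.20 /article/42
2022-07-15T10:01:01 10.0.0.5 203.0.113.10 /news/feed
2022-07-15T10:01:59 10.0.0.5 203.0.113.10 /api/status
2022-07-15T10:03:02 10.0.0.5 203.0.113.10 /blog/post
2022-07-15T10:04:00 10.0.0.5 203.0.113.10 /assets/main.js
2022-07-15T10:04:58 10.0.0.5 203.0.113.10 /login
2022-07-15T10:05:50 10.0.0.7 198.51.100.20 /article/43
2022-07-15T10:05:53 10.0.0.7 198.51.100.20 /img/hero.jpg
2022-07-15T10:06:01 10.0.0.5 203.0.113.10 /contact
2022-07-15T10:07:00 10.0.0.5 203.0.113.10 /search?q=x
2022-07-15T10:07:53 10.0.0.7 198.51.100.20 /article/44
2022-07-15T10:08:00 10.0.0.7 198.51.100.20 /favicon.ico
"""


def parse_log(text):
    """Yield (timestamp, client, destination) per well-formed line; the path is ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def find_beacons(log_text, min_requests=6, max_cv=0.1):
    """Return suspected beacons as a list of dicts, lowest coefficient of variation first.

    min_requests guards against scoring a pair on one or two gaps; max_cv is the
    tolerated jitter (0.1 means the gap stdev is at most 10% of the mean gap).
    """
    times = defaultdict(list)
    for ts, client, dest in parse_log(log_text):
        times[(client, dest)].append(ts)

    hits = []
    for (client, dest), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "client": client,
                "destination": dest,
                "requests": len(stamps),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    hits.sort(key=lambda h: h["cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Only the polling host is reported: its seven gaps average 60 s with a coefficient of variation around 0.04, while the browsing host has as many requests but wildly varying gaps. Operators can widen the jitter to push the score above the threshold, so in practice this signal is combined with others (constant response sizes, a user agent that never changes, destinations with no prior history) rather than used alone.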

  1. The main feature in Ninja is DA (Defense Analysis), which performs the enumeration needed to collect the information below and analyzes it to produce a score for system defenses and sandbox detection.
  2. Detect SIEM solutions: currently it detects Splunk, Log beat collector and Sysmon.
  3. Detect AV in two ways: via a PowerShell command and via running processes.
  4. Check whether PowerShell logging is enabled.
  5. Check whether the user has admin privileges.
  6. Provide information about the system: host name, OS, build number, local time, time zone, last boot, and BIOS.
  7. Provide information about the installed security updates.
  8. Provide a system pwn hardness score based on multiple factors.
  9. Provide a sandbox detection score based on privileges, BIOS manufacturer, domain membership, and the presence of Sysinternals processes.
  10. Show all domain users (using PowerShell commands).
  11. Show all domain groups (using PowerShell commands).
  12. Show all domain computers (using powerview.ps1, taken from: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1).
  13. Show available shares.

Ninja is designed to be easy to set up, to extend with more commands, and to automate boring tasks. You will find many short commands that a red teamer struggles to memorize and has to search for. Please check this article to learn more about Ninja: https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/

Ninja key features

Ninja is packed with features that give you insight into your upcoming engagement before you actually need to deploy your full arsenal of tools and techniques, such as:

  • Defense Analysis.
  • Automation for the Kerberoast attack, from generating the Kerberos tickets to extracting the SPN hashes in hashcat format.
  • Automation for DCSync to get hashes for a list of users or for the Domain Admins group.
  • Undetected automation to list the groups a user belongs to and the users that are members of a group.
  • Automation for BloodHound AD data collection.
  • Customized C# payloads that encrypt strings to bypass static detection.
  • Encode any command you want to Unicode base64 for use in PowerShell encoded commands.
  • Full encryption of all communications between the agent and the command and control to bypass AV and IPS detection.
  • Dynamic URLs for all functions: just provide your list of URL names and the C2 will use them randomly to bypass any static detection.
  • Get a random encryption key on the fly (not hardcoded) every time the agent connects (even a reconnection needs a new key).
  • Take screenshots and send them encrypted to the C2.
  • Upload files from the C2 to the victim, encrypted to bypass AV and IPS.
  • Download files from the victim, encrypted to bypass AV and IPS.
  • Staged payloads to bypass detection (base64 and base52).
  • Bypasses AVs (tested on Kaspersky and Trend Micro).
  • Bypasses SIEM detection (tested on Splunk collecting the usual event logs along with Sysmon logs); not tested on PowerShell v5 script block and module logging (will be done in the next release).
  • Set the beacon interval dynamically, even after the agent has connected, and provide a starting beacon interval in the campaign start configuration.
  • Logging of all commands and results, so you can return to any data you missed during your operation.
  • Set the configuration once when you start the campaign and enjoy it.
  • Global kill switches to end campaigns.
  • Delete table entries.
  • All payloads are written to the payloads folder for easy access and further customization.
  • Easy to add automation for any command you want.
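Two of the bullets above matter to the blue team: commands are shipped to PowerShell as Unicode (UTF-16LE) base64 so that they survive as `-EncodedCommand` arguments, and the README itself notes that script block and module logging were not tested. Process-creation events (Windows 4688, Sysmon Event ID 1) record that command line verbatim, so an analyst's first step is to decode it. The following added example (written for this page, not code from the Ninja project) does that over constructed sample command lines; the sample script, the events and the helper names are assumptions, and the switch handling relies on the documented PowerShell behaviour of accepting any unambiguous prefix of a parameter name (-e, -ec, -enc and so on).

```python
"""Decoding PowerShell -EncodedCommand arguments from process-creation logs.

Added defender-side example, not part of the Ninja project. -EncodedCommand
expects base64 over the UTF-16LE encoding of the script; this helper finds the
argument in a recorded command line and returns the plaintext script so the
content can be read, matched and alerted on.
"""
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of a parameter name, so -e, -en,
# -enc, ... -EncodedCommand all select EncodedCommand. Build the alternation
# once, longest prefix first; -ExecutionPolicy / -Exec do not match because
# "ex" is not a prefix of "encodedcommand" and "-e" must be followed by space.
_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)]
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(reversed(_PREFIXES)) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the raw base64 argument of the encoded-command switch, if present."""
    match = _ENC_RE.search(cmdline)
    return match.group(1) if match else None


def decode_encoded_command(b64: str) -> str:
    """Reverse the transform -EncodedCommand expects: base64, then UTF-16LE."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def decode_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the decoded script for a command line, or None if there is no
    encoded-command switch or the argument is not valid base64 / UTF-16LE."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return None
    try:
        return decode_encoded_command(b64)
    except ValueError:  # binascii.Error and UnicodeDecodeError are both subclasses
        return None


# Constructed sample: a harmless command, encoded exactly the way
# -EncodedCommand expects it, placed in three made-up command lines.
SAMPLE_SCRIPT = "Get-Process | Select-Object Name, Id"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc " + SAMPLE_B64,
    "powershell.exe -e " + SAMPLE_B64,
    "powershell.exe -File C:\\Scripts\\inventory.ps1",
]


def decode_events(events: List[str]) -> List[Optional[str]]:
    """Decode every command line in a batch; None marks lines with nothing to decode."""
    return [decode_from_cmdline(event) for event in events]


if __name__ == "__main__":
    for event, script in zip(SAMPLE_EVENTS, decode_events(SAMPLE_EVENTS)):
        print(event[:60], "->", script)
```

Decoding is only the first step: once the plaintext is available, the usual content signatures (and, where enabled, Script Block Logging's Event ID 4104, which records the decoded script anyway) apply. A command line that carries an encoded switch but fails to decode is itself worth a look, since legitimate tooling rarely emits malformed arguments.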

Requirements

Please note that compiling the C# payloads depends on the System.Management.Automation.dll assembly with SHA1 hash c669667bb4d7870bc8bb65365d30071eb7fb86fe.

Some Ninja commands require the modules below (already present in the modules directory); you need to pull updates from their repositories:

Invoke-Kerberoast : https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1

Invoke-Mimikatz : https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1

Sharphound : https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1

PowerView : https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1

Installation

First of all, download the latest version of Ninja with the following command:

git clone https://github.com/ahmedkhlief/Ninja/

Set up Ninja by running the install.sh script:

chmod +x ./install.sh
sudo ./install.sh

After that, initialize the campaign:

python start_campaign.py

Now you can start the Ninja server:

python Ninja.py

You will be greeted with the following banner once you run it:



            88             88             
            ""             ""                           
                                              88888      8888
8b,dPPYba,  88 8b,dPPYba,  88 ,adPPYYba,    88        88    88
88P'   `"8a 88 88P'   `"8a 88 ""     `Y8    88              88
88       88 88 88       88 88 ,adPPPPP88    88              88
88       88 88 88       88 88 88,    ,88    88            88
88       88 88 88       88 88 `"8bbdP"Y8    88          88  
                          ,88                 88888      888888
                        888P" 		      
					    V1.0.1 BETA !


 Ninja C2 | Stealthy Pwn like a Ninja

+------------------------------------------------------------+
 Command        Description                                                                        
 -------        -----------                                                                        
 exit           Exit the console , or kill the agent                                               
 list           List all agents                                                                    
 help           Help menu                                                                          
 show           Show Command and Controler variables                                               
 use            Interact with AGENT                                                                
 back           Back to the main                                                                   
 payload        Show Payloads                                                                      
 load           load modules                                                                       
 kill_all       kill all agents                                                                    
 delete         delete agent from the list                                                         
 delete_all     delete all agents in the list                                                      
 set-beacon     set the beacon interval live for agent                                             
 download       download file from the vicitm                                                      
 downloads      list downloaded files                                                              
 upload         upload files to the victim                                                         
 modules        list all the Available modules in Modules directory                                
 encode64       encode any command to base64 encoded UTF-8 command ( can be decoded in powershell)
 screenshot     take screenshot form  the victim                                                   
 DA             Run defense Analysis Module                                                        
 kerb           do kerberoast attack  and dump  service accounts hashes                            
 dcsync_admins  do dcsync attack agains domain admins group                                        
 dcsync_list    do dcsync attack agains custom user list                                           
 get_groups     get all the groups user is member of                                               
 get_users      get all the users member in group                                                  
 bloodhound     run bloodhound to collect all the information about the AD                 
+------------------------------------------------------------+

Usage

Please check this article about Ninja and how to use it: https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/

Todo

  • Enhance the DA module and add more SIEM, AV and sandbox detection along with more important enumeration data.
  • More focus on stealth: load agent parts only when needed.
  • Add more shortened commands for popular modules.
  • Add more customizations and ideas for phishing using C# payloads and macros.
  • Integration with the CurveBall exploit.
  • Integration with the new Exchange RCE.
  • Undetectable persistence.
  • Create a wipe command to securely remove files from the hard disk without being detected and analyzed by the blue team.
  • Make the agent's blocks change randomly to bypass any static detection.
  • Add obfuscation for the agents.
  • Integrate Cobalt Strike payloads.

Screenshots

The original page embeds screenshots of the Main Screen, Payloads, Agent List, DA, Upload file and Download File views; the images are not reproduced here.

More: https://github.com/ahmedkhlief/Ninja 

July 15, 2022

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023