This repository has been archived by the owner on May 17, 2023. It is now read-only.

A cross-platform Nim implant for Prelude Operator


VVX7/nicodemus


Nicodemus

Nicodemus is a cross-platform Nim implant for the Prelude Operator adversary emulation platform.

It's a port of Pneuma and intended as a reference implementation for those thinking about writing their own Operator agent in Nim. Where possible, Nicodemus' code closely resembles that of Pneuma.

Getting started

Use build.sh to compile Nicodemus for the host OS and Windows build target.

Run the compiled agent to connect on the default TCP address. For help use the -h command switch.

Linux

  1. Install Nim.
  2. Install dependencies with Nimble.
    • cd nicodemus/ && nimble install
  3. Install MinGW-w64 toolchain.
    • Ubuntu: apt install mingw-w64
  4. Compile agent for build targets.
    • ./build.sh

MacOS

  1. Install Nim.
  2. Install dependencies with Nimble.
    • cd nicodemus/ && nimble install
  3. Install MinGW-w64 toolchain.
    • OSX: brew install mingw-w64
  4. Compile agent for build targets.
    • ./build.sh

Cross-compiling

Nim cross-compiling is documented here.

Check out this Docker image for easy cross-compiling. You'll need to install any nimble packages required by this project first.

You can use the docker-build.sh script to automatically cross-compile amd64 versions for Mac, Linux, and Windows through Docker with this command:

docker run --rm -v `pwd`:/usr/local/src \
  chrishellerappsian/docker-nim-cross:latest ./build-docker.sh

Use without Operator

Nicodemus is a port of Pneuma, so it's meant to be used with Prelude Operator. If you want to use a different C2, you'll need to structure messages so that Nicodemus understands them. See the Pneuma beacon documentation for more detail.

C2 Instruction

{
  "ID": "067e99fb-f88f-49a8-aadc-b5cadf3438d4",
  "ttp": "0b726950-11fc-4b15-a7d3-0d6e9cfdbeab",
  "tactic": "discovery",
  "Executor": "sh",
  "Request": "whoami",
  "Payload": "https://s3.amazonaws.com/operator.payloads/demo.exe"
}

Agent Beacon

{
  "Name": "test",
  "Location": "/tmp/me.go",
  "Platform": "darwin",
  "Executors": ["sh"],
  "Range": "red",
  "Pwd": "/tmp",
  "Links": []
}

Links

{
  "ID": "123",
  "Executor": "sh",
  "Payload": "",
  "Request": "whoami",
  "Response": "",
  "Status": 0,
  "Pid": 0
}
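For analysts reviewing traffic or logs from an emulation exercise, the sketch below recognises the beacon and link structures shown above in already-decoded JSON text and summarises what each link ran. It is an added example, not code from Nicodemus or Pneuma; the function names and sample message are constructed, and it assumes you already hold the message as plain JSON, since this page does not describe how messages are framed or encoded on the wire.

```python
import json

# Field names come from the "Agent Beacon" and "Links" samples on this page.
BEACON_KEYS = {"Name", "Location", "Platform", "Executors", "Range", "Pwd", "Links"}
LINK_KEYS = {"ID", "Executor", "Payload", "Request", "Response", "Status", "Pid"}

# Constructed sample: a beacon reporting one completed link.
SAMPLE_BEACON = json.dumps({
    "Name": "test", "Location": "/tmp/me.go", "Platform": "darwin",
    "Executors": ["sh"], "Range": "red", "Pwd": "/tmp",
    "Links": [{"ID": "123", "Executor": "sh", "Payload": "", "Request": "whoami",
               "Response": "user", "Status": 0, "Pid": 4242}],
})


def classify_message(text):
    """Return ("beacon", links), ("link", [obj]) or (None, []) for JSON text."""
    try:
        obj = json.loads(text)
    except (ValueError, TypeError):
        return None, []          # not JSON at all
    if not isinstance(obj, dict):
        return None, []
    if BEACON_KEYS <= set(obj) and isinstance(obj["Links"], list):
        # Keep only well-formed link entries; ignore anything else in the list.
        links = [l for l in obj["Links"]
                 if isinstance(l, dict) and LINK_KEYS <= set(l)]
        return "beacon", links
    if LINK_KEYS <= set(obj):
        return "link", [obj]     # a bare link object
    return None, []


def summarize(text):
    """One line per link for an analyst timeline; empty list if no match."""
    kind, links = classify_message(text)
    if kind is None:
        return []
    return [f'{kind} executor={l["Executor"]} request={l["Request"]!r} '
            f'status={l["Status"]} pid={l["Pid"]}' for l in links]


if __name__ == "__main__":
    for line in summarize(SAMPLE_BEACON):
        print(line)
```

Matching on the full key set rather than a single field keeps unrelated JSON that merely contains a "Name" or "ID" key from being flagged.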

Channel selection

Nicodemus currently supports TCP, UDP and HTTP.

TCP

./main --contact=tcp --address=127.0.0.1 --port=2323

UDP

./main --contact=udp --address=127.0.0.1 --port=4545

HTTP

./main --contact=http --address=http://127.0.0.1 --port=3391

Coming soon