This repository has been archived by the owner on May 17, 2023. It is now read-only.

Nicodemus

Nicodemus is a cross-platform Nim implant for the Prelude Operator adversary emulation platform.

It's a port of Pneuma and intended as a reference implementation for those thinking about writing their own Operator agent in Nim. Where possible, Nicodemus' code closely resembles that of Pneuma.

Getting started

Use build.sh to compile Nicodemus for the host OS and Windows build target.

Run the compiled agent to connect on the default TCP address. For help use the -h command switch.

Linux

  1. Install Nim.
  2. Install dependencies with Nimble.
    • cd nicodemus/ && nimble install
  3. Install MinGW-w64 toolchain.
    • Ubuntu: apt install mingw-w64
  4. Compile agent for build targets.
    • ./build.sh

MacOS

  1. Install Nim.
  2. Install dependencies with Nimble.
    • cd nicodemus/ && nimble install
  3. Install MinGW-w64 toolchain.
    • OSX: brew install mingw-w64
  4. Compile agent for build targets.
    • ./build.sh

Cross-compiling

Nim cross-compiling is documented here.

Check out this Docker image for easy cross-compiling. You'll need to install any nimble packages required by this project first.

You can use the docker-build.sh script to automatically cross-compile amd64 versions for Mac, Linux, and Windows through Docker with the following command:

docker run --rm -v `pwd`:/usr/local/src \
  chrishellerappsian/docker-nim-cross:latest ./build-docker.sh

Use without Operator

Nicodemus is a port of Pneuma, so it's meant to be used with Prelude Operator. If you want to use a different C2, you'll need to structure messages in the format Nicodemus understands. See the Pneuma beacon documentation for more detail.

C2 Instruction

{
  "ID": "067e99fb-f88f-49a8-aadc-b5cadf3438d4",
  "ttp": "0b726950-11fc-4b15-a7d3-0d6e9cfdbeab",
  "tactic": "discovery",
  "Executor": "sh",
  "Request": "whoami",
  "Payload": "https://s3.amazonaws.com/operator.payloads/demo.exe"
}

Agent Beacon

{
  "Name": "test",
  "Location": "/tmp/me.go",
  "Platform": "darwin",
  "Executors": ["sh"],
  "Range": "red",
  "Pwd": "/tmp",
  "Links": []
}

Links

{
  "ID": "123",
  "Executor": "sh",
  "Payload": "",
  "Request": "whoami",
  "Response": "",
  "Status": 0,
  "Pid": 0
}
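
For defenders reviewing decoded traffic or logs from an emulation exercise, the following added example (not part of the Nicodemus or Pneuma code) classifies a JSON document as a beacon, link or instruction by the field names shown above and lists the commands it carries. It assumes the message is already decoded JSON text, since this page does not describe wire framing or encoding; the function names and the sample input are constructed.

```python
import json

# Field names come from the three message examples in this README, lower-cased
# because the instruction example mixes key casing (ID, ttp, tactic, Executor).
BEACON_KEYS = {"name", "location", "platform", "executors", "range", "pwd", "links"}
LINK_KEYS = {"id", "executor", "payload", "request", "response", "status", "pid"}
INSTRUCTION_KEYS = {"id", "ttp", "tactic", "executor", "request", "payload"}

# Constructed sample: the README's beacon with its example link embedded.
SAMPLE_BEACON = json.dumps({
    "Name": "test", "Location": "/tmp/me.go", "Platform": "darwin",
    "Executors": ["sh"], "Range": "red", "Pwd": "/tmp",
    "Links": [{"ID": "123", "Executor": "sh", "Payload": "", "Request": "whoami",
               "Response": "", "Status": 0, "Pid": 0}],
})


def _lower_keys(obj):
    return {str(k).lower(): v for k, v in obj.items()}


def classify_message(text):
    """Return 'beacon', 'link', 'instruction', or None for anything else."""
    try:
        doc = json.loads(text)
    except (ValueError, TypeError):
        return None  # not JSON, so not one of the documented messages
    if not isinstance(doc, dict):
        return None
    doc = _lower_keys(doc)
    if BEACON_KEYS.issubset(doc):
        # Type checks reduce false positives from unrelated JSON with similar keys.
        ok = isinstance(doc["executors"], list) and isinstance(doc["links"], list)
        return "beacon" if ok else None
    if LINK_KEYS.issubset(doc):
        return "link"
    if INSTRUCTION_KEYS.issubset(doc):
        return "instruction"
    return None


def requested_commands(text):
    """List (executor, request) pairs found in a recognised message."""
    kind = classify_message(text)
    if kind is None:
        return []
    doc = _lower_keys(json.loads(text))
    items = doc["links"] if kind == "beacon" else [doc]
    links = [_lower_keys(i) for i in items if isinstance(i, dict)]
    return [(l.get("executor"), l.get("request")) for l in links]
```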

Channel selection

Nicodemus currently supports TCP, UDP and HTTP.

TCP

./main --contact=tcp --address=127.0.0.1 --port=2323

UDP

./main --contact=udp --address=127.0.0.1 --port=4545

HTTP

./main --contact=http --address=http://127.0.0.1 --port=3391

Coming soon