# Ninja c2
- No more verbose display of payloads
```bash
Ninja|master⚡ ⇒ python3 Ninja.py
███╗ ██╗██╗███╗ ██╗ ██╗ █████╗ ██████╗██████╗
████╗ ██║██║████╗ ██║ ██║██╔══██╗ ██╔════╝╚════██╗
██╔██╗ ██║██║██╔██╗ ██║ ██║███████║ ██║ █████╔╝
██║╚██╗██║██║██║╚██╗██║██ ██║██╔══██║ ██║ ██╔═══╝
██║ ╚████║██║██║ ╚████║╚█████╔╝██║ ██║ ╚██████╗███████╗
╚═╝ ╚═══╝╚═╝╚═╝ ╚═══╝ ╚════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
Version: 2.0
[-] Ninja C2 | Stealthy Pwn like a Ninja
[-] Starting WebServer..
* Serving Flask app 'core.webserver' (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
[-] Creating Payloads..
[05:17:55] [+] Raw Payload written to: utils/payloads/Powershell/raw_payload.ps1 config.py:67
[+] Obfuscated payload written to: utils/payloads/Powershell/payload-obf.ps1 config.py:124
[+] Stager Payload written to: utils/payloads/Powershell/base64_stager.ps1 config.py:83
[+] C# Dropper DLL written to: utils/payloads/Executables/dropper_cs.dll config.py:103
[+] C# Dropper EXE written to: utils/payloads/Executables/dropper_cs.exe config.py:108
[05:17:55] [+] Created HTA-Payload payloads.py:21
[+] Created Powershell Start-Job & Start-Process payloads.py:42
[+] Created Powershell File payloads.py:59
[+] Created Powershell SCT payloads.py:76
[+] Created Simple Powershell Payloads payloads.py:101
[+] Created Powershell Base64 payloads.py:123
[+] Created Powershell Base52 payloads.py:149
[+] Cmd Shellcodex86 written to: utils/payloads/shellcodes/cmd_shellcodex86 payloads.py:198
[+] Cmd Shellcodex64 written to: utils/payloads/shellcodes/cmd_shellcodex64 payloads.py:172
[+] Word Macro written to: utils/payloads/Macros/Word_macro.vba payloads.py:227
[+] Excel Macro written to: utils/payloads/Macros/Excel_macro.vba payloads.py:241
[+] Donut Shellcode written to: utils/payloads/shellcodes/donut_shellcode.b64 payloads.py:210
[+] Migrator payload written to: Modules/Migrator.ps1 config.py:145
[-] Loading registered webshell list
[!] Webshell list file doesn't exist.
(Ninja:main)>
```
- `reset` instead of `clear` to avoid clearing by mistake
- Nicer help menu?
```bash
(Ninja:main)> help
[-] Ninja management
help: Help menu
reset: Clear screen
back: Back to the main
exit: Exit the console , or kill the agent
load: load modules
modules: list all the Available modules in Modules directory
payload: Show Payloads
downloads: list downloaded files
[-] Agents management
list: List all agents
use: Interact with AGENT
kill_all: kill all agents
delete: delete agent from the list
delete_all: delete all agents in the list
set_beacon: set the beacon interval live for agent
upload: upload files to the victim
download: download file from the victim
screenshot: take screenshot from victim machine
split: split file to small size files for data exfiltration (use join command for files in current server or use join.ps1 script to join data on windows )
join: join splited file names ( include the original file name in the path and the script will know the file parts)
[-] Enumeration Commands
get_groups: get all the groups user is member of
get_users: get all the users member in group
processlist: list processes formatted ( Name , ID , Commandline)
kerb: do kerberoast attack and dump service accounts hashes
dcsync_all: do dcsync attack and get all users hashes
dcsync_admins: do dcsync attack against admin users
dumpcreds: load mimikatz and dump credentials
dcsync_list: do dcsync attack against custom user list
bloodhound: run bloodhound to collect all the information about the AD
DA: Run defense Analysis Module
gen_ntlm: generate ntlm hash for given password
lsass_memory_dump: dump lsass memory without touching the disk then parse it and provide credentials
[-] Miscellaneous
encode64: encode any command to base64 encoded UTF-8 command ( can be decoded in powershell)
drm: disable windows realtime monitoring - require admin privileges
unmanged_powershell: run powershell payload through the dotnet agent
persist_schtasks: persistence using schedule tasks
migrate: migrate to new process ( default nslookup ) to hide the backdoor , this command will only work if you enabled donut in campaign creation
webshell_mode: enter webshell mode to register and control your shells)
register_webshell: register webshell to be controlled : register_webshell
time_stomp: change the ( access , modify , creation ) time of destination file as same as the source file ) . Usage time_stomp < source path > < destination path >
clear_all_logs: this command will clear all windows event logs in the system
```
- Managed file structure: `lib`, `agents` now in `core/` folder
```bash
20 directories, 73 files
```