2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail what Ninja is. The editor finds it very practical and shares it here as a reference. I hope you get something out of reading it.
Ninja
Ninja is an open source command and control (C2) server designed, developed and maintained by the Purple team. With Ninja, red team researchers can hide their computer and Active Directory enumeration activities from SIEM and antivirus products. Ninja is currently still in the testing stage. After the stable version is released, it will include more stealth and anti-forensics techniques, which will be a real challenge for the blue team and will help them make sure their defenses can detect more complex attacks.
Ninja uses Python to serve payloads and control agents. The agents are based on C# and PowerShell, which can bypass most antivirus products. Ninja communicates with agents over a secure channel encrypted with AES-256, and the key is not hard-coded but randomly generated during the campaign. Each agent that connects to the C2 server gets a key, and when the C2 restarts and generates a new key, all old and new agents use the new key. Ninja also supports randomized callback URLs to bypass static detection and analysis.
Tool requirements
Note that compiling the C# code depends on the System.Management.Automation.dll assembly with SHA1 hash "c669667bb4d7870bc8bb65365d30071eb7fb86fe".
Some Ninja commands may require the following modules, so users need to obtain them from the corresponding repositories:
Invoke-Kerberoast:
https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1
Invoke-Mimikatz:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
Sharphound:
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
PowerView:
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
Tool installation
First, get the latest version of Ninja from the project repository using the following command:
git clone https://github.com/ahmedkhlief/Ninja/
Next, change to the project root on the command line and run the install.sh script to install and configure Ninja:
chmod +x ./install.sh
sudo ./install.sh
After you have done the above, you need to initialize the campaign:
python start_campaign.py
Now you can start the Ninja server with the following command:
python Ninja.py
After running, you will see the following on the terminal screen:
Custom callback URL
Ninja C2 lets us customize the callback URLs in a more secure way. Edit the file links.txt and add the words to be used in the links. Ninja C2 randomly selects words from that file and uses them in the URLs. If you want to use static links, you can edit the core/config.py file directly and make the changes there.
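Because the callback path is assembled from random words, a signature on a fixed URL path will not match. What stays visible in proxy logs is the traffic pattern. The following is an added example (not part of the original article or of the Ninja project) that flags client/server pairs whose requests are evenly spaced and almost never repeat a path. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client, server, path (format is an assumption).
SAMPLE_LOG = """\
2025-01-24T10:00:00 10.0.0.5 198.51.100.7 /news
2025-01-24T10:00:05 10.0.0.5 198.51.100.7 /profile
2025-01-24T10:00:11 10.0.0.5 198.51.100.7 /search
2025-01-24T10:00:16 10.0.0.5 198.51.100.7 /images
2025-01-24T10:00:20 10.0.0.5 198.51.100.7 /update
2025-01-24T10:00:25 10.0.0.5 198.51.100.7 /login
2025-01-24T10:00:02 10.0.0.9 203.0.113.20 /index.html
2025-01-24T10:00:03 10.0.0.9 203.0.113.20 /style.css
2025-01-24T10:01:40 10.0.0.9 203.0.113.20 /index.html
2025-01-24T10:07:11 10.0.0.9 203.0.113.20 /index.html
2025-01-24T10:07:12 10.0.0.9 203.0.113.20 /style.css
"""


def group_requests(log_text):
    """Group (timestamp, path) tuples by (client, server) pair."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not have the four expected fields
        ts, client, server, path = fields
        pairs[(client, server)].append((datetime.fromisoformat(ts), path))
    return pairs


def find_beacons(log_text, min_requests=5, max_jitter=0.2, min_unique=0.8):
    """Flag pairs with evenly spaced requests whose paths rarely repeat."""
    findings = []
    for pair, reqs in group_requests(log_text).items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")  # relative spread of gaps
        unique = len({path for _, path in reqs}) / len(reqs)  # share of distinct paths
        if jitter <= max_jitter and unique >= min_unique:
            findings.append((pair, round(avg, 1), round(jitter, 2), round(unique, 2)))
    return findings


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```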
Ninja C2 file architecture
Ninja C2 has many functions and uses directories to store their output. Here are all the directories and some important files:
Agents/: contains all the original agents required by Ninja.
core/: contains all the core scripts that run Ninja.
DA/: the defense analysis script writes its output here.
Downloads/: all files downloaded from the target device are stored here.
File/: files to upload to the target device.
Images/: screenshots are uploaded here.
Kerberoast/: the kerberoast module writes its output here.
Lib/: libraries used by Ninja C2.
Modules/: PowerShell modules that can be loaded onto the target device.
Payloads/: payloads to be used in the campaign.
Ninja.py: the Ninja C2 main script.
start_campaign.py: the Python script used to initialize the campaign configuration.
links.txt: the file that contains the words to be used in the callback links.
install.sh: the Bash script used to install the dependencies.
C2-logs.txt: records the results of all executed commands.
Create Automation Command
You can define a short command that stands for a longer command or a series of commands. It must be defined in core/cmd.py:
config.COMMAND[config.get_pointer()].append(encrypt(config.AESKey, "load SharpHound.ps1"))
In the example above, load SharpHound.ps1 is the final command.
Screenshots of the tool running (images not preserved): main screen, payload, list of agents, domain administrator, upload files, download the file.
This concludes the article on "What is Ninja?". I hope the above content is helpful and that you can learn from it. If you think the article is good, please share it so more people can see it.