After seeing a lot of positive feedback regarding Ninja C2, I decided to enhance it, solve the known issues and provide more features that will help every pentester. I tested Ninja in real-world pentest engagements and in the CRTP exam, and it proved worthy of making your life easier while doing your pentest. In this article I will explain the new features and I hope you like them. https://github.com/ahmedkhlief/Ninja
New Update Features
- Fully rebuilt to use Flask for stability and unlimited agent connections.
- Added SSL support, where the user can provide their own cert or use the default one.
- The Ninja PowerShell implant does not include all the modules when loaded, in order to bypass detection of those modules and not uncover unused features to an analyst.
- Added jitter functionality to bypass SIEM statistical analysis by randomizing the interval between calls to the C&C.
- Added kill date functionality.
- Ninja no longer uses GET requests for implant communications and no longer sends the agent name in the URL, in order to be stealthier and bypass current SIEM solutions that use this as a detection method.
- Ninja now uses an IE user agent in implant communications instead of the default user agent, to bypass SIEM detections.
- Ninja now sends requests and responds with variable-length data, in order to bypass SIEM statistical analysis.
- Ninja now provides executable payloads that bypass 90% of AVs.
- Ninja now uses an IIS header as the server header when responding to any request, in order to minimize the possibility of being detected by Shodan and other scanners.
- Ninja now supports auto-complete and command history, to make life easier for pentesters and reduce the time spent searching for a command.
- Manually compiled Invoke-Mimikatz.ps1 that supports Windows 10.
- Defense Analysis (DA) now runs on both local and domain-joined devices.
- Added shortcut commands for AMSI bypass, mimikatz creds dump, DCSync and disabling runtime monitoring.
- Fixed the encoding issue faced by many users who run Ninja on an OS that does not use the English language.
Fully Rebuilt to Use Flask
I have fully rebuilt Ninja to use Flask in order to provide stability and support for an unlimited number of agents, because the old version only supported 10 concurrent connections.
Added SSL Support
Now you can set up the SSL config when you run the start_campaign.py script, which will ask you whether to use the default SSL cert already created in the Ninja directory or to specify your own cert and key.
Ninja Loads Required Modules When Needed
Ninja no longer loads all functions in the main PowerShell payload, in order to bypass detection of these modules and avoid having them analyzed by an analyst. When the PowerShell payload is requested, Ninja only sends the main payload; when the user uses a function, Ninja loads the required module.
Bypass Statistical Analysis
Ninja now supports jitter, a feature that randomizes the time the agent waits before calling the C&C, in order not to be caught by SIEM solutions that detect periodic connections forming a specific pattern. Ninja also now supports variable payload sizes for the agent request and the server response, to avoid being detected by a repeated payload-size pattern. The screenshot below shows data collected from Wireshark: on the left, the time the agent waits before calling for a command is not the same for every request, and on the right, the request size is variable.
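From the defender's side, jitter and variable payload sizes defeat rules that key on a fixed interval or a fixed byte count, but bounded jitter still leaves the inter-request gaps clustered tightly around one median, which a robust spread statistic (median absolute deviation relative to the median) still picks up. The following Python script is an added example, not part of Ninja or of this post: it parses a few constructed proxy log lines in an assumed simple format (timestamp, source IP, request line, status, bytes), groups them per source and flags sources whose gap spread is small, without relying on the HTTP method, the URL or the user agent. The jitter schedule, IPs, paths and the 0.35 threshold are all assumptions chosen for illustration.

```python
"""Jitter-tolerant beacon check over web-proxy log lines (added example, constructed data)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src ip> "<METHOD> <path>" <status> <bytes>"
LOG_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d+) (\d+)$')


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "path": path, "status": int(status), "size": int(size)}


def group_by_source(lines):
    """Bucket parsed records by source IP."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec["src"]].append(rec)
    return groups


def interval_profile(records):
    """Median gap, median absolute deviation and relative spread of a source's requests."""
    records = sorted(records, key=lambda r: r["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(records, records[1:])]
    if len(gaps) < 5:
        return None  # too few requests to say anything about periodicity
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return {"count": len(records), "median_gap": med, "mad": mad,
            "rel_spread": mad / med if med else float("inf"),
            "distinct_sizes": len({r["size"] for r in records})}


def is_beacon_like(profile, max_rel_spread=0.35, min_count=8):
    """Flag a source whose gaps cluster around one median. Bounded jitter (e.g. +/-20%)
    widens the spread but keeps it well under the threshold; human browsing produces
    gaps spanning orders of magnitude and a much larger relative spread."""
    if profile is None:
        return False
    return profile["count"] >= min_count and profile["rel_spread"] <= max_rel_spread


def analyze(lines):
    """Map each source IP to True (beacon-like) or False."""
    return {src: is_beacon_like(interval_profile(recs))
            for src, recs in group_by_source(lines).items()}


def _emit(lines, src, start, gaps, paths, sizes):
    """Append constructed log lines for one source with the given inter-request gaps."""
    t = start
    lines.append(f'{t.isoformat()} {src} "POST {paths[0]}" 200 {sizes[0]}')
    for i, gap in enumerate(gaps, start=1):
        t = t + timedelta(seconds=gap)
        lines.append(f'{t.isoformat()} {src} "POST {paths[i % len(paths)]}" 200 {sizes[i % len(sizes)]}')


def build_sample_log():
    """Constructed sample: a 60 s beacon with a fixed +/-20% jitter schedule, and a
    browsing session with irregular gaps. Both use POST and varying sizes."""
    lines = []
    start = datetime(2024, 1, 1, 9, 0, 0)
    # Jitter schedule (constructed, percent of the 60 s base interval).
    jitter_pct = [15, -10, 20, -20, 5, -5, 18, -12, 0, 10, -17, 8]
    beacon_gaps = [60 * (1 + p / 100) for p in jitter_pct]
    _emit(lines, "10.0.0.5", start, beacon_gaps,
          ["/news/index.aspx", "/news/view.aspx"], [412, 538, 301, 677])
    # Human browsing: a few quick clicks, then long pauses (seconds, constructed).
    human_gaps = [1, 2, 3, 120, 4, 1, 900, 2, 3, 1500, 1]
    _emit(lines, "10.0.0.9", start, human_gaps,
          ["/login", "/search", "/cart"], [1201, 8840, 355, 2034])
    return lines


if __name__ == "__main__":
    for src, flagged in analyze(build_sample_log()).items():
        print(src, "beacon-like" if flagged else "normal")
```

The check deliberately ignores method, URL, user agent and payload size, all of which this update varies; it only needs timestamps per source, so it survives the jitter as long as the jitter is bounded. Widening the jitter range or mixing in decoy traffic would raise the relative spread, so in practice this is one signal to combine with others rather than a standalone alert.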
Undetectable Executable by 90% of AVs
Ninja one-liners (normal payload, base64 payload and base52 payload) are 99% undetected, but there was an issue with the .NET executable, which had been detected lately. Now, with a new technique to bypass AV, the Ninja .NET executable has been tested on various AVs and bypassed their detection, including Kaspersky.
Defense Analysis Command Supports Both Domain-Joined and Non-Domain Devices
Now you can use the DA command to get information about the device, and to get domain enumeration if the device is joined to a domain.
Added Kill Date Functionality
Ninja now supports a kill date, so you can set a date on which your campaign ends automatically once the specified date is reached.
Ninja Now Supports Command History and Auto-Complete
It's a simple but very useful feature, as I really needed it in my pentests to stop writing full commands or going back to search manually for an old command I typed.
I would like to thank all the people who tested Ninja and provided me with their feedback. I will keep working to enhance Ninja and add more features.