-
Ensure the requisite software/hardware is installed.
-
Run the
quickstartHelm chart to configure Nemesis's services and secrets. -
Deploy Nemesis's services by using its Helm chart.
If you run into any issues, please see troubleshooting.md for common errors/issues.
Once Nemesis is running, data first needs to be ingested into the platform. Ingestion into Nemesis can occur in muliple ways, including
- Auto-ingesting data from C2 platorms.
- Manually uploading files on the "File Upload" page in the Nemesis's Dashboard UI.
- Using the submit_to_nemesis CLI tool to submit files.
- Writing custom tools to interact with Nemesis's API.
Nemesis includes connectors for various C2 platorms. The connectors hook into the C2 platforms and transfer data automatically into Nemesis. The ./cmd/connectors/ folder contains the following C2 connectors:
Note: not all connectors have the same level of completeness! We intended to show the range of connectors possible, but there is not yet feature parity.
If you'd like to ingest data from another platform, see the documentation for adding a new connector.
All Nemesis services are exposed through a single HTTP endpoint (defined in the NEMESIS_HTTP_SERVER environment variable) protected by HTTP basic auth credentials configured through the BASIC_AUTH_USER and BASIC_AUTH_PASSWORD settings.
To see a basic landing page with exposed services, go to http NEMESIS_HTTP_SERVER endpoint root. The routes and corresponding services are:
| Service | Route | Username | Password |
|---|---|---|---|
| dashboard | /dashboard/ | DASHBOARD_USER | DASHBOARD_PASSWORD |
| kibana | /kibana/ | ELASTICSEARCH_USER | ELASTICSEARCH_PASSWORD |
| Hasura | /hasura/ | N/A | N/A |
| Nemesis web-api | /api/ | N/A | N/A |
| pgadmin | /pgadmin/ | PGADMIN_EMAIL | PGADMIN_PASSWORD |
| rabbitmq | /rabbitmq/ | RABBITMQ_ADMIN_USER | RABBITMQ_ADMIN_PASSWORD |
| alertmanager | /alertmanager/ | N/A | N/A |
| grafana | /grafana/ | GRAFANA_USER | GRAFANA_PASSWORD |
| prometheus | /prometheus/graph | N/A | N/A |
| elastic | /elastic/ | ELASTICSEARCH_USER | ELASTICSEARCH_PASSWORD |
| yara | /yara/ | N/A | N/A |
| crack-list | /crack-list/ | N/A | N/A |
helm install --repo https://specterops.github.io/Nemesis/ monitoring monitoringMetrics Server is available but not installed by default. Enable it with the following:
helm show values --repo https://specterops.github.io/Nemesis/ nemesisModify the value:
metricsServer:
enabled: trueIf you have not installed Nemesis yet, see Nemesis Chart or upgrade the installation:
helm upgrade --repo https://specterops.github.io/Nemesis/ [chart name] nemesisElasticsearch, PostgreSQL, and Minio (if using instead of AWS S3) have persistent storage volumes in the cluster.
Nemesis can use AWS S3 (in conjunction with KMS for file encryption) for file storage by modifying the storage setting in values.yaml and configuring the aws block.
By default, Nemesis uses Minio for file storage with a default storage size of 30Gi.
To change the size, modify the minio.persistence.size value in values.yaml file.
The default storage size is 20Gi. To change this, modify the elasticsearch.storage value in values.yaml.
The default storage size is 20Gi. To change this, modify the postgres.storage value in values.yaml.
Nemesis's HTTP traffic is managed by k3s traefik service. Therefore, in order to change Nemesis's listening port, you need to change the port of k3s's traefik HTTP endpoint. You can do this by creating the file /var/lib/rancher/k3s/server/manifests/traefik-config.yaml with the content below and then installing k3s. In this case, the config exposes HTTP traffic on port 8080 and HTTPS traffic on port 8443.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
web:
exposedPort: 8080
websecure:
exposedPort: 8443Once updated, ensure to update the operation.nemesisHttpServer configuration option to use the new port.
helm uninstall nemesis && kubectl delete all --all -n default
skaffold delete
If you do not want to run the Helm charts hosted on https://specterops.github.io/Nemesis/, you can run them locally. For example:
helm install nemesis-quickstart ./helm/quickstart
helm install nemesis ./helm/nemesis --timeout '45m'
helm install nemesis-monitoring ./helm/monitoringIf you run into any issues, please see troubleshooting.md for common errors/issues.
Otherwise, file an issue or feel free to ask questions in the #nemesis-chat channel in the Bloodhound Slack (click here to join).