#Nishang
###Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage. By nikhil_mitt ####Scripts Nishang currently contains the following scripts and payloads.
#####Antak - the Webshell Antak
Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
#####Backdoors HTTP-Backdoor
A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
A backdoor which can execute PowerShell scripts at a given time on a target.
A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
A backdoor which can use Windows screen saver for remote command and script execution.
A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
#####Client Out-CHM
Create infected CHM files which can execute PowerShell commands and scripts.
Create Word files and infect existing ones to run PowerShell commands and scripts.
Create Excel files and infect existing ones to run PowerShell commands and scripts.
Create a HTA file which can be deployed on a web server and used in phishing campaigns.
Create signed JAR files which can be used with applets for script and command execution.
Create shortcut files capable of executing commands and scripts.
#####Escalation Enable-DuplicateToken
When SYSTEM privileges are required.
Introduce vulnerabilities by removing patches.
#####Execution Download-Execute-PS
Download and execute a PowerShell script in memory.
Download an executable in text format, convert it to an executable, and execute.
Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
Execute shellcode in memory using DNS TXT queries.
#####Gather Check-VM
Check for a virtual machine.
Copy the SAM file using Volume Shadow Copy Service.
Trick a user into giving credentials in plain text.
A pair of scripts for egress testing
Get juicy information from a target.
Get LSA Secret from a target.
Get password hashes from a target.
Get WLAN keys in plain text from a target.
Log keystrokes from a target.
Invoke-MimikatzWdigestDowngrade
Dump user passwords in plain on Windows 8.1 and Server 2012
#####Pivot Create-MultipleSessions
Check credentials on multiple computers and create PSSessions.
Run-EXEonRemote Copy and execute an executable on multiple machines.
Invoke-NetworkRelay Create network relays between computers.
#####Prasadhak Prasadhak
Check running hashes of running process against the VirusTotal database.
#####Scan Brute-Force
Brute force FTP, Active Directory, MSSQL, and Sharepoint.
A handy port scanner.
#####Powerpreter Powerpreter
All the functionality of nishang in a single script module.
#####Shells Invoke-PsGcat
Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
Execute commands and scripts sent by Invoke-PsGcat.
An interactive PowerShell reverse connect or bind shell
Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
An interactive PowerShell reverse connect or bind shell over UDP
Stripped down version of Invoke-PowerShellUdp.
Reverse interactive PowerShell over HTTPS.
Reverse interactive PowerShell over HTTP.
Clean the system after using Invoke-PoshRatHttps
Interactive PowerShell using WMI.
An interactive PowerShell reverse shell over ICMP.
#####Utility Add-Exfiltration
Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
Add reboot persistence capability to a script.
Remote persistence added by the Add-Persistence script.
Pipe (|) this to any script to exfiltrate the output.
Transfer a file to the target.
Parse keys logged by the keylogger.
Encode and compress a script or string.
Decode and decompress a script or string from Invoke-Encode.
[Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]
####Usage
Import all the scripts in the current PowerShell session (PowerShell v3 onwards).
PS > Import-Module .\nishang.psm1
Use the individual scripts with dot sourcing.
PS > . C:\nishang\Gather\Get-Information.ps1
PS > Get-Information
To get help about any script, use:
PS > Get-Help [scriptname] -full
Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name.
For example, to see the help about Get-WLAN-Keys.ps1, use
PS> . C:\nishang\Get-WLAN-Keys.ps1
PS> Get-Help Get-WLAN-Keys
####Updates
Updates about Nishang can be found at my blog http://labofapenetrationtester.com and my Twitter feed @nikhil_mitt.
####Bugs, Feedback and Feature Requests Please raise an issue if you encounter a bug or have a feature request. You can email me at nikhil [dot] uitrgpv at gmail.com
#####Mailing List For feedback, discussions, and feature requests, join: http://groups.google.com/group/nishang-users
#####Contributing I am always looking for contributors to Nishang. Please submit requests or drop me an email.
#####Blog Posts
Some helpful blog posts to check out for beginners:
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
http://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.html
http://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html
http://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.html
All posts about Nishang: