Post Exploitation

Nishang – PowerShell Penetration Testing Framework

Nishang is an open source framework and collection of powerful PowerShell scripts and payloads that you can use during penetration testing audit,  post exploitation phase or other stages of offensive security auditing. Nishang is useful during various phases of a security auditing process and has many scripts categorized into logical categories such as information gathering, scanning, privilege elevation etc.

PowerShell Penetration Testing Framework Usage:

Import all scripts in the current PowerShell session (PowerShell v3 onwards).

C:\nishang> Import-Module .\nishang.psm1

Use the individual scripts with dot sourcing.

C:\nishang> . C:\nishang\Gather\Get-Information.ps1
C:\nishang> Get-Information

To get help about any script or function, use:

C:\nishang> Get-Help [scriptname] -full

Note: Help is available for the function loaded after running a script but not the script itself – since version 0.3.8. The function names are the same as script names.

For example, to see the help about Get-WLAN-Keys.ps1, use

C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1
C:\nishang> Get-Help Get-WLAN-Keys -Full

 

Scripts

Nishang currently contains the following scripts and payloads.

ActiveDirectory

  • Get-Unconstrained – Find computers in active directory which have Kerberos Unconstrained Delegation enabled.

 

Antak – the Webshell

  • Antak – Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

 

Backdoors

  • HTTP-Backdoor – A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
  • DNS_TXT_Pwnage – A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
  • Execute-OnTime – A backdoor which can execute PowerShell scripts at a given time on a target.
  • Gupt-Backdoor – A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
  • Add-ScrnSaveBackdoor – A backdoor which can use Windows screen saver for remote command and script execution.
  • Invoke-ADSBackdoor – A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
  • Add-RegBackdoor – A backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U).
  • Set-RemoteWMI – Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
  • Set-RemotePSRemoting – Modify permissions of PowerShell remoting to allow access to a non-admin user.

 

Bypass

  • Invoke-AmsiBypass – Implementation of publicly known methods to bypass/avoid AMSI.

 

Client

  • Out-CHM – Create infected CHM files which can execute PowerShell commands and scripts.
  • Out-Word – Create Word files and infect existing ones to run PowerShell commands and scripts.
  • Out-Excel – Create Excel files and infect existing ones to run PowerShell commands and scripts.
  • Out-HTA – Create a HTA file which can be deployed on a web server and used in phishing campaigns.
  • Out-Java – Create signed JAR files which can be used with applets for script and command execution.
  • Out-Shortcut – Create shortcut files capable of executing PowerShell commands and scripts.
  • Out-WebQuery – Create IQY files for phishing credentials and SMB hashes.
  • Out-JS – Create JS files capable of executing PowerShell commands and scripts.
  • Out-SCT – Create SCT files capable of executing PowerShell commands and scripts.
  • Out-SCF – Create a SCF file which can be used for capturing NTLM hash challenges.

 

Escalation

 

Execution

  • Download-Execute-PS – Download and execute a PowerShell script in memory.
  • Download_Execute – Download an executable in text format, convert it to an executable, and execute.
  • Execute-Command-MSSQL – Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
  • Execute-DNSTXT-Code – Execute shellcode in memory using DNS TXT queries.
  • Out-RundllCommand – Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.

 

Gather

 

MITM

 

Pivot

 

Prasadhak

  • Prasadhak – Check running hashes of running process against the VirusTotal database.

 

Scan

  • Brute-Force – Brute force FTP, Active Directory, MSSQL, and Sharepoint.
  • Port-Scan – A handy port scanner.

 

Powerpreter

  • Powerpreter – All the functionality of nishang in a single script module.

 

Shells

 

Utility

  • Add-Exfiltration – Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
  • Add-Persistence – Add reboot persistence capability to a script.
  • Remove-Persistence – Remote persistence added by the Add-Persistence script.
  • Do-Exfiltration – Pipe (|) this to any script to exfiltrate the output.
  • Download – Transfer a file to the target.
  • Parse_Keys – Parse keys logged by the keylogger.
  • Invoke-Encode – Encode and compress a script or string.
  • Invoke-Decode – Decode and decompress a script or string from Invoke-Encode.
  • Start-CaptureServer – Run a web server which logs Basic authentication and SMB hashes.
  • ConvertTo-ROT13 – Encode a string to ROT13 or decode a ROT13 string.
  • Out-DnsTxt – Generate DNS TXT records which could be used with other scripts.
  • [Base64ToString]
  • [StringToBase64]
  • [ExetoText]
  • [TexttoExe]

Download Nishang