Mastering Windows Post-Exploitation: A Deep Dive into Nishang
Introduction to Nishang
Nishang is an exceptional post-exploitation toolkit crafted by Nikhil Mittal. This powerful toolkit comprises a collection of PowerShell scripts, meticulously designed to streamline various post-exploitation tasks. These tasks include port scanning, information gathering, privilege escalation, credential theft, and backdoor creation. Nishang’s primary advantages lie in its ability to evade antivirus systems, thanks to its PowerShell foundation, its seamless compatibility with all Windows operating systems, and its lack of necessity for additional installation, as PowerShell is pre-installed. Moreover, Nishang scripts operate in memory, ensuring no traces are left on the disk.
Downloading and Accessing Nishang
To embark on your journey with Nishang, you can download it from its official GitHub repository. Additionally, all Nishang script files are conveniently included by default in the Linux-based Kali distribution, nestled within the “/usr/share/nishang” directory.
Understanding Nishang’s Capabilities
Nishang is a post-exploitation tool, meaning it does not harbor exploits. Unlike frameworks such as Metasploit, Nishang does not furnish exploitation modules. Furthermore, it does not proffer an interactive agent akin to the Empire framework. To harness Nishang’s potential, the scripts must be uploaded and executed on a compromised system where a session has already been established.
Using Nishang Scripts
Given that Nishang is composed of PowerShell scripts, a PowerShell shell is indispensable for executing the commands. If a connection is forged using tools like Meterpreter or the default Windows CMD shell, the “powershell.exe” application must be launched to run the commands. However, invoking “powershell.exe” from the Meterpreter command line is less than ideal, as it does not yield an interactive PowerShell console.
Practical Example: Port Scanning
To illustrate Nishang’s prowess, let’s delve into a scenario where we possess a Meterpreter session on a Windows Server 2016 machine within the “PRIVIA” domain. We can employ Nishang to execute various post-exploitation tasks. For instance, to scan ports on internal machines, we can upload the “Invoke-PortScan.ps1” script using the “upload” command in Meterpreter.
Steps to Perform Port Scanning
- Upload the script using the “upload” command in Meterpreter.
- Transition to the Windows shell using the “shell” command.
- Launch PowerShell using the “powershell” command.
- Import the module using the “Import-Module” cmdlet.
- Execute the “Invoke-PortScan” cmdlet to perform the port scan.
This process meticulously scans the specified IP range and unveils the open ports on the active machines. Nishang’s user-friendly modules simplify post-exploitation tasks, making it an invaluable asset for security professionals.
Exploring Nishang Directories
Nishang scripts are meticulously organized into directories based on their functionality. For example, scripts for scanning are housed in the “Scan” directory, while scripts for privilege escalation reside in the “Escalation” directory. The “nishang.psm1” file, when executed, imports all script files as modules in one fell swoop, further streamlining the process.
The Importance of Post-Exploitation
Post-exploitation is a pivotal phase in penetration testing. After breaching a system, attackers endeavor to move laterally and escalate privileges. Nishang furnishes functional modules to facilitate these tasks effectively. The post-exploitation phases typically encompass:
- Privilege Escalation
- Information Gathering
- Lateral Movement
- Persistence
Nishang Scripts Overview
Nishang proffers a plethora of scripts for diverse post-exploitation tasks. For instance, the “Add-ConstrainedDelegationBackdoor” script is employed to add a constrained service account in Active Directory environments. This account can be leveraged to obtain a TGS ticket and seize control over services using the s4u2self and s4u2proxy protocols.
Parameters for Add-ConstrainedDelegationBackdoor
- SamAccountName: Specifies the username for the new account.
- Password: Sets the password for the new account. If not specified, the default password is “Password@123!”.
- ServicePrincipalName: The SPN value required for enabling delegation.
- AllowedToDelegateTo: Specifies the services the new account has control over.
Conclusion
Nishang is an indispensable tool for post-exploitation tasks in Windows environments. Its PowerShell-based scripts offer a stealthy and efficient means to perform a myriad of post-exploitation activities. By comprehending and leveraging Nishang’s capabilities, security professionals can augment their penetration testing and security assessment processes, ensuring robust security measures.
