Mastering Windows Post-Exploitation – A Deep Dive into Nishang
Nishang is an exceptional post-exploitation toolkit crafted by Nikhil Mittal. It comprises a collection of PowerShell scripts designed to streamline post-exploitation tasks such as port scanning, information gathering, privilege escalation, credential theft, and backdoor creation. Nishang’s primary advantages are its PowerShell foundation, which helps it evade antivirus systems, its compatibility with all Windows operating systems, and the fact that it needs no additional installation, since PowerShell is pre-installed. Moreover, Nishang scripts operate in memory, ensuring no traces are left on the disk.
Downloading and Accessing Nishang
To embark on your journey with Nishang, you can download it from its official GitHub repository. Additionally, all Nishang script files are conveniently included by default in the Linux-based Kali distribution, nestled within the “/usr/share/nishang” directory.
Understanding Nishang’s Capabilities
Nishang is a post-exploitation tool, meaning it does not harbor exploits. Unlike frameworks such as Metasploit, Nishang does not furnish exploitation modules. Furthermore, it does not proffer an interactive agent akin to the Empire framework. To harness Nishang’s potential, the scripts must be uploaded and executed on a compromised system where a session has already been established.
Using Nishang Scripts
Given that Nishang is composed of PowerShell scripts, a PowerShell shell is indispensable for executing the commands. If a connection is forged using tools like Meterpreter or the default Windows CMD shell, the “powershell.exe” application must be launched to run the commands. However, invoking “powershell.exe” from the Meterpreter command line is less than ideal, as it does not yield an interactive PowerShell console.
Practical Example: Port Scanning
To illustrate Nishang’s prowess, let’s delve into a scenario where we possess a Meterpreter session on a Windows Server 2016 machine within the “PRIVIA” domain. We can employ Nishang to execute various post-exploitation tasks. For instance, to scan ports on internal machines, we can upload the “Invoke-PortScan.ps1” script using the “upload” command in Meterpreter.
Steps to Perform Port Scanning
This process meticulously scans the specified IP range and unveils the open ports on the active machines. Nishang’s user-friendly modules simplify post-exploitation tasks, making it an invaluable asset for security professionals.
Exploring Nishang Directories
Nishang scripts are meticulously organized into directories based on their functionality. For example, scripts for scanning are housed in the “Scan” directory, while scripts for privilege escalation reside in the “Escalation” directory. The “nishang.psm1” file, when executed, imports all script files as modules in one fell swoop, further streamlining the process.
The Importance of Post-Exploitation
Post-exploitation is a pivotal phase in penetration testing. After breaching a system, attackers endeavor to move laterally and escalate privileges. Nishang furnishes functional modules to facilitate these tasks effectively. The post-exploitation phases typically encompass:
Nishang Scripts Overview
Nishang proffers a plethora of scripts for diverse post-exploitation tasks. For instance, the “Add-ConstrainedDelegationBackdoor” script is employed to add a constrained service account in Active Directory environments. This account can be leveraged to obtain a TGS ticket and seize control over services using the s4u2self and s4u2proxy protocols.
Parameters for Add-ConstrainedDelegationBackdoor
Nishang is an indispensable tool for post-exploitation tasks in Windows environments. Its PowerShell-based scripts offer a stealthy and efficient means to perform a myriad of post-exploitation activities. By comprehending and leveraging Nishang’s capabilities, security professionals can augment their penetration testing and security assessment processes, ensuring robust security measures.
Mastering Windows Post-Exploitation with Nishang – A Comprehensive Guide
Nishang is a powerful post-exploitation framework developed by Nikhil Mittal. It comprises a collection of PowerShell scripts that can be utilized during the post-exploitation phase of a penetration test. These scripts enable a variety of tasks, including port scanning, information gathering, privilege escalation, credential harvesting, and establishing backdoors. One of the key advantages of Nishang is that it does not require any installation on the target Windows system, as it leverages PowerShell, which is natively available. Additionally, the scripts are executed in memory, leaving minimal traces on the disk.
The Importance of Privilege Escalation
Privilege Escalation is a critical phase in the post-exploitation process. After gaining initial access to a system, an attacker often finds themselves with limited user privileges. To achieve their objectives, they need to escalate these privileges to gain higher access levels. Nishang provides three scripts specifically designed for privilege escalation, which are detailed below.
Enable-DuplicateToken
In Windows systems, administrative accounts possess high privileges that allow them to perform various administrative tasks. However, even these accounts can sometimes face access restrictions. For instance, administrative accounts do not have access to the “HKLM:\SECURITY” registry key. To access this key, SYSTEM privileges are required. The Enable-DuplicateToken script duplicates the Access Token used by the “lsass.exe” process, which runs with SYSTEM privileges. This token can then be used by the script executor to perform tasks with SYSTEM privileges. It is important to note that the account running this script must already have administrative privileges.
Invoke-PsUACMe
This script bypasses User Account Control (UAC) using methods found in the UACME repository. The techniques employed involve DLL hijacking and manipulating executable file names and locations. The Invoke-PsUACMe script utilizes these methods to bypass UAC. The script accepts several parameters, including:
Remove-Update
This script removes all updates from the system. The “KBID” parameter specifies the ID of the update to be removed. This can be particularly useful in scenarios where specific updates interfere with the execution of certain exploits or payloads.
Executing Commands and Payloads
During the post-exploitation phase, there are often situations where an attacker needs to execute commands or payloads from a remote location. Nishang provides several methods for executing commands, which are detailed below.
Download-Execute-PS
This script downloads and executes a PowerShell script from a specified URL. The URL is specified using the “ScriptURL” parameter. The script can be executed with arguments specified using the “Arguments” parameter. If the script should not be saved on the target machine, the “Nodownload” parameter can be used.
Download_Execute
This script converts a text file containing an executable into a runnable application and executes it. The only parameter required is the “URL” parameter, which specifies the URL from which the file is downloaded and executed. The “exetotext.ps1” script in Nishang can be used to convert an executable into a text file.
Execute-Command-MSSQL
This script allows an attacker to execute commands on a remote MSSQL Server. By specifying the administrator username and password for the MSSQL Server service, the script enables the xp_cmdshell stored procedure, which can then be used to execute commands on the target machine. If Windows Authentication is used by MSSQL, the script can leverage this authentication method, and no username or password is required. The parameters for this script include:
Execute-DNSTXT-Code
This script utilizes DNS TXT queries to execute shellcode on the target system. The script retrieves payload shellcode from DNS TXT records, decodes it from Base64, and executes it, thereby establishing a connection. The “Out-DnsTxt” script in Nishang can be used to place the shellcode in Base64 format into DNS TXT records. The script requires at least three parameters: “shellcode32”, “shellcode64”, and “AuthNS”. These parameters specify the domain names where the 32-bit and 64-bit shellcode in Base64 format are located, and an authoritative nameserver.
Out-RundllCommand
This script generates commands that can be executed by the rundll32.exe application. When these commands are executed on the target machine, a PowerShell session is established. The script requires two parameters: “IPAddress” and “Port”. The “IPAddress” parameter specifies the IP address of the attacker’s machine where the listener is started, and the “Port” parameter specifies the port on which the listener is running.
Gathering Information
After compromising a machine, an attacker needs to gather information to proceed with the post-exploitation phase. This information can include host details, credentials, and other sensitive data. Nishang provides several scripts for information gathering, which are detailed below.
Check-VM
This script checks if the machine is running in a virtual environment. It examines the registry keys and running services to detect the presence of virtualization software such as Hyper-V, VMware, VirtualBox, Virtual PC, Xen, and QEMU.
Copy-VSS
This script creates copies of the SAM, NTDS.DIT databases, and the SYSTEM hive, which are used to store credentials in Windows systems. These files are locked while the operating system is running, so this script allows an attacker to create copies of these files for further analysis.
FireBuster
This script determines which port can be used to exfiltrate data from the network. It performs a port scan to find open ports and then sends all packets to a listener started by FireListener.
FireListener
FireListener starts a listener that can receive packets sent by FireBuster. This allows an attacker to exfiltrate data from the target network.
Get-Information
This script gathers information from the target machine. It retrieves data from the registry and executes various commands to extract sensitive information.
Unlocking Windows Post-Exploitation
Nishang, crafted by the skilled Nikhil Mittal, stands as a robust collection of post-exploitation tools. This suite is composed of various PowerShell scripts, each designed to aid in tasks such as port scanning, information gathering, privilege escalation, credential harvesting, and establishing backdoors. Nishang’s strength lies in its ability to evade antivirus detection due to its PowerShell foundation, its seamless compatibility with all Windows operating systems, and its minimal footprint, operating solely in memory without the need for additional installations.
Establishing Backdoors with Nishang
One of the ultimate goals for an attacker during the post-exploitation phase is to maintain persistence within the compromised system. This is achieved by creating a backdoor to ensure continued access. Nishang provides several methods to accomplish this, each with its unique approach.
Add-RegBackdoor
The Add-RegBackdoor script manipulates the Windows registry to create a backdoor. It alters the registry keys associated with the Sticky Keys and Utility Manager executables (sethc.exe and utilman.exe) to run custom payloads. Additionally, it disables Network Level Authentication (NLA) to allow remote payload execution via RDP. The primary parameter for this script is the “Payload” parameter, which specifies the application to be executed on the target system, defaulting to “cmd.exe”.
Add-ScrnSaveBackdoor
The Add-ScrnSaveBackdoor script utilizes the Windows screensaver functionality to execute payloads. It creates a custom screensaver file (Ribbons.scr) in the “C:\Windows\System32” directory and modifies the registry to ensure the screensaver activates after a period of inactivity. When the screensaver is triggered, it executes the specified payload, which can range from a simple command to a more complex script downloaded from the internet.
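For the defender, the two persistence mechanisms just described (Add-RegBackdoor and Add-ScrnSaveBackdoor) come down to a handful of registry values that can be audited. The following read-only check is an added example written for this page, not part of Nishang; it assumes the accessibility binaries are redirected through an Image File Execution Options “Debugger” value, that NLA is controlled by the RDP-Tcp “UserAuthentication” value, and that the screensaver binary is the “SCRNSAVE.EXE” value under Control Panel\Desktop.

```powershell
# Read-only audit of the persistence points described for Add-RegBackdoor and
# Add-ScrnSaveBackdoor. Added example, not Nishang code. Assumptions (labelled):
# sethc.exe/utilman.exe are hijacked via an Image File Execution Options
# "Debugger" value, NLA is the RDP-Tcp UserAuthentication value, and the
# screensaver is the SCRNSAVE.EXE value under Control Panel\Desktop.
# Run in an elevated PowerShell on the host being checked.

function Test-AccessibilityDebugger {
    # One finding per accessibility binary that has a Debugger redirect.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'sethc.exe', 'utilman.exe') {
        $key = Join-Path $ifeo $exe
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Check = 'IFEO Debugger'; Target = $exe; Value = $dbg }
        }
    }
}

function Test-NlaDisabled {
    # UserAuthentication = 0: RDP presents the logon screen before authenticating,
    # which is what lets a hijacked sethc.exe/utilman.exe be triggered remotely.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -eq 0) {
        [pscustomobject]@{ Check = 'NLA disabled'; Target = 'RDP-Tcp'; Value = $nla }
    }
}

function Test-ScreensaverBinary {
    # Flags a configured screensaver that is missing, unsigned, or not
    # Microsoft-signed; a custom .scr such as the one described above carries
    # no valid Microsoft signature and so fails this check.
    $hives = 'HKCU:\Control Panel\Desktop', 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    foreach ($h in $hives) {
        $scr = (Get-ItemProperty -Path $h -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
        if (-not $scr) { continue }
        $file = [Environment]::ExpandEnvironmentVariables($scr)
        $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Check = 'Screensaver'; Target = $h; Value = $scr }
        }
    }
}

$findings = @(Test-AccessibilityDebugger) + @(Test-NlaDisabled) + @(Test-ScreensaverBinary)
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No Add-RegBackdoor / Add-ScrnSaveBackdoor indicators found.' }
```

On a clean host every function returns nothing and the final line prints; any finding names the value that should be investigated and, once confirmed, removed or reset.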
DNS_TXT_Pwnage
The DNS_TXT_Pwnage script employs DNS TXT records to execute payloads and obtain a shell. It continuously queries a DNS server for TXT records, which contain encoded commands. These commands are then decoded and executed on the compromised machine. To use this script, a DNS server with configurable TXT records is required. The script includes parameters such as “StartDomain”, “CommandDomain”, and “AuthNS” to specify the domains and name servers involved in the attack.
Gupt-Backdoor
The Gupt-Backdoor script creates a Wi-Fi access point to execute commands and download scripts on the victim machine. It monitors nearby Wi-Fi networks and uses the “MagicString” parameter to identify target networks. Depending on the configuration, Gupt can execute commands directly or download and execute scripts from a specified URL. The script includes additional parameters such as “Arguments” and “EncodedCmd” to provide flexibility in command execution.
Conclusion
Nishang is a versatile and powerful toolset for post-exploitation activities. Its ability to operate within the constraints of PowerShell and its compatibility with Windows systems make it a valuable asset for security professionals and attackers alike. By understanding and utilizing the various scripts and techniques offered by Nishang, one can effectively maintain persistence and control over compromised systems.
Unleashing the Power of Nishang
Nishang, crafted by the skilled Nikhil Mittal, stands as a robust framework designed for post-exploitation tasks on Windows systems. This powerful toolkit comprises a suite of PowerShell scripts, each tailored to streamline various post-exploitation activities such as port scanning, information gathering, privilege escalation, credential harvesting, and establishing backdoors. One of Nishang’s standout features is its ability to run on Windows without installation, leveraging the built-in PowerShell component. Moreover, these scripts operate in memory, leaving minimal traces on the disk, making them a stealthy choice for security professionals.
Malware Analysis with Prasadhak
Among the array of scripts in Nishang, Prasadhak emerges as a potent tool for malware analysis. This script generates MD5 hash values for each running process on a machine and cross-references them with the VirusTotal database to pinpoint potential malware. This method proves invaluable during penetration testing, enabling testers to detect malicious software without the need for additional antivirus applications.
To harness Prasadhak effectively, you’ll need a VirusTotal account and an API key. This key serves as a parameter within the script, facilitating the comparison of hash values. Upon finding a match, the script displays a warning message along with a link to the VirusTotal analysis report for further scrutiny.
Network Scanning and Brute Force Attacks
Upon gaining access to a machine, the initial phase of post-exploitation involves identifying other accessible machines and their open ports. Nishang equips you with two pivotal scripts for this purpose: Invoke-BruteForce and Invoke-PortScan.
Invoke-BruteForce
Invoke-BruteForce is a script engineered to execute brute force attacks on a variety of services, including SQL Server, Active Directory, local accounts, Web, and FTP services. The script accommodates several parameters:
Invoke-PortScan
Invoke-PortScan is employed to identify live hosts and perform port scanning on target machines. The script utilizes the following parameters:
- StartAddress: Specifies the starting IP address for the scan.
- EndAddress: Specifies the ending IP address for the scan.
- ResolveHost: Resolves the hostnames of the identified live hosts.
- ScanPort: Specifies the ports to be scanned. By default, the script scans a comprehensive list of commonly used ports.
- Port: Allows the user to specify custom ports for scanning.
Establishing Reverse Shells
Once a machine is compromised, an attacker may seek to establish a reverse shell to maintain access and perform further exploitation. Nishang offers several methods to accomplish this: