Tuesday, August 14, 2012

(Introducing) Nishang : PowerShell for Penetration Testing

I have been using PowerShell in penetration tests for some time now. It is a really powerful shell and scripting language which gives you access to interesting things on a Windows machine. There are many PowerShell scripts involved in Kautilya. In fact, these PowerShell scripts are the reason behind power of Windows payloads in Kautilya.

At some of my talks many nice folks have asked me about the availability of PowerShell scripts for use in Penetration Tests. I started writing new scripts and collecting older ones. After working on this for a while I had some useful collection of payloads and scripts. I call it Nishang. It is available on google code here http://code.google.com/p/nishang/

Nishang means quiver (container for arrows) in Sanskrit. Apt for a collection of payloads and scripts.

It is a collection of scripts and post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration test. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy it is assumed that you have a shell access on the machine or using a HID like Teensy to drop the script on the victim.

Why PowerShell? It is easy to learn and powerful (think of Bash in Unix ported to Windows) and is present on every modern Windows macine. If you use PowerShell "properly", most of the times you would need practically nothing for post exploitation other than powershell.

Currently, Nishang includes only those payloads and scripts which do not require you to be an administrator on the machine. That is, no priv shell is required. The payloads are of varied complexity (for the user), while there are simpler ones like Download, Keylogger and Information Gatherer to complex ones like DNS_TXT_Pwnage and Wait_For_Command. All the payloads and scripts come with help. Use

PS> Get-Help [payloadname.ps1] -full

for help on executing a script or payload.

How to use it? The scripts can be used either if you have access to powershell prompt (when you have vnc or rdp etc) or if you have a windows command shell on the target. You must download the script on the target machine.

Below screenshots shows a quick example of the Information_Gather payload being downloaded and executed on a target machine.

One liner to download a script on the target

Execute the script. Note the parameters being passed ot the script.

The result of this payload (info uploaded to pastebin)

That was easy. All the scripts could be executed this way. Yay!

A word of caution, it may appear that your session has stuck after you execute the script. But you can eventually make your way out by repeatedly pressing enter. I am unaware of the reason behind this.

What's next? More scripts are in the development pipeline. Many of them require privileged shell on the target. Also, Niklas Goude has allowed me to add his powershell scripts to Nishang. They should be available with next release, thanks Niklas !

Also, the scripts are Tab ugly right now, that would be clean in next release.

I am looking forward for feedbacks, contributions and feature requests. I hope this would be useful.


  1. my friend i love your work and i see all your post you are great and thank you

  2. Awesome work. I really appreciate. Thanks for sharing. Keep it up.

    Penetration Testing

  3. This comment has been removed by the author.