Monday, June 2, 2014

Nishang 0.3.4 - Nishang Module, Dot Sourcing, Leaner scripts, New Exfiltration methods and bug fixes.

This update of Nishang makes some basic changes in how Nishang could be used.

You can now use Nishang as a module. Just import Nishang.psm1 by using

Now, list and use all the functions available
You can use any function from above as you use the scripts.

The code of nishang.psm1 is this
It just imports all scripts in the Nishang folder in the current session. It excercises no export control so you may see some functions which themselves are part of other functions. Note that the code shows that we are not loading Keylogger. In my testing, I found Keylogger should be left alone :)

Dot Sourcing

Next, if you like to use individual scripts (like I do), the scripts in Nishang, other then the Keylogger, now runs with dot sourcing.

Leaner Scripts

The exfiltration option has been removed from every script but Keylogger annd the three Backdoors. This not only makes those leaner (again) but also less complex to use. But, since I have been working on using Nishang scripts in client side attacks, it doesn't make sense to remove the exfitration altogether.

If you need exfiltration in a script just use Add-Exfiltration in the Utility folder and pass to it the path of the script.

New Exfiltration Methods

You can now use your own weberver which could log POST requests and a DNS server which could log TXT queries as exfiltration options. The webserver option could be seen in above example of leaner scripts.

Lets see an example of using DNS txt queries.

Both Webserver and DNS methods encodes data using Carols Perez's Compress-PostScript. You can decode it using Invoke-Decode in the Utility folder.

Parameters have been rearaanged in all the scripts to make the code more readable.

Here is the CHANGELOG:

0.3.4
- Minor improvements in StringtoBase64.ps1
- Fixed a typo in Firelistener. Client port was not being displayed.
- All the scripts could be run using "dot source" now.
- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
- Removed exfiltration support for tinypaste.
- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
- Added Nishang.psm1
- Added Do-Exfiltration.ps1.
- Added Add-Exfiltration.ps1.
- Added Invoke-Decode.ps1.
- Removed Browse_Accept_Applet.ps1

Nishang could be found here https://github.com/samratashok/nishang

I welcome any feedbacks, bugs and feature requests.

No comments:

Post a Comment