Nishang

Nishang is a PowerShell-based offensive security framework designed for red teaming and penetration testing on Windows targets. It functions as a post-exploitation toolkit and payload generator to automate attacks and manage remote targets.

The project provides specialized capabilities for bypassing security controls, such as disabling the Antimalware Scan Interface and employing in-memory execution to avoid disk-based detection. It includes a variety of stealthy command and control mechanisms, utilizing non-standard channels like DNS TXT records, ICMP traffic, and webmail for communication and data exfiltration.

The framework covers a broad surface of offensive operations, including privilege escalation through token manipulation, credential harvesting from memory and registry hives, and the generation of weaponized documents. It also facilitates lateral movement via network pivoting, man-in-the-middle traffic interception, and the establishment of persistent backdoors.

The toolset is implemented primarily in PowerShell.

Features

Post-Exploitation Toolkits - Provides a comprehensive suite of tools for post-compromise activities including privilege escalation and credential harvesting.

Offensive & Red Team Operations - Provides a comprehensive PowerShell-based framework for red teaming and offensive security operations on Windows targets.

DNS Command Execution - Runs scripts on a target machine by retrieving instructions from DNS TXT records.

Command And Control Frameworks - Establishes a covert command and control channel by retrieving scripts and sending output via Gmail.

Lateral Movement - Provides tools for scanning internal networks and pivoting traffic to move laterally across a compromised environment.

Process Reboot Persistence - Configures payloads to automatically relaunch and maintain access across system reboots.

Registry Persistence - Ensures payload survival across reboots by configuring persistence within registry keys and event triggers.

Remote Access & Control - Establishes versatile remote access channels using TCP, UDP, HTTP, ICMP, and WMI.

DNS Tunnels - Implements network tunneling over DNS protocols to retrieve instructions and exfiltrate data covertly.

DNS Shellcode Execution - Retrieves shellcode from DNS records and executes it in memory to bypass disk-based detection.

Remote Shells - Establishes interactive PowerShell sessions via reverse connections or TCP listeners.

Persistence Mechanisms - Implements techniques to ensure continued access to a system through backdoors and modified settings.

AMSI Bypasses - Disables the Antimalware Scan Interface by manipulating memory or unloading modules to prevent script scanning.

Covert Backdoors - Installs backdoors using unconventional channels like DNS queries and WLAN SSIDs for long-term access.

Data Exfiltration Tools - Sends command execution results to external destinations such as DNS and web servers.

Exfiltration Channels - Exfiltrates stolen data to remote servers using DNS queries and HTTP POST requests.

Credential Extraction Utilities - Recovers sensitive authentication secrets and password hashes from system memory and local databases using Volume Shadow Copies.

In-Memory Payload Execution - Runs scripts and shellcode directly in system memory to evade disk-based forensic detection.

Multi-Protocol Command and Control - Establishes command and control channels using multiple transports including HTTP, ICMP, UDP, and WMI.

DNS Payload Delivery - Retrieves and runs payloads encoded within DNS records to bypass network security filters.

Post-Exploitation Frameworks - Provides a post-exploitation framework for maintaining persistence, escalating privileges, and harvesting credentials.

Privilege Escalation Tools - Includes utilities for bypassing UAC and duplicating process tokens to gain SYSTEM-level privileges.

Security Token Manipulators - Duplicates security tokens from high-privileged processes to impersonate users and escalate system privileges.

UAC Bypasses - Elevates process integrity by exploiting Windows misconfigurations to bypass User Account Control.

Remote Command Execution Tools - Provides utilities for managing persistent sessions and delivering payloads to remote target systems.

Remote Script Execution - Downloads scripts from a URL and executes them on target systems via memory or disk.

Reverse Shells - Creates an interactive remote shell that transmits data over ICMP traffic to bypass firewall restrictions.

Command and Control Frameworks - Uses email accounts as a command and control channel by sending encoded scripts for remote agent retrieval.

Command and Control Platforms - Establishes command and control infrastructure using HTTP, DNS, and ICMP to manage remote target agents.

Information Gathering Tools - Extracts sensitive credentials, including LSA secrets and WLAN keys, from target systems.

Offensive Security Frameworks - Implements a modular framework for automating penetration testing and post-exploitation operations using PowerShell.

System Backdoors - Creates persistent remote execution channels using HTTP, DNS, and registry-based hooks.

System Permission Escalators - Increases process permissions to SYSTEM level or modifies WMI permissions to escalate privileges.

Memory-Only Execution - Executes scripts or shellcode exclusively in volatile memory to minimize the forensic footprint on disk.

Security Payload Generators - Automates the generation and obfuscation of weaponized documents and scripts to bypass security controls.

Data Exfiltration Payloads - Sends captured data to remote destinations including mail accounts, web servers, and DNS servers.

File Transfer - Transfers sensitive files from a target system to an external server using various network protocols.

Brute Force - Implements utilities for testing authentication and password spraying against services like FTP, Active Directory, and MSSQL.

Traffic Capture Frameworks - Sets up proxy servers that generate certificates to decrypt and capture HTTPS traffic.

Evasion and Bypass Tools - Implements techniques to circumvent and disable the Antimalware Scan Interface (AMSI).

Local System Enumeration Toolsets - Enumerates local system configurations and registry settings to identify exploitable vulnerabilities.

Offensive Security Tools - Allows for the immediate import and execution of penetration testing scripts into an active session.

Alternate Data Stream Persistence - Stores payloads in Alternate Data Streams to maintain stealthy, persistent access to the system.

Volume Shadow Copy Exfiltration - Copies volume shadow copies and sensitive files to external locations for offline analysis.

Command Execution - Launches arbitrary commands through system utilities like Rundll32 to evade security detection.

Weaponized Documents - Generates Office documents or shortcuts that execute payloads using DDE or macros.

Document Macro Injection - Injects executable macros or DDE vectors into Word files to execute scripts on a target.

Remote File Transfers - Provides bidirectional file transfer capabilities between local machines and target servers.

Web-based Shells - Provides an interactive terminal session accessible via a web browser for remote system management.

Remote Command Execution - Runs operating system commands on remote database servers by enabling shell execution features.

DNS Record Encoding - Compresses and encodes files into segments for distribution across DNS TXT records.

Firewall Bypass Networking - Implements techniques for exposing local services and mapping ports to bypass network firewalls.

Wireless Credential Auditors - Extracts clear-text passwords for saved WLAN profiles using administrative privileges.

Network Pivoting Tools - Creates network relays and concurrent sessions to move laterally across different machines.

Packet Redirection - Provides capabilities for rerouting network packets between interfaces to reach isolated network segments.

Port Scanners - Provides port scanners for identifying open network ports and available services on target systems.

Encrypted Shells - Starts encrypted listeners to receive interactive PowerShell sessions from remote targets.

Remote Access Permission Modification - Adjusts security descriptors to grant full control of PowerShell remoting for specific domain users.

Remote File Downloads - Enables the retrieval of files from remote servers for local execution or analysis.

Traffic Interception Tools - Implements a local HTTPS proxy to perform man-in-the-middle attacks on encrypted web traffic.

Volume Shadow Copy Abuse - Creates snapshots of protected system files to extract credential stores and directory databases for offline analysis.

Active Directory Delegation Manipulations - The tool modifies delegation settings to allow user impersonation for specific services.

Authentication Hash Capture - Runs a server to intercept and log Basic authentication and SMB hashes from incoming network requests.

Directory Database Permission Manipulations - The tool adjusts access control lists on a domain controller to enable directory database shadow copies.

Executable Obfuscation Techniques - Compresses and encodes PowerShell scripts using Base64 and custom methods to evade antivirus detection.

System Utility Execution - Generates single-line commands to launch payloads through system utilities like Rundll32 to bypass whitelists.

Network Credential Capturers - Generates SCF files to force clients to send NTLM authentication hashes to a capture server.

Keystroke Loggers - Records keyboard input to local files and exfiltrates the data to remote servers.

Man-in-the-Middle Frameworks - Intercepts and redirects network communications to capture or modify data in transit.

Private Key Extractions - Extracts saved wireless network passwords and security keys from the local machine.

WMI Permission Manipulations - Adjusts security descriptors of WMI namespaces to grant administrative permissions to domain users.

Remote Binary Execution - Transfers and executes binary files on remote machines for access or privilege escalation.

Payload Conversion and Execution - Downloads text-formatted executables, converts them to binary, and runs them on the local system.

Shell Delivery Mechanisms - Delivers reverse shell payloads via regsvr32.exe to execute remote commands on target systems.

Secret Retrieval Utilities - Provides utilities to retrieve sensitive security secrets from the local registry.

Security Software Evasion - Circumvents security features and endpoint protection, specifically the Antimalware Scan Interface, to execute scripts.

Security Interface Disablers - Disables the Antimalware Scan Interface using techniques like module unloading or DLL hijacking.

UDP Reverse Shells - Implements a remote command shell that transmits data over UDP to bypass firewall restrictions.

Network Reconnaissance Tools - Ships tools to scan networks and determine permitted outbound connections through egress testing.

Administrative Living-Off-The-Land Techniques - Abuses trusted system utilities like Rundll32 and Regsvr32 to launch payloads and evade application whitelisting.

Traffic Interception and Modification - Provides capabilities for capturing, redirecting, and actively altering network requests and responses to replace strings in web traffic.

Remote Management Access - Configures system services and firewalls to enable remote PowerShell remoting and WMI access.

Spyware Screen Capturers - Captures screen images and records keystrokes to monitor user activity in real time.

Active Directory Exploitation - Collection of PowerShell scripts for Windows penetration testing.

Security And Privacy - Scripting toolkit for red team and penetration testing.

samratashoknishang

Features

Star history