authorKevin Robertson <robertsonk@gmail.com>2016-09-12 22:55:10 -0400
committerKevin Robertson <robertsonk@gmail.com>2016-09-12 22:55:10 -0400
commit117281acbf625335762230adaa4c39fb443e2f9e (patch)
tree3cda36684cda0f48e236443a691db13585fbffd3
parent387cfea5b08fbbb168ba8f8e3b54f5acf58c86b4 (diff)
downloadInveigh-117281acbf625335762230adaa4c39fb443e2f9e.tar.gz
Inveigh-117281acbf625335762230adaa4c39fb443e2f9e.zip
Just a few more small changes
-rw-r--r--README.md13
-rw-r--r--Scripts/Inveigh-Unprivileged.ps12
-rw-r--r--Scripts/Inveigh.ps110
3 files changed, 17 insertions, 8 deletions
diff --git a/README.md b/README.md
index edeace4..752bbd7 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,15 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
## System Requirements
* Tested minimums are PowerShell 2.0 and .NET 3.5
-## Functions
+## Functions
+* Invoke-Inveigh
+* Invoke-InveighUnprivileged
+* Invoke-InveighRelay
+* Clear-Inveigh
+* Get-Inveigh
+* Stop-Inveigh
+* Watch-Inveigh
+
### Invoke-Inveigh
* The main Inveigh LLMNR/NBNS spoofer function.
@@ -72,7 +80,7 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
-* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist.
+* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist. The valid system must respond to the protocol type that matches the protocol of the original request in order to be blacklisted.
* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.
* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out a LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
@@ -133,6 +141,7 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
##### Notes:
* The local NBNS service does not need to be disabled on the host system.
* Ensure that any needed LMMNR, NBNS, HTTP ports are open within any local firewall on the host system.
+* Migrating/injecting into a process that has already been allowed incoming/outgoing firewall access should also work.
* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June.
diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1
index 1b07313..25e84f4 100644
--- a/Scripts/Inveigh-Unprivileged.ps1
+++ b/Scripts/Inveigh-Unprivileged.ps1
@@ -1061,7 +1061,7 @@ $HTTP_scriptblock =
$HTTP_timestamp = Get-Date -format r
$HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
- if((($WPADIP -and $WPADPort) -or $WPADResponse -or $WPADEmptyFile -eq 'y') -and $HTTP_request_raw_URL -match '/wpad.dat')
+ if((($WPADIP -and $WPADPort) -or $WPADResponse -or $WPADEmptyFile -eq 'Y') -and $HTTP_request_raw_URL -match '/wpad.dat')
{
$HTTP_message = $HTTP_WPAD_response
}
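Review bot: The `'y'` → `'Y'` change in the `$WPADEmptyFile -eq` comparison does not alter behavior, because PowerShell's `-eq` on strings is case-insensitive; if the intent is consistency with the documented parameter form, a short comment would spare the next reader the same check, e.g. `# -eq is case-insensitive; 'Y' only mirrors the parameter's documented value`. On the same line, `-match '/wpad.dat'` leaves the `.` as a regex wildcard and is unanchored, so `-match '/wpad\.dat'` states what is actually meant. The enclosing `$HTTP_scriptblock` starts and ends outside the hunk.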
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 1f43999..66dfa73 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -1663,7 +1663,11 @@ $sniffer_scriptblock =
else
{
- if($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string)
+ if($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
+ {
+ $NBNS_request_ignore = $true
+ }
+ elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string)
{
$NBNS_response_message = "- $NBNS_query_string is not on reply list"
}
@@ -1699,10 +1703,6 @@ $sniffer_scriptblock =
{
$NBNS_response_message = "- request is local"
}
- elseif($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
- {
- $NBNS_request_ignore = $true
- }
else
{
$NBNS_response_message = "- something went wrong"
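Review bot: The branch moved to the head of the chain in the first hunk (around line 1663) matches the two-byte value in `$payload_bytes[0..1]` against `$NBNS_learning_log` with no comment on why it now has to run before the reply/ignore list checks; presumably those are learning requests this host sent itself, so a note such as `# requests this host sent for SpooferLearning: match the recorded transaction ID before any reply/ignore list logic so they are never answered` would record the intent. Unlike its sibling branches it sets `$NBNS_request_ignore` without a `$NBNS_response_message`, so the logging path after this chain should be checked to tolerate an empty message. Because the match is only on a two-byte ID from `$source_IP -eq $IP`, a genuine local query that happens to reuse a logged ID would also be suppressed; worth confirming that is acceptable. The enclosing `$sniffer_scriptblock` begins and ends outside the hunk, and the second hunk only removes the old copy of the branch.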