author | Kevin Robertson <Kevin-Robertson@users.noreply.github.com> | 2019-01-30 23:05:50 -0500 |
---|---|---|
committer | Kevin Robertson <Kevin-Robertson@users.noreply.github.com> | 2019-01-30 23:05:50 -0500 |
commit | 2bcdf493e87cd44cf5ad7bf30f45d97b3ac5a638 (patch) | |
tree | 88232e93dcd4670eaaf41a3dfc8c17e0c84747b6 /Inveigh-Relay.ps1 | |
parent | dfd419e7669693f9d8a47b00172e84e558feee35 (diff) | |
Kerberos detection and bug fixes
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
Diffstat (limited to 'Inveigh-Relay.ps1')
-rw-r--r-- | Inveigh-Relay.ps1 | 62 |
1 files changed, 49 insertions, 13 deletions
diff --git a/Inveigh-Relay.ps1 b/Inveigh-Relay.ps1
index 88dbc26..d4ca2cd 100644
--- a/Inveigh-Relay.ps1
+++ b/Inveigh-Relay.ps1
@@ -36,6 +36,10 @@ displaying full capture lists when running through a shell that does not have ac
 Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
+.PARAMETER DomainMapping
+Array to map one netBIOS domain to one DNS domain. Needed when attacking a domain from a non-domain
+attached system with data imported from BloodHound.
+
 .PARAMETER Enumerate
 Default = All: (All/Group/NetSession/Share/User) The action that will be used for the 'Enumerate' attack.
@@ -214,6 +218,7 @@ param
 [parameter(Mandatory=$false)][ValidateSet("All","NetSession","Share","User","Group")][String]$Enumerate = "All",
 [parameter(Mandatory=$false)][ValidateSet("Random","Strict")][String]$TargetMode = "Random",
 [parameter(Mandatory=$false)][String]$EnumerateGroup = "Administrators",
+ [parameter(Mandatory=$false)][Array]$DomainMapping = "",
 [parameter(Mandatory=$false)][Array]$Target = "",
 [parameter(Mandatory=$false)][Array]$TargetExclude = "",
 [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox",
@@ -279,7 +284,7 @@ if($inveigh.relay_running)
 throw
 }
-$inveigh_version = "1.4"
+$inveigh_version = "1.4.1"
 if(!$target -and !$inveigh.enumerate)
 {
@@ -304,10 +309,21 @@ if($ProxyIP -eq '0.0.0.0')
 if($Attack -contains 'Execute' -and !$Command)
 {
- Write-Output "[-] -Command requiried with -Attack Execute"
+ Write-Output "[-] -Command required with -Attack Execute"
 throw
 }
+if($DomainMapping)
+{
+ if($DomainMapping.Count -ne 2 -or $DomainMapping[0] -like "*.*" -or $DomainMapping[1] -notlike "*.*")
+ {
+ Write-Output "[-] -DomainMapping format is incorrect"
+ throw
+ }
+
+}
+
 if(!$FileOutputDirectory)
 {
 $output_directory = $PWD.Path
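Review bot: The new `-DomainMapping` format check (hunk `@@ -304,10`) does not reject an empty or whitespace element: `"" -like "*.*"` is false, so a mapping whose first element is empty passes, and the later `if(!$inveigh.netBIOS_domain)` test (hunk `@@ -1028,14` on the next line) would then presumably fall back to the environment's USERDOMAIN while the `[+] Domain Mapping` banner still reports the supplied value. Extending the condition with `-or [string]::IsNullOrWhiteSpace($DomainMapping[0]) -or [string]::IsNullOrWhiteSpace($DomainMapping[1])` rejects that input up front with the existing error message. The version bump, typo fix and parameter declaration in the other hunks on this line need no change.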
@@ -641,6 +657,13 @@ if($Proxy -eq 'Y')
 }
+if($DomainMapping)
+{
+ $inveigh.output_queue.Add("[+] Domain Mapping = " + ($DomainMapping -join ",")) > $null
+ $inveigh.netBIOS_domain = $DomainMapping[0]
+ $inveigh.DNS_domain = $DomainMapping[1]
+}
+
 $inveigh.output_queue.Add("[+] Relay Attack = " + ($Attack -join ",")) > $null
 # math taken from https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b
@@ -1028,14 +1051,32 @@ while($inveigh.output_queue.Count -gt 0)
 }
-$inveigh.status_output = $false
-$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value
-$inveigh.computer_name = (Get-ChildItem -path env:computername).Value
+if(!$inveigh.netBIOS_domain)
+{
+ $inveigh.status_output = $false
+ $inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value
+ $inveigh.computer_name = (Get-ChildItem -path env:computername).Value
-try
+ try
+ {
+ $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower()
+ $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()
+
+ if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain))
+ {
+ $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain)
+ }
+
+ }
+ catch
+ {
+ $inveigh.DNS_domain = $inveigh.netBIOS_domain
+ $inveigh.DNS_computer_name = $inveigh.computer_name
+ }
+
+}
+else
 {
- $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower()
- $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()
 if(!$inveigh.domain_mapping_table.ContainsKey($inveigh.netBIOS_domain))
 {
@@ -1043,11 +1084,6 @@ try
 }
 }
-catch
-{
- $inveigh.DNS_domain = $inveigh.netBIOS_domain
- $inveigh.DNS_computer_name = $inveigh.computer_name
-}
 if($inveigh.enumerate)
 {
|
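Review bot: The `else` branch of the new `if(!$inveigh.netBIOS_domain)` block (hunk `@@ -1028,14`) no longer assigns `$inveigh.computer_name` or `$inveigh.DNS_computer_name`, which the removed lines set unconditionally, so when `-DomainMapping` is supplied those fields presumably keep whatever value they had (none on a first run); `$inveigh.status_output = $false` is skipped the same way. If later relay code reads them, the `else` branch should also run `$inveigh.computer_name = (Get-ChildItem -path env:computername).Value` and `$inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower()`. Relatedly, hunk `@@ -641,6` stores `$DomainMapping[1]` as given while the environment path lowercases the DNS domain, so `$inveigh.DNS_domain = $DomainMapping[1].ToLower()` would keep `domain_mapping_table` values case-consistent. The `else` block is closed in hunk `@@ -1043,11`, whose deletions only remove the catch that now lives inside the `if` branch.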