author     Kevin Robertson <robertsonk@gmail.com>  2018-05-01 23:50:39 -0400
committer  Kevin Robertson <robertsonk@gmail.com>  2018-05-01 23:50:39 -0400
commit     93b5687e40025eec2d14efb2f45cfb4c0227c720 (patch)
tree       48267f769791ef246199a88668a2fafd9bc8e75b /Inveigh.ps1
parent     ac5f0e258448772c6b414ccbc8b925e6f8224f00 (diff)
Inveigh-Relay new attack and targeting system
Inveigh-Relay

1. Added a new attack mode 'Enumerate'. This attack mode will leverage relayed connections to perform system enumeration. Right now I have local users, local admins, shares, and netsessions.

2. Attacks can now be combined. Session, Enumerate, and Execute can all be enabled at the same time. They will be chained together.

3. New multi-target system to replace the new multi-target system from the last dev update :) Inveigh-Relay will leverage the data gathered through enumeration to make relay target selections. Here's a simplistic example:

   a. Inveigh-Relay receives an incoming connection from 192.168.1.1 and relays the connection to 192.168.1.2.
   b. During the NTLM relay, the module records the user (test1) that is relayed from 192.168.1.1.
   c. The relayed connection is used to enumerate details on 192.168.1.2. The local admin group is found to include the user test2.
   d. test1 is found to not be privileged on 192.168.1.2.
   e. Inveigh-Relay receives an incoming connection from 192.168.1.3 and relays the connection to 192.168.1.4.
   f. During the NTLM relay, the module records the user (test2) that is relayed from 192.168.1.3.
   g. The relayed connection is used to enumerate details on 192.168.1.4.
   h. test2 is found to not be privileged on 192.168.1.4.
   i. Inveigh-Relay receives another connection from 192.168.1.3.
   j. Since test2 was previously observed on 192.168.1.3 and 192.168.1.2 has test2 in its local admin group, 192.168.1.2 is selected as a relay target.
   k. test2 is found to be privileged on 192.168.1.2.
   l. Depending on the attack selection, either a privileged session is established, a command is executed, or both.

   This is still in a very early stage and not production ready. I need to add a lot more logic to do things like prioritizing systems hosting shares with the session attack, etc. I also need to sort out gathering and importing the enumeration data used for targeting if you already have domain access. This will also open up making matches based on domain group membership. Bloodhound data should also work for targeting. I just need to work out how to match username formats, etc. Most of the enumeration data is stored in $inveigh.enumeration_list.

4. Target parameter will now accept CIDR and IP ranges. Invalid targets (as long as it's not a huge amount) are filtered out as part of the targeting process.

5. I took out SMB1 support. It only worked for command execution and removing it greatly simplifies things. The old version will still work if SMB1 is required.

I should be back to regular updates leading up to the release of 1.4. The enumeration code took some time.
Diffstat (limited to 'Inveigh.ps1')
-rw-r--r--  Inveigh.ps1  16
1 files changed, 13 insertions, 3 deletions
diff --git a/Inveigh.ps1 b/Inveigh.ps1
index 5a8a791..f067d82 100644
--- a/Inveigh.ps1
+++ b/Inveigh.ps1
@@ -479,17 +479,21 @@ if(!$inveigh)
$inveigh.NTLMv2_list = New-Object System.Collections.ArrayList
$inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
$inveigh.POST_request_list = New-Object System.Collections.ArrayList
- $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
+ $inveigh.relay_user_failed_list = New-Object System.Collections.ArrayList
$inveigh.valid_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_list = New-Object System.Collections.ArrayList
$inveigh.requested_host_IP_list = New-Object System.Collections.ArrayList
$inveigh.DNS_list = New-Object System.Collections.ArrayList
- $inveigh.session_list = @()
+ $inveigh.relay_privilege_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_failed_auth_table = [HashTable]::Synchronized(@{})
+ $inveigh.relay_history_table = [HashTable]::Synchronized(@{})
$inveigh.session_socket_table = [HashTable]::Synchronized(@{})
$inveigh.session_table = [HashTable]::Synchronized(@{})
$inveigh.session_message_ID_table = [HashTable]::Synchronized(@{})
$inveigh.session_lock_table = [HashTable]::Synchronized(@{})
$inveigh.session_count = 0
+ $inveigh.session_list = @()
+ $inveigh.enumeration_list = @()
}
if($inveigh.running)
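Review bot: `$inveigh.enumeration_list` (and the moved `$inveigh.session_list`) is initialized as a plain array `@()`, while the three relay tables added in the same hunk are `[HashTable]::Synchronized(@{})` and the other lists are `System.Collections.ArrayList`; if enumeration results are written from relay runspaces, a plain array is neither thread-safe nor appendable in place (`+=` allocates a new array), so consider a synchronized ArrayList here as well. Separately, renaming `$inveigh.SMBRelay_failed_list` to `$inveigh.relay_user_failed_list` changes a shared name and the diffstat is limited to Inveigh.ps1; confirm every consumer of the old name (the commit message describes Inveigh-Relay changes) is updated in the same change so nothing reads an undefined property.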
@@ -2395,7 +2399,7 @@ $sniffer_scriptblock =
}
- 445
+ 445
{
if($SMB -eq 'Y')
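Review bot: the `445` case label is removed and re-added with no visible content difference, so this hunk is a whitespace-only change (indentation or trailing whitespace) in the sniffer port switch; either drop it to keep the diff focused on the enumeration work or mention it in the commit message so reviewers do not look for a behavioural change here.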
@@ -4356,6 +4360,7 @@ Get relay session list.
[parameter(Mandatory=$false)][Switch]$POSTRequest,
[parameter(Mandatory=$false)][Switch]$POSTRequestUnique,
[parameter(Mandatory=$false)][Switch]$Session,
+ [parameter(Mandatory=$false)][Switch]$Enumeration,
[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
)
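Review bot: the new `$Enumeration` switch on Get-Inveigh is undocumented; the hunk context (`Get relay session list.`) shows the function carries comment-based help for its existing switches such as `$Session`, so add a matching `.PARAMETER Enumeration` entry stating that it outputs `$inveigh.enumeration_list`.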
@@ -4530,6 +4535,11 @@ Get relay session list.
Write-Output $inveigh.session_list | Format-Table -AutoSize
}
+ if($Enumeration)
+ {
+ Write-Output $inveigh.enumeration_list | Format-Table
+ }
+
}
function Watch-Inveigh
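Review bot: the new `if($Enumeration)` block pipes `$inveigh.enumeration_list` to `Format-Table` without `-AutoSize`, whereas the `$inveigh.session_list` output two lines above uses `Format-Table -AutoSize`; use the same flags here for consistent, non-truncated output. The final `+` line that adds only an empty line before the closing brace introduces stray whitespace and should be dropped.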