| author | Kevin Robertson <robertsonk@gmail.com> | 2016-10-17 21:21:48 -0400 | 
|---|---|---|
| committer | Kevin Robertson <robertsonk@gmail.com> | 2016-10-17 21:21:48 -0400 | 
| commit | 841bc1584525af51b5d9fbbfee374bb2c9a7348d (patch) | |
| tree | 54d141169dce5f56f590a8e886b599909b32f2bc /Scripts | |
| parent | c40dc8cade7b878b556c4745abd4febb36835b68 (diff) | |
Fixes for startup checks
Added @6cyril's improved netstat checks. Added StartupChecks parameter
for an easy way to disable checks if they get in the way.
Diffstat (limited to 'Scripts')
| -rw-r--r-- | Scripts/Inveigh-Relay.ps1 | 21 | ||||
| -rw-r--r-- | Scripts/Inveigh-Unprivileged.ps1 | 70 | ||||
| -rw-r--r-- | Scripts/Inveigh.ps1 | 38 | 
3 files changed, 109 insertions, 20 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1
index f766b71..ef5f5f4 100644
--- a/Scripts/Inveigh-Relay.ps1
+++ b/Scripts/Inveigh-Relay.ps1
@@ -80,6 +80,9 @@ enabled.
 .PARAMETER RunTime
 (Integer) Run time duration in minutes.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
 .PARAMETER ShowHelp
 Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -111,6 +114,7 @@ param
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable = "Y",
+    [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
     [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM",
     [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
     [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "",
@@ -242,7 +246,10 @@ else
 $inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null
 $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+    $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
 if($firewall_status)
 {
@@ -260,7 +267,10 @@ if($firewall_status)
 if($HTTP -eq 'Y')
 {
-    $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
+    if($StartupChecks -eq 'Y')
+    {
+        $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":80 "
+    }
     if($HTTP_port_check)
     {
@@ -283,11 +293,14 @@ else
 if($HTTPS -eq 'Y')
 {
-    $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
+    if($StartupChecks -eq 'Y')
+    {
+        $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":443 "
+    }
     if($HTTPS_port_check)
     {
-        $inveigh.HTTP = $true
+        $inveigh.HTTPS = $false
         $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port 443")  > $null
     }
     else
diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1
index b4c0c25..d39c616 100644
--- a/Scripts/Inveigh-Unprivileged.ps1
+++ b/Scripts/Inveigh-Unprivileged.ps1
@@ -160,6 +160,9 @@ Default = Unlimited: (Integer) Run time duration in minutes.
 .PARAMETER RunCount
 Default = Unlimited: (Integer) Number of captures to perform before auto-exiting.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
 .PARAMETER ShowHelp
 Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -201,6 +204,7 @@ param
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+    [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
     [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
     [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
     [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
@@ -236,6 +240,11 @@ if ($invalid_parameter)
     throw "$($invalid_parameter) is not a valid parameter."
 }
+if($inveigh.HTTP -or $inveigh.HTTPS)
+{
+    throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module."
+}
+
 if($NBNSBruteForce -eq 'Y')
 {
     $NBNS = 'N'
@@ -362,7 +371,10 @@ else
 $inveigh.status_queue.Add("Inveigh Unprivileged started at $(Get-Date -format 's')") > $null
 $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged started")])  > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+    $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
 if($firewall_status)
 {
@@ -380,7 +392,10 @@ if($firewall_status)
 if($LLMNR -eq 'Y')
 {
-    $LLMNR_port_check = netstat -anp UDP | findstr 0.0.0.0:5355
+    if($StartupChecks -eq 'Y')
+    {
+        $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 "
+    }
     if(!$LLMNR_port_check)
     {
@@ -475,11 +490,14 @@ else
 if($HTTP -eq 'Y')
 {
-    $HTTP_port_check += netstat -anp TCP | findstr 0.0.0.0:$HTTPPort
-    if($HTTPIP)
+    if($StartupChecks -eq 'Y')
     {
-        $HTTP_port_check += netstat -anp TCP | findstr $HTTPIP`:$HTTPPort
+        $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"0.0.0.0:$HTTPPort "
+    }
+    elseif($HTTPIP -and $StartupChecks -eq 'Y')
+    {
+        $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
     }
     if($HTTP_port_check)
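Review bot: The new guard's error text has a doubled word, "You must stop stop other Inveigh HTTP/HTTPS listeners", and the same string is added again in the Inveigh.ps1 hunk at `@@ -292,6 +296,11 @@`. Since this message is the only thing the operator sees when the module refuses to start, it should read cleanly: `throw "You must stop other Inveigh HTTP/HTTPS listeners before running this module."`. The check itself (refusing to start a second listener over `$inveigh.HTTP`/`$inveigh.HTTPS`) is a sensible safety interlock and does not need changing.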
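Review bot: In the `@@ -475,11 +490,14 @@` hunk the `elseif($HTTPIP -and $StartupChecks -eq 'Y')` branch can never run: when `$StartupChecks` is 'Y' the first branch has already been taken, and when it is 'N' the `elseif` condition is false too, so a listener bound to the specific `$HTTPIP` address is no longer detected at all. The removed code ran both netstat checks and accumulated them with `+=`; the new code should keep that shape, nesting the `$HTTPIP` check inside the `$StartupChecks` block rather than chaining it as an alternative. Without this, an existing service bound to `$HTTPIP:$HTTPPort` is only noticed when the TcpListener fails to start. The enclosing `if($HTTP -eq 'Y')` block continues past the end of the hunk.

```powershell
    if($StartupChecks -eq 'Y')
    {
        # wildcard bind first, then the specific address the listener will actually use
        $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"0.0.0.0:$HTTPPort "

        if($HTTPIP)
        {
            $HTTP_port_check += netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort "
        }
    }
    # … unchanged: if($HTTP_port_check) handling …
```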
@@ -785,7 +803,17 @@ $HTTP_scriptblock =
     }
     $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint
-    $HTTP_listener.Start()
+    
+    try
+    {
+        $HTTP_listener.Start()
+    }
+    catch
+    {
+        $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")
+        $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting HTTP listener")])
+        break HTTP_listener_loop
+    }
     $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate
     $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count
@@ -1205,9 +1233,20 @@ $LLMNR_spoofer_scriptblock =
     $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group)
     $LLMNR_UDP_client.Client.ReceiveTimeout = 5000
-    while($inveigh.unprivileged_running)
+    :LLMNR_spoofer_loop while($inveigh.unprivileged_running)
     {   
-        $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async
+
+        try
+        {
+            $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async
+        }
+        catch
+        {
+            $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")
+            $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting LLMNR spoofer")])
+            break LLMNR_spoofer_loop
+        }
+
         if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now
         {
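Review bot: The new `catch` block ends with `break HTTP_listener_loop`, but unlike the LLMNR and NBNS hunks this hunk does not add a matching `:HTTP_listener_loop` label, and the `Start()` call sits outside any loop visible here. If the label is defined elsewhere in `$HTTP_scriptblock` (the scriptblock starts and ends outside the hunk) this is fine; if it is not, an unmatched label makes `break` unwind past the enclosing scope and the runspace ends without any further indication beyond the queued message. Either add the label where the listener loop starts or, if the intent is simply to abandon this runspace after logging, use `return` in place of the `break`. Also, the two `.Add(...)` calls in this catch do not discard their return value with `> $null` as the surrounding code does, so the ArrayList index leaks into the scriptblock's output stream.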
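Review bot: Wrapping `$LLMNR_UDP_client.Receive(...)` in a catch-all that does `break LLMNR_spoofer_loop` will stop the spoofer the first time nothing arrives for five seconds, because `ReceiveTimeout = 5000` (the context line just above the loop) makes `Receive()` throw a SocketException with `SocketErrorCode` TimedOut on expiry — previously that exception was reported and the loop carried on, which is what lets the `while($inveigh.unprivileged_running)` condition get re-checked. The catch should `continue` on a timeout and only log and break for other socket failures; the logged text "Error starting LLMNR spoofer" is also misleading here since the failure is in receiving, not starting. The same change is needed in the NBNS hunk at `@@ -1291,9 +1330,20 @@`, which has the identical try/catch around `$NBNS_UDP_client.Receive(...)` under the same 5000 ms timeout.

```powershell
        catch
        {
            # unwrap the MethodInvocationException if PowerShell wrapped the .NET exception
            $receive_error = $_.Exception
            if($receive_error.InnerException) { $receive_error = $receive_error.InnerException }

            # ReceiveTimeout (5000 ms) expiry lands here too; that is the normal idle path, not a failure
            if($receive_error -is [System.Net.Sockets.SocketException] -and $receive_error.SocketErrorCode -eq 'TimedOut')
            {
                continue
            }

            $inveigh.console_queue.Add("$(Get-Date -format 's') - Error receiving LLMNR request") > $null
            $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error receiving LLMNR request")]) > $null
            break LLMNR_spoofer_loop
        }
        # … unchanged: AAAA filter and response handling …
```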
@@ -1291,9 +1330,20 @@ $NBNS_spoofer_scriptblock =
     $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
     $NBNS_UDP_client.Client.ReceiveTimeout = 5000
-    while($inveigh.unprivileged_running)
+    :NBNS_spoofer_loop while($inveigh.unprivileged_running)
     {
-        $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async
+        
+        try
+        {
+            $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async
+        }
+        catch
+        {
+            $inveigh.console_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")
+            $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Error starting NBNS spoofer")])
+            break NBNS_spoofer_loop
+        }
+
         if([System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01')
         {
diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1
index 0ac0fad..60ece26 100644
--- a/Scripts/Inveigh.ps1
+++ b/Scripts/Inveigh.ps1
@@ -178,6 +178,9 @@ also be enabled.
 .PARAMETER RunTime
 (Integer) Run time duration in minutes.
+.PARAMETER StartupChecks
+Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup.
+
 .PARAMETER ShowHelp
 Default = Enabled: (Y/N) Enable/Disable the help messages at startup.
@@ -254,6 +257,7 @@ param
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y",
     [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y",
+    [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y",
     [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0",
     [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM",
     [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM",
@@ -292,6 +296,11 @@ if ($invalid_parameter)
     throw "$($invalid_parameter) is not a valid parameter."
 }
+if($inveigh.HTTP -or $inveigh.HTTPS)
+{
+    throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module."
+}
+
 if(!$IP)
 { 
     $IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
@@ -438,11 +447,22 @@ else
 $inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')")  > $null
 $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null
-$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+if($StartupChecks -eq 'Y')
+{
+    $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'}
+}
 if($firewall_status)
 {
     $inveigh.status_queue.Add("Windows Firewall = Enabled")  > $null
+    $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2
+    $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}"
+
+    if($firewall_powershell)
+    {
+        $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed")  > $null
+    }
+
 }
 $inveigh.status_queue.Add("Listening IP Address = $IP")  > $null
@@ -551,8 +571,11 @@ else
 if($HTTP -eq 'Y')
 {
-
-    $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80
+    
+    if($StartupChecks -eq 'Y')
+    {
+        $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":80 "
+    }
     if($HTTP_port_check)
     {
@@ -574,12 +597,15 @@ else
 if($HTTPS -eq 'Y')
 {
-
-    $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443
+    
+    if($StartupChecks -eq 'Y')
+    {
+        $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:":443 "
+    }
     if($HTTPS_port_check)
     {
-        $inveigh.HTTP = $true
+        $inveigh.HTTPS = $false
         $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443")  > $null
     }
     else
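Review bot: The new PowerShell firewall-rule check in the `@@ -438,11 +447,22 @@` hunk decides "PowerShell.exe = Allowed" from `Select-String "Windows PowerShell}"` applied to `Select-Object -Property Name` output, which only works because Select-String stringifies each object to `@{Name=...}` and the trailing `}` happens to anchor the match; it also keys on the rule's display name rather than the program it covers, and never looks at the rule's action, so an enabled inbound block rule with that name would be reported as allowed. Matching on the rule object's own properties is both more readable and more accurate: `$firewall_powershell = $firewall_policy.Rules | Where-Object {$_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.ApplicationName -match 'powershell\.exe$'}` (Direction 1 = inbound, Action 1 = allow in the INetFwRule enums). Renaming `$firewall_rules` to `$firewall_policy` would also stop the variable from suggesting it holds the rule collection rather than the FwPolicy2 object. Since this runs only when `$StartupChecks` is 'Y', a `try`/`catch` around the `New-Object -comObject HNetCfg.FwPolicy2` call would keep a failed COM activation from aborting the whole startup sequence rather than just this informational check.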