diff options
| -rw-r--r-- | Inveigh-Loader.ps1 | 77 | ||||
| -rw-r--r-- | Inveigh.ps1 | bin | 71870 -> 73010 bytes | |||
| -rw-r--r-- | README.md | 10 |
3 files changed, 82 insertions, 5 deletions
diff --git a/Inveigh-Loader.ps1 b/Inveigh-Loader.ps1 new file mode 100644 index 0000000..5e4f4ac --- /dev/null +++ b/Inveigh-Loader.ps1 @@ -0,0 +1,77 @@ +<# +.SYNOPSIS +Inveigh Loader provides additional options for running Inveigh as an unattended payload. + +.DESCRIPTION +Inveigh Loader can load Inveigh with set parameters and stop execution after specified amount of time. Inveigh can be either loaded as a separate script or through a scriptblock embedded within this script. If the scriptblock method is selected, the current Inveigh.ps1 code must be copied into the $inveigh_scriptblock below. This is a basic version, additional features will be added. +#> + +# Inveigh loader parameters +$run_length = 1 # Set the number of minutes Inveigh will run +$start_job_method = "filepath" # Set the Job-Start method. filepath,scriptblock + +# Inveigh parameters - refer to Inveigh.ps1 for details +$IP = "" +$SpooferIP = "" +$HTTP = "Y" +$HTTPS = "N" +$SMB = "Y" +$LLMNR = "Y" +$NBNS = "N" +$NBNSTypes = @("20") # Format for multiples = @("00","20") +$Repeat = "Y" +$ForceWPADAuth = "Y" +$Output = "0" +$OutputDir = "" + +if(-not($IP)) +{ + $IP = (Test-Connection 127.0.0.1 -count 1 | select -ExpandProperty Ipv4Address) +} + +if(-not($SpooferIP)) +{ + $SpooferIP = $IP +} + +if(-not($OutputDir)) +{ + $OutputDir = $PWD.Path +} + +$inveigh_scriptblock = +{ # begin $inveigh_scriptblock - paste Inveigh.ps1 code below this line if using $start_job_method = "scriptblock" + +} # end $inveigh_scriptblock + +try +{ + if ($start_job_method -eq "filepath") + { + Start-Job -Name Inveigh -FilePath .\Inveigh.ps1 -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null + } + elseif ($start_job_method -eq "scriptblock") + { + Start-Job -Name Inveigh -ScriptBlock $inveigh_scriptblock -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null + } + else + { + throw "Invalid $start_job_method." + } + + $run_timeout = new-timespan -Minutes $run_length + $run_stopwatch = [diagnostics.stopwatch]::StartNew() + + while ($run_stopwatch.elapsed -lt $run_timeout) + { + Receive-Job -name Inveigh + } + +} +finally +{ + Stop-Job -name Inveigh + Receive-Job -name Inveigh + Remove-Job -name Inveigh + write-warning "Inveigh Loader exited at $(Get-Date -format 's')" +} diff --git a/Inveigh.ps1 b/Inveigh.ps1 Binary files differindex 6bbb375..436d505 100644 --- a/Inveigh.ps1 +++ b/Inveigh.ps1 @@ -2,10 +2,10 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions. # Requirements -Tested with PowerShell 2.0 and .NET 3.5. +Tested minimums are PowerShell 2.0 and .NET 3.5. # Notes -1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture. +1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture. 2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets. 3. SMB challenge/response captures are performed by sniffing over the host system's SMB service. 4. HTTP challenge/response captures are performed with a dedicated listener. @@ -17,13 +17,13 @@ Tested with PowerShell 2.0 and .NET 3.5. 10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns. # Usage -Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy. +Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass the PowerShell script execution policy. To execute with default settings: Inveigh.ps1 To execute with features enabled/disabled: -Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 +Inveigh.ps1 -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 -OutputDir 'valid folder path' # Screenshot - + |