-rw-r--r--Inveigh/Listeners/DNSListener.cs4
-rw-r--r--Inveigh/Listeners/HTTPListener.cs5
-rw-r--r--Inveigh/Listeners/LLMNRListener.cs12
-rw-r--r--Inveigh/Listeners/MDNSListener.cs4
-rw-r--r--Inveigh/Listeners/NBNSListener.cs4
-rw-r--r--Inveigh/Program.cs28
-rw-r--r--Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs22
-rw-r--r--Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs20
-rw-r--r--Inveigh/Support/Output.cs65
-rw-r--r--Inveigh/Support/Shell.cs20
-rw-r--r--README.md12
11 files changed, 129 insertions, 67 deletions
diff --git a/Inveigh/Listeners/DNSListener.cs b/Inveigh/Listeners/DNSListener.cs
index d74b971..1915b8c 100644
--- a/Inveigh/Listeners/DNSListener.cs
+++ b/Inveigh/Listeners/DNSListener.cs
@@ -39,8 +39,8 @@ namespace Inveigh
DNSChecker helper = new DNSChecker
{
- IgnoreHosts = Program.argIgnoreHosts,
- ReplyToHosts = Program.argReplyToHosts,
+ IgnoreQueries = Program.argIgnoreQueries,
+ ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IgnoreDomains = Program.argIgnoreDomains,
diff --git a/Inveigh/Listeners/HTTPListener.cs b/Inveigh/Listeners/HTTPListener.cs
index d3b0961..6537983 100644
--- a/Inveigh/Listeners/HTTPListener.cs
+++ b/Inveigh/Listeners/HTTPListener.cs
@@ -38,6 +38,11 @@ namespace Inveigh
Output.NTLMOutput(user, domain, ntlmChallenge, ntlmResponseHash, clientIP, host, protocol, listenerPort, clientPort, lmResponseHash);
}
+ protected override void OutputCleartext(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
+ {
+ Output.CleartextOutput(protocol, listenerPort, clientIP, clientPort, credentials);
+ }
+
protected override void OutputChallenge(string protocol, string listenerPort, string clientIP, string clientPort, string challenge)
{
Output.Queue(String.Format("[+] [{0}] {1}({2}) NTLM challenge [{3}] sent to {4}:{5}", Output.Timestamp(), protocol, listenerPort, challenge, clientIP, clientPort));
diff --git a/Inveigh/Listeners/LLMNRListener.cs b/Inveigh/Listeners/LLMNRListener.cs
index 93729b5..b15a989 100644
--- a/Inveigh/Listeners/LLMNRListener.cs
+++ b/Inveigh/Listeners/LLMNRListener.cs
@@ -28,10 +28,10 @@ namespace Inveigh
public override bool Check(string name, string type, string clientIP, out string message)
{
- LLMNRChecker llmnrHelper = new LLMNRChecker
+ LLMNRChecker llmnrChecker = new LLMNRChecker
{
- IgnoreHosts = Program.argIgnoreHosts,
- ReplyToHosts = Program.argReplyToHosts,
+ IgnoreQueries = Program.argIgnoreQueries,
+ ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
@@ -41,13 +41,13 @@ namespace Inveigh
Inspect = Program.enabledInspect,
};
- if (llmnrHelper.Check(name, type, clientIP))
+ if (llmnrChecker.Check(name, type, clientIP))
{
- message = llmnrHelper.OutputMessage;
+ message = llmnrChecker.OutputMessage;
return true;
}
- message = llmnrHelper.OutputMessage;
+ message = llmnrChecker.OutputMessage;
return false;
}
diff --git a/Inveigh/Listeners/MDNSListener.cs b/Inveigh/Listeners/MDNSListener.cs
index c8736ed..c97dd07 100644
--- a/Inveigh/Listeners/MDNSListener.cs
+++ b/Inveigh/Listeners/MDNSListener.cs
@@ -33,8 +33,8 @@ namespace Inveigh
MDNSChecker mdnsHelper = new MDNSChecker
{
- IgnoreHosts = Program.argIgnoreHosts,
- ReplyToHosts = Program.argReplyToHosts,
+ IgnoreQueries = Program.argIgnoreQueries,
+ ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
diff --git a/Inveigh/Listeners/NBNSListener.cs b/Inveigh/Listeners/NBNSListener.cs
index 6e574d8..17a356b 100644
--- a/Inveigh/Listeners/NBNSListener.cs
+++ b/Inveigh/Listeners/NBNSListener.cs
@@ -31,8 +31,8 @@ namespace Inveigh
NetBIOSNSChecker helper = new NetBIOSNSChecker
{
- IgnoreHosts = Program.argIgnoreHosts,
- ReplyToHosts = Program.argReplyToHosts,
+ IgnoreQueries = Program.argIgnoreQueries,
+ ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
diff --git a/Inveigh/Program.cs b/Inveigh/Program.cs
index 97fe911..ebb3a78 100644
--- a/Inveigh/Program.cs
+++ b/Inveigh/Program.cs
@@ -74,10 +74,10 @@ namespace Inveigh
public static string[] argIgnoreAgents = { "Firefox" };
public static string[] argIgnoreDomains;
public static string[] argIgnoreIPs;
- public static string[] argIgnoreHosts;
+ public static string[] argIgnoreQueries;
public static string[] argIgnoreMACs;
public static string[] argReplyToDomains;
- public static string[] argReplyToHosts;
+ public static string[] argReplyToQueries;
public static string[] argReplyToIPs;
public static string[] argReplyToMACs;
public static string argSpooferIP = "";
@@ -174,7 +174,7 @@ namespace Inveigh
public static string netbiosDomain = Environment.UserDomainName;
public static string dnsDomain = "";
public static ulong smb2Session = 5548434740922023936; // todo check
- public static string version = "2.0.6";
+ public static string version = "2.0.8";
static void Main(string[] arguments)
{
@@ -355,11 +355,6 @@ namespace Inveigh
argIgnoreDomains = arguments[entry.index + 1].ToUpper().Split(',');
break;
- case "-IGNOREHOSTS":
- case "/IGNOREHOSTS":
- argIgnoreHosts = arguments[entry.index + 1].ToUpper().Split(',');
- break;
-
case "-IGNOREIPS":
case "/IGNOREIPS":
argIgnoreIPs = arguments[entry.index + 1].ToUpper().Split(',');
@@ -370,6 +365,11 @@ namespace Inveigh
argIgnoreMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(',');
break;
+ case "-IGNOREQUERIES":
+ case "/IGNOREQUERIES":
+ argIgnoreQueries = arguments[entry.index + 1].ToUpper().Split(',');
+ break;
+
case "-INSPECT":
case "/INSPECT":
argInspect = arguments[entry.index + 1].ToUpper();
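Review bot: The new `-IGNOREQUERIES` case reads `arguments[entry.index + 1]` without checking that a value follows the switch, so passing the switch as the last argument would throw IndexOutOfRangeException unless a try/catch outside this hunk covers it. The `-REPLYTOQUERIES` case added in the later hunk has the same shape. A guard such as `if (entry.index + 1 >= arguments.Length)` that reports the missing value before indexing would make the failure explicit. The enclosing switch starts and ends outside the hunk, so existing handling could not be confirmed from here.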
@@ -545,11 +545,6 @@ namespace Inveigh
argReplyToDomains = arguments[entry.index + 1].ToUpper().Split(',');
break;
- case "-REPLYTOHOSTS":
- case "/REPLYTOHOSTS":
- argReplyToHosts = arguments[entry.index + 1].ToUpper().Split(',');
- break;
-
case "-REPLYTOIPS":
case "/REPLYTOIPS":
argReplyToIPs = arguments[entry.index + 1].ToUpper().Split(',');
@@ -558,7 +553,12 @@ namespace Inveigh
case "-REPLYTOMACS":
case "/REPLYTOMACS":
argReplyToMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(',');
- break;
+ break;
+
+ case "-REPLYTOQUERIES":
+ case "/REPLYTOQUERIES":
+ argReplyToQueries = arguments[entry.index + 1].ToUpper().Split(',');
+ break;
case "-WEBDAV":
case "/WEBDAV":
diff --git a/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs b/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs
index 7a17131..673cbe1 100644
--- a/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs
+++ b/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs
@@ -41,6 +41,7 @@ using System.Security.Authentication;
using System.Net.Security;
using Quiddity.Support;
using System.Collections;
+using System.Collections.Generic;
namespace Quiddity
{
@@ -64,6 +65,7 @@ namespace Quiddity
public static bool isRunning = false;
public const SslProtocols tls12 = (SslProtocols)0x00000C00;
public static Hashtable httpSessionTable = Hashtable.Synchronized(new Hashtable());
+ public static Hashtable tcpSessionTable = Hashtable.Synchronized(new Hashtable());
public HTTPListener()
{
@@ -118,8 +120,18 @@ namespace Quiddity
if (isRunning)
{
TcpClient tcpClient = tcpListener.EndAcceptTcpClient(tcpAsync);
- object[] parameters = { tcpClient, type, port };
- ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters);
+ string sourceIP = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Address.ToString();
+
+ if (type.Equals("Proxy") && tcpSessionTable.ContainsKey(sourceIP) && DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) > 0)
+ {
+ tcpClient.Client.Close();
+ }
+ else
+ {
+ object[] parameters = { tcpClient, type, port };
+ ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters);
+ }
+
}
}
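Review bot: The throttle test `DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) > 0` uses local wall-clock time, so a DST shift or clock adjustment can stretch or cancel the block window; `DateTime.UtcNow` here and in the later hunk that writes `DateTime.Now.AddSeconds(1)` avoids that. The condition also looks the key up twice (`ContainsKey`, then the indexer); reading once with `object blockedUntil = tcpSessionTable[sourceIP];` and testing `blockedUntil != null && (DateTime)blockedUntil > DateTime.UtcNow` is shorter and stays safe if entries are ever removed concurrently. The enclosing callback starts outside the hunk.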
@@ -490,6 +502,12 @@ namespace Quiddity
if (type.Equals("Proxy"))
{
tcpClient.Client.Close();
+
+ if (!tcpSessionTable.ContainsKey(sourceIP) || DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) <= 0)
+ {
+ tcpSessionTable[sourceIP] = DateTime.Now.AddSeconds(1);
+ }
+
}
else
{
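Review bot: `tcpSessionTable[sourceIP] = DateTime.Now.AddSeconds(1)` adds one entry per source address and nothing visible in this diff ever removes it, so the static table grows for the life of the process. Removing an entry once it is found expired, or pruning periodically, would bound it. The one-second window is a bare literal; a named constant with a comment saying why proxy connections are throttled would document the intent. `sourceIP` and the enclosing method are defined outside the hunk.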
diff --git a/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs b/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs
index c70bd7d..5ffd513 100644
--- a/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs
+++ b/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs
@@ -37,8 +37,8 @@ namespace Quiddity.DNS
{
class DNSChecker
{
- public string[] IgnoreHosts { get; set; }
- public string[] ReplyToHosts { get; set; }
+ public string[] IgnoreQueries { get; set; }
+ public string[] ReplyToQueries { get; set; }
public string[] IgnoreIPs { get; set; }
public string[] ReplyToIPs { get; set; }
public string[] IgnoreDomains { get; set; }
@@ -103,12 +103,12 @@ namespace Quiddity.DNS
this.OutputMessage = this.OutputServiceDenied;
return false;
}
- else if (HostIsDenied(name) || FQDNIsDenied(name))
+ else if (QueryIsDenied(name) || FQDNIsDenied(name))
{
this.OutputMessage = this.OutputHostDenied;
return false;
}
- else if (!HostIsAllowed(name) && !FQDNIsAllowed(name))
+ else if (!QueryIsAllowed(name) && !FQDNIsAllowed(name))
{
this.OutputMessage = this.OutputHostDenied;
return false;
@@ -193,11 +193,11 @@ namespace Quiddity.DNS
return true;
}
- public bool HostIsDenied(string name)
+ public bool QueryIsDenied(string name)
{
string host = (name.Split('.'))[0];
- if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == host.ToUpper()))
+ if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == host.ToUpper()))
{
return true;
}
@@ -205,11 +205,11 @@ namespace Quiddity.DNS
return false;
}
- public bool HostIsAllowed(string name)
+ public bool QueryIsAllowed(string name)
{
string host = (name.Split('.'))[0];
- if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == host.ToUpper()))
+ if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == host.ToUpper()))
{
return false;
}
@@ -220,7 +220,7 @@ namespace Quiddity.DNS
public bool FQDNIsDenied(string name)
{
- if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == name.ToUpper()))
+ if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == name.ToUpper()))
{
return true;
}
@@ -231,7 +231,7 @@ namespace Quiddity.DNS
public bool FQDNIsAllowed(string name)
{
- if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == name.ToUpper()))
+ if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == name.ToUpper()))
{
return false;
}
diff --git a/Inveigh/Support/Output.cs b/Inveigh/Support/Output.cs
index d44c10f..3d86a1a 100644
--- a/Inveigh/Support/Output.cs
+++ b/Inveigh/Support/Output.cs
@@ -592,12 +592,12 @@ namespace Inveigh
lock (Program.IPCaptureList)
{
- Program.IPCaptureList.Add(string.Concat(host));
+ Program.IPCaptureList.Add(sourceIP);
}
lock (Program.HostCaptureList)
{
- Program.HostCaptureList.Add(string.Concat(host));
+ Program.HostCaptureList.Add(host);
}
}
@@ -642,12 +642,12 @@ namespace Inveigh
lock (Program.IPCaptureList)
{
- Program.IPCaptureList.Add(string.Concat(host));
+ Program.IPCaptureList.Add(sourceIP);
}
lock (Program.HostCaptureList)
{
- Program.HostCaptureList.Add(string.Concat(host));
+ Program.HostCaptureList.Add(host);
}
}
@@ -680,6 +680,43 @@ namespace Inveigh
}
+ public static void CleartextOutput(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
+ {
+
+ bool isUnique = false;
+
+ if (Program.cleartextList.Any(str => str.Contains(credentials)))
+ {
+ isUnique = true;
+ }
+
+ lock (Program.cleartextList)
+ {
+ Program.cleartextList.Add(string.Concat(clientIP, ",", credentials));
+ }
+
+ if (Program.enabledConsoleUnique && isUnique)
+ {
+ Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n[not unique]", Timestamp(), protocol, listenerPort, clientIP, clientPort));
+ }
+ else
+ {
+ Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n{5}", Timestamp(), protocol, listenerPort, clientIP, clientPort, credentials));
+ }
+
+ if (Program.enabledFileOutput && (!Program.enabledFileUnique || !isUnique))
+ {
+
+ lock (Program.cleartextFileList)
+ {
+ Program.cleartextFileList.Add(string.Concat(clientIP, ",", credentials));
+ }
+
+ Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials written to {3}", Timestamp(), protocol, listenerPort, String.Concat(Program.argFilePrefix, "-Cleartext.txt")));
+ }
+
+ }
+
public static void FileOutput()
{
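Review bot: `Program.cleartextList.Any(...)` in CleartextOutput enumerates the list before `lock (Program.cleartextList)` is taken, so if listeners call this from several threads (the lock suggests they do) a concurrent Add can throw "Collection was modified", and two threads can both miss the same duplicate. Doing the lookup and the Add under one lock, as in the block below, closes both gaps. The flag is named `isUnique` but is set to true when the credentials were already present; a name such as `alreadySeen` would match how the later branches use it. Separately, `credentials` appears to originate from the remote client and is passed to `Queue` unmodified, so escaping CR/LF and other control characters first would stop a client from forging extra lines in the console and file output.

```csharp
bool isUnique;

// Lookup and insert under one lock so the list is never enumerated while another thread adds to it.
lock (Program.cleartextList)
{
    isUnique = Program.cleartextList.Any(str => str.Contains(credentials));
    Program.cleartextList.Add(string.Concat(clientIP, ",", credentials));
}

// … unchanged: console and file output branches …
```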
@@ -1005,10 +1042,10 @@ namespace Inveigh
OutputHelp(argument, description);
}
- if (nullarg || string.Equals(arg, "IGNOREHOSTS"))
+ if (nullarg || string.Equals(arg, "IGNOREQUERIES"))
{
- string argument = "IgnoreHosts";
- string description = "Default=None: Comma separated list of hostnames to ignore when spoofing.";
+ string argument = "IgnoreQueries";
+ string description = "Default=None: Comma separated list of name queries to ignore when spoofing.";
OutputHelp(argument, description);
}
@@ -1117,13 +1154,6 @@ namespace Inveigh
OutputHelp(argument, description);
}
- if (nullarg || string.Equals(arg, "REPLYTOHOSTS"))
- {
- string argument = "ReplyToHosts";
- string description = "Default=All: Comma separated list of hostnames to respond to when spoofing.";
- OutputHelp(argument, description);
- }
-
if (nullarg || string.Equals(arg, "REPLYTOIPS"))
{
string argument = "ReplyToIPs";
@@ -1138,6 +1168,13 @@ namespace Inveigh
OutputHelp(argument, description);
}
+ if (nullarg || string.Equals(arg, "REPLYTOQUERIES"))
+ {
+ string argument = "ReplyToqueries";
+ string description = "Default=All: Comma separated list of name queries to respond to when spoofing.";
+ OutputHelp(argument, description);
+ }
+
if (nullarg || string.Equals(arg, "SPOOFERIP"))
{
string argument = "SpooferIP";
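Review bot: The help entry uses `"ReplyToqueries"` with a lowercase q, while the command-line switch, the README and the shell help all spell it `ReplyToQueries`; the line should read `string argument = "ReplyToQueries";`. The surrounding help method starts and ends outside the hunk.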
diff --git a/Inveigh/Support/Shell.cs b/Inveigh/Support/Shell.cs
index bfe5037..aed362c 100644
--- a/Inveigh/Support/Shell.cs
+++ b/Inveigh/Support/Shell.cs
@@ -34,11 +34,11 @@ namespace Inveigh
"get ntlmv2usernames",
"get cleartext",
"get cleartextunique",
- "get replytohosts",
+ "get replytoqueries",
"get replytoips",
"get replytodomains",
"get replytomacs",
- "get ignorehosts",
+ "get ignorequeries",
"get ignoreips",
"get ignoredomains",
"get ignoremacs",
@@ -436,13 +436,13 @@ namespace Inveigh
GetNTLMv2Usernames(value);
break;
- case "GET REPLYTOHOSTS":
- foreach (string entry in Program.argReplyToHosts)
+ case "GET REPLYTOQUERIES":
+ foreach (string entry in Program.argReplyToQueries)
Console.WriteLine(entry);
break;
- case "GET IGNOREHOSTS":
- foreach (string entry in Program.argIgnoreHosts)
+ case "GET IGNOREQUERIES":
+ foreach (string entry in Program.argIgnoreQueries)
Console.WriteLine(entry);
break;
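Review bot: `foreach (string entry in Program.argReplyToQueries)` will throw NullReferenceException when the parameter was not supplied, because the field is declared in Program.cs without an initializer and, as far as this diff shows, is only assigned in its command-line case. `GET IGNOREQUERIES` in this hunk and `GET IGNOREIPS` in the next hunk have the same shape. Guarding each loop with `if (Program.argReplyToQueries != null)`, or iterating `Program.argReplyToQueries ?? new string[0]`, keeps the shell command from failing on a default configuration. The enclosing switch continues outside the hunk.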
@@ -452,7 +452,7 @@ namespace Inveigh
break;
case "GET IGNOREIPS":
- foreach (string entry in Program.argIgnoreHosts)
+ foreach (string entry in Program.argIgnoreIPs)
Console.WriteLine(entry);
break;
@@ -544,14 +544,14 @@ namespace Inveigh
commands.Add("GET NTLMV2USERNAMES,get usernames and source IPs/hostnames for captured NTLMv2 hashes");
commands.Add("GET CLEARTEXT,get captured cleartext credentials");
commands.Add("GET CLEARTEXTUNIQUE,get unique captured cleartext credentials");
- commands.Add("GET REPLYTODOMAINS,get ReplyToDomains parameter startup values");
- commands.Add("GET REPLYTOHOSTS,get ReplyToHosts parameter startup values");
+ commands.Add("GET REPLYTODOMAINS,get ReplyToDomains parameter startup values");
commands.Add("GET REPLYTOIPS,get ReplyToIPs parameter startup values");
commands.Add("GET REPLYTOMACS,get ReplyToMACs parameter startup values");
+ commands.Add("GET REPLYTOQUERIES,get ReplyToQueries parameter startup values");
commands.Add("GET IGNOREDOMAINS,get IgnoreDomains parameter startup values");
- commands.Add("GET IGNOREHOSTS,get IgnoreHosts parameter startup values");
commands.Add("GET IGNOREIPS,get IgnoreIPs parameter startup values");
commands.Add("GET IGNOREMACS,get IgnoreMACs parameter startup values");
+ commands.Add("GET IGNOREQUERIES,get IgnoreQueries parameter startup values");
commands.Add("SET CONSOLE,set Console parameter value");
commands.Add("HISTORY,get command history");
commands.Add("RESUME,resume real time console output");
diff --git a/README.md b/README.md
index fc352ec..94f4bc7 100644
--- a/README.md
+++ b/README.md
@@ -147,11 +147,13 @@ Spoofers:
-IgnoreDomains Default=None: Comma separated list of domains to ignore when spoofing.
- -IgnoreHosts Default=None: Comma separated list of hostnames to ignore when spoofing.
+
-IgnoreIPs Default=Local: Comma separated list of source IP addresses to ignore when spoofing.
-IgnoreMACs Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
+
+ -IgnoreQueries Default=None: Comma separated list of name queries to ignore when spoofing.
-Local Default=Disabled: (Y/N) performing spoofing attacks against the host system.
@@ -179,11 +181,11 @@ Spoofers:
-ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.
- -ReplyToHosts Default=All: Comma separated list of hostnames to respond to when spoofing.
-
-ReplyToIPs Default=All: Comma separated list of source IP addresses to respond to when spoofing.
-ReplyToMACs Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
+
+ -ReplyToQueries Default=All: Comma separated list of name queries to respond to when spoofing.
-SpooferIP Default=Autoassign: IP address included in spoofing responses.
@@ -494,13 +496,13 @@ GET NTLMV2USERNAMES | get usernames and source IPs/hostnames for cap
GET CLEARTEXT | get captured cleartext credentials
GET CLEARTEXTUNIQUE | get unique captured cleartext credentials
GET REPLYTODOMAINS | get ReplyToDomains parameter startup values
-GET REPLYTOHOSTS | get ReplyToHosts parameter startup values
GET REPLYTOIPS | get ReplyToIPs parameter startup values
GET REPLYTOMACS | get ReplyToMACs parameter startup values
+GET REPLYTOQUERIES | get ReplyToQueries parameter startup values
GET IGNOREDOMAINS | get IgnoreDomains parameter startup values
-GET IGNOREHOSTS | get IgnoreHosts parameter startup values
GET IGNOREIPS | get IgnoreIPs parameter startup values
GET IGNOREMACS | get IgnoreMACs parameter startup values
+GET IGNOREQUERIES | get IgnoreQueries parameter startup values
SET CONSOLE | set Console parameter value
HISTORY | get command history
RESUME | resume real time console output