Age | Commit message | Author | Files | Lines
2022-09-18dev buildsdevkevin121-951/+2230
2021-12-14 | output fix | Kevin Robertson | 1 | -14/+18
2021-12-14 | bug fixes, new output level | Kevin Robertson | 5 | -25/+67
2021-11-30 | bug fixes | Kevin Robertson | 149 | -604/+18178
2019-07-23 | latest dev build | Kevin Robertson | 2 | -404/+447
cleanup
2019-05-05 | bug fixes | Kevin Robertson | 2 | -18/+19
2019-03-10 | Added features and tweaks | Kevin Robertson | 2 | -223/+600
Added DNS spoofer. Added GQBL NS bypass for wpad to ADIDNS attacks. HTTP listener improvements.
2019-02-26 | Merge branch 'dev' of https://github.com/Kevin-Robertson/Inveigh into dev | Kevin Robertson | 1 | -1/+1
2019-02-26 | Kerberos TGT capture added to HTTP | Kevin Robertson | 2 | -310/+389
Both SMB sniffer and the HTTP/HTTPS/Proxy listener can now capture Kerberos TGTs in kirbi format.
2019-02-26 | Update Inveigh.ps1 | Kevin Robertson | 1 | -3/+3
2019-02-25 | Added SMB Kerberos TGT capture and kirbi output | Kevin Robertson | 3 | -52/+635
Added SMB Kerberos TGT capture through packet sniffing and kirbi output. To use, credentials are required for an account with unconstrained delegation. This is still in the early stages. I'm not using an ASN.1 library so there is probably lots that can throw off the parsing.
2019-02-20 | Bug fixes | Kevin Robertson | 1 | -33/+45
2019-02-14 | Pcap output, more SMB info, bug fixes | Kevin Robertson | 2 | -155/+348
Added pcap output to either a file or in memory ArrayList. Added more output for SMB authentication activity. Fixed some Inveigh-Relay bugs.
2019-01-30 | Updated impacket link | Kevin Robertson | 1 | -1/+1
2019-01-30 | Kerberos detection and bug fixes | Kevin Robertson | 3 | -27/+74
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
2018-09-25 | Link fix | Kevin Robertson | 1 | -2/+2
2018-09-25 | Readme update | Kevin Robertson | 1 | -1/+3
Added Invoke-TheHash link
2018-09-25 | Dev branch sync | Kevin Robertson | 3 | -804/+1736
2018-09-16 | Final 1.4 Dev Version | Kevin Robertson | 5 | -10712/+2086
Added ConvertTo-Inveigh (powershell 3+) for importing BloodHound JSON files for Inveigh Relay. Lots of updates and bug fixes.
2018-07-10 | Inveigh 1.4 dev update | Kevin Robertson | 3 | -2359/+2328
Invoke-Inveigh - Added ADIDNS spoofing combo and wildcard attacks. Removed dynamic updates combo attack. Invoke-InveighRelay - Latest revision of the new multi-host targeting system. I haven't yet had a chance to create a tool for importing CSV files from bloodhound. I was able to match up the data formatting though.
2018-05-08 | More targeting logic and bug fixes | Kevin Robertson | 2 | -134/+354
Added some more targeting logic. Added access denied handling for enumeration.
2018-05-03 | Inveigh-Relay - Enum output, bug fixes | Kevin Robertson | 1 | -565/+629
Added real time output for the enumerate attack. Added try/catches to the smb relay functions and did a few bug fixes.
2018-05-02 | Inveigh-Relay and Invoke-SMBEnum group membership updates | Kevin Robertson | 2 | -19/+65
Added ability to Inveigh-Relay and Invoke-SMBEnum to identify groups vs users when enumerating group memberships.
2018-05-01 | Inveigh-Relay new attack and targeting system | Kevin Robertson | 5 | -5180/+6921
Inveigh-Relay

1. Added a new attack mode 'Enumerate'. This attack mode will leverage relayed connections to perform system enumeration. Right now I have local users, local admins, shares, and netsessions.
2. Attacks can now be combined. Session, Enumerate, and Execute can all be enabled at the same time. They will be chained together.
3. New multi-target system to replace the new multi-target system from the last dev update:) Inveigh-Relay will leverage the data gathered through enumeration to make relay target selections. Here's a simplistic example:
   a. Inveigh-Relay receives an incoming connection from 192.168.1.1 and relays the connection to 192.168.1.2.
   b. During the NTLM relay, the module records the user (test1) that is relayed from 192.168.1.1.
   c. The relayed connection is used to enumerate details on 192.168.1.2. The local admin group is found to include the user test2.
   d. test1 is found to not be privileged on 192.168.1.2.
   e. Inveigh-Relay receives an incoming connection from 192.168.1.3 and relays the connection to 192.168.1.4.
   f. During the NTLM relay, the module records the user (test2) that is relayed from 192.168.1.3.
   g. The relayed connection is used to enumerate details on 192.168.1.4.
   h. test2 is found to not be privileged on 192.168.1.4.
   i. Inveigh-Relay receives another connection from 192.168.1.3.
   j. Since test2 was previously observed on 192.168.1.3 and 192.168.1.2 has test2 in its local admin group, 192.168.1.2 is selected as a relay target.
   k. test2 is found to be privileged on 192.168.1.2.
   l. Depending on the attack selection, either a privileged session is established, a command is executed, or both.
   This is still in a very early stage and not production ready. I need to add a lot more logic to do things like prioritizing systems hosting shares with the session attack, etc. I also need to sort out gathering and importing the enumeration data used for targeting if you already have domain access. This will also open up making matches based on domain group membership. Bloodhound data should also work for targeting. I just need to work out how to match username formats, etc. Most of the enumeration data is stored in $inveigh.enumeration_list.
4. Target parameter will now accept CIDR and IP ranges. Invalid targets (as long as it's not a huge amount) are filtered out as part of the targeting process.
5. I took out SMB1 support. It only worked for command execution and removing it greatly simplifies things. The old version will still work if SMB1 is required.

I should be back to regular updates leading up to the release of 1.4. The enumeration code took some time.
2018-03-26 | Updated Invoke-SMBEnum | Kevin Robertson | 1 | -1003/+2096
2018-03-01 | Added Invoke-SMBEnum | Kevin Robertson | 3 | -70/+2160
Dev version of Invoke-SMBEnum for performing enum tasks over SMB with PTH and Inveigh-Relay sessions. Right now it just enumerates shares, netsessions, and local users. Also fixed some minor Invoke-SMBClient and Invoke-SMBExec issues.
2018-02-21 | Session refresh change and bug fixes | Kevin Robertson | 1 | -7/+35
The SMB echo wasn't keeping sessions open on Windows 7. Switched to tree connect/disconnect for now. Output and signing check fix.
2018-02-20 | Inveigh 1.4 dev bug fixes | Kevin Robertson | 4 | -465/+495
Fixed a lot of bugs with the new Inveigh Relay session attack mode. Tweaked the SMB2 credits in Inveigh-Relay, Invoke-SMBExec, and Invoke-SMBClient to hopefully keep the sessions from erroring out after lots of repeated use. Switched to an SMB2 Echo to keep the sessions active. Fixed some output issues. Multitarget still isn't working correctly.
2018-02-19 | Inveigh 1.4 dev | Kevin Robertson | 11 | -5737/+12399
This is an early version of Inveigh 1.4. There is probably a lot that is broken.

Inveigh:

1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS records if the same LLMNR/NBNS request is observed from multiple systems. The goal is to find requests that could be valid in other subnets and leverage them through DNS. This version requires that Inveigh is running with a domain auth user context.
2. Reworked output system and formatting.
3. hmm...I forget.

Inveigh Relay:

1. New attack with Invoke-TheHash integration - In addition to that standard psexec style attack, Inveigh Relay now has the ability to create and maintain authenticated priv and unpriv SMB2 sessions. These sessions can be used by Invoke-SMBClient (attack file shares) and Invoke-SMBExec.

       Invoke-InveighRelay -Attack session -Target 10.10.10.10
       wait for relay
       Get-Inveigh -session
       Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share

2. Multitarget - Inveigh Relay will now accept an array of targets. As relay attempts come in, Inveigh Relay will attempt to select the best target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formatting.

I'm temporarily housing newer versions of Invoke-DNSUpdate, Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into the same powershell session for integration to work. There is also probably a lot broken with these.
2017-09-25 | ResponderGuard defense | Kevin Robertson | 3 | -412/+681
Inveigh will now ignore NBNS/LLMNR requests sent directly to the host IP address rather than the broadcast/multicast address.
2017-04-05 | small update | Kevin Robertson | 2 | -2/+2
2017-04-04 | Last fixes | Kevin Robertson | 2 | -1/+11
2017-04-03 | bug fixes | Kevin Robertson | 2 | -55/+61
2017-04-02 | Update README.md | Kevin Robertson | 1 | -1/+3
2017-04-02 | mDNS spoofer, log control, bug fixes | Kevin Robertson | 3 | -875/+1882
Added mDNS spoofer. Simplified some HTTP listener code. Added LogOutput and ConsoleQueueLimit parameters to control in-memory log entry storage. Fixed some bugs.
2017-03-27 | bug fixes and partial readme update | Kevin Robertson | 3 | -125/+83
2017-03-26 | POST request capture, ConsoleOutput levels, bug fixes | Kevin Robertson | 2 | -538/+723
Added additional ConsoleOutput levels. Inveigh.ps1 - Added ability to capture POST requests for use when serving up forms. Added limited ability to automatically serve content to browsers during proxy auth attacks.
2017-03-21 | Added Firefox blocking for proxy auth | Kevin Robertson | 2 | -41/+108
Added ProxyIgnore parameter for controlling browser user agent strings that get blocked from the proxy auth process. Firefox is listed by default since it doesn't play nice with the proxy failover.
2017-03-21 | Merged Inveigh and Inveigh-Unprivileged, added proxy auth | Kevin Robertson | 4 | -3014/+1565
I decided to do more for 1.3. I still need to do a lot of testing for these versions and make a few tweaks.

Inveigh.ps1 - I merged Inveigh and Inveigh-Unprivileged together without losing any functionality. By default, Inveigh will detect privilege and then run what's appropriate. Basically, an elevated privileged shell = old Inveigh, non-elevated = old Inveigh-Unprivileged. You can also set the mode manually through ElevatedPrivilege. I also added proxy authentication (thanks to Laurent Gaffie and Mubix for the idea from Responder) to grab challenge/response hashes or basic cleartext. Added support for serving HTA code through HTTPResponse or stored files.

Inveigh-Relay.ps1 - Added proxy authentication relay. Enabled NTLMv1 relay. Added auto-exit (RelayAutoExit) after success.

Inveigh-Unprivileged.ps1 - gone
2017-03-07 | Added support for longer commands with Inveigh-Relay | Kevin Robertson | 3 | -257/+443
Inveigh-Relay now supports longer commands such as the Empire 2.0 launchers. The current features in dev will likely be tested and released as Inveigh 1.3.
2017-02-22 | Bug fixes | Kevin Robertson | 2 | -6/+32
2017-02-06 | Fixed a bug that was causing auth failures during SMB relay | Kevin Robertson | 2 | -5/+5
2017-01-16 | Early 1.3 versions | Kevin Robertson | 4 | -951/+2621
Invoke-InveighRelay refactor - added SMB2 support and switched to an HTTP listener that does not require admin access. Admin access is still required if installing a cert for HTTPS. Note that the system running Invoke-InveighRelay can be targeted for privesc.
2016-09-13 | Readme fix | Kevin Robertson | 1 | -8/+8
2016-09-13 | Final 1.2 checks | Kevin Robertson | 3 | -156/+152
2016-09-12 | Just a few more small changes | Kevin Robertson | 3 | -8/+17
2016-09-11 | Small update | Kevin Robertson | 1 | -5/+10
2016-09-11 | Readme fix | Kevin Robertson | 1 | -10/+3
2016-09-11 | Another 1.2 update and new readme | Kevin Robertson | 4 | -1537/+1385
2016-09-09 | Web server and learning fixes | Kevin Robertson | 4 | -31/+60
Fixed some issues with the Inveigh-Unprivileged web server. Modified the Inveigh learning code so that it can handle multiple requests received in quick succession.