Decide on NTLMv1 vs. NTLMv2 by inspecting the length of the NTLM
response data, not by the presence of LM data. Prior to the patch, if
an LMv2 response was included, Inveigh would output a badly formatted
hash calling it 'NTLMv1'.
Use all four bytes for offset data (just in case).
Simplify string extraction by requiring the use of an offset. Always
use the offsets from the message header instead of assuming a certain
content ordering.
Removed Get-InveighStat reference
Contains a few rounds of code cleanup and the following changes:
Parameters Added to Invoke-Inveigh:
ConsoleUnique - Enable/Disable displaying challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time console output is enabled.
FileUnique - Enable/Disable outputting challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time file output is enabled.
ConsoleStatus - Set interval in minutes for displaying all unique
captured hashes and credentials. This is useful for displaying full
capture lists when running through a shell that does not have access to
the support functions.
WPADEmptyFile - Enable/Disable serving a proxyless, all direct, wpad.dat
file for wpad.dat requests. Enabling this setting can reduce the amount
of redundant wpad.dat requests. This parameter is ignored when using
WPADIP, WPADPort, or WPADResponse.
Fixed:
Corrected an issue that was preventing the MachineAccounts parameter
from being fully enabled in all three scripts.
Removed Support Functions:
Get-InveighStat
Get-InveighNTLM
Updated some comments and notes. Replaced ForEach alias with
ForEach-Object.
Added NBNS brute force note and fixed typo
Second attempt at getting the Invoke-InveighBruteForce example right :)
The Invoke-InveighBruteForce example listed the wrong function
New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.
Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control
Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
certificate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.
Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
certificate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.
Added p0wnedShell link to the included in section. Removed the SMB relay
note to sync with Inveigh.ps1 notes.
LLMNR/NBNS spoofer:
SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular
control over what systems to respond to when spoofing.
SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular
control over what requested hostnames to respond to when spoofing. Note
that SpooferHostsAccept replaces SpoofList.
SpooferRepeat - This parameter replaces Repeat in order to sync the
parameter name with the prefix used for other spoofer parameters.
HTTP/HTTPS Listener:
HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS
non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be
used to capture cleartext credentials (thanks @xorrior!).
HTTPBasicRealm - Set a realm name if Basic auth is enabled.
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters
provide control over the content served by the listener.
HTTPSCertThumbprint - This parameter provides the ability to more easily
set the thumbprint for custom certs.
HTTP/HTTPS requests are now reported and/or logged.
WPAD:
WPADIP/WPADPort - These parameters provide the ability to configure a
proxy server on victim systems through WPAD.
WPADResponse - This parameter provides the ability to configure a
custom wpad.dat response rather than the basic one used by WPADIP and
WPADPort.
WPADAuth - This parameter provides the ability to set the HTTP/HTTPS
WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used
to capture cleartext credentials (thanks @xorrior!). Note that this
parameter replaces ForceWPADAuth.
Miscellaneous:
Get-InveighCleartext - Gets all captured cleartext credentials.
Inspect - This switch parameter serves as an easier way to inspect
LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR,
NBNS, HTTP, HTTPS, and SMB are disabled.
unique account
Added the 'unique' parameter to Get-InveighNTLMv1 and Get-InveighNTLMv2.
If 'unique' is enabled, only the first captured challenge/response for
each unique account will be displayed.
I found that I had some hard coded packet data that needed to be
dynamic. This was causing authentication failures on domain systems that
didn't match the specs (domain name length, etc) of my test domain.
Sorry!
Added the SpoofList parameter for listing specific hostnames to spoof
with LLMNR/NBNS. Stopped Inveigh from responding to AAAA LLMNR packets
received over IPv4. Fixed an NBNS display bug with 15-character
requests.
Added additional error handling for the command execution process. The
console and file output will now report the name of the temp service
created on the relay target. Removed an unnecessary packet and modified
some of the bytes within the remaining packets.
and psm1 and psd1 files
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
Changed the real time console update loop location to get rid of the
remaining writelines and work better with Empire. Removed Hide-Inveigh
since it was no longer needed. Added the 'Tool' parameter to easily set
the proper options when running through other tools. Right now,
Metasploit Interactive PowerShell sessions and PowerShell Empire are
selectable. Also, added additional parameters and code so that Inveigh
runs better with those tools.
Inveigh should now be executed as a module rather than a standalone
script. There are multiple cmdlets for interacting with Inveigh. Also
fixed a file encoding issue that was causing problems with IEX.
This has not been fully tested. See readme for details.
Added a sleep to the main console loop to keep CPU from spiking.
Modified the SMB capture functions to remove the need to handle SMB
versions differently. To help avoid IDS/IPS, I also added a -challenge
parameter for setting a custom HTTP/HTTPS NTLM challenge. If this
parameter is left blank, a random challenge will be generated for each
HTTP/HTTPS request. To use the traditional 1122334455667788 challenge,
simply use -challenge 1122334455667788. Finally, the console prompt can
be enabled/disabled with the -consoleprompt parameter.
Added validation to ensure that a relay target and command are specified
if SMB relay is enabled.
The old generic add user example would not work on a system with complex
password requirements. Added an actual username and password to avoid
confusion.
Added some additional SMB relay limiters to lessen the amount of
unnecessary relay attempts. Inveigh will not attempt to relay from the
relay target back to itself. Inveigh will also not attempt to relay with
a username that has already failed against a target due to either not
authenticating or not being a local admin. There is also now a parameter
for specifying usernames to relay. If this parameter is used, usernames
not on the list will not be relayed.
Added some additional SMB relay limiters to lessen the amount of
unnecessary relay attempts. Inveigh will not attempt to relay from the
relay target back to itself. Inveigh will also not attempt to relay with
a username that has already failed against a target due to either not
authenticating or not being a local admin. There is also now a parameter
for specifying usernames to relay. If this parameter is used, usernames
not on the list will not be relayed.
This version contains the first pass at SMB relay. It will currently
relay HTTP/HTTPS NTLMv2 to SMB. It will perform a psexec style, command
only (no file upload) execution. It will attempt to delete the temp
service after the service is started. Launching shells directly through
the command may delay or prevent the service deletion. In the event that
manual deletion is needed, the display name of the added service is
IVSRV plus some random characters. The error/status checking needs a lot
of work. The current messages cannot be completely trusted.
The spoofer/sniffer loop has been placed in a runspace to permit
interaction with the console while Inveigh is running. Pressing enter
will now bring up a prompt. In addition to ctrl+c, Inveigh can be exited
using the quit command. Avoid using ctrl+c while the prompt is open
since it will bypass the shutdown function.
Keeping the older version easily accessible until the new version is
tested more.
loader script for easier execution as a payload.
Added '-OutputDir' parameter for controlling the output directory. Added
'Inveigh-Loader.ps1' script which has additional options for running
Inveigh as an unattended payload. Performed some cleanup. Updated
screenshot in readme.
LLMNR/NBNS spoofing IPs.
Fixed a bug that prevented SMB server challenges from being captured
when NBNS spoofing was disabled. The listening IP can now be set with
the '-IP' parameter and the LLMNR/NBNS spoofing IP can be set with
'-SpooferIP'. Both parameters are optional. If not set, the listening IP
will be used for '-SpooferIP'. Replaced the one write-host with a
write-warning. Removed the '-help' parameter.