Inveigh - .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

Age	Commit message (Collapse)	Author	Files	Lines
2018-02-19	Inveigh 1.4 dev	Kevin Robertson	1	-87/+0
	This is an early version of Inveigh 1.4. There is probably alot that is broken. Inveigh: 1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS records if the same LLMNR/NBNS request is observed from multiple systems. The goal is to find requests that could be valid in other subnets and leverage them through DNS. This version requires that Inveigh is running with a domain auth user context. 2. Reworked output system and formating. 3. hmm...I forget. Inveigh Relay: 1. New attack with Invoke-TheHash integration - In addition to that standard psexec style attack, Inveigh Relay now has the ability to create and maintain authenticated priv and unpriv SMB2 sessions. These sessions can be used by Invoke-SMBClient (attack file shares) and Invoke-SMBExec. Invoke-InveighRelay -Attack session -Target 10.10.10.10 wait for relay Get-Inveigh -session Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share 2. Multitarget - Inveigh Relay will now accept an array of targets. As relay attempts come in, Inveigh Relay will attempt to select the best target (still needs work). 3. SMB signing check for targets on startup. 4. Reworked output system and formating. I'm temporarily housing newer versions of Invoke-DNSUpdate, Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into the same powershell session for integration to work. There is also probably a lot broken with these.
2016-08-21	Early version of Inveigh 1.2 with the new Inveigh-Unprivileged script. This ↵	Kevin Robertson	1	-0/+87
	is still a work in progress and has not been fully tested. 1. Inveigh-Unprivileged – This script contains only LLMNR/NBNS spoofing and hash capture methods that do not require local admin access. The NBNS spoofer can be used without disabling the local NBNS service. The LLMNR spoofer does require stopping (needs admin) the local service and freeing up port 5355. It will work without admin on a system with LLMNR disabled. This script replaces Inveigh-BruteForce since it contains the same functionality. Note that there can still be systems configurations that will prevent Inveigh-Unprivileged from working, and require admin access to change (e.g. local firewall blocking traffic, LLMNR enabled). 2. Extras – Added an extras directory for functions that don’t fit the main scripts. a. Send-NBNSResponse – This function sends a crafted NBNS response packet to a specific target. For name resolution to be successful, the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been able to get it to work manually by watching tshark with the the transaction ID being listed in the output. Ideally, this function would be fed by another script. b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to use manually. c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be sent from a NBNS enabled system on the same subnet using ping, etc.