| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
cleanup
|
|
|
|
Added DNS spoofer.
Added GQBL NS bypass for wpad to ADIDNS attacks.
HTTP listener improvements.
|
|
Both SMB sniffer and the HTTP/HTTPS/Proxy listener can now capture Kerberos TGTs in kirbi format.
|
|
Added SMB Kerberos TGT capture through packet sniffing and kirbi output. To use, credentials are required for an account with unconstrained delegation.
This is still in the early stages. I'm not using an ASN.1 library so there is probably lots that can throw off the parsing.
|
|
|
|
Added pcap output to either a file or in memory ArrayList. Added more output for SMB authentication activity. Fixed some Inveigh-Relay bugs.
|
|
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
|
|
|
|
Added ConvertTo-Inveigh (powershell 3+) for importing BloodHound JSON files for Inveigh Relay. Lots of updates and bug fixes.
|
|
Invoke-Inveigh - Added ADIDNS spoofing combo and wildcard attacks. Removed dynamic updates combo attack.
Invoke-InveighRelay - Latest revision of the new multi-host targeting system. I haven't yet had a chance to create a tool for importing CSV files from bloodhound. I was able to match up the data formatting though.
|
|
Added some more targeting logic. Added access denied handling for enumeration.
|
|
Added real time output for the enumerate attack. Added try/catches to
the smb relay functions and did a few bug fixes.
|
|
Added ability to Inveigh-Relay and Invoke-SMBEnum to identify groups vs
users when enumerating group memberships.
|
|
Inveigh-Relay
1. Added a new attack mode 'Enumerate'. This attack mode will leverage
relayed connections to perform system enumeration. Right now I have
local users, local admins, shares, and netsessions.
2. Attacks can now be combined. Session, Enumerate, and Execute can all
be enabled at the same time. They will be chained together.
3. New multi-target system to replace the new multi-target system from
the last dev update:) Inveigh-Relay will leverage the data gathered
through enumeration to make relay target selections.
Here's a simplistic example:
a. Inveigh-Relay receives and incoming connection from 192.168.1.1 and
relays the connection to 192.168.1.2.
b. During the NTLM relay, the module records the user (test1) that is
relayed from 192.168.1.1.
c. The relayed connection is used to enumerate details on 192.168.1.2.
The local admin group is found to include the user test2.
d. test1 is found to not be privileged on 192.168.1.2.
e. Inveigh-Relay receives an incoming connection from 192.168.1.3 and
relays the connection to 192.168.1.4.
f. During the NTLM relay, the module records the user (test2) that is
relayed from 192.168.1.3.
g. The relayed connection is used to enumerate details on 192.168.1.4.
h. test2 is found to not be privileged on 192.168.1.4.
i. Inveigh-Relay receives another connection from 192.168.1.3.
j. Since test2 was previously observed on 192.168.1.3 and 192.168.1.2
has test2 in its local admin group, 192.168.1.2 is selected as a relay
target.
k. test2 is found to be privileged on 192.168.1.2.
l. Depending on the attack selection, either a privileged session is
established, a command is executed, or both.
This is still in a very early stage and not production ready. I need to
add a lot more logic to do things like prioritizing systems hosting
shares with the session attack, etc. I also need to sort out gathering
and importing the enumeration data used for targeting if you already
have domain access. This will also open up making matches based on
domain group membership. Bloodhound data should also work for targeting.
I just need to work out how to match username formats, etc.
Most of the enumeration data is stored in $inveigh.enumeration_list.
4. Target parameter will now accept CIDR and IP ranges. Invalid targets
(as long as it's not a huge amount) are filtered out as part of the
targeting process.
5. I took out SMB1 support. It only worked for command execution and
removing it greatly simplifies things. The old version will still work
if SMB1 is required.
I should be back to regular updates leading up to the release of 1.4.
The enumeration code took some time.
|
|
The SMB echo wasn't keeping sessions open on Windows 7. Switched to tree
connect/disconnect for now. Output and signing check fix.
|
|
Fixed a lot of bugs with the new Inveigh Relay session attack mode.
Tweaked the SMB2 credits in Inveigh-Relay, Invoke-SMBExec, and
Invoke-SMBClient to hopefully keep the sessions from erroring out after
lots of repeated use. Switched to an SMB2 Echo to keep the sessions
active. Fixed some output issues.
Multitarget still isn't working correctly.
|
|
This is an early version of Inveigh 1.4. There is probably alot that is
broken.
Inveigh:
1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS
records if the same LLMNR/NBNS request is observed from multiple
systems. The goal is to find requests that could be valid in other
subnets and leverage them through DNS. This version requires that
Inveigh is running with a domain auth user context.
2. Reworked output system and formating.
3. hmm...I forget.
Inveigh Relay:
1. New attack with Invoke-TheHash integration - In addition to that
standard psexec style attack, Inveigh Relay now has the ability to
create and maintain authenticated priv and unpriv SMB2 sessions. These
sessions can be used by Invoke-SMBClient (attack file shares) and
Invoke-SMBExec.
Invoke-InveighRelay -Attack session -Target 10.10.10.10
wait for relay
Get-Inveigh -session
Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share
2. Multitarget - Inveigh Relay will now accept an array of targets. As
relay attempts come in, Inveigh Relay will attempt to select the best
target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formating.
I'm temporarily housing newer versions of Invoke-DNSUpdate,
Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into
the same powershell session for integration to work. There is also
probably a lot broken with these.
|
|
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
|
|
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|