Age | Commit message | Author | Files | Lines
https://github.com/Kevin-Robertson/Inveigh/issues/20
Added privileged and unprivileged DNS spoofer capable of answering incoming DNS requests.
New ADIDNS attack called NS that can add an NS record to direct DNS requests to Inveigh host. Using this with WPAD can bypass the global query block list (GQBL). https://blog.netspi.com/adidns-revisited/
Pcap TCP and UDP output.
New packet sniffing output including incoming SYN packets, kerberos auth negotiation, null responses, local DNS requests.
Kerberos kirbi output for unconstrained delegation attacks. - https://blog.netspi.com/machineaccountquota-is-useful-sometimes/
Inveigh
Added ADIDNS attacks
New detection evasions
Inveigh Relay
Added session and enumerate attacks
Added ability to handle multiple targets with target selection based on the enumerate attack and/or BloodHound imports
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
Changed the real time console update loop location to get rid of the
remaining writelines and work better with Empire. Removed Hide-Inveigh
since it was no longer needed. Added the 'Tool' parameter to easily set
the proper options when running through other tools. Right now,
Metasploit Interactive PowerShell sessions and PowerShell Empire are
selectable. Also, added additional parameters and code so that Inveigh
runs better with those tools.
Inveigh should now be executed as a module rather than a standalone
script. There are multiple cmdlets for interacting with Inveigh. Also
fixed a file encoding issue that was causing problems with IEX.
Added a sleep to the main console loop to keep CPU from spiking.
Modified the SMB capture functions to remove the need to handle SMB
versions differently. To help avoid IDS/IPS, I also added a -challenge
parameter for setting a custom HTTP/HTTPS NTLM challenge. If this
parameter is left blank, a random challenge will be generated for each
HTTP/HTTPS request. To use the traditional 1122334455667788 challenge,
simply use -challenge 1122334455667788. Finally, the console prompt can
be enabled/disabled with the -consoleprompt parameter.
Added validation to ensure that a relay target and command are specified
if SMB relay is enabled.
The old generic add user example would not work on a system with complex
password requirements. Added an actual username and password to avoid
confusion.
Added some additional SMB relay limiters to lessen the amount of
unnecessary relay attempts. Inveigh will not attempt to relay from the
relay target back to itself. Inveigh will also not attempt to relay with
a username that has already failed against a target due to either not
authenticating or not being a local admin. There is also now a parameter
for specifying usernames to relay. If this parameter is used, usernames
not on the list will not be relayed.
This version contains the first pass at SMB relay. It will currently
relay HTTP/HTTPS NTLMv2 to SMB. It will perform a psexec style, command
only (no file upload) execution. It will attempt to delete the temp
service after the service is started. Launching shells directly through
the command may delay or prevent the service deletion. In the event that
manual deletion is needed, the display name of the added service is
IVSRV plus some random characters. The error/status checking needs a lot
of work. The current messages cannot be completely trusted.
The spoofer/sniffer loop has been placed in a runspace to permit
interaction with the console while Inveigh is running. Pressing enter
will now bring up a prompt. In addition to ctrl+c, Inveigh can be exited
using the quit command. Avoid using ctrl+c while the prompt is open
since it will bypass the shutdown function.
loader script for easier execution as a payload.
Added '-OutputDir' parameter for controlling the output directory. Added
'Inveigh-Loader.ps1' script which has additional options for running
Inveigh as an unattended payload. Performed some cleanup. Updated
screenshot in readme.
LLMNR/NBNS spoofing IPs.
Fixed a bug that prevented SMB server challenges from being captured
when NBNS spoofing was disabled. The listening IP can now be set with
the '-IP' parameter and the LLMNR/NBNS spoofing IP can be set with
'-SpooferIP'. Both parameters are optional. If not set, the listening IP
will be used for '-SpooferIP'. Replaced the one write-host with a
write-warning. Removed the '-help' parameter.
Added ability to enable/disable spoofing specific NBNS types with the
-NBNSTypes parameter. Cleaned up parameter validation code.
Added '-Output' option to enable/disable most console output and all
file output. 0 = Console Enabled/File Enabled, 1 = Console Enabled/File
Disabled, 2 = Console Disabled/File Enabled. 0 is default.
HTTPS captures can now be enabled. The default setting is disabled. Note
that if HTTPS is enabled, the cert file needs to be in the same
directory as the script. The cert will be installed in the local machine
certificate store and bound to port 443. The script should remove the
cert from the store and delete the binding on exit. If needed, see HTTPS
parameter comments in the script or execute "Get-help .\Inveigh.ps1
-parameter https" for manual cert cleanup instructions.
ForceWPADAuth matches Responder option to enable/disable authentication
for wpad.dat GET requests. Disabling can prevent browser login prompts.
The option is currently enabled by default.
Added '-repeat y/n' option that can suppress repeat LLMNR/NBNS spoofs by
IP address. Once a user challenge/response has been captured from an IP
address, no additional LLMNR/NBNS spoofed responses will be sent to that
IP.
Script can now find a local IP to listen on. This will help when using
the script as a payload.
Disabling LLMNR/NBNS now just disables sending spoofed responses.
Requests are now displayed and logged.
Added support for attacking Windows XP clients. Fixed malformed NBNS
response packet and incorrect HTTP NTLMv2 output file.
Conflicts:
Inveigh.ps1
This reverts commit bbc9752d61a740cea6bbafca6363d11e745b3f21.