| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
cleanup
|
|
|
|
Added DNS spoofer.
Added GQBL NS bypass for wpad to ADIDNS attacks.
HTTP listener improvements.
|
|
|
|
Both SMB sniffer and the HTTP/HTTPS/Proxy listener can now capture Kerberos TGTs in kirbi format.
|
|
|
|
Added SMB Kerberos TGT capture through packet sniffing and kirbi output. To use, credentials are required for an account with unconstrained delegation.
This is still in the early stages. I'm not using an ASN.1 library so there is probably lots that can throw off the parsing.
|
|
Added pcap output to either a file or in memory ArrayList. Added more output for SMB authentication activity. Fixed some Inveigh-Relay bugs.
|
|
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
|
|
|
|
Added ConvertTo-Inveigh (powershell 3+) for importing BloodHound JSON files for Inveigh Relay. Lots of updates and bug fixes.
|
|
Invoke-Inveigh - Added ADIDNS spoofing combo and wildcard attacks. Removed dynamic updates combo attack.
Invoke-InveighRelay - Latest revision of the new multi-host targeting system. I haven't yet had a chance to create a tool for importing CSV files from bloodhound. I was able to match up the data formatting though.
|
|
Inveigh-Relay
1. Added a new attack mode 'Enumerate'. This attack mode will leverage
relayed connections to perform system enumeration. Right now I have
local users, local admins, shares, and netsessions.
2. Attacks can now be combined. Session, Enumerate, and Execute can all
be enabled at the same time. They will be chained together.
3. New multi-target system to replace the new multi-target system from
the last dev update:) Inveigh-Relay will leverage the data gathered
through enumeration to make relay target selections.
Here's a simplistic example:
a. Inveigh-Relay receives and incoming connection from 192.168.1.1 and
relays the connection to 192.168.1.2.
b. During the NTLM relay, the module records the user (test1) that is
relayed from 192.168.1.1.
c. The relayed connection is used to enumerate details on 192.168.1.2.
The local admin group is found to include the user test2.
d. test1 is found to not be privileged on 192.168.1.2.
e. Inveigh-Relay receives an incoming connection from 192.168.1.3 and
relays the connection to 192.168.1.4.
f. During the NTLM relay, the module records the user (test2) that is
relayed from 192.168.1.3.
g. The relayed connection is used to enumerate details on 192.168.1.4.
h. test2 is found to not be privileged on 192.168.1.4.
i. Inveigh-Relay receives another connection from 192.168.1.3.
j. Since test2 was previously observed on 192.168.1.3 and 192.168.1.2
has test2 in its local admin group, 192.168.1.2 is selected as a relay
target.
k. test2 is found to be privileged on 192.168.1.2.
l. Depending on the attack selection, either a privileged session is
established, a command is executed, or both.
This is still in a very early stage and not production ready. I need to
add a lot more logic to do things like prioritizing systems hosting
shares with the session attack, etc. I also need to sort out gathering
and importing the enumeration data used for targeting if you already
have domain access. This will also open up making matches based on
domain group membership. Bloodhound data should also work for targeting.
I just need to work out how to match username formats, etc.
Most of the enumeration data is stored in $inveigh.enumeration_list.
4. Target parameter will now accept CIDR and IP ranges. Invalid targets
(as long as it's not a huge amount) are filtered out as part of the
targeting process.
5. I took out SMB1 support. It only worked for command execution and
removing it greatly simplifies things. The old version will still work
if SMB1 is required.
I should be back to regular updates leading up to the release of 1.4.
The enumeration code took some time.
|
|
Fixed a lot of bugs with the new Inveigh Relay session attack mode.
Tweaked the SMB2 credits in Inveigh-Relay, Invoke-SMBExec, and
Invoke-SMBClient to hopefully keep the sessions from erroring out after
lots of repeated use. Switched to an SMB2 Echo to keep the sessions
active. Fixed some output issues.
Multitarget still isn't working correctly.
|
|
This is an early version of Inveigh 1.4. There is probably alot that is
broken.
Inveigh:
1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS
records if the same LLMNR/NBNS request is observed from multiple
systems. The goal is to find requests that could be valid in other
subnets and leverage them through DNS. This version requires that
Inveigh is running with a domain auth user context.
2. Reworked output system and formating.
3. hmm...I forget.
Inveigh Relay:
1. New attack with Invoke-TheHash integration - In addition to that
standard psexec style attack, Inveigh Relay now has the ability to
create and maintain authenticated priv and unpriv SMB2 sessions. These
sessions can be used by Invoke-SMBClient (attack file shares) and
Invoke-SMBExec.
Invoke-InveighRelay -Attack session -Target 10.10.10.10
wait for relay
Get-Inveigh -session
Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share
2. Multitarget - Inveigh Relay will now accept an array of targets. As
relay attempts come in, Inveigh Relay will attempt to select the best
target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formating.
I'm temporarily housing newer versions of Invoke-DNSUpdate,
Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into
the same powershell session for integration to work. There is also
probably a lot broken with these.
|
|
|
|
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
|
|
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|
|
Changed the real time console update loop location to get rid of the
remaining writelines and work better with Empire. Removed Hide-Inveigh
since it was no longer needed. Added the 'Tool' parameter to easily set
the proper options when running through other tools. Right now,
Metasploit Interactive PowerShell sessions and PowerShell Empire are
selectable. Also, added additional parameters and code so that Inveigh
runs better with those tools.
|
|
Inveigh should now be executed as a module rather than a standalone
script. There are multiple cmdlets for interacting with Inveigh. Also
fixed a file encoding issue that was causing problems with IEX.
|
|
|
|
Added a sleep to the main console loop to keep CPU from spiking.
|
|
Modified the SMB capture functions to remove the need to handle SMB
versions differently. To help avoid IDS/IPS, I also added a -challenge
parameter for setting a custom HTTP/HTTPS NTLM challenge. If this
parameter is left blank, a random challenge will be generated for each
HTTP/HTTPS request. To use the traditional 1122334455667788 challenge,
simply use -challenge 1122334455667788. Finally, the console prompt can
be enabled/disabled with the -consoleprompt parameter.
|
|
Added validation to ensure that a relay target and command are specified
if SMB relay is enabled.
|
|
|
|
The old generic add user example would not work on a system with complex
password requirements. Added an actual username and password to avoid
confusion.
|
|
Added some additional SMB relay limiters to lessen the amount to
unnecessary relay attempts. Inveigh will not attempt to relay from the
relay target back to itself. Inveigh will also not attempt to relay with
a username that has already failed against a target due to either not
authenticating or not being a local admin. There is also now a parameter
for specifying usernames to relay. If this parameter is used, usernames
not on the list will not be relayed.
|
|
Added some additional SMB relay limiters to lessen the amount to
unnecessary relay attempts. Inveigh will not attempt to relay from the
relay target back to itself. Inveigh will also not attempt to relay with
a username that has already failed against a target due to either not
authenticating or not being a local admin. There is also now a parameter
for specifying usernames to relay. If this parameter is used, usernames
not on the list will not be relayed.
|
|
This version contains the first pass at SMB relay. It will currently
relay HTTP/HTTPS NTLMv2 to SMB. It will perform a psexec style, command
only (no file upload) execution. It will attempt to delete the temp
service after the service is started. Launching shells directly through
the command may delay or prevent the service deletion. In the event that
manual deletion is needed, the display name of the added service is
IVSRV plus some random characters. The error/status checking needs a lot
of work. The current messages cannot be completely trusted.
The spoofer/sniffer loop has been placed in a runspace to permit
interaction with the console while Inveigh is running. Pressing enter
will now bring up a prompt. In addition to ctrl+c, Inveigh can be exited
using the quit command. Avoid using ctrl+c while the prompt is open
since it will bypass the shutdown function.
|
|
loader script for easier execution as a payload.
Added '-OutputDir' parameter for controlling the output directory. Added
'Inveigh-Loader.ps1' script which has additional options for running
Inveigh as an unattended payload. Performed some cleanup. Updated
screenshot in readme.
|
|
LLMNR/NBNS spoofing IPs.
Fixed a bug that prevented SMB server challenges from being captured
when NBNS spoofing was disabled. The listening IP can now be set with
the '-IP' parameter and the LLMNR/NBNS spoofing IP can be set with
'-SpooferIP'. Both parameters are optional. If not set, the listening IP
will be used for '-SpooferIP'. Replaced the one write-host with a
write-warning. Removed the '-help' parameter.
|
|
Added ability to enabled/disable spoofing specific NBNS types with the
-NBNSTypes parameter. Cleaned up parameter validation code.
|
|
Added '-Output' option to enable/disable most console output and all
file output. 0 = Console Enabled/File Enabled, 1 = Console Enabled/File
Disabled, 2 = Console Disabled/File Enabled. 0 is default.
|
|
HTTPS captures can now be enabled. The default setting is disabled. Note
that if HTTPS is enabled, the cert file needs to be in the same
directory as the script. The cert will be installed in the local machine
certificate store and bound to port 443. The script should remove the
cert from the store and delete the binding on exit. If needed, see HTTPS
parameter comments in the script or execute "Get-help .\Inveigh.ps1
-parameter https" for manual cert cleanup instructions.
|
|
ForceWPADAuth matches Responder option to enable/disable authentication
for wpad.dat GET requests. Disabling can prevent browser login prompts.
The option is currently enabled by default.
|
|
|
|
|
|
|
|
|
|
|
|
Added '-repeat y/n' option that can suppress repeat LLMNR/NBNS spoofs by
IP address. Once a user challenge/response has been captured from an IP
address, no additional LLMNR/NBNS spoofed responses will be sent to that
IP.
|
|
|
|
Script can now find a local IP to listen on. This will help when using
the script as a payload.
|
|
Disabling LLMNR/NBNS now just disables sending spoofed responses.
Requests are now displayed and logged.
|
|
Added support for attacking Windows XP clients. Fixed malformed NBNS
response packet and incorrect HTTP NTLMv2 output file.
|
|
|
|
|
|
|
|
|