| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Inveigh
Added ADIDNS attacks
New detection evasions
Inveigh Relay
Added session and enumerate attacks
Added ability to handle multiple targets with target selection based on the enumerate attack and/or BloodHound imports
|
|
Inveigh.ps1
Merged Inveigh and Inveigh-Unprivileged. The new module will run the
correct functions based on the detected privilege level or
ElevatedPrivilege parameter setting.
Added proxy auth capture. (thanks to @lgandx and @mubix for the idea
from https://github.com/lgandx/Responder)
Added mDNS spoofer.
Added limited ability to attack browsers of proxy auth targets.
Added the ability to set the content type header for HTTPReponse, or
files from disk through HTTPDir, for better support for HTA, etc.
Added the ability to capture POST requests.
Inveigh-Relay.ps1
Refactored the module.
Switched to a TCPListener based HTTP listener so that the module can be
run with an unprivileged user. If running unprivileged, the Inveigh host
can be targeted with relay for privesc.
Added support for longer commands to execute on the target. The module
is now Empire 2.0 launcher friendly.
Added SMB2 support. The module will negotiate by default and can be
forced into SMB1 with the SMB1 switch.
Added proxy auth capture and relay.
Added NTLMv1 relay support.
Added RelayAutoExit parameter to stop any running Inveigh modules after
a successful relay.
Inveigh.ps1 and Inveigh-Relay.ps1
Added a new HTTPS certificate install method that does not require a
certificate file. (thanks to @subTee for code example from
https://github.com/subTee/Interceptor)
Added user agent and host header details to console/file output.
Added ability to filter out specific browsers by user agent for wpad and
proxy auth.
Added console output levels.
Added control over in memory log file and console queue.
Inveigh-Unprivileged.ps1
This module has been removed.
|
|
1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) –
This script contains only LLMNR/NBNS spoofing and hash capture methods
that do not require local admin access. The NBNS spoofer can be used
without disabling the local NBNS service. The LLMNR spoofer does require
stopping (needs admin) the local service and freeing up port 5355. It
will work without admin on a system with LLMNR disabled. Note that there
can still be systems configurations that will prevent
Inveigh-Unprivileged from working, and require admin access to change
(e.g. local firewall blocking traffic, LLMNR enabled). This script
replaces Inveigh-BruteForce and contains the same functionality.
2. Inveigh.ps1 Updates - Added a learning mode (SpooferLearning
parameter) to Invoke-Inveigh that will attempt to avoid spoofing
requests for valid hostnames. If enabled, Inveigh will send out
LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS
requests. If Inveigh receives a response for a sent requests, it will
add the hostname to a blacklist. Added some some code to help keep track
or the SMB capture sequence. Removed the ability to launch
Invoke-InveighRelay directly from an Invoke-Inveigh command line.
3. Inveigh-Relay.ps1 Status - This one is due for an overhhaul. I'm also
considering trying to convert it to not require admin access. No real
changes on this pass though. It will work with either Invoke-Inveigh
(-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as
long as the target system supports SMB1.
4. Support Functions - Merged all of the small Get functions into
Get-Inveigh.
5. Extras – Added an extras directory for functions that don’t fit the
main scripts.
a. Send-NBNSResponse – This function sends a crafted NBNS response
packet to a specific target. For name resolution to be successful, the
specified TargetIP, Hostname, and TransactionID must match a very (very
very) recent NBNS request. You must have an external method
(wireshark,etc) of viewing the required NBNS request fields for traffic
on the target subnet. The odds of pulling this attack off manually are
slim due to the narrow response window. I've only been able to get it to
work manually by watching tshark with the the transaction ID being
listed in the output. Ideally, this function would be fed by another
script.
b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to
use manually.
c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and
execute set commands if requests for specific hostnames are received.
The function must be supplied with an even number of Hostnames and
Commands. NBNS requests can be sent from a NBNS enabled system on the
same subnet using ping, etc.
|
|
New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.
Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control
Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.
Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.
|
|
and psm1 and psd1 files
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|
|
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
|
|
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|