| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
This is an early version of Inveigh 1.4. There is probably alot that is
broken.
Inveigh:
1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS
records if the same LLMNR/NBNS request is observed from multiple
systems. The goal is to find requests that could be valid in other
subnets and leverage them through DNS. This version requires that
Inveigh is running with a domain auth user context.
2. Reworked output system and formating.
3. hmm...I forget.
Inveigh Relay:
1. New attack with Invoke-TheHash integration - In addition to that
standard psexec style attack, Inveigh Relay now has the ability to
create and maintain authenticated priv and unpriv SMB2 sessions. These
sessions can be used by Invoke-SMBClient (attack file shares) and
Invoke-SMBExec.
Invoke-InveighRelay -Attack session -Target 10.10.10.10
wait for relay
Get-Inveigh -session
Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share
2. Multitarget - Inveigh Relay will now accept an array of targets. As
relay attempts come in, Inveigh Relay will attempt to select the best
target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formating.
I'm temporarily housing newer versions of Invoke-DNSUpdate,
Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into
the same powershell session for integration to work. There is also
probably a lot broken with these.
|
|
|
|
I decided to do more for 1.3. I still need to do a lot of testing for
these versions and make a few tweaks.
Inveigh.ps1 - I merged Inveigh and Inveigh-Unprivileged together without
losing any funtionality. By default, Inveigh will detect privilege and
the run what's appropriate. Basically, an elevated privileged shell =
old Inveigh, non-elevated = old Inveigh-Unprivileged. You can also set
the mode manually through ElevatedPrivilege. I also added proxy
authentication (thanks to Laurent Gaffie and Mubix for the idea from
Responder) to grab challenge/response hashes or basic cleartext. Added
support for serving HTA code through HTTPResponse or stored files.
Inveigh-Relay.ps1 - Added proxy authentication relay. Enabled NTLMv1
relay. Added auto-exit (RelayAutoExit) after success.
Inveigh-Unprivileged.ps1 - gone
|
|
is still a work in progress and has not been fully tested.
1. Inveigh-Unprivileged – This script contains only LLMNR/NBNS spoofing
and hash capture methods that do not require local admin access. The
NBNS spoofer can be used without disabling the local NBNS service. The
LLMNR spoofer does require stopping (needs admin) the local service and
freeing up port 5355. It will work without admin on a system with LLMNR
disabled. This script replaces Inveigh-BruteForce since it contains the
same functionality. Note that there can still be systems configurations
that will prevent Inveigh-Unprivileged from working, and require admin
access to change (e.g. local firewall blocking traffic, LLMNR enabled).
2. Extras – Added an extras directory for functions that don’t fit the
main scripts.
a. Send-NBNSResponse – This function sends a crafted NBNS response
packet to a specific target. For name resolution to be successful, the
specified TargetIP, Hostname, and TransactionID must match a very (very
very) recent NBNS request. You must have an external method
(wireshark,etc) of viewing the required NBNS request fields for traffic
on the target subnet. The odds of pulling this attack off manually are
slim due to the narrow response window. I've only been able to get it to
work manually by watching tshark with the the transaction ID being
listed in the output. Ideally, this function would be fed by another
script.
b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to
use manually.
c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and
execute set commands if requests for specific hostnames are received.
The function must be supplied with an even number of Hostnames and
Commands. NBNS requests can be sent from a NBNS enabled system on the
same subnet using ping, etc.
|
|
New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.
Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control
Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.
Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.
|
|
and psm1 and psd1 files
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|
|
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
|
|
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|