| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Inveigh-Relay
1. Added a new attack mode 'Enumerate'. This attack mode will leverage
relayed connections to perform system enumeration. Right now I have
local users, local admins, shares, and netsessions.
2. Attacks can now be combined. Session, Enumerate, and Execute can all
be enabled at the same time. They will be chained together.
3. New multi-target system to replace the new multi-target system from
the last dev update:) Inveigh-Relay will leverage the data gathered
through enumeration to make relay target selections.
Here's a simplistic example:
a. Inveigh-Relay receives and incoming connection from 192.168.1.1 and
relays the connection to 192.168.1.2.
b. During the NTLM relay, the module records the user (test1) that is
relayed from 192.168.1.1.
c. The relayed connection is used to enumerate details on 192.168.1.2.
The local admin group is found to include the user test2.
d. test1 is found to not be privileged on 192.168.1.2.
e. Inveigh-Relay receives an incoming connection from 192.168.1.3 and
relays the connection to 192.168.1.4.
f. During the NTLM relay, the module records the user (test2) that is
relayed from 192.168.1.3.
g. The relayed connection is used to enumerate details on 192.168.1.4.
h. test2 is found to not be privileged on 192.168.1.4.
i. Inveigh-Relay receives another connection from 192.168.1.3.
j. Since test2 was previously observed on 192.168.1.3 and 192.168.1.2
has test2 in its local admin group, 192.168.1.2 is selected as a relay
target.
k. test2 is found to be privileged on 192.168.1.2.
l. Depending on the attack selection, either a privileged session is
established, a command is executed, or both.
This is still in a very early stage and not production ready. I need to
add a lot more logic to do things like prioritizing systems hosting
shares with the session attack, etc. I also need to sort out gathering
and importing the enumeration data used for targeting if you already
have domain access. This will also open up making matches based on
domain group membership. Bloodhound data should also work for targeting.
I just need to work out how to match username formats, etc.
Most of the enumeration data is stored in $inveigh.enumeration_list.
4. Target parameter will now accept CIDR and IP ranges. Invalid targets
(as long as it's not a huge amount) are filtered out as part of the
targeting process.
5. I took out SMB1 support. It only worked for command execution and
removing it greatly simplifies things. The old version will still work
if SMB1 is required.
I should be back to regular updates leading up to the release of 1.4.
The enumeration code took some time.
|
|
Dev version of Invoke-SMBEnum for performing enum tasks over SMB with
PTH and Inveigh-Relay sessions. Right now it just enumerates shares,
netsessions, and local users. Also fixed some minor Invoke-SMBClient and
Invoke-SMBExec issues.
|
|
Fixed a lot of bugs with the new Inveigh Relay session attack mode.
Tweaked the SMB2 credits in Inveigh-Relay, Invoke-SMBExec, and
Invoke-SMBClient to hopefully keep the sessions from erroring out after
lots of repeated use. Switched to an SMB2 Echo to keep the sessions
active. Fixed some output issues.
Multitarget still isn't working correctly.
|
|
This is an early version of Inveigh 1.4. There is probably alot that is
broken.
Inveigh:
1. Invoke-DNSUpdate integration - Inveigh will attempt to inject DNS
records if the same LLMNR/NBNS request is observed from multiple
systems. The goal is to find requests that could be valid in other
subnets and leverage them through DNS. This version requires that
Inveigh is running with a domain auth user context.
2. Reworked output system and formating.
3. hmm...I forget.
Inveigh Relay:
1. New attack with Invoke-TheHash integration - In addition to that
standard psexec style attack, Inveigh Relay now has the ability to
create and maintain authenticated priv and unpriv SMB2 sessions. These
sessions can be used by Invoke-SMBClient (attack file shares) and
Invoke-SMBExec.
Invoke-InveighRelay -Attack session -Target 10.10.10.10
wait for relay
Get-Inveigh -session
Invoke-SMBClient -Session 0 -Source \\10.10.10.10\share
2. Multitarget - Inveigh Relay will now accept an array of targets. As
relay attempts come in, Inveigh Relay will attempt to select the best
target (still needs work).
3. SMB signing check for targets on startup.
4. Reworked output system and formating.
I'm temporarily housing newer versions of Invoke-DNSUpdate,
Invoke-SMBClient, and Invoke-SMBExec here. They need to be imported into
the same powershell session for integration to work. There is also
probably a lot broken with these.
|