| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Added indicator for when SMB auth negotiates to Kerberos. Bug fixes.
|
|
|
|
Added Invoke-TheHash link
|
|
|
|
Inveigh will now ignore NBNS/LLMNR requests sent directly to the host IP
address rather than the broadcast/multicast address.
|
|
|
|
|
|
Added mDNS spoofer. Simplified some HTTP listener code. Added LogOutput
and ConsoleQueueLimit parameters to control in-memory log entry storage.
Fixed some bugs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fixed some issues with the Inveigh-Unprivileged web server. Modified the
Inveigh learning code so that it can handle multiple requests received
in quick succession.
|
|
Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that
will attempt to avoid spoofing requests for valid hostnames. If enabled,
Inveigh will send out LLMNR/NBNS requests for hostnames received through
incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent
requests, it will add the hostname to a blacklist.
Refined the Invoke-InveighPrivileged web server.
Performed some general cleanup on all functions.
|
|
|
|
Added a warning for when the Windows Firewall is enabled. Added a note
about the June patches likely breaking features of
Invoke-InveighBruteForce.
|
|
Removed Get-InveighStat reference
|
|
Contains a few rounds of code cleanup and the following changes:
Parameters Added to Invoke-Inveigh:
ConsoleUnique - Enable/Disable displaying challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time console output is enabled.
FileUnique - Enable/Disable outputting challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time file output is enabled.
ConsoleStatus - Set interval in minutes for displaying all unique
captured hashes and credentials. This is useful for displaying full
capture lists when running through a shell that does not have access to
the support functions.
WPADEmptyFile - Enable/Disable serving a proxyless, all direct, wpad.dat
file for wpad.dat requests. Enabling this setting can reduce the amount
of redundant wpad.dat requests. This parameter is ignored when using
WPADIP, WPADPort, or WPADResponse.
Fixed:
Corrected an issue that was preventing the MachineAccounts parameter
from being fully enabled in all three scripts.
Removed Support Functions:
Get-InveighStat
Get-InveighNTLM
|
|
Updated some comments and notes. Replaced ForEach alias with
ForEach-Object.
|
|
Added NBNS brute force note and fixed typo
|
|
Second attempt at getting the Invoke-InveighBruteForce example right:)
|
|
The Invoke-InveighBruteForce example listed the wrong function
|
|
New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.
Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control
Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.
Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.
|
|
Added p0wnedShell link to the included in section. Removed the SMB relay
note to sync with Inveigh.ps1 notes.
|
|
LLMNR/NBNS spoofer:
SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular
control over what systems to respond to when spoofing.
SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular
control over what requested hostnames to respond to when spoofing. Note
that SpooferHostsAccept replaces SpoofList.
SpooferRepeat - This parameter replaces Repeat in order to sync the
parameter name with the prefix used for other spoofer parameters.
HTTP/HTTPS Listener:
HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS
non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be
used to capture cleartext credentials (thanks @xorrior!).
HTTPBasicRealm - Set a realm name if Basic auth is enabled.
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters
provide control over the content served by the listener.
HTTPSCertThumbprint - This parameter provides the ability to more easily
set the thumbprint for custom certs.
HTTP/HTTPS requests are now reported and/or logged.
WPAD:
WPADIP/WPADPort - These parameters provide the ability to configure a
proxy server on victim systems through WPAD.
WPADResponse - These parameters provide the ability to configure a
custom wpad.dat response rather than the basic one used by WPADIP and
WPADPort.
WPADAuth - This parameter provides the ability to set the HTTP/HTTPS
WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used
to capture cleartext credentials (thanks @xorrior!). Note that this
parameter replaces ForceWPADAuth.
Miscellaneous:
Get-InveighCleartext - Gets all captured cleartext credentials.
Inspect - This switch parameter serves as an easier way to inspect
LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR,
NBNS, HTTP, HTTPS, and SMB are disabled.
|
|
and psm1 and psd1 files
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|
|
files."
This reverts commit 8ab002602f672dddb91e27ff6bb7d5050771c688.
|
|
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
loader script for easier execution as a payload.
Added '-OutputDir' parameter for controlling the output directory. Added
'Inveigh-Loader.ps1' script which has additional options for running
Inveigh as an unattended payload. Performed some cleanup. Updated
screenshot in readme.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|