Inveigh - .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

Age	Commit message (Collapse)	Author	Files	Lines
2016-05-10	Code cleanup and new parameters	Kevin Robertson	1	-558/+965
	Contains a few rounds of code cleanup and the following changes: Parameters Added to Invoke-Inveigh: ConsoleUnique - Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. FileUnique - Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. ConsoleStatus - Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. WPADEmptyFile - Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse. Fixed: Corrected an issue that was preventing the MachineAccounts parameter from being fully enabled in all three scripts. Removed Support Functions: Get-InveighStat Get-InveighNTLM
2016-03-30	Comment/notes update, minor cleanup	Kevin Robertson	1	-10/+11
	Updated some comments and notes. Replaced ForEach alias with ForEach-Object.
2016-03-15	New Script - Inveigh-BruteForce1.1	Kevin Robertson	1	-190/+225
	New Script - Inveigh-BruteForce - Remote (Hot Potato method)/unprivileged NBNS brute force spoofer. Inveigh-BruteForce Features: Targeted IPv4 NBNS brute force spoofer with granular control NTLMv1/NTLMv2 challenge/response capture over HTTP Granular control of console and file output Run time control Inveigh New Parameters: HTTPSCertAppID - Specify a valid application GUID for use with the ceriticate. LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response packet. NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet. WPADDirectHosts - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Inveigh-Relay New Parameters: HTTPSCertAppID - Specify a valid application GUID for use with the ceriticate. RunTime - Set the run time duration in minutes. Bug Fix: Fixed an SMB relay issue that was causing a hang before sending the NTLMv2 response. Thanks to @mubix for reporting the bug and providing a packet capture.
2016-01-12	Spoofer, HTTP/HTTPS, and WPAD additions/changes1.0.0	Kevin Robertson	1	-114/+423
	LLMNR/NBNS spoofer: SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular control over what systems to respond to when spoofing. SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular control over what requested hostnames to respond to when spoofing. Note that SpooferHostsAccept replaces SpoofList. SpooferRepeat - This parameter replaces Repeat in order to sync the parameter name with the prefix used for other spoofer parameters. HTTP/HTTPS Listener: HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). HTTPBasicRealm - Set a realm name if Basic auth is enabled. HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters provide control over the content served by the listener. HTTPSCertThumbprint - This parameter provides the ability to more easily set the thumbprint for custom certs. HTTP/HTTPS requests are now reported and/or logged. WPAD: WPADIP/WPADPort - These parameters provide the ability to configure a proxy server on victim systems through WPAD. WPADResponse - These parameters provide the ability to configure a custom wpad.dat response rather than the basic one used by WPADIP and WPADPort. WPADAuth - This parameter provides the ability to set the HTTP/HTTPS WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). Note that this parameter replaces ForceWPADAuth. Miscellaneous: Get-InveighCleartext - Gets all captured cleartext credentials. Inspect - This switch parameter serves as an easier way to inspect LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR, NBNS, HTTP, HTTPS, and SMB are disabled.
2015-12-09	Added ability to display only one captured challenge/response for each ↵	Kevin Robertson	1	-2/+68
	unique account Added the 'unique' parameter to Get-InveighNTLMv1 and Get-InveighNTLMv2. If 'unique' is enabled, only the first captured challenge/response for each unique account will be displayed.
2015-10-15	Added SpoofList parameter and spoofer improvements	Kevin Robertson	1	-169/+203
	Added the SpoofList parameter for listing specific hostnames to spoof with LLMNR/NBNS. Stopped Inveigh from responding to AAAA LLMNR packets received over IPv4. Fixed a NBNS display bug with 15 characters requests.
2015-10-11	Moved SMB relay code to a dedicated script, also added a Scripts directory ↵	Kevin Robertson	1	-0/+1599
	and psm1 and psd1 files The SMB relay code is now in Inveigh-Relay.ps1. The script can be used either through Invoke-Inveigh or as a standalone function.