| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
I decided to do more for 1.3. I still need to do a lot of testing for
these versions and make a few tweaks.
Inveigh.ps1 - I merged Inveigh and Inveigh-Unprivileged together without
losing any funtionality. By default, Inveigh will detect privilege and
the run what's appropriate. Basically, an elevated privileged shell =
old Inveigh, non-elevated = old Inveigh-Unprivileged. You can also set
the mode manually through ElevatedPrivilege. I also added proxy
authentication (thanks to Laurent Gaffie and Mubix for the idea from
Responder) to grab challenge/response hashes or basic cleartext. Added
support for serving HTA code through HTTPResponse or stored files.
Inveigh-Relay.ps1 - Added proxy authentication relay. Enabled NTLMv1
relay. Added auto-exit (RelayAutoExit) after success.
Inveigh-Unprivileged.ps1 - gone
|
|
Inveigh-Relay now support longer commands such as the Empire 2.0
launchers.
The current features in dev will likely be tested and released as
Inveigh 1.3.
|
|
|
|
|
|
Invoke-InveighRelay refactor - added SMB2 support and switched to an
HTTP listener that does not require admin access. Admin access is still
required if installing a cert for HTTPS. Note that the system running
Invoke-InveighRelay can be targeted for privesc.
|
|
|
|
|
|
|
|
|
|
Fixed some issues with the Inveigh-Unprivileged web server. Modified the
Inveigh learning code so that it can handle multiple requests received
in quick succession.
|
|
Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that
will attempt to avoid spoofing requests for valid hostnames. If enabled,
Inveigh will send out LLMNR/NBNS requests for hostnames received through
incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent
requests, it will add the hostname to a blacklist.
Refined the Invoke-InveighPrivileged web server.
Performed some general cleanup on all functions.
|
|
Removed the ability to launch Inveigh-Relay directly from Inveigh. Added
@joncave's parsing functions to Inveigh-Relay and Inveigh-Unprivileged.
Added some some code to help keep track or the SMB capture sequence.
This will hopefully prevent SMB challenge/response mismatches due to the
firewall interference issue reported by @Meatballs1.
http://stackoverflow.com/questions/4840902/unable-to-read-incoming-responses-using-raw-sockets/5127784#5127784
|
|
Hostname parsing and UDP client fixes.
|
|
is still a work in progress and has not been fully tested.
1. Inveigh-Unprivileged – This script contains only LLMNR/NBNS spoofing
and hash capture methods that do not require local admin access. The
NBNS spoofer can be used without disabling the local NBNS service. The
LLMNR spoofer does require stopping (needs admin) the local service and
freeing up port 5355. It will work without admin on a system with LLMNR
disabled. This script replaces Inveigh-BruteForce since it contains the
same functionality. Note that there can still be systems configurations
that will prevent Inveigh-Unprivileged from working, and require admin
access to change (e.g. local firewall blocking traffic, LLMNR enabled).
2. Extras – Added an extras directory for functions that don’t fit the
main scripts.
a. Send-NBNSResponse – This function sends a crafted NBNS response
packet to a specific target. For name resolution to be successful, the
specified TargetIP, Hostname, and TransactionID must match a very (very
very) recent NBNS request. You must have an external method
(wireshark,etc) of viewing the required NBNS request fields for traffic
on the target subnet. The odds of pulling this attack off manually are
slim due to the narrow response window. I've only been able to get it to
work manually by watching tshark with the the transaction ID being
listed in the output. Ideally, this function would be fed by another
script.
b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to
use manually.
c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and
execute set commands if requests for specific hostnames are received.
The function must be supplied with an even number of Hostnames and
Commands. NBNS requests can be sent from a NBNS enabled system on the
same subnet using ping, etc.
|
|
Added a warning for when the Windows Firewall is enabled. Added a note
about the June patches likely breaking features of
Invoke-InveighBruteForce.
|
|
|
|
Decide on NTLMv1 vs. NTLMv2 by inspecting the length of the NTLM
response data, not by the presence of LM data. Prior to the patch, if
an LMv2 response was included, Inveigh would output a badly formatted
hash calling it 'NTLMv1'.
Use all four bytes for offset data (just in case).
Simplify string extraction by requiring the use of an offset. Always
used the offsets from the message header instead of assuming a certain
content ordering.
|
|
Contains a few rounds of code cleanup and the following changes:
Parameters Added to Invoke-Inveigh:
ConsoleUnique - Enable/Disable displaying challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time console output is enabled.
FileUnique - Enable/Disable outputting challenge/response hashes for
only unique IP, domain/hostname, and username combinations when real
time file output is enabled.
ConsoleStatus - Set interval in minutes for displaying all unique
captured hashes and credentials. This is useful for displaying full
capture lists when running through a shell that does not have access to
the support functions.
WPADEmptyFile - Enable/Disable serving a proxyless, all direct, wpad.dat
file for wpad.dat requests. Enabling this setting can reduce the amount
of redundant wpad.dat requests. This parameter is ignored when using
WPADIP, WPADPort, or WPADResponse.
Fixed:
Corrected an issue that was preventing the MachineAccounts parameter
from being fully enabled in all three scripts.
Removed Support Functions:
Get-InveighStat
Get-InveighNTLM
|
|
Updated some comments and notes. Replaced ForEach alias with
ForEach-Object.
|
|
New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.
Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control
Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.
Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
ceriticate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.
|
|
LLMNR/NBNS spoofer:
SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular
control over what systems to respond to when spoofing.
SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular
control over what requested hostnames to respond to when spoofing. Note
that SpooferHostsAccept replaces SpoofList.
SpooferRepeat - This parameter replaces Repeat in order to sync the
parameter name with the prefix used for other spoofer parameters.
HTTP/HTTPS Listener:
HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS
non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be
used to capture cleartext credentials (thanks @xorrior!).
HTTPBasicRealm - Set a realm name if Basic auth is enabled.
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters
provide control over the content served by the listener.
HTTPSCertThumbprint - This parameter provides the ability to more easily
set the thumbprint for custom certs.
HTTP/HTTPS requests are now reported and/or logged.
WPAD:
WPADIP/WPADPort - These parameters provide the ability to configure a
proxy server on victim systems through WPAD.
WPADResponse - These parameters provide the ability to configure a
custom wpad.dat response rather than the basic one used by WPADIP and
WPADPort.
WPADAuth - This parameter provides the ability to set the HTTP/HTTPS
WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used
to capture cleartext credentials (thanks @xorrior!). Note that this
parameter replaces ForceWPADAuth.
Miscellaneous:
Get-InveighCleartext - Gets all captured cleartext credentials.
Inspect - This switch parameter serves as an easier way to inspect
LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR,
NBNS, HTTP, HTTPS, and SMB are disabled.
|
|
unique account
Added the 'unique' parameter to Get-InveighNTLMv1 and Get-InveighNTLMv2.
If 'unique' is enabled, only the first captured challenge/response for
each unique account will be displayed.
|
|
I found that I had some hard coded packet data that needed to be
dynamic. This was causing authentication failures on domain systems that
didn't match the specs (domain name length, etc) of my test domain.
Sorry!
|
|
Added the SpoofList parameter for listing specific hostnames to spoof
with LLMNR/NBNS. Stopped Inveigh from responding to AAAA LLMNR packets
received over IPv4. Fixed a NBNS display bug with 15 characters
requests.
|
|
Added additional error handling for the command execution process. The
console and file output will now report the name of the temp service
created on the relay target. Removed an unnecessary packet and modified
some of the bytes within the remaining packets.
|
|
and psm1 and psd1 files
The SMB relay code is now in Inveigh-Relay.ps1. The script can be used
either through Invoke-Inveigh or as a standalone function.
|