Tags: d-demirci/Inveigh

Tags

2.0

Inveigh 2.0

Rebuilt
Cross-platform (Windows, Linux, macOS)
New listeners (SMB, LDAP, WebDAV, HTTPS)
Improved interactive console (tab complete, real time stats)

1,5

Inveigh 1.5

Added privileged and unprivileged DNS spoofer capable of answering incoming DNS requests.

New ADIDNS attack called NS that can add an NS record to direct DNS requests to Inveigh host. Using this with WPAD can bypass the global query block list (GQBL). https://blog.netspi.com/adidns-revisited/

Pcap TCP and UDP output.

New packet sniffing output including incoming SYN packets, Kerberos auth negotiation, null responses, local DNS requests.

Kerberos kirbi output for unconstrained delegation attacks. https://blog.netspi.com/machineaccountquota-is-useful-sometimes/

1.4

Inveigh 1.4

Inveigh
Added ADIDNS attacks
New detection evasions

Inveigh Relay
Added session and enumerate attacks
Added ability to handle multiple targets with target selection based on the enumerate attack and/or BloodHound imports

1.3.1

Inveigh 1.3.1

Added try/finally block to shutdown runspaces when using Empire 2.0's
"jobs kill" command.
Added handling for Firefox popup boxes.
Fixed Empire console output.
Various other small bug fixes and comment corrections.

1.3

Inveigh 1.3

Inveigh.ps1
Merged Inveigh and Inveigh-Unprivileged. The new module will run the
correct functions based on the detected privilege level or
ElevatedPrivilege parameter setting.
Added proxy auth capture. (thanks to @lgandx and @mubix for the idea
from https://github.com/lgandx/Responder)
Added mDNS spoofer.
Added limited ability to attack browsers of proxy auth targets.
Added the ability to set the content type header for HTTPResponse, or
files from disk through HTTPDir, for better support for HTA, etc.
Added the ability to capture POST requests.

Inveigh-Relay.ps1
Refactored the module.
Switched to a TCPListener based HTTP listener so that the module can be
run with an unprivileged user. If running unprivileged, the Inveigh host
can be targeted with relay for privesc.
Added support for longer commands to execute on the target. The module
is now Empire 2.0 launcher friendly.
Added SMB2 support. The module will negotiate by default and can be
forced into SMB1 with the SMB1 switch.
Added proxy auth capture and relay.
Added NTLMv1 relay support.
Added RelayAutoExit parameter to stop any running Inveigh modules after
a successful relay.

Inveigh.ps1 and Inveigh-Relay.ps1
Added a new HTTPS certificate install method that does not require a
certificate file. (thanks to @subTee for code example from
https://github.com/subTee/Interceptor)
Added user agent and host header details to console/file output.
Added ability to filter out specific browsers by user agent for wpad and
proxy auth.
Added console output levels.
Added control over in memory log file and console queue.

Inveigh-Unprivileged.ps1
This module has been removed.

1.2

Inveigh 1.2

1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) –
This script contains only LLMNR/NBNS spoofing and hash capture methods
that do not require local admin access. The NBNS spoofer can be used
without disabling the local NBNS service. The LLMNR spoofer does require
stopping (needs admin) the local service and freeing up port 5355. It
will work without admin on a system with LLMNR disabled. Note that there
can still be system configurations that will prevent
Inveigh-Unprivileged from working, and require admin access to change
(e.g. local firewall blocking traffic, LLMNR enabled). This script
replaces Inveigh-BruteForce and contains the same functionality.

2. Inveigh.ps1 Updates - Added a learning mode (SpooferLearning
parameter) to Invoke-Inveigh that will attempt to avoid spoofing
requests for valid hostnames. If enabled, Inveigh will send out
LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS
requests. If Inveigh receives a response for a sent request, it will
add the hostname to a blacklist. Added some code to help keep track
of the SMB capture sequence. Removed the ability to launch
Invoke-InveighRelay directly from an Invoke-Inveigh command line.

3. Inveigh-Relay.ps1 Status - This one is due for an overhaul. I'm also
considering trying to convert it to not require admin access. No real
changes on this pass though. It will work with either Invoke-Inveigh
(-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as
long as the target system supports SMB1.

4. Support Functions - Merged all of the small Get functions into
Get-Inveigh.

5. Extras – Added an extras directory for functions that don’t fit the
main scripts.
a. Send-NBNSResponse – This function sends a crafted NBNS response
packet to a specific target. For name resolution to be successful, the
specified TargetIP, Hostname, and TransactionID must match a very (very
very) recent NBNS request. You must have an external method
(Wireshark, etc.) of viewing the required NBNS request fields for traffic
on the target subnet. The odds of pulling this attack off manually are
slim due to the narrow response window. I've only been able to get it to
work manually by watching tshark with the transaction ID being
listed in the output. Ideally, this function would be fed by another
script.
b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to
use manually.
c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and
execute set commands if requests for specific hostnames are received.
The function must be supplied with an even number of Hostnames and
Commands. NBNS requests can be sent from an NBNS enabled system on the
same subnet using ping, etc.

1.1.1

Readme fix

Removed Get-InveighStat reference

1.1

New Script - Inveigh-BruteForce

New Script - Inveigh-BruteForce - Remote (Hot Potato
method)/unprivileged NBNS brute force spoofer.

Inveigh-BruteForce
Features:
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Granular control of console and file output
Run time control

Inveigh
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
certificate.
LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response
packet.
NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet.
WPADDirectHosts - Comma separated list of hosts to list as direct in the
wpad.dat file. Listed hosts will not be routed through the defined
proxy.

Inveigh-Relay
New Parameters:
HTTPSCertAppID - Specify a valid application GUID for use with the
certificate.
RunTime - Set the run time duration in minutes.
Bug Fix:
Fixed an SMB relay issue that was causing a hang before sending the
NTLMv2 response. Thanks to @mubix for reporting the bug and providing a
packet capture.

1.0.0

Spoofer, HTTP/HTTPS, and WPAD additions/changes

LLMNR/NBNS spoofer:
SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular
control over what systems to respond to when spoofing.
SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular
control over what requested hostnames to respond to when spoofing. Note
that SpooferHostsAccept replaces SpoofList.
SpooferRepeat - This parameter replaces Repeat in order to sync the
parameter name with the prefix used for other spoofer parameters.

HTTP/HTTPS Listener:
HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS
non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be
used to capture cleartext credentials (thanks @xorrior!).
HTTPBasicRealm - Set a realm name if Basic auth is enabled.
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters
provide control over the content served by the listener.
HTTPSCertThumbprint - This parameter provides the ability to more easily
set the thumbprint for custom certs.
HTTP/HTTPS requests are now reported and/or logged.

WPAD:
WPADIP/WPADPort - These parameters provide the ability to configure a
proxy server on victim systems through WPAD.
WPADResponse - These parameters provide the ability to configure a
custom wpad.dat response rather than the basic one used by WPADIP and
WPADPort.
WPADAuth - This parameter provides the ability to set the HTTP/HTTPS
WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used
to capture cleartext credentials (thanks @xorrior!). Note that this
parameter replaces ForceWPADAuth.

Miscellaneous:
Get-InveighCleartext - Gets all captured cleartext credentials.
Inspect - This switch parameter serves as an easier way to inspect
LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR,
NBNS, HTTP, HTTPS, and SMB are disabled.