Tags: r13mann/Inveigh
Tags
New Script - Inveigh-BruteForce New Script - Inveigh-BruteForce - Remote (Hot Potato method)/unprivileged NBNS brute force spoofer. Inveigh-BruteForce Features: Targeted IPv4 NBNS brute force spoofer with granular control NTLMv1/NTLMv2 challenge/response capture over HTTP Granular control of console and file output Run time control Inveigh New Parameters: HTTPSCertAppID - Specify a valid application GUID for use with the ceriticate. LLMNRTTL - Specify a custom LLMNR TTL in seconds for the response packet. NBNSTTL - Specify a custom NBNS TTL in seconds for the response packet. WPADDirectHosts - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Inveigh-Relay New Parameters: HTTPSCertAppID - Specify a valid application GUID for use with the ceriticate. RunTime - Set the run time duration in minutes. Bug Fix: Fixed an SMB relay issue that was causing a hang before sending the NTLMv2 response. Thanks to @mubix for reporting the bug and providing a packet capture.
Spoofer, HTTP/HTTPS, and WPAD additions/changes LLMNR/NBNS spoofer: SpooferIPsReply/SpooferIPsIgnore - These parameters provide granular control over what systems to respond to when spoofing. SpooferHostsReply/SpooferHostsIgnore - These parameters provide granular control over what requested hostnames to respond to when spoofing. Note that SpooferHostsAccept replaces SpoofList. SpooferRepeat - This parameter replaces Repeat in order to sync the parameter name with the prefix used for other spoofer parameters. HTTP/HTTPS Listener: HTTPAuth - This parameter provides the ability to set the HTTP/HTTPS non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). HTTPBasicRealm - Set a realm name if Basic auth is enabled. HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse - These parameters provide control over the content served by the listener. HTTPSCertThumbprint - This parameter provides the ability to more easily set the thumbprint for custom certs. HTTP/HTTPS requests are now reported and/or logged. WPAD: WPADIP/WPADPort - These parameters provide the ability to configure a proxy server on victim systems through WPAD. WPADResponse - These parameters provide the ability to configure a custom wpad.dat response rather than the basic one used by WPADIP and WPADPort. WPADAuth - This parameter provides the ability to set the HTTP/HTTPS WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). Note that this parameter replaces ForceWPADAuth. Miscellaneous: Get-InveighCleartext - Gets all captured cleartext credentials. Inspect - This switch parameter serves as an easier way to inspect LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR, NBNS, HTTP, HTTPS, and SMB are disabled.