Changelog inveigh v1.2:
1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) – This script contains only LLMNR/NBNS spoofing and hash capture methods that do not require local admin access. The NBNS spoofer can be used without disabling the local NBNS service. The LLMNR spoofer does require stopping (needs admin) the local service and freeing up port 5355. It will work without admin on a system with LLMNR disabled. Note that there can still be systems configurations that will prevent Inveigh-Unprivileged from working, and require admin access to change (e.g. local firewall blocking traffic, LLMNR enabled). This script replaces Inveigh-BruteForce and contains the same functionality.
2. Inveigh.ps1 Updates – Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that will attempt to avoid spoofing requests for valid hostnames. If enabled, Inveigh will send out LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent requests, it will add the hostname to a blacklist. Added some some code to help keep track or the SMB capture sequence. Removed the ability to launch Invoke-InveighRelay directly from an Invoke-Inveigh command line.
3. Inveigh-Relay.ps1 Status – This one is due for an overhhaul. I’m also considering trying to convert it to not require admin access. No real changes on this pass though. It will work with either Invoke-Inveigh (-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as long as the target system supports SMB1.
4. Support Functions – Merged all of the small Get functions into Get-Inveigh.
++ Extras – Added an extras directory for functions that don’t fit the main scripts.
a. Send-NBNSResponse – This function sends a crafted NBNS response packet to a specific target. For name resolution to be successful, the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I’ve only been able to get it to work manually by watching tshark with the the transaction ID being listed in the output. Ideally, this function would be fed by another script.
b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to use manually.
c. Invoke-NBNSC2 – Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be sent from a NBNS enabled system on the same subnet using ping, etc.
HTTP/HTTPS Listener:HTTPAuth – This parameter provides the ability to set the HTTP/HTTPS non-WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). HTTPBasicRealm – Set a realm name if Basic auth is enabled.
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse – These parameters provide control over the content served by the listener. HTTPSCertThumbprint – This parameter provides the ability to more easily set the thumbprint for custom certs. HTTP/HTTPS requests are now reported and/or logged.
WPADIP/WPADPort – These parameters provide the ability to configure a proxy server on victim systems through WPAD. WPADResponse – These parameters provide the ability to configure a custom wpad.dat response rather than the basic one used by WPADIP and WPADPort. WPADAuth – This parameter provides the ability to set the HTTP/HTTPS WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). Note that this parameter replaces ForceWPADAuth.
Get-InveighCleartext – Gets all captured cleartext credentials. Inspect – This switch parameter serves as an easier way to inspect LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR, NBNS, HTTP, HTTPS, and SMB are disabled.
Invoke is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
Invoke is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.
~ Parameter ~
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the ‘SpoofIP’ parameter is not set.
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to another system.
Default = Enabled: Enable/Disable HTTP challenge/response capture.
Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute “netsh http delete sslcert ipport=0.0.0.0:443” and manually remove the certificate from “Local Computer\Personal” in the cert store.
Default = Enabled: Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system’s SMB server.
Default = Enabled: Enable/Disable LLMNR spoofing.
Default = Disabled: Enable/Disable NBNS spoofing.
Default = 20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
Default = Disabled: Enable/Disable SMB relay.
IP address of system to target for SMB relay.
Command to execute on SMB relay target.
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts either just the username of domain\username format.
Default = Enable: Automaticaly disable SMB relay after a successful command execution on target.
Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
Default = Enabled: Matches Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts.
Default = Enabled: Enable/Disable the console prompt.
Set the run time duration in minutes. Note that leaving the Inveigh console open will prevent Inveigh from exiting once the set run time is reached.
Default = Console Output Disabled: Enable/Disable realtime console output.
Default = File Output Disabled: Enable/Disable realtime file output.
Default = Working Directory: Set an output directory for log and capture files.
Default = Enabled: Enable/Disable the help messages at startup.
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
– Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell.
To execute with default settings:
Inveigh.ps1 -i localip
To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -SMB Y/N