Inveigh v1.3 is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool.

Changelog Inveigh v1.3:
Inveigh.ps1
– Merged Inveigh and Inveigh-Unprivileged. The new module will run the correct functions based on the detected privilege level or ElevatedPrivilege parameter setting.
– Added proxy auth capture. (thanks to @lgandx and @mubix for the idea from https://github.com/lgandx/Responder)
– Added mDNS spoofer.
– Added limited ability to attack browsers of proxy auth targets.
– Added the ability to set the content type header for HTTPResponse, or for files served from disk through HTTPDir, for better support of HTA payloads and similar content.
– Added the ability to capture POST requests.

Inveigh-Relay.ps1
– Refactored the module.
– Switched to a TCPListener based HTTP listener so that the module can be run by an unprivileged user. If running unprivileged, the Inveigh host can itself be targeted with relay for privesc.
– Added support for longer commands to execute on the target. The module is now Empire 2.0 launcher friendly.
– Added SMB2 support. The module will negotiate by default and can be forced into SMB1 with the SMB1 switch.
– Added proxy auth capture and relay.
– Added NTLMv1 relay support.
– Added RelayAutoExit parameter to stop any running Inveigh modules after a successful relay.

Inveigh.ps1 and Inveigh-Relay.ps1
– Added a new HTTPS certificate install method that does not require a certificate file. (thanks to @subTee for code example from https://github.com/subTee/Interceptor)
– Added user agent and host header details to console/file output.
– Added ability to filter out specific browsers by user agent for wpad and proxy auth.
– Added console output levels.
– Added control over in memory log file and console queue.

Inveigh-Unprivileged.ps1
– This module has been removed.

Inveigh v1.3

HTTP/HTTPS:
HTTPDir/HTTPDefaultFile/HTTPDefaultEXE/HTTPResponse – These parameters control the content served by the HTTP/HTTPS listener.
HTTPSCertThumbprint – This parameter makes it easier to set the thumbprint of a custom certificate.
HTTP/HTTPS requests are now reported and/or logged.

WPAD:
WPADIP/WPADPort – These parameters configure a proxy server on victim systems through WPAD.
WPADResponse – This parameter provides a custom wpad.dat response rather than the basic one built from WPADIP and WPADPort.
WPADAuth – This parameter sets the HTTP/HTTPS WPAD auth to NTLM, Basic, or Anonymous. Basic authentication can be used to capture cleartext credentials (thanks @xorrior!). Note that this parameter replaces ForceWPADAuth.

Miscellaneous:
Get-InveighCleartext – Gets all captured cleartext credentials.
Inspect – This switch parameter serves as an easier way to inspect LLMNR/NBNS traffic. If -Inspect is added to the command line, LLMNR and NBNS spoofing and HTTP, HTTPS, and SMB capture are disabled, so requests are only observed and logged.

Invoke-InveighRelay is the main Inveigh SMB relay function.

Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
DESCRIPTION:
Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers who find themselves limited to a Windows system. This commonly occurs during phishing attacks, USB drive attacks, and VLAN pivoting, or when client-imposed restrictions confine testing to a Windows host.

Module version of Inveigh

~ Parameters ~
.PARAMETER IP
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the ‘SpooferIP’ parameter is not set.
.PARAMETER SpooferIP
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to another system.
.PARAMETER HTTP
Default = Enabled: Enable/Disable HTTP challenge/response capture.
.PARAMETER HTTPS
Default = Disabled: Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443.
If the script does not exit gracefully, execute “netsh http delete sslcert ipport=0.0.0.0:443” and manually remove the certificate from “Local Computer\Personal” in the cert store.
.PARAMETER SMB
Default = Enabled: Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system’s SMB server.
.PARAMETER LLMNR
Default = Enabled: Enable/Disable LLMNR spoofing.
.PARAMETER NBNS
Default = Disabled: Enable/Disable NBNS spoofing.
.PARAMETER NBNSTypes
Default = 20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name
.PARAMETER Challenge
Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.
.PARAMETER SMBRelay
Default = Disabled: Enable/Disable SMB relay.
.PARAMETER SMBRelayTarget
IP address of system to target for SMB relay.
.PARAMETER SMBRelayCommand
Command to execute on SMB relay target.
.PARAMETER SMBRelayUsernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts either just the username or the domain\username format.
.PARAMETER SMBRelayAutoDisable
Default = Enable: Automatically disable SMB relay after a successful command execution on the target.
.PARAMETER SMBRelayNetworkTimeout
Default = No Timeout: Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent.
.PARAMETER Repeat
Default = Enabled: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.
.PARAMETER ForceWPADAuth
Default = Enabled: Matches the Responder option to Enable/Disable authentication for wpad.dat GET requests. Disabling can prevent browser login prompts. (Replaced by WPADAuth in later versions; see the WPAD section above.)
.PARAMETER ConsolePrompt
Default = Enabled: Enable/Disable the console prompt.
.PARAMETER RunTime
Set the run time duration in minutes. Note that leaving the Inveigh console open will prevent Inveigh from exiting once the set run time is reached.
.PARAMETER ConsoleOutput
Default = Console Output Disabled: Enable/Disable realtime console output.
.PARAMETER FileOutput
Default = File Output Disabled: Enable/Disable realtime file output.
.PARAMETER OutputDir
Default = Working Directory: Set an output directory for log and capture files.
.PARAMETER ShowHelp
Default = Enabled: Enable/Disable the help messages at startup.
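The NBNSTypes parameter above selects which NetBIOS suffix bytes Inveigh answers. The following is an added example, not code from Inveigh or its author: it encodes and decodes NetBIOS names the way they appear on the wire in an NBNS query (RFC 1001 first-level encoding), so you can see where the 00/03/20/1B byte sits in a captured request and what Inveigh matches against. The hostnames and suffixes used are constructed for the example.

```powershell
# Added example, not part of Inveigh: NetBIOS name encoding as used in NBNS queries.
# The 16-byte name is 15 space-padded characters plus one suffix byte; that suffix
# is what the -NBNSTypes values (00, 03, 20, 1B) refer to.

function ConvertTo-NetBIOSName {
    param(
        [Parameter(Mandatory)][string]$Name,  # up to 15 characters
        [byte]$Suffix = 0x20                  # 20 = Server Service, the NBNSTypes default
    )
    if ($Name.Length -gt 15) { throw "NetBIOS names are at most 15 characters" }
    [byte[]]$bytes = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpper().PadRight(15)) + $Suffix
    # First-level encoding (RFC 1001 section 14.1): every nibble becomes 'A' + nibble,
    # so 16 bytes turn into the 32-character A..P string seen in the query.
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $bytes) {
        [void]$sb.Append([char](0x41 + ($b -shr 4)))
        [void]$sb.Append([char](0x41 + ($b -band 0x0F)))
    }
    $sb.ToString()
}

function ConvertFrom-NetBIOSName {
    param([Parameter(Mandatory)][string]$Encoded)  # 32 characters, A..P only
    if ($Encoded -notmatch '^[A-P]{32}$') { throw "Not a first-level encoded NetBIOS name" }
    [byte[]]$bytes = for ($i = 0; $i -lt 32; $i += 2) {
        [byte]((([int][char]$Encoded[$i] - 0x41) -shl 4) -bor ([int][char]$Encoded[$i + 1] - 0x41))
    }
    # Suffix meanings as listed for -NBNSTypes on this page
    $types = @{ 0x00 = 'Workstation Service'; 0x03 = 'Messenger Service'
                0x20 = 'Server Service';      0x1B = 'Domain Name' }
    [pscustomobject]@{
        Name    = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 15).TrimEnd()
        Suffix  = '{0:X2}' -f $bytes[15]      # compare this value against -NBNSTypes
        Service = $types[[int]$bytes[15]]
    }
}

# A query for \\FILESRV01 (Server Service) as a victim would send it
$encoded = ConvertTo-NetBIOSName -Name 'FILESRV01' -Suffix 0x20
$encoded                           # EGEJEMEFFDFCFGDADBCACACACACACACA
ConvertFrom-NetBIOSName $encoded   # Name FILESRV01, Suffix 20, Service Server Service

# A domain-name (1B) lookup: Inveigh ignores it unless 1B is added to -NBNSTypes
ConvertFrom-NetBIOSName (ConvertTo-NetBIOSName -Name 'CORP' -Suffix 0x1B)
```

The decoded Suffix field is the value to compare with the NBNSTypes list when deciding which requests Inveigh should answer; spoofing only 20 (the default) avoids responding to workstation and messenger queries that rarely lead to an authentication attempt.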

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Notes:
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Authentication should fall back from Kerberos to NTLM for SMB, because the spoofed hostnames are not valid in DNS and no service ticket can be obtained for them.
– Ensure that the LLMNR (UDP 5355), NBNS (UDP 137), SMB (TCP 445) and HTTP (TCP 80) ports are open in any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.

Usage:
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell (or relax the policy for the current process only).
To execute with default settings:

To execute with features enabled/disabled:

Download: 1.3.zip  | 1.3.tar.gz | Our Post Before
Source : https://github.com/Kevin-Robertson