Updates Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB.
Latest Change; 8/8/2015:
+ Added parameter for controlling output directory. Added first version of loader script for easier execution as a payload.
+ Added ‘-OutputDir’ parameter for controlling the output directory.
+ Added ‘Inveigh-Loader.ps1’ script which has additional options for running Inveigh as an unattended payload.
+ Performed some cleanup.
+ Added HTTPS listener.
Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB attacks, VLAN pivoting, or even restrictions from the client.
– Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
– LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
– SMB challenge/response captures are performed by sniffing over the host system’s SMB service.
– HTTP challenge/response captures are performed with a dedicated listener.
– The local LLMNR/NBNS services do not need to be disabled on the host system.
– LLMNR/NBNS spoofer will point victims to host system’s SMB service, keep account lockout scenarios in mind.
– Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
– Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
– Output files will be created in current working directory.
– If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
– Code is proof of concept level and may not work under some scenarios.
Obtain an elevated administrator or SYSTEM shell. If necessary, execute Set-ExecutionPolicy Unrestricted within PowerShell.
To execute with default settings:
Inveigh.ps1 -i localip
To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -SMB Y/N