Inveigh v1.5 releases: Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
- PowerShell Empire – https://github.com/PowerShellEmpire/Empire
- PS>Attack – https://github.com/jaredhaight/psattack
- p0wnedShell – https://github.com/Cn33liz/p0wnedShell
- PowerUpSQL – https://github.com/NetSPI/PowerUpSQL
- PoshC2 – https://github.com/nettitude/PoshC2
- pupy – https://github.com/n1nj4sec/pupy
At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. It also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. It relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.
Inveigh running with elevated privilege
Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. It can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.
By default, It will attempt to detect the privilege level and load the corresponding functions.
Inveigh running without elevated privilege
Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for the relay if the goal is local privilege escalation.
Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher
- Added privileged and unprivileged DNS spoofer capable of answering incoming DNS requests.
- New ADIDNS attack called NS that can add an NS record to direct DNS requests to Inveigh host. Using this with WPAD can bypass the global query block list (GQBL). https://blog.netspi.com/adidns-revisited/
- Pcap TCP and UDP output.
- New packet sniffing output including incoming SYN packets, kerberos auth negotiation, null responses, local DNS requests.
- Kerberos kirbi output for unconstrained delegation attacks. – https://blog.netspi.com/machineaccountquota-is-useful-sometimes/
git clone https://github.com/Kevin-Robertson/Inveigh.git
Copyright (c) 2015, Kevin Robertson All rights reserved.