Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Before performing LLMNR/mDNS/NBNS spoofing, start Inveigh in inspection only mode to gather information about the relevant systems and traffic on the subnet. This information can be used to later target specific systems or spoof specific hostnames in order to avoid impacting unnecessary systems. Conversely, this information can be used to filter out dangerous hostnames to spoof and systems that may be running spoofer detection services.
Invoke-Inveigh -ConsoleOutput Y -Inspect
Inveigh running in inspection mode
Using either previous knowledge or data gathered from inspection mode, start Inveigh and include/exclude specific hostnames to spoof or include/exclude specific systems to send spoofed responses.
Invoke-Inveigh -ConsoleOutput Y -SpooferHostReply wpad -SpooferIPsReply 192.168.1.100
Inveigh running with SpooferHostsReply and SpooferIPsReply parameters set
Limit Repeat Spoofing
Inveigh can be set to no longer respond to a system after an NTLMv1/NTLMv2 challenge/response hash has been captured.
Invoke-Inveigh -ConsoleOutput Y -SpooferRepeat N
Inveigh running with repeat spoofing disabled
Inveigh has a learning mode for LLMNR/NBNS spoofing. With learning mode enabled, Inveigh will send out its own LLMNR/NBNS requests after receiving a request from another host. If Inveigh receives a response, the hostname will be blacklisted from further LLMNR/NBNS spoofing. This can limit the potential to spoof valid hostsnames and cause interruptions. Note that spoofer learning requires elevated privilege since it’s only available through the packet sniffer.
Invoke-Inveigh -ConsoleOutput Y -SpooferLearning Y -SpooferLearningDelay 10
Inveigh running in LLMNR/NBNS learning mode
Avoid Triggering Visible Indicators in Web Browsers
Some features and combinations can trigger visible indicators like popup login boxes or connectivity problems in either specific (usually Firefox) or all web browsers. Inveigh has the ability to set authentication methods for standard HTTP/HTTPS requests, wpad.dat requests, and proxy authentication. Inveigh also has the ability to filter out browsers by user agent for wpad.dat requests and proxy authentication.
Invoke-Inveigh -ConsoleOutput Y -WPADAuth anonymous