Avoiding Detection

Kevin Robertson edited this page Apr 3, 2017 · 3 revisions

Inspection

Before performing LLMNR/mDNS/NBNS spoofing, start Inveigh in inspection-only mode to gather information about the relevant systems and traffic on the subnet. This information can later be used to target specific systems or spoof specific hostnames, so that systems that don't need to be touched are not impacted. Conversely, it can be used to filter out hostnames that would be dangerous to spoof and systems that may be running spoofer detection services.

  • Relevant Parameter
    Inspect

  • Example
    Invoke-Inveigh -ConsoleOutput Y -Inspect

Inveigh running in inspection mode
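
The paragraph above mentions spoofer detection services. As an added example (not part of Inveigh or the original page), this PowerShell function shows the logic such a service can apply to LLMNR/NBNS answers it has recorded: flag any responder that answers a canary name no real host owns, or that answers for several different names. The function name `Find-NameSpoofer`, the record fields, the threshold and all sample values are assumptions constructed for illustration.

```powershell
# Constructed sample data: LLMNR/NBNS answers recorded by a sensor on one subnet.
# Canary names are random names the sensor queried itself; no real host owns them.
$canaryNames = @('kq7zt2fwx1', 'p0dmn4rhv8')
$observedAnswers = @(
    [pscustomobject]@{ Protocol = 'LLMNR'; QueryName = 'fileserver1'; ResponderIP = '192.0.2.20' }
    [pscustomobject]@{ Protocol = 'LLMNR'; QueryName = 'kq7zt2fwx1';  ResponderIP = '192.0.2.66' }
    [pscustomobject]@{ Protocol = 'NBNS';  QueryName = 'WPAD';        ResponderIP = '192.0.2.66' }
    [pscustomobject]@{ Protocol = 'LLMNR'; QueryName = 'intranet';    ResponderIP = '192.0.2.66' }
    [pscustomobject]@{ Protocol = 'LLMNR'; QueryName = 'printsrv';    ResponderIP = '192.0.2.66' }
    [pscustomobject]@{ Protocol = 'LLMNR'; QueryName = 'wpad';        ResponderIP = '192.0.2.31' }
)

function Find-NameSpoofer {
    param(
        [Parameter(Mandatory)][object[]]$Answer,   # recorded answers (hypothetical schema)
        [string[]]$CanaryName = @(),               # names that must never be answered
        [int]$DistinctNameThreshold = 3            # assumed cut-off for "too many names"
    )
    foreach ($group in ($Answer | Group-Object -Property ResponderIP)) {
        # Normalise case so 'WPAD' and 'wpad' count as one name.
        $names = @($group.Group.QueryName |
            ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
        $canaryHits = @($names | Where-Object { $CanaryName -contains $_ })

        $reasons = @()
        if ($canaryHits.Count -gt 0) {
            $reasons += "answered canary name(s): $($canaryHits -join ', ')"
        }
        if ($names.Count -ge $DistinctNameThreshold) {
            $reasons += "answered $($names.Count) distinct names"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ResponderIP = $group.Name
                Names       = $names -join ', '
                Reasons     = $reasons -join '; '
            }
        }
    }
}

Find-NameSpoofer -Answer $observedAnswers -CanaryName $canaryNames |
    Format-List
```

With the sample data only 192.0.2.66 is reported. A responder that answers a single selected name, as in the targeted spoofing described below, trips neither rule, which is why disabling LLMNR and NBNS where they are not needed is the more reliable control.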

Targeted Spoofing

Using either previous knowledge or data gathered from inspection mode, start Inveigh and include/exclude specific hostnames to spoof, or include/exclude specific systems to send spoofed responses to.

  • Relevant Parameters
    SpooferHostsIgnore
    SpooferHostsReply
    SpooferIPsIgnore
    SpooferIPsReply

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferHostsReply wpad -SpooferIPsReply 192.168.1.100

Inveigh running with SpooferHostsReply and SpooferIPsReply parameters set

Limit Repeat Spoofing

Inveigh can be set to no longer respond to a system after an NTLMv1/NTLMv2 challenge/response hash has been captured.

  • Relevant Parameter
    SpooferRepeat

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferRepeat N

Inveigh running with repeat spoofing disabled

Learning Mode

Inveigh has a learning mode for LLMNR/NBNS spoofing. With learning mode enabled, Inveigh will send out its own LLMNR/NBNS requests after receiving a request from another host. If Inveigh receives a response, the hostname will be blacklisted from further LLMNR/NBNS spoofing. This can limit the potential to spoof valid hostnames and cause interruptions. Note that spoofer learning requires elevated privilege since it’s only available through the packet sniffer.

  • Relevant Parameters
    SpooferLearning
    SpooferLearningDelay
    SpooferLearningInterval

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferLearning Y -SpooferLearningDelay 10

Inveigh running in LLMNR/NBNS learning mode

Avoid Triggering Visible Indicators in Web Browsers

Some features and combinations can trigger visible indicators like popup login boxes or connectivity problems in either specific (usually Firefox) or all web browsers. Inveigh has the ability to set authentication methods for standard HTTP/HTTPS requests, wpad.dat requests, and proxy authentication. Inveigh also has the ability to filter out browsers by user agent for wpad.dat requests and proxy authentication.

  • Example
    Invoke-Inveigh -ConsoleOutput Y -WPADAuth anonymous

  • Relevant Parameters
    HTTPAuth
    ProxyAuth
    ProxyIgnore
    WPADAuth
    WPADAuthIgnore