Skip to content

Avoiding Detection

Kevin Robertson edited this page Apr 3, 2017 · 3 revisions


Before performing LLMNR/mDNS/NBNS spoofing, start Inveigh in inspection only mode to gather information about the relevant systems and traffic on the subnet. This information can be used to later target specific systems or spoof specific hostnames in order to avoid impacting unnecessary systems. Conversely, this information can be used to filter out dangerous hostnames to spoof and systems that may be running spoofer detection services.

  • Relevant Parameter

  • Example
    Invoke-Inveigh -ConsoleOutput Y -Inspect

Inveigh running in inspection mode

Targeted Spoofing

Using either previous knowledge or data gathered from inspection mode, start Inveigh and include/exclude specific hostnames to spoof or include/exclude specific systems to send spoofed responses.

  • Relevant Parameters

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferHostReply wpad -SpooferIPsReply

Inveigh running with SpooferHostsReply and SpooferIPsReply parameters set

Limit Repeat Spoofing

Inveigh can be set to no longer respond to a system after an NTLMv1/NTLMv2 challenge/response hash has been captured.

  • Relevant Parameter

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferRepeat N

Inveigh running with repeat spoofing disabled

Learning Mode

Inveigh has a learning mode for LLMNR/NBNS spoofing. With learning mode enabled, Inveigh will send out its own LLMNR/NBNS requests after receiving a request from another host. If Inveigh receives a response, the hostname will be blacklisted from further LLMNR/NBNS spoofing. This can limit the potential to spoof valid hostsnames and cause interruptions. Note that spoofer learning requires elevated privilege since it’s only available through the packet sniffer.

  • Relevant Parameters

  • Example
    Invoke-Inveigh -ConsoleOutput Y -SpooferLearning Y -SpooferLearningDelay 10

Inveigh running in LLMNR/NBNS learning mode

Avoid Triggering Visible Indicators in Web Browsers

Some features and combinations can trigger visible indicators like popup login boxes or connectivity problems in either specific (usually Firefox) or all web browsers. Inveigh has the ability to set authentication methods for standard HTTP/HTTPS requests, wpad.dat requests, and proxy authentication. Inveigh also has the ability to filter out browsers by user agent for wpad.dat requests and proxy authentication.

  • Example
    Invoke-Inveigh -ConsoleOutput Y -WPADAuth anonymous

  • Relevant Parameters

You can’t perform that action at this time.