Comment/Notes changes and WPADResponse removal

Updated additional comment/notes. I removed WPADResponse from inveigh
and inveigh_bruteforce since wpad.dat code contains commas. The Python
code that is parsing the commas for the array parameters is getting in
the way. I can add WPADResponse back in later.
1.6
Kevin Robertson 2016-03-30 15:35:44 -04:00
parent 987679bd9a
commit 32b36c9597
8 changed files with 35 additions and 45 deletions


@ -16,7 +16,7 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea
Run time control
.PARAMETER IP
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the SpooferIP parameter is not set.
.PARAMETER SpooferIP
Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
@ -74,7 +74,7 @@ Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS respons
Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
.PARAMETER HTTPResponse
Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. Use PowerShell character escapes where necessary.
.PARAMETER HTTPSCertAppID
Specify a valid application GUID for use with the ceriticate.
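Review bot: the context line "Specify a valid application GUID for use with the ceriticate." carries a typo ("certificate"); since this help block is already being edited in this commit, fix it in the same change.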
@ -95,7 +95,7 @@ Specify a proxy server port to be included in a basic wpad.dat response for WPAD
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
.PARAMETER WPADResponse
Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.
Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
.PARAMETER SMB
Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server.
@ -169,6 +169,7 @@ Execute specifying a specific local listening/spoofing IP and disabling HTTP cha
Invoke-Inveigh -SpooferRepeat N -WPADAuth Anonymous -SpooferHostsReply host1,host2 -SpooferIPsReply 192.168.2.75,192.168.2.76
Execute with the stealthiest options.
.EXAMPLE
Invoke-Inveigh -Inspect
Execute with LLMNR, NBNS, SMB, HTTP, and HTTPS disabled in order to only inpect LLMNR/NBNS traffic.
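Review bot: the new .EXAMPLE text misspells "inspect" as "inpect" in "in order to only inpect LLMNR/NBNS traffic". It would also help to say how -Inspect relates to the individual LLMNR/NBNS/SMB/HTTP/HTTPS switches (whether it overrides them or they must also be set to N), since the sentence implies a single switch disables all five.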


@ -48,7 +48,7 @@ Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authenticat
Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
.PARAMETER HTTPResponse
Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. Use PowerShell character escapes where necessary.
.PARAMETER WPADAuth
Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
@ -60,7 +60,7 @@ Specify a proxy server IP to be included in a basic wpad.dat response for WPAD e
Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
.PARAMETER WPADDirectHosts
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Use PowerShell character escapes where necessary.
.PARAMETER WPADResponse
Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.
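Review bot: the sentence "Use PowerShell character escapes where necessary." looks misplaced in this hunk. It is appended to WPADDirectHosts, a comma separated list of hostnames that should rarely need escaping, while WPADResponse directly below it (raw wpad.dat contents, which do need it) is left unchanged; in the Invoke-Inveigh hunk above the same sentence was added to WPADResponse. Suggest moving it to the WPADResponse line so the two scripts' help text matches.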


@ -39,7 +39,7 @@ Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication ty
IP address of system to target for SMB relay.
.PARAMETER SMBRelayCommand
Command to execute on SMB relay target.
Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
.PARAMETER SMBRelayUsernames
Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.


@ -14,7 +14,7 @@ Specify a specific local IP address. An IP address will be selected automaticall
Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around an in-use port 80 on the privesc target.
.PARAMETER Command
Command to execute as SYSTEM on the localhost.
Command to execute as SYSTEM on the localhost. Use PowerShell character escapes where necessary.
.PARAMETER NBNS
Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing.


@ -9,9 +9,7 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle '
'tool designed to assist penetration testers that find themselves '
'limited to a Windows system.'),
'Description': ('Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool.'),
'Background' : True,
@ -70,7 +68,7 @@ class Module:
'SpooferRepeat' : {
'Description' : 'Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured (Y/N).',
'Required' : False,
'Value' : ''
'Value' : 'Y'
},
'LLMNR' : {
'Description' : 'Enable/Disable LLMNR spoofing (Y/N).',
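Review bot: changing the Empire default for SpooferRepeat from '' to 'Y' means the module will now pass -SpooferRepeat Y explicitly instead of letting Invoke-Inveigh's own default apply. Confirm that Y is also the script's default so existing users see no behaviour change, and consider noting in the description that N is the quieter choice, since the .EXAMPLE above pairs -SpooferRepeat N with "the stealthiest options".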
@ -113,7 +111,7 @@ class Module:
'Value' : 'IIS'
},
'HTTPResponse' : {
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests.',
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : False,
'Value' : ''
},
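Review bot: "Do not wrap in quotes and use PowerShell character escapes where necessary." should also mention commas. The commit message says WPADResponse was dropped because the Python option code splits array parameters on commas, and an HTTPResponse HTML string can contain commas just as easily; either document that limitation here or, better, change the option loop so only the parameters that really are comma separated lists (SpooferHostsReply, SpooferIPsReply, WPADDirectHosts, SMBRelayUsernames) get split.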
@ -136,11 +134,6 @@ class Module:
'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
'Required' : False,
'Value' : ''
},
'WPADResponse' : {
'Description' : 'Wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.',
'Required' : False,
'Value' : ''
},
'SMB' : {
'Description' : 'Enable/Disable SMB challenge/response capture (Y/N).',
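Review bot: deleting the WPADResponse option works around the comma-splitting problem by removing the feature, and the commit message says it will come back later. A smaller fix is to make the splitting opt-in for the list parameters (WPADDirectHosts, SpooferHostsReply, SpooferIPsReply, SMBRelayUsernames) and pass every other value through verbatim; that keeps WPADResponse in both the inveigh and inveigh_bruteforce modules and also protects HTTPResponse, which has the same exposure.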
@ -191,8 +184,8 @@ class Module:
script = moduleCode
# disable file output
script += "\n" + 'Invoke-Inveigh -ConsoleOutput "Y" -Tool "2" '
# set defaults for Empire
script += "\n" + 'Invoke-Inveigh -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":
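Review bot: the new comment "# set defaults for Empire" describes a line that now only sets -Tool "2", while the removed comment "# disable file output" documented why -ConsoleOutput "Y" was there. If -Tool "2" already implies console output and no file output inside Invoke-Inveigh, say so in the comment; if it does not, dropping -ConsoleOutput "Y" will leave the agent with no output to return. The same change is repeated in the inveigh_bruteforce, inveigh_relay and tater hunks below.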


@ -10,7 +10,7 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Inveigh\'s remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. '
'This function can be used to perform NBNS spoofing across subnets and/or perform NBNS '
'This module can be used to perform NBNS spoofing across subnets and/or perform NBNS '
'spoofing without an elevated administrator or SYSTEM shell.'),
'Background' : True,
@ -24,7 +24,7 @@ class Module:
'MinPSVersion' : '2',
'Comments': [
'https://github.com/Kevin-Robertson/Inveigh'
'https://github.com/Kevin-Robertson/Inveigh'
]
}
@ -38,7 +38,7 @@ class Module:
'Value' : ''
},
'SpooferIP' : {
'Description' : 'Specific IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.',
'Description' : 'Specific IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host.',
'Required' : False,
'Value' : ''
},
@ -83,7 +83,7 @@ class Module:
'Value' : 'IIS'
},
'HTTPResponse' : {
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests.',
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : False,
'Value' : ''
},
@ -106,11 +106,6 @@ class Module:
'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
'Required' : False,
'Value' : ''
},
'WPADResponse' : {
'Description' : 'Wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.',
'Required' : False,
'Value' : ''
},
'Challenge' : {
'Description' : 'Specific 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.',
@ -161,8 +156,8 @@ class Module:
script = moduleCode
# disable file output
script += "\n" + 'Invoke-InveighBruteForce -ConsoleOutput "Y" -Tool "2" '
# set defaults for Empire
script += "\n" + 'Invoke-InveighBruteForce -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":


@ -9,11 +9,12 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Relays incoming HTTP NTLMv2 authentication requests to an SMB target. '
'If the authentication is successfully relayed and the account is '
'a local administrator, a specified command will be executed on the '
'target PSExec style. This module works best while also running '
'collection/inveigh with HTTP disabled.'),
'Description': ('Inveigh\'s SMB relay function. This module can be used to relay '
'incoming HTTP NTLMv2 authentication requests to an SMB target. '
'If the authentication is successfully relayed and the account is '
'a local administrator, a specified command will be executed on the '
'target PSExec style. This module works best while also running '
'collection/inveigh with HTTP disabled.'),
'Background' : True,
@ -45,7 +46,7 @@ class Module:
'Value' : ''
},
'SMBRelayCommand' : {
'Description' : 'Command to execute on SMB relay target. Do not wrap command in quotes.',
'Description' : 'Command to execute on SMB relay target. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : True,
'Value' : ''
},
@ -93,8 +94,8 @@ class Module:
script = moduleCode
# disable file output
script += "\n" + 'Invoke-InveighRelay -ConsoleOutput "Y" -Tool "2" '
# set defaults for Empire
script += "\n" + 'Invoke-InveighRelay -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":


@ -10,7 +10,7 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Tater is a PowerShell implementation of the Hot Potato '
'Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.'),
'Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.'),
'Background' : True,
@ -37,17 +37,17 @@ class Module:
'Value' : ''
},
'IP' : {
'Description' : 'Local IP address.',
'Description' : 'Specific local IP address for NBNS spoofer.',
'Required' : False,
'Value' : ''
},
'SpooferIP' : {
'Description' : 'IP address included in NBNS response.',
'Description' : 'IP address included in NBNS response. This is needed when using two hosts to get around an in-use port 80 on the privesc target.',
'Required' : False,
'Value' : ''
},
'Command' : {
'Description' : 'Command to execute during privilege escalation. Do not wrap command in quotes.',
'Description' : 'Command to execute during privilege escalation. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : True,
'Value' : ''
},
@ -89,7 +89,7 @@ class Module:
'WPADPort' : {
'Description' : 'Proxy server port to be included in the wpad.dat file.',
'Required' : False,
'Value' : ''
'Value' : '80'
},
'TaskDelete' : {
'Description' : 'Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.',
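Review bot: giving WPADPort a default of '80' means Empire will now pass -WPADPort "80" to Invoke-Tater explicitly rather than relying on the script's own default. Check that 80 matches that default, and add a word to the description on when it should be changed, since the SpooferIP description in this same file already discusses an in-use port 80 on the privesc target.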
@ -135,8 +135,8 @@ class Module:
script = moduleCode
# disable file output
script += "\n" + 'Invoke-Tater -ConsoleOutput "Y" -Tool "2" '
# set defaults for Empire
script += "\n" + 'Invoke-Tater -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":