From 32b36c9597d7604fdb9160b4ec40f5478c33c55b Mon Sep 17 00:00:00 2001
From: Kevin Robertson
Date: Wed, 30 Mar 2016 15:35:44 -0400
Subject: [PATCH] Comment/Notes changes and WPADResponse removal
Updated additional comment/notes. I removed WPADResponse from inveigh and inveigh_bruteforce since wpad.dat code contains commas. The python code that is parsing the commas for the array parameters is getting in that way. I can add WPADResponse back in later.
---
 .../module_source/collection/Invoke-Inveigh.ps1 | 7 ++++---
 .../collection/Invoke-InveighBruteForce.ps1 | 4 ++--
 .../lateral_movement/Invoke-InveighRelay.ps1 | 2 +-
 data/module_source/privesc/Invoke-Tater.ps1 | 2 +-
 lib/modules/collection/inveigh.py | 17 +++++------------
 lib/modules/collection/inveigh_bruteforce.py | 17 ++++++-----------
 lib/modules/lateral_movement/inveigh_relay.py | 17 +++++++++--------
 lib/modules/privesc/tater.py | 14 +++++++-------
 8 files changed, 35 insertions(+), 45 deletions(-)
diff --git a/data/module_source/collection/Invoke-Inveigh.ps1 b/data/module_source/collection/Invoke-Inveigh.ps1
index e4025d1..8838a9e 100644
--- a/data/module_source/collection/Invoke-Inveigh.ps1
+++ b/data/module_source/collection/Invoke-Inveigh.ps1
@@ -16,7 +16,7 @@ Invoke-Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with the following fea
 Run time control
 .PARAMETER IP
-Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the 'SpooferIP' parameter is not set.
+Specify a specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the SpooferIP parameter is not set.
 .PARAMETER SpooferIP
 Specify an IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.
@@ -74,7 +74,7 @@ Specify a filename within the HTTPDir to serve as the default HTTP/HTTPS respons
 Specify an EXE filename within the HTTPDir to serve as the default HTTP/HTTPS response for EXE requests.
 .PARAMETER HTTPResponse
-Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. Use PowerShell character escapes where necessary.
 .PARAMETER HTTPSCertAppID
 Specify a valid application GUID for use with the ceriticate.
@@ -95,7 +95,7 @@ Specify a proxy server port to be included in a basic wpad.dat response for WPAD
 Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
 .PARAMETER WPADResponse
-Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.
+Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary.
 .PARAMETER SMB
 Default = Enabled: (Y/N) Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server.
@@ -169,6 +169,7 @@ Execute specifying a specific local listening/spoofing IP and disabling HTTP cha
 Invoke-Inveigh -SpooferRepeat N -WPADAuth Anonymous -SpooferHostsReply host1,host2 -SpooferIPsReply 192.168.2.75,192.168.2.76
 Execute with the stealthiest options.
+.EXAMPLE
 Invoke-Inveigh -Inspect
 Execute with LLMNR, NBNS, SMB, HTTP, and HTTPS disabled in order to only inpect LLMNR/NBNS traffic.
diff --git a/data/module_source/collection/Invoke-InveighBruteForce.ps1 b/data/module_source/collection/Invoke-InveighBruteForce.ps1
index c30e1e6..023eae4 100644
--- a/data/module_source/collection/Invoke-InveighBruteForce.ps1
+++ b/data/module_source/collection/Invoke-InveighBruteForce.ps1
@@ -48,7 +48,7 @@ Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authenticat
 Specify a realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.
 .PARAMETER HTTPResponse
-Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests.
+Specify a string or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. Use PowerShell character escapes where necessary.
 .PARAMETER WPADAuth
 Default = NTLM: (Anonymous,Basic,NTLM) Specify the HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts.
@@ -60,7 +60,7 @@ Specify a proxy server IP to be included in a basic wpad.dat response for WPAD e
 Specify a proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.
 .PARAMETER WPADDirectHosts
-Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy.
+Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Use PowerShell character escapes where necessary.
 .PARAMETER WPADResponse
 Specify wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.
diff --git a/data/module_source/lateral_movement/Invoke-InveighRelay.ps1 b/data/module_source/lateral_movement/Invoke-InveighRelay.ps1
index 13c7025..21226f6 100644
--- a/data/module_source/lateral_movement/Invoke-InveighRelay.ps1
+++ b/data/module_source/lateral_movement/Invoke-InveighRelay.ps1
@@ -39,7 +39,7 @@ Default = NTLM: (Anonymous,NTLM) Specify the HTTP/HTTPS server authentication ty
 IP address of system to target for SMB relay.
 .PARAMETER SMBRelayCommand
-Command to execute on SMB relay target.
+Command to execute on SMB relay target. Use PowerShell character escapes where necessary.
 .PARAMETER SMBRelayUsernames
 Default = All Usernames: Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
diff --git a/data/module_source/privesc/Invoke-Tater.ps1 b/data/module_source/privesc/Invoke-Tater.ps1
index 551bcab..c6ed25d 100644
--- a/data/module_source/privesc/Invoke-Tater.ps1
+++ b/data/module_source/privesc/Invoke-Tater.ps1
@@ -14,7 +14,7 @@ Specify a specific local IP address. An IP address will be selected automaticall
 Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around an in-use port 80 on the privesc target.
 .PARAMETER Command
-Command to execute as SYSTEM on the localhost.
+Command to execute as SYSTEM on the localhost. Use PowerShell character escapes where necessary.
 .PARAMETER NBNS
 Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing.
diff --git a/lib/modules/collection/inveigh.py b/lib/modules/collection/inveigh.py
index ce46ed2..ce29fd3 100644
--- a/lib/modules/collection/inveigh.py
+++ b/lib/modules/collection/inveigh.py
@@ -9,9 +9,7 @@ class Module:
 'Author': ['Kevin Robertson'],
- 'Description': ('Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle '
- 'tool designed to assist penetration testers that find themselves '
- 'limited to a Windows system.'),
+ 'Description': ('Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool.'),
 'Background' : True,
@@ -70,7 +68,7 @@ class Module:
 'SpooferRepeat' : {
 'Description' : 'Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured (Y/N).',
 'Required' : False,
- 'Value' : ''
+ 'Value' : 'Y'
 },
 'LLMNR' : {
 'Description' : 'Enable/Disable LLMNR spoofing (Y/N).',
@@ -113,7 +111,7 @@ class Module:
 'Value' : 'IIS'
 },
 'HTTPResponse' : {
- 'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests.',
+ 'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
 'Required' : False,
 'Value' : ''
 },
@@ -136,11 +134,6 @@ class Module:
 'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
 'Required' : False,
 'Value' : ''
- },
- 'WPADResponse' : {
- 'Description' : 'Wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.',
- 'Required' : False,
- 'Value' : ''
 },
 'SMB' : {
 'Description' : 'Enable/Disable SMB challenge/response capture (Y/N).',
@@ -191,8 +184,8 @@ class Module:
 script = moduleCode
- # disable file output
- script += "\n" + 'Invoke-Inveigh -ConsoleOutput "Y" -Tool "2" '
+ # set defaults for Empire
+ script += "\n" + 'Invoke-Inveigh -Tool "2" '
 for option,values in self.options.iteritems():
 if option.lower() != "agent":
diff --git a/lib/modules/collection/inveigh_bruteforce.py b/lib/modules/collection/inveigh_bruteforce.py
index c3de44a..874542f 100644
--- a/lib/modules/collection/inveigh_bruteforce.py
+++ b/lib/modules/collection/inveigh_bruteforce.py
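Review bot: The new HTTPResponse description in the `@@ -113,7 +111,7 @@` hunk warns about quoting and PowerShell escapes but says nothing about commas, even though the commit message gives comma splitting in the array-parameter handling as the reason WPADResponse was dropped; an HTML response body is at least as likely to contain commas, so the same breakage presumably applies to this option. Suggest appending `Values containing commas are not supported.` to the description (adjusting the wording if the parsing code treats commas differently from how the message describes), and doing the same for the HTTPResponse entry in lib/modules/collection/inveigh_bruteforce.py. The loop that handles option values is outside this hunk, so the exact behaviour cannot be confirmed from the diff.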
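Review bot: The replacement comment `# set defaults for Empire` in the `@@ -191,8 +184,8 @@` hunk no longer says which defaults are being set: the annotated line now passes only `-Tool "2"`, and the `-ConsoleOutput "Y"` switch the old comment referred to is gone, so a maintainer cannot tell from the module whether console output is still enabled or is implied by the tool selection. Suggest making the dependency explicit, e.g. `# -Tool "2" selects Invoke-Inveigh's Empire mode, which is expected to supply the output defaults (ConsoleOutput is no longer passed here)`, and correcting it if -Tool 2 does not in fact imply that. The same comment and change appear in lib/modules/collection/inveigh_bruteforce.py, lib/modules/lateral_movement/inveigh_relay.py and lib/modules/privesc/tater.py. The `for option,values in self.options.iteritems()` loop that builds the rest of the command continues outside the hunk.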
@@ -10,7 +10,7 @@ class Module:
 'Author': ['Kevin Robertson'],
 'Description': ('Inveigh\'s remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. '
- 'This function can be used to perform NBNS spoofing across subnets and/or perform NBNS '
+ 'This module can be used to perform NBNS spoofing across subnets and/or perform NBNS '
 'spoofing without an elevated administrator or SYSTEM shell.'),
 'Background' : True,
@@ -24,7 +24,7 @@ class Module:
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Kevin-Robertson/Inveigh'
+ 'https://github.com/Kevin-Robertson/Inveigh'
 ]
 }
@@ -38,7 +38,7 @@ class Module:
 'Value' : ''
 },
 'SpooferIP' : {
- 'Description' : 'Specific IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.',
+ 'Description' : 'Specific IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host.',
 'Required' : False,
 'Value' : ''
 },
@@ -83,7 +83,7 @@ class Module:
 'Value' : 'IIS'
 },
 'HTTPResponse' : {
- 'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests.',
+ 'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
 'Required' : False,
 'Value' : ''
 },
@@ -106,11 +106,6 @@ class Module:
 'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
 'Required' : False,
 'Value' : ''
- },
- 'WPADResponse' : {
- 'Description' : 'Wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set.',
- 'Required' : False,
- 'Value' : ''
 },
 'Challenge' : {
 'Description' : 'Specific 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.',
@@ -161,8 +156,8 @@ class Module:
 script = moduleCode
- # disable file output
- script += "\n" + 'Invoke-InveighBruteForce -ConsoleOutput "Y" -Tool "2" '
+ # set defaults for Empire
+ script += "\n" + 'Invoke-InveighBruteForce -Tool "2" '
 for option,values in self.options.iteritems():
 if option.lower() != "agent":
diff --git a/lib/modules/lateral_movement/inveigh_relay.py b/lib/modules/lateral_movement/inveigh_relay.py
index 5055cd6..bd5edc7 100644
--- a/lib/modules/lateral_movement/inveigh_relay.py
+++ b/lib/modules/lateral_movement/inveigh_relay.py
@@ -9,11 +9,12 @@ class Module:
 'Author': ['Kevin Robertson'],
- 'Description': ('Relays incoming HTTP NTLMv2 authentication requests to an SMB target. '
- 'If the authentication is successfully relayed and the account is '
- 'a local administrator, a specified command will be executed on the '
- 'target PSExec style. This module works best while also running '
- 'collection/inveigh with HTTP disabled.'),
+ 'Description': ('Inveigh\'s SMB relay function. This module can be used to relay '
+ 'incoming HTTP NTLMv2 authentication requests to an SMB target. '
+ 'If the authentication is successfully relayed and the account is '
+ 'a local administrator, a specified command will be executed on the '
+ 'target PSExec style. This module works best while also running '
+ 'collection/inveigh with HTTP disabled.'),
 'Background' : True,
@@ -45,7 +46,7 @@ class Module:
 'Value' : ''
 },
 'SMBRelayCommand' : {
- 'Description' : 'Command to execute on SMB relay target. Do not wrap command in quotes.',
+ 'Description' : 'Command to execute on SMB relay target. Do not wrap in quotes and use PowerShell character escapes where necessary.',
 'Required' : True,
 'Value' : ''
 },
@@ -93,8 +94,8 @@ class Module:
 script = moduleCode
- # disable file output
- script += "\n" + 'Invoke-InveighRelay -ConsoleOutput "Y" -Tool "2" '
+ # set defaults for Empire
+ script += "\n" + 'Invoke-InveighRelay -Tool "2" '
 for option,values in self.options.iteritems():
 if option.lower() != "agent":
diff --git a/lib/modules/privesc/tater.py b/lib/modules/privesc/tater.py
index 0aa267b..cca83e9 100644
--- a/lib/modules/privesc/tater.py
+++ b/lib/modules/privesc/tater.py
@@ -10,7 +10,7 @@ class Module:
 'Author': ['Kevin Robertson'],
 'Description': ('Tater is a PowerShell implementation of the Hot Potato '
- 'Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.'),
+ 'Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.'),
 'Background' : True,
@@ -37,17 +37,17 @@ class Module:
 'Value' : ''
 },
 'IP' : {
- 'Description' : 'Local IP address.',
+ 'Description' : 'Specific local IP address for NBNS spoofer.',
 'Required' : False,
 'Value' : ''
 },
 'SpooferIP' : {
- 'Description' : 'IP address included in NBNS response.',
+ 'Description' : 'IP address included in NBNS response. This is needed when using two hosts to get around an in-use port 80 on the privesc target.',
 'Required' : False,
 'Value' : ''
 },
 'Command' : {
- 'Description' : 'Command to execute during privilege escalation. Do not wrap command in quotes.',
+ 'Description' : 'Command to execute during privilege escalation. Do not wrap in quotes and use PowerShell character escapes where necessary.',
 'Required' : True,
 'Value' : ''
 },
@@ -89,7 +89,7 @@ class Module:
 'WPADPort' : {
 'Description' : 'Proxy server port to be included in the wpad.dat file.',
 'Required' : False,
- 'Value' : ''
+ 'Value' : '80'
 },
 'TaskDelete' : {
 'Description' : 'Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.',
@@ -135,8 +135,8 @@ class Module:
 script = moduleCode
- # disable file output
- script += "\n" + 'Invoke-Tater -ConsoleOutput "Y" -Tool "2" '
+ # set defaults for Empire
+ script += "\n" + 'Invoke-Tater -Tool "2" '
 for option,values in self.options.iteritems():
 if option.lower() != "agent":
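Review bot: `'WPADPort'` now defaults to `'80'` in the `@@ -89,7 +89,7 @@` hunk, but its description still reads like an unset optional value and no longer reflects the stored default; the companion WPADIP option is outside this hunk, so whether a port without an IP is handled by the script or simply emitted as a stray parameter cannot be confirmed from the diff. Suggest stating the default in the description, e.g. `'Description' : 'Proxy server port to be included in the wpad.dat file. Default = 80.',`, and noting in it whether WPADIP must be set alongside it if that is the case.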