Synced collection/inveigh with current standalone Inveigh code

Direct copy/paste of Invoke-Inveigh function from current standalone version of Inveigh. This version contains a number of additions/changes/bug fixes. There are two primary additions that may be useful to Empire users. The first is that 1122334455667788 is no longer used as the default challenge over HTTP since it's now getting flagged by SEP and maybe others. The default behavior is a random challenge for each request. A specific challenge can also be specified through the 'challenge' parameter. The second is the ability to set a run time so that collection/inveigh will auto-exit after a specified number of minutes. On the python side, I have added the additional relevant parameters and flipped the module to opsec safe since no files are created on disk.
2015-12-13 19:31:52 -05:00 · 2015-12-13 19:31:52 -05:00 · e2209606aa
parent 93c1d46236
commit e2209606aa
2 changed files with 1233 additions and 816 deletions
--- a/data/module_source/collection/Invoke-Inveigh.ps1
+++ b/data/module_source/collection/Invoke-Inveigh.ps1
--- a/lib/modules/collection/inveigh.py
+++ b/lib/modules/collection/inveigh.py
@ -19,7 +19,7 @@ class Module:
            
            'NeedsAdmin' : True,

-            'OpsecSafe' : False,
+            'OpsecSafe' : True,

            'MinPSVersion' : '2',
            
@ -38,17 +38,17 @@ class Module:
                'Value'         :   ''
            },
            'IP' : {
-                'Description'   :   'A specific local IP address for listening. ',
+                'Description'   :   'Specific local IP address for listening.',
                'Required'      :   False,
                'Value'         :   ''
            },
            'SpooferIP' : {
-                'Description'   :   'Specify an IP address for LLMNR/NBNS spoofing.',
+                'Description'   :   'Specific IP address for LLMNR/NBNS spoofing.',
                'Required'      :   False,
                'Value'         :   ''
            },
-            'HTTP' : {
-                'Description'   :   'Enable/Disable HTTP challenge/response capture (Y/N).',
+	    'LLMNR' : {
+                'Description'   :   'Enable/Disable LLMNR spoofing (Y/N).',
                'Required'      :   False,
                'Value'         :   'Y'
            },
@ -57,25 +57,50 @@ class Module:
                'Required'      :   False,
                'Value'         :   'Y'
            },
+	    'NBNSTypes' : {
+                'Description'   :   'Comma separated list of NBNS types to spoof.',
+                'Required'      :   False,
+                'Value'         :   '00,20'
+            },
+	    'Repeat' : {
+                'Description'   :   'Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured (Y/N).',
+                'Required'      :   False,
+                'Value'         :   'Y'
+            },
+	    'SpoofList' : {
+                'Description'   :   'Comma separated list of hostnames to spoof with LLMNR and NBNS.',
+                'Required'      :   False,
+                'Value'         :   ''
+            },
+	    'HTTP' : {
+                'Description'   :   'Enable/Disable HTTP challenge/response capture (Y/N).',
+                'Required'      :   False,
+                'Value'         :   'Y'
+            },
            'SMB' : {
                'Description'   :   'Enable/Disable SMB challenge/response capture (Y/N).',
                'Required'      :   False,
                'Value'         :   'Y'
            },
-            'LLMNR' : {
-                'Description'   :   'Enable/Disable LLMNR spoofing (Y/N).',
+            'Challenge' : {
+                'Description'   :   'Specific 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request.',
                'Required'      :   False,
-                'Value'         :   'Y'
+                'Value'         :   ''
            },
-            'Repeat' : {
-                'Description'   :   'Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured (Y/N).',
+	    'MachineAccounts' : {
+                'Description'   :   'Enable/Disable showing NTLM challenge/response captures from machine accounts (Y/N).',
                'Required'      :   False,
-                'Value'         :   'Y'
+                'Value'         :   'N'
            },
            'ForceWPADAuth' : {
                'Description'   :   'Enable/Disable LLMNR spoofing (Y/N).',
                'Required'      :   False,
                'Value'         :   'Y'
+            },
+	    'RunTime' : {
+                'Description'   :   'Run time duration in minutes.',
+                'Required'      :   False,
+                'Value'         :   ''
            }
        }

@ -107,13 +132,11 @@ class Module:
        script = moduleCode

        # disable file output
-        script += "\n" + 'Invoke-Inveigh -Output 1 '
+        script += "\n" + 'Invoke-Inveigh -ConsoleOutput y -Tool 2 '

        for option,values in self.options.iteritems():
            if option.lower() != "agent":
-                if option.lower() == "nbns" and values['Value'].lower() == 'y':
-                    script += ' -NBNS Y -NBNSTypes @("00","20")'
-                elif values['Value'] and values['Value'] != '':
+                if values['Value'] and values['Value'] != '':
                    if values['Value'].lower() == "true":
                        # if we're just adding a switch
                        script += " -" + str(option)