From 5116878fd5439784bd616f7094e5c82b345ff206 Mon Sep 17 00:00:00 2001 From: kevin Date: Tue, 27 Sep 2022 22:18:14 -0400 Subject: [PATCH] cleartext, proxy fixes Fixed cleartext capture/output bugs Added proxyauth reconnect relay Changed IgnoreHosts/ReplyToHosts to IgnoreQueries/ReplyToQueries --- Inveigh/Listeners/DNSListener.cs | 4 +- Inveigh/Listeners/HTTPListener.cs | 5 ++ Inveigh/Listeners/LLMNRListener.cs | 12 ++-- Inveigh/Listeners/MDNSListener.cs | 4 +- Inveigh/Listeners/NBNSListener.cs | 4 +- Inveigh/Program.cs | 28 ++++---- .../Quiddity/Listeners/HTTPListener.cs | 22 ++++++- .../Quiddity/Protocols/DNS/DNSChecker.cs | 20 +++--- Inveigh/Support/Output.cs | 65 +++++++++++++++---- Inveigh/Support/Shell.cs | 20 +++--- README.md | 12 ++-- 11 files changed, 129 insertions(+), 67 deletions(-) diff --git a/Inveigh/Listeners/DNSListener.cs b/Inveigh/Listeners/DNSListener.cs index d74b971..1915b8c 100644 --- a/Inveigh/Listeners/DNSListener.cs +++ b/Inveigh/Listeners/DNSListener.cs @@ -39,8 +39,8 @@ public override bool Check(string name, string type, string clientIP, out string DNSChecker helper = new DNSChecker { - IgnoreHosts = Program.argIgnoreHosts, - ReplyToHosts = Program.argReplyToHosts, + IgnoreQueries = Program.argIgnoreQueries, + ReplyToQueries = Program.argReplyToQueries, IgnoreIPs = Program.argIgnoreIPs, ReplyToIPs = Program.argReplyToIPs, IgnoreDomains = Program.argIgnoreDomains, diff --git a/Inveigh/Listeners/HTTPListener.cs b/Inveigh/Listeners/HTTPListener.cs index d3b0961..6537983 100644 --- a/Inveigh/Listeners/HTTPListener.cs +++ b/Inveigh/Listeners/HTTPListener.cs 
@@ -38,6 +38,11 @@ protected override void OutputNTLM(string protocol, string listenerPort, string Output.NTLMOutput(user, domain, ntlmChallenge, ntlmResponseHash, clientIP, host, protocol, listenerPort, clientPort, lmResponseHash); } + protected override void OutputCleartext(string protocol, string listenerPort, string clientIP, string clientPort, string credentials) + { + Output.CleartextOutput(protocol, listenerPort, clientIP, clientPort, credentials); + } + protected override void OutputChallenge(string protocol, string listenerPort, string clientIP, string clientPort, string challenge) { Output.Queue(String.Format("[+] [{0}] {1}({2}) NTLM challenge [{3}] sent to {4}:{5}", Output.Timestamp(), protocol, listenerPort, challenge, clientIP, clientPort)); diff --git a/Inveigh/Listeners/LLMNRListener.cs b/Inveigh/Listeners/LLMNRListener.cs index 93729b5..b15a989 100644 --- a/Inveigh/Listeners/LLMNRListener.cs +++ b/Inveigh/Listeners/LLMNRListener.cs @@ -28,10 +28,10 @@ protected override void OutputError(Exception ex) public override bool Check(string name, string type, string clientIP, out string message) { - LLMNRChecker llmnrHelper = new LLMNRChecker + LLMNRChecker llmnrChecker = new LLMNRChecker { - IgnoreHosts = Program.argIgnoreHosts, - ReplyToHosts = Program.argReplyToHosts, + IgnoreQueries = Program.argIgnoreQueries, + ReplyToQueries = Program.argReplyToQueries, IgnoreIPs = Program.argIgnoreIPs, ReplyToIPs = Program.argReplyToIPs, IPCaptures = Program.IPCaptureList, @@ -41,13 +41,13 @@ public override bool Check(string name, string type, string clientIP, out string Inspect = Program.enabledInspect, }; - if (llmnrHelper.Check(name, type, clientIP)) + if (llmnrChecker.Check(name, type, clientIP)) { - message = llmnrHelper.OutputMessage; + message = llmnrChecker.OutputMessage; return true; } - message = llmnrHelper.OutputMessage; + message = llmnrChecker.OutputMessage; return false; } 
diff --git a/Inveigh/Listeners/MDNSListener.cs b/Inveigh/Listeners/MDNSListener.cs index c8736ed..c97dd07 100644 --- a/Inveigh/Listeners/MDNSListener.cs +++ b/Inveigh/Listeners/MDNSListener.cs @@ -33,8 +33,8 @@ public override bool Check(string name, string question, string type, string cli MDNSChecker mdnsHelper = new MDNSChecker { - IgnoreHosts = Program.argIgnoreHosts, - ReplyToHosts = Program.argReplyToHosts, + IgnoreQueries = Program.argIgnoreQueries, + ReplyToQueries = Program.argReplyToQueries, IgnoreIPs = Program.argIgnoreIPs, ReplyToIPs = Program.argReplyToIPs, IPCaptures = Program.IPCaptureList, diff --git a/Inveigh/Listeners/NBNSListener.cs b/Inveigh/Listeners/NBNSListener.cs index 6e574d8..17a356b 100644 --- a/Inveigh/Listeners/NBNSListener.cs +++ b/Inveigh/Listeners/NBNSListener.cs @@ -31,8 +31,8 @@ public override bool Check(string name, string type, string clientIP, out string NetBIOSNSChecker helper = new NetBIOSNSChecker { - IgnoreHosts = Program.argIgnoreHosts, - ReplyToHosts = Program.argReplyToHosts, + IgnoreQueries = Program.argIgnoreQueries, + ReplyToQueries = Program.argReplyToQueries, IgnoreIPs = Program.argIgnoreIPs, ReplyToIPs = Program.argReplyToIPs, IPCaptures = Program.IPCaptureList, diff --git a/Inveigh/Program.cs b/Inveigh/Program.cs index 97fe911..ebb3a78 100644 --- a/Inveigh/Program.cs +++ b/Inveigh/Program.cs @@ -74,10 +74,10 @@ class Program public static string[] argIgnoreAgents = { "Firefox" }; public static string[] argIgnoreDomains; public static string[] argIgnoreIPs; - public static string[] argIgnoreHosts; + public static string[] argIgnoreQueries; public static string[] argIgnoreMACs; public static string[] argReplyToDomains; - public static string[] argReplyToHosts; + public static string[] argReplyToQueries; public static string[] argReplyToIPs; public static string[] argReplyToMACs; public static string argSpooferIP = ""; 
@@ -174,7 +174,7 @@ class Program public static string netbiosDomain = Environment.UserDomainName; public static string dnsDomain = ""; public static ulong smb2Session = 5548434740922023936; // todo check - public static string version = "2.0.6"; + public static string version = "2.0.8"; static void Main(string[] arguments) { @@ -355,11 +355,6 @@ static void Main(string[] arguments) argIgnoreDomains = arguments[entry.index + 1].ToUpper().Split(','); break; - case "-IGNOREHOSTS": - case "/IGNOREHOSTS": - argIgnoreHosts = arguments[entry.index + 1].ToUpper().Split(','); - break; - case "-IGNOREIPS": case "/IGNOREIPS": argIgnoreIPs = arguments[entry.index + 1].ToUpper().Split(','); @@ -370,6 +365,11 @@ static void Main(string[] arguments) argIgnoreMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(','); break; + case "-IGNOREQUERIES": + case "/IGNOREQUERIES": + argIgnoreQueries = arguments[entry.index + 1].ToUpper().Split(','); + break; + case "-INSPECT": case "/INSPECT": argInspect = arguments[entry.index + 1].ToUpper(); @@ -545,11 +545,6 @@ static void Main(string[] arguments) argReplyToDomains = arguments[entry.index + 1].ToUpper().Split(','); break; - case "-REPLYTOHOSTS": - case "/REPLYTOHOSTS": - argReplyToHosts = arguments[entry.index + 1].ToUpper().Split(','); - break; - case "-REPLYTOIPS": case "/REPLYTOIPS": argReplyToIPs = arguments[entry.index + 1].ToUpper().Split(','); @@ -558,7 +553,12 @@ static void Main(string[] arguments) case "-REPLYTOMACS": case "/REPLYTOMACS": argReplyToMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(','); - break; + break; + + case "-REPLYTOQUERIES": + case "/REPLYTOQUERIES": + argReplyToQueries = arguments[entry.index + 1].ToUpper().Split(','); + break; case "-WEBDAV": case "/WEBDAV": diff --git a/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs b/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs index 7a17131..673cbe1 100644 
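Review bot: The new `-ReplyToQueries` case reads `arguments[entry.index + 1]` without checking that a value follows the switch, so a command line ending in `-ReplyToQueries` throws IndexOutOfRangeException instead of a usage error; this copies the neighbouring cases, so the guard may live in the parser loop outside this hunk. The value is upper-cased but never trimmed, so `-ReplyToQueries "host1, host2"` stores `" HOST2"`, which the checkers' exact `==` comparison can never match; `argReplyToQueries = arguments[entry.index + 1].ToUpper().Split(',').Select(q => q.Trim()).ToArray();` accepts both spellings if System.Linq is in scope, and the `-IgnoreQueries` case added earlier in this file has the same shape. `Main` continues outside the hunk.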
--- a/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs +++ b/Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs @@ -41,6 +41,7 @@ using System.Net.Security; using Quiddity.Support; using System.Collections; +using System.Collections.Generic; namespace Quiddity { @@ -64,6 +65,7 @@ class HTTPListener public static bool isRunning = false; public const SslProtocols tls12 = (SslProtocols)0x00000C00; public static Hashtable httpSessionTable = Hashtable.Synchronized(new Hashtable()); + public static Hashtable tcpSessionTable = Hashtable.Synchronized(new Hashtable()); public HTTPListener() { @@ -118,8 +120,18 @@ internal void Start(IPAddress ipAddress, int port, string type) if (isRunning) { TcpClient tcpClient = tcpListener.EndAcceptTcpClient(tcpAsync); - object[] parameters = { tcpClient, type, port }; - ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters); + string sourceIP = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Address.ToString(); + + if (type.Equals("Proxy") && tcpSessionTable.ContainsKey(sourceIP) && DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) > 0) + { + tcpClient.Client.Close(); + } + else + { + object[] parameters = { tcpClient, type, port }; + ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters); + } + } } @@ -490,6 +502,12 @@ internal void ReceiveClient(object parameters) if (type.Equals("Proxy")) { tcpClient.Client.Close(); + + if (!tcpSessionTable.ContainsKey(sourceIP) || DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) <= 0) + { + tcpSessionTable[sourceIP] = DateTime.Now.AddSeconds(1); + } + } else { diff --git a/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs b/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs index c70bd7d..5ffd513 100644 --- a/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs +++ b/Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs 
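Review bot: The reconnect throttle in `Start` compares `DateTime.Now` values, so a wall-clock change between the write in `ReceiveClient` and this read (a DST fall-back, an NTP step) stretches or voids the one-second window; `DateTime.UtcNow` on both sides, or `Environment.TickCount64`, makes the comparison depend only on elapsed time. The throttled branch calls `tcpClient.Client.Close()`, which closes the socket but leaves the `TcpClient` undisposed; `tcpClient.Close()` releases both. Keying on the source IP alone means every client behind one NAT address shares the window, which is presumably intended for the proxy-auth reconnect loop this targets but deserves a comment on `tcpSessionTable`: `// Proxy only: source IP -> time before which new connections from it are dropped, set when a proxy session is closed`. `Start` continues outside the hunk.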
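Review bot: The one-second window in `ReceiveClient` is a bare literal, `DateTime.Now.AddSeconds(1)`, that silently defines the behaviour of the accept loop in `Start`; a named field such as `private const int proxyReconnectDelaySeconds = 1;` keeps the two sites in step and records why a closed proxy client is refused on its next connection. Entries are written but never removed, so `tcpSessionTable` keeps one expired `DateTime` per client IP for the listener's lifetime; that is small for a listener run against one subnet, but a one-line comment saying entries are never evicted would stop the next reader expecting cleanup. `sourceIP` is assigned outside the hunk, and `ReceiveClient` continues past it.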
@@ -37,8 +37,8 @@ namespace Quiddity.DNS { class DNSChecker { - public string[] IgnoreHosts { get; set; } - public string[] ReplyToHosts { get; set; } + public string[] IgnoreQueries { get; set; } + public string[] ReplyToQueries { get; set; } public string[] IgnoreIPs { get; set; } public string[] ReplyToIPs { get; set; } public string[] IgnoreDomains { get; set; } @@ -103,12 +103,12 @@ public bool Check(string name, string type, string clientIP) this.OutputMessage = this.OutputServiceDenied; return false; } - else if (HostIsDenied(name) || FQDNIsDenied(name)) + else if (QueryIsDenied(name) || FQDNIsDenied(name)) { this.OutputMessage = this.OutputHostDenied; return false; } - else if (!HostIsAllowed(name) && !FQDNIsAllowed(name)) + else if (!QueryIsAllowed(name) && !FQDNIsAllowed(name)) { this.OutputMessage = this.OutputHostDenied; return false; @@ -193,11 +193,11 @@ public bool ServiceIsAllowed(string name, string type) return true; } - public bool HostIsDenied(string name) + public bool QueryIsDenied(string name) { string host = (name.Split('.'))[0]; - if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == host.ToUpper())) + if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == host.ToUpper())) { return true; } @@ -205,11 +205,11 @@ public bool HostIsDenied(string name) return false; } - public bool HostIsAllowed(string name) + public bool QueryIsAllowed(string name) { string host = (name.Split('.'))[0]; - if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == host.ToUpper())) + if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == host.ToUpper())) { return false; } 
@@ -220,7 +220,7 @@ public bool HostIsAllowed(string name) public bool FQDNIsDenied(string name) { - if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == name.ToUpper())) + if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == name.ToUpper())) { return true; } @@ -231,7 +231,7 @@ public bool FQDNIsDenied(string name) public bool FQDNIsAllowed(string name) { - if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == name.ToUpper())) + if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == name.ToUpper())) { return false; } diff --git a/Inveigh/Support/Output.cs b/Inveigh/Support/Output.cs index d44c10f..3d86a1a 100644 --- a/Inveigh/Support/Output.cs +++ b/Inveigh/Support/Output.cs @@ -592,12 +592,12 @@ public static void NTLMOutput(string user, string domain, string challenge, stri lock (Program.IPCaptureList) { - Program.IPCaptureList.Add(string.Concat(host)); + Program.IPCaptureList.Add(sourceIP); } lock (Program.HostCaptureList) { - Program.HostCaptureList.Add(string.Concat(host)); + Program.HostCaptureList.Add(host); } } @@ -642,12 +642,12 @@ public static void NTLMOutput(string user, string domain, string challenge, stri lock (Program.IPCaptureList) { - Program.IPCaptureList.Add(string.Concat(host)); + Program.IPCaptureList.Add(sourceIP); } lock (Program.HostCaptureList) { - Program.HostCaptureList.Add(string.Concat(host)); + Program.HostCaptureList.Add(host); } } 
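Review bot: The two hunks in `NTLMOutput` now carry the same two-lock stanza that appends `sourceIP` and `host` to the capture lists, and the bug this commit fixes (adding `host` to `IPCaptureList`) survived precisely because the stanza was duplicated. Folding it into a private helper, say `RecordCapture(sourceIP, host)`, called from both branches would keep the two sites from drifting again. `NTLMOutput` starts and ends outside the hunks; `sourceIP` and `host` appear to be its parameters or locals defined outside the view.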
@@ -680,6 +680,43 @@ public static void NTLMOutput(string user, string domain, string challenge, stri } + public static void CleartextOutput(string protocol, string listenerPort, string clientIP, string clientPort, string credentials) + { + + bool isUnique = false; + + if (Program.cleartextList.Any(str => str.Contains(credentials))) + { + isUnique = true; + } + + lock (Program.cleartextList) + { + Program.cleartextList.Add(string.Concat(clientIP, ",", credentials)); + } + + if (Program.enabledConsoleUnique && isUnique) + { + Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n[not unique]", Timestamp(), protocol, listenerPort, clientIP, clientPort)); + } + else + { + Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n{5}", Timestamp(), protocol, listenerPort, clientIP, clientPort, credentials)); + } + + if (Program.enabledFileOutput && (!Program.enabledFileUnique || !isUnique)) + { + + lock (Program.cleartextFileList) + { + Program.cleartextFileList.Add(string.Concat(clientIP, ",", credentials)); + } + + Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials written to {3}", Timestamp(), protocol, listenerPort, String.Concat(Program.argFilePrefix, "-Cleartext.txt"))); + } + + } + public static void FileOutput() { @@ -1005,10 +1042,10 @@ public static void GetHelp(string arg) OutputHelp(argument, description); } - if (nullarg || string.Equals(arg, "IGNOREHOSTS")) + if (nullarg || string.Equals(arg, "IGNOREQUERIES")) { - string argument = "IgnoreHosts"; - string description = "Default=None: Comma separated list of hostnames to ignore when spoofing."; + string argument = "IgnoreQueries"; + string description = "Default=None: Comma separated list of name queries to ignore when spoofing."; OutputHelp(argument, description); } 
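Review bot: In `CleartextOutput`, `Program.cleartextList.Any(...)` enumerates the shared list outside the `lock` that the `Add` a few lines later takes, so a concurrent capture can raise InvalidOperationException mid-enumeration if `cleartextList` is a `List<string>`. The duplicate test is also a substring match: with entries stored as `clientIP,credentials`, an earlier `user:password1` makes a later `user:password` count as already captured and, with `FileUnique` on, it is never written to the file. The flag is named `isUnique` but is set to true when a match exists, which is why the conditions below read inverted. Move the enumeration under the lock, compare the credentials part exactly, and name the flag for what it holds:

```csharp
public static void CleartextOutput(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
{
    bool alreadyCaptured;

    lock (Program.cleartextList)
    {
        // Entries are "clientIP,credentials"; compare the credentials part exactly rather than by substring.
        alreadyCaptured = Program.cleartextList.Any(entry => entry.Substring(entry.IndexOf(',') + 1) == credentials);
        Program.cleartextList.Add(string.Concat(clientIP, ",", credentials));
    }

    if (Program.enabledConsoleUnique && alreadyCaptured)
    // … unchanged: the two Queue() console messages …

    if (Program.enabledFileOutput && (!Program.enabledFileUnique || !alreadyCaptured))
    // … unchanged: cleartextFileList append and the "written to" message …
}
```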
@@ -1117,13 +1154,6 @@ public static void GetHelp(string arg) OutputHelp(argument, description); } - if (nullarg || string.Equals(arg, "REPLYTOHOSTS")) - { - string argument = "ReplyToHosts"; - string description = "Default=All: Comma separated list of hostnames to respond to when spoofing."; - OutputHelp(argument, description); - } - if (nullarg || string.Equals(arg, "REPLYTOIPS")) { string argument = "ReplyToIPs"; @@ -1138,6 +1168,13 @@ public static void GetHelp(string arg) OutputHelp(argument, description); } + if (nullarg || string.Equals(arg, "REPLYTOQUERIES")) + { + string argument = "ReplyToqueries"; + string description = "Default=All: Comma separated list of name queries to respond to when spoofing."; + OutputHelp(argument, description); + } + if (nullarg || string.Equals(arg, "SPOOFERIP")) { string argument = "SpooferIP"; diff --git a/Inveigh/Support/Shell.cs b/Inveigh/Support/Shell.cs index bfe5037..aed362c 100644 --- a/Inveigh/Support/Shell.cs +++ b/Inveigh/Support/Shell.cs @@ -34,11 +34,11 @@ public static void ConsoleLoop() "get ntlmv2usernames", "get cleartext", "get cleartextunique", - "get replytohosts", + "get replytoqueries", "get replytoips", "get replytodomains", "get replytomacs", - "get ignorehosts", + "get ignorequeries", "get ignoreips", "get ignoredomains", "get ignoremacs", @@ -436,13 +436,13 @@ public static void Commands(string inputCommand) GetNTLMv2Usernames(value); break; - case "GET REPLYTOHOSTS": - foreach (string entry in Program.argReplyToHosts) + case "GET REPLYTOQUERIES": + foreach (string entry in Program.argReplyToQueries) Console.WriteLine(entry); break; - case "GET IGNOREHOSTS": - foreach (string entry in Program.argIgnoreHosts) + case "GET IGNOREQUERIES": + foreach (string entry in Program.argIgnoreQueries) Console.WriteLine(entry); break; 
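Review bot: The help entry added in `GetHelp` spells the argument `"ReplyToqueries"`, lower-case q, while the matching `IgnoreQueries` entry, the README and the Program.cs switch all use `ReplyToQueries`; `OutputHelp` prints this string verbatim, so the inconsistency shows in the help output. Change it to `string argument = "ReplyToQueries";`. `GetHelp` continues outside the hunk.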
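Review bot: `GET REPLYTOQUERIES` and `GET IGNOREQUERIES` iterate `Program.argReplyToQueries` and `Program.argIgnoreQueries` directly, and Program.cs declares both as `string[]` with no initializer, so on a run that never passed the switch the array is null and the `foreach` throws NullReferenceException at the console (the removed `REPLYTOHOSTS` cases had the same shape, unless the console loop catches it outside this hunk). A null-tolerant loop avoids it, `foreach (string entry in Program.argReplyToQueries ?? new string[0])`, or print a short "not set" line when the array is null; the IP, domain and MAC cases alongside would benefit from the same treatment. `Commands` continues outside the hunk.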
@@ -452,7 +452,7 @@ public static void Commands(string inputCommand) break; case "GET IGNOREIPS": - foreach (string entry in Program.argIgnoreHosts) + foreach (string entry in Program.argIgnoreIPs) Console.WriteLine(entry); break; @@ -544,14 +544,14 @@ public static void GetHelp() commands.Add("GET NTLMV2USERNAMES,get usernames and source IPs/hostnames for captured NTLMv2 hashes"); commands.Add("GET CLEARTEXT,get captured cleartext credentials"); commands.Add("GET CLEARTEXTUNIQUE,get unique captured cleartext credentials"); - commands.Add("GET REPLYTODOMAINS,get ReplyToDomains parameter startup values"); - commands.Add("GET REPLYTOHOSTS,get ReplyToHosts parameter startup values"); + commands.Add("GET REPLYTODOMAINS,get ReplyToDomains parameter startup values"); commands.Add("GET REPLYTOIPS,get ReplyToIPs parameter startup values"); commands.Add("GET REPLYTOMACS,get ReplyToMACs parameter startup values"); + commands.Add("GET REPLYTOQUERIES,get ReplyToQueries parameter startup values"); commands.Add("GET IGNOREDOMAINS,get IgnoreDomains parameter startup values"); - commands.Add("GET IGNOREHOSTS,get IgnoreHosts parameter startup values"); commands.Add("GET IGNOREIPS,get IgnoreIPs parameter startup values"); commands.Add("GET IGNOREMACS,get IgnoreMACs parameter startup values"); + commands.Add("GET IGNOREQUERIES,get IgnoreQueries parameter startup values"); commands.Add("SET CONSOLE,set Console parameter value"); commands.Add("HISTORY,get command history"); commands.Add("RESUME,resume real time console output"); diff --git a/README.md b/README.md index fc352ec..94f4bc7 100644 --- a/README.md +++ b/README.md 
@@ -147,11 +147,13 @@ Spoofers: -IgnoreDomains Default=None: Comma separated list of domains to ignore when spoofing. - -IgnoreHosts Default=None: Comma separated list of hostnames to ignore when spoofing. + -IgnoreIPs Default=Local: Comma separated list of source IP addresses to ignore when spoofing. -IgnoreMACs Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing. + + -IgnoreQueries Default=None: Comma separated list of name queries to ignore when spoofing. -Local Default=Disabled: (Y/N) performing spoofing attacks against the host system. @@ -179,11 +181,11 @@ Spoofers: -ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing. - -ReplyToHosts Default=All: Comma separated list of hostnames to respond to when spoofing. - -ReplyToIPs Default=All: Comma separated list of source IP addresses to respond to when spoofing. -ReplyToMACs Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing. + + -ReplyToQueries Default=All: Comma separated list of name queries to respond to when spoofing. -SpooferIP Default=Autoassign: IP address included in spoofing responses. 
@@ -494,13 +496,13 @@ GET NTLMV2USERNAMES | get usernames and source IPs/hostnames for cap
 GET CLEARTEXT | get captured cleartext credentials
 GET CLEARTEXTUNIQUE | get unique captured cleartext credentials
 GET REPLYTODOMAINS | get ReplyToDomains parameter startup values
-GET REPLYTOHOSTS | get ReplyToHosts parameter startup values
 GET REPLYTOIPS | get ReplyToIPs parameter startup values
 GET REPLYTOMACS | get ReplyToMACs parameter startup values
+GET REPLYTOQUERIES | get ReplyToQueries parameter startup values
 GET IGNOREDOMAINS | get IgnoreDomains parameter startup values
-GET IGNOREHOSTS | get IgnoreHosts parameter startup values
 GET IGNOREIPS | get IgnoreIPs parameter startup values
 GET IGNOREMACS | get IgnoreMACs parameter startup values
+GET IGNOREQUERIES | get IgnoreQueries parameter startup values
 SET CONSOLE | set Console parameter value
 HISTORY | get command history
 RESUME | resume real time console output