Avoiding Detection
Before performing LLMNR/mDNS/NBNS spoofing, start Inveigh in inspection-only mode to gather information about the relevant systems and traffic on the subnet. This information can later be used to target specific systems or spoof specific hostnames in order to avoid impacting unnecessary systems. Conversely, it can be used to filter out hostnames that are dangerous to spoof and systems that may be running spoofer detection services.
- Relevant Parameter: Inspect
- Example: Invoke-Inveigh -ConsoleOutput Y -Inspect
Using either previous knowledge or data gathered from inspection mode, start Inveigh and include/exclude specific hostnames to spoof, or include/exclude specific systems to send spoofed responses to.
- Relevant Parameters: SpooferHostsIgnore, SpooferHostReply, SpooferIPsIgnore, SpooferIPsReply
- Example: Invoke-Inveigh -ConsoleOutput Y -SpooferHostReply wpad -SpooferIPsReply 192.168.1.100
Inveigh can be set to no longer respond to a system after an NTLMv1/NTLMv2 challenge/response hash has been captured.
- Relevant Parameter: SpooferRepeat
- Example: Invoke-Inveigh -ConsoleOutput Y -SpooferRepeat N
Inveigh has a learning mode for LLMNR/NBNS spoofing. With learning mode enabled, Inveigh will send out its own LLMNR/NBNS requests after receiving a request from another host. If Inveigh receives a response, the hostname will be blacklisted from further LLMNR/NBNS spoofing. This can limit the potential to spoof valid hostnames and cause interruptions. Note that spoofer learning requires elevated privilege since it’s only available through the packet sniffer.
- Relevant Parameters: SpooferLearning, SpooferLearningDelay, SpooferLearningInterval
- Example: Invoke-Inveigh -ConsoleOutput Y -SpooferLearning Y -SpooferLearningDelay 10
Some features and combinations can trigger visible indicators like popup login boxes or connectivity problems in either specific (usually Firefox) or all web browsers. Inveigh has the ability to set authentication methods for standard HTTP/HTTPS requests, wpad.dat requests, and proxy authentication. Inveigh also has the ability to filter out browsers by user agent for wpad.dat requests and proxy authentication.
- Example: Invoke-Inveigh -ConsoleOutput Y -WPADAuth anonymous
- Relevant Parameters: HTTPAuth, ProxyAuth, ProxyIgnore, WPADAuth, WPADAuthIgnore
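
From the defender's side, the "spoofer detection services" mentioned at the top of this page come down to watching who answers LLMNR/mDNS/NBNS queries. The following is an added example, not part of Inveigh or its documentation; the sensor log format, the host map and the canary name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical subnet sensor (not Inveigh output).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LLMNR response name=fileserv01 from=192.168.1.20
2024-05-01T10:00:05Z LLMNR response name=wpad from=192.168.1.50
2024-05-01T10:00:09Z NBNS response name=canary-7f3a from=192.168.1.60
2024-05-01T10:00:12Z mDNS response name=printer02 from=192.168.1.60
2024-05-01T10:00:15Z LLMNR response name=intranet from=192.168.1.60
2024-05-01T10:00:20Z garbage line that should be skipped
"""
# Constructed inventory: the addresses allowed to answer for each name.
KNOWN_HOSTS = {"fileserv01": {"192.168.1.20"}, "wpad": {"192.168.1.10"},
               "printer02": {"192.168.1.30"}}
# Names the sensor queries on purpose; no real host owns them.
CANARIES = {"canary-7f3a"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>LLMNR|NBNS|mDNS) response "
    r"name=(?P<name>[\w.-]+) from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_spoofers(log_text, known_hosts, canaries, fanout_threshold=3):
    """Return {responder_ip: sorted list of reasons the responder is suspect}."""
    names_by_ip = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not response records
        name, ip = m["name"].lower(), m["ip"]
        names_by_ip[ip].add(name)
        if name in canaries:
            findings[ip].add(f"answered canary name {name}")
        elif name in known_hosts and ip not in known_hosts[name]:
            # Inventory rule: also covers a responder that answers only one name.
            findings[ip].add(f"answered for {name} from unexpected address")
    for ip, names in names_by_ip.items():
        # A normal host answers for its own name, not for many different ones.
        if len(names) >= fanout_threshold:
            findings[ip].add(f"answered for {len(names)} distinct names")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in find_spoofers(SAMPLE_LOG, KNOWN_HOSTS, CANARIES).items():
        print(ip, "->", "; ".join(reasons))
```

The fan-out rule alone misses a responder that answers a single name such as wpad, so the inventory and canary rules carry most of the detection value on a subnet where responses are selective.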