Inveigh

Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. This repo contains the primary C# version as well as the legacy PowerShell version.

Overview

Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. The packet sniffing method, which was the basis for the original PowerShell version of this tool, has the following advantages:

  • SMB NTLM challenge/response captures over the Windows SMB service
  • Fewer visible port binds on the host system

The primary disadvantage is the required elevated access.

On current versions of Windows, the default running UDP services allow port reuse. Therefore, packet sniffing no longer provides an advantage for getting around in-use UDP ports. Inveigh's UDP listeners are all configured to take advantage of port reuse.

Version Descriptions

  • PowerShell Inveigh - original version developed over many years. For now at least, this version (1.506) will go without additional updates. Documentation can be found here.
  • C# Inveigh (aka InveighZero) - original C# POC code combined with a C# port of most of the PowerShell version's code. This version has now been rebuilt for C# and is taking over as the primary version.

Features

The C# version of Inveigh contains attacks for the following protocols:

  • LLMNR [packet sniffer | listener]
  • DNS [packet sniffer | listener]
  • mDNS [packet sniffer | listener]
  • NBNS [packet sniffer | listener]
  • DHCPv6 [packet sniffer | listener]
  • ICMPv6 [privileged raw socket]
  • HTTP [listener]
  • HTTPS [listener]
  • SMB [packet sniffer | listener]
  • LDAP [listener]
  • WebDAV [listener]
  • Proxy Auth [listener]

Inveigh works with both IPv4 and IPv6 in cases where support for both is provided by the underlying protocol.
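
Seen from the defending side, the name-resolution spoofers listed above share one observable: they answer queries for names that no host owns. The following is an added example (not part of Inveigh or its README) that parses LLMNR replies and raises an alert when anything answers a canary name; the canary name, function names and sample datagram are assumptions constructed for illustration.

```python
import struct

CANARY = "fs-canary-7f3a"            # constructed name that no real host owns
LLMNR_GROUP = ("224.0.0.252", 5355)  # RFC 4795 multicast group/port for a live probe

def build_query(name, txid):
    """LLMNR query for an A record; LLMNR reuses the DNS wire format."""
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_response(data):
    """Return (txid, is_response, qname, [(ipv4, ttl), ...]) for a one-question message."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos, labels = 12, []
    while data[pos] != 0:                      # question name labels
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    pos += 5                                   # root label + QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        if data[pos] & 0xC0 == 0xC0:           # compressed owner name
            pos += 2
        else:
            while data[pos] != 0:
                pos += 1 + data[pos]
            pos += 1
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        rdata = data[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == 1 and len(rdata) == 4:     # A record
            answers.append((".".join(str(b) for b in rdata), ttl))
    return txid, bool(flags & 0x8000), ".".join(labels), answers

def check_reply(data, sender, txid):
    """Any answer for the canary is an alert: nothing legitimate owns that name."""
    try:
        rtxid, is_resp, qname, answers = parse_response(data)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                            # malformed or truncated datagram
    if not is_resp or rtxid != txid or qname.lower() != CANARY or not answers:
        return None
    return {"responder": sender, "claimed": [ip for ip, _ in answers], "ttl": answers[0][1]}

def constructed_reply(txid, ip, ttl):
    """Constructed sample datagram standing in for a capture (documentation addresses)."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + build_query(CANARY, txid)[12:] + rr

if __name__ == "__main__":
    print(check_reply(constructed_reply(0x4242, "192.0.2.50", 30), "192.0.2.50", 0x4242))
```

In a live deployment the query from `build_query` would be sent to `LLMNR_GROUP` on a schedule and every datagram received on that socket passed to `check_reply` with the sender's address.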

Cross-Platform Support

Inveigh's SDK-style project file is set up for .NET 3.5, 4.6.2, and 6.0, with 6.0 being the version that also works with Linux and macOS.

<TargetFrameworks>net35;net462;net6.0</TargetFrameworks>

Known Issues

  • The packet sniffer is available only on Windows due to differences in the raw socket setups. When compiled for either Linux or macOS, the packet sniffer will just be disabled. Instead, Inveigh's SMB listener can be used if port 445 is open.
  • macOS requires that routes are available for joining multicast groups. In my testing, I've had to add routes for DHCPv6 multicast in order to carry out that attack on this platform.
    sudo route -nv add -net ff02::1:2 -interface en0

Execution

dotnet Inveigh.dll

Linux/macOS Platform Targeted Builds

  • With .NET 6.0 installed on target system
    dotnet publish -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
    dotnet publish -r osx-x64 -f net8.0 -p:AssemblyName=inveigh

  • Without .NET 6.0 installed on target system
    dotnet publish --self-contained=true -p:PublishSingleFile=true -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
    dotnet publish --self-contained=true -p:PublishSingleFile=true -r osx-x64 -f net8.0 -p:AssemblyName=inveigh

Usage

Default parameter values are located at the beginning of Program.cs. I recommend reviewing and setting everything to fit your needs before compiling. All enable/disable parameters can be set with Y/N values.

    //begin parameters - set defaults as needed before compile
    public static string argCert = "MIIKaQIBAzCCC...";
    public static string argCertPassword = "password";
    public static string argChallenge = "";
    public static string argConsole = "5";
    public static string argConsoleLimit = "-1";
    public static string argConsoleStatus = "0";
    public static string argConsoleUnique = "Y";
    public static string argDHCPv6 = "N";
    public static string argDHCPv6TTL = "30";
    public static string argDNS = "Y";
    ...
    //end parameters

Parameter Help

.\Inveigh.exe -?

Control:

  -Inspect        Default=Disabled: (Y/N) inspect traffic only.

  -IPv4           Default=Enabled: (Y/N) IPv4 spoofing/capture.

  -IPv6           Default=Enabled: (Y/N) IPv6 spoofing/capture.

  -RunCount       Default=Unlimited: Number of NetNTLM captures to perform before auto-exiting.

  -RunTime        Default=Unlimited: Run time duration in minutes.


Output:

  -Console        Default=5: Set the level for console output. (0=none, 1=only captures/spoofs, 2=no disabled, no informational, 3=no disabled, no filtered, 4=no disabled, 5=all)  

  -ConsoleLimit   Default=Unlimited: Limit to queued console entries.

  -ConsoleStatus  Default=Disabled: Interval in minutes for auto-displaying capture details.

  -ConsoleUnique  Default=Enabled: (Y/N) displaying only unique (user and system combination) hashes at time of capture.

  -FileDirectory  Default=Working Directory: Valid path to an output directory for enabled file output.

  -FileOutput     Default=Enabled: (Y/N) real time file output.

  -FilePrefix     Default=Inveigh: Prefix for all output files.

  -FileUnique     Default=Enabled: (Y/N) outputting only unique (user and system combination) hashes.

  -LogOutput      Default=Disabled: (Y/N) outputting log entries.


Spoofers:

  -DHCPV6         Default=Disabled: (Y/N) DHCPv6 spoofing.

  -DHCPv6TTL      Default=300: Lease lifetime in seconds.

  -DNS            Default=Enabled: (Y/N) DNS spoofing.

  -DNSHost        Fully qualified hostname to use SOA/SRV responses.

  -DNSSRV         Default=LDAP: Comma separated list of SRV request services to answer.

  -DNSSuffix      DNS search suffix to include in DHCPv6/ICMPv6 responses.

  -DNSTTL         Default=30: DNS TTL in seconds.

  -DNSTYPES       Default=A: (A, AAAA, SOA, SRV) Comma separated list of DNS types to spoof.

  -ICMPv6         Default=Enabled: (Y/N) sending ICMPv6 router advertisements.

  -ICMPv6Interval Default=200: ICMPv6 RA interval in seconds.
  
  -ICMPv6TTL      Default=300: ICMPv6 TTL in seconds.

  -IgnoreDomains  Default=None: Comma separated list of domains to ignore when spoofing.



  -IgnoreIPs      Default=Local: Comma separated list of source IP addresses to ignore when spoofing.

  -IgnoreMACs     Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
  
  -IgnoreQueries  Default=None: Comma separated list of name queries to ignore when spoofing.

  -Local          Default=Disabled: (Y/N) performing spoofing attacks against the host system.

  -LLMNR          Default=Enabled: (Y/N) LLMNR spoofing.

  -LLMNRTTL       Default=30: LLMNR TTL in seconds.

  -MAC            Local MAC address for DHCPv6.

  -MDNS           Default=Enabled: (Y/N) mDNS spoofing.

  -MDNSQuestions  Default=QU,QM: Comma separated list of question types to spoof. (QU,QM)

  -MDNSTTL        Default=120: mDNS TTL in seconds.

  -MDNSTypes      Default=A: Comma separated list of mDNS record types to spoof. (A,AAAA,ANY)

  -MDNSUnicast    Default=Enabled: (Y/N) sending a unicast only response to a QM request.

  -NBNS           Default=Disabled: (Y/N) NBNS spoofing.

  -NBNSTTL        Default=165: NBNS TTL in seconds.

  -NBNSTypes      Default=00,20: Comma separated list of NBNS types to spoof. (00,03,20,1B)

  -ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.

  -ReplyToIPs     Default=All: Comma separated list of source IP addresses to respond to when spoofing.

  -ReplyToMACs    Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
  
  -ReplyToQueries Default=All: Comma separated list of name queries to respond to when spoofing.

  -SpooferIP      Default=Autoassign: IP address included in spoofing responses.

  -SpooferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.

  -Repeat         Default=Enabled: (Y/N) repeated spoofing attacks against a system after NetNTLM capture.


Capture:

  -Cert           Base64 certificate for TLS.

  -CertPassword   Base64 certificate password for TLS.

  -Challenge      Default=Random per request: 16 character hex NetNTLM challenge for use with the TCP listeners.

  -HTTP           Default=Enabled: (Y/N) HTTP listener.

  -HTTPAuth       Default=NTLM: (Anonymous/Basic/NTLM) HTTP/HTTPS listener authentication.

  -HTTPPorts      Default=80: Comma separated list of TCP ports for the HTTP listener.

  -HTTPRealm      Default=ADFS: Basic authentication realm.

  -HTTPResponse   Content to serve as the default HTTP/HTTPS/Proxy response.

  -HTTPS          Default=Enabled: (Y/N) HTTPS listener.

  -HTTPSPorts     Default=443: Comma separated list of TCP ports for the HTTPS listener.

  -IgnoreAgents   Default=Firefox: Comma separated list of HTTP user agents to ignore with wpad and proxy auth.

  -LDAP           Default=Enabled: (Y/N) LDAP listener.

  -LDAPPorts      Default=389: Comma separated list of TCP ports for the LDAP listener.

  -ListenerIP     Default=Any: IP address for all listeners.

  -ListenerIPv6   Default=Any: IPv6 address for all listeners.

  -MachineAccount Default=Enabled: (Y/N) machine account NetNTLM captures.

  -Proxy          Default=Disabled: (Y/N) proxy listener authentication captures.

  -ProxyAuth      Default=NTLM: (Basic/NTLM) Proxy authentication.

  -ProxyPort      Default=8492: Port for the proxy listener.

  -SMB            Default=Enabled: (Y/N) SMB sniffer/listener.

  -SMBPorts       Default=445: Port for the SMB listener.

  -SnifferIP      Default=Autoassign: IP address included in spoofing responses.

  -SnifferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.

  -WebDAV         Default=Enabled: (Y/N) serving WebDAV over HTTP/HTTPS listener.

  -WebDAVAuth     Default=NTLM: (Anonymous/Basic/NTLM) WebDAV authentication.

  -WPADAuth       Default=Enabled: (Y/N) authentication type for wpad.dat
