-
Notifications
You must be signed in to change notification settings - Fork 117
Parameters
Kevin Robertson edited this page Feb 10, 2021
·
13 revisions
| Parameter | Default | Valid Values | Description |
|---|---|---|---|
| DHCPv6 | N | Y/N | Enable/Disable DHCPv6 spoofer. |
| DHCPv6DNSSuffix | DNS search suffix to include in DHCPv6 responses. | ||
| DHCPv6RA | 30 | DHCPv6 ICMPv6 router advertise interval. Set to 0 to disable. | |
| DNS | Y | Y/N | Enable/Disable DNS spoofer. |
| DNSHost | Fully qualified hostname to use SOA/SRV responses. | ||
| DNSTTL | 30 | DNS TTL in seconds for the response packet. | |
| LLMNR | Y | Y/N | Enable/Disable LLMNR spoofer. |
| LLMNRv6 | Y | Y/N | Enable/Disable IPv6 LLMNR spoofer. |
| LLMNRTTL | 30 | LLMNR TTL in seconds for the response packet. | |
| mDNS | N | Y/N | Enable/Disable mDNS spoofing. |
| mDNSTTL | 120 | mDNS TTL in seconds for the response packet. | |
| mDNSQuestions | QU, QM | QU, QM | Comma separated list of mDNS question types to spoof. Note that QM will send the response to 224.0.0.251. |
| NBNS | N | Y/N | Enable/Disable NBNS spoofer. |
| NBNSTTL | 165 | NBNS TTL in seconds for the response packet. | |
| NBNSTypes | 00,20 | 00, 03, 20, 1B | Comma separated list of NBNS types to spoof. Types include 00 = Workstation Service, 03 = Messenger Service, 20 = Server Service, 1B = Domain Name |
| SpooferDomainssIgnore | Comma separated list of requested domains to ignore when spoofing with DNS. | ||
| SpooferDomainssReply | Comma separated list of requested domains to respond to when spoofing with DNS. | ||
| SpooferHostsIgnore | Comma separated list of requested hostnames to ignore when spoofing. | ||
| SpooferHostsReply | Comma separated list of requested hostnames to respond to when spoofing with LLMNR and NBNS. Listed hostnames will override the whitelist created through SpooferLearning. | ||
| SpooferIP | Local IP | Response IP address for spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. | |
| SpooferIPv6 | Local IPv6 | IPv6 address for DHCPv6/LLMNR spoofing. This parameter is only necessary when redirecting victims to a system other than the Inveigh host. | |
| SpooferIPsIgnore | Comma separated list of source IP addresses to ignore when spoofing. | ||
| SpooferIPsReply | Comma separated list of source IP addresses to respond to when spoofing. | ||
| SpooferMACsIgnore | Comma separated list of MAC addresses to ignore when DHCPv6 spoofing. | ||
| SpooferMACsReply | Comma separated list of MAC addresses to respond to when DHCPv6 spoofing. | ||
| SpooferRepeat | Y | Y/N | Enable/Disable repeated LLMNR/NBNS spoofs to a victim system after one user challenge/response has been captured. |
| Parameter | Default | Valid Values | Description |
|---|---|---|---|
| Challenge | 16 character hex NTLM challenge for use with the HTTP listener. If left blank, a random challenge will be generated for each request. This will only be used for non-relay captures. | ||
| HTTP | Y | Y/N | Enable/Disable HTTP challenge/response capture. |
| HTTPAuth | NTLM | Anonymous, Basic, NTLM, NTLMNoESS | HTTP/HTTPS server authentication type. This setting does not apply to wpad.dat requests. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. |
| HTTPBasicRealm | Realm name for Basic authentication. This parameter applies to both HTTPAuth and WPADAuth. | ||
| HTTPIP | 0.0.0.0 | IP address for the HTTP listener. | |
| HTTPPort | 80 | TCP port for the HTTP listener. | |
| HTTPResponse | String or HTML to serve as the default HTTP/HTTPS response. This response will not be used for wpad.dat requests. This parameter will not be used if HTTPDir is set. Use PowerShell character escapes where necessary. | ||
| Proxy | N | Y/N | Enable/Disable proxy server authentication captures. |
| ProxyAuth | NTLM | Basic, NTLM, NTLMNoESS | Proxy server authentication type. |
| ProxyIgnore | Firefox | Comma separated list of keywords to use for filtering browser user agents. Matching browsers will not be sent the wpad.dat file used for capturing proxy authentications. Firefox does not work correctly with the proxy server failover setup. Firefox will be left unable to connect to any sites until the proxy is cleared. Remove "Firefox" from this list to attack Firefox. If attacking Firefox, consider setting -SpooferRepeat N to limit attacks against a single target so that victims can recover Firefox connectivity by closing and reopening. | |
| ProxyIP | 0.0.0.0 | IP address for the proxy listener. | |
| ProxyPort | 8492 | TCP port for the proxy listener. | |
| WPADAuth | NTLM | Anonymous, Basic, NTLM, NTLMNoESS | HTTP/HTTPS server authentication type for wpad.dat requests. Setting to Anonymous can prevent browser login prompts. NTLMNoESS turns off the 'Extended Session Security' flag during negotiation. |
| WPADAuthIgnore | Firefox | Comma separated list of keywords to use for filtering browser user agents. Matching browsers will be skipped for NTLM authentication. This can be used to filter out browsers like Firefox that display login popups for authenticated wpad.dat requests such as Firefox. | |
| WPADDirectHosts | Comma separated list of hosts to list as direct in the wpad.dat file. Listed hosts will not be routed through the defined proxy. | ||
| WPADIP | Proxy server IP to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADPort. | ||
| WPADPort | Proxy server port to be included in a basic wpad.dat response for WPAD enabled browsers. This parameter must be used with WPADIP. | ||
| WPADResponse | wpad.dat file contents to serve as the wpad.dat response. This parameter will not be used if WPADIP and WPADPort are set. Use PowerShell character escapes where necessary. |
| Parameter | Default | Valid Values | Description |
|---|---|---|---|
| ConsoleStatus | N | Interval in minutes for displaying all unique captured hashes and credentials. This is useful for displaying full capture lists when running through a shell that does not have access to the support functions. | |
| ConsoleUnique | Y | Y/N | Enable/Disable displaying challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time console output is enabled. |
| FileOutput | Y | Y/N | Enable/Disable real time file output. |
| FileOutputDirectory | Valid path to an output directory for log and capture files. FileOutput must also be enabled. | ||
| FilePrefix | Inveigh | String that is prefixed to logfiles written to disk. Files are written in format of prefix-Log.txt. | |
| FileUnique | Y | Y/N | Enable/Disable outputting challenge/response hashes for only unique IP, domain/hostname, and username combinations when real time file output is enabled. |
| Pcap | N | Y/N | Enable/Disable dumping IPv4 TCP/UDP packets to a pcap file or memory. |
| PcapTCP | 139, 445 | Comma separated list of TCP ports to filter which packets will be written to the pcap file. Use 'All' to capture on all ports. | |
| PcapUDP | Comma separated list of UDP ports to filter which packets will be written to the pcap file. Use 'All' to capture on all ports. |
| Parameter | Default | Valid Values | Description |
|---|---|---|---|
| Elevated | Y | Y/N | Set the privilege mode. Auto will determine if Inveigh is running with elevated privilege. If so, options that require elevated privilege can be used. |
| Inspect | Switch to disable LLMNR, NBNS, HTTP, and SMB in order to only inspect LLMNR/NBNS traffic. | ||
| IP | Local IP address for listening and packet sniffing. This IP address will also be used for spoofing if the SpooferIP parameter is not set. | ||
| IPv6 | Local IPv6 address for listening and packet sniffing. This IP address will also be. This IP address will also be used for spoofing if the SpooferIPv6 arg is not set.. | ||
| MachineAccounts | N | Y/N | Enable/Disable showing NTLM challenge/response captures from machine accounts. |
| SMB | Y | Y/N | Enable/Disable SMB challenge/response capture. Warning, LLMNR/NBNS spoofing can still direct targets to the host system's SMB server. Block TCP ports 445/139 or kill the SMB services if you need to prevent login requests from being processed by the Inveigh host. |
| RunCount | Number of NTLMv1/NTLMv2 captures to perform before auto-exiting. | ||
| RunTime | Run time duration in minutes. |