Kevin-Robertson / Inveigh

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
BSD 3-Clause "New" or "Revised" License

SMB challenge/response never intercepted #12

Open jammys opened 5 years ago

jammys commented 5 years ago

Hello, and thank you for this great tool.

I'm facing a problem when trying to MITM LLMNR requests with Inveigh. I use it with the default settings, but this is what happens when testing:

[+] [2018-10-29T22:21:53] LLMNR request for ppppppp received from 192.168.0.10 [Response Sent]
[+] [2018-10-29T22:21:53] LLMNR request for ppppppp received from 192.168.0.10 [Response Sent]
............

And I never receive the SMB challenge. Does this problem have something to do with the firewall? I run Inveigh with elevated privileges.

Kevin-Robertson commented 5 years ago

Hi, it could be the firewall. Are you able to do a packet capture on the system that's running Inveigh? That will give you a better view of what's actually hitting the box (SMB, NTLMSSP).

I did add an indicator of incoming SMB connections for Inveigh 1.4. You should see this for any incoming SMB connection:

[+] [2018-10-31T00:00:37] SMB(445) negotiation request detected from 10.10.2.106:54378

This is just an indicator of an incoming SMB connection and doesn't necessarily mean the authentication will be with NTLM. You should at least see that though before getting a challenge/response through SMB.
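The reply above separates two things a capture can show: an SMB negotiate arriving on 445 (which only proves a client connected) and the NTLMSSP messages inside the session setup that follow it (which is where a challenge/response exists to capture). As an added example, not part of this thread or of Inveigh, the PowerShell below classifies a captured TCP/445 payload into those stages by reading the SMB1/SMB2 header fields and locating the NTLMSSP blob. The sample messages are constructed inline for the demonstration and are not captured traffic; a real payload would come from a capture tool such as Wireshark or netsh trace.

```powershell
# Added example (not Inveigh code): classify a TCP/445 payload into the stages
# a capture should show before a challenge/response can be recorded.
function Get-SmbStage {
    param([Parameter(Mandatory)][byte[]]$Payload)

    # SMB over TCP/445 sits behind a 4-byte NetBIOS session service header.
    if ($Payload.Length -lt 36) { return 'Too short to be an SMB message' }
    [byte[]]$smb = $Payload[4..($Payload.Length - 1)]

    $isSmb2 = ($smb[0] -eq 0xFE)
    $isSmb1 = ($smb[0] -eq 0xFF)
    $isSmb  = $smb[1] -eq 0x53 -and $smb[2] -eq 0x4D -and $smb[3] -eq 0x42   # 'S','M','B'
    if (-not $isSmb -or -not ($isSmb1 -or $isSmb2)) { return 'Not SMB' }

    if ($isSmb2) {
        # SMB2/3 header: Command is a UInt16 at offset 12, Flags a UInt32 at offset 16;
        # Flags bit 0 (SMB2_FLAGS_SERVER_TO_REDIR) marks a response.
        $command    = [BitConverter]::ToUInt16($smb, 12)
        $isResponse = ([BitConverter]::ToUInt32($smb, 16) -band 1) -ne 0
        $name = switch ($command) {
            0       { 'NEGOTIATE' }
            1       { 'SESSION_SETUP' }
            default { '0x{0:X4}' -f $command }
        }
        $stage = "SMB2 $name"
    }
    else {
        # SMB1 header: Command is one byte at offset 4; Flags byte at offset 9, bit 7 = reply.
        $command    = $smb[4]
        $isResponse = ($smb[9] -band 0x80) -ne 0
        $name = switch ($command) {
            0x72    { 'Negotiate' }
            0x73    { 'Session Setup AndX' }
            default { '0x{0:X2}' -f $command }
        }
        $stage = "SMB1 $name"
    }
    $direction = if ($isResponse) { ' response' } else { ' request' }
    $stage += $direction

    # NTLM rides inside session setup as an NTLMSSP blob: signature "NTLMSSP\0" then a
    # little-endian UInt32 MessageType (1 negotiate, 2 challenge, 3 authenticate).
    # ASCII decoding keeps byte offsets 1:1, so IndexOf returns the byte position.
    $text = [System.Text.Encoding]::ASCII.GetString($smb)
    $idx  = $text.IndexOf("NTLMSSP`0")
    if ($idx -ge 0 -and $idx + 12 -le $smb.Length) {
        $type = [BitConverter]::ToUInt32($smb, $idx + 8)
        $ntlm = switch ($type) {
            1       { ' + NTLMSSP NEGOTIATE (type 1)' }
            2       { ' + NTLMSSP CHALLENGE (type 2)' }
            3       { ' + NTLMSSP AUTHENTICATE (type 3)' }
            default { " + NTLMSSP type $type" }
        }
        $stage += $ntlm
    }
    return $stage
}

# Constructed sample messages: a minimal 64-byte SMB2 header carrying only the
# fields the classifier reads, behind a NetBIOS session header. Not captured traffic.
function New-Smb2Message {
    param([uint16]$Command, [bool]$Response, [byte[]]$Body = @())
    [byte[]]$h = New-Object byte[] 64
    $h[0] = 0xFE; $h[1] = 0x53; $h[2] = 0x4D; $h[3] = 0x42
    $h[4] = 64                                          # StructureSize
    [BitConverter]::GetBytes($Command).CopyTo($h, 12)   # Command
    if ($Response) { $h[16] = 1 }                       # SMB2_FLAGS_SERVER_TO_REDIR
    [byte[]]$msg = $h + $Body
    [byte[]]$nb  = 0, 0, 0, [byte]$msg.Length           # NetBIOS length (fits in one byte here)
    return [byte[]]($nb + $msg)
}

function New-NtlmBlob([uint32]$Type) {
    return [byte[]]([System.Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes($Type))
}

$samples = [ordered]@{
    'negotiate request'          = New-Smb2Message -Command 0 -Response $false
    'session setup, NTLM type 1' = New-Smb2Message -Command 1 -Response $false -Body (New-NtlmBlob 1)
    'session setup, NTLM type 2' = New-Smb2Message -Command 1 -Response $true  -Body (New-NtlmBlob 2)
    'session setup, NTLM type 3' = New-Smb2Message -Command 1 -Response $false -Body (New-NtlmBlob 3)
}
foreach ($s in $samples.GetEnumerator()) {
    '{0,-28} => {1}' -f $s.Key, (Get-SmbStage -Payload $s.Value)
}
```

Only the third and fourth samples carry anything worth recording: the type 2 message holds the server challenge and the type 3 message holds the client's response to it, which is what the "challenge/response" in the issue title refers to. A capture that stops at the negotiate request, or shows a session setup with no NTLMSSP blob (Kerberos or a non-NTLM mechanism), will never produce one.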

jammys commented 5 years ago

Hello, unfortunately I can't do packet capture on the system running Inveigh. But I can ensure that I never saw the indicator of incoming SMB connections.

I think nothing is actually hitting the box, but I could give you a list of all firewall rules for incoming connections?

Thank you

Kevin-Robertson commented 5 years ago

445 is all that is needed for SMB, 80 for WPAD and random HTTP. It looks like you are getting LLMNR traffic through the firewall so I think you're good with UDP 5355.

If you are able to spoof LLMNR, you might be able to just send the traffic to another box that you control on another subnet. The SpooferIP parameter lets you set where the traffic goes. You might have to deal with ACLs between the subnets though.
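As an added example (not code from this thread or from the Inveigh project), the PowerShell below runs the checks this reply implies on the Windows host running Inveigh: whether an enabled inbound Allow rule covers TCP 445, TCP 80 and UDP 5355, and whether the Windows SMB service is actually listening on 445, since Inveigh captures SMB by sniffing the operating system's SMB service rather than binding the port itself. It assumes the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 and later). The commented redirect line uses the PowerShell-era Invoke-Inveigh parameters -ConsoleOutput and -SpooferIP, and 10.10.2.50 is an assumed address for a box you control.

```powershell
# Added example (not Inveigh code): verify the inbound ports the reply lists and the
# state of the Windows SMB service on the box that is running Inveigh.
$wanted = @(
    @{ Proto = 'TCP'; Port = 445;  Why = 'SMB challenge/response' },
    @{ Proto = 'TCP'; Port = 80;   Why = 'WPAD / HTTP challenge/response' },
    @{ Proto = 'UDP'; Port = 5355; Why = 'LLMNR queries' }
)

function Test-InboundAllowed {
    param([string]$Proto, [int]$Port)
    # Returns the name of the first enabled inbound Allow rule whose port filter covers
    # $Port (explicit port, a range, or 'Any'). Note the limits: an enabled Block rule
    # for the same port still wins, and a rule only applies to its assigned profiles.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne $Proto -and $pf.Protocol -ne 'Any') { continue }
        foreach ($lp in @($pf.LocalPort)) {
            if ($lp -eq 'Any' -or $lp -eq "$Port") { return $r.DisplayName }
            if ($lp -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) {
                return $r.DisplayName
            }
        }
    }
    return $null
}

foreach ($w in $wanted) {
    $rule   = Test-InboundAllowed -Proto $w.Proto -Port $w.Port
    $status = if ($rule) { "allowed by '$rule'" } else { 'NO enabled Allow rule found' }
    '{0} {1,-5} ({2}): {3}' -f $w.Proto, $w.Port, $w.Why, $status
}

# Inveigh does not host its own SMB server on Windows; it sniffs the traffic that the
# OS SMB service (LanmanServer) answers. If that service is stopped, a client's
# connection to 445 is reset and no negotiate request ever shows up.
$srv       = Get-Service LanmanServer
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
'LanmanServer: {0}; TCP 445 listening: {1}' -f $srv.Status, [bool]$listen445

# Temporary rules for a test window (remove them afterwards with Remove-NetFirewallRule):
# New-NetFirewallRule -DisplayName 'Inveigh SMB'   -Direction Inbound -Protocol TCP -LocalPort 445  -Action Allow
# New-NetFirewallRule -DisplayName 'Inveigh HTTP'  -Direction Inbound -Protocol TCP -LocalPort 80   -Action Allow
# New-NetFirewallRule -DisplayName 'Inveigh LLMNR' -Direction Inbound -Protocol UDP -LocalPort 5355 -Action Allow

# The alternative from the reply: keep answering LLMNR here, but point victims at a box
# you control (assumed 10.10.2.50) that can accept the SMB connection instead. Traffic
# then has to cross any ACLs between the victim's subnet and that box.
# Invoke-Inveigh -ConsoleOutput Y -SpooferIP 10.10.2.50
```

Run it from an elevated prompt, since the firewall cmdlets need to read the full policy. If every port reports an Allow rule and LanmanServer is running but no negotiate request ever appears, the filtering is happening upstream of the host, which is the case the SpooferIP redirect is meant for.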