Invoke-Inveighrelay doesn't execute command

[kimoppalfens]

Hi,

I've pretty much mimicked the setup in the Wiki and ran the commands from the example section from Invoke-InveighRelay. Both commands execute fine, and when I try to authenticate to the attacking host where Inveigh runs I do see the authentication and the NTLM hash. However, the command's set (Net user add && net localgroup administrators /add) are never run.

Any idea as to what I am missing? Both the machine running Invoke_InveighRelay and the machine I am targetting are Windows 10 1709.

Best, Kim

[Freakazoidile]

I've tried to get this working as well and could not. I'm running as admin on the host with inveigh. NBNS and LLMBR requests are being received. I can capture hashes, but relay never works, no information from relay is output like in the example screenshots. The same attacks are working on Kali in the same environment with responder and responder-multirelay or ntlmrelayx.

I have imported invoke-thehash in powershell, and have tried playing with options such as lowering the repeat enumerate, increasing the failed login threshold (to 1000), and added Execute to the attack types. I'm trying this in a test environment where I have full control of all machines

I am using Inveigh in CommandoVM, Windows 10, Powershell version 5.1 with execution policy set to unrestricted. I also tried the dev branch without success. I checked invoke-relay module and there is no option for verbosity.

Is there any way to turn on some debugging or steps investigate further? I can provide screenshots and/or pcaps if necessary.

Cheers.

[Kevin-Robertson]

@kimoppalfens Sorry, looks like I never responded. Did you sort this out? The biggest catch I've seen with running net user to add an account is not using a password that meets the target's password complexity requirements. Relay adds and executes the service but that command itself fails. If you can get a packet capture, check for the CreateServiceW SMB2 packet. You should be able to see your command in that packet.

@Freakazoidile You don't see any relay related output at all? Here are some things that might cause that:

1. The Inveigh HTTP listener is running and not the Inveigh-Relay HTTP listener.
2. You are seeing an SMB capture from the Inveigh packet sniffer. Inveigh only does HTTP to SMB relay and not SMB to SMB due to 445 being in use by Windows.
3. You are targeting the same system that Inveigh-Relay is running on. This is doubtful though since you would still see some relay output messages.

Most of Inveigh runs in various runspaces and output is tricky. You can attach to the individual runspaces directly with runspace debugging. For the relay stuff, pcaps will generally give you a good idea what's going on.