search

Kevin-Robertson / Inveigh

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
BSD 3-Clause "New" or "Revised" License
2.44k stars 433 forks source link

Inveigh won't capture hashes #21

Open init5-SF opened 4 years ago

init5-SF commented 4 years ago

Hello, I am using this syntax to run inveigh: Invoke-inveigh -StatusOutput Y -Consoleoutput Y -ShowHelp N -HTTP Y -NBNS Y -LLMNR Y -DNS Y -Elevated Y -OutputStreamOnly Y -IP -IP 10.10.10.100

I am doing so through meterpreter's shell, so the consoleout part fails but the tool runs normally (i think). the output looks something like this:

[*] Inveigh 1.503 started at 2020-04-27T02:10:12
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 10.10.10.100
[+] Spoofer IP Address = 10.10.10.100
[+] ADIDNS Spoofer = Disabled
[+] DNS Spoofer = Enabled
[+] DNS TTL = 30 Seconds
[+] LLMNR Spoofer = Enabled
[+] LLMNR TTL = 30 Seconds
[+] mDNS Spoofer = Disabled
[+] NBNS Spoofer For Types 00,20 = Enabled
[+] NBNS TTL = 165 Seconds
[+] SMB Capture = Enabled
[+] HTTP Capture = Enabled
[+] HTTPS Capture = Disabled
[+] HTTP/HTTPS Authentication = NTLM
[+] WPAD Authentication = NTLM
[+] WPAD NTLM Authentication Ignore List = Firefox
[+] WPAD Response = Enabled
[+] Kerberos TGT Capture = Disabled
[+] Machine Account Capture = Disabled
[+] Console Output = Full
[+] File Output = Disabled
Cannot see if a key has been pressed when either application does not have a 
console or when console input has been redirected from a file. Try 
Console.In.Peek.
At line:6345 char:20

when I do get-inveigh, i don't see hashes, all I see is this:

[+] [2020-04-27T02:10:15] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:15] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:16] TCP(80) SYN packet detected from 10.10.10.133:56464
[+] [2020-04-27T02:10:29] LLMNR request for testserver received from 10.10.10.133 [response sent]
[+] [2020-04-27T02:10:30] LLMNR request for testserver received from 10.10.10.133 [response sent]

Am I using it the wrong way? I also tried invoke-inveigh in parallel with invoke-inveighrelay, but the -command didnt execute, probably coz no hashes are being captured.

If anyone could help me with this it would be greatly appreciated! Thank you.

sash322 commented 4 years ago

Same issue. C# version works fine, but powershell wont capture hashes

Kevin-Robertson commented 4 years ago

I've always had issues with ConsoleOutput enabled in meterpreter. Have you tried running without it and pulling back data with just get-inveigh?

Using '-Tool 1' will set what I found to work best with meterpreter.

init5-SF commented 4 years ago

I've always had issues with ConsoleOutput enabled in meterpreter. Have you tried running without it and pulling back data with just get-inveigh?

Using '-Tool 1' will set what I found to work best with meterpreter.

Hello,

This is exactly how I do it, I disable all kinds of real time outputs and leave the tool running for a while, then check with Get-Inveigh.