Description
Starts one or more name resolution spoofers (LLMNR, mDNS, NBNS, DNS, DHCPv6) to capture NTLM challenge/response hashes from hosts on the local network.
Overview
Starts Inveigh spoofer listeners for the specified protocols. Each listener answers name resolution queries with the attacker-controlled reply IP, so clients authenticate to that address and expose their NTLM challenge/response hashes. Filter parameters restrict which hosts and query names are spoofed. DHCPv6 spoofing advertises an attacker-controlled DNS server to IPv6-capable clients (MITM6 technique).
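
A defender-side sketch of how the replies described above can be spotted on the wire, added here as an example and not part of Inveigh or this command: it flags a responder that answers LLMNR/mDNS/NBNS for a canary name or for many different names, and a DHCPv6 server that is unknown or uses the default MAC listed under Arguments. The record fields, canary name, allow-list and threshold are assumptions.

```python
from collections import defaultdict

# Assumptions for this sketch: record field names, allow-list, canary name, threshold.
DEFAULT_DHCPV6_MAC = "00:11:22:33:44:55"  # default MAC from the Arguments table
KNOWN_DHCPV6_SERVERS = {"fe80::1"}         # constructed allow-list of real servers
CANARY_NAMES = {"zx-canary-7f3a"}          # constructed name that no real host owns
MAX_NAMES_PER_RESPONDER = 2                # a real host answers only for its own name(s)

def find_spoofers(records):
    """Return {responder address: sorted list of reasons} for suspicious responders."""
    names = defaultdict(set)      # responder -> distinct names it answered for
    findings = defaultdict(set)   # responder -> reasons it was flagged
    for r in records:
        src, proto = r["src"], r["proto"].upper()
        if proto == "DHCPV6":
            if r.get("mac", "").lower() == DEFAULT_DHCPV6_MAC:
                findings[src].add("dhcpv6-default-mac")
            if src not in KNOWN_DHCPV6_SERVERS:
                findings[src].add("dhcpv6-unknown-server")
        elif proto in {"LLMNR", "MDNS", "NBNS"}:
            name = r["name"].lower().rstrip(".")
            names[src].add(name)
            # Compare the first label so "canary.local" (mDNS) matches too.
            if name.split(".")[0] in CANARY_NAMES:
                findings[src].add("answered-canary")
    # Aggregate across all querying clients: one address answering for many
    # unrelated names is not how a legitimate host behaves.
    for src, seen in names.items():
        if len(seen) > MAX_NAMES_PER_RESPONDER:
            findings[src].add("answers-many-names")
    return {src: sorted(reasons) for src, reasons in findings.items()}

# Constructed sample of observed responses (not real capture data).
SAMPLE = [
    {"proto": "LLMNR", "src": "10.0.0.66", "name": "wpad"},
    {"proto": "LLMNR", "src": "10.0.0.66", "name": "fileserv"},
    {"proto": "NBNS", "src": "10.0.0.66", "name": "ZX-CANARY-7F3A"},
    {"proto": "mDNS", "src": "10.0.0.20", "name": "printer01.local"},
    {"proto": "DHCPv6", "src": "fe80::1", "mac": "3c:52:82:aa:bb:cc"},
    {"proto": "DHCPv6", "src": "fe80::66", "mac": "00:11:22:33:44:55"},
]

if __name__ == "__main__":
    for responder, reasons in find_spoofers(SAMPLE).items():
        print(responder, ", ".join(reasons))
```

A listener started with Inspect set only logs queries and sends no replies, so none of these rules will see it.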
Arguments
| Parameter | Type | Description |
|---|---|---|
| Protocol | string[] | One or more protocols to spoof. ValidateSet: LLMNR, MDNS, NBNS, DNS, DHCPv6. |
| IPAddress | string | The local IP address to bind listeners to. |
| ReplyIP | string | IPv4 address returned in spoofed responses (typically the attacker machine). |
| ReplyIPv6 | string | IPv6 address returned in spoofed responses. |
| RunTime | int | Seconds to run before auto-stopping. 0 = run indefinitely. Default: 0. |
| TTL | int | TTL value for spoofed responses. 0 = use listener default. Default: 0. |
| Inspect | bool | Passive mode — log queries without responding. Default: false. |
| Repeat | bool | Respond to the same host more than once. Default: false. |
| IgnoreIPs | string[] | Source IPs to never spoof. |
| ReplyToIPs | string[] | Source IPs to exclusively spoof (ignore all others). |
| IgnoreQueries | string[] | Query names to never respond to. |
| ReplyToQueries | string[] | Query names to exclusively respond to (ignore all others). |
| IgnoreDomains | string[] | Domain suffixes to never respond to. |
| ReplyToDomains | string[] | Domain suffixes to exclusively respond to (ignore all others). |
| MAC | string | MAC address advertised in DHCPv6 responses. Default: 00:11:22:33:44:55. |
| DNSIPv6 | string | IPv6 DNS server address advertised via DHCPv6. Defaults to ReplyIPv6 or ::1. |
| DNSSuffix | string | DNS search suffix advertised via DHCPv6. |
Dependencies
- inveigh
Operating Systems
- Windows
Example Text Output
```
Protocol State   StartedAt
-------- -----   ---------
LLMNR    Running 4/27/2026 09:01:00
mDNS     Running 4/27/2026 09:01:00
DHCPv6   Running 4/27/2026 09:01:00
```
