
Inveigh vs PetitPotam

GitHub Stats

              Inveigh         PetitPotam
Stars         3.0k            2.2k
Forks         466             297
Issues        20              1
Updated       5mo ago         1y ago
License       BSD-3-Clause    -
Language      C#              Python

About Inveigh

Inveigh is a .NET/PowerShell tool for network protocol poisoning and relay attacks on Windows networks. It spoofs LLMNR, NBNS, mDNS, DNS, and DHCPv6 responses to capture NTLMv1/v2 hashes from hosts attempting name resolution. Beyond simple hash capture, Inveigh includes an SMB relay module that forwards captured authentication to other hosts for immediate code execution without cracking. The .NET version (InveighZero) runs as a standalone executable without PowerShell dependencies, evading script-based detections. It is the Windows-native alternative to Responder.

About PetitPotam

PetitPotam is a tool that coerces Windows hosts into authenticating to an attacker-controlled server by abusing the Encrypting File System Remote Protocol (MS-EFSRPC). By sending specially crafted requests to the EfsRpcOpenFileRaw function (and similar EFS functions), PetitPotam forces the target machine to initiate an NTLM authentication to an arbitrary server specified by the attacker. When combined with NTLM relay attacks (via tools like ntlmrelayx from Impacket), this can be used to relay the authentication to Active Directory Certificate Services (AD CS) to obtain certificates, or to other services for privilege escalation. PetitPotam was a significant discovery because it works unauthenticated against domain controllers in many configurations, making it a critical vector for Active Directory domain compromise. Microsoft has issued patches, but many environments remain vulnerable.

Platform Support

Inveigh: windows
PetitPotam: linux, windows

Tags

Shared

ntlm-relay, active-directory

Inveigh only

llmnr-poisoning, credential-capture, name-resolution

PetitPotam only

coercion, efsrpc, domain-compromise, adcs