pretender
is a tool developed by RedTeam Pentesting to obtain
machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS
takeover attacks. pretender
primarily targets Windows hosts, as it is intended
to be used for relaying attacks but can be deployed on Linux, Windows and all
other platforms Go supports. Name resolution queries can be answered with
arbitrary IPs for situations where the relaying tool runs on a different host
than pretender
. It is designed to work with tools such as
Impacket's ntlmrelayx.py
and
krbrelayx that handle the incoming
connections for relaying attacks or hash dumping.
Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.
To get a feel for the situation in the local network, pretender
can be started
in --dry
mode where it only logs incoming queries and does not answer any of
them:
pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements (RA)
pretender -i eth0 --dry --no-ra-dns # with RA but without advertizing DNS in RA
To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well
as a DHCPv6 DNS takeover with router advertisements, simply run pretender
like
this:
pretender -i eth0
You can disable certain attacks with --no-dhcp-dns
(disabled DHCPv6, DNS and
router advertisements), --no-lnr
(disabled mDNS, LLMNR and NetBIOS-NS),
--no-mdns
, --no-llmnr
, --no-netbios
and --no-ra
.
If ntlmrelayx.py
runs on a different host (say 10.0.0.10
/fe80::5
), run
pretender
like this:
pretender -i eth0 -4 "10.0.0.10" -6 "fe80::5"
Pretender can be setup to only respond to queries for certain domains (or all
but certain domains) and it can perform the spoofing attacks only for certain
hosts (or all but certain hosts). Referencing hosts by hostname relies on the
name resolution of the host that runs pretender
. See the following example:
pretender -i eth0 --spoof "example.com" --dont-spoof-for "10.0.0.3,host1.corp,fe80::f" --ignore-nofqdn
For more information, run pretender --help
.
ntlmrelayx.py
with the -6
flag.--stateless-ra
flag. By default, the DHCPv6 server--no-dhcp
.--dont-spoof
/--dont-spoof-for
filters are present and no upstream DNS--delegate-ignored-to
, router advertisements will--stop-after
andmain.vendorStopAfter
).--no-host-info
or main.vendorNoHostInfo
--interfaces
.--no-ipv6-lnr
/main.vendorNoIPv6LNR
.--spoof-for
/--dont-spoof-for
). You can decide what--ignore-nofqdn
.CGO_ENABLED=1
) or a Go implementation (CGO_ENABLED=0
) is used. This canhostinfo/mac-vendors.txt
. Only lines with MAC prefixes inFF:FF:FF<tab>VendorID<tab>Vendor
(the--no-lnr
and--spoof-types SOA
to ignore any queries that are unrelated to the attack.krbrelayx.py
runs on akrbrelayx.py
), the host running krbrelayx.py
will also need to--delegate-ignored-to <DNS server>
can be used to delegate ignored--dry-with-dhcp
can be combined with --delegate-ignored-to
toPretender can be build as follows:
go build
Pretender can also be compiled with pre-configured settings. For this, the
ldflags
have to be modified like this:
-ldflags '-X main.vendorInterface=eth1'
For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:
GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'
Full list of vendoring options (see defaults.go
or pretender --help
for
detailed information):
vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoIPv6LNR
vendorNoRA
vendorNoRADNS
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDelegateIgnoredTo
vendorDontSendEmptyReplies
vendorDryMode
vendorDryWithDHCPMode
vendorStatelessRA
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorDNSTimeout
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces