Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
pretender
Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover
as well as mDNS, LLMNR and NetBIOS-NS spoofing
pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.
Usage
To get a feel for the situation in the local network, pretender can be started in --dry mode where it only logs incoming queries and does not answer any of them:
pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements (RA)
pretender -i eth0 --dry --no-ra-dns # with RA but without advertizing DNS in RA
To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run pretender like this:
pretender -i eth0
You can disable certain attacks with --no-dhcp-dns (disabled DHCPv6, DNS and router advertisements), --no-lnr (disabled mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra.
If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:
pretender -i eth0 -4 "10.0.0.10" -6 "fe80::5"
Pretender can be setup to only respond to queries for certain domains (or all but certain domains) and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender. See the following example:
pretender -i eth0 --spoof "example.com" --dont-spoof-for "10.0.0.3,host1.corp,fe80::f" --ignore-nofqdn
For more information, run pretender --help.
Tips
- The options
--spoof/--dont-spoof/--spoof-for/--dont-spoof-forsupport
domain.fqdn only performs literal matching, .domain.fqdn
will match domain.fqdn and sub.domain.fqdn. Similarly, *domain.fqdn
matches mydomain.fqdn. Use .domain.fqdn to only* match subdomains. Note
that subdomain wildcards (leading .) and arbitrary wildcards (*) cannot be
used together.
- Make sure to enable IPv6 support in
ntlmrelayx.pywith the-6flag. - Pretender supports stateless DNS configuration via Router Advertisements
--stateless-ra flag. By default, the DHCPv6 server
is still started but it can be disabled using --no-dhcp.
- If
--dont-spoof/--dont-spoof-forfilters are present and no upstream DNS
--delegate-ignored-to, router advertisements will
not directly advertize the DNS server which makes the attack less effective.
- Pretender can be configured to stop after a certain time period for situations
--stop-after and
main.vendorStopAfter).
- Host info lookup (which relies on the ARP table, IP neighbours and reverse
--no-host-info or main.vendorNoHostInfo
- If you are not sure which interface to choose (especially on Windows), list
--interfaces.
- If you want to exclude hosts from local name resolution spoofing, make sure to
--no-ipv6-lnr/main.vendorNoIPv6LNR.
- DHCPv6 messages usually contain a FQDN option (which can also sometimes
--spoof-for/--dont-spoof-for). You can decide what
to do with DHCPv6 messages without FQDN option by setting or omitting
--ignore-nofqdn.
- Depending on the build configuration, either the operating system resolver
CGOENABLED=1) or a Go implementation (CGOENABLED=0) is used. This can
be important for host info collection because the OS resolver may support
local name resolution and the Go implementation does not, unless a stub
resolver is used..
- The host info functionality is currently only available for Windows and Linux.
- A custom MAC address vendor list can be compiled into the binary by replacing
hostinfo/mac-vendors.txt. Only lines with MAC prefixes in
the following format are recognized: FF:FF:FF<tab>VendorID<tab>Vendor (the
MAC prefix length can be arbitrary).
- If you only want to perform Kerberos relaying via dynamic updates you can
--no-lnr and --spoof-types SOA to ignore any queries that are
unrelated to the attack.
- When conducting a Kerberos relay attack where
krbrelayx.pyruns on a
krbrelayx.py), the host running krbrelayx.py will also need to
run pretender in order to receive and deny the Dynamic Update query sent to
the relay IPv4 address.
- By default, in order to limit disruption during a DHCPv6 DNS Takeover, the
--delegate-ignored-to <DNS server> can be used to delegate ignored
queries to a legitimate DNS server.
- The option
--dry-with-dhcpcan be combined with--delegate-ignored-toto
- It is possible to ignore DHCP messages from non-Windows clients by specifying
--ignore-non-microsoft-dhcp. This is possible because the Windows DHCP
client includes Microsoft's enterprise number 311 in the DHCP vendor option.
- With
--toggle, name resolution spoofing (DNS, mDNS, LLMNR, NetBIOS) can be
--delegate-ignored-to to start and stop attacks without stopping the DHCP
server. This can be used as a workaround when the Windows DHCP client stops
leasing addresses after failing to reach the DHCP server for some time.
Building and Vendoring
Pretender can be build as follows:
go build
Pretender can also be compiled with pre-configured settings. For this, the ldflags have to be modified like this:
-ldflags '-X main.vendorInterface=eth1'
For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:
GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'
Full list of vendoring options (see defaults.go or pretender --help for detailed information):
vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorSpoofResponseName
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoIPv6LNR
vendorNoRA
vendorNoRADNS
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorSpoofSRV
vendorIgnoreDHCPv6NoFQDN
vendorIgnoreNonMicrosoftDHCP
vendorDelegateIgnoredTo
vendorToggleNameResolutionSpoofing
vendorDontSendEmptyReplies
vendorDryMode
vendorDryWithDHCPMode
vendorStatelessRA
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorDNSTimeout
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces