View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008015 | Kali Linux | [All Projects] Queued Tool Addition | public | 2022-10-21 13:59 | 2022-11-01 14:35 |

| Target Version | Fixed in Version |
|---|---|
| | |

Summary: 0008015: pretender - Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing
further information: https://blog.redteam-pentesting.de/2022/introducing-pretender/
author: RedTeam Pentesting GmbH
description: pretender can obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
dependencies: standalone static binary
similar tools: responder, mitm6, inveigh
activity: publicly available since July 2022
how to install: `go build`
how to use:
To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, run:

```
pretender -i eth0
```
You can disable certain attacks with `--no-dhcp-dns` (disables DHCPv6, DNS and router advertisements), `--no-lnr` (disables mDNS, LLMNR and NetBIOS-NS), `--no-mdns`, `--no-llmnr`, `--no-netbios` and `--no-ra`. If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:

```
pretender -i eth0 -4 10.0.0.10 -6 fe80::5
```
Pretender can be set up to only respond to queries for certain domains (or all but certain domains), and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender.

```
pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn
```
@kali-team, please could this be packaged up.
@author, if you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging