View Issue Details

ID: 0008015
Project: Kali Linux
Category: Queued Tool Addition
View Status: public
Last Update: 2022-11-01 14:35
Reporter: RedTeamPT
Assigned To:
Priority: normal
Severity: minor
Reproducibility: N/A
Status: acknowledged
Resolution: open
Summary: 0008015: pretender - Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing
Description

name: pretender
version: 1.0.0
homepage: https://github.com/RedTeamPentesting/pretender
further information: https://blog.redteam-pentesting.de/2022/introducing-pretender/
download: https://github.com/RedTeamPentesting/pretender/releases/tag/v1.0.0
author: RedTeam Pentesting GmbH
licence: MIT
description: pretender can obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks, but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
dependencies: standalone static binary
similar tools: responder, mitm6, inveigh
activity: publicly available since July 2022
how to install: go build
how to use:

To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements:

pretender -i eth0

You can disable certain attacks with --no-dhcp-dns (disables DHCPv6, DNS and router advertisements), --no-lnr (disables mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra. If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:

pretender -i eth0 -4 10.0.0.10 -6 fe80::5

Pretender can be set up to only respond to queries for certain domains (or all but certain domains) and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender:

pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn

packaged: no

Activities

g0tmi1k

2022-11-01 14:34

administrator   ~0017032

@kali-team, please could this be packaged up.
@author, if you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

Issue History

Date Modified Username Field Change
2022-10-21 13:59 RedTeamPT New Issue
2022-11-01 14:34 g0tmi1k Note Added: 0017032
2022-11-01 14:35 g0tmi1k Status new => acknowledged
2022-11-01 14:35 g0tmi1k Category New Tool Requests => Queued Tool Addition