View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0008015Kali Linux[All Projects] Queued Tool Additionpublic2022-10-21 13:592022-11-01 14:35
ReporterRedTeamPT Assigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0008015: pretender - Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing
Descriptionname: pretender
version: 1.0.0
homepage: https://github.com/RedTeamPentesting/pretender
further information: https://blog.redteam-pentesting.de/2022/introducing-pretender/
download: https://github.com/RedTeamPentesting/pretender/releases/tag/v1.0.0
author: RedTeam Pentesting GmbH
licence: MIT
description: pretender can obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks but can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.
dependencies: standalone static binary
similar tools: responder, mitm6, inveigh
activity: publicly available since july 2022
how to install: go build
how to use:

To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements.
---
pretender -i eth0

You can disable certain attacks with --no-dhcp-dns (disabled DHCPv6, DNS and router advertisements), --no-lnr (disabled mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra. If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this.
---
pretender -i eth0 -4 10.0.0.10 -6 fe80::5

Pretender can be setup to only respond to queries for certain domains (or all but certain domains) and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender.
---
pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn

packaged: no

Activities

g0tmi1k

2022-11-01 14:34

administrator   ~0017032

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

Issue History

Date Modified Username Field Change
2022-10-21 13:59 RedTeamPT New Issue
2022-11-01 14:34 g0tmi1k Note Added: 0017032
2022-11-01 14:35 g0tmi1k Status new => acknowledged
2022-11-01 14:35 g0tmi1k Category New Tool Requests => Queued Tool Addition