Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
Version 1.2.0 overhauls the router advertisement logic and introduces new attack modes: Stateless DNS takeover via the RDNSS option in router advertisements (RFC 6106) without DHCPv6 being involved, as well as a hybrid mode with DHCPv6 still enabled as a fallback. When setting --stateless-ra, the router advertisements do not advertise a DHCPv6 server anymore but immediately set a DNS server nonetheless. By default, the DHCPv6 server still stays enabled to answer requests that come in regardless of the RA flags. This hybrid mode can be disabled via --no-dhcp for a pure stateless DNS takeover.
The stateless DNS takeover has the advantage that the DNS server configuration is actively pushed out via RA instead of pulled via DHCPv6 by the clients. Another advantage is that pretender does not need to assign IPv6 addresses (when hybrid mode is disabled) and thus leaves less of a footprint. Finally, the DNS server is immediately removed from the clients as soon as they receive the de-advertisement that is sent when pretender is stopped.
The downside of stateless DNS takeover is that pretender cannot control who receives the DNS server such that --spoof-for and --dont-spoof-for cannot be honored during this step, only later when receiving DNS queries. To avoid disturbing clients unintentionally, it is recommended to use --delegate-ignored-to in conjunction with --spoof-for and --dont-spoof-for in stateless mode (pretender will suggest this in a warning when these options are present).
Here is the full change list:
pretender now supports stateless DNS takeover via RDNSS option in router advertisements (RFC 6106) without DHCPv6 as well as a hybrid mode (--stateless-ra, hybrid mode can be disabled with --no-dhcp).pretender now responds to router solicitations with a solicited router advertisement if router advertisements are enabled.--router-lifetime was changed to 0 to avoid unnecessarily advertising as a gateway.--router-lifetime.--lease-lifetime.This minor update adds the new option --dry-with-dhcp that can be used together with the --delegate-ignored-to option introduced in v1.1.0 to see all name resolution queries without disrupting the network.
After almost a year, it is time for a pretender update. While pretender was already good at spoofing, with this update it got a lot better at not spoofing. With the new --delegate-ignored-to option, pretender can delegate ignored DNS queries to an arbitrary upstream DNS server. This is especially useful for Kerberos Relaying, where only SOA queries need to be spoofed. In general, this should make DHCPv6 DNS Takeover a lot less intrusive when targeting specific hosts or queries.
Here is the full change list:
--delegate-ignored-to. With this option, ignored queries will be answered by the upstream server.--dont-send-empty-replies option.--spoof and --dont-spoof rules, a single dot (.) now matches local names that don't contain a dot..local suffix of mDNS queries is now ignored to make matching --spoof and --dont-spoof rules more consistent.--ip4 and --ip6 were renamed to --ipv4 and --ipv6
--dns-timeout.This release allows pretender to perform Kerberos relaying attacks together with krbrelayx. Specify your relay target with --soa-hostname. If you only want to do Kerberos relaying you can specify --spoof-types SOA to ignore unrelated queries. Check out these blog posts for more information about Kerberos relaying:
We've also updated our own blog post with more information about Kerberos relaying.
This is the initial public release. Read our accompanying blog post for more information.