Your MitM sidekick for relaying attacks, featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing
pretender
`pretender` is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. `pretender` primarily targets Windows hosts, as it is intended to be used for relaying attacks, but it can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than `pretender`. It is designed to work with tools such as Impacket's `ntlmrelayx.py` and `krbrelayx` that handle the incoming connections for relaying attacks or hash dumping.
Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.
Usage
To get a feel for the situation in the local network, `pretender` can be started in `--dry` mode, where it only logs incoming queries and does not answer any of them:

```sh
pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements
```
To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run `pretender` with only the interface argument, i.e. the same command without `--dry`.

Individual attacks can be disabled with `--no-dhcp-dns` (disables DHCPv6, DNS and router advertisements), `--no-lnr` (disables mDNS, LLMNR and NetBIOS-NS), `--no-mdns`, `--no-llmnr`, `--no-netbios` and `--no-ra`.
If `ntlmrelayx.py` runs on a different host (say `10.0.0.10`/`fe80::5`), tell `pretender` to answer queries with that host's addresses instead of its own:

```sh
pretender -i eth0 -4 10.0.0.10 -6 fe80::5
```
Pretender can be set up to only respond to queries for certain domains (or all but certain domains), and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs `pretender`. See the following example:

```sh
pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn
```

For more information, run `pretender --help`.
Tips
- Make sure to enable IPv6 support in `ntlmrelayx.py` with the `-6` flag.
- Pretender can be configured to stop after a certain time period for situations where it cannot be aborted manually (`--stop-after` and `main.vendorStopAfter`).
- Host info lookup (which relies on the ARP table, IP neighbours and reverse lookups) can be disabled with `--no-host-info` or `main.vendorNoHostInfo`.
- If you are unsure which interface to choose (especially on Windows), list all interfaces with names and addresses using `--interfaces`.
- If you want to exclude hosts from local name resolution spoofing, make sure to also exclude their IPv6 addresses or use `--no-ipv6-lnr`/`main.vendorNoIPv6LNR`; a host excluded only by its IPv4 address is still answered when it queries over IPv6.
- DHCPv6 messages usually contain an FQDN option (which can also sometimes contain a hostname that is not an FQDN). This option is used to filter messages by hostname (`--spoof-for`/`--dont-spoof-for`). You can decide what to do with DHCPv6 messages without an FQDN option by setting or omitting `--ignore-nofqdn`.
- Depending on the build configuration, either the operating system resolver (`CGO_ENABLED=1`) or a Go implementation (`CGO_ENABLED=0`) is used. This can matter for host info collection, because the OS resolver may support local name resolution while the Go implementation does not, unless a stub resolver is used.
- The host info functionality is currently only available for Windows and Linux.
- A custom MAC address vendor list can be compiled into the binary by replacing the default list `hostinfo/mac-vendors.txt`. Only lines with MAC prefixes in the following format are recognized: `FF:FF:FF<tab>VendorID<tab>Vendor` (the MAC prefix length can be arbitrary).
- If you only want to perform Kerberos relaying, specify `--no-lnr` and `--spoof-types SOA` to ignore any queries that are unrelated to the attack.
- When conducting a Kerberos relay attack where `krbrelayx.py` runs on a different host than pretender (the relay IPv4 address points to the host running `krbrelayx.py`), that host also needs to run pretender in order to receive and deny the Dynamic Update query sent to the relay IPv4 address.
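The vendor list format from the tips above, as an added example in Go that is not pretender's own code: a parser for `prefix<tab>VendorID<tab>Vendor` lines that skips everything else, and a lookup that normalizes a MAC address and returns the longest matching prefix. The sample list, vendor IDs and names are constructed for the example, and interpreting "arbitrary prefix length" as a plain string prefix of the normalized `AA:BB:CC:DD:EE:FF` form (which also admits a trailing nibble) is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"regexp"
	"strings"
)

// Vendor is one entry of the vendor list.
type Vendor struct {
	ID   string
	Name string
}

// prefixRE accepts colon-separated hex byte groups of any length, optionally
// ending in a single nibble, e.g. "00:11:22" or "00:11:22:3" (assumed rule).
var prefixRE = regexp.MustCompile(`^(?:[0-9A-F]{2}:)*[0-9A-F]{1,2}$`)

// ParseVendorList reads lines in the "prefix<tab>VendorID<tab>Vendor" format
// and silently skips everything else (comments, short lines, malformed prefixes).
func ParseVendorList(r io.Reader) map[string]Vendor {
	vendors := make(map[string]Vendor)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Split(sc.Text(), "\t")
		if len(fields) != 3 {
			continue
		}
		prefix := strings.ToUpper(strings.TrimSpace(fields[0]))
		if !prefixRE.MatchString(prefix) {
			continue
		}
		vendors[prefix] = Vendor{ID: strings.TrimSpace(fields[1]), Name: strings.TrimSpace(fields[2])}
	}
	return vendors
}

// LookupVendor normalizes the MAC address (any form net.ParseMAC accepts) and
// returns the entry with the longest matching prefix, so a more specific
// 4-byte prefix wins over a 3-byte OUI.
func LookupVendor(vendors map[string]Vendor, mac string) (Vendor, bool) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return Vendor{}, false
	}
	norm := strings.ToUpper(hw.String())
	var best string
	var found Vendor
	for prefix, v := range vendors {
		if strings.HasPrefix(norm, prefix) && len(prefix) > len(best) {
			best, found = prefix, v
		}
	}
	return found, best != ""
}

// sampleVendorList is constructed for this example; vendor IDs and names are
// made up. Only the three well-formed lines are expected to load.
const sampleVendorList = "# comment lines and other formats are ignored\n" +
	"00:11:22\tACME\tAcme Networks Ltd.\n" +
	"00:11:22:33\tACMESUB\tAcme Networks Subsidiary\n" +
	"AA:BB\tBIGCO\tBig Corp\n" +
	"00:11:22:44:55:66\tTWOFIELDS\n" + // missing the vendor name field
	"0G:11:22\tBADHEX\tNot hex\n" // not a hex prefix

// LoadSampleVendors parses the constructed list above.
func LoadSampleVendors() map[string]Vendor {
	return ParseVendorList(strings.NewReader(sampleVendorList))
}

func main() {
	vendors := LoadSampleVendors()
	for _, mac := range []string{"00:11:22:33:44:55", "00-11-22-99-88-77", "aa:bb:01:02:03:04", "cc:dd:ee:00:00:01"} {
		v, ok := LookupVendor(vendors, mac)
		fmt.Printf("%s -> found=%v %+v\n", mac, ok, v)
	}
}
```

Longest-prefix selection is what makes a finer-grained entry such as `00:11:22:33` take precedence over the plain OUI `00:11:22` for the same address; without it, map iteration order would decide.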
Building and Vendoring
Pretender is built with the standard Go toolchain (`go build`).

Pretender can also be compiled with pre-configured settings. For this, the `ldflags` have to be modified like this:

```sh
-ldflags '-X main.vendorInterface=eth1'
```

For example, Pretender can be built for Windows with a specific default interface, without coloured output and with a relay IPv4 address configured:

```sh
GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'
```

Full list of vendoring options (see `defaults.go` or `pretender --help` for detailed information):
vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoRA
vendorNoIPv6LNR
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDryMode
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces