Wednesday, July 27, 2022

Your MitM Sidekick For Relaying Attacks Featuring DHCPv6 DNS Takeover As Well As mDNS, LLMNR And NetBIOS-NS Spoofing





pretender is a tool developed by RedTeam Pentesting to obtain machine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS takeover attacks. pretender primarily targets Windows hosts, as it is intended to be used for relaying attacks, but it can be deployed on Linux, Windows and all other platforms Go supports. Name resolution queries can be answered with arbitrary IPs for situations where the relaying tool runs on a different host than pretender. It is designed to work with tools such as Impacket's ntlmrelayx.py and krbrelayx that handle the incoming connections for relaying attacks or hash dumping.

Read our blog post for more information about DHCPv6 DNS takeover, local name resolution spoofing and relay attacks.

Usage

To get a feel for the situation in the local network, pretender can be started in --dry mode, where it only logs incoming queries and does not answer any of them:

pretender -i eth0 --dry
pretender -i eth0 --dry --no-ra # without router advertisements

To perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well as a DHCPv6 DNS takeover with router advertisements, simply run pretender like this:

You can disable certain attacks with --no-dhcp-dns (disables DHCPv6, DNS and router advertisements), --no-lnr (disables mDNS, LLMNR and NetBIOS-NS), --no-mdns, --no-llmnr, --no-netbios and --no-ra.

If ntlmrelayx.py runs on a different host (say 10.0.0.10/fe80::5), run pretender like this:

pretender -i eth0 -4 10.0.0.10 -6 fe80::5

Pretender can be set up to only respond to queries for certain domains (or all but certain domains), and it can perform the spoofing attacks only for certain hosts (or all but certain hosts). Referencing hosts by hostname relies on the name resolution of the host that runs pretender. See the following example:

pretender -i eth0 --spoof example.com --dont-spoof-for 10.0.0.3,host1.corp,fe80::f --ignore-nofqdn

For more information, run pretender --help.

Tips

  • Make sure to enable IPv6 support in ntlmrelayx.py with the -6 flag
  • Pretender can be configured to stop after a certain time period for situations where it cannot be aborted manually (--stop-after and main.vendorStopAfter)
  • Host info lookup (which relies on the ARP table, IP neighbours and reverse lookups) can be disabled with --no-host-info or main.vendorNoHostInfo
  • If you are not sure which interface to choose (especially on Windows), list all interfaces with names and addresses using --interfaces
  • If you want to exclude hosts from local name resolution spoofing, make sure to also exclude their IPv6 addresses or use --no-ipv6-lnr/main.vendorNoIPv6LNR
  • DHCPv6 messages usually contain a FQDN option (which can also sometimes contain a hostname which is not a FQDN). This option is used to filter out messages by hostname (--spoof-for/--dont-spoof-for). You can decide what to do with DHCPv6 messages without a FQDN option by setting or omitting --ignore-nofqdn
  • Depending on the build configuration, either the operating system resolver (CGO_ENABLED=1) or a Go implementation (CGO_ENABLED=0) is used. This can be important for host info collection because the OS resolver may support local name resolution and the Go implementation does not, unless a stub resolver is used.
  • The host info functionality is currently only available for Windows and Linux.
  • A custom MAC address vendor list can be compiled into the binary by replacing the default list hostinfo/mac-vendors.txt. Only lines with MAC prefixes in the following format are recognized: FF:FF:FF<tab>VendorID<tab>Vendor (the MAC prefix length can be arbitrary).
  • If you only want to perform Kerberos relaying, you can specify --no-lnr and --spoof-types SOA to ignore any queries that are unrelated to the attack.
  • When conducting a Kerberos relay attack where krbrelayx.py runs on a different host than pretender (the relay IPv4 address points to a different host that runs krbrelayx.py), the host running krbrelayx.py will also need to run pretender in order to receive and deny the Dynamic Update query sent to the relay IPv4 address.
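The vendor list format described in the tips above (FF:FF:FF<tab>VendorID<tab>Vendor, arbitrary prefix length) lends itself to a small parser with longest-prefix lookup, which is what a defender doing asset inventory from ARP tables wants anyway. The code below is an added example, not pretender's own hostinfo implementation; the sample list, the vendor IDs and the MAC addresses in it are constructed.

```go
package main
import "strings"
// Vendor is one entry of a vendor list line "FF:FF:FF<tab>VendorID<tab>Vendor".
type Vendor struct {
	Prefix   string // upper-case hex digits, separators removed, any length
	VendorID string
	Name     string
}
// normalizeHex drops ':'/'-' separators and upper-cases the hex digits, so a prefix
// of any length (even an odd number of nibbles) compares with a full MAC by simple
// string prefix; it returns "" for empty or non-hex input.
func normalizeHex(s string) string {
	s = strings.ToUpper(strings.NewReplacer(":", "", "-", "").Replace(s))
	if strings.Trim(s, "0123456789ABCDEF") != "" {
		return ""
	}
	return s
}
// ParseVendorList keeps only lines with exactly three tab-separated fields whose
// first field is a hex MAC prefix; comments and malformed lines are skipped.
func ParseVendorList(data string) []Vendor {
	var list []Vendor
	for _, line := range strings.Split(data, "\n") {
		f := strings.Split(line, "\t")
		if len(f) != 3 {
			continue
		}
		if p := normalizeHex(f[0]); p != "" {
			list = append(list, Vendor{Prefix: p, VendorID: f[1], Name: f[2]})
		}
	}
	return list
}
// LookupVendor returns the longest matching prefix, so a more specific
// (e.g. 28-bit) block wins over the 24-bit block that contains it.
func LookupVendor(list []Vendor, mac string) (Vendor, bool) {
	m, best := normalizeHex(mac), Vendor{}
	for _, v := range list {
		if strings.HasPrefix(m, v.Prefix) && len(v.Prefix) > len(best.Prefix) {
			best = v
		}
	}
	return best, best.Prefix != ""
}
// SampleList is constructed test data, not the project's real mac-vendors.txt.
const SampleList = "AA:BB:CC\tVND1\tExample Vendor One\n" +
	"AA:BB:CC:D\tVND2\tExample Vendor Two (28-bit block)\n" +
	"# comment line without tabs is skipped\n" +
	"ZZ:ZZ:ZZ\tBAD\tnot hex, skipped\n"
```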

Building and Vendoring

Pretender can be built as follows:

Pretender can also be compiled with pre-configured settings. For this, the ldflags have to be modified like this:

-ldflags '-X main.vendorInterface=eth1'

For example, Pretender can be built for Windows with a specific default interface, without colored output and with a relay IPv4 address configured:

GOOS=windows go build -trimpath -ldflags '-X "main.vendorInterface=Ethernet 2" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'

Full list of vendoring options (see defaults.go or pretender --help for detailed information):

vendorInterface
vendorRelayIPv4
vendorRelayIPv6
vendorSOAHostname
vendorNoDHCPv6DNSTakeover
vendorNoDHCPv6
vendorNoDNS
vendorNoMDNS
vendorNoNetBIOS
vendorNoLLMNR
vendorNoLocalNameResolution
vendorNoRA
vendorNoIPv6LNR
vendorSpoof
vendorDontSpoof
vendorSpoofFor
vendorDontSpoofFor
vendorSpoofTypes
vendorIgnoreDHCPv6NoFQDN
vendorDryMode
vendorTTL
vendorLeaseLifetime
vendorRARouterLifetime
vendorRAPeriod
vendorStopAfter
vendorVerbose
vendorNoColor
vendorNoTimestamps
vendorLogFileName
vendorNoHostInfo
vendorHideIgnored
vendorRedirectStderr
vendorListInterfaces
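The -X linker flag used above can only overwrite package-level string variables, so a vendored build still has to parse and validate those strings at startup. The following added example (not pretender's own code) shows that pattern for three of the options listed above; the variable names are from the page, but their types and the validation rules are assumed for the example.

```go
package main
import (
	"fmt"
	"net"
	"strconv"
	"time"
)
// These package-level strings are what `-X main.vendorXXX=value` overwrites at
// link time. The linker can only set strings, so every typed setting must be parsed
// from its string form at startup. (Names from the page; types assumed here.)
var vendorRelayIPv4, vendorNoColor, vendorStopAfter string
// Config holds the typed defaults derived from the vendored strings.
type Config struct {
	RelayIPv4 net.IP
	NoColor   bool
	StopAfter time.Duration
}
// ParseVendored converts raw strings into typed values. An empty string keeps the
// zero value (nothing vendored); a malformed value is reported rather than silently
// ignored, because a bad baked-in default ships inside the binary.
func ParseVendored(relay4, noColor, stopAfter string) (Config, error) {
	var cfg Config
	if relay4 != "" {
		if cfg.RelayIPv4 = net.ParseIP(relay4); cfg.RelayIPv4.To4() == nil {
			return cfg, fmt.Errorf("vendorRelayIPv4: %q is not an IPv4 address", relay4)
		}
	}
	if noColor != "" {
		b, err := strconv.ParseBool(noColor)
		if err != nil {
			return cfg, fmt.Errorf("vendorNoColor: %w", err)
		}
		cfg.NoColor = b
	}
	if stopAfter != "" {
		d, err := time.ParseDuration(stopAfter)
		if err != nil || d <= 0 {
			return cfg, fmt.Errorf("vendorStopAfter: %q is not a positive duration", stopAfter)
		}
		cfg.StopAfter = d
	}
	return cfg, nil
}
// LoadVendored reads the link-time values, e.g. after building with
// go build -ldflags '-X main.vendorRelayIPv4=10.0.0.10 -X main.vendorNoColor=true'
func LoadVendored() (Config, error) {
	return ParseVendored(vendorRelayIPv4, vendorNoColor, vendorStopAfter)
}
```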


