
Releases: RedTeamPentesting/pretender

v1.3.2

18 Feb 13:45

This update introduces globbing in --spoof, --dont-spoof, and so on. This is useful to spoof only hostnames for Kerberos relay attacks with --spoof '*1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA*' (see this blog post). It also fixes some typos.

v1.3.1

03 Feb 15:15

As it turns out, the LLMNR response name spoofing technique introduced in v1.3.0 also works with DNS queries. Therefore --spoof-llmnr-name was renamed to --spoof-response-name. When this option is active, mDNS and NetBIOS queries are automatically ignored to prevent them from interfering with the attack.

v1.3.0

31 Jan 14:42

Just as pretender surpassed 1000 GitHub stars (thanks everyone), we've prepared a major update containing new features and fixes. Here are the changes:

  • A new option to facilitate Kerberos relaying via spoofed LLMNR response names was added. With --spoof-llmnr-name you can now choose an arbitrary hostname that is used in the SPN when a totally different name is resolved via LLMNR. For more details, read this excellent blog post. (This option was renamed to --spoof-response-name in v1.3.1!)
  • The new option --toggle allows for dynamic toggling of name resolution spoofing. With the press of one of the hotkeys, all name resolution queries are ignored or passed to an upstream DNS server configured with --delegate-ignored-to, while the DHCP server remains active. This feature is important, since newer Windows versions seem to have a bug in the DHCPv6 client that causes the client to stop trying to lease addresses if the DHCPv6 server is unavailable for too long. This causes the DHCPv6 DNS takeover attack to work only once per boot (or until the interface is cycled). With --toggle the DHCPv6 server stays active while the attacks are temporarily halted, and the DHCPv6 clients stay happy.
  • It is now possible to ignore DHCPv6 messages from non-Windows clients with --ignore-non-microsoft-dhcp, since Windows clients are the primary target of this tool. This works because the Microsoft DHCP client includes Microsoft's enterprise number 311 in its DHCP messages.
  • It is now possible to start pretender even though another service listens on the DNS port through the SO_REUSEADDR and SO_REUSEPORT socket options on Linux.
  • Delegated DNS queries (--delegate-ignored-to) now use the same protocol as the incoming queries.
  • The default DNS lookup timeout was increased.
  • Router advertisements are now also disabled when --no-dhcp-dns is specified.
  • All dependencies were updated.

v1.2.0

24 Oct 10:32

Version 1.2.0 overhauls the router advertisement logic and introduces new attack modes: Stateless DNS takeover via the RDNSS option in router advertisements (RFC 6106) without DHCPv6 being involved, as well as a hybrid mode with DHCPv6 still enabled as a fallback. When setting --stateless-ra, the router advertisements do not advertise a DHCPv6 server anymore but immediately set a DNS server nonetheless. By default, the DHCPv6 server still stays enabled to answer requests that come in regardless of the RA flags. This hybrid mode can be disabled via --no-dhcp for a pure stateless DNS takeover.

The stateless DNS takeover has the advantage that the DNS server configuration is actively pushed out via RA instead of pulled via DHCPv6 by the clients. Another advantage is that pretender does not need to assign IPv6 addresses (when hybrid mode is disabled) and thus leaves less of a footprint. Finally, the DNS server is immediately removed from the clients as soon as they receive the de-advertisement that is sent when pretender is stopped.

The downside of stateless DNS takeover is that pretender cannot control who receives the DNS server, so --spoof-for and --dont-spoof-for cannot be honored during this step, only later when receiving DNS queries. To avoid disturbing clients unintentionally, it is recommended to use --delegate-ignored-to in conjunction with --spoof and --dont-spoof in stateless mode (pretender will suggest this in a warning when using --spoof-for/--dont-spoof-for).

Here is the full change list:

  • pretender now supports stateless DNS takeover via the RDNSS option in router advertisements (RFC 6106) without DHCPv6 as well as a hybrid mode (--stateless-ra; hybrid mode can be disabled with --no-dhcp).
  • pretender now responds to router solicitations with a solicited router advertisement if router advertisements are enabled.
  • Router advertisements now include the DNS server address (if enabled).
  • The default value for --router-lifetime was changed to 0 to avoid unnecessarily advertising as a gateway.
  • If router advertisements are enabled, a de-advertisement is now sent before terminating regardless of the configured --router-lifetime.
  • DHCPv6 T1 and T2 values are now dynamically computed based on --lease-lifetime.
  • All dependencies were updated.
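As an added defender's example (not code from pretender or from these release notes), the following Go program parses a captured ICMPv6 Router Advertisement, extracts the M/O flags, the router lifetime and any DNS servers carried in the RDNSS option (RFC 6106), and flags servers that are not on an allow-list, which is what a stateless DNS takeover looks like on the wire. The sample RA bytes and the fe80::1 address are constructed placeholders.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net/netip"
)

// RAInfo holds the Router Advertisement fields (RFC 4861) relevant to a stateless DNS takeover.
type RAInfo struct {
	ManagedFlag, OtherFlag bool         // M/O flags steer clients to DHCPv6; both clear in stateless mode
	RouterLifetime         uint16       // 0 means "not a gateway"; a de-advertisement also carries 0
	DNSServers             []netip.Addr // servers pushed via the RDNSS option (RFC 6106)
}

// ParseRA parses an ICMPv6 payload (starting at the type byte) as a Router Advertisement.
func ParseRA(pkt []byte) (info RAInfo, err error) {
	if len(pkt) < 16 || pkt[0] != 134 { // ICMPv6 type 134 = Router Advertisement
		return info, errors.New("not a router advertisement")
	}
	info.ManagedFlag, info.OtherFlag = pkt[5]&0x80 != 0, pkt[5]&0x40 != 0
	info.RouterLifetime = binary.BigEndian.Uint16(pkt[6:8])
	for opts := pkt[16:]; len(opts) >= 2; {
		optLen := int(opts[1]) * 8 // option length is given in units of 8 octets
		if optLen == 0 || optLen > len(opts) {
			return info, errors.New("malformed option length")
		}
		// Option type 25 is RDNSS: 8-byte header (reserved + lifetime) followed by 16-byte addresses.
		for a := opts[8:optLen]; opts[0] == 25 && len(a) >= 16; a = a[16:] {
			info.DNSServers = append(info.DNSServers, netip.AddrFrom16(*(*[16]byte)(a)))
		}
		opts = opts[optLen:]
	}
	return info, nil
}

// UnexpectedDNSPush reports whether the RA pushes a DNS server that is not on the allow-list.
func UnexpectedDNSPush(info RAInfo, allowed map[netip.Addr]bool) bool {
	for _, s := range info.DNSServers {
		if !allowed[s] {
			return true
		}
	}
	return false
}

// SampleStatelessRA is a constructed RA: M/O clear, router lifetime 0, one RDNSS server (fe80::1, placeholder).
var SampleStatelessRA = []byte{134, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // header, flags 0, lifetime 0
	25, 3, 0, 0, 0, 0, 0x0e, 0x10, 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1} // RDNSS, length 3 (24 bytes)
```

On a segment where RDNSS is not used legitimately, any RA that ParseRA reports with a non-empty DNSServers list is worth an alert; the allow-list handles networks that do push resolvers via RA.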

v1.1.1

09 May 13:08

This minor update adds the new option --dry-with-dhcp that can be used together with the --delegate-ignored-to option introduced in v1.1.0 to see all name resolution queries without disrupting the network.

v1.1.0

02 May 11:18

After almost a year, it is time for a pretender update. While pretender was already good at spoofing, with this update it got a lot better at not spoofing. With the new --delegate-ignored-to option, pretender can delegate ignored DNS queries to an arbitrary upstream DNS server. This is especially useful for Kerberos Relaying, where only SOA queries need to be spoofed. In general, this should make DHCPv6 DNS Takeover a lot less intrusive when targeting specific hosts or queries.

Here is the full change list:

  • An upstream DNS server can now be configured using the new option --delegate-ignored-to. With this option, ignored queries will be answered by the upstream server.
  • Ignored DNS queries are now answered with an empty reply instead of none at all. The old behavior can be restored with the --dont-send-empty-replies option.
  • In --spoof and --dont-spoof rules, a single dot (.) now matches local names that don't contain a dot.
  • The .local suffix of mDNS queries is now ignored to make matching --spoof and --dont-spoof rules more consistent.
  • The long-form options --ip4 and --ip6 were renamed to --ipv4 and --ipv6.
  • DNS timeouts are now configurable with --dns-timeout.
  • Colored output now also works on Windows.
  • A few minor fixes.

v1.0.0

18 Jul 10:42

This release allows pretender to perform Kerberos relaying attacks together with krbrelayx. Specify your relay target with --soa-hostname. If you only want to do Kerberos relaying you can specify --spoof-types SOA to ignore unrelated queries. Check out these blog posts for more information about Kerberos relaying:

We've also updated our own blog post with more information about Kerberos relaying.

v0.11.0

11 Jul 15:46

This is the initial public release. Read our accompanying blog post for more information.