{"id":13841855,"url":"https://github.com/RedTeamPentesting/pretender","last_synced_at":"2025-07-11T13:32:51.559Z","repository":{"id":45298815,"uuid":"512766189","full_name":"RedTeamPentesting/pretender","owner":"RedTeamPentesting","description":"Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.","archived":false,"fork":false,"pushed_at":"2024-06-07T14:11:43.000Z","size":1065,"stargazers_count":969,"open_issues_count":0,"forks_count":68,"subscribers_count":13,"default_branch":"main","last_synced_at":"2024-11-21T05:07:30.485Z","etag":null,"topics":["dhcpv6","dns","go","llmnr","mdns","netbios","pentesting","pretender","relaying","security","spoofer"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RedTeamPentesting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-11T13:23:23.000Z","updated_at":"2024-11-20T20:57:59.000Z","dependencies_parsed_at":"2023-02-09T16:01:15.790Z","dependency_job_id":"ca06241c-bf2b-4d92-8853-392009b0611a","html_url":"https://github.com/RedTeamPentesting/pretender","commit_stats":{"total_commits":162,"total_committers":3,"mean_commits":54.0,"dds":0.01851851851851849,"last_synced_commit":"2fd24391392f924af0c0f34a8534f159b7f05119"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fpretender","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Re
dTeamPentesting%2Fpretender/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fpretender/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RedTeamPentesting%2Fpretender/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RedTeamPentesting","download_url":"https://codeload.github.com/RedTeamPentesting/pretender/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729724,"owners_count":17515157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dhcpv6","dns","go","llmnr","mdns","netbios","pentesting","pretender","relaying","security","spoofer"],"created_at":"2024-08-04T17:01:22.946Z","updated_at":"2025-07-11T13:32:51.546Z","avatar_url":"https://github.com/RedTeamPentesting.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003e\u003cb\u003epretender\u003c/b\u003e\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\u003ci\u003eYour MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover\u003cbr\u003eas well as mDNS, LLMNR and NetBIOS-NS spoofing\u003c/i\u003e\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/RedTeamPentesting/pretender/releases/latest\"\u003e\u003cimg alt=\"Release\" src=\"https://img.shields.io/github/release/RedTeamPentesting/pretender.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/RedTeamPentesting/pretender/actions?workflow=Check\"\u003e\u003cimg alt=\"GitHub Action: 
Check\" src=\"https://img.shields.io/github/actions/workflow/status/RedTeamPentesting/pretender/check.yml?branch=main\u0026style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"/LICENSE\"\u003e\u003cimg alt=\"Software License\" src=\"https://img.shields.io/badge/license-MIT-brightgreen.svg?style=for-the-badge\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://goreportcard.com/report/github.com/RedTeamPentesting/pretender\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/RedTeamPentesting/pretender?style=for-the-badge\"\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n---\n\n`pretender` is a tool developed by RedTeam Pentesting to obtain\nmachine-in-the-middle positions via spoofed local name resolution and DHCPv6 DNS\ntakeover attacks. `pretender` primarily targets Windows hosts, as it is intended\nto be used for relaying attacks but can be deployed on Linux, Windows and all\nother platforms Go supports. Name resolution queries can be answered with\narbitrary IPs for situations where the relaying tool runs on a different host\nthan `pretender`. 
It is designed to work with tools such as\n[Impacket's](https://github.com/SecureAuthCorp/impacket) `ntlmrelayx.py` and\n[krbrelayx](https://github.com/dirkjanm/krbrelayx) that handle the incoming\nconnections for relaying attacks or hash dumping.\n\nRead our [blog\npost](https://blog.redteam-pentesting.de/2022/introducing-pretender/) for more\ninformation about DHCPv6 DNS takeover, local name resolution spoofing and relay\nattacks.\n\n---\n\n## Usage\n\nTo get a feel for the situation in the local network, `pretender` can be started\nin `--dry` mode where it only logs incoming queries and does not answer any of\nthem:\n\n```sh\npretender -i eth0 --dry\npretender -i eth0 --dry --no-ra # without router advertisements (RA)\npretender -i eth0 --dry --no-ra-dns # with RA but without advertizing DNS in RA\n```\n\nTo perform local name resolution spoofing via mDNS, LLMNR and NetBIOS-NS as well\nas a DHCPv6 DNS takeover with router advertisements, simply run `pretender` like\nthis:\n\n```sh\npretender -i eth0\n```\n\nYou can disable certain attacks with `--no-dhcp-dns` (disabled DHCPv6, DNS and\nrouter advertisements), `--no-lnr` (disabled mDNS, LLMNR and NetBIOS-NS),\n`--no-mdns`, `--no-llmnr`, `--no-netbios` and `--no-ra`.\n\nIf `ntlmrelayx.py` runs on a different host (say `10.0.0.10`/`fe80::5`), run\n`pretender` like this:\n\n```sh\npretender -i eth0 -4 \"10.0.0.10\" -6 \"fe80::5\"\n```\n\nPretender can be set up to only respond to queries for certain domains (or all\n_but_ certain domains) and it can perform the spoofing attacks only for certain\nhosts (or all _but_ certain hosts). Referencing hosts by hostname relies on the\nname resolution of the host that runs `pretender`. 
See the following example:\n\n```sh\npretender -i eth0 --spoof \"example.com\" --dont-spoof-for \"10.0.0.3,host1.corp,fe80::f\" --ignore-nofqdn\n```\n\nFor more information, run `pretender --help`.\n\n---\n\n## Tips\n\n- The options `--spoof/--dont-spoof/--spoof-for/--dont-spoof-for` support\n  wildcards. While `domain.fqdn` only performs literal matching, `.domain.fqdn`\n  will match `domain.fqdn` and `sub.domain.fqdn`. Similarly, `*domain.fqdn`\n  matches `mydomain.fqdn`. Use `*.domain.fqdn` to *only* match subdomains.  Note\n  that subdomain wildcards (leading .) and arbitrary wildcards (*) cannot be\n  used together.\n- Make sure to enable IPv6 support in `ntlmrelayx.py` with the `-6` flag.\n- Pretender supports stateless DNS configuration via Router Advertisements\n  without DHCPv6 with the `--stateless-ra` flag. By default, the DHCPv6 server\n  is still started but it can be disabled using `--no-dhcp`.\n- If `--dont-spoof`/`--dont-spoof-for` filters are present and no upstream DNS\n  server is configured with `--delegate-ignored-to`, router advertisements will\n  not directly advertize the DNS server which makes the attack less effective.\n- Pretender can be configured to stop after a certain time period for situations\n  where it cannot be aborted manually (`--stop-after` and\n  `main.vendorStopAfter`).\n- Host info lookup (which relies on the ARP table, IP neighbours and reverse\n  lookups) can be disabled with `--no-host-info` or `main.vendorNoHostInfo`\n- If you are not sure which interface to choose (especially on Windows), list\n  all interfaces with names and addresses using `--interfaces`.\n- If you want to exclude hosts from local name resolution spoofing, make sure to\n  also exclude their IPv6 addresses or use\n  `--no-ipv6-lnr`/`main.vendorNoIPv6LNR`.\n- DHCPv6 messages usually contain a FQDN option (which can also sometimes\n  contain a hostname which is not a FQDN). 
This option is used to filter out\n  messages by hostname (`--spoof-for`/`--dont-spoof-for`). You can decide what\n  to do with DHCPv6 messages without FQDN option by setting or omitting\n  `--ignore-nofqdn`.\n- Depending on the build configuration, either the operating system resolver\n  (`CGO_ENABLED=1`) or a Go implementation (`CGO_ENABLED=0`) is used. This can\n  be important for host info collection because the OS resolver may support\n  local name resolution and the Go implementation does not, unless a stub\n  resolver is used.\n- The host info functionality is currently only available for Windows and Linux.\n- A custom MAC address vendor list can be compiled into the binary by replacing\n  the default list `hostinfo/mac-vendors.txt`. Only lines with MAC prefixes in\n  the following format are recognized: `FF:FF:FF\u003ctab\u003eVendorID\u003ctab\u003eVendor` (the\n  MAC prefix length can be arbitrary).\n- If you only want to perform Kerberos relaying via dynamic updates you can\n  specify `--no-lnr` and `--spoof-types SOA` to ignore any queries that are\n  unrelated to the attack.\n- When conducting a Kerberos relay attack where `krbrelayx.py` runs on a\n  different host than pretender (relay IPv4 address points to different host\n  that runs `krbrelayx.py`), the host running `krbrelayx.py` will also need to\n  run pretender in order to receive and deny the Dynamic Update query sent to\n  the relay IPv4 address.\n- By default, in order to limit disruption during a DHCPv6 DNS Takeover, the\n  option `--delegate-ignored-to \u003cDNS server\u003e` can be used to delegate ignored\n  queries to a legitimate DNS server.\n- The option `--dry-with-dhcp` can be combined with `--delegate-ignored-to` to\n  monitor the name resolution queries in the network without disruption.\n- It is possible to ignore DHCP messages from non-Windows clients by specifying\n  `--ignore-non-microsoft-dhcp`. 
This is possible because the Windows DHCP\n  client includes Microsoft's enterprise number 311 in the DHCP vendor option.\n- With `--toggle`, name resolution spoofing (DNS, mDNS, LLMNR, NetBIOS) can be\n  enabled and disabled dynamically at runtime. This is especially powerful with\n  `--delegate-ignored-to` to start and stop attacks without stopping the DHCP\n  server. This can be used as a workaround when the Windows DHCP client stops\n  leasing addresses after failing to reach the DHCP server for some time.\n---\n\n## Building and Vendoring\n\nPretender can be built as follows:\n\n```sh\ngo build\n```\n\nPretender can also be compiled with pre-configured settings. For this, the\n`ldflags` have to be modified like this:\n\n```sh\n-ldflags '-X main.vendorInterface=eth1'\n```\n\nFor example, Pretender can be built for Windows with a specific default\ninterface, without colored output and with a relay IPv4 address configured:\n\n```\nGOOS=windows go build -trimpath -ldflags '-X \"main.vendorInterface=Ethernet 2\" -X main.vendorNoColor=true -X main.vendorRelayIPv4=10.0.0.10'\n```\n\nFull list of vendoring options (see `defaults.go` or `pretender --help` for\ndetailed 
information):\n\n```\nvendorInterface\nvendorRelayIPv4\nvendorRelayIPv6\nvendorSOAHostname\nvendorSpoofResponseName\nvendorNoDHCPv6DNSTakeover\nvendorNoDHCPv6\nvendorNoDNS\nvendorNoMDNS\nvendorNoNetBIOS\nvendorNoLLMNR\nvendorNoLocalNameResolution\nvendorNoIPv6LNR\nvendorNoRA\nvendorNoRADNS\nvendorSpoof\nvendorDontSpoof\nvendorSpoofFor\nvendorDontSpoofFor\nvendorSpoofTypes\nvendorIgnoreDHCPv6NoFQDN\nvendorIgnoreNonMicrosoftDHCP\nvendorDelegateIgnoredTo\nvendorToggleNameResolutionSpoofing\nvendorDontSendEmptyReplies\nvendorDryMode\nvendorDryWithDHCPMode\nvendorStatelessRA\nvendorTTL\nvendorLeaseLifetime\nvendorRARouterLifetime\nvendorRAPeriod\nvendorDNSTimeout\nvendorStopAfter\nvendorVerbose\nvendorNoColor\nvendorNoTimestamps\nvendorLogFileName\nvendorNoHostInfo\nvendorHideIgnored\nvendorRedirectStderr\nvendorListInterfaces\n```\n","funding_links":[],"categories":["其他_安全与渗透","Go"],"sub_categories":["网络服务_其他"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRedTeamPentesting%2Fpretender","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRedTeamPentesting%2Fpretender","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRedTeamPentesting%2Fpretender/lists"}