v1.2.0

Version 1.2.0 overhauls the router advertisement logic and introduces new attack modes: Stateless DNS takeover via the RDNSS option in router advertisements (RFC 6106) without DHCPv6 being involved, as well as a hybrid mode with DHCPv6 still enabled as a fallback. When setting --stateless-ra, the router advertisements do not advertise a DHCPv6 server anymore but immediately set a DNS server nonetheless. By default, the DHCPv6 server still stays enabled to answer requests that come in regardless of the RA flags. This hybrid mode can be disabled via --no-dhcp for a pure stateless DNS takeover.

The stateless DNS takeover has the advantage that the DNS server configuration is actively pushed out via RA instead of pulled via DHCPv6 by the clients. Another advantage is that pretender does not need to assign IPv6 addresses (when hybrid mode is disabled) and thus leaves less of a footprint. Finally, the DNS server is immediately removed from the clients as soon as they receive the de-advertisement that is sent when pretender is stopped.

The downside of stateless DNS takeover is that pretender cannot control who receives the DNS server such that --spoof-for and --dont-spoof-for cannot be honored during this step, only later when receiving DNS queries. To avoid disturbing clients unintentionally, it is recommended to use --delegate-ignored-to in conjunction with --spoof and --dont-spoof in stateless mode (pretender will suggest this in a warning when using --spoof-for/--dont-spoof-for).

Here is the full change list:

• pretender now supports stateless DNS takeover via RDNSS option in router advertisements (RFC 6106) without DHCPv6 as well as a hybrid mode (--stateless-ra, hybrid mode can be disabled with --no-dhcp).
• pretender now responds to router solicitations with a solicited router advertisement if router advertisements are enabled.
• Router advertisements now include the DNS server address (if enabled).
• The default value for --router-lifetime was changed to 0 to avoid unnecessarily advertising as a gateway.
• If router advertisements are enabled, a de-advertisement is now sent before terminating regardless of the configured --router-lifetime.
• DHCPv6 T1 and T2 values are now dynamically computed based on --lease-lifetime.
• All dependencies were updated.

v1.1.1

This minor update adds the new option --dry-with-dhcp that can be used together with the --delegate-ignored-to option introduced in v1.1.0 to see all name resolution queries without disrupting the network.

v1.1.0

After almost a year, it is time for a pretender update. While pretender was already good at spoofing, with this update it got a lot better at not spoofing. With the new --delegate-ignored-to option, pretender can delegate ignored DNS queries to an arbitrary upstream DNS server. This is especially useful for Kerberos Relaying, where only SOA queries need to be spoofed. In general, this should make DHCPv6 DNS Takeover a lot less intrusive when targeting specific hosts or queries.

Here is the full change list:

• An upstream DNS server can now be configured using the new option --delegate-ignored-to. With this option, ignored queries will be answered by the upstream server.
• Ignored DNS queries are now answered with an empty reply instead of none at all. The old behavior can be restored with the --dont-send-empty-replies option.
• In --spoof and --dont-spoof rules, a single dot (.) now matches local names that don't contain a dot.
• The .local suffix of mDNS queries is now ignored to make matching --spoof and --dont-spoof rules more consistent.
• The long-form options --ip4 and --ip6 were renamed to --ipv4 and --ipv6
• DNS timeouts are now configurable with --dns-timeout.
• Colored output now also works on Windows.
• A few minor fixes.

v1.0.0

This release allows pretender to perform Kerberos relaying attacks together with krbrelayx. Specify your relay target with --soa-hostname. If you only want to do Kerberos relaying you can specify --spoof-types SOA to ignore unrelated queries. Check out these blog posts for more information about Kerberos relaying:

• https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
• https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html

We've also updated our own blog post with more information about Kerberos relaying.

v0.11.0

This is the initial public release. Read our accompanying blog post for more information.