Generalize LLMNR response name spoofing for DNS

Author: rtpt-erikgeiser

README.md

@@ -110,8 +110,6 @@ For more information, run `pretender --help`.
 - If you only want to perform Kerberos relaying via dynamic updates you can
   specify `--no-lnr` and `--spoof-types SOA` to ignore any queries that are
   unrelated to the attack.
-- Kerberos relaying via spoofed LLMNR names (`--spoof-llmnr-name`) is more
-  effective when mDNS and NetBIOS-NS are disabled (`--no-netbios --no-mdns`).
 - When conducting a Kerberos relay attack where `krbrelayx.py` runs on a
   different host than pretender (relay IPv4 address points to different host
   that runs `krbrelayx.py`), the host running `krbrelayx.py` will also need to
@@ -162,7 +160,7 @@ vendorInterface
 vendorRelayIPv4
 vendorRelayIPv6
 vendorSOAHostname
-vendorSpoofLLMNRName
+vendorSpoofResponseName
 vendorNoDHCPv6DNSTakeover
 vendorNoDHCPv6
 vendorNoDNS

cli.go

@@ -18,18 +18,18 @@ var stdErr = os.Stderr // this is used to make stderr redirectable without side
 
 // Config holds the configuration.
 type Config struct {
-	RelayIPv4      net.IP
-	RelayIPv6      net.IP
-	SOAHostname    string
-	SpoofLLMNRName string
-	Interface      *net.Interface
-	TTL            time.Duration
-	LeaseLifetime  time.Duration
-	RouterLifetime time.Duration
-	LocalIPv6      net.IP
-	RAPeriod       time.Duration
-	StatelessRA    bool
-	DNSTimeout     time.Duration
+	RelayIPv4         net.IP
+	RelayIPv6         net.IP
+	SOAHostname       string
+	SpoofResponseName string
+	Interface         *net.Interface
+	TTL               time.Duration
+	LeaseLifetime     time.Duration
+	RouterLifetime    time.Duration
+	LocalIPv6         net.IP
+	RAPeriod          time.Duration
+	StatelessRA       bool
+	DNSTimeout        time.Duration
 
 	NoDHCPv6DNSTakeover   bool
 	NoDHCPv6              bool
@@ -147,16 +147,12 @@ func (c Config) PrintSummary() {
 		}
 	}
 
-	if c.SpoofLLMNRName != "" {
-		fmt.Println("LLMNR response names spoofed as:", c.SpoofLLMNRName)
+	if c.SpoofResponseName != "" {
+		fmt.Println("DNS/LLMNR response names spoofed as:", c.SpoofResponseName)
 
-		switch {
-		case c.NoLLMNR:
-			fmt.Println(c.style(fgYellow, bold) + "Warning:" + c.style(reset) + c.style(fgYellow) +
-				" LLMNR spoofing is enabled but LLMNR itself is disabled" + c.style())
-		case !c.NoNetBIOS, !c.NoMDNS:
+		if c.NoLLMNR && c.NoDNS {
 			fmt.Println(c.style(fgYellow, bold) + "Warning:" + c.style(reset) + c.style(fgYellow) +
-				" LLMNR name spoofing is more effective when mDNS and NetBIOS-NS are disabled" + c.style())
+				" Response name spoofing is enabled but LLMNR and DNS are disabled" + c.style())
 		}
 	}
 
@@ -244,8 +240,8 @@ func configFromCLI() (config *Config, logger *Logger, err error) {
 		"Relay IPv6 address with which queries are answered, supports\nauto-detection by interface")
 	pflag.StringVar(&config.SOAHostname, "soa-hostname", defaultSOAHostname,
 		"Hostname for the SOA record (useful for Kerberos relaying)")
-	pflag.StringVar(&config.SpoofLLMNRName, "spoof-llmnr-name", defaultSpoofLLMNRName,
-		"Spoof name LLMNR replies to influnce SPNs (it is recommended to disable mDNS/NetBIOS-NS)")
+	pflag.StringVar(&config.SpoofResponseName, "spoof-response-name", defaultSpoofResponseName,
+		"Spoof response name to influnce SPNs (works with DNS and LLMNR, NetBIOS and mDNS will be ignored)")
 
 	pflag.BoolVar(&config.NoDHCPv6DNSTakeover, "no-dhcp-dns", defaultNoDHCPv6DNSTakeover,
 		"Disable DHCPv6 DNS takeover attack (DHCPv6 and DNS, mutually\nexlusive with --stateless-ra)")

defaults.go

@@ -14,11 +14,11 @@ var (
 	// vendors can set the following values to tweak the default configuration
 	// during compilation as with -ldflags "-X main.vendorInterface=eth1".
 
-	vendorInterface      = ""
-	vendorRelayIPv4      = ""
-	vendorRelayIPv6      = ""
-	vendorSOAHostname    = ""
-	vendorSpoofLLMNRName = ""
+	vendorInterface         = ""
+	vendorRelayIPv4         = ""
+	vendorRelayIPv6         = ""
+	vendorSOAHostname       = ""
+	vendorSpoofResponseName = ""
 
 	vendorNoDHCPv6DNSTakeover   = ""
 	vendorNoDHCPv6              = ""
@@ -63,11 +63,11 @@ var (
 )
 
 var (
-	defaultInterface      = vendorInterface
-	defaultRelayIPv4      = forceIP(vendorRelayIPv4, nil)
-	defaultRelayIPv6      = forceIP(vendorRelayIPv6, nil)
-	defaultSOAHostname    = vendorSOAHostname
-	defaultSpoofLLMNRName = vendorSpoofLLMNRName
+	defaultInterface         = vendorInterface
+	defaultRelayIPv4         = forceIP(vendorRelayIPv4, nil)
+	defaultRelayIPv6         = forceIP(vendorRelayIPv6, nil)
+	defaultSOAHostname       = vendorSOAHostname
+	defaultSpoofResponseName = vendorSpoofResponseName
 
 	defaultNoDHCPv6DNSTakeover   = forceBool(vendorNoDHCPv6DNSTakeover, false)
 	defaultNoDHCPv6              = forceBool(vendorNoDHCPv6, false)

dns.go

@@ -69,7 +69,8 @@ func createDNSReplyFromRequest(
 		questionName := normalizedNameFromQuery(q, handlerType)
 		allQuestions = append(allQuestions, fmt.Sprintf("%q (%s)", questionName, queryType(q, request.Opcode)))
 
-		shouldRespond, reason := shouldRespondToNameResolutionQuery(config, questionName, q.Qtype, peer, peerHostnames)
+		shouldRespond, reason := shouldRespondToNameResolutionQuery(
+			config, questionName, q.Qtype, peer, peerHostnames, handlerType)
 		if !shouldRespond {
 			answers := handleIgnored(logger, q, questionName, queryType(q, request.Opcode),
 				peer, reason, handlerType, rw.RemoteAddr().Network(), delegateQuestion)
@@ -79,8 +80,8 @@ func createDNSReplyFromRequest(
 		}
 
 		answerName := q.Name
-		if handlerType == HandlerTypeLLMNR && config.SpoofLLMNRName != "" {
-			answerName = dns.Fqdn(config.SpoofLLMNRName)
+		if config.SpoofResponseName != "" {
+			answerName = dns.Fqdn(config.SpoofResponseName)
 		}
 
 		switch q.Qtype {
@@ -160,7 +161,6 @@ func createDNSReplyFromRequest(
 		}
 	}
 
-	// don't send a reply at all if we don't actually spoof anything
 	if len(reply.Answer) == 0 && len(reply.Ns) == 0 && len(reply.Extra) == 0 &&
 		(handlerType != HandlerTypeDNS || config.DontSendEmptyReplies) {
 		logger.Debugf("ignoring query for %s from %s because no answers were configured",

dns_test.go

@@ -355,6 +355,37 @@ func TestDelegatedQueryUDP(t *testing.T) {
 	}
 }
 
+func TestDNSResponseNameSpoofing(t *testing.T) {
+	aQuery := &dns.Msg{}
+	aQuery.SetQuestion("test", dns.TypeAAAA)
+
+	relayIP := mustParseIP(t, "fe80::1")
+	mockRW := mockResonseWriter{Remote: &net.UDPAddr{IP: mustParseIP(t, "10.0.0.1")}}
+
+	cfg := &Config{RelayIPv6: relayIP, TTL: 60 * time.Second, SpoofResponseName: "spoofedname"}
+
+	reply := createDNSReplyFromRequest(mockRW, aQuery, nil, cfg, HandlerTypeDNS, nil)
+	if reply == nil {
+		t.Fatalf("no message was created")
+	}
+
+	if len(reply.Question) != 1 {
+		t.Fatalf("reply does %d questions instead of 1", len(reply.Question))
+	}
+
+	if reply.Question[0].Name != "test" {
+		t.Fatalf("reply contains question %q instead of %q", reply.Question[0].Name, "test.")
+	}
+
+	if len(reply.Answer) != 1 {
+		t.Fatalf("reply contains %d answers instead of 1", len(reply.Answer))
+	}
+
+	if reply.Answer[0].Header().Name != "spoofedname." {
+		t.Fatalf("reply answer name is %q instead of %q", reply.Answer[0].Header().Name, "spoofedname.")
+	}
+}
+
 func TestDelegatedQueryTCP(t *testing.T) {
 	aQuery := &dns.Msg{}
 	aQuery.SetQuestion("host", dns.TypeA)

filter.go

@@ -41,7 +41,7 @@ func containsDomain(haystack []string, needle string) bool {
 }
 
 func shouldRespondToNameResolutionQuery(config *Config, host string, queryType uint16,
-	from net.IP, fromHostnames []string,
+	from net.IP, fromHostnames []string, handlerType HandlerType,
 ) (bool, string) {
 	if config.spoofingTemporarilyDisabled {
 		return false, "spoofing is temporarily disabled"
@@ -51,6 +51,10 @@ func shouldRespondToNameResolutionQuery(config *Config, host string, queryType u
 		return false, "dry mode"
 	}
 
+	if config.SpoofResponseName != "" && (handlerType == HandlerTypeMDNS || handlerType == HandlerTypeNetBIOS) {
+		return false, "response name spoofing not supported for " + string(handlerType)
+	}
+
 	if strings.HasPrefix(strings.ToLower(host), isatapHostname) {
 		return false, "ISATAP is always ignored"
 	}

filter_test.go

@@ -26,6 +26,7 @@ func TestFilterNameResolutionQuery(t *testing.T) { //nolint:maintidx
 		NoRelayIPv4Configured       bool
 		NoRelayIPv6Configured       bool
 		SpoofingTemporarilyDisabled bool
+		SpoofResponseName           string
 
 		Host          string
 		QueryType     uint16 // defaults to A
@@ -350,6 +351,38 @@ func TestFilterNameResolutionQuery(t *testing.T) { //nolint:maintidx
 			SpoofingTemporarilyDisabled: true,
 			ShouldRespond:               false,
 		},
+		{
+			TestName:          "ignore mDNS when response name spoofing is active",
+			Host:              "foo",
+			From:              someIP,
+			SpoofResponseName: "test",
+			HandlerType:       HandlerTypeMDNS,
+			ShouldRespond:     false,
+		},
+		{
+			TestName:          "ignore NetBIOS when response name spoofing is active",
+			Host:              "foo",
+			From:              someIP,
+			SpoofResponseName: "test",
+			HandlerType:       HandlerTypeNetBIOS,
+			ShouldRespond:     false,
+		},
+		{
+			TestName:          "do not ignore DNS when response name spoofing is active",
+			Host:              "foo",
+			From:              someIP,
+			SpoofResponseName: "test",
+			HandlerType:       HandlerTypeDNS,
+			ShouldRespond:     true,
+		},
+		{
+			TestName:          "do not ignore LLMNR when response name spoofing is active",
+			Host:              "foo",
+			From:              someIP,
+			SpoofResponseName: "test",
+			HandlerType:       HandlerTypeLLMNR,
+			ShouldRespond:     true,
+		},
 	}
 
 	hostMatcherLookupFunction = func(host string, _ time.Duration) ([]net.IP, error) {
@@ -385,6 +418,7 @@ func TestFilterNameResolutionQuery(t *testing.T) { //nolint:maintidx
 				DryWithDHCPv6Mode:           testCase.DryWithDHCPv6Mode,
 				SpoofTypes:                  types,
 				SOAHostname:                 "test",
+				SpoofResponseName:           testCase.SpoofResponseName,
 				spoofingTemporarilyDisabled: testCase.SpoofingTemporarilyDisabled,
 			}
 
@@ -407,7 +441,8 @@ func TestFilterNameResolutionQuery(t *testing.T) { //nolint:maintidx
 			}
 
 			shouldRespond, _ := shouldRespondToNameResolutionQuery(cfg,
-				normalizedName(testCase.Host, handlerType), testCase.QueryType, testCase.From, testCase.FromHostnames)
+				normalizedName(testCase.Host, handlerType),
+				testCase.QueryType, testCase.From, testCase.FromHostnames, testCase.HandlerType)
 			if shouldRespond != testCase.ShouldRespond {
 				t.Errorf("shouldRespondToNameResolutionQuery returned %v instead of %v",
 					shouldRespond, testCase.ShouldRespond)

local_name_resolution_test.go

@@ -81,11 +81,11 @@ func TestNetBIOS(t *testing.T) {
 	}
 }
 
-func TestLLMNRNameSpoofing(t *testing.T) {
+func TestLLMNRResponseNameSpoofing(t *testing.T) {
 	relayIP := mustParseIP(t, "fe80::1")
 	mockRW := mockResonseWriter{Remote: &net.UDPAddr{IP: mustParseIP(t, "10.0.0.1")}}
 	request := readNameServiceMessage(t, "testdata/llmnr_request.bin")
-	cfg := &Config{RelayIPv6: relayIP, TTL: 60 * time.Second, SpoofLLMNRName: "spoofedname"}
+	cfg := &Config{RelayIPv6: relayIP, TTL: 60 * time.Second, SpoofResponseName: "spoofedname"}
 
 	reply := createDNSReplyFromRequest(mockRW, request, nil, cfg, HandlerTypeLLMNR, nil)
 	if reply == nil {
@@ -109,6 +109,30 @@ func TestLLMNRNameSpoofing(t *testing.T) {
 	}
 }
 
+func TestMDNSNoResponseNameSpoofing(t *testing.T) {
+	relayIP := mustParseIP(t, "fe80::1")
+	mockRW := mockResonseWriter{Remote: &net.UDPAddr{IP: mustParseIP(t, "10.0.0.1")}}
+	request := readNameServiceMessage(t, "testdata/llmnr_request.bin")
+	cfg := &Config{RelayIPv6: relayIP, TTL: 60 * time.Second, SpoofResponseName: "spoofedname"}
+
+	reply := createDNSReplyFromRequest(mockRW, request, nil, cfg, HandlerTypeMDNS, nil)
+	if reply != nil {
+		t.Fatalf("an mDNS response was created even though mDNS does not support response name spoofing")
+	}
+}
+
+func TestNetBIOSNoResponseNameSpoofing(t *testing.T) {
+	relayIP := mustParseIP(t, "fe80::1")
+	mockRW := mockResonseWriter{Remote: &net.UDPAddr{IP: mustParseIP(t, "10.0.0.1")}}
+	request := readNameServiceMessage(t, "testdata/llmnr_request.bin")
+	cfg := &Config{RelayIPv6: relayIP, TTL: 60 * time.Second, SpoofResponseName: "spoofedname"}
+
+	reply := createDNSReplyFromRequest(mockRW, request, nil, cfg, HandlerTypeNetBIOS, nil)
+	if reply != nil {
+		t.Fatalf("an NetBIOS response was created even though NetBIOS does not support response name spoofing")
+	}
+}
+
 func TestSubnetBroadcastListenIP(t *testing.T) {
 	testCases := []struct {
 		Net         string