Pretend

pretend is a simple tool for altering your user identity (uid), group identity (gid), and your list of supplementary group identities (sgids) in Linux.

That's awesome! 1337 h4X0rZ rUL3!!

Uh, no. This isn't an exploit. This is a tool that lets you legitimately change your uid/gid/sgids using the normal mechanisms of the underlying operating system. Changing identity is a privileged operation reserved for accounts with the CAP_SETUID capability, which normally means root. Actually, this tool is a very simple wrapper for the system calls that do exactly this:

So what then?! I'll just use su!

su is good for switching uids for identities that already exist on the machine. However, if the identity isn't in /etc/passwd, then su will throw an error.

empty@monkey:~$ sudo su foo
Unknown id: foo

Further, you can't use su to change to a uid for which you only have the numeric value and not the human-readable string. pretend gives you this functionality.

But why would I ever need that?

There are many reasons why you may want to quickly switch to a non-valid user id:

  • Performing a forensic analysis of filesystems that originated from other hosts.
  • Gaining access to a remote root-squashed filesystem as part of a pentest, for which you have no valid user map.
  • Launching or accessing a process, to meet a critical business need, after the process owner has left the company (and the account has been terminated).

Usage

Usage: pretend uid:gid[:gid1:gid2:...] COMMAND [ARGS]
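
The following is an added example, not pretend's own source: a minimal C sketch of a wrapper that parses the uid:gid[:gid1:gid2:...] argument shown above and applies it with setgroups(), setgid() and setuid(). The names parse_ident, apply_ident and MAX_SGIDS are hypothetical, and treating every field after the second as a supplementary gid is an assumption based on the usage line.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_SGIDS 64 /* assumption: cap chosen for this example */
struct ident { uid_t uid; gid_t gid; gid_t sgids[MAX_SGIDS]; size_t nsgids; };

/* Parse one decimal id ending at ':' or NUL. Rejects empty fields, signs,
 * whitespace, overflow, and 0xFFFFFFFF, which is (uid_t)-1, a reserved value. */
static int parse_id(const char **s, unsigned long *out) {
    char *end;
    if (**s < '0' || **s > '9') return -1;
    errno = 0;
    *out = strtoul(*s, &end, 10);
    if (errno || *out >= 0xFFFFFFFFUL || (*end != ':' && *end != '\0')) return -1;
    *s = end;
    return 0;
}

/* Parse "uid:gid[:gid1:gid2:...]". Returns 0 on success, -1 if malformed. */
int parse_ident(const char *spec, struct ident *id) {
    unsigned long v;
    if (parse_id(&spec, &v) || *spec++ != ':') return -1;
    id->uid = (uid_t)v;
    if (parse_id(&spec, &v)) return -1;
    id->gid = (gid_t)v;
    for (id->nsgids = 0; *spec == ':'; id->sgids[id->nsgids++] = (gid_t)v) {
        spec++;
        if (id->nsgids == MAX_SGIDS || parse_id(&spec, &v)) return -1;
    }
    return *spec == '\0' ? 0 : -1;
}

/* Groups first, then gid, then uid: after setuid() to a non-root uid the process
 * no longer has the privilege for the other two calls. Every return is checked. */
int apply_ident(const struct ident *id) {
    if (setgroups(id->nsgids, id->sgids) || setgid(id->gid) || setuid(id->uid)) return -1;
    if (id->uid != 0 && setuid(0) == 0) return -1; /* must not be able to regain root */
    return (geteuid() == id->uid && getegid() == id->gid) ? 0 : -1;
}

int main(int argc, char **argv) {
    struct ident id;
    if (argc < 3 || parse_ident(argv[1], &id) || apply_ident(&id)) return 1;
    execvp(argv[2], &argv[2]);
    return 1; /* reached only if execvp() failed */
}
```

Run without CAP_SETUID and CAP_SETGID, apply_ident() fails at the first call and nothing is executed.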

Examples

Let's start with some basic use examples:

empty@monkey:~$ id
uid=1000(empty) gid=1000(empty) groups=1000(empty),4(adm),24(cdrom),25(floppy),29(audio)

empty@monkey:~$ sudo pretend 5:26:103:110:50 id
uid=5(games) gid=26(tape) groups=60(games),50(staff),103(ssh),110(kvm)

empty@monkey:~$ sudo pretend 5:26:103:110:50 bash
games@monkey:~$ whoami
games

empty@monkey:~$ sudo pretend 666:9000:9000 bash
I have no name!@monkey:~$ whoami
whoami: cannot find name for user ID 666
I have no name!@monkey:~$ id
uid=666 gid=9000 groups=9000

Here is a more advanced usage example, looping over the entries of a remote root-squashed file system without read privileges:

root@monkey:/mnt# ls -l target_vol
drwxr-x---     2  8803     6211    4096 May 22  2011 foo/
drwxr-x---     2  9836     6211    4096 Jun  7  2012 bar/
drwxr-x---     3  7438     6211    4096 Apr 19  2007 baz/

root@monkey:/mnt# for i in `ls --color=no -1`; do pretend `ls -ld $i | awk '{print $3,$4}' OFS=:` ls -al; done

Installation

git clone https://github.com/emptymonkey/pretend.git
cd pretend
make

A Quick Note on Ethics

I write and release these tools with the intention of educating the larger IT community and empowering legitimate pentesters. If I can write these tools in my spare time, then rest assured that the dedicated malicious actors have already developed versions of their own.
