It’s been over a year since sdnpwn was first released,  and in that time there have been a lot of updates.  In this post I’m going to give a quick overview of the newest latest to be added!

  • detect-proxy-arp
    This module was added about 7 months ago but still warrants a mention.  Basically, this will detect whether or not the controller has a proxy ARP application running. Proxy ARP will let the controller respond to ARP requests, and it’s useful to detect it because it can prevent attacks like the Data Plane ARP cache poisoning attack from working correctly.  The trick to detecting it is to have a host send an ARP request for it’s own IP address.  A request like this usually wouldn’t get a response, but if proxy ARP is running then the controller will respond to the request!  A pretty simple but cool trick!
  • of-scan
    This scanner will scan ports on a target host and try to detect if an OpenFlow service is running.  If it detects OpenFlow it’ll enumerate the available versions.  I’ll integrate this with the controller-detect fingerprinting module in the future.
  • floodlight-debug-autopwn
    This module is pretty simple.  Floodlight has a debugging service open on port 6655. Connecting to this port provides you with a Python CLI.  The module automates the process of connecting to this port, running the appropriate commands to get a reverse shell, and listening for that connection.  A very simple but effective way to take advantage of an open debug port.

Stay tuned for more updates!

Updates to sdnpwn (Version 1.7.0)
Tagged on: