SSDP Amplification Scanner

2014.08.26
Credit: Anonymous
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

from scapy.all import * from struct import * import sys import socket import time import threading import random from threading import Thread ######################## #Remember the SSDP scanner keeps all packets received, so make sure you sort them example command: #Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK. #Here is a small list of commands that can help you sort your list: #This command removes the length of the responce and puts the output in line-by-line list format: #cat scannedlist.txt | awk '{print $1}' | sort -u | sort -R > output.txt #This next command sorts for all packets over 300 byte reply size and saves the output to a list: #cat scannedlist.txt | awk '$2 > 300' | awk 'print $1' | sort -u | sort -R > output.txt #This next command sorts for all reflectors that replyed with 10 or more packets (this is my favorite): #cat scannedlist.txt | sort | uniq -c | awk '$2 > 10' | awk 'print $2' | sort -u | sort -R > output.txt ######################## if len (sys.argv) != 4: print "Usage: ./" + sys.argv[0] + " [ip-start] [ip-end] [output]\n Notice: This script requires Scapy (available with apt-get or yum installs\n Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.\n V.1.0 Made by XXX" sys.exit() mydestport = random.randint(400,65535) conf.verb = 0 data = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n" recv = 0 def eth_addr (a) : b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5])) return b sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect(('google.com', 80)) myhost = sock.getsockname()[0] sock.close() def ipRange(start_ip, end_ip): start = list(map(int, start_ip.split("."))) end = list(map(int, end_ip.split("."))) temp = start ip_range = [] ip_range.append(start_ip) while temp != end: start[3] += 1 for i in (3, 2, 1): if temp[i] == 256: temp[i] = 0 temp[i-1] += 1 ip_range.append(".".join(map(str, temp))) return ip_range ip_range = ipRange(sys.argv[1], sys.argv[2]) def startscan(): total = 0 for server in ip_range: sys.stdout.write("\rSent %d Packets | Received %d Packets" % (total, recv)) sys.stdout.flush() packet = IP(dst=server)/UDP(sport=mydestport,dport=1900)/Raw(load=data) send(packet) total = total + 1 def listen(): global recv try: s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003)) except socket.error , msg: sys.exit() while True: packet = s.recvfrom(65565) packet = packet[0] eth_length = 14 eth_header = packet[:eth_length] eth = unpack('!6s6sH' , eth_header) eth_protocol = socket.ntohs(eth[2]) if eth_protocol == 8 : ip_header = packet[eth_length:20+eth_length] iph = unpack('!BBHHHBBH4s4s' , ip_header) version_ihl = iph[0] version = version_ihl >> 4 ihl = version_ihl & 0xF iph_length = ihl * 4 ttl = iph[5] protocol = iph[6] s_addr = socket.inet_ntoa(iph[8]); d_addr = socket.inet_ntoa(iph[9]); if protocol == 17 : u = iph_length + eth_length udph_length = 8 udp_header = packet[u:u+8] udph = unpack('!HHHH' , udp_header) source_port = udph[0] dest_port = udph[1] length = udph[2] checksum = udph[3] if dest_port == mydestport : if d_addr == myhost : list = open(sys.argv[3], 'a') list.write("%s %d\n" % (s_addr, length)) recv = recv + 1 h_size = eth_length + iph_length + udph_length data_size = len(packet) - h_size data = packet[h_size:] if __name__ == '__main__': Thread(target = startscan).start() Thread(target = listen).start()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top