from scapy.all import *
from struct import *
import sys
import socket
import time
import threading
import random
from threading import Thread
########################
#Remember the SSDP scanner keeps all packets received, so make sure you sort them example command:
#Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.
#Here is a small list of commands that can help you sort your list:
#This command removes the length of the responce and puts the output in line-by-line list format:
#cat scannedlist.txt | awk '{print $1}' | sort -u | sort -R > output.txt
#This next command sorts for all packets over 300 byte reply size and saves the output to a list:
#cat scannedlist.txt | awk '$2 > 300' | awk 'print $1' | sort -u | sort -R > output.txt
#This next command sorts for all reflectors that replyed with 10 or more packets (this is my favorite):
#cat scannedlist.txt | sort | uniq -c | awk '$2 > 10' | awk 'print $2' | sort -u | sort -R > output.txt
########################
if len (sys.argv) != 4:
print "Usage: ./" + sys.argv[0] + " [ip-start] [ip-end] [output]\n Notice: This script requires Scapy (available with apt-get or yum installs\n Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.\n V.1.0 Made by XXX"
sys.exit()
mydestport = random.randint(400,65535)
conf.verb = 0
data = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"
recv = 0
def eth_addr (a) :
b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5]))
return b
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('google.com', 80))
myhost = sock.getsockname()[0]
sock.close()
def ipRange(start_ip, end_ip):
start = list(map(int, start_ip.split(".")))
end = list(map(int, end_ip.split(".")))
temp = start
ip_range = []
ip_range.append(start_ip)
while temp != end:
start[3] += 1
for i in (3, 2, 1):
if temp[i] == 256:
temp[i] = 0
temp[i-1] += 1
ip_range.append(".".join(map(str, temp)))
return ip_range
ip_range = ipRange(sys.argv[1], sys.argv[2])
def startscan():
total = 0
for server in ip_range:
sys.stdout.write("\rSent %d Packets | Received %d Packets" % (total, recv))
sys.stdout.flush()
packet = IP(dst=server)/UDP(sport=mydestport,dport=1900)/Raw(load=data)
send(packet)
total = total + 1
def listen():
global recv
try:
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
except socket.error , msg:
sys.exit()
while True:
packet = s.recvfrom(65565)
packet = packet[0]
eth_length = 14
eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])
if eth_protocol == 8 :
ip_header = packet[eth_length:20+eth_length]
iph = unpack('!BBHHHBBH4s4s' , ip_header)
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
if protocol == 17 :
u = iph_length + eth_length
udph_length = 8
udp_header = packet[u:u+8]
udph = unpack('!HHHH' , udp_header)
source_port = udph[0]
dest_port = udph[1]
length = udph[2]
checksum = udph[3]
if dest_port == mydestport :
if d_addr == myhost :
list = open(sys.argv[3], 'a')
list.write("%s %d\n" % (s_addr, length))
recv = recv + 1
h_size = eth_length + iph_length + udph_length
data_size = len(packet) - h_size
data = packet[h_size:]
if __name__ == '__main__':
Thread(target = startscan).start()
Thread(target = listen).start()
