Exploit the possiblities

SSDP Amplification Scanner

SSDP Amplification Scanner
Posted Aug 25, 2014

SSDP amplification scanner written in Python. Makes use of Scapy.

tags | exploit, tool, python
MD5 | dfc27673f907456fb104eb06f3a59b7b

SSDP Amplification Scanner

Change Mirror Download
  

from scapy.all import *
from struct import *
import sys
import socket
import time
import threading
import random
from threading import Thread


########################
#Remember the SSDP scanner keeps all packets received, so make sure you sort them example command:

#Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.


#Here is a small list of commands that can help you sort your list:

#This command removes the length of the responce and puts the output in line-by-line list format:
#cat scannedlist.txt | awk '{print $1}' | sort -u | sort -R > output.txt

#This next command sorts for all packets over 300 byte reply size and saves the output to a list:
#cat scannedlist.txt | awk '$2 > 300' | awk 'print $1' | sort -u | sort -R > output.txt

#This next command sorts for all reflectors that replyed with 10 or more packets (this is my favorite):
#cat scannedlist.txt | sort | uniq -c | awk '$2 > 10' | awk 'print $2' | sort -u | sort -R > output.txt
########################

if len (sys.argv) != 4:
print "Usage: ./" + sys.argv[0] + " [ip-start] [ip-end] [output]\n Notice: This script requires Scapy (available with apt-get or yum installs\n Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.\n V.1.0 Made by XXX"
sys.exit()

mydestport = random.randint(400,65535)
conf.verb = 0
data = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"
recv = 0


def eth_addr (a) :
b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5]))
return b

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('google.com', 80))
myhost = sock.getsockname()[0]
sock.close()


def ipRange(start_ip, end_ip):
start = list(map(int, start_ip.split(".")))
end = list(map(int, end_ip.split(".")))
temp = start
ip_range = []

ip_range.append(start_ip)
while temp != end:
start[3] += 1
for i in (3, 2, 1):
if temp[i] == 256:
temp[i] = 0
temp[i-1] += 1
ip_range.append(".".join(map(str, temp)))

return ip_range

ip_range = ipRange(sys.argv[1], sys.argv[2])

def startscan():
total = 0
for server in ip_range:

sys.stdout.write("\rSent %d Packets | Received %d Packets" % (total, recv))
sys.stdout.flush()
packet = IP(dst=server)/UDP(sport=mydestport,dport=1900)/Raw(load=data)
send(packet)
total = total + 1

def listen():
global recv
try:
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
except socket.error , msg:
sys.exit()


while True:
packet = s.recvfrom(65565)


packet = packet[0]

eth_length = 14

eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])

if eth_protocol == 8 :
ip_header = packet[eth_length:20+eth_length]

iph = unpack('!BBHHHBBH4s4s' , ip_header)

version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF

iph_length = ihl * 4

ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);


if protocol == 17 :
u = iph_length + eth_length
udph_length = 8
udp_header = packet[u:u+8]

udph = unpack('!HHHH' , udp_header)

source_port = udph[0]
dest_port = udph[1]
length = udph[2]
checksum = udph[3]

if dest_port == mydestport :
if d_addr == myhost :

list = open(sys.argv[3], 'a')
list.write("%s %d\n" % (s_addr, length))
recv = recv + 1

h_size = eth_length + iph_length + udph_length
data_size = len(packet) - h_size

data = packet[h_size:]

if __name__ == '__main__':
Thread(target = startscan).start()
Thread(target = listen).start()



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close