SSDP Amplification Scanner



EKU-ID: 4209 CVE: OSVDB-ID:
Author: SaMaN Published: 2014-08-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


	

    from scapy.all import *
    from struct import *
    import sys
    import socket
    import time
    import threading
    import random
    from threading import Thread
     
     
    ########################
    #Remember the SSDP scanner keeps all packets received, so make sure you sort them example command:
     
    #Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.
     
     
    #Here is a small list of commands that can help you sort your list:
     
    #This command removes the length of the responce and puts the output in line-by-line list format:
    #cat scannedlist.txt | awk '{print $1}' | sort -u | sort -R > output.txt
     
    #This next command sorts for all packets over 300 byte reply size and saves the output to a list:
    #cat scannedlist.txt | awk '$2 > 300' | awk 'print $1' | sort -u | sort -R > output.txt
     
    #This next command sorts for all reflectors that replyed with 10 or more packets (this is my favorite):
    #cat scannedlist.txt | sort | uniq -c | awk '$2 > 10' | awk 'print $2' | sort -u | sort -R > output.txt
    ########################
     
    if len (sys.argv) != 4:
            print "Usage: ./" + sys.argv[0] + " [ip-start] [ip-end] [output]\n      Notice: This script requires Scapy (available with apt-get or yum installs\n    Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.\n   V.1.0 Made by XXX"
            sys.exit()
     
    mydestport = random.randint(400,65535)
    conf.verb = 0
    data = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"
    recv = 0
     
     
    def eth_addr (a) :
      b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5]))
      return b
     
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect(('google.com', 80))
    myhost = sock.getsockname()[0]
    sock.close()
     
           
    def ipRange(start_ip, end_ip):
       start = list(map(int, start_ip.split(".")))
       end = list(map(int, end_ip.split(".")))
       temp = start
       ip_range = []
       
       ip_range.append(start_ip)
       while temp != end:
          start[3] += 1
          for i in (3, 2, 1):
             if temp[i] == 256:
                temp[i] = 0
                temp[i-1] += 1
          ip_range.append(".".join(map(str, temp)))
     
       return ip_range
     
    ip_range = ipRange(sys.argv[1], sys.argv[2])
     
    def startscan():
            total = 0      
            for server in ip_range:
                   
                    sys.stdout.write("\rSent %d Packets | Received %d Packets" % (total, recv))
                    sys.stdout.flush()     
                    packet = IP(dst=server)/UDP(sport=mydestport,dport=1900)/Raw(load=data)
                    send(packet)
                    total = total + 1
     
    def listen():
            global recv
            try:
                s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
            except socket.error , msg:
                sys.exit()
     
     
            while True:
                packet = s.recvfrom(65565)
         
     
                packet = packet[0]
         
                eth_length = 14
         
                eth_header = packet[:eth_length]
                eth = unpack('!6s6sH' , eth_header)
                eth_protocol = socket.ntohs(eth[2])
     
                if eth_protocol == 8 :
                    ip_header = packet[eth_length:20+eth_length]
                     
                    iph = unpack('!BBHHHBBH4s4s' , ip_header)
     
                    version_ihl = iph[0]
                    version = version_ihl >> 4
                    ihl = version_ihl & 0xF
     
                    iph_length = ihl * 4
     
                    ttl = iph[5]
                    protocol = iph[6]
                    s_addr = socket.inet_ntoa(iph[8]);
                    d_addr = socket.inet_ntoa(iph[9]);
     
     
                    if protocol == 17 :
                        u = iph_length + eth_length
                        udph_length = 8
                        udp_header = packet[u:u+8]
     
                        udph = unpack('!HHHH' , udp_header)
                 
                        source_port = udph[0]
                        dest_port = udph[1]
                        length = udph[2]
                        checksum = udph[3]
                 
                        if dest_port == mydestport :
                            if d_addr == myhost :
     
                                    list = open(sys.argv[3], 'a')
                                    list.write("%s %d\n" % (s_addr, length))
                                    recv = recv + 1
     
                        h_size = eth_length + iph_length + udph_length
                        data_size = len(packet) - h_size
                 
                        data = packet[h_size:]
     
    if __name__ == '__main__':
        Thread(target = startscan).start()
        Thread(target = listen).start()