# slpscan - service location protocol scanner

## intro

This is a research tool, created for looking deeper into SLP on the internet. Due to current events we decided to publish a version of it, to support defenders and researchers in tackling the current ESXi exploitation scheme.

## usage

Show all supported functions:

```
./slpscan.py -m ?
----------------------------------------------------------------------
SLPv1 Modes             Operation    Description
----------------------------------------------------------------------
svc_req_v1              1
svc_reply_v1            2
svc_attr_req_v1         6
svc_attr_reply_v1       7
svc_type_req_v1         9
svc_type_reply_v1       10
----------------------------------------------------------------------
SLPv2 Modes             Operation    Description
----------------------------------------------------------------------
svc_req_v2              1
svc_reply_v2            2
svc_attr_req_v2         6
svc_attr_reply_v2       7
svc_type_req_v2         9
svc_type_reply_v2       10
```

Do an SLP svc req v2:

`./slpscan.py -l 192.168.170.50 -m svc_req_v2`

Do an SLP svc type req v1:

`./slpscan.py -l 192.168.170.50 -m svc_type_req_v1`

Do an SLP attribute req for VMware (v2):

`./slpscan.py -l 192.168.170.50 -m svc_attr_req_v2`

Show supported probes:

```
./slpscan.py -P?
SLP Request                | Brief                            | Devices
-------------------------------------------------------------------------------
svc_type_req_holder_v1     | example pkt, svc_type_req_v1     |
svc_attr_req_holder_v1     | example request, svc_attr_req_v1 |
svc_req_holder_v2          | example pkt, svc_req_v2          |
svc_type_req_holder_v2     | example pkt, svc_type_req_v2     |
svc_attr_req_holder_v2     | example pkt, svc_attr_req_v2     |
VMWARE_SVC_Request_https   | service:https                    |
```

For SLP identification against ESXi hosts use the probe published within the release:

```
./slpscan.py -l -P VMWARE_SVC_Request_https
```

If you have a datacenter and need to check a big list of hosts, use the -L option.

If you have a specific probe you can easily add it to the probe JSON file in the libs directory. There are already several examples there showing how to do so.
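As an added example that is not part of slpscan, here is a header parser a defender can run over SLP datagrams (for instance from a packet capture of port 427) to classify them with the same mode names as the table above. It decodes the SLPv1 (RFC 2165) and SLPv2 (RFC 2608) fixed headers and reports whether the length field matches the bytes actually received; the two sample packets are constructed for illustration, not captured traffic.

```python
import struct

# Function-ID names from the slpscan mode table; the same IDs are used by SLPv1 and SLPv2.
FUNCTION_NAMES = {1: "svc_req", 2: "svc_reply", 6: "svc_attr_req",
                  7: "svc_attr_reply", 9: "svc_type_req", 10: "svc_type_reply"}

def parse_slp_header(pkt: bytes) -> dict:
    """Parse the fixed header of an SLPv1 (RFC 2165) or SLPv2 (RFC 2608) message.

    'function' uses slpscan's mode names (e.g. 'svc_reply_v2'); 'length_ok' tells
    whether the header's length field matches the number of bytes received.
    """
    if len(pkt) < 2:
        raise ValueError("too short for an SLP header")
    version, function_id = pkt[0], pkt[1]
    if version == 1:
        # version(1) function(1) length(2) flags(1) dialect(1) lang(2) charset(2) xid(2)
        if len(pkt) < 12:
            raise ValueError("truncated SLPv1 header")
        length, flags, _dialect, lang, _charset, xid = struct.unpack("!HBB2sHH", pkt[2:12])
        hdr_len, lang = 12, lang.decode("ascii", "replace")
        overflow = bool(flags & 0x80)          # O bit: reply did not fit in one datagram
    elif version == 2:
        # version(1) function(1) length(3) flags(2) next-ext(3) xid(2) lang-len(2) lang(n)
        if len(pkt) < 14:
            raise ValueError("truncated SLPv2 header")
        length = int.from_bytes(pkt[2:5], "big")
        flags = int.from_bytes(pkt[5:7], "big")
        xid = int.from_bytes(pkt[10:12], "big")
        lang_len = int.from_bytes(pkt[12:14], "big")
        hdr_len = 14 + lang_len
        if len(pkt) < hdr_len:
            raise ValueError("truncated SLPv2 language tag")
        lang = pkt[14:hdr_len].decode("ascii", "replace")
        overflow = bool(flags & 0x8000)        # O bit in the 16-bit SLPv2 flags field
    else:
        raise ValueError(f"unsupported SLP version {version}")
    name = FUNCTION_NAMES.get(function_id, f"unknown_{function_id}")
    return {"version": version, "function_id": function_id, "function": f"{name}_v{version}",
            "length": length, "length_ok": length == len(pkt), "flags": flags,
            "overflow": overflow, "xid": xid, "lang": lang, "body": pkt[hdr_len:]}

# Constructed sample packets (not captured traffic): an SLPv2 SrvRply with error code 0 and
# zero URL entries, and an SLPv1 SrvTypeRqst with an empty previous-responder list.
SAMPLE_V2_SRVRPLY = (b"\x02\x02" + b"\x00\x00\x14" + b"\x00\x00" + b"\x00\x00\x00"
                     + b"\x12\x34" + b"\x00\x02" + b"en" + b"\x00\x00\x00\x00")
SAMPLE_V1_SRVTYPERQST = (b"\x01\x09" + b"\x00\x0e" + b"\x00" + b"\x00" + b"en"
                         + b"\x00\x03" + b"\x00\x01" + b"\x00\x00")

if __name__ == "__main__":
    for pkt in (SAMPLE_V2_SRVRPLY, SAMPLE_V1_SRVTYPERQST, SAMPLE_V2_SRVRPLY[:-1]):
        print(parse_slp_header(pkt))
```

A datagram whose declared length disagrees with its real size, or whose function ID is not in the table, is worth a closer look before trusting the rest of the decode.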
General help:

```
usage: slpscan.py [-h] [-l HOST] [-L HOSTLIST] [-p PORT] [-t THRCNT] [-m SLP_MODE] [-P PROBE_MODE] [-d PKT_DELAY] [-T TIMEOUT] [-o OUTFILE] [-oj OUTFILE_JSON] [-r UNRANDOM] [-R RANDOMIP]

service location protocol 0.3.7 by dash in published 2023

options:
  -h, --help            show this help message and exit
  -l HOST, --host HOST  host to check version
  -L HOSTLIST, --hostlist HOSTLIST
                        hostlist to check
  -p PORT, --port PORT  slp port (default:427)
  -t THRCNT, --threads THRCNT
                        how many threads
  -m SLP_MODE, --slp-mode SLP_MODE
                        what attack mode to choose, ? for list
  -P PROBE_MODE, --probe-mode PROBE_MODE
                        what probe to send, ? for list
  -d PKT_DELAY, --packet-delay PKT_DELAY
                        set the delay(in seconds) a packet is sent, delay is per thread (1s and 10 threads, each second 10 threads are working)
  -T TIMEOUT, --timeout TIMEOUT
                        timeout of socket recv
  -o OUTFILE, --outfile OUTFILE
                        outfile in txt format
  -oj OUTFILE_JSON, --outfile-json OUTFILE_JSON
                        outfile in json format
  -r UNRANDOM, --unrandom UNRANDOM
                        disable random targetlist
  -R RANDOMIP, --randomIP RANDOMIP
                        generate random ips on the fly
```

## outro

This tool is part of an ongoing research conducted by Marco Lux (ping@curesec.com) and Pedro Umbelino (pedro.umbelino@bitsight.com).