dash/slpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
0014f8210b9eedadec1f7b5263dcfc1c7ba4ff37
slpscan/README.md
dash 0014f8210b Initial commit
2026-01-23 20:47:54 +01:00

106 lines
3.9 KiB
Markdown
Raw Blame History

# slpscan - service location protocol scanner
## intro
This is a research tool, created for looking deeper into SLP at the internet.
Due current events we decided to publish a version of it, to support defenders and researchers tackle the current ESXi exploitation scheme.
## usage
Show all supported functions
```
./slpscan.py -m ?
----------------------------------------------------------------------
SLPv1 Modes Operation Description
----------------------------------------------------------------------
svc_req_v1 1
svc_reply_v1 2
svc_attr_req_v1 6
svc_attr_reply_v1 7
svc_type_req_v1 9
svc_type_reply_v1 10
----------------------------------------------------------------------
SLPv2 Modes Operation Description
----------------------------------------------------------------------
svc_req_v2 1
svc_reply_v2 2
svc_attr_req_v2 6
svc_attr_reply_v2 7
svc_type_req_v2 9
svc_type_reply_v2 10
```
Do slp svc req v2
`./slpscan.py -l 192.168.170.50 -m svc_req_v2`
Do slp svc type req v1
`./slpscan.py -l 192.168.170.50 -m svc_type_req_v1`
Do slp attribute req for vmware v2
`./slpscan.py -l 192.168.170.50 -m svc_attr_req_v2`
Show supported probes
```
./slpscan.py -P?
SLP Request | Brief | Devices
-------------------------------------------------------------------------------
svc_type_req_holder_v1 | example pkt, svc_type_req_v1 |
svc_attr_req_holder_v1 | example request, svc_attr_req_v1 |
svc_req_holder_v2 | example pkt, svc_req_v2 |
svc_type_req_holder_v2 | example pkt, svc_type_req_v2 |
svc_attr_req_holder_v2 | example pkt, svc_attr_req_v2 |
VMWARE_SVC_Request_https | service:https |
```
For SLP identification against ESXi Hosts use the probe published within the release:
```
./slpscan.py -l <ip> -P VMWARE_SVC_Request_https
```
If you have a datacenter and need to check a big list of hosts use the -L option.
If you have a specific probe you can easily add it to the probe json file in the libs directory. There are already several examples to do so.
General help:
```
usage: slpscan.py [-h] [-l HOST] [-L HOSTLIST] [-p PORT] [-t THRCNT] [-m SLP_MODE]
[-P PROBE_MODE] [-d PKT_DELAY] [-T TIMEOUT] [-o OUTFILE] [-oj OUTFILE_JSON]
[-r UNRANDOM] [-R RANDOMIP]
service location protocol 0.3.7 by dash in published 2023
options:
-h, --help show this help message and exit
-l HOST, --host HOST host to check version
-L HOSTLIST, --hostlist HOSTLIST
hostlist to check
-p PORT, --port PORT slp port (default:427)
-t THRCNT, --threads THRCNT
how many threads
-m SLP_MODE, --slp-mode SLP_MODE
what attack mode to choose, ? for list
-P PROBE_MODE, --probe-mode PROBE_MODE
what probe to send, ? for list
-d PKT_DELAY, --packet-delay PKT_DELAY
set the delay(in seconds) a packet is sent, delay is per thread (1s and
10 threads, each second 10 threads are working)
-T TIMEOUT, --timeout TIMEOUT
timeout of socket recv
-o OUTFILE, --outfile OUTFILE
outfile in txt format
-oj OUTFILE_JSON, --outfile-json OUTFILE_JSON
outfile in json format
-r UNRANDOM, --unrandom UNRANDOM
disable random targetlist
-R RANDOMIP, --randomIP RANDOMIP
generate random ips on the fly
```
# outro
This tool is part of an ongoing research conducted by Marco Lux (ping@curesec.com) and Pedro Umbelino (pedro.umbelino@bitsight.com).
Reference in New Issue View Git Blame Copy Permalink