Lab #2: Red Team Exercise - ackSec/DC26 GitHub Wiki

Lab #2 - Red Team Exercises

build env

Navigate to DC26/red-team-exercises by typing

cd ~/DC26/red-team-exercises

Run the script to build the environment:

sudo -E python

It should look something like this:

build env

Now open a new tab and copy/paste the url from the workstation tab into it. This will open a new terminal window as such:

new tab

Now check that our attacker Docker images were started by typing the command

sudo docker ps -a

It should look something like the screenshot below. Once you identify that both mn.attacker1 and mn.attacker2 are running, you interact with them by entering the command:

sudo docker attach mn.attacker1

Here's the running docker images and the root command prompt when you attach to the docker image:

running docker images

Today we're going to be using a couple kits developed by some awesome security folks. First we'll be looking at sdnpwn. Maintainer Site

Navigate to the directory and run the command:

./ mods

This will show you the modules available for our use as shown below:


As an attacker we are first going to try and explore our environment. Let's see if we can figure out that we're actually inside an SDN. Run the following two commands. The first will show you information about the module, and the second will actually run it:


As you can see, based on the RTT of the packets, the system was able to detect that we are inside an SDN. The controller-detect module will now help us fingerprint the SDN controller. Run the following command:

./ controller-detect -i attacker1-eth0 --lldp -v -d

This will take a minute or two to run as it's capturing, timing and fingerprinting LLDP messages. The output should look like this:


There are many other attacks that can be done within this system using these frameworks. Feel free to explore them and try some things out!

For the next few parts of this exercise we are going to attack the controller via the command channel. Exit out of the docker image by typing.


Your command prompt should look like this:


Change to the sdnpwn directory and run the setup script as shown above.

To test that the installation worked, as well as to see some of the other capabilities, run the below command:

./ of-gen info

This is a toolkit for crafting packets which enables us to perform fuzzing on the controller to fingerprint flows, or force unexpected behavior.


Next - we're just going to have a very brief look at the core code that can assist in spoofing an openflow switch. This tool can be used to gather info on flows, to "lie" to the controller, or to add rogue devices on the network. The following command will navigate out of the sdnpwn directory and run a separate program. This was developed by Gregory Pickett, and more information can be found commented inside the code.

python ~/DC26/red-team-exercises/ $CONTROLLER_IP -p 6653

This will set up a temporary switch, and with minimal modifications to the code, it can be used to host any number of rogue devices as shown below:


Feel free to explore the other tools in the kit. Some require tweaking, some require Openflow version changes, but it's a great framework and starting point for developing your own SDN attack tools and methods.

Let's move on to the next section!