sdnpwn: Security Testing the Invisible Layer Between Your Switches and Controllers
Hook
Most penetration testers can map your network perimeter in their sleep, but ask them to audit a Software-Defined Network and watch them freeze. SDN infrastructure creates an entirely new attack surface that traditional security tools weren’t built to probe.
Context
Software-Defined Networking fundamentally changed how modern networks operate by decoupling the control plane from the data plane. Instead of each switch independently making forwarding decisions, SDN centralizes network intelligence in controllers that communicate with switches using protocols like OpenFlow. This architecture introduces security challenges of its own: traditional penetration testing tools like nmap or Metasploit were never designed to understand OpenFlow handshakes or controller APIs.
sdnpwn emerged as a specialized toolkit focused on SDN penetration testing. Developed by security researchers to address the growing gap between SDN deployment and security expertise, it provides a modular framework for testing SDN controllers, emulating switches, and fingerprinting SDN infrastructure. The project gained recognition in the SDN security research community and was featured in the Awesome SDN Security list.
Technical Insight
sdnpwn’s architecture revolves around modularity, with each attack vector or testing capability implemented as an independent module that can be invoked from the command line. This design means you select specific tools for specific SDN attack scenarios rather than launching a monolithic scanner.
The core workflow is straightforward. First, you list available modules:
./sdnpwn.py mods
To understand what a specific module does and what options it accepts, you use the info module:
./sdnpwn.py info <module_name>
Then you execute the module with its required parameters:
./sdnpwn.py <module_name> <module_options>
The of-switch module emulates an OpenFlow switch for active testing: it can establish OpenFlow sessions with real SDN controllers and inject crafted traffic. This lets you observe how a controller responds to malicious or malformed messages, since the module essentially acts as a rogue network device that speaks the SDN control plane language.
The sdn-detect module provides reconnaissance capabilities for identifying SDN deployments and fingerprinting controller software. This works by analyzing behavioral patterns in OpenFlow handshakes and controller responses, similar to banner grabbing in traditional penetration testing but adapted for SDN contexts where controllers may not advertise themselves obviously.
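The two modules above meet at the same place on the wire: the OpenFlow common header and the HELLO / FEATURES_REPLY exchange that sdn-detect inspects and that of-switch produces when it poses as a switch. As an added example written from the controller-side defender's view (not sdnpwn's own code), the Python below parses that header from a captured switch-to-controller byte stream and flags a session whose announced datapath_id is not on an allowlist, which is how an emulated switch would stand out. The sample bytes, the allowlist and the two message builders are constructed here and are assumptions, not data from the project.

```python
import struct

# OpenFlow common header: version(1) type(1) length(2) xid(4), network byte order
OFP_HEADER = struct.Struct("!BBHI")
OFPT_HELLO, OFPT_FEATURES_REPLY = 0, 6
VERSIONS = {0x01: "OF1.0", 0x04: "OF1.3"}

def parse_messages(stream: bytes) -> list:
    """Split a captured byte stream into (version, type, xid, body) tuples."""
    msgs, off = [], 0
    while off < len(stream):
        if len(stream) - off < OFP_HEADER.size:
            raise ValueError("truncated OpenFlow header at offset %d" % off)
        version, mtype, length, xid = OFP_HEADER.unpack_from(stream, off)
        # A length below 8 would never advance; one past the buffer is truncation.
        if length < OFP_HEADER.size or off + length > len(stream):
            raise ValueError("bad length %d at offset %d" % (length, off))
        msgs.append((version, mtype, xid, stream[off + OFP_HEADER.size:off + length]))
        off += length
    return msgs

def audit_switch_session(stream: bytes, allowed_dpids: set) -> dict:
    """Report the version spoken and whether the announced datapath_id is expected."""
    report = {"version": None, "dpid": None, "findings": []}
    for version, mtype, _xid, body in parse_messages(stream):
        report["version"] = VERSIONS.get(version, "unknown(0x%02x)" % version)
        if mtype != OFPT_FEATURES_REPLY:
            continue
        if len(body) < 8:
            report["findings"].append("FEATURES_REPLY too short for a datapath_id")
            continue
        dpid = struct.unpack_from("!Q", body)[0]  # datapath_id is the first 8 bytes
        report["dpid"] = dpid
        if dpid not in allowed_dpids:
            report["findings"].append("unknown datapath_id 0x%016x" % dpid)
    if report["dpid"] is None:
        report["findings"].append("session never completed the features exchange")
    return report

# Constructed sample traffic (not a real capture): OF1.3 HELLO then FEATURES_REPLY,
# whose body is datapath_id, n_buffers, n_tables, auxiliary_id, 2 pad, capabilities, reserved.
def build_hello(version: int = 0x04, xid: int = 1) -> bytes:
    return OFP_HEADER.pack(version, OFPT_HELLO, OFP_HEADER.size, xid)
def build_features_reply(dpid: int, xid: int = 2) -> bytes:
    body = struct.pack("!QIBBxxII", dpid, 256, 254, 0, 0x4F, 0)
    return OFP_HEADER.pack(0x04, OFPT_FEATURES_REPLY, OFP_HEADER.size + len(body), xid) + body
KNOWN_DPIDS = {0x0000000000000001}  # assumed inventory of legitimate switches
SESSION_KNOWN = build_hello() + build_features_reply(0x0000000000000001)
SESSION_ROGUE = build_hello() + build_features_reply(0x0000000000000042)
```

Feeding the controller's TCP payloads through audit_switch_session and alerting on any finding gives a simple detection for switch emulation without having to fingerprint the emulator itself.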
For testing specific platforms, sdnpwn includes the onos-app module targeting ONOS (Open Network Operating System) deployments. This module can test ONOS applications for vulnerabilities, though the README notes that application templates need updating to match current ONOS versions.
The modular architecture means extending sdnpwn with new attack vectors is conceptually straightforward—each module is self-contained, accepting its own parameters and implementing its own attack logic.
Gotcha
The README includes an extensive TODO list indicating areas needing work: the setup script needs verification, all modules require testing to confirm they function as expected, bugs need fixing, signal handling and help menus need consistency across modules, and the OpenFlow library used by of-switch requires updating or replacement. This suggests the tool is in active development but requires careful testing before use.
Protocol coverage is acknowledged as a limitation. The TODO list explicitly mentions the need to add more OpenFlow versions to the of-switch module, potentially requiring a swap to a different OpenFlow library or a full rewrite. The TODO also mentions creating a p4-switch module, indicating current focus is on OpenFlow-based SDN testing. If you’re testing deployments using newer protocols or versions, verify compatibility first.
The TODO list also flags fingerprinting accuracy as needing improvement: the controller fingerprinting data needs better structure and more comprehensive information.
With 117 GitHub stars, this represents a specialized tool with a focused community rather than a widely adopted mainstream project.
Verdict
Use if you’re a security researcher or student learning about SDN attack vectors and need concrete examples of OpenFlow-level testing capabilities. sdnpwn provides valuable educational insight into SDN security fundamentals through its modular approach to different attack scenarios. It’s also useful if you’re willing to contribute to the project—the modular architecture provides a foundation for building custom SDN testing tools, and the maintainer has clearly documented areas needing development. Skip if you need a fully production-ready tool without testing and verification first, as the README explicitly states modules need validation. Also skip if you require support for the latest protocol versions without modification, as OpenFlow library updates are on the TODO list. Before deploying for serious security assessments, review the TODO items and test modules against your specific target environment to ensure compatibility and reliability.