
evil-ssdp

Spoof SSDP replies to phish for NTLM hashes on a network. Responds to SSDP multicast discover requests, posing as a generic UPnP device that appears in Windows Explorer.

Description

evil-ssdp is a tool designed to spoof SSDP (Simple Service Discovery Protocol) replies, impersonating a generic UPnP device on the local network. When users on Windows machines in the network perform device discovery, the spoofed device appears in Windows Explorer, tempting users to interact with it. Upon opening the device, victims are presented with a configurable phishing webpage aimed at capturing NTLM hashes.

This tool is particularly useful in penetration testing and red team engagements for capturing credentials via NTLM authentication on Windows networks. It leverages the common trust users place in network-discovered devices, making it effective for social engineering attacks without requiring direct user interaction beyond curiosity-driven clicks.

The phishing pages and XML responses are customizable through templates, allowing adaptation to specific targets like Office 365 logins.

How It Works

The tool listens on a specified network interface for SSDP multicast discover requests (M-SEARCH messages). When it receives one, it responds with a spoofed SSDP reply that advertises a fake UPnP device. The spoofed device's location points to a local HTTP server (default port 8888) hosting XML descriptions and phishing pages. When a user accesses the device in Windows Explorer, it triggers NTLM authentication attempts to a configured SMB server, leaking hashes. Templates define the XML structure and phishing content served.
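
A defender-side triage of captured SSDP replies, as an added example that is not part of evil-ssdp or the original page: it flags responders whose LOCATION uses the tool's default port 8888 and responders that answer a canary search target. The datagrams, IP addresses and canary ST are constructed, and the canary check assumes a spoofing responder answers any search target it sees.

```python
from urllib.parse import urlsplit

DEFAULT_HTTP_PORT = 8888  # evil-ssdp's default HTTP port; -p changes it
# Constructed search target that no real device implements (assumption).
CANARY_ST = "urn:example-org:device:canary-7f3a:1"

# Constructed (source IP, datagram) pairs standing in for captured replies.
SAMPLE_REPLIES = [
    ("192.168.1.1", "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                    "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"),
    ("192.168.1.50", "HTTP/1.1 200 OK\r\nST: " + CANARY_ST + "\r\n"
                     "Location: http://192.168.1.50:8888/desc.xml\r\n\r\n"),
    ("192.168.1.60", "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                     "LOCATION: http://192.168.1.60:8888/desc.xml\r\n\r\n"),
    ("192.168.1.70", "not an SSDP reply"),
]


def parse_reply(datagram):
    """Return a lower-cased header dict for an SSDP 200 reply, else None."""
    lines = datagram.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def triage(replies, canary_st=CANARY_ST):
    """Map source IP -> sorted reasons the responder needs a closer look."""
    findings = {}
    for src, datagram in replies:
        headers = parse_reply(datagram)
        if headers is None or "location" not in headers:
            continue
        try:
            port = urlsplit(headers["location"]).port
        except ValueError:  # malformed port in LOCATION
            port = None
        reasons = findings.setdefault(src, set())
        if port == DEFAULT_HTTP_PORT:
            reasons.add("LOCATION uses port 8888 (weak signal)")
        if headers.get("st") == canary_st:
            reasons.add("answered canary search target")
    return {ip: sorted(r) for ip, r in findings.items() if r}


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_REPLIES).items():
        print(ip, "->", "; ".join(reasons))
```

The port match alone is weak evidence, since legitimate devices can use 8888 and the tool's port is configurable; a reply to the canary search target is the stronger signal under the stated assumption.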

Installation

sudo apt install evil-ssdp

Flags

-p, --port PORT           Port for HTTP server. Defaults to 8888.
-t, --template TEMPLATE   Name of a folder in the templates directory. Defaults to "office365". This will determine xml and phishing pages used.
-s, --smb SMB             IP address of your SMB server. Defaults to the primary address of the "interface" provided.
-b                        No description provided in content.
-r, --realm REALM         No description provided in content.
-u, --url URL             No description provided in content.
-a                        No description provided in content.
interface                 Network interface to listen on.

Examples

Show the help message and usage information.
evil-ssdp -h
Run on eth0 interface with default HTTP port 8888, office365 template, and SMB on primary interface IP.
evil-ssdp eth0
Run on wlan0 with custom HTTP port 8080.
evil-ssdp -p 8080 wlan0
Use a custom template folder for XML and phishing pages on eth0.
evil-ssdp -t custom-template eth0
Set specific SMB server IP on eth0 interface.
evil-ssdp -s 192.168.1.100 eth0
Full example with explicit defaults and custom SMB on wlan1.
evil-ssdp -p 8888 -t office365 -s 10.0.0.5 wlan1
Set custom realm for NTLM phishing on eth0.
evil-ssdp -r DOMAIN.COM eth0
Updated 2026-04-16 (kali.org)