#!/usr/bin/python2

from scapy.all import *
from struct import *
import sys
import socket
import time
import threading
import random
from threading import Thread


    ########################
    #Remember the SSDP scanner keeps all packets received, so make sure you sort them example command:

    #Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.


    #Here is a small list of commands that can help you sort your list:

    #This command removes the length of the responce and puts the output in line-by-line list format:
    #cat scannedlist.txt | awk '{print $1}' | sort -u | sort -R > output.txt

    #This next command sorts for all packets over 300 byte reply size and saves the output to a list:
    #cat scannedlist.txt | awk '$2 > 300' | awk 'print $1' | sort -u | sort -R > output.txt

    #This next command sorts for all reflectors that replyed with 10 or more packets (this is my favorite):
    #cat scannedlist.txt | sort | uniq -c | awk '$2 > 10' | awk 'print $2' | sort -u | sort -R > output.txt
    ########################

if len (sys.argv) != 4:
    print "Usage: ./" + sys.argv[0] + " [ip-start] [ip-end] [output]\n      Notice: This script requires Scapy (available with apt-get or yum installs\n    Notice: THIS HAS ONLY BEEN TESTED ON A DEDICATED SERVER VPS's MAY NOT WORK.\n   V.1.0 Made by XXX"
    sys.exit()

mydestport = random.randint(400,65535)
conf.verb = 0
data = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"
recv = 0

def eth_addr (a):
    b = "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" % (ord(a[0]) , ord(a[1]) , ord(a[2]), ord(a[3]), ord(a[4]) , ord(a[5]))
    return b

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('google.com', 80))
myhost = sock.getsockname()[0]
sock.close()

def ipRange(start_ip, end_ip):
    start = list(map(int, start_ip.split(".")))
    end = list(map(int, end_ip.split(".")))
    temp = start
    ip_range = []

    ip_range.append(start_ip)
    while temp != end:
        start[3] += 1
        for i in (3, 2, 1):
            if temp[i] == 256:
                temp[i] = 0
                temp[i-1] += 1
        ip_range.append(".".join(map(str, temp)))

    return ip_range

ip_range = ipRange(sys.argv[1], sys.argv[2])

def startscan():
    total = 0
    for server in ip_range:
        sys.stdout.write("\rSent %d Packets | Received %d Packets" % (total, recv))
        sys.stdout.flush()
        packet = IP(dst=server)/UDP(sport=mydestport,dport=1900)/Raw(load=data)
        send(packet)
        total = total + 1

def listen():
    global recv
    try:
        s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
    except socket.error , msg:
        sys.exit()

    while True:
        packet = s.recvfrom(65565)
        packet = packet[0]

        eth_length = 14

        eth_header = packet[:eth_length]
        eth = unpack('!6s6sH' , eth_header)
        eth_protocol = socket.ntohs(eth[2])

        if eth_protocol == 8:
            ip_header = packet[eth_length:20+eth_length]

            iph = unpack('!BBHHHBBH4s4s' , ip_header)

            version_ihl = iph[0]
            version = version_ihl >> 4
            ihl = version_ihl & 0xF

            iph_length = ihl * 4

            ttl = iph[5]
            protocol = iph[6]
            s_addr = socket.inet_ntoa(iph[8]);
            d_addr = socket.inet_ntoa(iph[9]);

            if protocol == 17 :
                u = iph_length + eth_length
                udph_length = 8
                udp_header = packet[u:u+8]

                udph = unpack('!HHHH' , udp_header)

                source_port = udph[0]
                dest_port = udph[1]
                length = udph[2]
                checksum = udph[3]

                if dest_port == mydestport:
                    if d_addr == myhost:
                        list = open(sys.argv[3], 'a')
                        list.write("%s %d\n" % (s_addr, length))
                        recv = recv + 1

                        h_size = eth_length + iph_length + udph_length
                        data_size = len(packet) - h_size

                        data = packet[h_size:]

if __name__ == '__main__':
    Thread(target = startscan).start()
    Thread(target = listen).start()
