From Wikipedia: Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.
The UPnP technology is promoted by the UPnP Forum, a computer industry initiative to enable simple and robust connectivity to stand-alone devices and personal computers from many different vendors. The Forum consists of over eight hundred vendors involved in everything from consumer electronics to network computing.
The concept of UPnP is an extension of plug-and-play, a technology for dynamically attaching devices directly to a computer, although UPnP is not directly related to the earlier plug-and-play technology. UPnP devices are “plug-and-play” in that when connected to a network they automatically establish working configurations with other devices.
UPnP uses common Internet technologies. It assumes the network must run Internet Protocol (IP) and then leverages HTTP, SOAP and XML on top of IP, in order to provide device/service description, actions, data transfer and eventing. Device search requests and advertisements are supported by running HTTP on top of UDP using multicast (known as HTTPMU). Responses to search requests are also sent over UDP, but are instead sent using unicast (known as HTTPU). UPnP uses UDP due to its lower overhead in not requiring confirmation of received data and retransmission of corrupt packets. HTTPU and HTTPMU were initially submitted as an Internet Draft but it expired in 2001;[5] these specifications have since been integrated into the actual UPnP specifications.[6]
UPnP uses UDP port 1900 for SSDP discovery; the TCP ports used afterwards for device description, control and eventing are not fixed but are taken from the LOCATION URL carried in the SSDP alive and response messages, as the captures below show.
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:upnp:rootdevice
Man:"ssdp:discover"
MX:3
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=100
DATE: Mon, 03 Aug 2015 23:55:42 GMT
EXT:
LOCATION: http://192.168.1.1:1900/igd.xml
SERVER: Wireless N Router WR885N, UPnP/1.0
ST: upnp:rootdevice
USN: uuid:upnp-InternetGatewayDevice-8089177da120::upnp:rootdevice
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: upnp:rootdevice
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-InternetGatewayDevice-8089177da120::upnp:rootdevice
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: uuid:upnp-InternetGatewayDevice-8089177da120
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-InternetGatewayDevice-8089177da120
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-InternetGatewayDevice-8089177da120::urn:schemas-upnp-org:device:InternetGatewayDevice:1
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:service:Layer3Forwarding:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-InternetGatewayDevice-8089177da120::urn:schemas-upnp-org:service:Layer3Forwarding:1
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: uuid:upnp-WANDevice-8089177da120
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANDevice-8089177da120
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:device:WANDevice:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANDevice-8089177da120::urn:schemas-upnp-org:device:WANDevice:1
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANDevice-8089177da120::urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: uuid:upnp-WANConnectionDevice-8089177da120
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANConnectionDevice-8089177da120
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:device:WANConnectionDevice:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANConnectionDevice-8089177da120::urn:schemas-upnp-org:device:WANConnectionDevice:1
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.1.1:1900/igd.xml
NT: urn:schemas-upnp-org:service:WANIPConnection:1
NTS: ssdp:alive
SERVER: Wireless N Router WR885N, UPnP/1.0
USN: uuid:upnp-WANConnectionDevice-8089177da120::urn:schemas-upnp-org:service:WANIPConnection:1
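As an added example (not code from the original page, Miranda or Metasploit), the following Python builds the M-SEARCH probe shown above and parses a reply or NOTIFY into an inventory record; the function names are my own, and the sample reply is transcribed from the capture above. It also flags a LOCATION header that does not point back at the sending host, since the description fetch that follows discovery would otherwise be directed at a third party.

```python
from urllib.parse import urlsplit

MCAST = "239.255.255.250:1900"  # SSDP multicast group and port used in the captures

# Reply from the capture above, re-typed with the CRLF line endings HTTPU requires.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=100\r\n"
    "DATE: Mon, 03 Aug 2015 23:55:42 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Wireless N Router WR885N, UPnP/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:upnp-InternetGatewayDevice-8089177da120::upnp:rootdevice\r\n"
    "\r\n"
)

def build_msearch(st="upnp:rootdevice", mx=3):
    """Return the M-SEARCH request from the capture as one HTTPMU datagram payload."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {MCAST}", f"ST: {st}",
             'MAN: "ssdp:discover"', f"MX: {mx}", "", ""]
    return "\r\n".join(lines)

def parse_ssdp(raw):
    """Split one SSDP message into its start line and a dict of upper-cased headers."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")  # only the first colon separates name/value
        headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers

def inventory_entry(raw, sender_ip):
    """Summarise a reply or NOTIFY for an inventory and flag a LOCATION that does not
    point back at the sender: the description fetch would then go to another host."""
    start, h = parse_ssdp(raw)
    loc = h.get("LOCATION", "")
    usn = h.get("USN", "")
    return {
        "kind": "reply" if start.startswith("HTTP/") else h.get("NTS", start),
        "server": h.get("SERVER"),
        "type": h.get("ST") or h.get("NT"),
        "usn": usn,
        "location": loc,
        "location_matches_sender": bool(loc) and urlsplit(loc).hostname == sender_ip,
        "is_gateway": "InternetGatewayDevice" in usn,  # the IGD profile seen above
    }
```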
Miranda
upnp-exploiter
use auxiliary/scanner/upnp/ssdp_msearch
upnp-inspector
upnp-router-control
miranda
┌─[lab@core]─[~/miranda]
└──╼ python miranda.py
upnp>
debug exit head help host load log msearch pcap quit save seti
upnp> msearch
Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...
****************************************************************
SSDP reply message from 192.168.1.1:1900
XML file is located at http://192.168.1.1:1900/igd.xml
Device is running Wireless N Router WR885N, UPnP/1.0
****************************************************************
^CDiscover mode halted...
upnp> host
Description:
Allows you to query host information and iteract with a host's actions/services.
Usage:
host <list | get | info | summary | details | send> [host index #]
'list' displays an index of all known UPNP hosts along with their respective index numbers
'get' gets detailed information about the specified host
'details' gets and displays detailed information about the specified host
'summary' displays a short summary describing the specified host
'info' allows you to enumerate all elements of the hosts object
'send' allows you to send SOAP requests to devices and services *
Example:
> host list
> host get 0
> host summary 0
> host info 0 deviceList
> host send 0 <device name> <service name> <action name>
Notes:
o All host commands support full tab completion of enumerated arguments
o All host commands EXCEPT for the 'host send', 'host info' and 'host list' commands take only one argument: the host index number.
o The host index number can be obtained by running 'host list', which takes no futher arguments.
o The 'host send' command requires that you also specify the host's device name, service name, and action name that you wish to send,
in that order (see the last example in the Example section of this output). This information can be obtained by viewing the
'host details' listing, or by querying the host information via the 'host info' command.
o The 'host info' command allows you to selectively enumerate the host information data structure. All data elements and their
corresponding values are displayed; a value of '{}' indicates that the element is a sub-structure that can be further enumerated
(see the 'host info' example in the Example section of this output).
upnp> host list
[0] 192.168.1.1:1900
upnp> host info 0
xmlFile : http://192.168.1.1:1900/igd.xml
name : 192.168.1.1:1900
proto : http://
serverType : None
upnpServer : Wireless N Router WR885N, UPnP/1.0
dataComplete : False
deviceList : {}
upnp> host summary 0
Host: 192.168.1.1:1900
XML File: http://192.168.1.1:1900/igd.xml
ssdp_msearch
msf auxiliary(ssdp_msearch) > run
[*] Sending UPnP SSDP probes to 192.168.1.1->192.168.1.1 (1 hosts)
[*] 192.168.1.1:1900 SSDP Wireless N Router WR885N, UPnP/1.0 | http://192.168.1.1:1900/igd.xml | uuid:upnp-InternetGatewayDevice-8089177da120::upnp:rootdevice
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
https://en.wikipedia.org/wiki/Universal_Plug_and_Play
http://wiki.securityweekly.com/wiki/index.php/Episode276#Tech_Segment:_UPnP_Hacking_For_Penetration_Testers