Admin at 09:36, 12 August 2017

2017-08-12T09:36:10Z

Admin: Created page with "UPnP Discovery With Nmap In a previous segment I covered how you can use Nmap to enumerate hosts via broadcast protocols, such as UPnP with the following command: nmap -Pn -..."

2016-04-03T09:59:41Z

Created page with "UPnP Discovery With Nmap In a previous segment I covered how you can use Nmap to enumerate hosts via broadcast protocols, such as UPnP with the following command: nmap -Pn -..."

New page

UPnP Discovery With Nmap

In a previous segment I covered how you can use Nmap to enumerate hosts via broadcast protocols, such as UPnP with the following command:

nmap -Pn -n --script=broadcast

It seems the Nmap team has added functionality (or I just have new stuff going on on my network, or both!). So check this out, it detect Dropbox in use:

| broadcast-dropbox-listener:
| displayname ip port version host_int namespaces
|_77339174 192.168.1.205 17500 1.8 77339174 69385827, 61346060, 82845516, 54162449, 69420146, 6768627, 58215509, 58372182

UPnP Discovery and Control with Backtrack 5 and Miranda

I am still fascinated with what information can be gathered from passive sniffing and broadcast traffic. I decided to take a deeper dive into UPnP, knowing that I have some deviced on my network that are running it (such as my TV, receivers, and Roku players). I found a tool called Miranda, written in 2008 it allows you to enumerate UPnP devices, gater information from them, and even make changes if the device allows that. My mission? From the network be able to mute my TV. Here's how I did it:

Miranda comes pre-installed on Backtrack 5, which is very handy. The first thing to do is fire it up (its located in /pentest/enumeration/miranda). First you need to execute a search for UPnP devices using the msearch command:

upnp> msearch

Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

****************************************************************
SSDP reply message from 192.168.1.213:8060
XML file is located at http://192.168.1.213:8060/
Device is running Roku UPnP/1.0 MiniUPnPd/1.4
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.224:52236
XML file is located at http://192.168.1.224:52236/rcr/RemoteControlReceiver.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.214:52235
XML file is located at http://192.168.1.214:52235/dmr/SamsungMRDesc.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

I've pruned the list for brevity, but you can see one Roku, my receiver and my TV. Turns out the receiver and TV use the same commands. Interesting to think how you could generalize commands and script them on a network. Next you can list out all the hosts dicovered:

upnp> host list

[0] 192.168.1.213:8060
[1] 192.168.1.219:8060
[2] 192.168.1.215:8060
[3] 192.168.1.224:52236
[4] 192.168.1.214:52235
[5] 192.168.1.241:8888
[6] 192.168.1.16:2869

Use the host get command to read the entire tree of UPnP commands. This needs to be successful if you are to be able to send commands to the device:

upnp> host get 5

Requesting device and service info for 192.168.1.241:8888 (this could take a few seconds)...

Host data enumeration complete!

Now review some information about the device using the host summary command:

upnp> host summary 5

Host: 192.168.1.241:8888
XML File: http://192.168.1.241:8888/upnp_descriptor_0
MediaRenderer
manufacturerURL: http://www.onkyo.com
modelName: TX-NR509
modelNumber: TX-NR509
presentationURL: http://192.168.1.241/
friendlyName: TX-NR509
fullName: urn:schemas-upnp-org:device:MediaRenderer:1
modelDescription: AV Receiver
UDN: uuid:aeb01704-c117-04b9-db1e-0409c1b9c871
modelURL: http://www.onkyo.com
manufacturer: ONKYO

The host info command gives you some further data:

upnp> host info 5

xmlFile : http://192.168.1.241:8888/upnp_descriptor_0
name : 192.168.1.241:8888
proto : http://
serverType : MediabolicMWEB/1.8.225
upnpServer : Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
dataComplete : True
deviceList : {}

You can save all of this data to disk with the following commands:

upnp> save data onkyo

Host data saved to 'struct_onkyo.mir'

upnp> save info 5 onkyo

Host info for '192.168.1.241:8888' saved to 'info_onkyo.mir'

Inside the file info_onkyo is all the commands for reference:

Device information:
Device Name: MediaRenderer
Service Name: AVTransport
controlURL: /upnp_control_2
eventSubURL: /upnp_event_2
serviceId: urn:upnp-org:serviceId:AVTransport
SCPDURL: /scpd/AVTransport_1
fullName: urn:schemas-upnp-org:service:AVTransport:1
ServiceActions:
SetNextAVTransportURI
InstanceID
A_ARG_TYPE_InstanceID:
dataType: ui4
sendEvents: N/A
allowedValueList: []
direction: in

Next we execute the command, pasing is the serviceID, tag, and command:

upnp> host send 5 MediaRenderer RenderingControl GetMute

Required argument:
Argument Name: InstanceID
Data Type: ui4
Allowed Values: []
Set InstanceID value to: 0

Required argument:
Argument Name: Channel
Data Type: string
Allowed Values: ['Master', 'LF', 'RF']
Set Channel value to: Master

CurrentMute : 0

We can see above the TV or receiver is not muted. Next, we can chenge the value:

upnp> host send 5 MediaRenderer RenderingControl SetMute

Required argument:
Argument Name: InstanceID
Data Type: ui4
Allowed Values: []
Set InstanceID value to: 0

Required argument:
Argument Name: DesiredMute
Data Type: boolean
Allowed Values: []
Set DesiredMute value to: 1

Required argument:
Argument Name: Channel
Data Type: string
Allowed Values: ['Master', 'LF', 'RF']
Set Channel value to: Master

It was pretty neat to be able to mute the TV over the network. This is a documented "feature", but should require some sort of authentication. Think about the devices on your nework that have this enabled, or could have this enabled. Good Lord, I hope there are no SCADA devices implementing this protocol, however if a control channel is left open without authentication, this is where things can go wrong.

I should note, that in order to get this to work, I had to modify the source code. When commands were being sent to the device, it was not building the POST request correctly, and ignoring one of the directories. So I changed the following lines:

if self.ENUM_HOSTS[index]['proto'] in service['SCPDURL']:
-xmlFile = service['SCPDURL']
+xmlFile = 'dmr/' + service['SCPDURL']
else:
-xmlFile += service['SCPDURL']
+xmlFile += 'dmr/' + service['SCPDURL']

Yea, its a "wicked hack" and the logic needs to be changed to modify the path on the fly of the POST request.
UPnP Inspector

This tool does not come with Backtrack 5, however use the following two commands to install it:

# apt-get install python-setuptools

# easy_install UPnP-Inspector

Once installed it gives you a GUI to discover, browse, and send commands to devices. The neat part about this program is that you can browse files over UPnP if its configured to do so.

Nmap/UPnP - Revision history

Admin at 09:36, 12 August 2017

Admin: Created page with "UPnP Discovery With Nmap In a previous segment I covered how you can use Nmap to enumerate hosts via broadcast protocols, such as UPnP with the following command: nmap -Pn -..."