From charlesreid1

Latest revision as of 09:36, 12 August 2017

UPnP Discovery With Nmap

Nmap can enumerate hosts via broadcast protocols such as UPnP. For example, the broadcast script category (which includes UPnP discovery):

nmap -Pn -n --script=broadcast

Nmap can also detect Dropbox in use:

| broadcast-dropbox-listener: 
| displayname  ip             port   version  host_int  namespaces
|_37449174     192.168.0.2  17500  1.8      37449174  78226771, 78226771

Taking a deeper dive into UPnP: many devices on a network run UPnP, such as TVs, receivers, routers, Chromecast and Roku. A tool called Miranda (circa 2008) enumerates UPnP devices, gathers information from them, and can change their state where the device allows it.

Miranda should be available on Kali. Start it and search for UPnP devices with the msearch command:

upnp> msearch

Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

****************************************************************
SSDP reply message from 192.168.1.23:8060
XML file is located at http://192.168.1.23:8060/
Device is running Roku UPnP/1.0 MiniUPnPd/1.4
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.224:52236
XML file is located at http://192.168.1.224:52236/rcr/RemoteControlReceiver.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.214:52235
XML file is located at http://192.168.1.214:52235/dmr/SamsungMRDesc.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************
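Added example (not part of this page or of Miranda): what the msearch step puts on the wire, and how a reply like the Roku's above maps to the "XML file is located at" and "Device is running" lines. The sample reply is constructed from that entry (its USN is a placeholder); discover() sends one M-SEARCH on the local segment and is not exercised by the sample.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

def build_msearch(st="upnp:rootdevice", mx=2):
    """Build the M-SEARCH request that the msearch step sends to the SSDP multicast group."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode()

def parse_ssdp_reply(data, addr):
    """Return the fields Miranda prints per reply, or None if this is not an SSDP 200 reply."""
    head = data.decode(errors="replace").split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")  # split on the first colon only (URLs contain colons)
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"from": f"{addr[0]}:{addr[1]}", "xml_file": headers.get("LOCATION"),
            "server": headers.get("SERVER")}

def discover(st="upnp:rootdevice", timeout=3.0):
    """Send one M-SEARCH and collect replies until the timeout; equivalent to 'upnp> msearch'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(st), SSDP_ADDR)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65507)
            reply = parse_ssdp_reply(data, addr)
            if reply:
                found.append(reply)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed reply modelled on the Roku entry above (USN is a placeholder).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.168.1.23:8060/\r\nSERVER: Roku UPnP/1.0 MiniUPnPd/1.4\r\n"
                b"ST: upnp:rootdevice\r\nUSN: uuid:PLACEHOLDER::upnp:rootdevice\r\n\r\n")
```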

One Roku, one receiver, one TV. The receiver and the TV use the same commands. Now list all the hosts discovered:

upnp> host list

	[0] 192.168.1.213:8060
	[1] 192.168.1.219:8060
	[2] 192.168.1.215:8060
	[3] 192.168.1.224:52236
	[4] 192.168.1.214:52235
	[5] 192.168.1.241:8888
	[6] 192.168.1.16:2869 

Use the host get command to read the entire tree of UPnP commands. This must succeed before you can send commands to the device:

 upnp> host get 5

Requesting device and service info for 192.168.1.241:8888 (this could take a few seconds)...

Host data enumeration complete!  

Now review some information about the device using the host summary command:

 upnp> host summary 5

Host: 192.168.1.241:8888
XML File: http://192.168.1.241:8888/upnp_descriptor_0
MediaRenderer
	manufacturerURL: http://www.onkyo.com
	modelName: TX-NR509
	modelNumber: TX-NR509
	presentationURL: http://192.168.1.241/
	friendlyName: TX-NR509
	fullName: urn:schemas-upnp-org:device:MediaRenderer:1
	modelDescription: AV Receiver
	UDN: uuid:aeb01704-c117-04b9-db1e-0409c1b9c871
	modelURL: http://www.onkyo.com
	manufacturer: ONKYO 

The host info command gives some further data:

upnp> host info 5

xmlFile : http://192.168.1.241:8888/upnp_descriptor_0
name : 192.168.1.241:8888
proto : http://
serverType : MediabolicMWEB/1.8.225
upnpServer : Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
dataComplete : True
deviceList : {}

Save data to a file via:

upnp> save data yoyo

Host data saved to 'struct_yoyo.mir'

upnp> save info 5 yoyo

Host info for '192.168.1.241:8888' saved to 'info_yoyo.mir'

The file info_yoyo.mir lists all the commands for reference:

Device information:
        Device Name: MediaRenderer
                Service Name: AVTransport
                        controlURL: /upnp_control_2
                        eventSubURL: /upnp_event_2
                        serviceId: urn:upnp-org:serviceId:AVTransport
                        SCPDURL: /scpd/AVTransport_1
                        fullName: urn:schemas-upnp-org:service:AVTransport:1
                        ServiceActions:
                                SetNextAVTransportURI
                                        InstanceID
                                                A_ARG_TYPE_InstanceID:
                                                        dataType: ui4
                                                        sendEvents: N/A
                                                        allowedValueList: []
                                                direction: in 
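Added example (not part of this page or of Miranda): parse a service's SCPD description into the action/argument tree shown above, and resolve a service's SCPDURL against the descriptor URL that msearch returned. The XML sample is constructed to mirror the RenderingControl GetMute/SetMute arguments on this page; nothing here talks to a device.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
NS = "{urn:schemas-upnp-org:service-1-0}"

# Constructed SCPD fragment modelled on the RenderingControl GetMute/SetMute arguments shown above.
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
 <actionList>
  <action><name>GetMute</name><argumentList>
   <argument><name>InstanceID</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable></argument>
   <argument><name>Channel</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_Channel</relatedStateVariable></argument>
   <argument><name>CurrentMute</name><direction>out</direction><relatedStateVariable>Mute</relatedStateVariable></argument>
  </argumentList></action>
  <action><name>SetMute</name><argumentList>
   <argument><name>InstanceID</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable></argument>
   <argument><name>DesiredMute</name><direction>in</direction><relatedStateVariable>Mute</relatedStateVariable></argument>
   <argument><name>Channel</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_Channel</relatedStateVariable></argument>
  </argumentList></action>
 </actionList>
 <serviceStateTable>
  <stateVariable sendEvents="no"><name>A_ARG_TYPE_InstanceID</name><dataType>ui4</dataType></stateVariable>
  <stateVariable sendEvents="no"><name>A_ARG_TYPE_Channel</name><dataType>string</dataType><allowedValueList>
   <allowedValue>Master</allowedValue><allowedValue>LF</allowedValue><allowedValue>RF</allowedValue></allowedValueList></stateVariable>
  <stateVariable sendEvents="yes"><name>Mute</name><dataType>boolean</dataType></stateVariable>
 </serviceStateTable>
</scpd>"""

def scpd_url(xml_file, scpd_path):
    """Resolve SCPDURL against the descriptor URL: absolute, root-relative and relative paths all work."""
    return urljoin(xml_file, scpd_path)

def parse_scpd(text):
    """Return {action: [(argument, direction, dataType, allowedValueList), ...]}, as Miranda prints."""
    root = ET.fromstring(text)
    variables = {}  # relatedStateVariable name -> (dataType, allowed values)
    for sv in root.iter(NS + "stateVariable"):
        allowed = [v.text for v in sv.iter(NS + "allowedValue")]
        variables[sv.findtext(NS + "name")] = (sv.findtext(NS + "dataType"), allowed)
    actions = {}
    for action in root.iter(NS + "action"):
        args = []
        for arg in action.iter(NS + "argument"):
            dtype, allowed = variables.get(arg.findtext(NS + "relatedStateVariable"), (None, []))
            args.append((arg.findtext(NS + "name"), arg.findtext(NS + "direction"), dtype, allowed))
        actions[action.findtext(NS + "name")] = args
    return actions

def state_changing_actions(actions):
    """Inventory aid: an action with only 'in' arguments is a command (SetMute), not a query (GetMute)."""
    return sorted(a for a, args in actions.items() if args and all(d == "in" for _, d, _, _ in args))
```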

Now send some commands. The arguments to host send are the host index, the device name, the service name, and the action:

 upnp>  host send 5 MediaRenderer RenderingControl GetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master

CurrentMute : 0

CurrentMute is 0, so the TV or receiver is not muted. Now change the value with SetMute:

upnp>  host send 5 MediaRenderer RenderingControl SetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  DesiredMute
	Data Type:      boolean
	Allowed Values: []
	Set DesiredMute value to: 1

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master 

This mutes the TV.

Miranda's source may need to be modified. When commands were sent to the device, it did not build the URL for the POST request correctly and dropped one of the path directories. Change the following lines:

if self.ENUM_HOSTS[index]['proto'] in service['SCPDURL']:
		-xmlFile = service['SCPDURL']
		+xmlFile = 'dmr/' + service['SCPDURL']
	else:
		-xmlFile += service['SCPDURL']
		+xmlFile += 'dmr/' + service['SCPDURL']
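Review bot: the literal 'dmr/' is a device-specific path segment (it matches the TV descriptor at /dmr/SamsungMRDesc.xml in the msearch output) and is inserted in both branches, including the first, where service['SCPDURL'] already contains the scheme, so the result reads 'dmr/http://...'. Host 5's descriptor lives at /upnp_descriptor_0 with SCPDURL /scpd/AVTransport_1, where no dmr segment exists at all. Suggest deriving the base from the host's xmlFile instead of a literal, e.g. urllib.parse.urljoin(xmlFile, service['SCPDURL']), so absolute, root-relative and relative SCPDURLs all resolve without a hard-coded prefix.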

UPnP Inspector

This tool does not come with Backtrack 5, but the following two commands install it:

$ apt-get install python-setuptools
$ easy_install UPnP-Inspector

Once installed it gives you a GUI to discover, browse, and send commands to devices. The neat part about this program is that you can browse files over UPnP if the device is configured to allow it.