Re: [NSE] New UPnP information gathering script

["Eddie Bell" <ejlbell () gmail com>]

Works great on my home router

Interesting ports on 192.168.1.254:
PORT     STATE SERVICE
1900/udp open  UPnP
|  UPnP: SpeedTouch BTHH 6.2.2.6 UPnP/1.0 (0722EH5UE)
|_ Location: http://192.168.1.254:80/upnp/IGD.xml

On 09/01/2008, Thomas Buchanan <TBuchanan () thecompassgrp net> wrote:
> Hello,
>
> Here is a script that attempts to gather information from the UPnP
> service (UDP port 1900).  This service is commonly found on network
> devices such as routers, printers, networked media players, or other
> self-configuring devices.  It can sometimes provide a fair amount of
> information about the device being scanned.
>
> This script operates by sending an initial discovery packet to UDP port
> 1900, and reading the response.  A valid response should contain a link
> to an XML file served by an HTTP service on the device.  By default, the
> script outputs the contents of the Server header from this response,
> along with the URL of the XML file.  Here's an example output:
>
> $ NMAPDIR=. ./nmap -sU -p 1900 --script=UPnP-info.nse --reason
> 192.168.182.101
>
> Starting Nmap 4.52 ( http://insecure.org ) at 2008-01-09 14:29 Central
> Standard Time
> Interesting ports on 192.168.182.101:
> PORT     STATE SERVICE REASON
> 1900/udp open  UPnP    script-set
> |  UPnP:  SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
> |_ Location:  http://192.168.182.101:5555/rootDesc.xml
> MAC Address: 00:0C:29:BF:93:25 (VMware)
>
> Nmap done: 1 IP address (1 host up) scanned in 7.241 seconds
>
> If a -v flag has been passed to the parent nmap process, the script goes
> a little further.  It parses the URL of the XML file, extracting the IP
> address, port and file location.  It attempts a connection to the HTTP
> service, reads the XML file, and parses out manufacturer and model
> descriptions for various devices defined within that file.  Here's an
> example of the more detailed output:
>
> Interesting ports on 192.168.182.101:
> PORT     STATE SERVICE REASON
> 1900/udp open  UPnP    script-set
> |  UPnP:  SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
> |  Location:  http://192.168.182.101:5555/rootDesc.xml
> |  Webserver:  SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
> |   Name: SmoothWall Express router
> |    Manufacturer: SmoothWall Express
> |    Model Descr: SmoothWall Express router
> |    Model Name: SmoothWall Express router
> |    Model Version: 3.0-polar-i386
> |   Name: WANDevice
> |    Manufacturer: MiniUPnP
> |    Model Descr: WAN Device
> |    Model Name: WAN Device
> |    Model Version: 20070827
> |   Name: WANConnectionDevice
> |    Manufacturer: MiniUPnP
> |    Model Descr: MiniUPnP daemon
> |    Model Name: MiniUPnPd
> |_   Model Version: 20070827
>
> As you can see, this script can generate quite a lot of output in this
> mode, which is why a -v flag is required.
>
> Anyway, hopefully someone finds this useful, or at least mildly
> interesting.  As always, comments or questions are welcome.
>
> Thanks,
>
> Thomas
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org