From charlesreid1

UPnP Discovery With Nmap

Nmap can enumerate hosts through broadcast and multicast discovery protocols without a target list: the broadcast script category (which includes broadcast-upnp-info, the SSDP M-SEARCH probe) solicits or listens for announcements on the local segment. For UPnP and everything else in that category:

nmap -Pn -n --script=broadcast

The same run also picks up Dropbox LAN sync announcements (broadcast-dropbox-listener):

| broadcast-dropbox-listener: 
| displayname  ip             port   version  host_int  namespaces
|_37449174     192.168.0.2  17500  1.8      37449174  78226771, 78226771

Taking a deeper dive into UPnP: many devices on a network run UPnP, including TVs, AV receivers, routers, Chromecast and Roku. Miranda, a Python UPnP client from around 2008, enumerates UPnP devices and, where a device exposes control actions, lets you invoke them to change its state.

Miranda is packaged for Kali Linux. Search for UPnP devices with the msearch command, which multicasts an SSDP M-SEARCH and prints every device that replies:

upnp> msearch

Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...

****************************************************************
SSDP reply message from 192.168.1.23:8060
XML file is located at http://192.168.1.23:8060/
Device is running Roku UPnP/1.0 MiniUPnPd/1.4
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.224:52236
XML file is located at http://192.168.1.224:52236/rcr/RemoteControlReceiver.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

****************************************************************
SSDP reply message from 192.168.1.214:52235
XML file is located at http://192.168.1.214:52235/dmr/SamsungMRDesc.xml
Device is running Linux/9.0 UPnP/1.0 PROTOTYPE/1.0
****************************************************************

One Roku, one receiver, one TV. Receivers and TVs that advertise as MediaRenderer devices accept the same standard actions (RenderingControl, AVTransport), so the commands below apply to both. Now list all the hosts discovered:

upnp> host list

	[0] 192.168.1.213:8060
	[1] 192.168.1.219:8060
	[2] 192.168.1.215:8060
	[3] 192.168.1.224:52236
	[4] 192.168.1.214:52235
	[5] 192.168.1.241:8888
	[6] 192.168.1.16:2869 

Use the host get command to fetch the device description XML and, from it, the SCPD of every service, which is where the actions and their arguments are declared. This must succeed before Miranda can send commands to the device:

 upnp> host get 5

Requesting device and service info for 192.168.1.241:8888 (this could take a few seconds)...

Host data enumeration complete!  

Now review some information about the device using the host summary command:

 upnp> host summary 5

Host: 192.168.1.241:8888
XML File: http://192.168.1.241:8888/upnp_descriptor_0
MediaRenderer
	manufacturerURL: http://www.onkyo.com
	modelName: TX-NR509
	modelNumber: TX-NR509
	presentationURL: http://192.168.1.241/
	friendlyName: TX-NR509
	fullName: urn:schemas-upnp-org:device:MediaRenderer:1
	modelDescription: AV Receiver
	UDN: uuid:aeb01704-c117-04b9-db1e-0409c1b9c871
	modelURL: http://www.onkyo.com
	manufacturer: ONKYO 

The host info command gives some further data, including the device's HTTP server banner:

upnp> host info 5

xmlFile : http://192.168.1.241:8888/upnp_descriptor_0
name : 192.168.1.241:8888
proto : http://
serverType : MediabolicMWEB/1.8.225
upnpServer : Linux/2.6.33-rc4 UPnP/1.0 MediabolicUPnP/1.8.225
dataComplete : True
deviceList : {}
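
What msearch and host get do on the wire, as an added example in Python (not Miranda's code): build the SSDP M-SEARCH datagram, parse a unicast reply, and parse the device description XML while resolving each service's relative controlURL and SCPDURL against the advertised LOCATION (or URLBase) with urljoin rather than string concatenation. The sample reply and description below are constructed, modelled on the Samsung TV output above; the UUID, service URLs and the discover() helper are assumptions of this example, not data from the page.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP = ("239.255.255.250", 1900)
DEVICE_NS = {"d": "urn:schemas-upnp-org:device-1-0"}


def build_msearch(st="upnp:rootdevice", mx=2):
    """Build the SSDP M-SEARCH datagram a client multicasts to find devices."""
    request = (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_ssdp_reply(datagram):
    """Split an SSDP unicast reply into its status line and upper-cased headers."""
    head = datagram.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"status": status, "headers": headers}


def _text(element, tag):
    child = element.find(f"d:{tag}", DEVICE_NS)
    return child.text.strip() if child is not None and child.text else ""


def parse_device_description(xml_text, location):
    """Parse a device description, resolving service URLs against URLBase or LOCATION.

    urljoin keeps the description's directory for a relative SCPDURL
    (/dmr/Foo.xml + Bar.xml -> /dmr/Bar.xml) and lets an absolute path such as
    /scpd/AVTransport_1 replace it, so no per-device prefix is hard-coded.
    """
    root = ET.fromstring(xml_text)
    base = _text(root, "URLBase") or location
    device = root.find("d:device", DEVICE_NS)
    services = [
        {
            "serviceType": _text(svc, "serviceType"),
            "controlURL": urljoin(base, _text(svc, "controlURL")),
            "SCPDURL": urljoin(base, _text(svc, "SCPDURL")),
        }
        for svc in device.findall("d:serviceList/d:service", DEVICE_NS)
    ]
    return {"deviceType": _text(device, "deviceType"), "services": services}


def discover(st="upnp:rootdevice", timeout=3.0):
    """Multicast one M-SEARCH and collect replies until the socket goes quiet (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(st), SSDP_GROUP)
        while True:
            data, addr = sock.recvfrom(65507)
            replies.append((addr, parse_ssdp_reply(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample reply modelled on the Samsung TV output above (placeholder UUID).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.1.214:52235/dmr/SamsungMRDesc.xml\r\n"
    b"SERVER: Linux/9.0 UPnP/1.0 PROTOTYPE/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)

# Constructed description: one service with relative URLs (the /dmr/ case that
# tripped Miranda) and one with absolute paths like the Onkyo's AVTransport.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <controlURL>RenderingControl1</controlURL>
        <SCPDURL>RenderingControl1.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
        <controlURL>/upnp_control_2</controlURL>
        <SCPDURL>/scpd/AVTransport_1</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>
"""
```

On a live network, discover() returns (address, parsed reply) pairs; feed each LOCATION to an HTTP GET and the result to parse_device_description() to get the same controlURL/SCPDURL values Miranda's host get collects. The resolved URLs are what a control point must POST to, so getting this join right is the difference between a working host send and a 404.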

Save data to a file via:

upnp> save data yoyo

Host data saved to 'struct_yoyo.mir'

upnp> save info 5 yoyo

Host info for '192.168.1.241:8888' saved to 'info_yoyo.mir'

The file info_yoyo.mir lists every service and action the device advertises, with each action's arguments, data types and allowed values, for reference:

Device information:
        Device Name: MediaRenderer
                Service Name: AVTransport
                        controlURL: /upnp_control_2
                        eventSubURL: /upnp_event_2
                        serviceId: urn:upnp-org:serviceId:AVTransport
                        SCPDURL: /scpd/AVTransport_1
                        fullName: urn:schemas-upnp-org:service:AVTransport:1
                        ServiceActions:
                                SetNextAVTransportURI
                                        InstanceID
                                                A_ARG_TYPE_InstanceID:
                                                        dataType: ui4
                                                        sendEvents: N/A
                                                        allowedValueList: []
                                                direction: in 

Now send an action. Miranda prompts for each argument the SCPD declares; the values typed at the prompts below are 0 and Master:

 upnp>  host send 5 MediaRenderer RenderingControl GetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master

CurrentMute : 0

CurrentMute : 0 means the receiver (host 5, the Onkyo) is not muted. Now change the value with SetMute:

upnp>  host send 5 MediaRenderer RenderingControl SetMute

Required argument:
	Argument Name:  InstanceID
	Data Type:      ui4
	Allowed Values: []
	Set InstanceID value to: 0

Required argument:
	Argument Name:  DesiredMute
	Data Type:      boolean
	Allowed Values: []
	Set DesiredMute value to: 1

Required argument:
	Argument Name:  Channel
	Data Type:      string
	Allowed Values: ['Master', 'LF', 'RF']
	Set Channel value to: Master 

This mutes the receiver (host 5). The Samsung TV at host 4 exposes the same RenderingControl service, so the same SetMute call mutes it.
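
What host send actually puts on the wire for GetMute and SetMute, as an added example in Python (not Miranda's or Onkyo's code): the SOAP envelope and SOAPACTION header for a RenderingControl action, a parser for the ActionResponse and for a UPnP Fault, and a send_action() helper that POSTs to a service's controlURL. The two sample replies are constructed. The control URL passed to send_action() is an assumption you must fill in from the device description (Miranda's host info or the saved info_*.mir file), since the page shows only the Onkyo's AVTransport controlURL, not its RenderingControl one.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
RENDERING_CONTROL = "urn:schemas-upnp-org:service:RenderingControl:1"


class UPnPError(Exception):
    """A SOAP Fault carrying a UPnP errorCode (401 Invalid Action, 402 Invalid Args, ...)."""

    def __init__(self, code, description):
        super().__init__(f"UPnP error {code}: {description}")
        self.code = code
        self.description = description


def build_soap_action(service_type, action, args):
    """Return (headers, body) for one control-point action.

    Arguments go in the order the SCPD's argumentList gives them (dict order here);
    values are XML-escaped so a string argument cannot inject extra elements.
    """
    arg_xml = "".join(f"<{name}>{escape(str(value))}</{name}>" for name, value in args.items())
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{arg_xml}</u:{action}></s:Body></s:Envelope>'
    ).encode("utf-8")
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{service_type}#{action}"',  # devices dispatch on this header
        "Content-Length": str(len(body)),
    }
    return headers, body


def parse_soap_response(raw, action):
    """Return the out-arguments of <u:{action}Response> as a dict, or raise UPnPError on a Fault."""
    body = ET.fromstring(raw).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("response has no SOAP Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CONTROL_NS}}}errorCode", default="-1")
        raise UPnPError(int(code), fault.findtext(f".//{{{CONTROL_NS}}}errorDescription", default=""))
    for child in body:
        if child.tag.rsplit("}", 1)[-1] == f"{action}Response":
            return {arg.tag.rsplit("}", 1)[-1]: (arg.text or "") for arg in child}
    raise ValueError(f"no {action}Response element in body")


def send_action(control_url, service_type, action, args, timeout=5.0):
    """POST the action to a service's controlURL and parse the reply (needs a live device)."""
    headers, body = build_soap_action(service_type, action, args)
    request = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            raw = response.read()
    except urllib.error.HTTPError as err:
        raw = err.read()  # a UPnP fault arrives as HTTP 500 with a SOAP Fault body
    return parse_soap_response(raw, action)


def get_mute(control_url, channel="Master"):
    """The GetMute exchange above; True when the channel is muted."""
    reply = send_action(control_url, RENDERING_CONTROL, "GetMute", {"InstanceID": 0, "Channel": channel})
    return reply["CurrentMute"] == "1"


def set_mute(control_url, muted, channel="Master"):
    """The SetMute exchange above; DesiredMute is a UPnP boolean sent as 0 or 1."""
    send_action(control_url, RENDERING_CONTROL, "SetMute",
                {"InstanceID": 0, "Channel": channel, "DesiredMute": int(bool(muted))})


# Constructed sample replies: GetMute on an unmuted renderer, and the Fault a
# device returns for a bad argument (errorCode 402).
SAMPLE_GETMUTE_REPLY = (
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    b's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    b'<u:GetMuteResponse xmlns:u="urn:schemas-upnp-org:service:RenderingControl:1">'
    b"<CurrentMute>0</CurrentMute></u:GetMuteResponse></s:Body></s:Envelope>"
)
SAMPLE_FAULT_REPLY = (
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b"<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>"
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>402</errorCode>'
    b"<errorDescription>Invalid Args</errorDescription></UPnPError></detail></s:Fault>"
    b"</s:Body></s:Envelope>"
)
```

Note that nothing in this exchange authenticates the caller: any host on the segment that can reach the controlURL can issue SetMute (or any other action the SCPD lists), which is the whole security point of enumerating these services in the first place.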

Miranda's source may need modification. When actions were sent to the Samsung TV, Miranda was not building the request path correctly: the TV serves its description from the /dmr/ directory (see the msearch output above) and its SCPD URLs are relative to that directory, but Miranda dropped the directory when it assembled the path. The following lines were changed:

if self.ENUM_HOSTS[index]['proto'] in service['SCPDURL']:
		-xmlFile = service['SCPDURL']
		+xmlFile = 'dmr/' + service['SCPDURL']
	else:
		-xmlFile += service['SCPDURL']
		+xmlFile += 'dmr/' + service['SCPDURL']
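
Review bot: hard-coding 'dmr/' in both branches fixes the Samsung TV and breaks every other device; the Onkyo above serves its description at /upnp_descriptor_0 with an SCPDURL of /scpd/AVTransport_1, so after this patch the else branch appends 'dmr/' plus '/scpd/AVTransport_1' to xmlFile, and the first branch (taken when SCPDURL already carries the http:// proto) prefixes 'dmr/' onto a complete URL, which is not a URL at all. The underlying defect is that a relative SCPDURL has to be resolved against the directory of the description URL (or URLBase, when the description declares one); replace both string concatenations with urllib's urljoin(description_url, service['SCPDURL']), which keeps /dmr/ for a relative path and lets an absolute path replace it, with no per-device prefix.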

UPnP Inspector

UPnP Inspector does not ship with BackTrack 5; install it with these two commands:

$ apt-get install python-setuptools
$ easy_install UPnP-Inspector

Once installed, it gives you a GUI to discover and browse devices and send them actions. The neat part is that you can browse the files a device shares over UPnP (a MediaServer's content directory), if the device is configured to share them.