Nmap Development mailing list archives
[NSE] New UPnP information gathering script
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Wed, 9 Jan 2008 15:05:15 -0600
Hello,

Here is a script that attempts to gather information from the UPnP service (UDP port 1900). This service is commonly found on network devices such as routers, printers, networked media players, or other self-configuring devices. It can sometimes provide a fair amount of information about the device being scanned.

This script operates by sending an initial discovery packet to UDP port 1900, and reading the response. A valid response should contain a link to an XML file served by an HTTP service on the device. By default, the script outputs the contents of the Server header from this response, along with the URL of the XML file. Here's an example output:

$ NMAPDIR=. ./nmap -sU -p 1900 --script=UPnP-info.nse --reason 192.168.182.101

Starting Nmap 4.52 ( http://insecure.org ) at 2008-01-09 14:29 Central Standard Time
Interesting ports on 192.168.182.101:
PORT     STATE SERVICE REASON
1900/udp open  UPnP    script-set
|  UPnP: SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
|_ Location: http://192.168.182.101:5555/rootDesc.xml
MAC Address: 00:0C:29:BF:93:25 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.241 seconds

If a -v flag has been passed to the parent nmap process, the script goes a little further. It parses the URL of the XML file, extracting the IP address, port and file location. It attempts a connection to the HTTP service, reads the XML file, and parses out manufacturer and model descriptions for various devices defined within that file.

Here's an example of the more detailed output:

Interesting ports on 192.168.182.101:
PORT     STATE SERVICE REASON
1900/udp open  UPnP    script-set
|  UPnP: SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
|  Location: http://192.168.182.101:5555/rootDesc.xml
|  Webserver: SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0
|  Name: SmoothWall Express router
|  Manufacturer: SmoothWall Express
|  Model Descr: SmoothWall Express router
|  Model Name: SmoothWall Express router
|  Model Version: 3.0-polar-i386
|  Name: WANDevice
|  Manufacturer: MiniUPnP
|  Model Descr: WAN Device
|  Model Name: WAN Device
|  Model Version: 20070827
|  Name: WANConnectionDevice
|  Manufacturer: MiniUPnP
|  Model Descr: MiniUPnP daemon
|  Model Name: MiniUPnPd
|_ Model Version: 20070827

As you can see, this script can generate quite a lot of output in this mode, which is why a -v flag is required.

Anyway, hopefully someone finds this useful, or at least mildly interesting. As always, comments or questions are welcome.

Thanks,
Thomas
Attachment:
UPnP-info.nse
Description: UPnP-info.nse
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
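The exchange the post describes, worked through as an added example that is not the attached UPnP-info.nse script (that script is Lua for NSE; this is plain Python so it runs outside nmap): build the SSDP M-SEARCH packet, pull the Server and Location headers out of the reply, split the Location URL into host, port and path, and walk the device description XML for the friendlyName, manufacturer and model fields of the root device and every nested device. The SSDP reply and rootDesc.xml embedded below are constructed from the values shown in the post's output, not captured from a device. Two things are assumptions of this example, not statements about the script: that the post's "Model Version" line comes from the UPnP modelNumber element, and the location_matches_responder check, added because a Location header is data supplied by whatever answered the probe and need not point back at the scanned host.

```python
"""SSDP discovery and UPnP device-description parsing, mirroring the steps
the post describes.  Added example in Python, not the NSE script."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The discovery packet, sent unicast to the target's UDP port 1900.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n")
UPNP_NS = "urn:schemas-upnp-org:device-1-0"
# (label used in the post's output, element name in the device description).
# Assumption: the post's "Model Version" comes from <modelNumber>.
FIELDS = [("Name", "friendlyName"), ("Manufacturer", "manufacturer"),
          ("Model Descr", "modelDescription"), ("Model Name", "modelName"),
          ("Model Version", "modelNumber")]

def parse_ssdp_response(raw: bytes) -> dict:
    """Headers (lower-cased names) of a 'HTTP/1.1 200 OK' SSDP reply;
    anything else raises ValueError so callers do not act on junk."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def split_location(location: str) -> tuple:
    """Host, port and path of the Location URL, as the verbose mode does."""
    u = urlsplit(location)
    if u.scheme != "http" or not u.hostname:
        raise ValueError(f"unsupported Location: {location!r}")
    return u.hostname, u.port or 80, u.path or "/"

def location_matches_responder(location: str, responder_ip: str) -> bool:
    """Check added here: Location is attacker-controlled data.  Only follow
    it when it points back at the host that answered the probe."""
    return split_location(location)[0] == responder_ip

def parse_device_description(xml_bytes: bytes) -> list:
    """One dict per <device>: root device first, then nested deviceList
    entries in document order.  find() only looks at direct children, so a
    nested device's fields never leak into its parent's entry."""
    root = ET.fromstring(xml_bytes)  # untrusted XML: consider defusedxml
    devices = []
    for dev in root.iter(f"{{{UPNP_NS}}}device"):
        info = {}
        for label, tag in FIELDS:
            el = dev.find(f"{{{UPNP_NS}}}{tag}")
            if el is not None and el.text:
                info[label] = el.text.strip()
        devices.append(info)
    return devices

def format_report(headers: dict, devices: list) -> list:
    """Lines in the shape of the script's verbose output."""
    out = [f"UPnP: {headers.get('server', '')}",
           f"Location: {headers.get('location', '')}"]
    for dev in devices:
        out.extend(f"{label}: {dev[label]}" for label, _ in FIELDS if label in dev)
    return out

def discover(target: str, timeout: float = 2.0) -> dict:
    """Live probe (not exercised offline): one M-SEARCH, first reply parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, (target, 1900))
        data, _ = s.recvfrom(65535)
    return parse_ssdp_response(data)

# Constructed sample data, modelled on the values shown in the post's output.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nEXT:\r\n"
                     b"SERVER: SmoothWall Express/3.0 UPnP/1.0 miniupnpd/1.0\r\n"
                     b"LOCATION: http://192.168.182.101:5555/rootDesc.xml\r\n\r\n")
SAMPLE_ROOT_DESC = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <friendlyName>SmoothWall Express router</friendlyName>
 <manufacturer>SmoothWall Express</manufacturer>
 <modelDescription>SmoothWall Express router</modelDescription>
 <modelName>SmoothWall Express router</modelName><modelNumber>3.0-polar-i386</modelNumber>
 <deviceList><device>
  <friendlyName>WANDevice</friendlyName><manufacturer>MiniUPnP</manufacturer>
  <modelDescription>WAN Device</modelDescription><modelName>WAN Device</modelName>
  <modelNumber>20070827</modelNumber>
  <deviceList><device>
   <friendlyName>WANConnectionDevice</friendlyName><manufacturer>MiniUPnP</manufacturer>
   <modelDescription>MiniUPnP daemon</modelDescription><modelName>MiniUPnPd</modelName>
   <modelNumber>20070827</modelNumber>
  </device></deviceList>
 </device></deviceList>
</device></root>"""

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    assert location_matches_responder(hdrs["location"], "192.168.182.101")
    print("\n".join(format_report(hdrs, parse_device_description(SAMPLE_ROOT_DESC))))
```

Run as-is it prints the same seventeen lines the post's verbose output shows (minus the Webserver line, which comes from the HTTP fetch this offline sample skips). Against a live target, call discover() and, if location_matches_responder() agrees, fetch the Location URL over HTTP and hand the body to parse_device_description(); a Location that names a different host is worth reporting rather than following.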
Current thread:
- [NSE] New UPnP information gathering script Thomas Buchanan (Jan 09)
- Re: [NSE] New UPnP information gathering script Eddie Bell (Jan 10)
- Re: [NSE] New UPnP information gathering script Fyodor (Jan 10)
- <Possible follow-ups>
- Re: [NSE] New UPnP information gathering script Gisle Vanem (Jan 11)
- RE: [NSE] New UPnP information gathering script Thomas Buchanan (Jan 11)
- Re: [NSE] New UPnP information gathering script Gisle Vanem (Jan 11)
- RE: [NSE] New UPnP information gathering script Thomas Buchanan (Jan 11)
- RE: [NSE] New UPnP information gathering script Thomas Buchanan (Jan 11)