GRC's UPnP scanner

My post with more info about why you need to run the test. :D
http://www.technibble.com/forums/showthread.php?t=44548

And the day before with this post.. :D
http://www.technibble.com/forums/showthread.php?t=44523&highlight=upnp

GRC's site is a bit "too paranoid".....for giggles I ran his UPnP probe knowing that my router does have UPnP enabled.
I get the following message after running the test:
"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!"
 
I saw the Rapid7 utility post but from my understanding it's buggy and only tests the LAN not the WAN. It actually crashed on my Win 7 box. I wasn't even able to run a scan. Besides, this needs to be run outside your local network, from an external IP address.

The GRC utility was just recently made available yesterday.
 
I've always been concerned about UPnP vulns from inside the network...not outside.
Most routers have the UPnP service bound to the LAN side, because it listens to requests for dynamic port forwarding from internal hosts....as far as firewall concerns. The concept of UPnP being bound to the WAN IP address simply doesn't make sense. I've never heard of a firewall that has that feature (although I haven't looked either).

The worry should be, a bug (malware like some trojan/back door) gets put on a PC inside the network. It is programmed to find the network gateway...and then scan that gateway for UPnP vulnerabilities...once found, exploit them...open/forward all ports to that PC on the network (or some scripts will identify a server on a network...and open/forward all ports to that server's LAN IP). Now you have fully exposed PCs or worse..a fully exposed server on the network, which is no longer behind NAT. Since the remote hacker has the WAN IP address...and no NAT protecting that Windows PC...guess what...it's field day! The front door is wiiiiiide open!
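
The post above describes port forwards being opened on the gateway from inside the LAN. One way to look for that, as an added example that is not part of the original thread: audit the port mappings the router reports through the UPnP IGD `GetGenericPortMappingEntry` action. The SOAP responses, the approved-host list and the risky-port list below are constructed assumptions, not data from any real router.

```python
import xml.etree.ElementTree as ET

APPROVED_CLIENTS = {"192.168.1.50"}  # assumption: hosts you forwarded on purpose
RISKY_PORTS = {21, 22, 23, 135, 139, 445, 3389, 5900}  # assumption: local policy
FIELDS = {"NewInternalPort", "NewInternalClient", "NewEnabled", "NewLeaseDuration"}

def parse_mapping(soap_xml):
    """Pull the port-mapping fields out of one SOAP response."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name in FIELDS:
            found[name] = (el.text or "").strip()
    return found

def audit(mapping):
    """Return the reasons an enabled mapping deserves a closer look."""
    if mapping.get("NewEnabled") != "1":
        return []
    reasons = []
    client = mapping.get("NewInternalClient", "")
    if client not in APPROVED_CLIENTS:
        reasons.append("unapproved host " + client)
    port = mapping.get("NewInternalPort", "")
    if port.isdigit() and int(port) in RISKY_PORTS:
        reasons.append("sensitive port " + port)
    if mapping.get("NewLeaseDuration") == "0":  # 0 = no expiry in IGD v1
        reasons.append("permanent lease")
    return reasons

def sample(client, port, lease, enabled="1"):
    """Build a constructed (not captured) GetGenericPortMappingEntry response."""
    fields = {"NewExternalPort": port, "NewProtocol": "TCP", "NewInternalPort": port,
              "NewInternalClient": client, "NewEnabled": enabled, "NewLeaseDuration": lease}
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">' + body +
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLES = [sample("192.168.1.50", 9000, 3600),           # NAS forwarded on purpose
           sample("192.168.1.23", 3389, 0),              # desktop, RDP, no expiry
           sample("192.168.1.77", 445, 0, enabled="0")]  # disabled entry, ignored

def run_audit(responses):
    """Map each flagged internal client to its list of reasons."""
    parsed = [parse_mapping(r) for r in responses]
    return {m["NewInternalClient"]: audit(m) for m in parsed if audit(m)}
```

Calling `run_audit(SAMPLES)` flags only the 192.168.1.23 mapping; the approved NAS forward and the disabled entry pass.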
 
Absolutely, I couldn't agree more. The current exploit or problem with UPnP that is causing all of the fuss is that many routers DO allow WAN side access using a single UDP packet. The problems with UPnP on the LAN side have long been a problem which is why I always shut it off and port forward as necessary.

According to the podcast, HD Moore, the creator of Metasploit, has been conducting some UPnP tests for quite a few months. The results, in short, 81 million devices responded to UPnP discovery requests over the internet. Here's a link to the PDF.

It's simply a fundamental flaw in the design of many routers/devices. There's absolutely no reason for access to UPnP from the WAN side. There won't be a setting in the router's interface to turn this off...it shouldn't even exist. Maybe some firmware releases are in the works??? I doubt it. Most people won't be aware and the mfgs could care less.

I was curious so I ran the scan and fortunately my router behaved itself. :D
 
my results
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
and I do have it enabled. Forgive me if I'm wrong, but I'm attempting to do my own cloud backup between offices and bought a LinkStation that has web access through a UPnP setup. It automatically sets up the passthroughs, if I read it correctly.
I have liked Gibson ever since SpinRite in the old days.


BnB
 