
upnp-info NSE Script

2008-11-06 02:52:59
Thomas Buchanan
nmap.org

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Attempts to extract system information from the UPnP service.

Script Arguments

upnp-info.override

Controls whether we override the IP address information returned by the UPNP service for the location of the XML file that describes the device. Defaults to true for unicast hosts.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

max-newtargets, newtargets

See the documentation for the target library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sU -p 1900 --script=upnp-info <target>

Script Output

|  upnp-info:  System/1.0 UPnP/1.0 IGD/1.0
|_ Location: http://192.168.1.1:80/UPnP/IGD.xml
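
What the upnp-info.override argument does to the Location value, as an added Python sketch (not the script's or the upnp library's own code): it parses a constructed SSDP reply, replaces the advertised host with the scanned address, and reports when the two differ. The function names, the sample reply and the 203.0.113.7 address are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed SSDP M-SEARCH reply (sample data, not captured traffic).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"SERVER: System/1.0 UPnP/1.0 IGD/1.0\r\n"
    b"LOCATION: http://192.168.1.1:80/UPnP/IGD.xml\r\n"
    b"\r\n"
)

def parse_ssdp(raw):
    """Return the reply's headers as a dict with lower-cased names."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not a successful SSDP reply")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def describe(raw, scanned_ip, override=True):
    """Summarise a reply; with override, point Location at scanned_ip."""
    headers = parse_ssdp(raw)
    location = headers.get("location")
    if location is None:
        raise ValueError("reply carries no LOCATION header")
    parts = urlsplit(location)
    advertised = parts.hostname
    if override:
        # Keep scheme, port and path; swap only the host (hypothetical logic).
        host = f"[{scanned_ip}]" if ":" in scanned_ip else scanned_ip
        netloc = f"{host}:{parts.port}" if parts.port else host
        location = urlunsplit(parts._replace(netloc=netloc))
    return {
        "server": headers.get("server"),
        "location": location,
        "advertised_host": advertised,
        # True when the device advertises an address other than the one probed.
        "mismatch": advertised != scanned_ip,
    }

if __name__ == "__main__":
    print(describe(SAMPLE_REPLY, "203.0.113.7"))
```

A mismatch in an inventory scan usually indicates a device that answers on one interface while advertising the address of another, which is worth recording when reviewing where UPnP is reachable.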

Requires


local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local upnp = require "upnp"

description = [[
Attempts to extract system information from the UPnP service.
]]

---
-- @usage
-- nmap -sU -p 1900 --script=upnp-info <target>
-- @output
-- |  upnp-info:  System/1.0 UPnP/1.0 IGD/1.0
-- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
--
-- @args upnp-info.override Controls whether we override the IP address information
--                          returned by the UPNP service for the location of the XML
--                          file that describes the device.  Defaults to true for
--                          unicast hosts.

-- 2010-10-05 - add prerule support <[email protected]>
-- 2010-10-10 - add newtarget support <[email protected]>
-- 2010-10-29 - factored out all of the code to upnp.lua <[email protected]>

author = "Thomas Buchanan"

license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

categories = {"default", "discovery", "safe"}


---
-- Runs on UDP port 1900
portrule = shortport.portnumber(1900, "udp", {"open", "open|filtered"})

---
-- Sends UPnP discovery packet to host,
-- and extracts service information from results
action = function(host, port)
  local override = stdnse.get_script_args("upnp-info.override")
  local helper = upnp.Helper:new( host, port )
  if ( override ~= nil ) and ( string.lower(override) == "false" ) then
    helper:setOverride( false )
  else
    helper:setOverride( true )
  end
  local status, result = helper:queryServices()

  if ( status ) then
    nmap.set_port_state(host, port, "open")
    return stdnse.format_output(true, result)
  end
end
