SlideShare uma empresa Scribd logo

U Plug, We Play - NED Summit. Cork, Ireland

D
DTM Security

Presentation given at NED Summit, Cork, Ireland / Cyber Cork (http://www.nedforum.com/#!ned-summit-ireland/c1hl6) on some of the research he has been carrying out on UPnP. This presentation introduces a new open source tool called 'UPnP Pentest Tookit' available at http://upnp.ninja/ or https://github.com/nccgroup/UPnP-Pentest-Toolkit

Tecnologia
1 de 35
U Plug, We Play David Middlehurst NEDSummit > Ireland Thursday 13 November 2014
Who am I? David Middlehurst Twitter: @dtmsecurity • Security Consultant • Specialisms: • Application Security • Develops Security Testing Tools • Previous Research • Near Field Communications (NFC) • Virtualisation
Agenda • Brief overview of UPnP • Introduce a new UPnP assessment tool • Tool overview • Demo • Authorisation • Common flaws and their implications • Places you might expect to find vulnerabilities • Conclusion
UPnP Universal Plug and Play (UPnP) allows devices to discover each others presence on a network and identify available services
UPnP – Basic Discovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
UPnP – NOTIFY Packet Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ ST: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
UPnP – M-SEARCH A device can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
UPnP – M-SEARCH Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
New Tool Is Born – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
UPnP Pentest Toolkit Windows GUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
Discovery
Interaction
Interaction
Spoofing
Spoofing
Learning
Spoofing – Learnt Device
Spoofing – Learnt Device
Windows Enumeration
Windows Network Device Spoofing
What happens if you click?
Demo
Authorisation - Bad Vendor Practices • Mostly: “What do you mean by authorisation?” • Intentional or not you see some security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
Authorisation - Good Vendor Practices
Flaws – M-SEARCH Spoofing “Devices respond by sending a 'HTTP 1/1 200’ response via UDP to the source IP and source port that the M-SEARCH packet originated from.” • 60% of devices I looked at will respond to any routable destination • Most will send traffic to any port We can cause devices to send UDP traffic to an arbitrary target
Flaws – External Device URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet • 40% of devices / apps that I looked at will make requests to any routable destination • Most will send traffic to any port We can cause devices to make a TCP connection and HTTP request to an arbitrary target HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
Flaws – External Traffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
Trust Boundaries Connect your work laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
Bugs to look for • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML based attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
Memory Management Many UPnP implementations reviewed have problems i.e. Lots of iOS apps
Where are we heading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum]. From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
Conclusion • I think UPnP can be a hidden gem on security assessments • Vendor best practices vary to huge degree • I have introduced some common classes of bug. I am sure there are plenty of bugs to be identified. • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started in carrying out research in this area
Get UPnP Pentest Toolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
Keep updated Tool: Via GitHub page or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

Recomendados

Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
Open Source Software
Open Source SoftwareOpen Source Software
Open Source SoftwareAndrew Nolen, MCJ/FP, CDCA
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008guest642391
 

Recomendados

Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
Open Source Software
Open Source SoftwareOpen Source Software
Open Source SoftwareAndrew Nolen, MCJ/FP, CDCA
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008guest642391
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrsSecurity Weekly
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Ollie Whitehouse
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksDefcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksPriyanka Aash
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt Baumgartner
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
Network Management (CEN166) Project Presentation By Matthew Utin
Network Management (CEN166) Project Presentation By Matthew UtinNetwork Management (CEN166) Project Presentation By Matthew Utin
Network Management (CEN166) Project Presentation By Matthew UtinMatthew Utin, Dip.IT, BSc (Hons) 1st Class
 
RPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesRPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesCal Leeming
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
Presentation.firewell.pptx
Presentation.firewell.pptxPresentation.firewell.pptx
Presentation.firewell.pptxyashukapil
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
DEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapDEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapFelipe Prado
 
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.HeadlessZeke
 

Mais conteúdo relacionado

Mais procurados

Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsPriyanka Aash
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Ollie Whitehouse
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksDefcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksPriyanka Aash
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopPriyanka Aash
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt Baumgartner
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Dncybersecurity
DncybersecurityDncybersecurity
DncybersecurityAnne Starr
 
RPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesRPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesCal Leeming
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON
 
Presentation.firewell.pptx
Presentation.firewell.pptxPresentation.firewell.pptx
Presentation.firewell.pptxyashukapil
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 

Mais procurados (20)

Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrs
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networksDefcon 22-gregory-pickett-abusing-software-defined-networks
Defcon 22-gregory-pickett-abusing-software-defined-networks
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Defcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shopDefcon 22-tim-mcguffin-one-man-shop
Defcon 22-tim-mcguffin-one-man-shop
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Network Management (CEN166) Project Presentation By Matthew Utin
Network Management (CEN166) Project Presentation By Matthew UtinNetwork Management (CEN166) Project Presentation By Matthew Utin
Network Management (CEN166) Project Presentation By Matthew Utin
 
RPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slidesRPS/APS vulnerability in snom/yealink and others - slides
RPS/APS vulnerability in snom/yealink and others - slides
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
Presentation.firewell.pptx
Presentation.firewell.pptxPresentation.firewell.pptx
Presentation.firewell.pptx
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
 

Semelhante a U Plug, We Play - NED Summit. Cork, Ireland

DEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapDEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapFelipe Prado
 
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.HeadlessZeke
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toasterguest66dc5f
 
Martin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalMartin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalPacSecJP
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7
 
Security flawsu pnp
Security flawsu pnpSecurity flawsu pnp
Security flawsu pnplosalamos
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.pptDetSersi
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
UPnP Forum Overview - H Elenbaas
UPnP Forum Overview - H ElenbaasUPnP Forum Overview - H Elenbaas
UPnP Forum Overview - H Elenbaasmfrancis
 
IoT prototyping made simple
IoT prototyping made simpleIoT prototyping made simple
IoT prototyping made simpleBhavana Srinivas
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxSuhailShaik16
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayKaren Oliver
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsIke Clinton
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testingAbdul Rahman
 

Semelhante a U Plug, We Play - NED Summit. Cork, Ireland (20)

DEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soapDEF CON 23 - Rickey Lawshae - lets talk about soap
DEF CON 23 - Rickey Lawshae - lets talk about soap
 
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.Let's Talk About SOAP, Baby. Let's Talk About UPnP.
Let's Talk About SOAP, Baby. Let's Talk About UPnP.
 
Dror-Crazy_toaster
Dror-Crazy_toasterDror-Crazy_toaster
Dror-Crazy_toaster
 
Martin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -finalMartin Zeiser, Universal Pwn n Play - pacsec -final
Martin Zeiser, Universal Pwn n Play - pacsec -final
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
 
Security flawsu pnp
Security flawsu pnpSecurity flawsu pnp
Security flawsu pnp
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
UPnP Forum Overview - H Elenbaas
UPnP Forum Overview - H ElenbaasUPnP Forum Overview - H Elenbaas
UPnP Forum Overview - H Elenbaas
 
UpnP in Digital Home Networking
UpnP in Digital Home NetworkingUpnP in Digital Home Networking
UpnP in Digital Home Networking
 
IoT prototyping made simple
IoT prototyping made simpleIoT prototyping made simple
IoT prototyping made simple
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of Things
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
 

Último

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

U Plug, We Play - NED Summit. Cork, Ireland

  • 1. U Plug, We Play David Middlehurst NEDSummit > Ireland Thursday 13 November 2014
  • 2. Who am I? David Middlehurst Twitter: @dtmsecurity • Security Consultant • Specialisms: • Application Security • Develops Security Testing Tools • Previous Research • Near Field Communications (NFC) • Virtualisation
  • 3. Agenda • Brief overview of UPnP • Introduce a new UPnP assessment tool • Tool overview • Demo • Authorisation • Common flaws and their implications • Places you might expect to find vulnerabilities • Conclusion
  • 4. UPnP Universal Plug and Play (UPnP) allows devices to discover each others presence on a network and identify available services
  • 5. UPnP – Basic Discovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
  • 6. UPnP – NOTIFY Packet Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ ST: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
  • 7. UPnP – M-SEARCH A device can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
  • 8. UPnP – M-SEARCH Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
  • 9. New Tool Is Born – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
  • 10. UPnP Pentest Toolkit Windows GUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
  • 21. What happens if you click?
  • 22. Demo
  • 23. Authorisation - Bad Vendor Practices • Mostly: “What do you mean by authorisation?” • Intentional or not you see some security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
  • 24. Authorisation - Good Vendor Practices
  • 25. Flaws – M-SEARCH Spoofing “Devices respond by sending a 'HTTP 1/1 200’ response via UDP to the source IP and source port that the M-SEARCH packet originated from.” • 60% of devices I looked at will respond to any routable destination • Most will send traffic to any port We can cause devices to send UDP traffic to an arbitrary target
  • 26. Flaws – External Device URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet • 40% of devices / apps that I looked at will make requests to any routable destination • Most will send traffic to any port We can cause devices to make a TCP connection and HTTP request to an arbitrary target HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
  • 27. Flaws – External Traffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
  • 28. Trust Boundaries Connect your work laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
  • 29. Bugs to look for • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML based attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
  • 30. Memory Management Many UPnP implementations reviewed have problems i.e. Lots of iOS apps
  • 31. Where are we heading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum]. From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
  • 32. Conclusion • I think UPnP can be a hidden gem on security assessments • Vendor best practices vary to huge degree • I have introduced some common classes of bug. I am sure there are plenty of bugs to be identified. • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started in carrying out research in this area
  • 33. Get UPnP Pentest Toolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
  • 34. Keep updated Tool: Via GitHub page or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
  • 35. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland