UPnP Mapping

Presented at DEF CON 19 (2011), Aug. 5, 2011, 5 p.m. (20 minutes)

Universal Plug and Play(UPnP) is a technology developed by Microsoft in 1999, as a solution for NAT traversal(among other things). This talk explores the exploiting of port mapping services in UPnP/IGD devices from the WAN. It also talks about a tool called Umap to help process the UPnP requests. Attacking UPnP allows attackers to use devices as a proxy that can establish connections to internal and external IP addresses. The software allows scanning internal hosts behind the device NAT, manual port-mapping(WAN to LAN, WAN to WAN) and a SOCKSv4 proxy service that automatically maps requests to UPnP devices. Most UPnP attacks have focused on the exploiting of UPnP from the LAN side of the device, this talk focuses on attacking from the WAN side. Attackers can use these techniques to hide IP addresses and attack internal hosts behind common household gateway devices.

Presenters:

• Daniel Garcia
  Daniel Garcia (FormateZ on Undernet) is a security researcher/consultant with 15+ years of experience in security. He also founded Toor, a security consultant group that focuses on penetration testing, secure architectures and application assesments.Aside from security, he has also worked with numerous projects and platforms like DOCSIS, Wimax, Wi-Fi(city-wide), PLC and DHE.

Links:

• https://defcon.org/html/defcon-19/dc-19-speakers.html#Garcia
• https://infocon.org/cons/DEF CON/DEF CON 19/DEF CON 19 video and slides/DEF CON 19 - Daniel Garcia - UPnP Mapping - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=FU6qX0-GHRU

Similar Presentations:

• ekoparty 14 (2018) / How To Hack SD-WAN And Keep Your Sanity?
• DEF CON 29 (2021) / UPnProxyPot: fake the funk, become a blackhat proxy, MITM their TLS, and scrape the wire
• THOTCON 0x9 (2018) / IP You P, We All P on UPnP