Spoofing SSDP and UPnP Devices with EvilSSDP

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Check https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/ for further information.

SSDP & UPnP Overview

SSDP (Simple Service Discovery Protocol) is utilized for network service advertising and discovery, operating on UDP port 1900 without needing DHCP or DNS configurations. It's fundamental in UPnP (Universal Plug and Play) architecture, facilitating seamless interaction among networked devices like PCs, printers, and mobile devices. UPnP's zero-configuration networking supports device discovery, IP address assignment, and service advertising.

UPnP Flow & Structure

UPnP architecture comprises six layers: addressing, discovery, description, control, eventing, and presentation. Initially, devices attempt to obtain an IP address or self-assign one (AutoIP). The discovery phase involves the SSDP, with devices actively sending M-SEARCH requests or passively broadcasting NOTIFY messages to announce services. The control layer, vital for client-device interaction, leverages SOAP messages for command execution based on device descriptions in XML files.

IGD & Tools Overview

IGD (Internet Gateway Device) facilitates temporary port mappings in NAT setups, allowing command acceptance via open SOAP control points despite standard WAN interface restrictions. Tools like Miranda aid in UPnP service discovery and command execution. Umap exposes WAN-accessible UPnP commands, while repositories like upnp-arsenal offer an array of UPnP tools. Evil SSDP specializes in phishing via spoofed UPnP devices, hosting templates to mimic legitimate services.

Evil SSDP Practical Usage

Evil SSDP effectively creates convincing fake UPnP devices, manipulating users into interacting with seemingly authentic services. Users, tricked by the genuine appearance, may provide sensitive information like credentials. The tool's versatility extends to various templates, mimicking services like scanners, Office365, and even password vaults, capitalizing on user trust and network visibility. Post credential capture, attackers can redirect victims to designated URLs, maintaining the deception's credibility.

Mitigation Strategies

To combat these threats, recommended measures include:

Disabling UPnP on devices when not needed.
Educating users about phishing and network security.
Monitoring network traffic for unencrypted sensitive data.

In essence, while UPnP offers convenience and network fluidity, it also opens doors to potential exploitation. Awareness and proactive defense are key to ensuring network integrity.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

PreviousSpoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks NextPentesting Wifi

Last updated 2 months ago