SSDP Scanning for UPnP Vulnerabilities

One day I was monitoring a system for network traffic and noticed that an SSDP service was communicating out from the machine to the IPv4 and IPv6 broadcast ranges. Kind of odd, as the machine was firewalled and should not have been communicating with anything at that time.

So what was it?

SSDP (Simple Service Discovery Protocol) is a protocol that advertises and looks for network services. On Windows systems, the SSDP service handles communication for the Universal Plug and Play feature (UPnP).

Well, UPnP has not been without its issues, and earlier this year HD Moore of Rapid7 created a utility that will both scan for SSDP communication and notify you if the system is vulnerable to UPnP exploits.

What is interesting about the “UPnP SSDP M-SEARCH Information Discovery” tool is that it not only tells you if the machine is vulnerable to UPnP exploits, but also returns interesting information about the machine.

So if the system isn’t vulnerable, chances are that you will at least be able to tell that:

  • It is up and running
  • The service that is running
  • And a valid user name!

The search tool is already included in Metasploit. So all you need to do is run it and feed it a network range:

[Screenshot: SSDP search]

Then type “run” or “exploit” and it will scan the network range looking for systems advertising UPnP services:

[Screenshot: SSDP search results 1]

Okay, it found one. It doesn’t appear to be vulnerable; if it were, the UPnP vulnerabilities would be listed in the returned results.

But notice that there is an HTML link. In this case, if we click the link, we are presented with a bunch of information that includes the machine name and a valid user name!

[Screenshot: User results]

As you can see from the scan results above, the Media Server was running on this machine, and a valid PC name and user name are listed (blocked out to protect the innocent).

For security departments, running this utility against your company will quickly show any services that are being openly broadcast on your net. If these services are reachable from the internet (over 40 million are!) then you have some serious configuration issues that need to be addressed.
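For a quick inventory without Metasploit, here is an added example (my own code, not part of the original post or of the Metasploit module auxiliary/scanner/upnp/ssdp_msearch) that sends the same kind of SSDP M-SEARCH probe to the multicast group and parses what answers, pulling out the LOCATION link the post follows, the SERVER banner and the advertised service type. The sample reply at the bottom is constructed, not a real capture.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # IPv4 SSDP multicast group and port

def build_msearch(st="ssdp:all", mx=2):
    # The M-SEARCH probe; MX asks responders to spread replies over up to `mx` seconds.
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode("ascii")

def parse_ssdp_response(raw):
    # SSDP replies are HTTP-style: a status line, then "Name: value" headers. Return None
    # for anything that is not a 200 OK so stray datagrams on port 1900 are ignored.
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def summarize(headers):
    # Fields worth keeping in an inventory: where the device description XML lives
    # (the LOCATION link), which UPnP stack answered, and what it advertises.
    return {k.lower(): headers.get(k, "") for k in ("LOCATION", "SERVER", "ST", "USN")}

def discover(timeout=3.0):
    # Send one probe and collect replies until the timeout; returns {responder_ip: summary}.
    # Run this from inside the network you are auditing (multicast does not cross routers).
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, (ip, _) = s.recvfrom(65535)
                hdrs = parse_ssdp_response(data)
                if hdrs:
                    found[ip] = summarize(hdrs)
        except socket.timeout:
            pass
    return found

# Constructed sample reply (not a real capture) in the shape a Windows media server sends.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.0.2.10:2869/upnphost/device.xml\r\n"
                b"SERVER: Microsoft-Windows/6.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
                b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
```

Call `discover()` on the network to get a per-IP summary; anything whose LOCATION URL is reachable from outside your perimeter is the configuration problem the post is talking about.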

Secure E-Mails Services Going Offline – NSA replacing Snowdens with Machines

Looks like the privacy war continues to heat up. Though the NSA claims that they are not reading everyone’s mail, two secure online e-mail providers just shut down citing pressure from the US government. Also, Gen. Keith Alexander wants to replace NSA system administrators (like Snowden) with machines!

First, Snowden’s e-mail provider Lavabit closed its doors:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Ladar Levison
Owner and Operator, Lavabit LLC

And now Silent Circle has announced that they too are shutting down:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

Crazy stuff, and the news just keeps getting better. This morning, Fox News announced that in an effort to reduce leaks, NSA Chief Gen. Keith Alexander wants to replace up to 90% of its systems administrators with… machines.

“We trust people with data. At the end of the day it’s all about trust. If they misuse that trust, they can cause huge damage,” he said.

Misusing trust? Umm… Yeah, it’s like that…