mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-21 02:23:30 +00:00
282 lines
18 KiB
Markdown
282 lines
18 KiB
Markdown
# Spoofing SSDP and UPnP Devices with EvilSSDP
|
||
|
||
<details>
|
||
|
||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|
||
|
||
**This post was copied from** [**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/)
|
||
|
||
## **Introduction**
|
||
|
||
### **What is SSDP?**
|
||
|
||
SSDP or Simple Service Discovery Protocol is a network protocol designed for **advertisement and discovery of network services**. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on **port 1900**. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.
|
||
|
||
### **What are UPnP devices?**
|
||
|
||
UPnP or Universal Plug and Play is a set of **networking protocols** that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to **discover each other’s availability on the network** and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, **announce its name, advertise or convey its capabilities** upon request, and learn about the presence and capabilities of other devices.
|
||
|
||
### **Flow**
|
||
|
||
The **UPnP** stack consists of **six layers**: addressing, discovery, description, control, eventing, and presentation.
|
||
|
||
In the addressing layer, UPnP-enabled systems try to get an IP address through **DHCP**. If that isn’t possible, they’ll **self-assign an address** from the 169.254.0.0/16 range (RFC 3927), a process known as AutoIP.
|
||
|
||
Next is the discovery layer, in which the system searches for other devices on the network using the **Simple Service Discovery Protocol** (SSDP). The two ways to discover devices are **actively** and **passively**. When using the **active** method, UPnP-capable devices **send a discovery message** (called an **M-SEARCH request**) to the multicast address **239.255.255.250 on UDP port 1900.** We call this request HTTPU (HTTP over UDP) because it contains a header similar to the HTTP header. The M-SEARCH request looks like this:
|
||
|
||
```
|
||
M-SEARCH * HTTP/1.1
|
||
ST: ssdp:all
|
||
MX: 5
|
||
MAN: ssdp:discover
|
||
HOST: 239.255.255.250:1900
|
||
```
|
||
|
||
UPnP systems that listen for this request are expected to reply with a **UDP unicast message that announces the HTTP location of the description XML** file, which lists the device’s supported services.
|
||
|
||
When using the **passive** **method** for discovering devices, UPnP-capable devices periodically announce their services on the network by sending a **NOTIFY message to the multicast address** 239.255.255.250 on UDP port 1900. This message, which follows, looks like the one sent as a response to the active discovery:
|
||
|
||
```
|
||
NOTIFY * HTTP/1.1\r\n
|
||
HOST: 239.255.255.250:1900\r\n
|
||
CACHE-CONTROL: max-age=60\r\n
|
||
LOCATION: http://192.168.10.254:5000/rootDesc.xml\r\n
|
||
SERVER: OpenWRT/18.06-SNAPSHOT UPnP/1.1 MiniUPnPd/2.1\r\n
|
||
NT: urn:schemas-upnp-org:service:WANIPConnection:2
|
||
```
|
||
|
||
The description of every UPnP profile is referenced in either the LOCATION field value of the response message received during active discovery or the NOTIFY message received during passive discovery.
|
||
|
||
The **control layer** is probably the most **important** one; it allows **clients to send commands** to the UPnP device using the URLs from the description file. They can do this using the Simple Object Access Protocol (**SOAP**), a messaging protocol that uses XML over HTTP. Devices send SOAP requests to the controlURL endpoint, described in the \<service> tag inside the description file. A \<service> tag looks like this:
|
||
|
||
```xml
|
||
<service>
|
||
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:2</serviceType>
|
||
<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
|
||
<SCPDURL>/WANIPCn.xml</SCPDURL>
|
||
<controlURL>/ctl/IPConn</controlURL>
|
||
<eventSubURL>/evt/IPConn</eventSubURL>
|
||
</service>
|
||
```
|
||
|
||
### **IGD - Internet Gateway Device**
|
||
|
||
**IGD** maps ports in network address translation (NAT) setups. IGD **allows** an application to dynamically **add a temporary port mapping on the router** for a certain time period (without needing the user to perform any manual step).
|
||
|
||
Most devices **don’t** normally **accept** **SSDP** packets through the **WAN** **interface**, but some of them can still **accept IGD** commands through open SOAP control points.
|
||
|
||
In the **Umap tool section** you can find a way to exploit this vector.
|
||
|
||
## **Tools**
|
||
|
||
### **Miranda**
|
||
|
||
[**Miranda**](https://raw.githubusercontent.com/0x90/miranda-upnp/master/src/miranda.py) is a **python2** **UPnP** **client** that can be useful to **discover** UPnP services, get the **details** and **send commands** to them:
|
||
|
||
```
|
||
upnp> msearch
|
||
|
||
Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop...
|
||
|
||
|
||
SSDP reply message from 192.168.1.254:49152
|
||
XML file is located at http://192.168.1.254:49152/wps_device.xml
|
||
Device is running Unspecified, UPnP/1.0, Unspecified
|
||
|
||
|
||
|
||
SSDP reply message from 192.168.1.254:53350
|
||
XML file is located at http://192.168.1.254:53350/37699b14/rootDesc.xml
|
||
Device is running Linux/3.4.11 UPnP/1.0 MiniUPnPd/1.9
|
||
|
||
|
||
upnp> host list
|
||
[0] 192.168.1.254:49152
|
||
[1] 192.168.1.254:53350
|
||
|
||
upnp> host get 0
|
||
upnp> host details 0
|
||
|
||
Host name: 192.168.1.254:49152
|
||
UPNP XML File: http://192.168.1.254:49152/wps_device.xml
|
||
|
||
|
||
Device information:
|
||
Device Name: WFADevice
|
||
Service Name: WFAWLANConfig
|
||
controlURL: wps_control
|
||
eventSubURL: wps_event
|
||
serviceId: urn:wifialliance-org:serviceId:WFAWLANConfig1
|
||
SCPDURL: wps_scpd.xml
|
||
fullName: urn:schemas-wifialliance-org:service:WFAWLANConfig:1
|
||
ServiceActions:
|
||
PutMessage
|
||
NewInMessage
|
||
InMessage:
|
||
dataType: bin.base64
|
||
|
||
[...]
|
||
|
||
upnp> host send 0 WFADevice WFAWLANConfig PutMessage
|
||
```
|
||
|
||
### Umap
|
||
|
||
The tool [**umap**](https://github.com/0x90/upnp-arsenal/blob/master/umap-bypass.py) can help to **discover upnp commands** that are **available** from **WAN** interfaces even if those aren't advertised in those interfaces (this is because of buggy implementations). Note that if, for example, you are testing a router and you have access to it from both the internal network and the WAN interface, you should try to **enumerate all the services from the internal** network (using **miranda** for example) and then try to **call those services from the external** network.
|
||
|
||
### **Other UPnP Tools**
|
||
|
||
Find in [**https://github.com/0x90/upnp-arsenal**](https://github.com/0x90/upnp-arsenal) more upnp tools
|
||
|
||
### **Evil SSDP**
|
||
|
||
The Evil SSDP too was developed by [initstring](https://twitter.com/init\_string). This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.
|
||
|
||
```bash
|
||
git clone https://github.com/initstring/evil-ssdp.git
|
||
cd evil-ssdp/ls
|
||
python3 evil-ssdp.py --help
|
||
```
|
||
|
||
![](https://i0.wp.com/1.bp.blogspot.com/-O6lddDvxqts/Xkq5PHqeE\_I/AAAAAAAAisQ/FKOCxVwT9cMy54lLy0SsYcKoM5Q95K5mQCLcBGAsYHQ/s1600/1.png?w=687\&ssl=1)
|
||
|
||
In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.
|
||
|
||
## **Spoofing Scanner SSDP**
|
||
|
||
Now, that we ran the tool without any issues, let’s use it to gain some sweet credentials. In this first Practical, we will be spoofing a Scanner as a reliable UPnP device. To begin, we will have to configure the template.
|
||
|
||
### **Template Configuration**
|
||
|
||
To use the tool, we will have to provide the network interface. Here, on our attacker machine, we have the “eth0” as our interface, you can find your interface using the “ifconfig” command.
|
||
|
||
After providing the interface, we will use the “–template” parameter to pass a template that we found earlier in the templates directory. To spoof a scanner, we will be running the following command. As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888. We also have the SMB pointer hosted as well.
|
||
|
||
```bash
|
||
ls temlates/
|
||
python3 evil-ssdp.py eth0 --template scanner
|
||
```
|
||
|
||
![](https://i0.wp.com/1.bp.blogspot.com/-kg05jQ03Fnw/Xkq5Qing\_qI/AAAAAAAAisk/GYK8MuCKqKUalqh3DHGWVRoyDlAQaxUrwCLcBGAsYHQ/s1600/2.png?w=687\&ssl=1)
|
||
|
||
### **Manipulating User**
|
||
|
||
The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.
|
||
|
||
![](https://i1.wp.com/1.bp.blogspot.com/-\_05xXp10Buk/Xkq5Qz4yosI/AAAAAAAAiso/HdHr0qJ59rkR2ur\_UYcrHMdf93uqMhXUwCLcBGAsYHQ/s1600/3.png?w=687\&ssl=1)
|
||
|
||
Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.
|
||
|
||
![](https://i2.wp.com/1.bp.blogspot.com/-lp2DBNRl12A/Xkq5RBtGvgI/AAAAAAAAiss/G9jSOVdBO4wnRKixpXlbj6BJeCTBWz7cACLcBGAsYHQ/s1600/4.png?w=687\&ssl=1)
|
||
|
||
### **Grabbing the Credentials**
|
||
|
||
As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.
|
||
|
||
![](https://i1.wp.com/1.bp.blogspot.com/-RAI02igc4F4/Xkq5RSJ3j2I/AAAAAAAAisw/p47jd\_jyyAE3RQIpms6nd-TzsPygD4CXQCLcBGAsYHQ/s1600/5.png?w=687\&ssl=1)
|
||
|
||
## **Spoofing Office365 SSDP**
|
||
|
||
In the previous practical, we spoofed the scanner to the target user. Now, ongoing through the template directory, we found the Office365 template. Let’s use it.
|
||
|
||
### **Template Configuration**
|
||
|
||
As we did previously, let’s begin with the configuration of the template as well as the tool. We are going to use the python3 to run the tool followed by the name of the python file. Then providing the network interface which indeed will be followed by the template parameter with the office365.
|
||
|
||
```bash
|
||
python3 evil-ssdp.py eth0 --template office365
|
||
```
|
||
|
||
![](https://i1.wp.com/1.bp.blogspot.com/-8GWxmKPDkIo/Xkq5RmgF8\_I/AAAAAAAAis0/bxVTcd4aBCUZBEDuUIg3-G39aMu7l5YCgCLcBGAsYHQ/s1600/6.png?w=687\&ssl=1)
|
||
|
||
As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888.
|
||
|
||
### **Manipulating User**
|
||
|
||
As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.
|
||
|
||
![](https://i0.wp.com/1.bp.blogspot.com/-txqBOw02D6w/Xkq5RgolUcI/AAAAAAAAis4/wkQTzYBmtdU\_Nbq9X1qI47FlJtdqHvIjQCLcBGAsYHQ/s1600/7.png?w=687\&ssl=1)
|
||
|
||
Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.
|
||
|
||
![](https://i1.wp.com/1.bp.blogspot.com/-69Tf3PRpvhM/Xkq5RziDXzI/AAAAAAAAis8/vjejKgh0XigRHFC2Ib8QCpPlzx\_RAu4eACLcBGAsYHQ/s1600/8.png?w=687\&ssl=1)
|
||
|
||
### **Grabbing the Credentials**
|
||
|
||
As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.
|
||
|
||
![](https://i0.wp.com/1.bp.blogspot.com/-3KXN6DKT\_E0/Xkq5SEwhKHI/AAAAAAAAitA/a2gTi5UwNE0JsMH-XQEW33MchkxgjPGSwCLcBGAsYHQ/s1600/9.png?w=687\&ssl=1)
|
||
|
||
## **Diverting User to a Password Vault SSDP**
|
||
|
||
Until now, we successfully spoofed the target user to gain some scanner credentials and some Office365 backup credentials. But now we go for the most important thing that is used as a UPnP, The Password Vault.
|
||
|
||
### **Template Configuration**
|
||
|
||
As we did in our previous practices, we will have to set up the template for the password-vault. In no time, the tool hosts the password-vault template onto the port 8888.
|
||
|
||
```bash
|
||
python3 evil-ssdp.py eth0 --template password-vault
|
||
```
|
||
|
||
![](https://i2.wp.com/1.bp.blogspot.com/-YPQirClmWN4/Xkq5O5WFgoI/AAAAAAAAisI/4\_i4ogVRWE0C\_ez3p6EkL8YdJ0ot48DmwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
|
||
|
||
### **Manipulating User**
|
||
|
||
Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.
|
||
|
||
![](https://i2.wp.com/1.bp.blogspot.com/-3oMPYaCZ46k/Xkq5PB4zQ\_I/AAAAAAAAisM/i5C8qZVB8RYWBwAkiKCZbdptIbsnk4CUwCLcBGAsYHQ/s1600/11.png?w=687\&ssl=1)
|
||
|
||
As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.
|
||
|
||
![](https://i0.wp.com/1.bp.blogspot.com/-SrCMlWIUxCM/Xkq5Pg\_IznI/AAAAAAAAisU/L\_ZIvQKfltkyk9iUCrEGyXCojx5b86uFgCLcBGAsYHQ/s1600/12.png?w=687\&ssl=1)
|
||
|
||
## **Spoofing Microsoft Azure SSDP**
|
||
|
||
While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing. This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil\_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.
|
||
|
||
To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the (-u) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.
|
||
|
||
```bash
|
||
python3 evil-ssdp.py eth0 --template microsoft-azure -u https://malicous-site.com
|
||
```
|
||
|
||
![](https://i2.wp.com/1.bp.blogspot.com/-ReHCqgFazX0/Xkq5QBiQ7jI/AAAAAAAAisY/\_DFdnzBpSGY1iDP1YJxeVTHF3iS5PZnqwCLcBGAsYHQ/s1600/13.png?w=687\&ssl=1)
|
||
|
||
### **Manipulating User**
|
||
|
||
Now that we have started the tool, it will create a UPnP device on the Target Machine as shown in the image given below. For the attack to be successful, the target needs to click on the device.
|
||
|
||
![](https://i1.wp.com/1.bp.blogspot.com/-rROTfEGP3z8/Xkq5QBn46dI/AAAAAAAAisc/7RDv7fI3BPYt1XmrKVRKOEHurkGY1xeogCLcBGAsYHQ/s1600/14.png?w=687\&ssl=1)
|
||
|
||
After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.
|
||
|
||
![](https://i2.wp.com/1.bp.blogspot.com/-gU36s2kyIbg/Xkq5QVRh61I/AAAAAAAAisg/hN3uVMTPh-suDiH5ID3-mWcQiNvDVYeJACLcBGAsYHQ/s1600/15.png?w=687\&ssl=1)
|
||
|
||
This concludes our practical of this awesome spoofing tool.
|
||
|
||
## **Mitigation**
|
||
|
||
* Disable UPnP devices.
|
||
* Educate Users to prevent phishing attacks
|
||
* Monitor the network for the password travel in cleartext.
|
||
|
||
<details>
|
||
|
||
<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|