Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Detecting UPnP With Nessus & PVS

Conficker Attacks UPnP

The Conficker worm behavior has been analyzed by many security professionals who have shared their findings with the community (the paper from SRI is a great example). One of the common findings is that Conficker will connect to the local route/gateway via UPnP and make changes to the firewall, if the firewall supports unauthenticated UPnP. If so, it uses UPnP to open a high numbered port in the firewall, allowing access to that port from the Internet. It then opens the same port on the infected host, and uses it to distribute the worm further across Internet. The use of UPnP as well as insecure UPnP devices can be detected by Tenable's Nessus and PVS products.

Identify UPnP With Nessus

To test how Nessus identifies UPnP, I setup a Linksys WRT54G V8 router, running the factory firmware, with UPnP enabled. I used Nessus to scan the WRT54G and two plugins detected the presence of UPnP on hosts and devices. There are other Nessus plugins that detect UPnP, but the following two provided the most interesting information. The first is plugin 35711, "UPnP discovery", which connects to UDP/1900 and tests to see if the host supports UPnP. This port is associated with SSDP, or Simple Service Discovery Protocol, used by systems implementing UPnP to advertise the services they are offering.


The above plugin queries the device and retrieves the UPnP configuration. Notice that the URL, is hosting an XML file which contains the complete UPnP configuration and supporting features. If this exists, Nessus plugin 35709, "UPnP Internet Gateway Device", will connect to the TCP port found hosting the XML file (in this case 2869/TCP) and attempt to create a new firewall rule using UPnP. If successful, you will see an entry as shown in the following report:


Detect UPnP with PVS

The Tenable Passive Vulnerability Scanner (PVS ) can passively detect UPnP activity on the network. Below you can see the UPnP activity flagged in a summary report on the Tenable Security Center:


You can also view the details on this alert to see which host triggered it:


Detecting Change With LCE

The Tenable LCE (Log Correlation Engine) will also detect if a firewall supporting UPnP rules is updated. Most firewall/SOHO routers will generate a log entry as follows:

Fri Mar 13 08:32:09 2009 D-Link Systems DIR-825 System Log: UPnP added entry TCP timeout:-1 'uTorrent (TCP)'

Fri Mar 13 08:32:09 2009 D-Link Systems DIR-825 System Log: UPnP added entry UDP timeout:-1 'uTorrent (UDP)'

This particular entry comes from a Dlink DIR-825 and shows IP address and port pairs, displayed in bold, that were opened using UPnP. Both TCP and UDP ports 47944 were opened from host to host The application name is included at the end of each entry, in this case uTorrent. uTorrent is the application running on and most likely opens the specified ports to allow BitTorent traffic (uTorrent is a popular BiTorent client). If this device is is configured to send logs to the LCE, you will see the change detected as shown below:


The above graph depicts the detected change as occurring 163 times in a 24 hour period. If the device is a firewall, as in this example, this is a significant number of changes for the time frame and deserves further investigation.


The availability of UPnP services poses a risk to your network as it can allow unauthenticated requests change device settings. Enterprise firewalls often do not support this feature (although most support TFTP which also does not have authentication built-in). This does not mean UPnP is absent from corporate networks, users could bring UPnP capable devices to work, and other embedded devices will typically support UPnP (network-based web cameras for example). Don't just rely on your firewalls to make sure UPnP is not enabled in your environment: scan your network to make sure.


Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.