@brannondorsey
Created April 20, 2018 03:58
UPnP Tomfoolery

Turns out, UPnP is terrible when it comes to security. The entire protocol exists to have devices easily find and connect to one another without any authentication at all. This is all good fun to poke around with. Here are a few tools and notes I've found along the way.

UPnP devices announce themselves over SSDP, so they can be found passively by listening for multicast UDP packets on port 1900. To actively discover these services on your network, send an HTTP M-SEARCH request to the default UDP multicast address, 239.255.255.250, on port 1900.
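To show what that M-SEARCH probe looks like on the wire and how a reply is read, here is an added Python example of my own; it is not part of the gist and not code from the gupnp or miniupnp projects. It builds the HTTPU request, parses a reply into its headers, flags replies that advertise an Internet Gateway Device, and, when run as a script, sends the probe on the local network and collects what answers. The SSDP reply embedded at the bottom is constructed for the test, not captured from a real device.

```python
import socket
from typing import Dict, List

# SSDP multicast group and port used by UPnP discovery
SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the HTTPU M-SEARCH probe. ST selects what should answer
    (ssdp:all = everything, or a specific device/service URN)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",  # max seconds a device may wait before replying
        f"ST: {st}",
        "",
        "",  # the empty line terminates the header block (CRLF CRLF)
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> Dict[str, str]:
    """Return the headers of an 'HTTP/1.1 200 OK' SSDP reply as a dict with
    lower-cased names. Anything else seen on the socket (NOTIFY announcements,
    other hosts' M-SEARCH probes) yields {}."""
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers: Dict[str, str]) -> bool:
    """True when the reply advertises an Internet Gateway Device (a router
    whose port-mapping table is worth auditing)."""
    return ("InternetGatewayDevice" in headers.get("st", "")
            or "InternetGatewayDevice" in headers.get("usn", ""))


def discover(st: str = "ssdp:all", mx: int = 2, timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect distinct replies until the socket goes quiet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    seen = set()
    try:
        sock.sendto(build_msearch(st, mx), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if not hdrs:
                continue
            key = (ip, hdrs.get("usn", ""))  # one entry per device/service pair
            if key in seen:
                continue
            seen.add(key)
            hdrs["_from"] = ip
            found.append(hdrs)
    except socket.timeout:
        pass  # no more replies within the window
    finally:
        sock.close()
    return found


# Constructed sample: the shape of an IGD's reply to an M-SEARCH. The IP, port
# and UUID are placeholders, not values captured from a real router.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for dev in discover():
        tag = "IGD" if is_igd(dev) else "   "
        print(f"{tag} {dev['_from']:15} {dev.get('st', '?')}  {dev.get('location', '?')}")
```

The LOCATION header is the URL of the device description XML, which is where the control URLs for the device's services come from; the ST/USN headers are what tell you whether a reply is a router (IGD) or, say, a media server, so an inventory run on your own LAN can single out the gateways whose mappings deserve a look.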

There are some great Linux tools that make interfacing with all of this a cinch:

sudo apt update
# install the MiniUPnP Client and gUPnP Tools
sudo apt install miniupnpc gupnp-tools

gupnp-universal-cp is a great GUI tool that behaves as a general purpose UPnP control point. You can use it to discover services, but even more exciting, actually interface with the services directly and make RPC calls without having to get your hands dirty writing nasty SOAP XML. If your network doesn't have any UPnP devices, you can use the gupnp-network-light for testing.

To discover these services in the terminal instead, you can run gssdp-discover.

UPnP Internet Gateway Device (IGD)

Turns out most home routers have UPnP enabled by default and implement UPnP IGD. This allows any unauthenticated device on the network to do all kinds of nastiness to your router. The most interesting/damaging thing you can do is add arbitrary port forwarding rules with NO AUTHENTICATION. Supposedly this exists so that games and other software can easily open and manage inbound port connections. Sounds like a security nightmare...

upnpc is a nifty little CLI tool for interfacing with routers that support UPnP IGD:

# discover a UPnP IGD device and get status info
upnpc -s

# list the current port mappings
upnpc -l

# add a new port forwarding entry
# internal_ip internal_port external_port protocol
upnpc -a 192.168.1.199 8080 8888 tcp

# delete a port mapping entry
# external_port protocol
upnpc -d 8888 tcp
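
Since anything on the LAN can add a mapping, the check worth running on your own router is the reverse of the commands above: read the whole mapping table and see whether every entry points at a host you meant to expose. The Python below is an added example of my own, not code from the gist or from miniupnpc; it does what `upnpc -l` does under the hood (walking GetGenericPortMappingEntry on the WANIPConnection service until the IGD says the table is exhausted) and then reports entries whose internal target is not on an allow-list you supply. The control URL is a placeholder that has to be replaced with the one from your router's device description (the LOCATION URL from its SSDP reply), and the embedded SOAP reply is constructed to mirror the gist's `upnpc -a 192.168.1.199 8080 8888 tcp` call, not captured from a real device.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Service type most home IGDs expose for NAT mappings (PPPoE routers use
# WANPPPConnection:1 instead; pass that as service_type if yours does)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_soap(service_type: str, action: str, args: Dict[str, str]) -> Tuple[bytes, Dict[str, str]]:
    """Wrap a UPnP action and its input arguments in the SOAP envelope and
    headers an IGD control endpoint expects."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{arg_xml}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#{action}"',
    }
    return envelope.encode("utf-8"), headers


def parse_mapping(xml_bytes: bytes) -> Dict[str, str]:
    """Collect the New* output arguments of a GetGenericPortMappingEntry reply
    into a dict keyed without the 'New' prefix (ExternalPort, InternalClient, ...)."""
    root = ET.fromstring(xml_bytes)
    fields: Dict[str, str] = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop any namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def fetch_mapping(control_url: str, index: int, service_type: str = WANIP) -> Optional[Dict[str, str]]:
    """Fetch mapping number `index`. Returns None once the table is exhausted:
    past the last entry the IGD answers HTTP 500 carrying SOAP error 713
    (SpecifiedArrayIndexInvalid), which urllib raises as HTTPError."""
    body, headers = build_soap(service_type, "GetGenericPortMappingEntry",
                               {"NewPortMappingIndex": str(index)})
    req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_mapping(resp.read())
    except urllib.error.HTTPError:
        return None


def list_mappings(control_url: str, service_type: str = WANIP, limit: int = 256) -> List[Dict[str, str]]:
    """Walk indices 0..limit-1 until the IGD reports the end of the table."""
    mappings: List[Dict[str, str]] = []
    for i in range(limit):
        m = fetch_mapping(control_url, i, service_type)
        if m is None:
            break
        mappings.append(m)
    return mappings


def flag_unexpected(mappings: List[Dict[str, str]], expected_clients: set) -> List[Dict[str, str]]:
    """Mappings whose internal target is not on the allow-list. These are the
    ones to review and remove (upnpc -d external_port protocol)."""
    return [m for m in mappings if m.get("InternalClient") not in expected_clients]


# Constructed reply for index 0, shaped like what an IGD returns after the
# gist's `upnpc -a 192.168.1.199 8080 8888 tcp`; not captured from a real router.
SAMPLE_MAPPING_REPLY = (
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><u:GetGenericPortMappingEntryResponse '
    b'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>8888</NewExternalPort>'
    b'<NewProtocol>TCP</NewProtocol><NewInternalPort>8080</NewInternalPort>'
    b'<NewInternalClient>192.168.1.199</NewInternalClient><NewEnabled>1</NewEnabled>'
    b'<NewPortMappingDescription>example mapping</NewPortMappingDescription>'
    b'<NewLeaseDuration>0</NewLeaseDuration>'
    b'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    # Placeholder control URL: take the real one from the WANIPConnection
    # service entry in the router's rootDesc.xml.
    CONTROL_URL = "http://192.168.1.1:49152/ctl/IPConn"
    ALLOWED = {"192.168.1.10"}  # hosts you actually intend to expose
    for m in flag_unexpected(list_mappings(CONTROL_URL), ALLOWED):
        print(f"unexpected: {m.get('Protocol')} {m.get('ExternalPort')} -> "
              f"{m.get('InternalClient')}:{m.get('InternalPort')} "
              f"({m.get('PortMappingDescription')})")
```

Running this on a schedule (or comparing its output against a saved baseline) turns the unauthenticated mapping table into something you can at least watch; the longer-term fix is disabling UPnP IGD on the router if nothing you run actually needs it.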