Skip to content

Instantly share code, notes, and snippets.

@reelsense

reelsense/brute_upnproxy.sh

Created May 29, 2018 20:27
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save reelsense/b0eb31e1c93f4695e5444d3c8ce8474d to your computer and use it in GitHub Desktop.
Save reelsense/b0eb31e1c93f4695e5444d3c8ce8474d to your computer and use it in GitHub Desktop.
Download ZIP
The best way to identify if a device is vulnerable or actively being leveraged for UPnProxying is to scan the endpoint and audit your NAT table entries.
Raw
brute_upnproxy.sh
#!/bin/bash
url=$1
soap_head='<?xml version="1.0" encoding="utf-8"?><s:Envelopes:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="urn:upnporg:serviceId:WANIPConnection.1#GetGenericPortMappingEntry"><NewPortMappingIndex>'soap_tail='</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
for i in `seq 1 1000`; do
payload=$soap_head$i$soap_tail
curl -H 'Content-Type: "text/xml;charset=UTF-8"' -H 'SOAPACTION: "urn:schemasupnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"'--data "$payload"
"$url"
echo ""
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment