Let's talk about UPNP and DLNA protocols

Preface

There is no love, only technology. Let me share with you the UPnP and DLNA protocols.

The concept of UPnP

Universal Plug and Play (UPnP) is a set of network protocols promoted by the UPnP™ Forum. The goal of the protocol is to enable various devices in home networks (data sharing, communication and entertainment) and corporate networks to connect seamlessly to each other and simplify the implementation of related networks. UPnP achieves this goal by defining and publishing the UPnP device control protocol based on open, Internet communication network protocol standards. The concept of UPnP is derived from Plug-and-play, which is a hot-swap technology.

Generally speaking, it is currently used on routers, as shown in the following screenshot ;

About UPnP protocol stack;

About UPnP workflow

1. Addressing

DHCP protocol;

2. Discovery

The SSDP protocol is used, which is an HTTP protocol working on UDP ;

3. Description

By scanning ports and traversing paths, you can find the UPnP service interface of the router; of course, each manufacturer has its own fixed path suffix, which can also be searched online ;

 <?xml version="1.0"?>
 <root xmlns="urn:schemas-upnp-org:device-1-0">
 <specVersion>
 <major>1</major>
 <minor>0</minor>
 </specVersion>
 <device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType> //Device type, the format is: "urn:schemas-upnp-org:device:deviceType:v", where deviceType and v are defined by the device.
 <presentationURL>http://192.168.0.1:80</presentationURL>
 <friendlyName>Wireless N Router MW313R</friendlyName> //A more friendly device name
 <manufacturer>MERCURY</manufacturer> //Manufacturer
 <manufacturerURL>http://www.mercurycom.com.cn</manufacturerURL>
 <modelDescription>MW313R 5.0</modelDescription>
 <modelName>MW313R</modelName>
 <modelNumber>5.0</modelNumber>
 <UDN>uuid:upnp-InternetGatewayDevice-4D5A5C269D27</UDN> //Device UUID
 <UPC>123456789001</UPC>
 <serviceList>
 <service>
 <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
 <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
 <controlURL>/l3f</controlURL> //URL for control
 <eventSubURL>/l3f</eventSubURL> //URL for subscribing to events
 <SCPDURL>/l3f.xml</SCPDURL> // URL of service description
 </service>
 </serviceList>
 <deviceList>
 <device>
 <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
 <friendlyName>WAN Device</friendlyName>
 <manufacturer>MERCURY</manufacturer>
 <manufacturerURL>http://www.mercurycom.com.cn</manufacturerURL>
 <modelDescription>WAN Device</modelDescription>
 <modelName>WAN Device</modelName>
 <modelNumber>1.0</modelNumber>
 <modelURL></modelURL>
 <serialNumber>12345678900001</serialNumber>
 <UDN>uuid:upnp-WANDevice-4D5A5C269D27</UDN>
 <UPC>123456789001</UPC>
 <serviceList>
 <service>
 <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
 <serviceId>urn:upnp-org:serviceId:WANCommonInterfaceConfig</serviceId>
 <controlURL>/ifc</controlURL>
 <eventSubURL>/ifc</eventSubURL>
 <SCPDURL>/ifc.xml</SCPDURL>
 </service>
 </serviceList>
 <deviceList>
 <device>
 <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
 <friendlyName>WAN Connection Device</friendlyName>
 <manufacturer>MERCURY</manufacturer>
 <manufacturerURL>http://www.mercurycom.com.cn</manufacturerURL>
 <modelDescription>WAN Connection Device</modelDescription>
 <modelName>WAN Connection Device</modelName>
 <modelNumber>1</modelNumber>
 <modelURL></modelURL>
 <serialNumber>12345678900001</serialNumber>
 <UDN>uuid:upnp-WANConnectionDevice-4D5A5C269D27</UDN>
 <UPC>123456789001</UPC>
 <serviceList>
 <service>
 <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
 <serviceId>urn:upnp-org:serviceId:WANIPConnection</serviceId>
 <controlURL>/ipc</controlURL>
 <eventSubURL>/ipc</eventSubURL>
 <SCPDURL>/ipc.xml</SCPDURL>
 </service>
 </serviceList>
 </device>
 </deviceList>
 </device>
 </deviceList>
 </device>
 </root>

4. Control

Use SOAP protocol to complete control ;

5. Events

By returning an XML message, using the GENA format ;

UPnP related tests

miranda

I learned that Kali originally came with this tool, but it was deleted in the new version. I found the source file on GitHub and can use it; https://github.com/0x90/miranda-upnp ;

I'm not too sure why the new version of Kali deleted this tool, but I understand that UPnP is basically enabled by default on routers. Although the UPnP protocol does not have any authentication mechanism, the actual use scenario is still relatively weak. If the router is a public network IP, it is said that a channel can be built to go out of the network. Generally speaking, the router is a LAN IP, and then if it can be turned on, it has entered the intranet. There are many other ways to go out of the network. The UPnP protocol only builds a forwarding route, and the premise is that there is a problem with the forwarding IP .

Scan Mode:

• pcap: Passive discovery of devices obtains device information by sniffing the NOTIFY messages sent by the device when it accesses the network.
• msearch: discovers devices by actively sending M-serach messages. (Usually, msearch is faster) After testing, I couldn't find anything with msearch, but after scanning with msearch for a while, the results appeared immediately after cutting pcap .

Information Acquisition

After discovering the device, you can use the host command to view detailed information.

• host list: view the discovered device list;
• Host get: Get information (need to be executed before querying summary);
• host info: displays the queried information (n is the number of the device in the list);
• host summary 0: displays summary information of the XML file;

use

 host info 0 deviceList //Device list, or device information
 host info 0 deviceList WANConnectionDevice services //Device service list 

 host info 0 deviceList WANConnectionDevice services WANIPConnection serviceStateVariables //Service status list
 host info 0 deviceList WANConnectionDevice services WANIPConnection actions //Service control list, operation functions 

 host send 0 WANConnectionDevice WANIPConnection AddPortMapping //Rule configuration 

Log in to the backend and you can see that the rules have been configured and are effective ;

Analysis of other functions: some of these are actually customized by the manufacturer, and some are default built-in functions ;

 AddPortMapping : {}
 GetNATRSIPStatus : {}
 GetGenericPortMappingEntry: {}
 GetSpecificPortMappingEntry: {}
 ForceTermination : {}
 GetExternalIPAddress : {}
 GetConnectionTypeInfo : {}
 GetStatusInfo : {}
 SetConnectionType : {}
 DeletePortMapping : {}
 RequestConnection : {}

Tips: Since it is difficult to find the UPnP service, you need to rediscover it after being disconnected or exiting the process, and you can only wait. After searching, I found that the official provides storage and recovery functions ;

 upnp> save info 0 wrt54g
 Host info for '192.168.1.1:2869' saved to 'info_wrt54g.mir'

 upnp> save data wrt54g
 Host data saved to 'struct_wrt54g.mir'

 upnp> load struct_wrt54g.mir
 Host data restored:
 [0] 192.168.1.1:2869

A brief overview of DLNA

The Digital Living Network Alliance (DLNA) is an alliance organization composed of consumer electronics, mobile phone and computer manufacturers. The organization's goal is to create a set of industrial standards that can enable the products of various manufacturers to connect and adapt to each other, so as to realize digital life for consumers. Alliance members include many industry leaders such as Philips, Samsung Electronics, Panasonic, HP, Sony, Microsoft, Intel and Nokia.

In fact, DLNA should be a collective name for a series of protocol stacks, not a single protocol .

NetWorking Connectivity Network interconnection mode: 802.3 Ethernet, 802.11WiFi, 802.15 Bluetooth;

NetWorking Stack network protocol stack: IPv4, IPv6;

Device Discovery&Control: UPnP. For details, please refer to the relevant documents of UPnP.

Media Management: identification, management, distribution, and recording;

Media Transport: HTTP;

Media Formats: various audio and picture formats: avi, rmvb, mkv;

Remote UI remote user interface: interface;

It can be seen that the risk points are mainly in 3, 5, and 7. The analysis of 3 still refers to the UPnP section. 5 and 7 are regular http services. Since neither the design of DLNA nor the original design of UPnP protocol has the authentication and authorization link, it is mainly service discovery and request construction. As long as you can enter the local area network and connect to the service, you can call the service at will.

Since you don’t have a DLNA device, you can refer to: https://breezetemple.github.io/2019/02/25/dlan-introduction/.

From the article, we can find that both DLNA and UPnP use soap to complete control calls, and the format is xml; but miranda-upnp is for upnp, and I don't know if it can also discover DLNA services based on UPnP. Even if it can, it is estimated that the subsequent service discovery needs to adjust the source code xml parsing; refer to the source code parsing for details.

Summarize

Neither UPnP nor DLNA has a verification and authorization mechanism, which means that they can be called at will as long as they enter the local area network. If it is just UPnP, it is generally used for routing configuration and link forwarding on the router, and the service is generally turned on by default. This utilization scenario is relatively low-risk because it requires problems with other devices and the router has a public network IP address to achieve the utilization scenario of direct access to the public network. There is no need to use this scenario for other scenarios (it may also be that I did not think of it); DLNA services are generally used for screen projection, which can be used directly; then there are special scenarios, video stream pulling, operation command control, etc.

Leave a pit, miranda source code analysis;

refer to:

https://blog.csdn.net/braddoris/article/details/41646789

https://breezetemple.github.io/2019/02/25/dlan-introduction/

https://github.com/CharonChui/AndroidNote/blob/master/VideoDevelopment/DLNA%E7%AE%80%E4%BB%8B.md