Miranda UPNP Administration Tool

November 7th, 2008

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

  • Interactive shell with tab completion and command history
  • Passive and active discovery of UPNP devices
  • Customizable MSEARCH queries (query for specific devices/services)
  • Full control over application settings such as IP addresses, ports and headers
  • Simple enumeration of UPNP devices, services, actions and variables
  • Correlation of input/output state variables with service actions
  • Ability to send actions to UPNP services/devices
  • Ability to save data to file for later analysis and collaboration
  • Command logging

Miranda was built on and for a Linux system and has been tested on a Linux 2.6 kernel with Python 2.5. However, since it is written in Python, most functionality should be available for any Python-supported platform. Miranda has been tested against IGDs from various vendors, including Linksys, D-Link, Belkin and ActionTec. All Python modules came installed by default on a Linux Mint 5 (Ubuntu 8.04) test system.

For more information about UPNP, visit the UPNP Forum. For information regarding UPNP vulnerabilities, see UPNP Hacks and GNUCitizen.

Download Miranda!

, ,

40 Responses to “Miranda UPNP Administration Tool”

  1. hake Says:

    Anyone using Miranda under Windows XP? Miranda.py won’t run because of unresolved references, e.g. IN.

    I installed ActivePython- Is there something in the Linux implementation that is missing in Windows? I’m not Python literate so perhaps I’m missing something.

    Miranda would be most useful to check router security for me and my friends who need UPNP enabled router operation for Live Messenger use.

  2. craig Says:


    I just tested Miranda out on a WinXP box. The IN module is not needed for Windows, so you could change the ‘import IN,urllib,urllib2′ line to read ‘import urllib,urllib2′. However, Windows apparently doesn’t have a readline module either (gah!), which Miranda uses for its command shell. I tried a “windows alternative” readline module, but it doesn’t support tab completion correctly and seems to hang.

    We’ll keep working on this and hopefully have something working in Windows by tomorrow; stay posted.

  3. hake Says:

    Thanks Craig. I will look out for your mods. Miranda looks like a most useful tool. The subject of UPNP security in routers is almost completely elusive. Hardly anyone knows anything about it. Raise the issue in forums and the result is silence.

    It will be fascinating to test my preferred router boxes (BT Voyager 2100 and Viking chipped Solwise SAR110 and SmartAX MT882) with your software.

    My present defence is based on blocking the IP address of the router (using Agnitum Outpost Firewall Pro and the associated BlockPost plugin) and extremely strong password.

  4. cheffner Says:


    OK, so this took a little longer than expected. Your particular error can be resolved by removing the IN module from the imports, but it appears that Windows also does not have a readline module (which is used to do the tab completion and get user input). I tried a readline Windows alternative (http://newcenturycomputers.net/projects/readline.html), but tab completion does not work and it seems to hang when performing the msearch/pcap commands. You can try it out if you want, but until we find a decent readline alternative, you might want to use one of the shareware UPNP tools available for Windows. I haven’t used any of them, so I can’t vouch for them personally.

    FYI, we have had reports that Miranda works fine in Mac OSX 10.

  5. sm Says:

    Just used the tool in Windows XP.

    For readline installed module from here:

    Then it needed win32con, and I installed module form here:

    Now testing …

  6. craig Says:

    Thanks a lot for the suggestions sm; the readline from UNC tools that you linked to seems to work better than the one that I initially tried, but still not 100%. It tab completes properly on some commands but not others, and it still seems to hang when you run the msearch or pcap commands. This likely is a readline issue as well, since the cmdCompleter class is updated with new info when new hosts are discovered. I’ll have to look into it a little deeper…

  7. Miranda - UPNP Administration and Audit Tool » IHackedThisBox Blog Says:

    [...] To keep updated with the tool visit the project’s homepage at: http://www.sourcesec.com/2008/11/07/miranda-upnp-administration-tool/ [...]

  8. philobyte Says:

    trying to figure out how a droboshare upnp works…
    nmap shows port is open, but when I do msearch it doesn’t
    show up. any idea ?

    oot@tough:/home/peter/python/miranda# nmap droboshare

    Starting Nmap 4.76 ( http://nmap.org ) at 2009-02-16 22:29 EST
    Interesting ports on droboshare.bsqt.homeip.net (
    Not shown: 995 closed ports
    22/tcp open ssh
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    5000/tcp open upnp
    5001/tcp open commplex-link
    MAC Address: 00:1A:62:00:01:36 (Data Robotics, Incorporated)

    Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds

  9. philobyte Says:

    more data:

    mnt/DroboShares/Drobo01/slash $ tcpdump -A host pepino
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on egiga0, link-type EN10MB (Ethernet), capture size 96 bytes

    01:41:33.983337 IP pepino.bsqt.homeip.net.50571 > droboshare.bsqt.homeip.net.5001: Flags [P.], ack 1052872291, win 261, length 16
    01:41:33.984407 IP droboshare.bsqt.homeip.net.5001 > pepino.bsqt.homeip.net.50571: Flags [.], ack 16, win 1728, length 0
    01:41:34.014391 IP pepino.bsqt.homeip.net.60351 > UDP, length 18
    01:41:34.014460 IP pepino.bsqt.homeip.net.60350 > UDP, length 18
    01:41:38.983181 IP pepino.bsqt.homeip.net.50571 > droboshare.bsqt.homeip.net.5001: Flags [P.], ack 1, win 261, length 16

    Is there an email list somewhere?

  10. craig Says:

    @ philobyte:

    The standard UPNP port is port 1900, which is the port that Miranda uses by default. You can change the socket (multicast IP address and port number) interactively inside the Miranda shell:

    upnp> seti socket

    Note that if droboshare is using a port other than 1900, they might also be using a different multicast IP as well. You might also try putting in the droboshare IP address as well ( from what you’ve provided).

  11. rayv5n Says:

    First off! Miranda rocks! I came across this tool because I’m seeing SSDP/UPnP more in more in corporate environments. I’ve always wanted to explore UPnP but never had the time. :D

    I’m not sure this is the right place to post this? Please let me know if not?

    If so I’m having a bit of a problem querying actions.
    running on Linux 2.6 with python 2.5 I get a “Caught main exception: ChosenAction” every time I attempt to get info on an action. Enabling debug hasn’t helped much, can anyone point me in the right direction to solving this problem?

    upnp> host info 1 deviceList MediaServer services ContentDirectory “Browse”

    running tcpdump dump show that the request above got a response but Miranda exits with out displaying the information.

    HTTP/1.1 200 OK
    Date: 3 Mar 2009 14:55:43
    Server: Linux, UPnP/1.0, MythTv 0.20.20070821-1
    Accept-Ranges: bytes
    Cache-Control: no-cache=”Ext”, max-age = 5000
    User-Agent: redsonic
    Connection: Keep-Alive
    Content-Type: text/xml
    Content-Length: 7708




    ………. Really long data return…..

  12. rayv5n Says:

    ooops sorry


    …………. Really long data return

  13. craig Says:


    Glad you find it useful! As to the exception you’re encountering, it’s probably due to the quotes around the word “Browse” (Miranda doesn’t expect quotes here, which is a bug that should be fixed). Any reason you’re quoting that word though?

    Miranda hasn’t been tested against MythTV. I assume that it is returning valid XML and the blog content filter striped out the brackets from your post, but if you are still having trouble, it would help immensely if you could email us (dev [at] sourcesec.com) any of the tcpdump data and XML files, or save the Miranda data to a file and send us that:

    upnp> save data

    We’d appreciate it!

  14. rayv5n Says:

    This is one for the FAQ sheet

    I’m an idiot! I was using the tool incorrectly. This is what I should have done.

    host info 1 deviceList MediaServer services ContentDirectory actions Browse arguments UpdateID

    What I did was swap actions with Browse showing that I didn’t clearly understand the protocol :D

    Now that I know I’ll be glad to send you data from all of the UPnP systems I have on my network. BTW where I noticed SSDP running was on a Enterprise Linksys SRW2024P Gig switch. Of course I’ll send what I have on it if you like as well.

    Thanks again for your help!

  15. craig Says:

    “I’m an idiot!”

    Haha, I wrote the tool and didn’t catch that in your above post, so don’t feel bad. :)

    I would *love* to get any UPnP data that you are willing to send – the SRW2024P sounds especially interesting…

  16. csbac Says:

    I needed some functionality to automatically create PortMappings, so, I added parsing code for additional arguments to the miranda.py script.

    — miranda.py.orig 2009-03-15 13:51:03.000000000 +0100
    +++ miranda.py 2009-03-15 13:58:37.000000000 +0100
    @@ -1065,11 +1065,15 @@
    #Send SOAP requests
    index = False
    inArgCounter = 0
    - if argc != 6:
    + #sbr: allow to pass arguments to the call
    + numReqArgs = 6
    + if argc 0:
    + arg = argv[numReqArgs+extraArgsUsed]
    + print “Using “, arg, ” for “, argName
    + sendArgs[argName] = (arg,stateVar['dataType'])
    + extraArgsUsed += 1
    + else:
    print “Required argument:”
    print “\tArgument Name: “,argName
    print “\tData Type: “,stateVar['dataType']

  17. csbac Says:

    Sorry – writing the patch into the comment did not work … there are some more than the lines shown. < broke the formatting, of course …
    I posted it in my own blog, instead …

    Have fun,

  18. craig Says:

    Very cool patch csbac! Definitely a useful feature; we’ll be sure to add it to the next release of Miranda. FYI, we’ve put Miranda up on Google Code, so be sure to check there for new releases: http://code.google.com/p/mirandaupnptool/ .

  19. avi_cool Says:

    HI ,
    Can anyone help me in this. I have a laptop where i have installed ubuntu that works in Windows through virtual box.
    Now i am trying to run Miranda under ubuntu ,but it does,t shows anything.ALl it shows is

    “Entering discovery mode for ‘upnp:rootdevice’, Ctl+C to stop… ”

    I have a wireless router and i am wirelessely connected to router through laptop.THe upnp is enabled in router and when i run a toll called UPNP tester in my windows it shows my router but when i wsitch to ubuntu the mirands does,nt detect anything.
    I took my laptop to a different place wherein we had the axis camera,the similar thing happened there,THe upnp tester in windows work and detects the camera but not miranada in ubuntu.

    NOte : i am able to go online through ubuntu>

    Please help if anyone has any suggestion,Is this happening as Ubuntu is running inside WIndows?
    THanks in advance

  20. craig Says:


    I would suspect that this is an issue with running Miranda in the VM. What are your network configurations for VirtualBox? By default VirtualBox puts hosts on their own little subnet, so your Ubuntu VM is probably not getting the multicast UPnP traffic routed to it.

    I would run Wireshark on both the Windows host and the Ubuntu VM. If you can see the UPnP traffic (labeled as SSDP traffic by Wireshark) while running Wireshark inside of Ubuntu, then it’s likely a bug in Miranda. If not, then the UPnP traffic is never getting to the Ubuntu box, likely due to the VM network configuration.

  21. gejohpcoigi Says:

    uZSbgw rjzmmouizpzi, [url=http://wledszidonwy.com/]wledszidonwy[/url], [link=http://qiwajdiosygg.com/]qiwajdiosygg[/link], http://zbrbhbohtikt.com/

  22. Степан Макаров Says:

    Любопытно, а есть хоть кто-то, кто не согласен с автором? :)

  23. NAT router, I’ve breached through you! « technocake.net Says:

    [...] Last ned miranda! [...]

  24. Linux Shared Hosting Says:

    I agree with everything that was posted in this article, I’m a loyal follower so please keep updating so often!

  25. Universal Plug and Play (UPnP) Hacking Says:

    [...] [...]

  26. Flávio Says:

    Hey, im trying to use it on Windows and i’ve already installed the alternative version of readline. Took of the IN too, but when i ask the command line to msearch the console hangs and doesn’t find my router. On my Ubuntu linux everything works very well.

    Can some1 help me on this issue?

  27. Carlo Dentremont Says:

    20. I really copy your article and i sent it to my buddy because it is rather pertinent to her and that i think about your article as one of my preferred among my lists.

  28. vpn Says:

    I am not really sure if best practices have emerged around things like that, but I am sure that your great job is clearly identified. I was wondering if you offer any subscription to your RSS feeds as I would be very interested and can?t find any link to subscribe here.

  29. Sex shop Says:

    Hi, I browse your site for a long time and I’m honored that I can visit it. I would like to commend my site Sex Shop , which was created for my friends who buy such things.

  30. graphic design careers Says:

    You actually dealt with several curious points here. I came across this article by searching Bing and I must confess that I already subscribed to the blog, it is extremely good :D

  31. Murray Dunlop Says:

    I am impressed with these thought provoking concepts. What other vendors deal with Miranda? best blender

  32. rift platinum Says:

    Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can’t wait to read lots of your posts
    rift platinum

    rift plat

  33. cheap maxi dresses Says:

    Resources this kind of as the one you mentioned here will be extremely useful to myself! I will publish a hyperlink to this web page on my personal weblog. I am positive my site site visitors will find that quite effective.

  34. dentist in monroeville pa Says:

    An intriguing discussion is worth mention. I judge that you should make solon on this subject, it power not be a inhibition matter but generally people are not enough to speak on specified topics.

  35. Burton Haynes Says:

    That’s a great post. Thank you so much.

  36. Betting Systems Says:


    [...]Nice blog here! Also your website a lot up fast![...]…

  37. PenTest – Listado de Herramientas con Links | Seguridad Etica Says:

    [...] miranda [...]

  38. Dalton Sempertegui Says:

    Hi, As a RW new user your advice and tips on SEO for RW are very much greatly appreciated, thank you for the informative and clear advice you have provided.

  39. Tools list for PenTesting – Description and Links | Security & Ethic Says:

    [...] miranda [...]

  40. seo Says:

    This details actually helped me

Leave a Reply