UPnP: change a router’s firewall rules from a client machine



Universal Plug and Play support is available on most modern wireless and DSL routers. Among other things, it allows client machines on the local network to remotely configure the router’s port forwarding, typically without authenticated access.

Adrian Crenshaw has a nice screencast that shows how to detect UPnP-capable devices on your network and how to use the PortForward utility in Windows to remotely configure port forwarding for routers on your LAN.

After looking at this, you’ll probably come to the conclusion that, while convenient, unauthenticated UPnP is pretty dangerous. It allows someone who has momentary access to your network to easily reconfigure your router to punch holes through its NAT firewall. This could be someone on your wireless network, or it could be as simple as a malicious program that you accidentally execute on your own machine.

Fortunately, most routers allow you to disable UPnP, and you should probably take advantage of this and turn off UPnP on your devices now.

UPnP Port Forwarding and Security Screencast – Link
UPNPScan – Link
UPNP PortForward (exe, source and documentation) – Link
