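# ---- upnpScan.py ----
#!/usr/bin/env python
"""Command-line front end for the SSDP/UPnP discovery helpers in upnp_func.

Usage: upnpScan.py [passive | active] [target if active scan]

Written to run under both Python 2 and Python 3: print() is always called
with a single argument, and bytes/str handling is left to upnp_func.
"""
from scapy.all import *
from upnp_func import *
import sys
import os
import string


def intro():
    """Print the banner, centered on an 80-column terminal."""
    print("UPnP Config File Scanner".center(80))
    print("Author: St0rn\n".center(80))
    print("")


def clear():
    """Clear the terminal with the command appropriate for the host OS."""
    os.system('cls' if os.name == 'nt' else 'clear')


def usage(prog):
    """Print the usage line for *prog* and exit with a non-zero status.

    One shared message replaces the two diverging ones the script used to
    print; the second of them advertised keywords ("passiv"/"activ") that
    the dispatcher never accepted.
    """
    print("\nUsage: %s [passive | active] [target if activ scan]\n" % (prog))
    sys.exit(1)


def main(argv):
    """Dispatch to a passive or active scan according to *argv*.

    argv is a sys.argv-style list: argv[1] is the mode (case-insensitive
    "passive" or "active"), argv[2] the target for an active scan.  Any
    other shape prints usage and exits.
    """
    if len(argv) < 2:
        usage(argv[0])
    scanner = upnp()        # the original rebound the class name `upnp` to its instance
    mode = argv[1].lower()  # str.lower() exists on 2 and 3; string.lower() is 2-only
    if mode == "passive":
        intro()
        print("[+] Passive UPnP Scan, Waiting".center(80))
        scanner.passive_scan()
    elif mode == "active":
        if len(argv) < 3:
            usage(argv[0])
        intro()
        print("[+] Active UPnP Scan".center(80))
        scanner.active_scan(argv[2])
    else:
        # Previously an unrecognised mode fell through and did nothing.
        usage(argv[0])


if __name__ == "__main__":
    # Guarded so importing the module (e.g. from a test) does not clear the
    # terminal or start a scan.
    clear()
    try:
        main(sys.argv)
    except Exception as c:
        # The original `except c:` referenced an undefined name, so every
        # failure surfaced as a NameError traceback instead of this message.
        print("Error: %s\n" % c)
        sys.exit(1)


# ---- upnp_func.py ----
#!/usr/bin/env python
"""SSDP/UPnP discovery helpers built on scapy.

Both scans go through scapy's raw-socket layer (sniff() / sr1()) and will
normally need packet-capture privileges.
"""
from scapy.all import *
import random

SSDP_PORT = 1900


def _to_text(payload):
    """Return *payload* as printable text.

    scapy hands back bytes on Python 3 and str on Python 2; decode bytes
    leniently so a stray non-UTF-8 byte in an announcement cannot abort
    the scan.
    """
    if isinstance(payload, bytes):
        return payload.decode("utf-8", "replace")
    return payload


class upnp:
    """Passive (listen for NOTIFY) and active (M-SEARCH) SSDP discovery."""

    def passive_scan(self):
        """Sniff SSDP NOTIFY announcements sent to UDP/1900 and print each payload.

        Runs until the sniffer is interrupted.  A failure to start the
        sniffer (typically missing privileges) is reported and swallowed
        so the caller keeps control.
        """
        def upnp_sniff(p):
            if not (p.haslayer(UDP) and p.haslayer(Raw)):
                return
            if p[UDP].dport != SSDP_PORT:
                return
            payload = p[Raw].load
            # bytes literal: on Python 3 `load` is bytes and a str operand
            # would raise TypeError instead of matching.
            if b"NOTIFY *" in payload:
                print("\n\n" + _to_text(payload))

        try:
            # Filter at the capture layer so only SSDP traffic reaches the
            # callback; the dport test above remains as a second check.
            sniff(prn=upnp_sniff, filter="udp and dst port %d" % SSDP_PORT)
        except Exception as e:
            # Narrowed from a bare `except:`; include the cause so the user
            # can tell a privilege problem from a missing capture backend.
            print("\n[-] Can't launch sniffer :/ (%s)\n" % e)

    def active_scan(self, target, timeout=None):
        """Send one SSDP M-SEARCH to *target* and print the reply payload.

        target  -- destination host for the unicast M-SEARCH
        timeout -- seconds to wait for a reply, passed through to sr1();
                   None (the default) keeps the original behaviour of
                   waiting indefinitely.
        """
        req = 'M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:"ssdp:discover"\r\nMX:3\r\n\r\n'
        ip = IP(dst=target)
        # 65535 is the largest valid port; the original's upper bound of
        # 65536 could yield a source port outside the 16-bit range.
        udp = UDP(sport=random.randint(1, 65535), dport=SSDP_PORT)
        pck = ip / udp / req
        try:
            rep = sr1(pck, verbose=0, timeout=timeout)
        except Exception as e:
            print("\n[-] Can't send packet :/ (%s)\n" % e)
            return
        # sr1() returns None when nothing answers; indexing None used to
        # raise inside the try and be misreported as a send failure.
        if rep is None:
            print("\n[-] No reply from %s\n" % target)
        elif rep.haslayer(Raw):
            print("\n\n" + _to_text(rep[Raw].load))
        else:
            print("\n[-] Reply from %s carried no payload\n" % target)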
St0rn