The Shadowserver Foundation

Vulnerable NAT-PMP Device Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at port 5351/udp.

Exposed NAT-PMP services have the potential to expose information about a clients network without the client's knowledge.

These devices have the potential to be used by miscreants to conduct surveillance on the client's network and may possibly lead to compromise. If at all possible, we would like to see these devices made un-available to miscreants that would misuse them.

Information on these vulnerable devices has been incorporated into our reports and are being reported on a daily basis.

More information on this vulnerabilty can be found on CERT's website at: http://www.kb.cert.org/vuls/id/184540

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 5351/udp with two NULL characters (0x00) and capturing the response. We intend no harm, but if we are causing problems, please contact us at gro [tod] revfooreswodahs [ta] nacbarssnd

If you would like to test your own device to see if NAT-PMP is exposed, try the command: "nc -u [IP] 5351" and enter the control character ^@ [CTRL-@] twice. If indecipherable text appears, then your device probably has NAT-PMP exposed. If your system does not have the command "nc", it may also be called "netcat". If you would like to know what data is being returned, please take a look at RFC 6886 for hints on decoding the response.

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://natpmpscan.shadowserver.org/exclude.html

Useful Links

Scan Status

Statistics on current run

Other Statistics

Stats from the most current scan are listed below.


All Vulnerable NAT-PMP Devices

All NAT-PMP

(Click image to enlarge)

If you would like to see more regions click here

All Vulnerable NAT-PMP Devices

All NAT-PMP

(Click image to enlarge)



If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation