Looking at CallStranger with Zeek in CloudShark

2 min read

Last month we learned about a new vulnerability dubbed “CallStranger” which shows how UPnP can be used to exfiltrate data and perform DDoS amplification attacks. Billions of devices are vulnerable.

Essentially, an attacker can use the UPnP SUBSCRIBE mechanism to force a device to connect to an arbitrary URL.

The folks over at Corelight put together a Zeek plugin which is capable of detecting attempts at exploiting this vulnerability. They have a fantastic writeup we recommend reading to learn more.

Taking it for a spin

We loaded up their plugin in CloudShark’s new Zeek Logs analysis tool and took it for a spin! In order to create some network traffic of an attempt at exploiting the vulnerability, Tom used the published Proof-of-Concept tool to poke at a Sonos speaker on his network and take this capture.

Using our new Zeek Logs analysis tool in CloudShark we can see the new Notice entry that the Corelight plugin is creating!

Look at the Zeek Log in CloudShark

Take a moment to look around CloudShark at the other Zeek logs that are created.

Get back to the packets

In the log view, clicking on a row will open a dialog with all the details for that row. From there you can click on the “View Packets” button to expose the raw packets related to that Zeek notice! You can also jump straight to the Follow Stream here.


What did we learn? UPnP is bad, Zeek is good, and CloudShark brings you the tools to understand network traffic and communicate your findings.

Have an awesome day.

Photo by Nick Fewings on Unsplash

Want articles like this delivered right to your inbox?

Sign up for our Newsletter

No spam, just good networking