Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.

Goto Port 4988
Probe Port 5000
Enter Port: 0-65535
Goto Port 5001

Port Authority Database

Port 5000


Universal Plug N' Play Event

This TCP port is opened and used by Universal Plug N' Play (UPnP) devices to accept incoming connections from other UPnP devices. UPnP devices connect to each other using TCP protocol over port 5000.

Related Ports: 

Background and Additional Information:

The Universal Plug N' Play (UPnP) system operates over two ports: UDP/1900 and TCP/5000.

UDP protocol is used over Port 1900 because the UDP protocol supports a "broadcast semantics" which allows a single UPnP announcement message to be received and heard by all devices listening on the same sub-network. TCP, being inherently a point-to-point connection-oriented protocol, does not support message broadcasts.

When UPnP devices wish to announce themselves, or "shout out" to find out what other UPnP devices are hanging around on the network, they issue a UDP message aimed at port 1900 of the special IP address []. This special "multicast" broadcast address has been set aside for UPnP devices and will be received by all of them listening on UDP port 1900.

After such an announcement broadcast is made, any devices wishing to reply or respond to the broadcaster initiate a TCP connection to the broadcaster's TCP port 5000. The devices then engage in a dialog to meet their needs.

As you can see, UPnP enabled devices will be opening and listening on UDP port 1900 and TCP port 5000.

It is probably worth mentioning that, here again, Microsoft's exposed UPnP Internet servers were found to have remotely exploitable unchecked buffers that would allow, in principle, remote malicious hackers to commandeer Windows ME or XP computers. Microsoft quickly issued a patch to fix this known vulnerability, but since there might well be others, and since unused Internet servers and services should not be left running of they are not actively needed, I wrote a quick, simple, and small 22 kbyte utility which allows the Universal Plug N' Play servers in Windows ME and XP to be easily started, stoped, and semi-permanently deactivated (until they are possibly needed at some future time.)

Please see our UnPnP page for more details.

Trojan Sightings: Back Door Setup, BioNet Lite, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page