Full disclosure: I wrote this tool, so I might be a bit biased. 

If you've been following along with GNUCitizen over the past year, you've no doubt heard about their foray into UPNP attacks. I wanted to test some of my own devices against UPNP, but was discouraged by the lack of good UPNP utilities, especially for Linux.

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

    * Interactive shell with tab completion and command history
    * Passive and active discovery of UPNP devices
    * Customizable MSEARCH queries (query for specific devices/services)
    * Full control over application settings such as IP addresses, ports and headers
    * Simple enumeration of UPNP devices, services, actions and variables
    * Correlation of input/output state variables with service actions
    * Ability to send actions to UPNP services/devices
    * Ability to save data to file for later analysis and collaboration
    * Command logging

So far I've tested it in Linux (though, being Python, most functionality should be available in other platforms as well) against Linksys, D-Link, Belkin and ActionTec routers with some very interesting results.

More on UPNP hacking can be found at http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play and http://www.upnp-hacks.org

You can check out Miranda here: http://www.sourcesec.com/2008/11/07/miranda-upnp-administration-tool/