SSH into the device
    ssh <username>@IP-Address
    configure
    set service ubnt-discover interface <interface-name> disable
    commit
    save
On a router, you will definitely want to disable it on the WAN interface. If you are using Ubiquiti's cloud management you will need to verify that it works after making this change.
To look at what the discovery service sends out, you can use the following commands. No authentication is required to get the output. As with all network devices, you should use a dedicated management VLAN and ACL it off so that only authorized stations can access the management interface.
This is from a NanoStation 5 AC loco in my lab. It has the following settings:
- SSID - death2all
- firmware version - WA.v8.5.11.39842.190109.1449.bin
- Device name - Office
    echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:192.168.10.50:10001 - | hexdump -C
    00000000  01 00 00 9b 01 00 06 fc  ec da c4 6e 55 02 00 0a  |...........nU...|
    00000010  fc ec da c4 6e 55 c0 a8  0a 32 02 00 0a fc ec da  |....nU...2......|
    00000020  c4 6e 55 a9 fe 6e 55 03  00 23 57 41 2e 61 72 39  |.nU..nU..#WA.ar9|
    00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
    00000040  32 2e 31 39 30 31 30 39  2e 31 34 34 39 0a 00 04  |2.190109.1449...|
    00000050  00 00 38 69 0b 00 06 4f  66 66 69 63 65 0c 00 03  |..8i...Office...|
    00000060  4e 35 4c 0d 00 09 64 65  61 74 68 32 61 6c 6c 0e  |N5L...death2all.|
    00000070  00 01 03 10 00 02 e7 fa  13 00 06 fc ec da c4 6e  |...............n|
    00000080  55 14 00 14 4e 61 6e 6f  53 74 61 74 69 6f 6e 20  |U...NanoStation |
    00000090  35 41 43 20 6c 6f 63 6f  18 00 04 00 00 00 00     |5AC loco.......|
Explanation of the Linux commands
echo
Echo the STRING(s) to standard output.
-n do not output the trailing newline
-e enable interpretation of backslash escapes
socat
Socat is like the cat command but it can transfer data between two locations instead of just from a file to stdout.
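-t Timeout in seconds. Once one side reaches EOF, socat waits this long before exiting, which gives the UDP reply time to arrive (1 second here).
- Use stdio as the second address, so the device's reply is written to stdout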
hexdump
From the man page - The hexdump utility is a filter which displays the specified files, or the standard input, if no files are specified, in a user specified format.
-C Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters.
To look for multiple devices, you can use this simple loop. Change the IP to match your network.
    for ip in 192.168.10.{50..51}
    do
        echo "------ ${ip} ------"
        echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:$ip:10001 - | hexdump -C
    done

    ------ 192.168.10.50 ------
    00000000  01 00 00 9a 01 00 06 fc  ec da c4 6e 55 02 00 0a  |...........nU...|
    00000010  fc ec da c4 6e 55 c0 a8  0a 32 02 00 0a fc ec da  |....nU...2......|
    00000020  c4 6e 55 a9 fe 6e 55 03  00 22 57 41 2e 61 72 39  |.nU..nU.."WA.ar9|
    00000030  33 34 78 2e 76 38 2e 35  2e 38 2e 33 38 38 34 35  |34x.v8.5.8.38845|
    00000040  2e 31 38 30 39 31 38 2e  31 30 31 36 0a 00 04 00  |.180918.1016....|
    00000050  af 11 86 0b 00 06 4f 66  66 69 63 65 0c 00 03 4e  |......Office...N|
    00000060  35 4c 0d 00 09 64 65 61  74 68 32 61 6c 6c 0e 00  |5L...death2all..|
    00000070  01 03 10 00 02 e7 fa 13  00 06 fc ec da c4 6e 55  |..............nU|
    00000080  14 00 14 4e 61 6e 6f 53  74 61 74 69 6f 6e 20 35  |...NanoStation 5|
    00000090  41 43 20 6c 6f 63 6f 18  00 04 00 00 00 00        |AC loco.......|
    0000009e
    ------ 192.168.10.51 ------
    00000000  01 00 00 9b 01 00 06 fc  ec da c4 77 0b 02 00 0a  |...........w....|
    00000010  fc ec da c4 77 0b c0 a8  0a 33 02 00 0a fc ec da  |....w....3......|
    00000020  c4 77 0b a9 fe 77 0b 03  00 23 57 41 2e 61 72 39  |.w...w...#WA.ar9|
    00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
    00000040  32 2e 31 39 30 31 30 39  2e 31 34 34 39 0a 00 04  |2.190109.1449...|
    00000050  00 00 08 29 0b 00 06 47  61 72 61 67 65 0c 00 03  |...)...Garage...|
    00000060  4e 35 4c 0d 00 09 64 65  61 74 68 32 61 6c 6c 0e  |N5L...death2all.|
    00000070  00 01 02 10 00 02 e7 fa  13 00 06 fc ec da c4 77  |...............w|
    00000080  0b 14 00 14 4e 61 6e 6f  53 74 61 74 69 6f 6e 20  |....NanoStation |
    00000090  35 41 43 20 6c 6f 63 6f  18 00 04 00 00 00 00     |5AC loco.......|
    0000009f
Look for outdated or mismatched firmware
I find this useful on customer networks. It lets me quickly check for outdated or mismatched firmware versions.

    for ip in 192.168.10.{50..51}
    do
        echo "------ ${ip} ------"
        echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:$ip:10001 - | hexdump -C | grep v
    done

    ------ 192.168.10.50 ------
    00000030  33 34 78 2e 76 38 2e 35  2e 38 2e 33 38 38 34 35  |34x.v8.5.8.38845|
    ------ 192.168.10.51 ------
    00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
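Grepping the hexdump for "v" only shows the 16-byte row that happens to contain the version. As an added example (not part of the original post), this Python sketch decodes a captured reply field by field, using the bytes of the first NanoStation hexdump above. The header layout, the type-to-name mapping and the function name `parse_discovery` are assumptions, inferred by lining that hexdump up with the field names in the Nmap output on this page.

```python
import ipaddress
import struct

# Reply bytes copied from the first hexdump on this page (the "Office" NanoStation).
SAMPLE = bytes.fromhex("""
01 00 00 9b 01 00 06 fc ec da c4 6e 55 02 00 0a fc ec da c4 6e 55 c0 a8 0a 32 02 00 0a fc ec da
c4 6e 55 a9 fe 6e 55 03 00 23 57 41 2e 61 72 39 33 34 78 2e 76 38 2e 35 2e 31 31 2e 33 39 38 34
32 2e 31 39 30 31 30 39 2e 31 34 34 39 0a 00 04 00 00 38 69 0b 00 06 4f 66 66 69 63 65 0c 00 03
4e 35 4c 0d 00 09 64 65 61 74 68 32 61 6c 6c 0e 00 01 03 10 00 02 e7 fa 13 00 06 fc ec da c4 6e
55 14 00 14 4e 61 6e 6f 53 74 61 74 69 6f 6e 20 35 41 43 20 6c 6f 63 6f 18 00 04 00 00 00 00
""")

# Assumption: type -> name mapping inferred from the hexdump and the Nmap output.
TEXT_FIELDS = {0x03: "firmware", 0x0B: "hostname", 0x0C: "product",
               0x0D: "essid", 0x14: "model"}


def parse_discovery(data: bytes) -> dict:
    """Parse a v1 reply: 4-byte header, then type(1)/length(2, big-endian)/value records."""
    if len(data) < 4:
        raise ValueError("short header")
    version, _cmd, body_len = struct.unpack(">BBH", data[:4])
    if version != 1 or body_len != len(data) - 4:
        raise ValueError("bad version or length field")
    info = {"interface_to_ip": {}, "unknown": {}}
    pos = 4
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack(">BH", data[pos:pos + 3])
        value = data[pos + 3:pos + 3 + length]
        if len(value) != length:  # the reply is unauthenticated: never trust its lengths
            raise ValueError("TLV runs past end of packet")
        pos += 3 + length
        if tlv_type in TEXT_FIELDS:
            info[TEXT_FIELDS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == 0x0A and length == 4:
            info["uptime_seconds"] = struct.unpack(">I", value)[0]
        elif tlv_type == 0x02 and length == 10:  # 6-byte MAC followed by IPv4 address
            mac = value[:6].hex(":")
            ip = str(ipaddress.IPv4Address(value[6:]))
            info["interface_to_ip"].setdefault(mac, []).append(ip)
        else:
            info["unknown"][tlv_type] = value.hex()
    return info


if __name__ == "__main__":
    print(parse_discovery(SAMPLE))
```

Everything the parser returns is available to any host that can reach UDP port 10001 on the device, which is the reason for disabling the service or fencing it into the management VLAN.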
Nmap
There is an Nmap script for Ubiquiti Discovery - ubiquiti-discovery.nse. It pulls down more information than the bash script and will work on Windows. The home page for the script is here.
You will need to download two files from the nmap repository:
On Windows
Save tableaux.lua to c:\Program Files (x86)\nselib
Save ubiquiti-discovery.nse to c:\Program Files (x86)\scripts
On Linux, as root
Save tableaux.lua to /usr/share/nmap/nselib
Save ubiquiti-discovery.nse to /usr/share/nmap/scripts
    sudo nmap -sU -p 10001 --script ubiquiti-discovery.nse -oG ubnt 192.168.10.50

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-10 22:16 PST
    Nmap scan report for 192.168.10.50
    Host is up (0.0027s latency).

    PORT      STATE SERVICE
    10001/udp open  ubiquiti-discovery
    | ubiquiti-discovery:
    |   protocol: v1
    |   firmware: WA.ar934x.v8.5.11.39842.190109.1449
    |   version: v8.5.11
    |   uptime_seconds: 196320
    |   uptime: 2 days 06:32:00
    |   hostname: Office
    |   product: N5L
    |   essid: death2all
    |   model: NanoStation 5AC loco
    |   interface_to_ip:
    |     fc:ec:da:c4:6e:55:
    |       192.168.10.50
    |       169.254.110.85
    |   mac_addresses:
    |_    fc:ec:da:c4:6e:55
    MAC Address: FC:EC:DA:C4:6E:55 (Ubiquiti Networks)
    Service Info: OS: Linux

    Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
On Linux, if you want to compare the firmware of more than one device:

    sudo nmap -sU -p 10001 --script ubiquiti-discovery.nse -oG ubnt 192.168.10.50-51 | grep firmware
    |   firmware: WA.ar934x.v8.5.11.39842.190109.1449
    |   firmware: WA.ar934x.v8.5.11.39842.190109.1449
Remember, as always, only run discovery scripts on networks you have explicit permission on.