Friday, February 8, 2019

Ubiquiti Discovery Protocol - Find the firmware version, SSID and model

Ubiquiti devices listen on UDP port 10001 so that other Ubiquiti devices and management tools can auto-discover them. If you are hard-coding IPs and managing the devices individually, you can disable the discovery service. The references below include two Ubiquiti KBs on the subject. On an EdgeOS device (EdgeRouter) the commands are:

SSH into the device

ssh <username>@IP-Address
configure
set service ubnt-discover interface <interface-name> disable
commit
save

On a router, you will definitely want to disable it on the WAN interface. If you are using Ubiquiti's cloud management, verify that it still works after making this change. After the commit, re-run the socat probe further down this page against the interface you disabled and confirm that no reply comes back.

To see what the discovery service sends back, you can use the following commands. No authentication is required to get this output: anyone who can reach UDP port 10001 gets the firmware version, hostname, SSID and model. As with all network devices, you should put management on a dedicated VLAN and ACL it off so that only authorized stations can reach the management interface.

This is from a NanoStation 5 AC loco in my lab. It has the following settings:

  • SSID - death2all
  • firmware version - WA.v8.5.11.39842.190109.1449.bin
  • Device name - Office

echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:192.168.10.50:10001 - | hexdump -C
00000000  01 00 00 9b 01 00 06 fc  ec da c4 6e 55 02 00 0a  |...........nU...|
00000010  fc ec da c4 6e 55 c0 a8  0a 32 02 00 0a fc ec da  |....nU...2......|
00000020  c4 6e 55 a9 fe 6e 55 03  00 23 57 41 2e 61 72 39  |.nU..nU..#WA.ar9|
00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
00000040  32 2e 31 39 30 31 30 39  2e 31 34 34 39 0a 00 04  |2.190109.1449...|
00000050  00 00 38 69 0b 00 06 4f  66 66 69 63 65 0c 00 03  |..8i...Office...|
00000060  4e 35 4c 0d 00 09 64 65  61 74 68 32 61 6c 6c 0e  |N5L...death2all.|
00000070  00 01 03 10 00 02 e7 fa  13 00 06 fc ec da c4 6e  |...............n|
00000080  55 14 00 14 4e 61 6e 6f  53 74 61 74 69 6f 6e 20  |U...NanoStation |
00000090  35 41 43 20 6c 6f 63 6f  18 00 04 00 00 00 00     |5AC loco.......|

Explanation of the Linux commands


Echo
echo the STRING(s) to standard output.
       -n     do not output the trailing newline
       -e     enable interpretation of backslash escapes

socat
Socat is like the cat command, but it transfers data between two locations (here stdio and a UDP socket) instead of just from a file to stdout.
-t     Timeout in seconds: once one side closes (stdin hits EOF as soon as echo finishes), socat waits this long for the UDP reply before exiting. Without it the command can exit before the device answers.
-      STDIO: read the request from stdin and write the reply to stdout

hexdump
From the man page - The hexdump utility is a filter which displays the specified files, or the standard input, if no files are specified, in a user specified format.
-C     Canonical hex+ASCII display.  Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters.

To look for multiple devices, you can use this simple loop. Change the IP to match your network.


for ip in 192.168.10.{50..51}
do
    echo "------ ${ip} ------"
    echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:${ip}:10001 - | hexdump -C
done

------ 192.168.10.50 ------
00000000  01 00 00 9a 01 00 06 fc  ec da c4 6e 55 02 00 0a  |...........nU...|
00000010  fc ec da c4 6e 55 c0 a8  0a 32 02 00 0a fc ec da  |....nU...2......|
00000020  c4 6e 55 a9 fe 6e 55 03  00 22 57 41 2e 61 72 39  |.nU..nU.."WA.ar9|
00000030  33 34 78 2e 76 38 2e 35  2e 38 2e 33 38 38 34 35  |34x.v8.5.8.38845|
00000040  2e 31 38 30 39 31 38 2e  31 30 31 36 0a 00 04 00  |.180918.1016....|
00000050  af 11 86 0b 00 06 4f 66  66 69 63 65 0c 00 03 4e  |......Office...N|
00000060  35 4c 0d 00 09 64 65 61  74 68 32 61 6c 6c 0e 00  |5L...death2all..|
00000070  01 03 10 00 02 e7 fa 13  00 06 fc ec da c4 6e 55  |..............nU|
00000080  14 00 14 4e 61 6e 6f 53  74 61 74 69 6f 6e 20 35  |...NanoStation 5|
00000090  41 43 20 6c 6f 63 6f 18  00 04 00 00 00 00        |AC loco.......|
0000009e

------ 192.168.10.51 ------
00000000  01 00 00 9b 01 00 06 fc  ec da c4 77 0b 02 00 0a  |...........w....|
00000010  fc ec da c4 77 0b c0 a8  0a 33 02 00 0a fc ec da  |....w....3......|
00000020  c4 77 0b a9 fe 77 0b 03  00 23 57 41 2e 61 72 39  |.w...w...#WA.ar9|
00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
00000040  32 2e 31 39 30 31 30 39  2e 31 34 34 39 0a 00 04  |2.190109.1449...|
00000050  00 00 08 29 0b 00 06 47  61 72 61 67 65 0c 00 03  |...)...Garage...|
00000060  4e 35 4c 0d 00 09 64 65  61 74 68 32 61 6c 6c 0e  |N5L...death2all.|
00000070  00 01 02 10 00 02 e7 fa  13 00 06 fc ec da c4 77  |...............w|
00000080  0b 14 00 14 4e 61 6e 6f  53 74 61 74 69 6f 6e 20  |....NanoStation |
00000090  35 41 43 20 6c 6f 63 6f  18 00 04 00 00 00 00     |5AC loco.......|
0000009f

Look for outdated or mismatched firmware

I find this useful on customer networks. It lets me quickly check for outdated or mismatched firmware versions. The grep works because the "v" of the version string lands in hexdump's ASCII column (the hex and offset columns never contain a "v"); a hostname or SSID containing a "v" will match too, so read the lines rather than just counting them.


for ip in 192.168.10.{50..51}
do
    echo "------ ${ip} ------"
    echo -ne "\x01\x00\x00\x00" | socat -t 1 udp:${ip}:10001 - | hexdump -C | grep v
done

------ 192.168.10.50 ------
00000030  33 34 78 2e 76 38 2e 35  2e 38 2e 33 38 38 34 35  |34x.v8.5.8.38845|
------ 192.168.10.51 ------
00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
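As far as the captures on this page show, a reply is a 4-byte header (0x01, 0x00, then a 16-bit big-endian payload length) followed by tag/length/value records, which is why the firmware string, hostname, SSID and model show up as readable runs in the ASCII column. The decoder below is an added example written for this page; it is not code from the original post, from Ubiquiti or from the Nmap script. It reads the two hexdump -C captures from the loop above back into bytes, decodes the records using the field names that the nmap output further down prints (tags the page never names, 0x0e, 0x10 and 0x18, are kept as raw hex rather than guessed), and then does properly what the grep v loop approximates: it lists every device that is behind the newest firmware seen. The TEXT_TAGS table, the probe() helper and the report layout are my own assumptions, not Ubiquiti's or Nmap's.

```python
"""Decode Ubiquiti discovery (UDP/10001, protocol v1) replies and compare firmware.
Added example for this page, not code from the original post, Ubiquiti or Nmap.
Header/TLV layout is read off the page's hexdumps; field names follow the
ubiquiti-discovery.nse output on the page; unnamed tags are kept as raw hex."""
import re
import socket
import struct

PROBE = b"\x01\x00\x00\x00"  # the request the page sends with echo -ne | socat
TEXT_TAGS = {0x03: "firmware", 0x0B: "hostname", 0x0C: "product",
             0x0D: "essid", 0x14: "model"}  # names as printed by the nmap script

def from_hexdump(text: str) -> bytes:
    """Turn `hexdump -C` output (pasted from the captures above) back into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        fields = line.split("|", 1)[0].split()     # drop the ASCII column
        out += bytes.fromhex("".join(fields[1:]))  # fields[0] is the offset
    return bytes(out)

def parse_discovery(data: bytes) -> dict:
    """Decode one reply into a dict; raise ValueError on anything malformed."""
    if len(data) < 4 or data[:2] != b"\x01\x00":
        raise ValueError("not a v1 discovery reply")
    (body_len,) = struct.unpack("!H", data[2:4])   # big-endian payload length
    if 4 + body_len != len(data):
        raise ValueError(f"length field says {body_len}, got {len(data) - 4} payload bytes")
    info = {"mac_addresses": [], "interface_to_ip": {}, "unknown": {}}
    pos = 4
    while pos < len(data):                         # each record: tag(1) length(2) value
        if pos + 3 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
        value = data[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError(f"tag 0x{tag:02x} claims {length} bytes, only {len(value)} left")
        pos += 3 + length
        if tag in (0x01, 0x13) and length == 6:    # MAC address
            mac = ":".join(f"{b:02x}" for b in value)
            if mac not in info["mac_addresses"]:
                info["mac_addresses"].append(mac)
        elif tag == 0x02 and length == 10:         # MAC + IPv4 of one interface
            mac = ":".join(f"{b:02x}" for b in value[:6])
            info["interface_to_ip"].setdefault(mac, []).append(socket.inet_ntoa(value[6:]))
        elif tag == 0x0A and length == 4:          # uptime in seconds, big-endian
            (info["uptime_seconds"],) = struct.unpack("!I", value)
        elif tag in TEXT_TAGS:
            info[TEXT_TAGS[tag]] = value.decode("utf-8", errors="replace")
        else:                                      # not named on the page: keep raw
            info["unknown"][f"0x{tag:02x}"] = value.hex()
    m = re.search(r"v\d+\.\d+\.\d+", info.get("firmware", ""))
    info["version"] = m.group(0) if m else None    # "v8.5.11", as nmap derives it
    return info

def firmware_report(replies: dict) -> dict:
    """replies: ip -> raw reply bytes.  Flags every device behind the newest version seen."""
    parsed = {ip: parse_discovery(raw) for ip, raw in replies.items()}
    versions = {ip: p["version"] for ip, p in parsed.items() if p["version"]}
    newest = max(versions.values(), key=lambda v: tuple(map(int, v[1:].split(".")))) if versions else None
    return {"newest": newest,
            "devices": {ip: (p.get("hostname"), p.get("firmware")) for ip, p in parsed.items()},
            "outdated": sorted(ip for ip, v in versions.items() if v != newest)}

def probe(host: str, timeout: float = 1.0) -> dict:
    """Send the request to one device and decode its reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(PROBE, (host, 10001))
        data, _ = s.recvfrom(4096)
    return parse_discovery(data)

# Both replies captured by the loop above, pasted verbatim from this page.
REPLY_50 = """
00000000  01 00 00 9a 01 00 06 fc  ec da c4 6e 55 02 00 0a  |...........nU...|
00000010  fc ec da c4 6e 55 c0 a8  0a 32 02 00 0a fc ec da  |....nU...2......|
00000020  c4 6e 55 a9 fe 6e 55 03  00 22 57 41 2e 61 72 39  |.nU..nU.."WA.ar9|
00000030  33 34 78 2e 76 38 2e 35  2e 38 2e 33 38 38 34 35  |34x.v8.5.8.38845|
00000040  2e 31 38 30 39 31 38 2e  31 30 31 36 0a 00 04 00  |.180918.1016....|
00000050  af 11 86 0b 00 06 4f 66  66 69 63 65 0c 00 03 4e  |......Office...N|
00000060  35 4c 0d 00 09 64 65 61  74 68 32 61 6c 6c 0e 00  |5L...death2all..|
00000070  01 03 10 00 02 e7 fa 13  00 06 fc ec da c4 6e 55  |..............nU|
00000080  14 00 14 4e 61 6e 6f 53  74 61 74 69 6f 6e 20 35  |...NanoStation 5|
00000090  41 43 20 6c 6f 63 6f 18  00 04 00 00 00 00        |AC loco.......|"""
REPLY_51 = """
00000000  01 00 00 9b 01 00 06 fc  ec da c4 77 0b 02 00 0a  |...........w....|
00000010  fc ec da c4 77 0b c0 a8  0a 33 02 00 0a fc ec da  |....w....3......|
00000020  c4 77 0b a9 fe 77 0b 03  00 23 57 41 2e 61 72 39  |.w...w...#WA.ar9|
00000030  33 34 78 2e 76 38 2e 35  2e 31 31 2e 33 39 38 34  |34x.v8.5.11.3984|
00000040  32 2e 31 39 30 31 30 39  2e 31 34 34 39 0a 00 04  |2.190109.1449...|
00000050  00 00 08 29 0b 00 06 47  61 72 61 67 65 0c 00 03  |...)...Garage...|
00000060  4e 35 4c 0d 00 09 64 65  61 74 68 32 61 6c 6c 0e  |N5L...death2all.|
00000070  00 01 02 10 00 02 e7 fa  13 00 06 fc ec da c4 77  |...............w|
00000080  0b 14 00 14 4e 61 6e 6f  53 74 61 74 69 6f 6e 20  |....NanoStation |
00000090  35 41 43 20 6c 6f 63 6f  18 00 04 00 00 00 00     |5AC loco.......|"""

if __name__ == "__main__":
    report = firmware_report({"192.168.10.50": from_hexdump(REPLY_50),
                              "192.168.10.51": from_hexdump(REPLY_51)})
    print(report)
```

Run as-is it reports v8.5.11 as the newest version and flags 192.168.10.50 (Office, still on v8.5.8 in that capture) as outdated; on a live network call probe() for each address instead of pasting dumps. The parser refuses a reply whose length field disagrees with the datagram size or whose last record runs past the end, so a malformed or truncated reply raises ValueError instead of yielding half a record.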

Nmap
There is an Nmap script for Ubiquiti Discovery, ubiquiti-discovery.nse. It decodes more of the reply than the bash script and works on Windows. The script's home page is in the NSEDoc section of nmap.org.

The script is newer than the Nmap 7.60 release used below, so you will need to download two files from the nmap repository (tableaux.lua is a library the script depends on). Check first with nmap --script-help ubiquiti-discovery: if that prints the script's documentation, your Nmap already ships it and you can skip this step.

On Windows
Save tableaux.lua to c:\Program Files (x86)\Nmap\nselib
Save ubiquiti-discovery.nse to c:\Program Files (x86)\Nmap\scripts

On Linux, as root
Save tableaux.lua to /usr/share/nmap/nselib
Save ubiquiti-discovery.nse to /usr/share/nmap/scripts

sudo nmap -sU -p 10001 --script ubiquiti-discovery.nse -oG ubnt 192.168.10.50

Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-10 22:16 PST
Nmap scan report for 192.168.10.50
Host is up (0.0027s latency).

PORT      STATE SERVICE
10001/udp open  ubiquiti-discovery
| ubiquiti-discovery: 
|   protocol: v1
|   firmware: WA.ar934x.v8.5.11.39842.190109.1449
|   version: v8.5.11
|   uptime_seconds: 196320
|   uptime: 2 days 06:32:00
|   hostname: Office
|   product: N5L
|   essid: death2all
|   model: NanoStation 5AC loco
|   interface_to_ip: 
|     fc:ec:da:c4:6e:55: 
|       192.168.10.50
|       169.254.110.85
|   mac_addresses: 
|_    fc:ec:da:c4:6e:55
MAC Address: FC:EC:DA:C4:6E:55 (Ubiquiti Networks)
Service Info: OS: Linux

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

On Linux, if you want to compare the firmware of more than one device:

sudo nmap -sU -p 10001 --script ubiquiti-discovery.nse -oG ubnt 192.168.10.50-51 | grep firmware
|   firmware: WA.ar934x.v8.5.11.39842.190109.1449
|   firmware: WA.ar934x.v8.5.11.39842.190109.1449


Remember, as always, only run discovery scripts on networks you have explicit permission on.


References

Understanding Ubiquiti Discovery Service Exposures
Rapid7 Sonar Project
Understanding UDP Amplification Vulnerabilities
Add Metasploit module to discover Ubiquiti devices
UDP broadcasts on port 10001 - Ubiquiti KB on disabling discovery protocol
EdgeRouter - Ubiquiti Device Discovery - Ubiquiti KB on disabling discovery protocol on routers
Security Now show notes - Search for ubiquiti
hexdump command in Linux with examples
socat: The General Bidirectional Pipe Handler
Source Code Beautifier - Used to create the code blocks in this blog
Shodan - Search Engine for the Internet of Things
