SSH into the device
On a router, you will definitely want to disable it on the WAN interface. If you are using Ubiquiti's cloud management you will need to verify that it works after making this change.
SSH into the device
To look at what the discover sends out, you can use the following commands. No authentication is required to get the output. As with all network devices, you should use a dedicated management vlan and ACL it off so that only authorized stations can access the management interface.
This is from a NanoStation 5 AC loco in my lab. It has the following settings:
- SSID - death2all
- firmware version - WA.v220.127.116.11842.190109.1449.bin
- Device name - Office
Explanation of the Linux commands
echo the STRING(s) to standard output.
-n do not output the trailing newline
-e enable interpretation of backslash escapes
Socat is like the cat command but it can transfer data between two locations instead of just from a file to stdout.
- Write to stdout
From the man page - The hexdump utility is a filter which displays the specified files, or the standard input, if no files are specified, in a user specified format.
-C Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters.
To look for multiple devices, you can use this simple loop. Change the IP to match your network.
Look for outdated or mismatched firmwareI find this useful on customer networks. It lets me quickly check for outdated or mismatched firmware versions.
There is an Nmap script for Ubiquiti Discovery - ubiquiti-discovery.nse. It pulls down more information than the bash script and will work on Windows. The home page for the script is here.
You will need to download two files from the nmap repository:
Save tableaux.lua to c:\Program Files (x86)\nselib
Save ubiquiti-discovery.nse to c:\Program Files (x86)\scripts
On Linux, as root
Save tableaux.lua to /usr/share/nmap/nselib
Save ubiquiti-discovery.nse to /usr/share/nmap/scripts
On Linux, If you want to compare the firmware of more than one device:
Remember, as always, only run discovery scripts on networks you have explicit permission on.
ReferencesUnderstanding Ubiquiti Discovery Service Exposures
Rapid7 Sonar Project
Understanding UDP Amplification Vulnerabilities
Add Metasploit module to discover Ubiquiti devices
UDP broadcasts on port 10001 - Ubiquiti KB on disabling discovery protocol
EdgeRouter - Ubiquiti Device Discovery - Ubiquiti KB on disabling discovery protocol on routers
Security Now show notes - Search for ubiquiti
hexdump command in Linux with examples
socat: The General Bidirectional Pipe Handler
Source Code Beautifier - Used to create the code blocks in this blog
Shodan - Search Engine for the Internet of Things