Ubiquiti AirMax – Set radio to use DHCP from command line

Gain access to radio via ssh

ssh ubnt@

open up the /tmp/system.cfg

vi /tmp/system.cfg

Delete the following line. To move the cursor to the following line and type “dd” and vi will delete the whole line.


Add the following 5 lines. Hit “i” to enter vi insert mode.
br0 should be correct interface in most scenarios.


Save the file by hitting esc and then “:wq” followed by Return/Enter

Save the config changes and reboot the radio so it pulls an address.

/usr/etc/rc.d/rc.softrestart save && reboot

Hydra – SSH Example

Hydra is a network login cracker. You’ll need a password list and username(s) to get started.

Install Hydra

sudo apt-get install -y hydra 

Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file

SSH Example

hydra -l ubnt -P password.lst ssh

Run hydra -h to get the full help.

Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
   -R        restore a previous aborted/crashed session
   -I        ignore an existing restore file (don't wait 10 seconds)
   -S        perform an SSL connect
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
   -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
   -y        disable use of symbols in bruteforce, see above
   -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
   -u        loop around users, not passwords (effective! implied with -x)
   -C FILE   colon separated "login:pass" format, instead of -L/-P options
   -M FILE   list of servers to attack, one entry per line, ':' to specify port
   -o FILE   write found login/password pairs to FILE instead of stdout
   -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
   -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
   -t TASKS  run TASKS number of connects in parallel per target (default: 16)
   -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
   -w / -W TIME  wait time for a response (32) / between connects per thread (0)
   -c TIME   wait time per login attempt over all threads (enforces -t 1)
   -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
   -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
   -O        use old SSL v2 and v3
   -q        do not print messages about connection errors
   -U        service module usage details
   -h        more command line options (COMPLETE HELP)
   server    the target: DNS, IP or (this OR the -M option)
   service   the service to crack (see below for supported protocols)
   OPT       some service modules support additional input (-U for module help)
 Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
 v3.0. The newest version is always available at http://www.thc.org/thc-hydra
 Don't use in military or secret service organizations, or for illegal purposes.
 These services were not compiled in: afp ncp oracle sapr3.
 Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
 E.g. % export HYDRA_PROXY=socks5://l:p@ (or: socks4:// connect://)
      % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
      % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
      % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
   hydra -l user -P passlist.txt
   hydra -L userlist.txt -p defaultpw imap://
   hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
   hydra -l admin -p password ftp://[]/
   hydra -L logins.txt -P pws.txt -M targets.txt ssh

Ubiquiti AirOS 8.5.12 disable Wireless Security

It appears that with one of the latest 8.5 updates that you can no longer change Wireless Security to none from the web interface. Work around is to disable it in a config then apply the config. You can do this from the command line or upload a config under the System tab.

Web Interface

Go to the System tab, backup configuration

open configuration in a text editor and change
“aaa.1.status=enabled” to “aaa.1.status=disabled”

Upload Configuration and Apply to device

Command line

ssh admin@
sed -i '/aaa.1.status=enabled/aaa.1.status=disabled/g' /tmp/system.cfg
/usr/etc/rc.d/rc.softrestart save

The above should be it, or you can manually edit “/tmp/system.cfg” and change the following line




Save changes

/usr/etc/rc.d/rc.softrestart save

Ubiquiti AirOS – “test” changes from command line

The following is a method to recover from a command that may inadvertenly make a radio go offline.

The idea is to launch a process in the background that sleeps for 5 minutes and then reboots the radio, so any changes not saved will be reverted. If the changes were successful, you’ll just need to log back in and kill the background process to keep the device from rebooting.

This can be helpful if your changing networking settings using ifconfig, trying to change routes, or something went wrong while trying to apply a system.cfg setting.


sleep 300 && reboot &

Execute whatever command you need to. i.e.


If your command worked you can log back into the device and search for the process id of the sleep command and kill it so the radio doesn’t reboot.

ps | grep sleep

Example output

2XC.v8.5.12# ps | grep sleep
412 admin 1636 S sleep 500
414 admin 1640 S grep sleep

Kill the pid

kill 412

Setting up Proxy over SSH on Linux

Initiate a ssh connection to the server or device you want to use as a proxy. You can change the port to something else if so desired.

ssh username@ipaddress -D 1880

Log in and leave the session running

You can now setup your computer or browser to use the Proxy.
Specify SOCKS Host, hostname is either localhost or, the port is 1880.

Firefox example below.

Setting up Proxy over SSH with Putty on Windows

What we are going to do is create a proxy using ssh so we can tunnel our web traffic in Firefox through it.

First, launch putty and setup a SSH connection like you normally would.

Next, in Putty, go to the Connection, SSH, Tunnels.  Set source port, change to Dynamic, and add.  In this example we are using port 1880.

After you have it set, Open the connection and log in.

Now go to the Proxy settings in Firefox.  You can open new tab, type about:preferences, hit enter, search proxy.

Set to Manual proxy configuration, then under SOCKS Host put localhost and the port number from Putty above, 1880 in our case.

You should now be running over the proxy, can test by running a whats my ip address.

This can be particularly useful in cases where you need to access a local IP address range on something like a Ubiquiti radio or router.  Or you need to check something from a different IP address.

Remove AirControl provisioning from Ubiquiti radio via SSH

Short version

List AirControl server(s)


Remove from AirControl Server

mca-provision-rm http://server-address


Expanded Steps

First you’ll need to SSH into your radio


ssh ubnt@

Next run “mca-provision-list” to list the connection(s) the radio has, or is trying to connect to.  If you have had the radio connected to multiple AirControl servers it will show more than one entry.


XM.v6.1.3# mca-provision-list
unknown @ -

To remove, run “mca-provision-rm” with the AirControl address.  You can simple use the “http://server-ip”, shouldn’t have to worry about the port number/AC2/report.


XM.v6.1.3# mca-provision-rm
Found 1 entries matching '':
Removing: unknown @ ...
Found Backup1 on[1] ...
Found Active on[2] ...
Storing Active[1] ... [%100]
Active->Backup[2] ... [%100]