no matching cipher found. Their offer: aes128-cbc,3des-cbc…

When trying to SSH to older devices like a Ubiquiti Bullet2, you may receive an error saying.

no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc

Work around it to manually specify the cipher with the “-c” option. You will also probably need to specify the KexAlgorithm

ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.20

You can see what ciphers ssh supports by running “ssh -Q cipher”

Example output

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

More information
https://www.openssh.com/legacy.html

Change Channel Width on Ubiquiti AC CPE Over SSH

SSH into CPE

ssh ubnt@192.168.1.20

open up the “/tmp/system.cfg” file

vi /tmp/system.cfg

Find the “radio.1.chanbw=” line and change to the following

radio.1.chanbw=10

Note: it may say “radio.1.chanbw=0” that looks to be the default and works for 20mhz

exit file with

esc + :wq + Return or Enter

Save settings with

/usr/etc/rc.d/rc.softrestart save 

Change AP to 10Mhz and the CPE should reconnect.

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Work around is to use the -o option and specify KexAlgorithms with the correcct option.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.11.1

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0#340853

no matching host key type found. Their offer: ssh-dss

Reason for it not working is some of the older weaker SSH encryption algorithms have been disabled. You can allow ssh to use it by specifying the following option.

 -oHostKeyAlgorithms=+ssh-dss 

so whole command would look like

ssh  -o HostKeyAlgorithms=+ssh-dss root@192.168.111.4 

http://www.openssh.com/legacy.html

https://askubuntu.com/questions/836048/ssh-returns-no-matching-host-key-type-found-their-offer-ssh-dss#836064

Mikrotik hAP – Change SSID via command line

Problem – Need 2.4 Ghz network enabled and SSID set to WiFi. Wireless router is behind a NAT, using UNMS to ssh into the radio, and from the radio ssh into hAP. Enter/Return key not working to run commands, so running the commands over ssh from the radio.

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="MikroTik" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless set disabled=no ssid=WiFi wlan1'
admin@192.168.88.2's password: 
WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="WiFi" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless registration-table print'
admin@192.168.88.2's password: 
 # INTERFACE           RADIO-NAME       MAC-ADDRESS       AP  SIGNAL... TX-RATE
 0 wlan2                                A7:32:54:EE:E4:35 no  -77dBm... 18Mbps 
 1 wlan2                                34:7A:F4:43:AD:81 no  -69dBm... 6Mbps  

WA.v8.4.2# exit

Ubiquiti AirMax – Set radio to use DHCP from command line

Gain access to radio via ssh

ssh ubnt@192.168.1.20

open up the /tmp/system.cfg

vi /tmp/system.cfg

Delete the following line. To move the cursor to the following line and type “dd” and vi will delete the whole line.

dhcpc.status=disabled   

Add the following 5 lines. Hit “i” to enter vi insert mode.
br0 should be correct interface in most scenarios.

dhcpc.1.devname=br0          
dhcpc.1.fallback=192.168.1.20
dhcpc.1.fallback_netmask=255.255.255.0
dhcpc.1.status=enabled
dhcpc.status=enabled

Save the file by hitting esc and then “:wq” followed by Return/Enter

Save the config changes and reboot the radio so it pulls an address.

/usr/etc/rc.d/rc.softrestart save && reboot

Hydra – SSH Example

Hydra is a network login cracker. You’ll need a password list and username(s) to get started.

Install Hydra

sudo apt-get install -y hydra 

Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file

SSH Example

hydra -l ubnt -P password.lst 192.168.1.20 ssh

Run hydra -h to get the full help.

Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
 Options:
   -R        restore a previous aborted/crashed session
   -I        ignore an existing restore file (don't wait 10 seconds)
   -S        perform an SSL connect
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
   -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
   -y        disable use of symbols in bruteforce, see above
   -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
   -u        loop around users, not passwords (effective! implied with -x)
   -C FILE   colon separated "login:pass" format, instead of -L/-P options
   -M FILE   list of servers to attack, one entry per line, ':' to specify port
   -o FILE   write found login/password pairs to FILE instead of stdout
   -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
   -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
   -t TASKS  run TASKS number of connects in parallel per target (default: 16)
   -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
   -w / -W TIME  wait time for a response (32) / between connects per thread (0)
   -c TIME   wait time per login attempt over all threads (enforces -t 1)
   -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
   -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
   -O        use old SSL v2 and v3
   -q        do not print messages about connection errors
   -U        service module usage details
   -h        more command line options (COMPLETE HELP)
   server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
   service   the service to crack (see below for supported protocols)
   OPT       some service modules support additional input (-U for module help)
 Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
 v3.0. The newest version is always available at http://www.thc.org/thc-hydra
 Don't use in military or secret service organizations, or for illegal purposes.
 These services were not compiled in: afp ncp oracle sapr3.
 Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
 E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
      % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
      % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
      % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 Examples:
   hydra -l user -P passlist.txt ftp://192.168.0.1
   hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
   hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
   hydra -l admin -p password ftp://[192.168.0.0/24]/
   hydra -L logins.txt -P pws.txt -M targets.txt ssh

Ubiquiti AirOS 8.5.12 disable Wireless Security

It appears that with one of the latest 8.5 updates that you can no longer change Wireless Security to none from the web interface. Work around is to disable it in a config then apply the config. You can do this from the command line or upload a config under the System tab.

Web Interface

Go to the System tab, backup configuration

open configuration in a text editor and change
“aaa.1.status=enabled” to “aaa.1.status=disabled”

Upload Configuration and Apply to device

Command line

ssh admin@192.168.1.20
sed -i '/aaa.1.status=enabled/aaa.1.status=disabled/g' /tmp/system.cfg
/usr/etc/rc.d/rc.softrestart save

The above should be it, or you can manually edit “/tmp/system.cfg” and change the following line

aaa.1.status=enabled

to

aaa.1.status=disabled

Save changes

/usr/etc/rc.d/rc.softrestart save

Ubiquiti AirOS – “test” changes from command line

The following is a method to recover from a command that may inadvertenly make a radio go offline.

The idea is to launch a process in the background that sleeps for 5 minutes and then reboots the radio, so any changes not saved will be reverted. If the changes were successful, you’ll just need to log back in and kill the background process to keep the device from rebooting.

This can be helpful if your changing networking settings using ifconfig, trying to change routes, or something went wrong while trying to apply a system.cfg setting.

Commands

sleep 300 && reboot &

Execute whatever command you need to. i.e.

ifconfig 192.168.1.100

If your command worked you can log back into the device and search for the process id of the sleep command and kill it so the radio doesn’t reboot.

ps | grep sleep

Example output

2XC.v8.5.12# ps | grep sleep
412 admin 1636 S sleep 500
414 admin 1640 S grep sleep
2XC.v8.5.12#

Kill the pid

kill 412