Ubiquiti’s or UI’s GPONs do not have a SSH client by default. Or do they?
If you type “ssh” and hit return, you’ll receive a “not found” error.
Typically on devices like home routers, GPONs, UniFi AP’s etc, ssh is handled by Dropbear. Dropbear provides a Secure Shell compatible server and client and is typically used in embedded systems.
To SSH from a GPON to another device, use dbclient
dbclient ubnt@192.168.1.20
dbclient is the Dropbear client. AKA, SSH client.
Here are some links for setting up a custom SSL Certificate of a UniFi Cloud Key. Should be similar to do on a UDM, or other UniFi Controller.
https://community.spiceworks.com/how_to/128281-use-lets-encrypt-ssl-certs-with-unifi-cloud-key
https://www.ssldragon.com/how-to/install-ssl-certificate/unifi-cloud-key/
Who is this mcuser on ubiquiti devices? Nothing shows up in the radio config file about it, but the user shows up in /etc/passwd
mcuser is used for AirControl2. If we look what is in the passwd file, we’ll notice that there is a ! at the beginning of the hash. Meaning that this password is disabled as the hash is not a proper hash. It’s only 10 characters long instead of the normal 13 for Unix DES hashes.
mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh
https://community.ui.com/questions/Virus-atack-v2/be924ab6-5cb0-4f9b-a4f7-246025196cc0?page=10
There is a valid ssh key, so the mcuser can ssh to the device without a password and do what it needs to do. Doing an ls on a device shows the following.
Refer to the following article on removing AirControl Provisioning
Ubiquiti changed up their download pages and it appears that there is not a page to download the AirGateway Pro firmware.
The normal AirGateway and AirGateway LR use the same firmware. The Pro can use either 2.4 or 5Ghz frequencies and has a different firmware download.
When we search for AirGateway, we only find results for the regular and LR.
There is also no download link on either AirGateway page for the Pro.
https://ui.com/download/software/airgateway
Fortunately, we can copy the download link, and change the firmware name to download the Pro version. All we need to do is change “AirGW” to “AirGWP”
Here is the direct link.
https://dl.ubnt.com/firmwares/airgateway/v1.1.12/AirGWP.v1.1.12.1028.190918.0702.bin
Recently ran across some AirGateway configs that had an extra user account on them. Typically on most Ubiquiti AirMax and AirGateway equipment, there are two user accounts that show up in the config.
A cool trick we can do is add users in the config i.e. (users.3, users.4 etc.)
So what do you do when you see a third user showing up that you didn’t put there?!
The user account looked like the following.
users.3.name=112233AABBCC users.3.password=Gczz8EBQEdAIg users.3.status=enabled
The username was the MAC address of the device and the password field is a DES(Unix) hash of what appears to be an 8 character randomly generated upper and lower case password.
Older AirOS versions only let a user select a password up to 8 characters long. You could create a longer one and log in via SSH, but you wouldn’t be able to log into the web interface.
So how did these get on here in the first place?
I am guessing that the users were created at some point while trying to adopt them to UNMS/UISP before there was firmware that supported it. The user name is the actual MAC address of the device and the passwords do seem to be randomly generated. There do not appear to be any major differences between the support files from a normal AirGateway and a suspicious AirGateway.
Also appears to only affects AirGateways which were the only devices that had issues in the past connecting to UNMS/UISP. The rest of the AirMax equipment uses very similar firmware so if there was a security issue, it should have affected all the devices.
The hashing type “DES(Unix)” does not appear to be used anymore, being replaced with MD5 Crypt. So this does appear to have happened awhile ago.
You’ll need hashcat installed and setup to crack the hash. Kali Linux has hashcat included (you will just want to have the NVIDIA drivers installed for optimal performance). You can also check out installing hashcat on Fedora, or check out the hashcat website for other systems. https://hashcat.net/hashcat/
Put the hashes of interest into a text file called hash.txt
Command to crack the passwords
./hashcat.bin -a 3 -m 1500 ./hash.txt -1?l?u ?1?1?1?1?1?1?1?1 -w 3 --session airgateway
the -1?l?u let’s us specify a custom character list made up of -l and -u. Lower and Upper case letters. –session airgateway will record a checkpoint ever so often. So if our run gets interrupted, we can restore the session with
./hashcat.bin --session airgateway --restore
Fortunately, remediation is fairly simple.
SSH into the affected device and open up the config file
vi /tmp/system.cfg
Find the lines that start with “users.3.”, delete them, and save the file
Run the following command to save the changes.
/usr/etc/rc.d/rc.softrestart save
If you are not comfortable with the command line, then you can, through the web gui, download a backup, edit the backup file in a text editor, then upload/restore the backup.
Something else you may run across is a mcuser that shows up in /etc/passwd. This is typically a user used for AirControl, so if you have used AirControl in the past that is most likely why it is there. Check out the following article to remove the user.
Install etherwake with
apt install etherwake -y
After it is installed, run etherwake with the target mac address.
etherwake AA:BB:CC:00:11:22
Ubiquiti Airmax gear has tcpdump included. We can easily use it to capture packets to a file and then use SCP from the device to copy the file for analysis.
SSH to the device
ssh ubnt@192.168.1.20 cd /tmp/
Start tcpdump with the following command. Change ath0 and file.cap to the appropriate interface and file name.
tcpdump -i ath0 -w file.cap
After we are done collecting, we can quit with ctrl + c
Now we can use scp or sftp to copy the files off. There is an issue using scp or sftp from a normal Linux machine to the radio, fails with a “sh: /usr/libexec/sftp-server: not found”. It works fine if you initiate scp from the radio.
scp /tmp/file.cap username@remoteip:~/
The format for the UniFi inform URL should be similar to the following
a38927b1-23aa-e95d-94b4-8394abce9302.unifi-hosting.ui.comThe inform URL is supposed to be on the cloud console page. However, it appears that it doesn’t show the link if you are not Owner.
Web Development Tools to the rescue!
On the UniFi console page, click on “About this Console”
Open up the Web Tools, Click on the Network tab, make sure that you have the Domain column enabled.
Refresh the page.
Look for the Domain that matches the UniFi Cloud URL format.
Example: a38927b1-23aa-e95d-94b4-8394abce9302.unifi-hosting.ui.com
You can confirm this is the correct URL by browsing to it directly. It should redirect to your cloud instance.
Extra tip: If you are migrating from a UniFi Console (CloudKey, UDM, DreamMachine) to UniFi Cloud, you can restore a backup of your CloudKey (Or other console) and then use the Host Inform Override option (from CloudKey) to tell all the devices on the network to connect to the cloud instance. May need to reboot or force provision.
First we’ll need to ssh into the device
ssh ubnt@192.168.1.20
Next lets open up the config file
vi /tmp/system.cfg
Now search for vlan and replace the vlan id with the appropriate number
In VI you can search by hitting / and then type in vlan
After you have changed all the vlan ids, save the file with esc, wq, enter.
Now we can save the config with
cfgmtd -f /tmp/system.cfg -w && reboot
Update: Found this handy dandy FAQs link https://help.ui.com/hc/en-us/articles/115009192828
Included in the FAQ is a section on “How to Disable Wireless Security on airMAX AC Devices?”
The default security configuration for AC devices since firmware version 8.5.11 was changed to WPA2 AES with a pre-shared key 0000:0000.
Ubiquiti Default AC device WPA2 Preshared key
On Ubiquiti AC radios, you can not disable WPA 2 security through the web interface. This is not necessarily bad, however, what happens if you have a client that is reset and will only connect to the default ubnt SSID?
Fortunately there is a way to disable the WPA2 Preshared key.
sed -i s/aaa.1.wpa.mode=2/aaa.1.wpa.mode=0/g /tmp/system.cfg/usr/etc/rc.d/rc.softrestart saveAfter you are done, you can click the enable button to re-enable Wireless Security.
