[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

TomSellers · 2019-02-04T13:28:00Z

This script leverages Ubiquiti's Discovery Service to discover Ubiquiti's networking gear if it is listening on 10001/udp. This was the default state for many devices and versions of firmware. This is related to PR #1454.

This is a unicast probe to the specified target.

Context: https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/

If there aren't any objections or changes requested I will commit this code and the corresponding Changelog entry this week.

nmap -sU -p 10001 --script ubiquiti-discovery.nse <target>

 PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (ER-X v1.10.7)

| ubiquiti-discovery: 
|   uptime_seconds: 84592
|   uptime: 0 days 23:29:52
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   mac_ip: 
|     80:2a:a8:df:a1:63: 192.168.0.1
|     80:2a:a8:df:a1:5e: 55.55.55.55
|   mac_addresses: 
|     80:2a:a8:df:a1:63
|_    80:2a:a8:df:a1:5e

There is potential for a multicast script but this will need to wait until next week.

nnposter

Just a few thoughts

scripts/ubiquiti-discovery.nse

TomSellers · 2019-02-05T00:56:38Z

The code has been updated to handle the v2 version of the discovery protocol. The output has been updated to reflect this additional detail as well as the fact that different devices have different fields.

Here is an example of updated output.

Protocol v1

PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (v1 protocol, ER-X software ver. v1.10.7)
| ubiquiti-discovery:
|   protocol: v1
|   uptime_seconds: 113144
|   uptime: 1 days 07:25:44
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   interface_to_ip:
|     80:2a:a8:ae:f1:63:
|       192.168.0.1
|       172.25.16.1
|     80:2a:a8:ae:f1:5e:
|       55.55.55.10
|       55.55.55.11
|       55.55.55.12
|   mac_addresses:
|     80:2a:a8:ae:f1:63
|_    80:2a:a8:ae:f1:5e

Protocol v2

PORT      STATE SERVICE            REASON       VERSION
10001/udp open  ubiquiti-discovery udp-response Ubiquiti Discovery Service (v2 protocol, UCK-v2 software ver. 5.9.29)
| ubiquiti-discovery:
|   protocol: v2
|   firmware: UCK.mtk7623.v0.12.0.29a26c9.181001.1444
|   version: 5.9.29
|   model: UCK-v2
|   config_status: managed/adopted
|   interface_to_ip:
|     78:8a:20:21:ae:7b:
|       192.168.0.30
|   mac_addresses:
|_    78:8a:20:21:ae:7b

TomSellers · 2019-02-05T00:56:52Z

Thanks very much @nnposter for the feedback.

TomSellers added 2 commits Feb 4, 2019

Add ubiquiti-discovery.nse

75c22f3

ubiquiti-discovery whitespace cleanup

b6a9e05

TomSellers mentioned this pull request Feb 4, 2019

Service Detection: Add Ubiquiti Discovery Service on 10001/udp #1454

Closed

nnposter reviewed Feb 4, 2019

View changes

handle v2, address feedback

7435c07

TomSellers added 2 commits Feb 9, 2019

sanity check

9b1318f

remove cpe without product

f412cc7

nmap-bot closed this in 75eed67 Feb 9, 2019

TomSellers deleted the TomSellers:ubiquiti_script branch Feb 9, 2019

nmap / nmap Public

[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

TomSellers commented Feb 4, 2019 •

edited

nnposter left a comment

TomSellers commented Feb 5, 2019

TomSellers commented Feb 5, 2019

nmap / nmap Public

[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

Conversation

TomSellers commented Feb 4, 2019 • edited

nnposter left a comment

TomSellers commented Feb 5, 2019

TomSellers commented Feb 5, 2019

TomSellers commented Feb 4, 2019 •

edited