[NSE] Ubiquiti Discovery Service and decoding (unicast)

[TomSellers]

This script leverages Ubiquiti's Discovery Service to discover Ubiquiti's networking gear if it is listening on 10001/udp. This was the default state for many devices and versions of firmware. This is related to PR #1454.

This is a unicast probe to the specified target.

Context: https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/

If there aren't any objections or changes requested I will commit this code and the corresponding Changelog entry this week.

nmap -sU -p 10001 --script ubiquiti-discovery.nse <target>

 PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (ER-X v1.10.7)

| ubiquiti-discovery: 
|   uptime_seconds: 84592
|   uptime: 0 days 23:29:52
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   mac_ip: 
|     80:2a:a8:df:a1:63: 192.168.0.1
|     80:2a:a8:df:a1:5e: 55.55.55.55
|   mac_addresses: 
|     80:2a:a8:df:a1:63
|_    80:2a:a8:df:a1:5e

There is potential for a multicast script but this will need to wait until next week.

[nnposter]

Just a few thoughts

[nnposter]

Just a few thoughts

[TomSellers]

The code has been updated to handle the v2 version of the discovery protocol. The output has been updated to reflect this additional detail as well as the fact that different devices have different fields.

Here is an example of updated output.

Protocol v1

PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (v1 protocol, ER-X software ver. v1.10.7)
| ubiquiti-discovery:
|   protocol: v1
|   uptime_seconds: 113144
|   uptime: 1 days 07:25:44
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   interface_to_ip:
|     80:2a:a8:ae:f1:63:
|       192.168.0.1
|       172.25.16.1
|     80:2a:a8:ae:f1:5e:
|       55.55.55.10
|       55.55.55.11
|       55.55.55.12
|   mac_addresses:
|     80:2a:a8:ae:f1:63
|_    80:2a:a8:ae:f1:5e

Protocol v2

PORT      STATE SERVICE            REASON       VERSION
10001/udp open  ubiquiti-discovery udp-response Ubiquiti Discovery Service (v2 protocol, UCK-v2 software ver. 5.9.29)
| ubiquiti-discovery:
|   protocol: v2
|   firmware: UCK.mtk7623.v0.12.0.29a26c9.181001.1444
|   version: 5.9.29
|   model: UCK-v2
|   config_status: managed/adopted
|   interface_to_ip:
|     78:8a:20:21:ae:7b:
|       192.168.0.30
|   mac_addresses:
|_    78:8a:20:21:ae:7b

[TomSellers]

Thanks very much @nnposter for the feedback.