New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add module to discover Ubiquiti devices #11338

Merged
merged 4 commits into from Feb 1, 2019

Conversation

Projects
None yet
6 participants
@jhart-r7
Copy link
Contributor

jhart-r7 commented Jan 31, 2019

This adds a scanner module to facilitate discovering devices made by Ubiquiti using a simple UDP protocol that operates on 10001.

This service can be disabled and can include metadata about the device in question including name, model, version, MACs and IPs. A future improvement, perhaps as part of this PR, would be to use these fields more officially in the report_ calls.

Verification

  • Locate a network known or suspected to house Ubiquiti devices
  • Start msfconsole
  • Do: use auxiliary/scanner/ubiquiti_discovery
  • Do: set RHOSTS <some_targets>
  • Do: run
[+] a.b.c.d:10001 Ubiquiti Discovery metadata: {"ips"=>["a.b.c.d"], "macs"=>["f0:9f:c2:4c:aa:bb"], "name"=>"mFi4c5051", "model_short"=>"P8U", "firmware"=>"MF.ar933x.v2.0.25.1238.140624.1356"}

jhart-r7 added some commits Jan 30, 2019

@busterb busterb added docs and removed docs labels Jan 31, 2019

@bwatters-r7

This comment has been minimized.

Copy link
Contributor

bwatters-r7 commented Jan 31, 2019

Cool; I scanned a quick selection of Ubuquiti stuff I have and got replies from an AP, a camera, and 2 powerstrips (all unmanaged). FWIW, I did not get a reply from a security gateway that was also in the range and unmanaged.

msf5 exploit(multi/handler) > use auxiliary/scanner/ubiquiti/ubiquiti_discover 
msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > set rhosts 192.168.132.0/24
rhosts => 192.168.132.0/24
msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > run

[+] 192.168.132.193:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.132.193"], "macs"=>["80:2a:a8:xx:xx:xx"], "name"=>"UBNT", "model_short"=>"U7PG2", "firmware"=>"BZ.qca956x.v3.9.27.8537.180317.1235", "model_long"=>"UAP-AC-Pro-Gen2"}
[+] 192.168.132.191:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.132.191"], "macs"=>["f0:9f:c2:xx:xx:xx"], "name"=>"UVC G3", "model_short"=>"UVC G3", "firmware"=>"UVC.S2L.v4.2.59.67.ddb1280.180405.2139"}
[+] 192.168.132.224:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.132.224"], "macs"=>["f0:9f:c2:xx:xx:xx"], "name"=>"mFixxxxxx", "model_short"=>"P8U", "firmware"=>"MF.ar933x.v2.1.11.1309.150406.1423"}
[+] 192.168.132.231:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.132.231"], "macs"=>["f0:9f:c2:xx:xx:xx"], "name"=>"mFixxxxxx", "model_short"=>"P8U", "firmware"=>"MF.ar933x.v2.0.25.1238.140624.1356"}
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > services
Services
========

host             port   proto  name                state  info
----             ----   -----  ----                -----  ----
192.168.132.191  10001  udp    ubiquiti_discovery  open   {:ips=>["192.168.132.191"], :macs=>["f0:9f:c2:xx:xx:xx"], :name=>"UVC G3", :model_short=>"UVC G3", :firmware=>"UVC.S2L.v4.2.59.67.ddb1280.180405.2139"}
192.168.132.193  10001  udp    ubiquiti_discovery  open   {:ips=>["192.168.132.193"], :macs=>["80:2a:a8:xx:xx:xx"], :name=>"UBNT", :model_short=>"U7PG2", :firmware=>"BZ.qca956x.v3.9.27.8537.180317.1235", :model_long=>"UAP-AC-Pro-Gen2"}
192.168.132.224  10001  udp    ubiquiti_discovery  open   {:ips=>["192.168.132.224"], :macs=>["f0:9f:c2:xx:xx:xx"], :name=>"mFi46xxxx", :model_short=>"P8U", :firmware=>"MF.ar933x.v2.1.11.1309.150406.1423"}
192.168.132.231  10001  udp    ubiquiti_discovery  open   {:ips=>["192.168.132.231"], :macs=>["f0:9f:c2:xx:xx:xx"], :name=>"mFi46xxxx", :model_short=>"P8U", :firmware=>"MF.ar933x.v2.0.25.1238.140624.1356"}

@wvu-r7
Copy link
Contributor

wvu-r7 left a comment

Did you want to use the Msf::Auxiliary::DRDoS mixin you wrote?

@bwatters-r7 bwatters-r7 merged commit f0519a5 into rapid7:master Feb 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

bwatters-r7 added a commit that referenced this pull request Feb 1, 2019

Land #11338, Add module to discover Ubiquiti devices
Merge branch 'land-11338' into upstream-master
@bwatters-r7

This comment has been minimized.

Copy link
Contributor

bwatters-r7 commented Feb 1, 2019

Release notes

The ubiquiti_discover scanner module has been added to the framework. This module facilitates the discovery of Ubiquiti devices using a UDP protocol that operates on 10001.

msjenkins-r7 added a commit that referenced this pull request Feb 1, 2019

Land #11338, Add module to discover Ubiquiti devices
Merge branch 'land-11338' into upstream-master
@jhart-r7

This comment has been minimized.

Copy link
Contributor Author

jhart-r7 commented Feb 1, 2019

Excellent thank you all for the help!

@jhart-r7 jhart-r7 deleted the jhart-r7:feature/ubiquity_discover branch Feb 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment