Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NSE] Ubiquiti Discovery Service and decoding (unicast) #1457

Closed
wants to merge 5 commits into from

Conversation

TomSellers
Copy link

@TomSellers TomSellers commented Feb 4, 2019

This script leverages Ubiquiti's Discovery Service to discover Ubiquiti's networking gear if it is listening on 10001/udp. This was the default state for many devices and versions of firmware. This is related to PR #1454.

This is a unicast probe to the specified target.

Context: https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/

If there aren't any objections or changes requested I will commit this code and the corresponding Changelog entry this week.

nmap -sU -p 10001 --script ubiquiti-discovery.nse <target>
 PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (ER-X v1.10.7)

| ubiquiti-discovery: 
|   uptime_seconds: 84592
|   uptime: 0 days 23:29:52
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   mac_ip: 
|     80:2a:a8:df:a1:63: 192.168.0.1
|     80:2a:a8:df:a1:5e: 55.55.55.55
|   mac_addresses: 
|     80:2a:a8:df:a1:63
|_    80:2a:a8:df:a1:5e

There is potential for a multicast script but this will need to wait until next week.

Copy link

@nnposter nnposter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few thoughts

scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Show resolved Hide resolved
scripts/ubiquiti-discovery.nse Outdated Show resolved Hide resolved
@TomSellers
Copy link
Author

The code has been updated to handle the v2 version of the discovery protocol. The output has been updated to reflect this additional detail as well as the fact that different devices have different fields.

Here is an example of updated output.

Protocol v1

PORT      STATE SERVICE            VERSION
10001/udp open  ubiquiti-discovery Ubiquiti Discovery Service (v1 protocol, ER-X software ver. v1.10.7)
| ubiquiti-discovery:
|   protocol: v1
|   uptime_seconds: 113144
|   uptime: 1 days 07:25:44
|   hostname: ubnt-router
|   product: ER-X
|   firmware: EdgeRouter.ER-e50.v1.10.7.5127989.181001.1227
|   version: v1.10.7
|   interface_to_ip:
|     80:2a:a8:ae:f1:63:
|       192.168.0.1
|       172.25.16.1
|     80:2a:a8:ae:f1:5e:
|       55.55.55.10
|       55.55.55.11
|       55.55.55.12
|   mac_addresses:
|     80:2a:a8:ae:f1:63
|_    80:2a:a8:ae:f1:5e

Protocol v2

PORT      STATE SERVICE            REASON       VERSION
10001/udp open  ubiquiti-discovery udp-response Ubiquiti Discovery Service (v2 protocol, UCK-v2 software ver. 5.9.29)
| ubiquiti-discovery:
|   protocol: v2
|   firmware: UCK.mtk7623.v0.12.0.29a26c9.181001.1444
|   version: 5.9.29
|   model: UCK-v2
|   config_status: managed/adopted
|   interface_to_ip:
|     78:8a:20:21:ae:7b:
|       192.168.0.30
|   mac_addresses:
|_    78:8a:20:21:ae:7b

@TomSellers
Copy link
Author

Thanks very much @nnposter for the feedback.

@nmap-bot nmap-bot closed this in 75eed67 Feb 9, 2019
@TomSellers TomSellers deleted the ubiquiti_script branch February 9, 2019 23:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants