AirOS Vulnerability

I decided to talk about the AirOS vulnerability using the NanoStation M2 hack as an example.

It all started when I got connected to the Internet. Since I live in the private sector, the provider installed directional Wi-Fi, and on my roof there is a NanoStation M2 2.4 GHz.
I was very indignant that they told me neither the Wi-Fi password nor the NanoStation password (although I understand the reasons for that). How I got the Wi-Fi password, read below the cut.

Having learned that the access point runs AirOS, which is based on Linux, I easily found a description of this OS's vulnerability online.
Then I go to the link 192.168.1.***/admin.cgi/ds.css
and see that this gives almost full access to the OS.

By downloading the file /etc/passwd, I saw the following contents:

ubnt:PpI8IMUqKVKCw:0:0:Administrator:/etc/persistent:/bin/sh

As expected, the password is hashed. Of course, you could also download the password change script and figure out its algorithm, but I decided to take an easier route. The /usr/etc/system.cfg file holds the default settings, including the ubnt password hash:

users.status=enabled
users.1.status=enabled
users.1.name=ubnt
users.1.password=VvpvCwhccFv6Q

Next, I edit the downloaded passwd file on my machine, changing the password hash to the default one:

ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh

and upload it to the access point, after which it only remains to put it in place.

Profit =)

We log in to the access point using the default username/password ubnt/ubnt.

Finding out the Wi-Fi password from there is a technicality.

These manipulations did not give me full access to the OS, because when changing the password the OS complains that the ubnt password is not correct, but I got the desired result.
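A defensive check built from the two file formats above, as an added example that is not part of the original post: it reads the factory hashes from a system.cfg and flags passwd accounts that carry one, which is the state the passwd edit described above leaves the device in. The function names and the embedded sample strings are constructed for illustration; in practice the inputs would come from a configuration backup of the device.

```python
import re

# Constructed sample inputs, in the two file formats shown in the post.
SYSTEM_CFG = """\
users.status=enabled
users.1.status=enabled
users.1.name=ubnt
users.1.password=VvpvCwhccFv6Q
"""
PASSWD_CHANGED = "ubnt:PpI8IMUqKVKCw:0:0:Administrator:/etc/persistent:/bin/sh\n"
PASSWD_DEFAULT = "ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh\n"


def default_hashes(cfg_text):
    """Map user name -> factory hash from users.N.name / users.N.password keys."""
    fields = {}
    for line in cfg_text.splitlines():
        m = re.match(r"users\.(\d+)\.(name|password)=(.*)$", line.strip())
        if m:
            fields.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {u["name"]: u["password"] for u in fields.values()
            if "name" in u and "password" in u}


def audit_passwd(passwd_text, cfg_text):
    """Return (account, finding) pairs for weak entries in a passwd file."""
    defaults = set(default_hashes(cfg_text).values())
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # skip empty or malformed lines
        name, pw_hash = parts[0], parts[1]
        if pw_hash == "":
            findings.append((name, "empty password field"))
        elif pw_hash in defaults:
            # Same hash as the factory settings: default credentials work.
            findings.append((name, "factory-default password hash"))
        elif len(pw_hash) == 13 and not pw_hash.startswith("$"):
            # Changed, but still in the short legacy hash format.
            findings.append((name, "13-character hash (consistent with traditional DES crypt)"))
    return findings


if __name__ == "__main__":
    for label, text in (("changed", PASSWD_CHANGED), ("default", PASSWD_DEFAULT)):
        print(label, audit_passwd(text, SYSTEM_CFG))
```

Run against backups taken at different times, a switch from the second finding to the first shows that the account was put back on the factory hash.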


I hope someone can suggest how to completely reset/change the password.
