Change UniFi User Password from Command Line

  1. SSH into the UniFi server
  2. Connect to MongoDB
  3. Find user ObjectId
  4. Update user info with new Password

You will need a hash of the password to put into the database. We don’t cover that in this post. You could copy the hash from a different user account, or use a different UniFi instance to change the password and then check the DB to find the hash.

SSH into the UniFi Server

ssh unifiadmin@unifiserver

Connect to MongoDB

Connect to Mongo by typing in the following.

mongo --port 27117

Then select the ace database by typing

use ace

Find user ObjectId

The admins are in the admin collection/table. Use the following command to list all the users and their name, email, and password hash.

db.admin.find({ }, { name: 1, email: 1, x_shadow: 1 })

Update user info with new Password

The following looks complex. Fortunately though you should be able to copy and paste. You should only need to change the
– ObjectId to your User Id
– Password Hash to your password hash

db.admin.update({"_id" : ObjectId("223abc5489de0a93be758493")}, {$set: { "x_shadow" : "$6$nwpi7.q2$OuD9/UZGZt5cD739Dt7j8Gb1uPtfU99p0DeDSurSNBZVizieUrFVFbRufiZMgOk2IaaDZN9BVmL9yUwQ2mC8f."}});

Note: The hash above is the hash of the password “password”. Not recommended for use.

You should receive a confirmation that it succeeded. Test the new password by logging into the UniFi Controller.
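The post leaves out how to produce the hash. The `$6$` prefix of the sample value is the SHA-512 crypt format, so the sketch below (an added example, not from the original post) generates such a hash with `openssl passwd -6` and checks its shape before it is pasted into x_shadow. The function names are made up for this example, and it assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: build and sanity-check a SHA-512 crypt ($6$) hash for x_shadow.
# Function names are illustrative; assumes OpenSSL 1.1.1+ for "passwd -6".

# Read the new password from stdin so it never appears in argv or shell history.
make_shadow_hash() {
    openssl passwd -6 -stdin
}

# Succeed only if $1 looks like a complete SHA-512 crypt string:
#   $6$[rounds=N$]<salt, 1-16 chars>$<86 chars of the crypt base64 alphabet>
# Mongo stores whatever string it is given, so a truncated paste would leave
# the account unable to log in.
is_sha512_crypt() {
    printf '%s\n' "$1" | grep -Eq \
        '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Print the mongo shell statement for an ObjectId and hash, refusing anything
# that is not a 24-hex-digit id or a well-formed hash.
# Single quotes keep the shell from expanding the "$" signs.
shadow_update_stmt() {
    oid=$1
    hash=$2
    printf '%s\n' "$oid" | grep -Eq '^[0-9a-f]{24}$' || return 1
    is_sha512_crypt "$hash" || return 1
    printf 'db.admin.update({"_id" : ObjectId("%s")}, {$set: { "x_shadow" : "%s"}});\n' \
        "$oid" "$hash"
}
```

Pipe the new password into make_shadow_hash, then pass the result and the ObjectId to shadow_update_stmt to get the line to paste into the mongo shell.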

For more MongoDB commands, check out this post.

Add UniFi Protect Self-Signed Certificate to Windows

Manually adding the UniFi Protect self-signed certificate can be helpful if you are accessing the controller over the local network. The browser no longer asks you to verify the certificate on each visit, and it can remember the password if you want it to.

First we need to acquire the certificate.

Acquire UniFi Protect Certificate

In a Chrome based web browser, go to the IP address of the UniFi Protect NVR

Click in the URL bar where it says “Not secure” -> Certificate -> Details -> Copy to file

Follow the export Wizard. You can use the default settings.

Import Certificate

You can now import the certificate by double clicking on the cert.

Note that the cert needs to be installed in the “Trusted Root Certification Authorities” store.

  • Select Local Machine as the store location
  • Browse for the certificate store
  • Select Trusted Root Certification Authorities
  • Finish importing unifi.local into the Trusted Root Certification Authorities store
  • Confirm the unifi.local certificate import

Now we can move on to configuring the hosts file.

Add unifi.local to system hosts file

We need to add an entry for unifi.local, as the cert is for the unifi.local hostname and not the controller’s IP address.

We’ll essentially be following the same steps outlined in the following post.

Add local DNS entry for unifi protect
  • Launch notepad as administrator
  • Open the hosts file in
C:\Windows\System32\drivers\etc\
  • Add the following line to the bottom of your hosts file. Change the IP address to the IP of your controller.
192.168.1.20 unifi.local
  • Save the file.

You should now be set. Open a browser and go to https://unifi.local to access the UniFi Protect Controller.

Import cert.pem on Windows

First, you will need the .pem certificate.

Next launch PowerShell as Administrator

We’ll be using the certutil.exe utility to import the certificate.

certutil.exe -addstore -f "Root" 'C:\Users\path\to\cert.pem'

Example output for importing a self signed UniFi certificate.

PS C:\Windows\system32> certutil.exe -addstore -f "Root" 'C:\Users\path\to\cert.pem'
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "unifi.local" added to store.
CertUtil: -addstore command completed successfully.
PS C:\Windows\system32>

Extract UniFi .unf backup file

In this post we are going to extract the contents of a UniFi .unf backup.

This is helpful if we need to do any sort of recovery, or need to look through the database to find system information.

  1. Acquire backup
  2. Decrypt and extract backup
  3. Dump database to JSON file

Acquire Backup

This is easy to do. Log into the web interface and go to Settings -> System -> Maintenance -> Backup and Restore

Scroll down to Available Backups and download.

You can also get the file via scp or sftp. Manual backups are located in

/usr/lib/unifi/data/backup

and auto backups are in

/usr/lib/unifi/data/backup/autobackup

Decrypt and Extract Backup

We’ll be getting the following decrypt script from here. https://github.com/zhangyoufu/unifi-backup-decrypt More notes on it below.

We’ll need to make sure that openssl and zip are installed

sudo apt install openssl zip

Download the script with wget

wget https://raw.githubusercontent.com/zhangyoufu/unifi-backup-decrypt/master/decrypt.sh

Make it executable

sudo chmod u+x decrypt.sh

And now we can convert the UniFi .unf backup file to a .zip

sudo ./decrypt.sh autobackup_6.2.33.unf autobackup_6.2.33.zip

Now we can extract the zip archive. You can do this on Windows, macOS, or Linux through the GUI or you can extract with

sudo unzip autobackup_6.2.33.zip -d unifi

This will extract all the files and folders to a directory named unifi.

cd unifi

Dump database to JSON

You should now see the db.gz file. This is a compressed archive of the database in BSON (Binary JSON) format. We can use the mongo-tools to convert this to a more human readable JSON format.

sudo apt install mongo-tools

Now we can extract the archive and pipe it through bsondump.

gunzip -c db.gz | bsondump

You can run it through grep to filter out what you need.

You can also dump the db to a JSON file. bsondump reads the uncompressed BSON here, so decompress db.gz to db first.

bsondump --bsonFile=db --outFile=db.json

More notes on the decrypt script.

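The decrypt script is really simple. It uses a fixed AES-128-CBC key and IV, both hard-coded in the script, to decrypt the UniFi backup and then has zip rebuild the result into a zip file. Because the key is the same for every backup, the encryption does not keep the contents private, so store .unf files as carefully as the database itself. There is also an encryption script. Theoretically you can decrypt, make changes to the config and then re-encrypt and restore to a server.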

#!/bin/sh

# Authors:
# 2017-2019 Youfu Zhang
# 2019 Balint Reczey <balint.reczey@canonical.com>

set -e

usage() {
    echo "Usage: $0 <input .unf file> <output .zip file>"
}

if [ -z "$2" -o ! -f "$1" ]; then
    usage
    exit 1
fi

INPUT_UNF=$1
OUTPUT_ZIP=$2

TMP_FILE=$(mktemp)
trap "rm -f ${TMP_FILE}" EXIT

openssl enc -d -in "${INPUT_UNF}" -out "${TMP_FILE}" -aes-128-cbc -K 626379616e676b6d6c756f686d617273 -iv 75626e74656e74657270726973656170 -nopad
yes | zip -FF "${TMP_FILE}" --out "${OUTPUT_ZIP}" > /dev/null 2>&1

Obtain and Decrypt Cambium WiFi Router Password

By default the passwords are “encrypted” so you can not tell what the password is.

We covered decrypting the passwords from the config file from cambium cloud. But what about a local router that is not connected to the cloud. What then?

Thankfully everything you need is on the router. We’ll need to use the command line tools.

1. Enable SSH

First verify that SSH is enabled.

2. SSH into router

You may need to specify the “diffie-hellman-group1” option if it throws an error.

ssh admin@192.168.11.1 -o KexAlgorithms=+diffie-hellman-group1-sha1

3. Extract Encrypted WiFi Password from config

The config file is stored in “etc/cambium/bkup-config.txt”

cat etc/cambium/bkup-config.txt | grep 

This should dump the encrypted password(s).

Example Output.

WPAPSK1=[c760ba8ffe65c669]
RTDEV_WPAPSK1=[c760ba8ffe65c669]

4. Decrypt WiFi Password

Now we can decrypt the password. Replace the string at the end with the encrypted string

3des_hex -d c760ba8ffe65c669

It should now display the decrypted password

# 3des_hex -d c760ba8ffe65c669
12345678#

Note that it puts the # symbol after the password, and if you try to type something in, it clears the line. You can use the following to get cleaner output.

echo $(3des_hex -d c760ba8ffe65c669 )

That will print the password on its own line

# echo $(3des_hex -d c760ba8ffe65c669 )
12345678
#

How to Stop a Continuous Ping on Cambium Radio

The Cambium equipment comes with a nice little ping utility when you SSH to it. Very simple to use. Maybe we should say too simple.

usage: ping <host>
       ping -n <count> <host>
                count = 0 for continuous ping

So if I want to continuously ping a website, say incredigeek.com, I can put in the following

ping -n 0 incredigeek.com

Hit return and we are off to the races. But wait. I can’t get it to stop. Ctrl + C doesn’t do anything, and Ctrl + D or Ctrl + Z don’t help either.

Okay well fine. We’ll launch another terminal and ssh into it again and see what we can do. Excellent, now we are in aaand… wait… why are the ping results showing up here too? Help!!!

Buried in the heart of the helpful help command are these lines.

       ping -- Send ICMP ECHO_REQUEST packets to network hosts
    pingend -- End ICMP ECHO_REQUEST packets to network hosts

You don’t say. Well, let’s try typing in pingend with all the commotion going on in the terminal.

SSH+> pingend
Ping statistics for 142.250.191.206:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss)

Well good to know. Saves having to reboot the device.

Adding Email Disclaimer for Entire Domain on WHM/cPanel

Altermime is a small utility that allows you to append a disclaimer to all outbound emails on a cPanel server.

1. Installing altermime

You should be able to copy and paste the following commands in. You’ll need to be root.

cd /usr/local/src/
wget https://pldaniels.com/altermime/altermime-0.3.10.tar.gz
tar xvfz altermime-0.3.10.tar.gz
cd altermime-0.3.10
make
make install

2. Setup Disclaimer Text

Create two disclaimer files. One is text and the other is for HTML.

Text file

nano /usr/local/etc/exim/textdisclaimer

Add your disclaimer text.

-------------
incredigeek.com

HTML File

Create the HTML disclaimer file with

nano /usr/local/etc/exim/htmldisclaimer

And add your disclaimer HTML to the file. Example:

<p>
-----
<br />
  <a href="http://www.incredigeek.com">incredigeek.com </a>
</p>

3. Modify Exim Configuration

Now that we have the disclaimer files set up, we can move on to configuring Exim so the disclaimer text gets added to every email sent out.

Open up WHM and go to Exim Configuration Editor -> Advanced Editor

A. Configuring Routers Configuration

Find the ROUTERS CONFIGURATION section. We will add some configuration in the “Section: PREROUTERS”

Add disclaimer to Single Domain

Paste in the following to add the disclaimer to a single domain. Replace “incredigeek.com” with your domain.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = ${if eq {$sender_address_domain}{incredigeek.com}{disclaimer_smtp}{remote_smtp}}
no_more

Add Disclaimer to Entire Server (Optional)

If you would rather apply the disclaimer to the entire server, use the following.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = disclaimer_smtp

B. Configure Transports Configuration

Once we have that added we can find the “TRANSPORTS CONFIGURATION” section and under the first “Section: TRANSPORTSTART” add

disclaimer_smtp:
driver = smtp
transport_filter = /usr/local/bin/altermime  --input=- --disclaimer=/usr/local/etc/exim/textdisclaimer --disclaimer-html=/usr/local/etc/exim/htmldisclaimer
size_addition = 1

That should be everything that you need. Send a test email to an external email account to verify that it works.

Note that it looks like sending an email locally, to addresses on the same domain or to yourself, bypasses the filter, so those messages do not get the disclaimer added.

The following links were helpful for getting this set up.

https://forums.cpanel.net/threads/howto-footer-disclaimer-in-outgoing-mails.98465/

https://pldaniels.com/altermime/

Get list of IP DHCP Leases from Mikrotik RouterOS Command Line

Sometimes it is nice to have a list of just the IP addresses and the hostname or mac address. Can be especially helpful when you are trying to get a list of devices to do a bulk update in LibreNMS. Helpful LibreNMS links for renaming and showing down devices

We are going to run the command to pull the DHCP information and then use Unix utilities to parse the data out.

Replace dhcp8 with the correct dhcp server in the mikrotik.

First, SSH into your Mikrotik router.

ssh user@mikrotik

Next we’ll want to go to the ip dhcp-server lease directory

/ip dhcp-server lease

Now we can run the following command to loop through and pull out all the info we need.
You can change the info like “mac-address” for something like “status”. You can use Tab to see what options are available. Just delete mac-address and hit tab twice.

:foreach i in=[find] do={ :put ([get $i address].",".[get $i mac-address].",".[get $i server].",".[get $i host-name ])}

Found the above helpful info from the following pdf file.

https://mum.mikrotik.com/presentations/PH18/presentation_5113_1516612695.pdf
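The Unix-side parsing mentioned at the start of this post, as an added example that is not part of the original: it filters the comma-separated lines printed by the :foreach command down to one DHCP server and prints each IP with its hostname, falling back to the MAC address when the lease has no hostname. The function names and sample leases are constructed, and the carriage-return stripping assumes the SSH session may deliver CR LF line endings.

```sh
#!/bin/sh
# Added example: post-process the "address,mac,server,host-name" lines printed
# by the :foreach command. Function names and sample data are constructed.

# Usage: leases_for_server <dhcp-server-name> < lease-lines
# Prints "IP<TAB>label", where label is the host-name, or the MAC address when
# the lease has no host-name. Output is sorted numerically by IP address.
leases_for_server() {
    # Drop carriage returns first so the last field compares cleanly.
    tr -d '\r' |
    awk -F',' -v srv="$1" '
        NF >= 3 && $3 == srv {
            label = ($4 != "") ? $4 : $2
            print $1 "\t" label
        }' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample of what the router prints (not real leases).
sample_leases() {
    printf '%s\r\n' \
        '192.168.88.20,AA:BB:CC:00:00:02,dhcp8,printer' \
        '192.168.88.3,AA:BB:CC:00:00:01,dhcp8,' \
        '10.0.0.5,AA:BB:CC:00:00:03,dhcp1,laptop'
}
```

Save the router output to a file and feed it in on stdin, passing the DHCP server name as the argument.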

How to Find Yesterday’s Date in Linux

The wrong way to find yesterday’s date:

I had a command that was used to see if. It used some arithmetic operators to subtract 1 from the current day. That would give us yesterday’s day, which we could then use to check if a backup was created then.

day=$(date +%d) ; date=$(($day - 1)) ; echo "yesterday date is $date"

It worked great, unless you happened to be on the 8th or 9th of the month. Looks like bash is interpreting 08 and 09 in octal format. https://stackoverflow.com/questions/24777597/value-too-great-for-base-error-token-is-08

-bash: 08: value too great for base (error token is "08")

The better way

Fortunately there is an easier and more reliable way to do this. Using the date command, you can specify yesterday and it will print out yesterday’s date.

date --date=yesterday +%d

Much easier to use.
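The two approaches side by side, as an added example that is not from the original post. It goes one step further than the text: stripping the leading zero cures the octal error, but the subtraction still gives 0 on the 1st of the month, which is why the date-based version is the one to keep. The function names are illustrative, and the last function needs GNU date.

```sh
#!/bin/sh
# Added example: three ways to get "yesterday" and where the first two break.
# Function names are illustrative; yesterday() needs GNU date.

# The original approach: $1 is a day of month as printed by "date +%d".
# Fails for "08" and "09", which the shell reads as invalid octal numbers.
naive_prev_day() {
    ( echo "$(($1 - 1))" ) 2>/dev/null
}

# Stripping the leading zero avoids the octal error, but the 1st of the month
# still yields 0 instead of the last day of the previous month.
stripped_prev_day() {
    d=${1#0}
    echo "$((d - 1))"
}

# Let date do the calendar math; works across month and year boundaries.
# $1 is an optional reference date (YYYY-MM-DD); defaults to today.
yesterday() {
    TZ=UTC date --date="${1:-today} 1 day ago" +%Y-%m-%d
}
```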

Some more info.

https://www.cyberciti.biz/tips/linux-unix-get-yesterdays-tomorrows-date.html

https://stackoverflow.com/questions/18180581/subtract-days-from-a-date-in-bash