Generate Password list using Crunch

Install crunch, then generate a word list with the following command. The 8 8 tells crunch to generate combinations with a minimum and maximum length of 8. The string 1234567890 is the set of characters to use, and -o writes the result to an output file.

Change options if desired.

crunch 8 8 1234567890 -o 8numberchars.lst

Further reading: https://tools.kali.org/password-attacks/crunch

Baicells – nmap scan of eNodeB shows connected subscribers

Doing a port scan on the 50000-59999 port range reveals all the connected subscriber modules.

Alfred@localhost:~$ nmap -p 1-65535 10.0.0.2
 Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-30 23:55 CDT
 Nmap scan report for 10.0.0.2
 Host is up (0.026s latency).
 Not shown: 65520 closed ports
 PORT      STATE    SERVICE
 80/tcp    open     http
 7547/tcp  open     cwmp
 27149/tcp open     unknown
 59423/tcp open     unknown
 54984/tcp open     unknown
 51241/tcp open     unknown
 Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds

You should be able to access the login page for a subscriber module by going to https://enodeb-ip:xxxxx

where xxxxx is the port number from the scan. The port should be 5 followed by the last four IMSI digits of the subscriber unit.
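
The port-to-subscriber rule above can be turned into an inventory check for operators. The following Python is an added example, not code from the original post or from Baicells: it parses the open-port lines of the scan shown above (embedded as constructed sample input), labels 27149 as SSH following this page's SSH section, and compares exposed IMSI suffixes against a provisioned list, which is an assumed input.

```python
import re

# Constructed sample: the open-port lines from the scan shown above.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE
80/tcp    open     http
7547/tcp  open     cwmp
27149/tcp open     unknown
59423/tcp open     unknown
54984/tcp open     unknown
51241/tcp open     unknown
"""

# Port roles as described on this page; anything else is reported as "other".
KNOWN_PORTS = {80: "web UI", 7547: "CWMP (TR-069)", 27149: "SSH (per this page)"}
PORT_LINE = re.compile(r"^\s*(\d{1,5})/tcp\s+open\b", re.MULTILINE)


def classify_port(port):
    """Return (role, imsi_suffix) for one open TCP port on the eNodeB."""
    if 50000 <= port <= 59999:
        # Page's rule: port = "5" + last four IMSI digits of the subscriber unit.
        return "subscriber module login page", f"{port % 10000:04d}"
    return KNOWN_PORTS.get(port, "other"), None


def audit_scan(nmap_text):
    """Parse nmap's normal output and list every exposed management surface."""
    findings = []
    for match in PORT_LINE.finditer(nmap_text):
        port = int(match.group(1))
        role, suffix = classify_port(port)
        findings.append({"port": port, "role": role, "imsi_suffix": suffix})
    return sorted(findings, key=lambda f: f["port"])


def unexpected_subscribers(findings, provisioned_suffixes):
    """IMSI suffixes exposed on the eNodeB that are not in the operator's inventory."""
    seen = {f["imsi_suffix"] for f in findings if f["imsi_suffix"]}
    return sorted(seen - set(provisioned_suffixes))


if __name__ == "__main__":
    results = audit_scan(SAMPLE_SCAN)
    for f in results:
        print(f"{f['port']:>5}  {f['role']}  {f['imsi_suffix'] or ''}")
    # Constructed inventory: two of the three exposed units are expected.
    print("not in inventory:", unexpected_subscribers(results, ["9423", "4984"]))
```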

SSH into Baicells eNodeB

Based on multiple nmap scans of Baicells eNodeBs, it appears that they use port 27149 as the default SSH port.

Example scan

Alfred@localhost:~$ nmap -p 1-28999 10.0.0.2
Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-27 21:19 CDT
 Nmap scan report for 10.0.0.2
 Host is up (0.044s latency).
 Not shown: 28996 closed ports
 PORT      STATE SERVICE
 80/tcp    open  http
 7547/tcp  open  cwmp
 27149/tcp open  unknown  <-- SSH Port 
Nmap done: 1 IP address (1 host up) scanned in 10.81 seconds

SSH into eNodeB

ssh -p 27149 admin@10.0.0.2 

Example:

ssh -p27149 admin@10.0.0.2 
 Password: 
 CELL> ?
   enable      Turn on privileged mode command
   exit        Exit current mode and down to previous mode
   list        Print command list
   passwd      User password
   ping        Send echo messages
   quit        Exit current mode and down to previous mode
   show        Show running system information
   ssh         Open an ssh connection
   telnet      Open a telnet connection
   terminal    Set terminal line parameters
   traceroute  Trace route to destination
   whoami      Show current user in system
 CELL> 

Hydra – SSH Example

Hydra is a network login cracker. You’ll need a password list and username(s) to get started.

Install Hydra

sudo apt-get install -y hydra 

Launch against device
Change the IP address to the target IP
Change ubnt to the target username
Change password.lst to your password list file

SSH Example

hydra -l ubnt -P password.lst 192.168.1.20 ssh

Run hydra -h to get the full help.

Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
 Options:
   -R        restore a previous aborted/crashed session
   -I        ignore an existing restore file (don't wait 10 seconds)
   -S        perform an SSL connect
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
   -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
   -y        disable use of symbols in bruteforce, see above
   -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
   -u        loop around users, not passwords (effective! implied with -x)
   -C FILE   colon separated "login:pass" format, instead of -L/-P options
   -M FILE   list of servers to attack, one entry per line, ':' to specify port
   -o FILE   write found login/password pairs to FILE instead of stdout
   -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
   -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
   -t TASKS  run TASKS number of connects in parallel per target (default: 16)
   -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
   -w / -W TIME  wait time for a response (32) / between connects per thread (0)
   -c TIME   wait time per login attempt over all threads (enforces -t 1)
   -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
   -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
   -O        use old SSL v2 and v3
   -q        do not print messages about connection errors
   -U        service module usage details
   -h        more command line options (COMPLETE HELP)
   server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
   service   the service to crack (see below for supported protocols)
   OPT       some service modules support additional input (-U for module help)
 Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
 v3.0. The newest version is always available at http://www.thc.org/thc-hydra
 Don't use in military or secret service organizations, or for illegal purposes.
 These services were not compiled in: afp ncp oracle sapr3.
 Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
 E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
      % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
      % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
      % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
 Examples:
   hydra -l user -P passlist.txt ftp://192.168.0.1
   hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
   hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
   hydra -l admin -p password ftp://[192.168.0.0/24]/
   hydra -L logins.txt -P pws.txt -M targets.txt ssh
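
For the defending side, a run like the one above shows up in the target's SSH log as a burst of failed logins from one source (the help text lists 16 parallel tasks as the default for -t). The following Python is an added example, not part of the original post or of Hydra: it flags such bursts in OpenSSH-format log lines and records whether a successful login followed. The sample lines, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (OpenSSH message format); not taken from a real host.
SAMPLE_LOG = """\
Sep 30 23:55:01 gw sshd[2101]: Failed password for ubnt from 192.168.1.50 port 40112 ssh2
Sep 30 23:55:01 gw sshd[2102]: Failed password for ubnt from 192.168.1.50 port 40114 ssh2
Sep 30 23:55:02 gw sshd[2103]: Failed password for ubnt from 192.168.1.50 port 40116 ssh2
Sep 30 23:55:02 gw sshd[2104]: Failed password for ubnt from 192.168.1.50 port 40118 ssh2
Sep 30 23:55:03 gw sshd[2105]: Failed password for ubnt from 192.168.1.50 port 40120 ssh2
Sep 30 23:55:04 gw sshd[2106]: Accepted password for ubnt from 192.168.1.50 port 40122 ssh2
Sep 30 23:58:40 gw sshd[2150]: Failed password for invalid user admin from 192.168.1.77 port 51000 ssh2
Sep 30 23:59:10 gw sshd[2151]: Accepted password for alfred from 192.168.1.9 port 51200 ssh2
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect_guessing(log_text, threshold=5, window_seconds=60, year=2019):
    """Flag sources with >= threshold failed logins inside a sliding window,
    and mark whether a successful login from the same source followed."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = {}                   # source IP -> alert record
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        # Syslog timestamps carry no year; the caller supplies it.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if outcome == "Failed":
            q = recent[src]
            q.append(when)
            while (when - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first_seen": q[0], "user": user, "login_after": False}
        elif src in alerts:
            alerts[src]["login_after"] = True  # a guess worked after the burst
    return alerts


if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```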

LineageOS Updater crashing when trying to install update

The LineageOS Updater downloads updates fine, but crashes as soon as you hit Install.

It looks like there may be a bug related to an update that has already been downloaded and installed but is still waiting on the device to reboot.

Reboot the device to resolve the issue.

Other things to try would include deleting and redownloading the update and/or trying a different update.

How to reset Minecraft Demo timer without resetting the World – Linux

Note that the following commands have not been tested, but they are based on other ones, so they should work.

Open a terminal and run the following two commands to delete level.dat and level.dat_old

rm ~/.minecraft/saves/Demo_World/level.dat 
rm ~/.minecraft/saves/Demo_World/level.dat_old 

You should be able to open Minecraft and have the timer reset. Note that all the achievements in the game will be reset as well.

How to reset Minecraft Demo timer without resetting the World – Windows

Open Windows File Explorer, in the Address Bar paste the following and hit enter.

%APPDATA%\.minecraft\saves\Demo_World\

You should now be in the demo world folder.

Delete the “level.dat” and “level.dat_old” files and restart Minecraft. Your timer should now be reset, as well as all the game objectives.

Manually create graph of device in LibreNMS

In LibreNMS, you can click “Show RRD Command” to get the command used to create a graph manually. Copy the command.

In the command below, the path shows the IP address of the device to generate the graph from.  Theoretically you can change that to a different IP to generate graphs from other devices.

SSH into the server and run the command, changing /tmp/randomtext to something like /root/mikrotik_092619.png or whatever you want. You can also adjust the size, color, etc. of the graph.

 rrdtool graph /tmp/randomtext --alt-y-grid --alt-autoscale-max --rigid -E \
   --start 1515946500 --end 1516551300 --width 1712.7 --height 483 \
   -c BACK#EEEEEE00 -c SHADEA#EEEEEE00 -c SHADEB#EEEEEE00 -c FONT#000000 \
   -c CANVAS#FFFFFF00 -c GRID#a5a5a5 -c MGRID#FF9999 -c FRAME#5e5e5e -c ARROW#5e5e5e \
   -R normal --font LEGEND:8:DejaVuSansMono --font AXIS:7:DejaVuSansMono \
   --font-render-mode normal COMMENT:'Volts Cur Min Max\n' \
   DEF:sensor495=/opt/librenms/rrd/192.168.88.1/sensor-voltage-routeros-0.rrd:sensor:AVERAGE \
   LINE1:sensor495#CC0000:'Voltage 0 ' \
   GPRINT:sensor495:LAST:%5.1lfV GPRINT:sensor495:MIN:%5.1lfV 'GPRINT:sensor495:MAX:%5.1lfV\l'