https://www.freebsd.org/doc/handbook/backup-basics.html
The dump command can be used to dump a backup of a FreeBSD system. You can pipe it to a remote system using SSH.
dump -0uan -f - /usr | gzip -2 | ssh username@server-ip-address dd of=/backup/freebsd/dump-usr-backup.gz
[VERBOSE] Disabled child 2 because of too many errors
[VERBOSE] Disabled child 6 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
Looks like the issue can happen if you have too many threads going at once. Lower the amount of threads your using with -t. Recommended amount for ssh is 4.
hydra -L usernames.txt -P "passwords.txt" 192.168.1.20 ssh -t4
When trying to SSH to older devices like a Ubiquiti Bullet2, you may receive an error saying
no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
The work around is to manually specify the cipher with the “-c” option. You will also probably need to specify the KexAlgorithm “Key Exchange Algorithm”
ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.20
You can see what ciphers SSH supports by running “ssh -Q cipher”
Example output
ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com
More information
https://www.openssh.com/legacy.html
SSH into CPE
ssh ubnt@192.168.1.20
open up the “/tmp/system.cfg” file
vi /tmp/system.cfg
Find the “radio.1.chanbw=” line and change to the following
radio.1.chanbw=10
Note: it may say “radio.1.chanbw=0” that looks to be the default and works for 20mhz
exit file with
esc + :wq + Return or Enter
Save settings with
/usr/etc/rc.d/rc.softrestart save
Change AP to 10Mhz and the CPE should reconnect.
Work around is to use the -o option and specify KexAlgorithms with the correct option.
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.11.1
The following are errors that are returned when trying to ssh to a device.
Cambium 450i PMP Equipment
Unable to negotiate with 192.168.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
2023 Update: Recent versions of REHL have completely disabled DES which can cause issues even when using the +ssh-rsa or +ssh-rsa. You can use the following command to enable SHA1, however, upgrading the server would be recommended.
update-crypto-policies --set DEFAULT:SHA1
Reason for it not working is some of the older weaker SSH encryption algorithms have been disabled. You can allow ssh to use it by specifying the following option.
-oHostKeyAlgorithms=+ssh-dss
The whole command would look like
ssh -o HostKeyAlgorithms=+ssh-dss root@192.168.111.4
Problem – Need 2.4 Ghz network enabled and SSID set to WiFi. Wireless router is behind a NAT, using UNMS to ssh into the radio, and from the radio ssh into hAP. Enter/Return key not working to run commands, so running the commands over ssh from the radio.
WA.v8.4.2# ssh admin@192.168.88.2 'interface wireless print'
admin@192.168.88.2's password:
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3
arp=enabled interface-type=Atheros AR9300 mode=station ssid="MikroTik"
frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel=""
scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default compression=no
1 R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2
arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi"
frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel=""
scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default compression=no
WA.v8.4.2# ssh admin@192.168.88.2 'interface wireless set disabled=no ssid=WiFi wlan1'
admin@192.168.88.2's password:
WA.v8.4.2# ssh admin@192.168.88.2 'interface wireless print'
admin@192.168.88.2's password:
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3
arp=enabled interface-type=Atheros AR9300 mode=station ssid="WiFi"
frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel=""
scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default compression=no
1 R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2
arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi"
frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel=""
scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default compression=no
WA.v8.4.2# ssh admin@192.168.88.2 'interface wireless registration-table print'
admin@192.168.88.2's password:
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE
0 wlan2 A7:32:54:EE:E4:35 no -77dBm... 18Mbps
1 wlan2 34:7A:F4:43:AD:81 no -69dBm... 6Mbps
WA.v8.4.2# exit
Gain access to radio via ssh
ssh ubnt@192.168.1.20
open up the /tmp/system.cfg
vi /tmp/system.cfg
Delete the following line. To move the cursor to the following line and type “dd” and vi will delete the whole line.
dhcpc.status=disabled
Add the following 5 lines. Hit “i” to enter vi insert mode.
br0 should be correct interface in most scenarios.
dhcpc.1.devname=br0
dhcpc.1.fallback=192.168.1.20
dhcpc.1.fallback_netmask=255.255.255.0
dhcpc.1.status=enabled
dhcpc.status=enabled
Save the file by hitting esc and then “:wq” followed by Return/Enter
Save the config changes and reboot the radio so it pulls an address.
/usr/etc/rc.d/rc.softrestart save && reboot
Hydra is a network login cracker. You’ll need a password list and username(s) to get started.
Install Hydra
sudo apt-get install -y hydra
Launch against device
Change the IP address to the target IP
Change ubnt to target Username
Change password.lst to your password list file
SSH Example
hydra -l ubnt -P password.lst 192.168.1.20 ssh
Run hydra -h to get the full help.
Alfred@localhost:~$ hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
SSH into radio
ssh ubnt@192.168.1.20
Put the following two lines into the /tmp/system.cfg file. Doesn’t matter where
unms.uri=REPLACE-WITH-UNMS-KEY unms.status=enabled
Apply changes with
/usr/etc/rc.d/rc.softrestart save
Go accept device in UNMS.