
Re: Does the UBNT Discovery Protocol face the internet?


@JustJoe wrote:

I was trying shodan with airOS radios.  It seems like if I started tcpdump scanning for only port 10001 on those radios, shodan did not need to send a packet with that port in it, but still was able to grab the Discovery data and display that port open???


I believe it periodically broadcasts out discovery packets, but that wouldn't travel further than the local L2 segment.


Re: Does the UBNT Discovery Protocol face the internet?


@NVX wrote:

@JustJoe wrote:

I was trying shodan with airOS radios.  It seems like if I started tcpdump scanning for only port 10001 on those radios, shodan did not need to send a packet with that port in it, but still was able to grab the Discovery data and display that port open???


I believe it periodically broadcasts out discovery packets, but that wouldn't travel further than the local L2 segment.


That's what I had thought. In my case, my PC with shodan started off being on my side of our firewall, but not on the same L2 segment. But then I moved it to have access from outside, and it also showed up in shodan there.

I have the feeling Discovery also periodically sends multicast packets on various multicast addresses. Still I wouldn't think those would be reaching across the Internet.

I have been wondering what ports all the different flavors of aircontrol have been using, and whether any of those can trigger unicast UDP 10001 replies?

Best Regards ... Joe

If the communication industry had been built on the backs of yes-men,
we would be submitting our forum posts at the telegraph office in town.

Re: Does the UBNT Discovery Protocol face the internet?

@JustJoe 
You ran tcpdump to try and grab shodan touching your device:

Did you specify UDP instead of TCP on tcpdump cmdline options?


Re: Does the UBNT Discovery Protocol face the internet?


@16again wrote:

@JustJoe 
You ran tcpdump to try and grab shodan touching your device:

Did you specify UDP instead of TCP on tcpdump cmdline options?


I did

tcpdump -i ath0 port 10001

I am first to admit I am not a tcpdump guru, but I thought that would capture either UDP or TCP.

Am I wrong so that it defaults to just TCP?

Best Regards ... Joe


Re: Does the UBNT Discovery Protocol face the internet?


Hi @16again & @NVX

 

I know that with airOS, I am completely in the wrong forum.  But it seems like there might be a bug that was stopping me from seeing the UDP 10001 exchange with shodan.

 

So far I have only reproduced this on v6.0.4.  (According to release notes, tcpdump last updated in v6.0.1)

 

With the radio's http window closed (so that shodan is not monitoring it), if I do:

tcpdump -i ath0 udp port 10001

 

The radio accepts the command with no error.  But if I go open that radio's http session in Firefox + shodan, shodan reports 10001, BUT the running tcpdump catches nothing.

 

On the other hand, again, with the http closed I do:

tcpdump -i ath0 udp

 

The radio again accepts the command with no error. But if I go open that http window, shodan again reports 10001, AND the running tcpdump DOES CATCH the UDP 10001 requests and replies from shodan (in addition to tons of other unrelated UDP exchanges!)

 

I am sure that port numbers have been successfully used in tcpdump in the past ... Could it be that airOS's tcpdump is unable to handle more than four digits in the port number???

 

Are either of you guys able to reproduce this?

Best Regards ... Joe

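Since the last post reports that `tcpdump -i ath0 udp` sees the port 10001 exchange while `udp port 10001` does not, one way to keep the broad capture usable is to filter it afterwards. The following is an added example, not part of the thread or of any Ubiquiti tooling: it reads text output saved from `tcpdump -n -i ath0 udp`, keeps only port 10001 packets, and lists peers outside the local ranges that the radio replied to. The function names, the local-range list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

DISCOVERY_PORT = 10001  # UDP port discussed in the thread

# Assumption: RFC 1918, link-local, loopback, multicast and limited broadcast
# count as "local"; any other peer is treated as reaching the radio from outside.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32")]

# Header of an IPv4 line in `tcpdump -n` text output: "ts IP src.sport > dst.dport:"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")

# Constructed sample capture (not real traffic).
SAMPLE = """\
12:00:02.000001 IP 192.168.1.50.53211 > 192.168.1.20.10001: UDP, length 4
12:00:02.000900 IP 192.168.1.20.10001 > 192.168.1.50.53211: UDP, length 150
12:00:05.000001 IP 203.0.113.5.40000 > 192.168.1.20.10001: UDP, length 4
12:00:05.000800 IP 192.168.1.20.10001 > 203.0.113.5.40000: UDP, length 150
12:00:06.000001 IP 192.168.1.20.123 > 192.168.1.1.123: NTPv4, Client, length 48
""".splitlines()

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def discovery_events(lines, port=DISCOVERY_PORT):
    """Return (timestamp, direction, peer, off_lan) for each packet on `port`."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 line in the expected format
        if int(m["dport"]) == port:
            direction, peer = "request", m["src"]
        elif int(m["sport"]) == port:
            direction, peer = "reply", m["dst"]
        else:
            continue  # unrelated UDP traffic from the broad capture
        events.append((m["ts"], direction, peer, not is_local(peer)))
    return events

def off_lan_replies(events):
    """Peers outside the local ranges that received a reply from port 10001."""
    return sorted({peer for _, d, peer, off in events if d == "reply" and off})

if __name__ == "__main__":
    for event in discovery_events(SAMPLE):
        print(*event)
    print("replied to off-LAN peers:", off_lan_replies(discovery_events(SAMPLE)))
```

Any address returned by `off_lan_replies` means the radio answered a discovery request from beyond the local segment, which points at the firewall rules for UDP 10001 rather than at the periodic broadcasts.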