Clément Durand wrote, on Sat, 09 Aug 2014 21:05:32 +0000:

How do I find what machines are connected & their traffic?
I can log into my ubiquiti Rocket M2 radio from Linux using:
$ ssh -l ubnt IP ADDRESS
I know the IP address of the home broadband router (192.168.1.100) which
is connected to the radio, but my first question is how I would find that
router IP address if I didn't already know it?

Route -n doesn't seem to report the router (which is 192.168.1.100):
XM.v5.5.6# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.50.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ath0
0.0.0.0 10.50.0.1 0.0.0.0 UG 0 0 0 ath0

I'm surprised Jeff Liebermann hasn't responded, since he knows
everything about setting up WiFi security, but, luckily, I *think*
I have figured out one potential way to tell what the home broadband
router IP address might be from the Ubiquiti AirOS command line.

Assuming the rooftop antenna Rocket M2 is at IP 192.168.1.20 and the
home broadband router connected to it by wire is at 192.168.1.1 ...

$ ssh -l ubnt 192.168.1.20
XM.v5.5.8#

At that prompt, cat this file:
XM.v5.5.8# cat /tmp/dhcpd.leases

More often than not, that file seems to contain the IP address of the
home broadband router which is connected to the rooftop transceiver.

If you know of a *better* way to find the IP address of the router which
is connected to your Ubiquiti AirOS device, please let me know.

The router IP address will also be in the radio /proc/net/nf_conntrack
file, so, I think we can grep for it using a syntax sort of like the following:

XM.v5.5.8# grep 192.168.1. /proc/net/nf_conntrack

On Mon, 11 Aug 2014 10:10:05 +0000 (UTC), Clément Durand
wrote:

I'm surprised Jeff Liebermann hasn't responded, since he knows
everything about setting up WiFi security,

I don't do security. I hate security. I'm also busy, lazy, bored,
and playing with a few new toys and software. However, I don't have a
Ubiquiti M2 handy to test my guesswork.

Try:
arp -a
and see what it produces. You might get lucky.

Also, play with iwlist and iwconfig to see if they show connected
wireless devices (by MAC address).

Otherwise, try a bash script that pings everything in your IP block.
Something like this (untested):

#!/bin/bash
test_with_ping()
{
ping -c 1 $1 /dev/null
[ $? -eq 0 ] && echo $IP,UP
[ $? -eq 1 ] && echo $IP,dn
}

for IP in 192.168.1.{1..254}
do
test_with_ping $IP & disown # run in background
done

Use "nohup" if your bash doesn't do "disown". To run 254 IP's, at
about 1 second per IP, will take about 5 minutes. There's also no
guarantee that the connected machine will respond to an ICMP ping
request.

Are you perhaps trying to build a network map from scratch? If so,
there are network mapping tools that will do the heavy lifting for
you.

"Russia Bans Anonymous Access To Wi-Fi"
http://cellular-news.com/story/Regulatory/66778.php



--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:

Try:
arp -a

Hi Jeff,
I had tried that. While "route" exists, "arp" is not installed on
the default Ubiquiti Rocket M2 2.4GHz WiFi radio:
$ ssh -l ubnt -p 22 192.168.1.20
BusyBox v1.11.2 (2014-02-05 18:21:05 EET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
XM.v5.5.8# arp
-sh: arp: not found

Also, play with iwlist and iwconfig to see if they show connected
wireless devices (by MAC address).

Both iwlist & iwconfig exist, so I will try to learn their syntax.

Are you perhaps trying to build a network map from scratch? If so,
there are network mapping tools that will do the heavy lifting for
you.

I'm mainly trying to understand what's going on, by looking at
whatever information is available to me as I log into the rooftop
radio.

Some of the key stuff I'm trying to figure out remotely is what
IP addresses are connected to the home broadband router, and, what
destination IP addresses those clients are attempting to visit.

I think I have made headway on finding the home broadband router
IP address by lookint at the /etc/dnsmasq.conf file.

I think there's a ton of information about the destination IP
addresses in the /proc/net/nf_conntrack file.

Since there is so much IP information in the conntrack file, I'm
now looking for a command-line method of querying the destination
IP addresses found (some of which are suspiciously from China and
Russia) in the conntrack file, to find out who they belong to.

The one problem with the huge amount of IP data found in the
conntrack file is that I can't tell which client device initiated
the connection to those IP addresses.

So, I have a long way to go ... but every bit of advice helps,
and, I, for my part, will echo back what I've learned to the
group by way of payback.

Jeff Liebermann wrote, on Mon, 11 Aug 2014 09:43:50 -0700:

#!/bin/bash
test_with_ping()
{
ping -c 1 $1 /dev/null
[ $? -eq 0 ] && echo $IP,UP
[ $? -eq 1 ] && echo $IP,dn
}

for IP in 192.168.1.{1..254}
do
test_with_ping $IP & disown # run in background
done

Use "nohup" if your bash doesn't do "disown".

I think I can figure out the IP addresses connected to the home broadband
router by looking for src=192.168.1.XXX addresses in the previously
mentioned /proc/net/nf_conntrack file.

I did try the script on the Ubiquiti Rocket M2 2.5GHz radio, but, bash
wasn't found (so I changed the shell to "ash") and neither "disown" nor
"nohup" were found.

The script did run, but it didn't output anything (so I need to debug it
further).

But, I think the main issue now is to glean all the information I need
out of the /proc/net/nf_conntrack file because it *seems* to contain
every IP address that goes in and out of the rooftop radio.

While this is WISP, for people with DSL or cable, logging into that
rooftop transceiver would be equivalent to logging into their modem.

Clément Durand wrote, on Mon, 11 Aug 2014 19:46:01 +0000:

Both iwlist & iwconfig exist, so I will try to learn their syntax.

Running iwconfig first, it tells me "ath0" is the NIC of interest:

$ ssh 192.168.1.20 -l ubnt

XM.v5.5.8# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
eth1 no wireless extensions.
wifi0 no wireless extensions.
br0 no wireless extensions.
ath0
IEEE 802.11ng ESSID:"ROCKET_M2" Nickname:"Rocket_WiFi"
Mode:Managed Frequency:2.417 GHz Access Point: 00:AF:00:BFA:48
Bit Rate:104 Mb/s Tx-Power=26 dBm Sensitivity:0/0
Retryff RTS thrff Fragment thrff
Encryption key:0922-02A0-4792-CBFA-A89F-1CDC
Security mode:restricted
Power Managementff
Link Quality=40/94 Signal level=-56 dBm Noise level=-88 dBm
Rx invalid nwid:7 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Then, running "iwlist ath0", I find out some information.

This looks like it gives me the local access points nearby:

XM.v5.5.8# iwlist ath0 ap
ath0 Peers/Access-Points in range:
DA:8FC:14:E2:BC Quality=46/94 Signal level=-50 dBm Noise level=-96 dBm
10:57:22:9F:AC:5E Quality=41/94 Signal level=-55 dBm Noise level=-88 dBm
10:90:48:69:92:33 Quality=22/94 Signal level=-74 dBm Noise level=-88 dBm
CC:C8:55:8C:6F:41 Quality=18/94 Signal level=-78 dBm Noise level=-88 dBm
CA:8F:15:27:97:68 Quality=18/94 Signal level=-78 dBm Noise level=-96 dBm
61:3A:4C:E5:B91 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
91:72:4F:1F:91:1C Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
15:80:4E:69:92:34 Quality=16/94 Signal level=-80 dBm Noise level=-88 dBm
10:15:8D:AC:03:88 Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
F11:F9:12:9D:1E Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
21:C9:80:F3:98:7C Quality=10/94 Signal level=-86 dBm Noise level=-88 dBm
1B:12:C6:22:24:9F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
10:1C:63:2B:4F:47 Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
F1:13:4E:10:35:4F Quality=09/94 Signal level=-87 dBm Noise level=-88 dBm
18:0F:C3:F30:66 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm
1A:23:87:1C:F7:17 Quality=07/94 Signal level=-89 dBm Noise level=-96 dBm

This seems to list the rooftop radio transmit power:
XM.v5.5.8# iwlist ath0 txpower
ath0 8 available transmit-powers :
10 dBm (10 mW)
16 dBm (39 mW)
18 dBm (63 mW)
20 dBm (100 mW)
22 dBm (158 mW)
24 dBm (251 mW)
26 dBm (398 mW)
28 dBm (630 mW)
Current Tx-Power=24 dBm (251 mW)

This seems to scan for all the WiFi routers in the vicinity of the rooftop
radio:
XM.v5.5.8# iwlist ath0 scanning
It lists dozens of "cells", here's just one example:
Cell 02 - Address: 00:A0:55:AC:83:2A
ESSID:"Netgear"
Mode:Master
Frequency:2.417 GHz (Channel 2)
Quality=15/94 Signal level=-81 dBm Noise level=-88 dBm
Encryption keyn
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:bcn_int=100
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
Extra:mtik_ie=really long number

In summary, these two commands (iwconfig & iwlist) are interesting,
as they provide information about signal strengths of nearby
access points, none seem to tell me which PCs are attached to the
home broadband router, nor what destination IP addresses those
devices are going to.

Nice commands otherwise!

On Mon, 11 Aug 2014 19:46:01 +0000 (UTC), Clément Durand
wrote:

-sh: arp: not found

Try:
cat /proc/net/arp
or:
ip neigh show dev br0
br0 might be eth0 or something else if your M2 is setup as a router.

I'm mainly trying to understand what's going on, by looking at
whatever information is available to me as I log into the rooftop
radio.

One must suffer before enlightenment.

Some of the key stuff I'm trying to figure out remotely is what
IP addresses are connected to the home broadband router,

http://home.comcast.net/~jay.deboer/airsnare/

and, what
destination IP addresses those clients are attempting to visit.

I usually use SNMP in the router in order to get that info.
If (and only if) your Ubiquiti is setup as a bridge, you can sniff the
traffic between the wireless bridge and the router (on the router WAN
port), and get the same information. Insert a HUB (not a SWITCH)
between the Ubiquiti M2 and your unspecified router. Add a PC running
WireShark or your favorite sniffer software, and you should get
something useable.

You can also sniff just the HTTP traffic with:
http://www.nirsoft.net/utils/http_network_sniffer.html
Take a good look at Nir Sofer's tools. They're quite useful:
http://www.nirsoft.net

I think I have made headway on finding the home broadband router
IP address by lookint at the /etc/dnsmasq.conf file.

Go thee unto Google at:
https://www.google.com
Inscribe into the designated search box the words of empowerment:
"what is my IP"
Through the magic of Google, your WAN IP address will be displayed.

I think there's a ton of information about the destination IP
addresses in the /proc/net/nf_conntrack file.

Dunno. I don't have any Ubiquiti hardware handy to test it.

So, I have a long way to go ... but every bit of advice helps,
and, I, for my part, will echo back what I've learned to the
group by way of payback.

Learn by destroying, which means that if you haven't broken something,
you don't really understand how it works.

http://www.darkreading.com/application-security/10-free-or-low-cost-network-discovery-and-mapping-tools/d/d-id/1141182

Now, go away so I can get some paying work done.

--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann wrote, on Mon, 11 Aug 2014 16:19:40 -0700:

Now, go away so I can get some paying work done.

Thanks for your help. I do appreciate it.
Since the documentation on interpreting the nf_conntrack file
was so dismal, I wrote my own documentation, from many sources.

Here is it, as payback, for all the help from others.

Here's my first attempt at an interpretation of a sample line from my nf_conntrack file:

ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2
My interpretation:
An ESTABLISHED TCP connection from source host 72.167.183.54, port 80
To destination host 69.63.240.15, port 49437
From which responses are sent to host 72.167.183.54, port 49437
Timing out in 56808 seconds (i.e., more than 15 hours)
UNREPLIED means traffic hasn't been seen in the response direction yet
In addition, the:
Network layer protocol name is ipv4
Network layer protocol number is 2
Transmission layer protocol name is tcp
Transmission layer protocol number is 6
Seconds until the entry is invalidated is 56808 (i.e., more than 15 hours)


Here is another attempt at interpreting an example from my nf_conntrack log file:

ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2
My interpretation:
An ICMP echo request packet from source host 142.28.53.15
To destination host 10.50.0.241
With an expected echo reply packet from source hosts 10.50.0.241
To destination host 142.28.53.15
Timing out in 16 seconds
In addition, the:
Network layer protocol name is ipv4
Network layer protocol number is 2
Transmission layer protocol name is icmp
Transmission layer protocol number is 1
Seconds until the entry is invalidated is 16 seconds


It seems both ip_conntrack & nf_conntrack are similar in format, where nf_conntrack simply has two extra columns at the beginning of each line, so this list below attempts to describe the first six nf_conntrack columns, as I understand them:

1. Network layer protocol name (e.g., ipv4)
2. Network layer protocol number (e.g., 2)
3. Transmission layer protocol name (e.g., tcp)Transmission layer protocol number (e.g., 6)
4. Seconds until the entry is invalidated (e.g., 75114)
5. The connection state (e.g., ESTABLISHED, but this is not always there for all protocols)

It seems that the #5 connection state can be any of the following:

DCCP

CLOSEREQ
CLOSING
IGNORE
INVALID
NONE
OPEN
PARTOPEN
REQUEST
RESPOND
TIME_WAIT

SCTP

CLOSED
COOKIE_ECHOED
COOKIE_WAIT
ESTABLISHED == many of mine were this
NONE
SHUTDOWN_ACK_SENT
SHUTDOWN_RECD
SHUTDOWN_SENT

TCP

CLOSE
CLOSE_WAIT
ESTABLISHED
FIN_WAIT
LAST_ACK
NONE
SYN_RECV
SYN_SENT
SYN_SENT2
TIME_WAIT == many of mine were this

The rest of the columns are apparently either of the format KEY=VALUE or they represent FLAGs.

KEY=VALUE examples:

src=123.456.789.001
dst=123.456.789.002
sport=80 (tcp & udp only)
dport=54259 (tcp & udp only)
mark=0 (if CONFIG_NF_CONNTRACK_MARK is enabled)
use=2
type=0 (for icmp only)
code=0 (for icmp only)
id=39196 (for icmp only)
bytes (if accounting is enabled)
delta-time (if CONFIG_NF_CONNTRACK_TIMESTAMP is enabled)
packets (if accounting is enabled, request and response)
secctx (if CONFIG_NF_CONNTRACK_SECMARK is enabled)
zone (if CONFIG_NF_CONNTRACK_ZONES is enabled)

Note that the response destination host can differ from the request source host when the request source address has been masqueraded by the response destination host.

FLAG examples:

[ASSURED]: Traffic has been seen in both directions (request & response)
[UNREPLIED]: Traffic has not been seen in the response direction yet
-----
ESTABLISHED (connection state)
TIME_WAIT (connection state)