Spooky Wifi

    When casually doing what I like to do and scanning the open air for fun and profit, I found something rather peculiar. 

    In today's world an unencrypted wireless network is pretty rare as it allows risks of spoofing, mitm, and various exploitation techniques which may be hard to defend against in courts. Many businesses offering wifi to it's customers stopped doing so because they couldn't maintain appropriate logging to prove when someone did something they shouldn't or which user it was. Captive portals weren't very affective and that was before iam services like keycloak were popular. So to see one in 2026 seemed a little bit wild.


    When anything is "open" the data is shared unencrypted over the air. This can be sniffed and accessed by anyone passing by, and in the right, or I guess wrong, scenarios it can actually be mitm or spoofed without actually associating to the wifi network. This was the premise that created wep, then wpa, and now we're on wpa 3 standard. So you could imagine this as opening everyone on their network to 1995 wireless internet in 2026. Wild. But wait, it's gets better. Capturing this one network just so happens to show a LOT of traffic from one particular client (check the frames and lost frames section). For anyone who cares this is on wifi channel 52 which is basically just a fancy way of saying 5260 MHz.


    Now mind you, where I am, this is a much less populated frequency than in many other areas. Channel 52 is also part of a group of wifi ranges considered unii2a, which makes this particularly interesting. 



    Not knowing what it was, I started researching what ubiquiti devices use channel 52 and apparently a lot of them do including by not limited to some point to point wifi devices. Not accomplishing much in this search, I went ahead and looked at the packets captured. Using tshark filtering on fields eth.src, ip.src, udp.srcport, etc... I was able to build a list of interesting communications over port 10002.



    Trying to decode some of this I made a quick scapy parser using copilot:

#!/usr/bin/env python3
from scapy.all import *
from collections import defaultdict
import argparse
import datetime
import re

UBNT_PORT = 10002
def extract_ascii(raw):
    return ''.join(chr(b) if 32 <= b < 127 else ' ' for b in raw)

def split_fields(ascii_data):
    parts = re.split(r'[\x00\s]+', ascii_data)
    return [p for p in parts if len(p) > 1]

def analyze_pcap(pcap_file):
    pkts = rdpcap(pcap_file)
    devices = defaultdict(lambda: {
        "fields": set(),
        "timestamps": []
    })
    for pkt in pkts:
        if not pkt.haslayer(IP) or not pkt.haslayer(UDP):
            continue
        ip = pkt[IP]
        udp = pkt[UDP]
        if udp.sport != UBNT_PORT and udp.dport != UBNT_PORT:
            continue
        try:
            payload = bytes(udp.payload)
            ts = datetime.datetime.fromtimestamp(float(pkt.time))
        except Exception:
            continue
        ascii_data = extract_ascii(payload)
        fields = split_fields(ascii_data)
        if not fields:
            continue
        devices[ip.src]["fields"].update(fields)
        devices[ip.src]["timestamps"].append(ts)
    return devices

def print_results(devices):
    print("\n=== DEVICE INVENTORY ===\n")
    for ip, info in devices.items():
        print(f"Device: {ip}")
        for f in sorted(info["fields"]):
            print(f"   {f}")
        print(f"  Broadcasts: {len(info['timestamps'])}")
        print()
    print("\n=== BROADCAST TIMELINES ===\n")
    for ip, info in devices.items():
        print(f"{ip}:")
        for ts in info["timestamps"][:10]:
            print(f"   {ts}")
        if len(info["timestamps"]) > 10:
            print(f"   ... ({len(info['timestamps'])} total)")
        print()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Analyze Ubiquiti UDP/10002 discovery packets (Ethernet or 802.11)")
    parser.add_argument("pcap", help="Path to pcap file")
    args = parser.parse_args()
    devices = analyze_pcap(args.pcap)
    print_results(devices)


    This allowed me to see that in fact this includes businesses, personal names, etc.. in these broadcasts over an unencrypted publicly hear-able network.


    If you'll note, this also shows the PBE-5ac-gen2 and other sorts of powerbeam device names. These devices are available on the ubiquiti store as you might exepect, as point to point devices (https://store.ui.com/us/en/products/powerbeam-5ac). Meaning these are devices in the network meant to form directional antenna for network sharing. Turning this into an almost certainly ISP level routers that were connecting. There was of course other data, like people connecting to roku, and router specific protocols like ospf being broadcast as well. Which further pointed towards how these devices were relevant. (as a higher-than-consumer level network infrastructure. Meaning this was almost definitely an ISP of some kind). 





    In my initial scan, I only got private, autoconfigure, or carrier grade nat IP addresses so I tried to reach out to the fire department and the local facebook groups for help identifying this.


    Buuuuuuut after asking someone brought up that a local ISP had some of these ubiquiti devices up recently that may be the cause of this. Around the same time I'd just found where I accidently filtered on the most important part... arp requests.

Reaching out to the provider



    As many of the technical folks who read this will immediately see this and think wait what, for anyone else that's some public ip addresses (starting in 52. and 107.) being broadcast on this network. I used this as evidence to both email and call the provider. They said they'd create a trouble ticket internally and get it resolved. The customer support tech was very friendly and was willing to make things happen which is nearly unheard of in the ISP world. So props to them for that. 

As of the next day, it was fixed and back up and running as wpa2.



    While I've asked for information about what happened, as of this writing I  have not received word back about what happened or a technical description of the problems.

Educated guesses?

    If  I was to make an assumption, it would make me think someone setup these networks to replace broken equipment. Sometimes, when pushing down configurations to devices parts or all of the configuration gets lost in transit. A big reason why I like to push configs then validate configs before moving on. I've just seen it too many times to count and it often stays unrecognized for a long time before someone comes around and fixes it.

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
Location: 725 East Ovilla Road, Red Oak, TX 75154, USA

Comments

Post a Comment

Popular Posts

ISP Routing Hell

Image
Weird Routes?  History:      So I wasn't really sure how to start this post, but I guess some back story. Many in the IT world know consumer ISPs (internet service providers) like ATT, Comcast, Charter (now spectrum), all have a weird history of "you can't prove there's a problem because we don't escalate it properly, now you're stuck with this while we replace your router 200 times because it can't be on us" sort of problems. I switched to spectrum because in my area its the only non-att fiber lines, and ATT couldn't tell me why my router had an ssh server listening on it. They couldn't think it was compromised or could be compromised, they couldn't tell me anything they just replaced it. Then replaced it again. Then again. After 2 years of doing that, I just had enough. Later that year after leaving ATT, https://en.wikipedia.org/wiki/Salt_Typhoon . But sadly, despite my contempt for ATT by this point, this post isn't about them. More ...
Read more

Yara hunting phishing samples

Image
     So, I made a yara rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated + file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with these. One possibility was on hybrid analysis. After just a few days, I have 9 detections already found.       The YARA rule is hosted on my github ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ) but basically it's like this (notations added for this post): rule phishingKits3 {     meta :       description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."       author = "ferasdour"     strings :       $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery       $s2 = "https://code.jquery...
Read more

pyscript, nim, aaaaand go

Image
     Just wanted to drop some stuff over what I've been playing with lately. Please be aware, tools and links described here might be or be able to be used maliciously, don't click or run things without understanding them. Much of the code referenced here can be found on github . Pyscript      To start with, I found the latest version of pyscript and couldn't really think of anything to do with it, outside of visualizations for web interface, or making integrations with jypyter widgets a little different without learning javascript. So I went a different route. In case anyone isn't aware, pyscript is intended to go along side pyodide or micropython (web versions of python) to leverage python programming inside a web page (loading these as javascript modules with fun little interface features). There is a wide range of examples (https://pyscript.com/@examples) and even an online ide (coding environment) to play with.     That's where I came in, af...
Read more