Last active
April 16, 2020 19:48
-
-
Save physhster/8b5dd0aeb214c70792c593ec8e7601dc to your computer and use it in GitHub Desktop.
Complete-ish guide to WPA Supplicant bypass on AT&T U-verse Fiber with Unifi USG
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The entirety of this guide assumes your WAN port is eth0. Make sure to adjust accordingly. | |
Get certs, run the mfg_dat_decode tool. You should end up with 3 certs: CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem, as well as a a wpa_supplicant.conf file | |
Edit wpa_supplicant.conf to add the full path /config/auth/ to all 3 files, and make sure the MAC address matches the one you're going to spoof: | |
--- | |
network={ | |
ca_cert="/config/auth/CA_xxxxxx.pem" | |
client_cert="/config/auth/Client_xxxxxx.pem" | |
eap=TLS | |
eapol_flags=0 | |
identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address | |
key_mgmt=IEEE8021X | |
phase1="allow_canned_success=1" | |
private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem" | |
} | |
--- | |
Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip | |
Create wpa_supplicant.sh and make sure it matches your WAN port | |
--- | |
#!/usr/bin/env bash | |
#Start EAP-TLS on eth0 | |
#Check if already running to avoid multiple instances | |
IF_WAN=eth0 | |
PROCESS_NAME=wpa_supplicant | |
PROCESS_PATH=/config/scripts/wpa_supplicant | |
PROCESS_COUNT=$(ps -A | grep $PROCESS_NAME | egrep -v "grep|$(basename $0)" | grep -c $PROCESS_NAME) | |
if [ $PROCESS_COUNT = 0 ] && [ -x $PROCESS_PATH ]; then | |
$PROCESS_PATH -s -B -Dwired -i$IF_WAN -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid | |
fi | |
--- | |
SCP into usg and drop the following files into the following locations: | |
/config/scripts/wpa_supplicant (the binary file from 2.) | |
/config/scripts/post-config.d/wpa_supplicant.sh | |
/config/wpa_supplicant.conf | |
3 certificate PEM files to /config/auth | |
Run the following commands: | |
--- | |
sudo chmod +x /config/scripts/wpa_supplicant | |
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh | |
sudo chmod -R 0600 /config/auth | |
--- | |
Set your WAN port VLAN to 0, you might need to use the old UI for this as the new one errors out when choosing VLAN 0. | |
Create a config.gateway.json file to ensure the MAC spoofing is persistent, make sure the values of "eth" and "mac" updated: | |
--- | |
{ | |
"interfaces":{ | |
"ethernet":{ | |
"eth0":{ | |
"mac":”AA:AA:AA:AA:AA:AA" | |
} | |
} | |
} | |
} | |
--- | |
Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2 | |
Reboot the gateway. | |
Monitor logs on the gateway by running | |
--- | |
tail -n 50 -f /var/log/messages | |
--- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment