@physhster
Last active April 16, 2020 19:48
Complete-ish guide to WPA Supplicant bypass on AT&T U-verse Fiber with Unifi USG
The entirety of this guide assumes your WAN port is eth0. Make sure to adjust accordingly.
Get the certs: run the mfg_dat_decode tool. You should end up with 3 files (CA_*.pem, Client_*.pem and PrivateKey_PKCS1_*.pem) as well as a wpa_supplicant.conf file.
Edit wpa_supplicant.conf so that all 3 files are referenced by their full path under /config/auth/, and make sure the MAC address in identity matches the one you're going to spoof:
---
network={
    ca_cert="/config/auth/CA_xxxxxx.pem"
    client_cert="/config/auth/Client_xxxxxx.pem"
    eap=TLS
    eapol_flags=0
    identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="/config/auth/PrivateKey_PKCS1_xxxxxx.pem"
}
---
Download the compiled WPA Supplicant binary: https://www.dslreports.com/r0/download/2382315~c173ce2d062cf92116ed2427bb79dd18/wpa_supplicant.zip
Create wpa_supplicant.sh and make sure IF_WAN matches your WAN port:
---
#!/usr/bin/env bash
# Start EAP-TLS on eth0 (change IF_WAN if your WAN is a different port)
# Check if already running to avoid multiple instances
IF_WAN=eth0
PROCESS_NAME=wpa_supplicant
PROCESS_PATH=/config/scripts/wpa_supplicant
# Count running wpa_supplicant processes, excluding the grep itself and this script
PROCESS_COUNT=$(ps -A | grep "$PROCESS_NAME" | egrep -v "grep|$(basename "$0")" | grep -c "$PROCESS_NAME")
if [ "$PROCESS_COUNT" = 0 ] && [ -x "$PROCESS_PATH" ]; then
    # -c must point at wherever you placed wpa_supplicant.conf
    "$PROCESS_PATH" -s -B -Dwired -i"$IF_WAN" -c/config/scripts/wpa_supplicant.conf -g/var/run/wpa_supplicant.ctrl -P/var/run/wpa_supplicant.pid
fi
---
SCP into the USG and drop the following files into these locations:
/config/scripts/wpa_supplicant (the binary downloaded above)
/config/scripts/post-config.d/wpa_supplicant.sh
/config/wpa_supplicant.conf (the -c path in wpa_supplicant.sh must point at wherever you put this file)
the 3 certificate PEM files to /config/auth
Run the following commands:
---
sudo chmod +x /config/scripts/wpa_supplicant
sudo chmod +x /config/scripts/post-config.d/wpa_supplicant.sh
# keeps the certs and private key owner-only; this also clears the directory's search bit,
# which is fine because wpa_supplicant is started as root from post-config.d
sudo chmod -R 0600 /config/auth
---
Set your WAN port VLAN to 0; you might need to use the old UI for this, as the new one errors out when choosing VLAN 0.
Create a config.gateway.json file to ensure the MAC spoofing is persistent, and make sure the "eth0" key and "mac" value are updated for your gateway:
---
{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "mac": "AA:AA:AA:AA:AA:AA"
            }
        }
    }
}
---
Follow the USG documentation: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration#2
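Before rebooting, it is worth checking that the three files agree with each other. The following pre-flight check is an added example, not part of the gist: it parses the network={} block of wpa_supplicant.conf, confirms the referenced PEMs exist and are mode 0600, checks that identity matches the spoofed mac in config.gateway.json (and that the JSON parses at all), and verifies the -c path in wpa_supplicant.sh exists. build_sample() writes a constructed copy of the layout with placeholder PEMs into a temp dir so the check can be exercised offline.

```python
import json, os, re, stat, tempfile
from pathlib import Path

def parse_network_block(text):
    """Key=value pairs inside network={...}; quotes and trailing # comments stripped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    cfg = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip().strip('"')
    return cfg

def check_deployment(conf_path, json_path, script_path):
    """Return a list of problems; an empty list means the three files agree with each other."""
    problems, cfg = [], parse_network_block(Path(conf_path).read_text())
    for key in ("ca_cert", "client_cert", "private_key"):  # the three PEMs under /config/auth
        p = cfg.get(key)
        if not p or not os.path.isfile(p):
            problems.append("%s: file %r not found" % (key, p))
        elif stat.S_IMODE(os.stat(p).st_mode) & 0o077:
            problems.append("%s: %s is group/world accessible, expected 0600" % (key, p))
    try:
        eth = json.loads(Path(json_path).read_text())["interfaces"]["ethernet"]
        macs = {v.get("mac", "").lower() for v in eth.values()}
    except (ValueError, KeyError) as e:  # e.g. a curly quote makes the JSON unparseable
        problems.append("config.gateway.json unreadable: %s" % e)
        macs = set()
    if cfg.get("identity", "").lower() not in macs:
        problems.append("identity %r is not the spoofed mac in config.gateway.json" % cfg.get("identity"))
    m = re.search(r"-c(/\S+)", Path(script_path).read_text())  # the -c<conf path> in wpa_supplicant.sh
    if not m or not os.path.isfile(m.group(1)):
        problems.append("start script -c path does not exist: %r" % (m and m.group(1)))
    return problems

def build_sample(json_mac="AA:AA:AA:AA:AA:AA", key_mode=0o600):
    """Write a constructed copy of the guide's file layout into a fresh temp dir; return the three paths."""
    d = Path(tempfile.mkdtemp())
    pems = [d / n for n in ("CA_x.pem", "Client_x.pem", "PrivateKey_PKCS1_x.pem")]
    for p in pems:
        p.write_text("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real certificate
        p.chmod(key_mode)
    conf, gw, script = d / "wpa_supplicant.conf", d / "config.gateway.json", d / "wpa_supplicant.sh"
    conf.write_text('network={\n ca_cert="%s"\n client_cert="%s"\n eap=TLS\n'
                    ' identity="AA:AA:AA:AA:AA:AA" # Gateway MAC address\n private_key="%s"\n}\n' % tuple(pems))
    gw.write_text(json.dumps({"interfaces": {"ethernet": {"eth0": {"mac": json_mac}}}}))
    script.write_text("$PROCESS_PATH -s -B -Dwired -ieth0 -c%s -g/var/run/wpa_supplicant.ctrl\n" % conf)
    return str(conf), str(gw), str(script)
```

On the gateway itself, call check_deployment("/config/wpa_supplicant.conf", "<path to config.gateway.json>", "/config/scripts/post-config.d/wpa_supplicant.sh") and fix anything it reports before rebooting.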
Reboot the gateway.
Monitor logs on the gateway by running:
---
tail -n 50 -f /var/log/messages
---