SpiderLabs Blog

What Dirty Little Secrets You Find on eBay

So I do networking (computers and wifi things) at a number of security conferences (Thotcon & DEF CON). In order to do so, I sometimes need hardware to play with. In December I decided to watch a few auctions on eBay for some of the newer, but maybe off-lease, Aruba gear.

Specifically, I was looking for something that would support IPv6. Well, I found two Aruba 651 Controllers and put in bids. Unfortunately for me, I managed to win both auctions and pick both of them up. I was really only hoping for one controller. But what the heck...


The first one arrived within a few days of the auction's close. It was in the original Aruba box and sold as "New--Open Box". I booted it up and popped on the serial console. It had the default config on it. Boo! Did someone wipe it? Chances were that this unit had never even been set up. It didn't come with any licenses, so it was really only good for one internal AP plus PoE, unless I could convince Aruba to sell me a license to add Access Points to it.

About a week later the second unit arrived. This unit was in a USPS box and swaddled in bubble-wrap. I guessed that this unit was in service and maybe even in a production environment. The top of the case had two dents in it, but it did look clean.

Then came the fun part! I booted the system and hooked up a serial console to check out the licenses.


And hey! Look at that: this one had a ton of licenses! Some, unfortunately, were expired, but in total it had 10 AP licenses and firewall licenses. The firewall licenses were important so that I could disable peer-to-peer and client-to-client traffic on the conference networks.

One thing that I found odd was that when the system booted, it already had a hostname. Not the generic "Aruba651" that the other unit had, but "CityName651". Included with the package was a print-out of the Aruba version and licenses and a hand-written Post-it note stating that the username was set to "admin" and the password was set to "password".

From that, I deduced that someone knew enough to reset the username and password on the system. Without the Post-it I might have been annoyed that I couldn't log in to the darn thing. That said, I think the credentials were the only piece of information that was changed.

It still had their old subnets. The SNMP profile gave their location as "XXXXXXCityOffices", a "netdestination PrivateSubnets" entry listed their internal networks, and I also found a profile for their water department, among other things.

However, most of the information was harmless and completely useless to me.

Then as I skimmed the running configuration I spotted this:


That was interesting, and it appeared that they had left four SSID configurations on the device as well. Each profile had an "encrypted" WPA passphrase.

I wondered whether I could recover those passphrases.

So off to Google I went. First I looked for tools that could crack the hash, but no luck. Then I searched for "aruba controller config wpa-passphrase". Bam! I found a forum post by someone who had just taken over from a sysadmin who hadn't documented their work. They asked whether there was a way to recover the static WPA passphrase.

Drum roll please.... Yes! There is!

If you issue the command "encrypt disable" and then do a "show run", the configuration is no longer displayed in "encrypted" form: the wpa-passphrase values appear in the clear. In other words, the "encryption" only protects the passphrases from someone reading the config file; anyone with admin access to the controller's CLI can reveal them.


Now, if I were a cracker and wanted to be thrown in jail, I could list all kinds of nasty things that one could do with this information. But I'm not, and the purpose of this exercise was to bring attention to the fact that folks need to do a "write erase" and "delete filename default-XXX.cfg" before shipping these things off to someone else.

The single "write erase" command, which wipes the configuration and returns the controller to a factory-fresh state, is key here. It keeps the licenses, which give value to the hardware, but removes the previous owner's private configuration from the device.
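The point of the two passages above is that a controller leaving your hands should carry nothing owner-specific: no hostname, no SNMP details, no internal subnets and, above all, no WPA passphrases, "encrypted" or not, since "encrypt disable" reveals them. The script below is an added example (it is not Aruba's tooling and was not part of the original post) of a pre-disposal audit: it walks a saved "show run" dump and reports every line that still identifies the old owner, naming the SSID profile each passphrase belongs to. The config sample is constructed for illustration, and the ArubaOS line syntax it assumes is an approximation; adjust the patterns to match the output of your own platform.

```python
import re
from typing import Dict, List

# Constructed sample of an ArubaOS-style running config. Not a real device's
# output; the syntax is an approximation for illustration only.
SAMPLE_CONFIG = """\
version 6.1
hostname CityName651
snmp-server host 10.10.5.20 version 2c public
snmp-server location "XXXXXXCityOffices"
netdestination PrivateSubnets
  network 10.10.0.0 255.255.0.0
  network 192.168.50.0 255.255.255.0
!
wlan ssid-profile "CityStaff"
  essid "CityStaff"
  opmode wpa2-psk-aes
  wpa-passphrase ab12cd34ef56
!
wlan ssid-profile "WaterDept"
  essid "WaterDept"
  opmode wpa2-psk-aes
  wpa-passphrase 9876fedcba
!
wlan ssid-profile "Guest"
  essid "Guest"
  opmode opensystem
!
"""

# Constructed stand-in for what a unit looks like after "write erase":
# only the generic hostname remains.
FACTORY_DEFAULT = "version 6.1\nhostname Aruba651\n!\n"

# Each rule is (category, regex). A match means the config still carries
# something the previous owner would not want to hand to a stranger.
# The hostname rule ignores the factory-style "Aruba<model>" name.
SENSITIVE_PATTERNS = [
    ("hostname", re.compile(r"^\s*hostname\s+(?!Aruba\d+\s*$)\S+")),
    ("snmp", re.compile(r"^\s*snmp-server\s+(host|community|location)\b")),
    ("netdestination", re.compile(r"^\s*netdestination\s+\S+")),
    ("internal-network", re.compile(r"^\s*network\s+\d+\.\d+\.\d+\.\d+")),
    ("wpa-passphrase", re.compile(r"^\s*wpa-passphrase\s+\S+")),
]

PROFILE_RE = re.compile(r'^\s*wlan ssid-profile\s+"?([^"\s]+)"?')


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Return {category: [finding, ...]} for every line that still carries
    owner-specific data. Passphrase values are redacted in the report so the
    audit output itself does not become another copy of the secret."""
    findings: Dict[str, List[str]] = {}
    current_profile = None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        profile = PROFILE_RE.match(raw)
        if profile:
            current_profile = profile.group(1)
        elif line == "!":
            current_profile = None  # "!" closes the current block
        for category, pattern in SENSITIVE_PATTERNS:
            if not pattern.search(raw):
                continue
            shown = line
            if category == "wpa-passphrase":
                shown = re.sub(r"(wpa-passphrase\s+)\S+", r"\1<redacted>", line)
            where = f" (ssid-profile {current_profile})" if current_profile else ""
            findings.setdefault(category, []).append(f"line {lineno}: {shown}{where}")
    return findings


def is_safe_to_ship(config_text: str) -> bool:
    """True only when the audit finds nothing owner-specific."""
    return not audit_config(config_text)


if __name__ == "__main__":
    for name, cfg in (("second-hand unit", SAMPLE_CONFIG), ("after write erase", FACTORY_DEFAULT)):
        report = audit_config(cfg)
        print(f"{name}: {'clean' if not report else 'NOT clean'}")
        for category, lines in report.items():
            for entry in lines:
                print(f"  [{category}] {entry}")
```

Run it against a captured "show run" (with "encrypt disable" in effect, so that nothing hides behind the hash) before the box goes out the door; an empty report is the condition for shipping, and a non-empty one tells you exactly which profiles still need "write erase" and the deletion of the saved .cfg.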

A number of years back I got a Cisco fiber switch off eBay for $600. We used that thing for a number of years in the DEF CON network. It also had the previous owner's company data on it. It came from a large software company that makes accounting software, and it included the passwords for the device, but I would have needed access to their network to make use of that information.

In this particular instance, by contrast, the recovered configuration provides a way onto the network from outside the office: the wireless passphrases are the network boundary. If I were going to act on this, it would only be a matter of time before I had captured a user credential and was going to town on the internal network.

A lot of the time, information security is about creating and following a process. And clearly, this seller failed to follow a strong process.
