So I do networking (computers and wifi things) at a number of security conferences (Thotcon & DEF CON). In order to do so, I sometimes need hardware to play with. In December I decided to watch a few auctions on eBay for some of the newer, but maybe off-lease, Aruba gear.
Specifically, I was looking for something that would support IPv6. Well, I found two Aruba 651 Controllers and put in bids. Unfortunately for me, I managed to win both auctions and pick both of them up. I was really only hoping for one controller. But what the heck...
The first one arrived within a few days of the auction's close. It was in the original Aruba box and sold as "New--Open Box". I booted it up and popped on the serial console. It had the default-config on it. Boo! Did someone wipe it? Chances were that this unit was never even setup. It didn't come with any licenses, and so it was really only good for one internal AP + POE. That is unless I can convince Aruba to sell me a license to add Access Points to it.
About a week later the second unit arrived. This unit was in a USPS box and swaddled in bubble-wrap. I guessed that this unit was in service and maybe even in a production environment. The top of the case had two dents in it, but it did look clean.
Then came the fun part! I booted the system and hooked up a serial console to check out the licenses.
And hey! Look at that: this one had a ton of licenses! Some, unfortunately, were expired, but in total it had 10 AP licenses and firewall licenses. The firewall licenses were important so that I can disable peer-to-peer and client traffic on the conference networks.
One thing that I found odd was that upon booting the system, it had a name. Not the generic "Aruba651" that the other unit had, but "CityName651". Included with the package was a print-out of the Aruba version and licenses and a hand-written Post-it note stating that the username was set to "admin" and the password was set to "password".
From that, I deduced that someone knew enough to wipe the username and password setting from the system. Without the Post-it I might have been annoyed that I couldn't login to the darn thing. Now, that said, I think that was the only piece of information that was changed.
It had their old subnets, the SNMP profile stated their location "XXXXXXCityOffices," "netdestination PrivateSubnets" and a listing of their internal networks. I also found something about their water department profile and more.
However, most of the information was harmless and completely useless to me.
Then as I skimmed the running configuration I spotted this:
That was interesting, and it appeared that they left the four SSIDs in configurations with the device as well. And each profile had an "encrypted" WPA passphrase.
I wondered if I could reverse-engineer that?
So off to Google I went. First I looked for tools that could crack the hash, but no luck. Then I searched for "aruba controller config wpa-passphrase". Bam! I found an article about someone who had just taken over for a sysadmin that hadn't documented their work. In the forum post, they asked whether there was a way to recover the static WPA passphrase.
Drum roll please.... Yes! There is!
If you issue the command "encrypt disable" and then do a "show run", the config is no longer "encrypted". This will show you the raw passwords of the wpa-passphrase.
Now, if I was a cracker and wanted to be thrown in jail, I could list all kinds of nasty things that one could do with this information. But I'm not and the purpose of this exercise was to bring attention to the fact that folks need to do a "write erase" and "delete filename default-XXX.cfg" before shipping these things off to someone else.
The one command to erase all the configs and make it a new device is key here. It keeps the licenses, which give value to the hardware, but removes the private configuration from the device.
A number of years back I got a Cisco fiber switch off of eBay for $600. We used that thing for a number of years in the DEF CON network. It also had the previous owner's company data on it. It was from a large software company that makes accounting software. It included the passwords for the device, but I would have needed network access to use that information.
Whereas in this particular instance, this device recovery gains me access to the network from outside the office. If I were going to act on this, it would only be a matter of time before I've captured a user credential and am going to town on the internal network.
A lot of the time, information security is about creating and following a process. And clearly, this seller failed to follow a strong process.