Background
My previous two posts showed how to get stats from the Netcomm gateway using wget; this post shows how to do it using ssh and the gateway's command line interface (CLI).
Setup
This post assumes you have enabled ssh access to your gateway, and that username / password is "admin" / "password".
Manual login to gateway
Before automating the process, let's try to do it manually:
pi@rpi3:~$ ssh admin@192.168.20.1
Unable to negotiate with 192.168.20.1 port 22: no matching cipher found. Their offer: 3des-cbc
Ok, so that didn't work, we need to specify a cipher (-c):
pi@rpi3:~$ ssh -c 3des-cbc admin@192.168.20.1
Connection closed by 192.168.20.1 port 22
That failed too, and gave no error, so try again with verbose (-v) output:
pi@rpi3:~$ ssh -v -c 3des-cbc admin@192.168.20.1
This gives some clues to what is going wrong, and you can eventually figure out that you need to specify a couple more options (-o).
What I ended up with was this:
pi@rpi3:~$ ssh -c 3des-cbc -o MACs=hmac-sha1 -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.20.1
The authenticity of host '192.168.20.1 (192.168.20.1)' can't be established.
RSA key fingerprint is SHA256:ituLfblahCi3blah/97Pnblah1aEqblahJjt7g8DYJR.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.1' (RSA) to the list of known hosts.
admin@192.168.20.1's password:
>
So, now we have made it to the command prompt, but have to manually type the password - so not too useful for scripting just yet.
To save entering those switches on the command line, you can put them in your ~/.ssh/config file:
pi@rpi3:~/.ssh $ cat config
Host 192.168.20.1
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers 3des-cbc
    MACs hmac-sha1
CLI commands
To get a list of available CLI commands, run the help command. To get help on individual commands, some of them take a "-h" switch, some take "--help", or you can run with no, or invalid, arguments.
A simple command is uptime:
> uptime
14D 19H 27M 5S
A more interesting command is adsl, which will display the status of your ADSL (VDSL) connection:
> adsl info
adsl: ADSL driver and PHY status
Status: Showtime
Last Retrain Reason: 1
Last initialization procedure status: 0
Max: Upstream rate = 10230 Kbps, Downstream rate = 36464 Kbps
Bearer: 0, Upstream rate = 10230 Kbps, Downstream rate = 37556 Kbps
Bearer: 1, Upstream rate = 0 Kbps, Downstream rate = 0 Kbps
Here you can see the connection Status and line rates. The status here is "Showtime", which means the connection is up and running. Other possible values for Status are:
"Idle" - connection is down
"G.994 Training", "G.993 Started" or "G.993 Channel Analysis" - trying to connect.
Another interesting command is voice, which you can use to determine if your VoIP service is operational.
So, now to try to automate the login so that we don't need to enter a password.
First attempt, using Public Key Authentication
Following the guide here: https://www.linuxtrainingacademy.com/ssh-login-without-password/
This failed at the second step:
pi@pi3:~$ ssh-copy-id admin@192.168.20.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
admin@192.168.20.1's password:
> ssh-rsa blahstuffblah pi@rpi3
>
CLI exiting now. Bye bye. Have a nice day!!!
sshd:error:859.182:processInput:391:unrecognized command ssh-rsa blahstuffblah pi@rpi3
That error is coming from sshd on the gateway, so it doesn't look like this is supported.
Second attempt, using "expect"
This is not very secure, as you will have to put the gateway password in plaintext in a script.
On my Raspberry Pi, I had to install expect first.
Create a script checkgw.sh:
#!/bin/sh
# check Netcomm gateway status by using ssh and CLI
expect -c '
spawn ssh admin@192.168.20.1
expect "*password: "
send "password\r"
expect " > "
send "adsl info\r"
expect " > "
send "quit\r"
' | \
nawk '
{ sub("\r", "") } # remove <cr> from end of line
$1 == "Status:" { statusmsg = $0 }
$1 == "Bearer:" && $11 > 0 {
    uprate = $6
    downrate = $11
}
END { print statusmsg " | uprate=" uprate ", downrate=" downrate }
'
And run it:
pi@rpi3:~$ ./checkgw.sh
Status: Showtime | uprate=10230, downrate=37556
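A variant of the script above with two defensive changes, added here as an example and not part of the original post: the password is read from a file that only its owner can access and handed to expect through the environment, and the Status values listed earlier are mapped to an exit code a monitor can act on. The password file path, the function names and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. GW_PASS_FILE and the function names
# are assumptions; the legacy algorithms still come from ~/.ssh/config.
GW_HOST=192.168.20.1
GW_PASS_FILE="${GW_PASS_FILE:-$HOME/.netcomm_pass}"

# Print the stored password; refuse a file that group or others can access.
read_gw_password() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "refusing $1: run chmod 600 on it" >&2; return 1; }
    head -n 1 "$1"
}

# Run "adsl info". The password reaches expect via the environment
# ($env(...) is Tcl), so it is neither in this file nor on a command line.
fetch_adsl_info() {
    pw=$(read_gw_password "$GW_PASS_FILE") || return 1
    GW_PASS="$pw" GW_HOST="$GW_HOST" expect -c '
        spawn ssh -o StrictHostKeyChecking=yes admin@$env(GW_HOST)
        expect "*password: "
        send -- "$env(GW_PASS)\r"
        expect " > "
        send "adsl info\r"
        expect " > "
        send "quit\r"
    '
}

# Summarise CLI output from stdin. Exit status: 0 up (Showtime),
# 1 training (G.994/G.993 states), 2 down (Idle), 3 no recognised Status.
classify_adsl() {
    awk '
        { sub(/\r$/, "") }
        $1 == "Status:" { sub(/^Status:[ \t]*/, ""); sub(/[ \t]+$/, ""); status = $0 }
        $1 == "Bearer:" && $11 > 0 { up = $6; down = $11 }
        END {
            rc = 3
            if (status == "Showtime") rc = 0
            else if (status ~ /^G\.99[34] /) rc = 1
            else if (status == "Idle") rc = 2
            printf "status=%s uprate=%s downrate=%s\n", status, up, down
            exit rc
        }'
}

# Contact the gateway only when invoked as: ./checkgw-safe.sh run
if [ "${1:-}" = "run" ]; then
    fetch_adsl_info | classify_adsl
    exit $?
fi
```

StrictHostKeyChecking=yes makes ssh fail instead of prompting if the gateway's key is not the one already stored in known_hosts by the manual login shown earlier.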
Other CLI commands
This gateway seems to have a CLI similar to that of a couple of other devices, including:
- Calix 844-G Gigacenter
- ZyXEL VMG1312
So, a bit of searching for info on these will give some help on some other commands.
What next
I would like to know if this script will work on the new "NC2" version of the firmware, although I'm guessing it will. Might just try it one day.
References
http://gregorybrewster.com/?p=1177 [Calix 844-G Gigacenter CLI command list]
Have now updated my device to the new NC2 firmware, and above script DOES still work.
Well, I'm here on November 2021, from a New Zealand ISP, and this router still uses very insecure encryption...
Some interesting (and unbelievable) info: this router is using version 0.46 of Dropbear SSHD, from July 9 2005.
Surely they are spoofing the version number, because Dropbear is now so many versions ahead that they've changed the syntax of the version number! Very disturbing.
https://matt.ucc.asn.au/dropbear/CHANGES