pfSense dns server active and cannot access the UI
-
Hello everyone. I recently took over a medium-sized business network and have no previous history or details about the devices or setup. -sigh So, working with our ISP, there is a rogue DHCP device on the network. We narrowed down the IP offering DHCP and confirmed listening ports of 80 and 443. We hit that IP in a web browser and the pfSense login page came up. Attempting to log in to the pfSense page fails, so the default user and/or password has been changed. I do not know the device which this package is running on, so I cannot access the console even if there is one available. The only information I have to go on is an IP and a MAC address. Does anyone have any suggestions as to if ... 1) I can reset or break into the UI with ID and password 2) track down the pfSense device physically by MAC address 3) disable DHCP within pfSense without the UI or console ... I know ... pretty narrow possibilities, but I figured I would ask the experts. Any idea what specific devices this software is typically found on? I could at least start putting my eyes on all devices in the building. I am guessing that anyone could install these packages onto pretty much any device. Thanks again for any thoughts or advice.
-
pfSense is a firewall and is thus pretty well hardened. So getting in with a "hack" is not going to work if you don't know the password. Your only shot is having direct access to the console (meaning at the physical box and its screen and keyboard if a PC, or some type of serial console connection if it is a headless appliance of some sort). pfSense is the entire operating system (based on FreeBSD). It's not a bolt-on package that you run on, say, Windows or a Linux machine.
Obviously you will need to find the physical box to proceed further. If a visual search can't locate it, then the next thing is to start tracking down the MAC address matching the IP you connected to. If you have managed switches, you can hunt down that path to hopefully find the switch and port the device is connected to. If not, well....
Once you find the physical box and access the console, you should be able to bring up the menu to change the password or shut down the box. Also, once you find the box, if you don't want it on the network, just pull the plug.
-
@bmeeks
If you do some packet sniffing and look for the IP of that pfSense box, you may find a clue about the manufacturer of the motherboard, e.g. PCEngine, IntelCor etc.
Using arp-scan would tell you this too, of course.
-
@Timbergetter has an excellent suggestion that I forgot about. You may be able to do some rudimentary fingerprinting on that device by comparing the MAC address to standard lookup tables on the Internet of hardware manufacturers. Of course it could just come back as "Intel" and not be very helpful, but if it comes back as something else it might be a clue to use in the hunt.
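The two leads in this thread (OUI fingerprinting of the MAC, and walking the managed switches' MAC tables to find the port) can be scripted so the same lookup is repeated on each switch. The script below is an added example, not code from the thread or from the pfSense project. It assumes `arp -an` style output and Cisco-style `show mac address-table` rows; both inputs and the tiny OUI table are constructed samples for this example (a real run would use the IEEE OUI registry or arp-scan's bundled `ieee-oui.txt`). It also flags a port that carries several MACs, since that is usually an uplink to another switch rather than the device itself.

```python
import re
from collections import Counter

# Sample OUI table for this example (constructed; use the IEEE OUI registry
# or arp-scan's ieee-oui.txt for real lookups).
OUI_TABLE = {
    "00:0d:b9": "PC Engines GmbH",
    "3c:ec:ef": "Super Micro Computer",
    "00:50:56": "VMware",
}

# Constructed sample of `arp -an` output on the admin workstation.
ARP_OUTPUT = """\
? (192.168.1.1) at 00:0d:b9:4c:12:aa [ether] on eth0
? (192.168.1.50) at 3c:ec:ef:01:02:03 [ether] on eth0
? (192.168.1.70) at 00:50:56:ab:cd:ef [ether] on eth0
"""

# Constructed sample of a Cisco-style `show mac address-table` on one switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000d.b94c.12aa    DYNAMIC     Gi1/0/7
  10    3cec.ef01.0203    DYNAMIC     Gi1/0/12
  10    0050.56ab.cdef    DYNAMIC     Gi1/0/24
  10    0050.56ab.cd01    DYNAMIC     Gi1/0/24
"""


def normalize_mac(raw):
    """Return lowercase 'aa:bb:cc:dd:ee:ff' from colon, dash or Cisco dotted form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vendor_for(mac):
    """Look up the first three octets (the OUI) in the sample table."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown")


def parse_arp(text):
    """Map ip -> mac from `arp -an` lines like '? (10.0.0.1) at 00:0d:b9:.. [ether] on eth0'."""
    table = {}
    for m in re.finditer(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})", text):
        table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text):
    """Map mac -> (vlan, port) from Cisco-style 'vlan  xxxx.xxxx.xxxx  TYPE  port' rows."""
    rows = {}
    pattern = r"\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)"
    for line in text.splitlines():
        m = re.match(pattern, line)
        if m:
            rows[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return rows


def locate(ip, arp_text, mac_table_text):
    """Resolve an IP to MAC, probable vendor and switch port; None if the IP is not in ARP."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None
    mac = arp[ip]
    table = parse_mac_table(mac_table_text)
    per_port = Counter(port for _vlan, port in table.values())
    result = {"ip": ip, "mac": mac, "vendor": vendor_for(mac)}
    if mac in table:
        vlan, port = table[mac]
        # Several MACs behind one port usually means an uplink to another
        # switch: repeat the lookup on that neighbour rather than stopping here.
        result.update(vlan=vlan, port=port, macs_on_port=per_port[port],
                      likely_uplink=per_port[port] > 1)
    return result


if __name__ == "__main__":
    for target in ("192.168.1.1", "192.168.1.70", "192.168.1.99"):
        print(target, locate(target, ARP_OUTPUT, MAC_TABLE))
```

Run it against the real `arp -an` output and each switch's MAC table in turn; when `likely_uplink` is true, move to the switch on that port and repeat until the MAC sits alone on an access port.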
-
Thank you for the feedback. I will definitely start the process to track this down and once I find it I will post back some quick details and comments. This at least gives me an idea of what I am up against. I had never experienced pfSense until I witnessed the login page. More to follow...