diff --git a/code/hostapd.conf b/code/hostapd.conf
index 236b4bf..7f297fe 100644
--- a/code/hostapd.conf
+++ b/code/hostapd.conf
@@ -6,8 +6,7 @@ channel=11
 macaddr_acl=0
 auth_algs=1
 ignore_broadcast_ssid=0
-wpa=3
+wpa=2
 wpa_passphrase=11help22help33
 wpa_key_mgmt=WPA-PSK
-wpa_pairwise=TKIP
 rsn_pairwise=CCMP
diff --git a/code/initSwAP b/code/initSwAP
index e69de29..b4689b1 100755
--- a/code/initSwAP
+++ b/code/initSwAP
@@ -0,0 +1,35 @@
+#!/bin/bash
+# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
+# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
+# Usage: ./initSoftAP
+########### Initial wifi interface configuration #############
+ip link set $1 down
+ip addr flush dev $1
+ip link set $1 up
+ip addr add 10.0.0.1/24 dev $1
+
+# If you still use ifconfig for some reason, replace the above lines with the following
+# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
+sleep 2
+###########
+
+########### Start dnsmasq ##########
+if [ -z "$(ps -e | grep dnsmasq)" ]
+then
+ dnsmasq
+fi
+###########
+########### Enable NAT ############
+iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
+iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i $1 -o $2 -j ACCEPT
+
+#Thanks to lorenzo
+#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
+#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+sysctl -w net.ipv4.ip_forward=1
+###########
+########## Start hostapd ###########
+hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
+#killall dnsmasq
diff --git a/code/initSwAP_nftables b/code/initSwAP_nftables
new file mode 100755
index 0000000..4fbce19
--- /dev/null
+++ b/code/initSwAP_nftables
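Review bot: The context line `wpa_passphrase=11help22help33` in code/hostapd.conf keeps the network's PSK in cleartext in a tracked file, and this hunk, which already tightens the WPA settings, is the natural place to move it out. hostapd can read the key from a separate file with `wpa_psk_file=/etc/hostapd/hostapd.wpa_psk` (placeholder path), kept outside the repository and readable by root only. As the passphrase is already in the history, it should be treated as exposed and replaced. No `ieee80211w` setting is visible in this hunk, so a short comment stating whether management-frame protection is left off on purpose for the capture setup would help the next reader.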
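Review bot: Nothing in code/initSwAP checks that both interface arguments were given, and there is no `set -e`, so with an empty `$2` the rules that use it expand to malformed commands (`-o -j MASQUERADE`) while `sysctl` and `hostapd` still run, leaving an AP up without NAT. Add `set -euo pipefail` after the shebang and `: "${1:?wifi interface required}" "${2:?uplink interface required}"` before the first `ip` call, and quote every `"$1"`, `"$2"` and `"$PWD/hostapd.conf"`. The `iptables -A` rules are appended on every run and never removed, so repeated runs stack duplicates; guarding each with `iptables -C … || iptables -A …` avoids that. `ps -e | grep dnsmasq` matches any process whose name merely contains the string, whereas `pgrep -x dnsmasq` is exact. The argument-check and quoting points apply equally to code/initSwAP_nftables.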
@@ -0,0 +1,36 @@
+#!/bin/bash
+# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
+# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
+# Usage: ./initSoftAP
+########### Initial wifi interface configuration #############
+ip link set $1 down
+ip addr flush dev $1
+ip link set $1 up
+ip addr add 10.0.0.1/24 dev $1
+
+# If you still use ifconfig for some reason, replace the above lines with the following
+# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
+sleep 2
+###########
+
+########### Start dnsmasq ##########
+if [ -z "$(ps -e | grep dnsmasq)" ]
+then
+ dnsmasq
+fi
+###########
+########### Enable NAT ############
+nft add table nat
+nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
+nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting oifname wlp44s0 wlp masquerade
+
+#Thanks to lorenzo
+#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
+#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+sysctl -w net.ipv4.ip_forward=1
+###########
+########## Start hostapd ###########
+hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
+#killall dnsmasq
diff --git a/notes/journal/Mon, 25 March 2024.md b/notes/journal/Mon, 25 March 2024.md
new file mode 100644
index 0000000..0082c59
--- /dev/null
+++ b/notes/journal/Mon, 25 March 2024.md
@@ -0,0 +1,5 @@
+First success using mac mini.
+Could record some data of amazon echo.
+Setup gues network on router without any security, this enabled some capture since no keys had to be configured or handshakes captured (would be an issue without any channel controll)
+Issue: Channalhopping -> missing a lot of traffic
+To avoid channelhopping: Somehow fix the channel on router.
diff --git a/notes/journal/Tue, 19. March 2024.md b/notes/journal/Tue, 19. March 2024.md
index 98700fd..96ccea0 100644
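Review bot: The masquerade rule in code/initSwAP_nftables, `nft add rule nat postrouting oifname wlp44s0 wlp masquerade`, hard-codes the uplink interface and carries a stray `wlp` token, so nft will most likely reject it and no NAT is installed, while the script still goes on to start hostapd. Taking the uplink from the script argument fixes both: `nft add rule nat postrouting oifname "$2" masquerade`. Unlike the iptables variant, this file adds no forward-chain rule from `$1` to `$2`, so whether client traffic is forwarded depends on whatever ruleset (firewalld, judging by the journal notes) is already loaded; a comment saying so, or an explicit forward rule, would make the behaviour predictable. `nft add rule` is not idempotent, so each re-run appends another copy of the rule.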
--- a/notes/journal/Tue, 19. March 2024.md
+++ b/notes/journal/Tue, 19. March 2024.md
@@ -1,3 +1,117 @@ Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf) Simple article for basic setup [here](https://medium.com/p/3c18760e6f7e) -AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic. \ No newline at end of file +AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic. + +# 1st attempt AP setup +### Config files +File:`/etc/dnsmasq.d/dhcp-for-ap.conf` +Content: +```config +interface=wlp0s20f0u1 +dhcp-range=10.0.0.3,10.0.0.20,12h +``` +**BEWARE**: Must load above into `/etc/dnsmasq.conf` with a line that goes `conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf` or `conf-dir=/etc/dnsmasq.d/,*.conf` see [here](https://wiki.archlinux.org/title/Dnsmasq#Configuration) +Other configs in `code/` directory. +## Used commands +See `code/` dir commit `devel@299912e` . +## Sanity Check +```bash +$ sudo hostapd ./hostapd.conf +# Output upon trying to connect with iPhone +wlp0s20f0u1: interface state UNINITIALIZED->ENABLED +wlp0s20f0u1: AP-ENABLED +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1) +wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05 +wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2 +wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN) +wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05 +``` +Connection established but no internet as expected. 
+## Test +*Input* +```bash +sudo ./initSwAP wlp +``` +*Output* +``` +net.ipv4.ip_forward = 1 +wlp0s20f0u1: interface state UNINITIALIZED->ENABLED +wlp0s20f0u1: AP-ENABLED +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1) +wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05 +wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3 +wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN) +wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05 +``` +Unfortunatly still no internet connection. + +## Analysis +Had forgot to import dhcp config file. +**Changes**: Add dnsmasq dhcp config and change wpa=3 to wpa=2 s.t. only WPA2 is used -> Now iPhone doesn't warn for security. +Unfortunatly still no internet connectino can be established. + +## Todays 2nd attempt at Establishing an internet connection. +__Remarks/Observations:__ +- iPhone connects to AP. Receieves IP Address `169.254.196.21` with subnet mask `255.255.0.0`. I +- P is a reserved non-routable for link-local ->Thus it seems that iPhone did not get an address from dhcp server. +- Could firewall be the problem? TODO -> iptables for dns and dhcp +- Maybe need to set static ip first etc as mentioned [here](https://woshub.com/create-wi-fi-access-point-hotspot-linux/) + ```bash + # nano /etc/network/interfaces + auto wlp0s20f0u1 + iface wlp0s20f0u1 inet static + address 10.10.0.1 + netmask 255.255.255.0 + ``` +- `/etc/network/interfaces` doesn't exist on my machine... +### Some configs to remember for later +dnsmasq: +``` +#interface=wlp0s20f0u1 +listen-address=10.0.0.2 +dhcp-range=10.0.0.3,10.0.0.20,12h +dhcp-option=3,192.168.1.1 +dhcp-option=6,192.168.1.1 +domain-needed +bogus-priv +filterwin2k +server=1.1.1.1 +no-hosts +``` +Maybe need to enable ipv6 forwarding? 
+``` +net.ipv4.ip_forward = 1 +net.ipv4.conf.all.forwarding = 1 +net.ipv6.conf.all.forwarding = 1 +``` +Flushing iptables: `iptables -F` flushes all tables. For more see [archwiki/iptables/Reset Rules](https://wiki.archlinux.org/title/Iptables#Resetting_rules) +- `sudo systemctl status iptables` says there is no such service unit!? -> Fedora uses [[firewalld]], which _is_ reported as running ......... +#### Firewalld exploring +```bash +sudo firewall-cmd --get-active-zones +# Output: +# FedoraWorkstation (default) +# interfaces: wlp44s0 +``` +### Steps taken after restarting with [[firewalld]] +1. Followed steps in chapters 2.3.3 and 2.4 [here](https://wiki.archlinux.org/title/Internet_sharing#Enable_packet_forwarding). This should have enabled masquerading and have the ports ACCEPT for dns and dhcp. +2. Firewalld is not powerfull enough it seems +### nfttables +Overview of a common configuration and packet flow + +A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook: + + a prerouting chain, for all newly-arrived IP traffic + an input chain, for traffic addressed to the local host itself + an output chain, for traffic originating from the local host itself + a forward chain, for packets the host is asked to simply pass from one network to another + a postrouting chain for all IP traffic leaving the firewall + +For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain. + +If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet’s destination) attach to the prerouting chain. + +Packet flow is straightforward. Only one chain attaches to each hook. 
The first accept or drop rule a packet matches wins. \ No newline at end of file diff --git a/notes/todos/todo.md b/notes/todos/todo.md index bdea236..3ba0dfc 100644 --- a/notes/todos/todo.md +++ b/notes/todos/todo.md @@ -3,3 +3,12 @@ - [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop - [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters. - [ ] Look into how to route to internet! + + + + +IEEE 802.11: www.ieee802.org/11/ +FCC 2.4 GHz: https://transition.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00312.pdf +WPA3 Specification: www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf +Wireless LAN Display Filters: www.wireshark.org/docs/dfref/w/wlan.html +WPA-PSK Key Generator Tool: www.wireshark.org/tools/wpa-psk.html \ No newline at end of file diff --git a/notes/wiki/firewalld.md b/notes/wiki/firewalld.md new file mode 100644 index 0000000..8e1717c --- /dev/null +++ b/notes/wiki/firewalld.md @@ -0,0 +1 @@ +Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld) diff --git a/notes/wiki/nmcli.md b/notes/wiki/nmcli.md index c2d40a8..f69e4fb 100644 --- a/notes/wiki/nmcli.md +++ b/notes/wiki/nmcli.md @@ -1,5 +1,7 @@ -***TLDR:*** Command line utility of NetworkManager -Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager) . +**TLDR:** Command line utility of [NetworkManager](https://networkmanager.dev) + +Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). + # Commands ```bash 
@@ -17,4 +19,30 @@ sudo systemctl restart NetworkManager # for config changes to take effect ```bash sudo nmcli device set managed no # make sure itnerface is not managed by NetworkManager. Can use d instead of device. ``` +More examples [here](https://networkmanager.dev/docs/api/latest/nmcli-examples.html) + +# Config +## Ignoring specific devices +This is mostly taken from different parts of [archwiki/NetworkManager](https://wiki.archlinux.org/title/NetworkManager). This is desirable so it wont interfere with our [[hostapd]] or [[dnsmasq]] config. +In ``/etc/NetworkManager/conf.d/unmanaged.conf`` : +MAC addr based: +```config +[keyfile] +unmanaged-devices=mac: +``` +Interface name based: +```config +[keyfile] +unmanaged-devices=interface-name: +``` +After modifying run +```bash +sudo nmcli general reload +``` + +Resources: https://wiki.archlinux.org/title/Software_access_point#NetworkManager_is_interfering and https://wiki.archlinux.org/title/NetworkManager#Ignore_specific_devices + + + +