Update.

2024-03-25 22:41:44 +01:00 · 2024-03-25 22:41:44 +01:00 · 000cf610df
commit 000cf610df
parent 299912e1b9
8 changed files with 232 additions and 5 deletions
--- a/code/hostapd.conf
+++ b/code/hostapd.conf
@ -6,8 +6,7 @@ channel=11
 macaddr_acl=0
 auth_algs=1
 ignore_broadcast_ssid=0
-wpa=3
+wpa=2
 wpa_passphrase=11help22help33
 wpa_key_mgmt=WPA-PSK
 wpa_pairwise=TKIP
 rsn_pairwise=CCMP
--- a/code/initSwAP
+++ b/code/initSwAP
@ -0,0 +1,35 @@
 #!/bin/bash
 # DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
 # https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
 # Usage: ./initSoftAP
 ########### Initial wifi interface configuration #############
 ip link set $1 down
 ip addr flush dev $1
 ip link set $1 up
 ip addr add 10.0.0.1/24 dev $1
 # If you still use ifconfig for some reason, replace the above lines with the following
 # ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
 sleep 2
 ###########
 ########### Start dnsmasq ##########
 if [ -z "$(ps -e | grep dnsmasq)" ]
 then
 dnsmasq
 fi
 ###########
 ########### Enable NAT ############
 iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
 iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -i $1 -o $2 -j ACCEPT
 #Thanks to lorenzo
 #Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
 #iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 sysctl -w net.ipv4.ip_forward=1
 ###########
 ########## Start hostapd ###########
 hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
 #killall dnsmasq
--- a/code/initSwAP_nftables
+++ b/code/initSwAP_nftables
@ -0,0 +1,36 @@
 #!/bin/bash
 # DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
 # https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
 # Usage: ./initSoftAP
 ########### Initial wifi interface configuration #############
 ip link set $1 down
 ip addr flush dev $1
 ip link set $1 up
 ip addr add 10.0.0.1/24 dev $1
 # If you still use ifconfig for some reason, replace the above lines with the following
 # ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
 sleep 2
 ###########
 ########### Start dnsmasq ##########
 if [ -z "$(ps -e | grep dnsmasq)" ]
 then
 dnsmasq
 fi
 ###########
 ########### Enable NAT ############
 nft add table nat
 nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
 nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
 nft add rule nat postrouting oifname wlp44s0 wlp masquerade
 #Thanks to lorenzo
 #Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
 #iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 sysctl -w net.ipv4.ip_forward=1
 ###########
 ########## Start hostapd ###########
 hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
 #killall dnsmasq
--- a/notes/journal/Mon,
+++ b/notes/journal/Mon,
@ -0,0 +1,5 @@
 First success using mac mini.
 Could record some data of amazon echo.
 Setup gues network on router without any security, this enabled some capture since no keys had to be configured or handshakes captured (would be an issue without any channel controll)
 Issue: Channalhopping -> missing a lot of traffic
 To avoid channelhopping: Somehow fix the channel on router.
--- a/notes/journal/Tue,
+++ b/notes/journal/Tue,
@ -1,3 +1,117 @@
 Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)
 Simple article for basic setup [here](https://medium.com/p/3c18760e6f7e)
 AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic.
 # 1st attempt AP setup
 ### Config files
 File:`/etc/dnsmasq.d/dhcp-for-ap.conf`
 Content: 
 ```config
 interface=wlp0s20f0u1
 dhcp-range=10.0.0.3,10.0.0.20,12h
 ```
 **BEWARE**: Must load above into `/etc/dnsmasq.conf` with a line that goes `conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf`  or `conf-dir=/etc/dnsmasq.d/,*.conf` see [here](https://wiki.archlinux.org/title/Dnsmasq#Configuration) 
 Other configs in `code/` directory.
 ## Used commands
 See `code/` dir commit `devel@299912e` .
 ## Sanity Check
 ```bash
 $ sudo hostapd ./hostapd.conf
 # Output upon trying to connect with iPhone
 wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
 wlp0s20f0u1: AP-ENABLED 
 wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
 wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
 wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
 wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
 wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2
 wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
 wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
 ```
 Connection established but no internet as expected.
 ## Test
 *Input* 
 ```bash
 sudo ./initSwAP wlp
 ```
 *Output*
 ```
 net.ipv4.ip_forward = 1
 wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
 wlp0s20f0u1: AP-ENABLED 
 wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
 wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
 wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
 wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3
 wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
 wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
 ```
 Unfortunatly still no internet connection.
 ## Analysis
 Had forgot to import dhcp config file. 
 **Changes**: Add dnsmasq dhcp config and change wpa=3 to wpa=2 s.t. only WPA2 is used -> Now iPhone doesn't warn for security.
 Unfortunatly still no internet connectino can be established.
 ## Todays 2nd attempt at Establishing an internet connection.
 __Remarks/Observations:__
 - iPhone connects to AP. Receieves IP Address `169.254.196.21` with subnet mask `255.255.0.0`. I
 - P is a reserved non-routable for link-local ->Thus it seems that iPhone did not get an address from dhcp server.
 - Could firewall be the problem? TODO -> iptables for dns and dhcp
 - Maybe need to set static ip first etc as mentioned [here](https://woshub.com/create-wi-fi-access-point-hotspot-linux/) 
 	```bash
 	# nano /etc/network/interfaces
 	auto wlp0s20f0u1
 	iface wlp0s20f0u1 inet static
 	address 10.10.0.1
 	netmask 255.255.255.0
 	```
 - `/etc/network/interfaces` doesn't exist on my machine...
 ### Some configs to remember for later
 dnsmasq:
 ```
 #interface=wlp0s20f0u1
 listen-address=10.0.0.2
 dhcp-range=10.0.0.3,10.0.0.20,12h
 dhcp-option=3,192.168.1.1
 dhcp-option=6,192.168.1.1
 domain-needed
 bogus-priv
 filterwin2k
 server=1.1.1.1
 no-hosts
 ```
 Maybe need to enable ipv6 forwarding?
 ```
 net.ipv4.ip_forward = 1
 net.ipv4.conf.all.forwarding = 1
 net.ipv6.conf.all.forwarding = 1
 ```
 Flushing iptables: `iptables -F` flushes all tables. For more see [archwiki/iptables/Reset Rules](https://wiki.archlinux.org/title/Iptables#Resetting_rules) 
 - `sudo systemctl status iptables` says there is no such service unit!? -> Fedora uses [[firewalld]], which _is_ reported as running .........
 #### Firewalld exploring
 ```bash
 sudo firewall-cmd --get-active-zones
 # Output:
 #	FedoraWorkstation (default)
 #	  interfaces: wlp44s0
 ```
 ### Steps taken after restarting with [[firewalld]]
 1. Followed steps in chapters 2.3.3 and 2.4 [here](https://wiki.archlinux.org/title/Internet_sharing#Enable_packet_forwarding). This should have enabled masquerading and have the ports ACCEPT for dns and dhcp.
 2. Firewalld is not powerfull enough it seems
 ### nfttables
 Overview of a common configuration and packet flow
 A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook:
    a prerouting chain, for all newly-arrived IP traffic
    an input chain, for traffic addressed to the local host itself
    an output chain, for traffic originating from the local host itself
    a forward chain, for packets the host is asked to simply pass from one network to another
    a postrouting chain for all IP traffic leaving the firewall
 For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain.
 If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet’s destination) attach to the prerouting chain.
 Packet flow is straightforward. Only one chain attaches to each hook. The first accept or drop rule a packet matches wins.
--- a/notes/todos/todo.md
+++ b/notes/todos/todo.md
@ -3,3 +3,12 @@
 - [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop
 - [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters.
 - [ ] Look into how to route to internet!
 IEEE 802.11: www.ieee802.org/11/
 FCC 2.4 GHz: https://transition.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00312.pdf
 WPA3 Specification: www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf
 Wireless LAN Display Filters: www.wireshark.org/docs/dfref/w/wlan.html
 WPA-PSK Key Generator Tool: www.wireshark.org/tools/wpa-psk.html
--- a/notes/wiki/firewalld.md
+++ b/notes/wiki/firewalld.md
@ -0,0 +1 @@
 Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld)
--- a/notes/wiki/nmcli.md
+++ b/notes/wiki/nmcli.md
@ -1,5 +1,7 @@
-***TLDR:*** Command line utility of NetworkManager
+**TLDR:** Command line utility of [NetworkManager](https://networkmanager.dev)
-Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager) . 
+
 Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager).
 # Commands
 ```bash
@ -17,4 +19,30 @@ sudo systemctl restart NetworkManager # for config changes to take effect
 ```bash
 sudo nmcli device set <interface-name> managed no # make sure itnerface is not managed by NetworkManager. Can use d instead of device.
 ```
 More examples [here](https://networkmanager.dev/docs/api/latest/nmcli-examples.html)
 # Config
 ## Ignoring specific devices
 This is mostly taken from different parts of [archwiki/NetworkManager](https://wiki.archlinux.org/title/NetworkManager). This is desirable so it wont interfere with our [[hostapd]] or [[dnsmasq]] config.
 In ``/etc/NetworkManager/conf.d/unmanaged.conf`` :
 MAC addr based:
 ```config
 [keyfile]
 unmanaged-devices=mac:<hwaddr>
 ```
 Interface name based:
 ```config
 [keyfile]
 unmanaged-devices=interface-name:<ifname>
 ```
 After modifying run
 ```bash
 sudo nmcli general reload
 ```
 Resources: https://wiki.archlinux.org/title/Software_access_point#NetworkManager_is_interfering and https://wiki.archlinux.org/title/NetworkManager#Ignore_specific_devices
		`@ -0,0 +1 @@`
							`Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld)`