From a44719257a6bc2bc00a9e91e33416c8c1f13d6b5 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Mon, 18 Mar 2024 12:17:05 +0100 Subject: [PATCH 1/7] Upadte some notes. --- code/hostapd.conf | 13 ++++++++++++ code/make_ap.sh | 17 +++++++++++++++- notes/journal/Fri, 15. March 2024.md | 12 +++++++++++ .../Mon, 11. March 2024.md} | 10 +--------- notes/journal/Tue, 12. March.md | 4 ++++ notes/todo.md | 4 ---- notes/todos/TODO1.md | 0 notes/todos/todo.md | 4 ++++ notes/wiki/AP configuration.md | 6 ++++++ notes/{wiki.md => wiki/Tools.md} | 8 ++++++-- notes/wiki/aircrack-ng.md | 0 notes/wiki/hostapd.md | 0 notes/wiki/iw.md | 10 ++++++++++ notes/wiki/monitoring.md | 19 ++++++++++++++++++ notes/wiki/nmcli.md | 20 +++++++++++++++++++ 15 files changed, 111 insertions(+), 16 deletions(-) create mode 100644 code/hostapd.conf create mode 100644 notes/journal/Fri, 15. March 2024.md rename notes/{journal.md => journal/Mon, 11. March 2024.md} (62%) create mode 100644 notes/journal/Tue, 12. March.md delete mode 100644 notes/todo.md create mode 100644 notes/todos/TODO1.md create mode 100644 notes/todos/todo.md create mode 100644 notes/wiki/AP configuration.md rename notes/{wiki.md => wiki/Tools.md} (65%) create mode 100644 notes/wiki/aircrack-ng.md create mode 100644 notes/wiki/hostapd.md create mode 100644 notes/wiki/iw.md create mode 100644 notes/wiki/monitoring.md create mode 100644 notes/wiki/nmcli.md diff --git a/code/hostapd.conf b/code/hostapd.conf new file mode 100644 index 0000000..912372e --- /dev/null +++ b/code/hostapd.conf @@ -0,0 +1,13 @@ +interface=wlp0s20f0u1 +driver=nl80211 +ssid=t3u +hw_mode=g +channel=1 +macaddr_acl=0 +auth_algs=1 +ignore_broadcast_ssid=0 +wpa=3 +wpa_passphrase=11help22help33 +wpa_key_mgmt=WPA-PSK +wpa_pairwise=TKIP +rsn_pairwise=CCMP diff --git a/code/make_ap.sh b/code/make_ap.sh index 867923a..4b80739 100755 --- a/code/make_ap.sh +++ b/code/make_ap.sh 
@@ -1,7 +1,22 @@ #! /bin/env bash -nmcli con add type wifi ifname wlp44s0 mode ap con-name WIFI_AP_TEST ssid MY_AP_TEST && + +TYPE="wifi" +IFNAME="wlp0s20f0u1" +CONNAME="T3UminiConn" +SSID="T3Umini" +BAND="bg" +CHAN=1 +KMGMT="wpa-psk" +PSK=11223344 + +nmcli con add type wifi ifname wlp0s20f0u1 mode ap con-name WIFI_AP_TEST ssid MY_AP_TEST && nmcli con modify WIFI_AP_TEST 802-11-wireless.band bg && nmcli con modify WIFI_AP_TEST 802-11-wireless.channel 1 && nmcli con modify WIFI_AP_TEST 802-11-wireless-security.key-mgmt wpa-psk && +nmcli con modify WIFI_AP_TEST 802-11-wireless-security.pairwise ccmp && nmcli con modify WIFI_AP_TEST 802-11-wireless-security.psk 11223344 && nmcli con modify WIFI_AP_TEST ipv4.method shared && nmcli con up WIFI_AP_TEST + +' nmcli con modify WIFI_AP_TEST 802-11-wireless-security.proto rsn && +nmcli con modify WIFI_AP_TEST 802-11-wireless-security.group ccmp && NOT USED FOR APPLE` + diff --git a/notes/journal/Fri, 15. March 2024.md b/notes/journal/Fri, 15. March 2024.md new file mode 100644 index 0000000..b95dc32 --- /dev/null +++ b/notes/journal/Fri, 15. March 2024.md @@ -0,0 +1,12 @@ +Plan: Setup wifi adapter to capture Amazon echodot. +Flow for setting up Access Point: +1. Setup Access Point +2. Configure Routing/Bridge or similar so IoT device can access internet. + +Tried [linux-wifi-hotspot](https://github.com/lakinduakash/linux-wifi-hotspot) repo. Running it makes AP visible to iPhone, but issue is IP Address. Need to configure dhcp server or manually assign address. + +Problem: Wifi Adapter In monitor mode sees nothing. +Neither Adapter has driver for modern macos +Archer T3U is using rtw_8822bu driver from kernel, this supports mac + +Decide to go down hostapd route. diff --git a/notes/journal.md b/notes/journal/Mon, 11. March 2024.md similarity index 62% rename from notes/journal.md rename to notes/journal/Mon, 11. March 2024.md index cc0ffd6..2578a45 100644 --- a/notes/journal.md +++ b/notes/journal/Mon, 11. March 2024.md 
@@ -1,19 +1,11 @@ -# Mon, 11. March 2024 -[[11032024]] ### Completed: - All Devices unpacked except [[xiaomi tv stick]]. - [[ledvance led strip]] wont enter pairing mode. - [[echodot]] is setup and works. - [[mi 360 home security camera]] needs microsd card. - ## Plan for this week: - Get microsd card - MAINLY: Get AP working or find other way to capture traffic. ## Misc.: Much time lost resetting router. [[ledvance led strip]] will only connect to 2.5GHz networks. -If laptop is connected to internet via ethernet, then I can make a AP, but iPhone wont connect to it. But IoT devices connect - -# Tue, 12. March -- Bought two USB Wifi Adapters: - - tp-link AC1300 Archer T3U (Mini Wireless MU-MIMO USB Adapter) - - tp-link AC1300 Archer T3U Plus (High Gain Wireless Dual Band USB Adapter) \ No newline at end of file +If laptop is connected to internet via ethernet, then I can make a AP, but iPhone wont connect to it. But IoT devices connect \ No newline at end of file diff --git a/notes/journal/Tue, 12. March.md b/notes/journal/Tue, 12. March.md new file mode 100644 index 0000000..150b03b --- /dev/null +++ b/notes/journal/Tue, 12. March.md @@ -0,0 +1,4 @@ + +- Bought two USB Wifi Adapters (Completes [[TODO1]]): + - tp-link AC1300 Archer T3U (Mini Wireless MU-MIMO USB Adapter). + - tp-link AC1300 Archer T3U Plus (High Gain Wireless Dual Band USB Adapter) \ No newline at end of file diff --git a/notes/todo.md b/notes/todo.md deleted file mode 100644 index 0397703..0000000 --- a/notes/todo.md +++ /dev/null @@ -1,4 +0,0 @@ -1. Need microsd card for Mi 360 home camera -2. Cannot get Ledvance LED strip into discovery mode s.t. connection could be established -3. Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop -4. ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters. \ No newline at end of file 
diff --git a/notes/todos/TODO1.md b/notes/todos/TODO1.md new file mode 100644 index 0000000..e69de29 diff --git a/notes/todos/todo.md b/notes/todos/todo.md new file mode 100644 index 0000000..67e2770 --- /dev/null +++ b/notes/todos/todo.md @@ -0,0 +1,4 @@ +- [ ] [[TODO1]] Need microsd card for Mi 360 home camera +- [ ] Cannot get Ledvance LED strip into discovery mode s.t. connection could be established +- [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop +- [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters. diff --git a/notes/wiki/AP configuration.md b/notes/wiki/AP configuration.md new file mode 100644 index 0000000..0707423 --- /dev/null +++ b/notes/wiki/AP configuration.md @@ -0,0 +1,6 @@ +# Using NetworkManager +See [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). Can use the command line tool [[nmcli]]. + +# Using [[hostapd]] +Must first make sure that the interface is not managed by nmcli, see [[nmcli]]. + diff --git a/notes/wiki.md b/notes/wiki/Tools.md similarity index 65% rename from notes/wiki.md rename to notes/wiki/Tools.md index 0d309c9..5c416de 100644 --- a/notes/wiki.md +++ b/notes/wiki/Tools.md @@ -1,5 +1,9 @@ -# WiFi -## Wifi Adapter not found anymore +# Wifi Tools +- [[aircrack-ng]]can easily enable monitor mode +- [[nmcli]] NetworkManager cli +- [[hostapd]] +- [[iw]] +# Wifi Adapter not found anymore - __Issue__: After using `airmon-ng` to put my wifi adapter into monitor mode and then supposedly back into normal mode: network manager couldn't find wifi adapter anymore. - `sudo nmcli dev` showed that `wlp44s0` interface was "unmanaged". - __Fix__: `sudo nmcli set wlp44s0 managed yes` \ No newline at end of file diff --git a/notes/wiki/aircrack-ng.md b/notes/wiki/aircrack-ng.md new file mode 100644 index 0000000..e69de29 
diff --git a/notes/wiki/hostapd.md b/notes/wiki/hostapd.md new file mode 100644 index 0000000..e69de29 diff --git a/notes/wiki/iw.md b/notes/wiki/iw.md new file mode 100644 index 0000000..3ef3dad --- /dev/null +++ b/notes/wiki/iw.md @@ -0,0 +1,10 @@ +***TLDR***: show / manipulate wirless devices and their configs. + +# Commands used: +- `iw list` shows extensive info about all wirless devices. +- To check if any devices is AP ready: +```bash +iw list | grep -i ap -A 5 -B 5 +``` + + diff --git a/notes/wiki/monitoring.md b/notes/wiki/monitoring.md new file mode 100644 index 0000000..fc99af5 --- /dev/null +++ b/notes/wiki/monitoring.md @@ -0,0 +1,19 @@ +***TLDR:*** How to monitor/sniff wifi network traffic of IoT Devices. Two strategies: +Use a wifi adapter to setup an #AP and have the devices connect to via that or use wifi card in monitor mode. + +# Funnel traffic via AP +**Issues**: iPhone has problems connecting to the provided APs. But need iPhone to configure network connection of devices. +# Monitor Mode +--- +## HowTo +Insert wifi adapter and make sure it shows up as a interface with e.g. `nmcli dev`. +### Manually activate: +1. Find out which interfaces already exist with names like`mon_N_`: `ifconfig -a`. +2. `iw dev _interface_ interface add _mon_num_ type monitor` +3. `ifconfig _mon_num up` +### Using [[aircrack-ng]] : +Activate monitor mode on interface `wlp0s20f0u1`: +```bash +sudo airmon-ng start wlp0s20f0u1 +``` +Output: diff --git a/notes/wiki/nmcli.md b/notes/wiki/nmcli.md new file mode 100644 index 0000000..c2d40a8 --- /dev/null +++ b/notes/wiki/nmcli.md 
@@ -0,0 +1,20 @@ +***TLDR:*** Command line utility of NetworkManager +Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager) . + +# Commands +```bash +nmcli dev #list network devices +``` +```bash +nmcli con down # disable AP config +``` +```bash +nmcli con delete # permanently delete AP configuration +``` +```bash +sudo systemctl restart NetworkManager # for config changes to take effect +``` +```bash +sudo nmcli device set managed no # make sure itnerface is not managed by NetworkManager. Can use d instead of device. +``` + From 00fb396a49488897850e3df177a5e5b9c890f43c Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Tue, 19 Mar 2024 03:08:29 +0100 Subject: [PATCH 2/7] Try dnsmasq and hostapd setup from medium.com/p/3c18760ef73. --- code/dnsmasq.conf | 6 ++++++ code/hostapd.conf | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 code/dnsmasq.conf diff --git a/code/dnsmasq.conf b/code/dnsmasq.conf new file mode 100644 index 0000000..facab08 --- /dev/null +++ b/code/dnsmasq.conf @@ -0,0 +1,6 @@ +interface=wlp0s20f0u1 +dhcp-range=192.168.1.2,192.168.1.250,12h +# Gateway +dhcp-option=3,192.168.1.1 +# Dns server addr +dhcp-option=6,192.168.1.1 diff --git a/code/hostapd.conf b/code/hostapd.conf index 912372e..236b4bf 100644 --- a/code/hostapd.conf +++ b/code/hostapd.conf @@ -2,7 +2,7 @@ interface=wlp0s20f0u1 driver=nl80211 ssid=t3u hw_mode=g -channel=1 +channel=11 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 From cb72c67bf515854c32e3e7e1829e1e801d817101 Mon Sep 17 00:00:00 2001 
From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Tue, 19 Mar 2024 03:09:07 +0100 Subject: [PATCH 3/7] Update journal and todos." --- notes/journal/Tue, 19. March 2024.md | 3 +++ notes/todos/todo.md | 1 + 2 files changed, 4 insertions(+) create mode 100644 notes/journal/Tue, 19. March 2024.md diff --git a/notes/journal/Tue, 19. March 2024.md b/notes/journal/Tue, 19. March 2024.md new file mode 100644 index 0000000..98700fd --- /dev/null +++ b/notes/journal/Tue, 19. March 2024.md @@ -0,0 +1,3 @@ +Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf) +Simple article for basic setup [here](https://medium.com/p/3c18760e6f7e) +AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic. \ No newline at end of file diff --git a/notes/todos/todo.md b/notes/todos/todo.md index 67e2770..bdea236 100644 --- a/notes/todos/todo.md +++ b/notes/todos/todo.md @@ -2,3 +2,4 @@ - [ ] Cannot get Ledvance LED strip into discovery mode s.t. connection could be established - [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop - [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters. +- [ ] Look into how to route to internet! From 299912e1b9743e222ac9861719141d82b426ffa2 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Tue, 19 Mar 2024 14:18:16 +0100 Subject: [PATCH 4/7] REFPOINT/TEST: Add prelim dhcp, nat config script. --- code/initSwAP | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100755 code/initSwAP diff --git a/code/initSwAP b/code/initSwAP new file mode 100755 index 0000000..e69de29 From 000cf610dfdc7a9b4ccfff59fc73885ef0d792c6 Mon Sep 17 00:00:00 2001 
From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Mon, 25 Mar 2024 22:41:44 +0100 Subject: [PATCH 5/7] Update. --- code/hostapd.conf | 3 +- code/initSwAP | 35 ++++++++ code/initSwAP_nftables | 36 +++++++++ notes/journal/Mon, 25 March 2024.md | 5 ++ notes/journal/Tue, 19. March 2024.md | 116 ++++++++++++++++++++++++++- notes/todos/todo.md | 9 +++ notes/wiki/firewalld.md | 1 + notes/wiki/nmcli.md | 32 +++++++- 8 files changed, 232 insertions(+), 5 deletions(-) create mode 100755 code/initSwAP_nftables create mode 100644 notes/journal/Mon, 25 March 2024.md create mode 100644 notes/wiki/firewalld.md diff --git a/code/hostapd.conf b/code/hostapd.conf index 236b4bf..7f297fe 100644 --- a/code/hostapd.conf +++ b/code/hostapd.conf @@ -6,8 +6,7 @@ channel=11 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 -wpa=3 +wpa=2 wpa_passphrase=11help22help33 wpa_key_mgmt=WPA-PSK -wpa_pairwise=TKIP rsn_pairwise=CCMP diff --git a/code/initSwAP b/code/initSwAP index e69de29..b4689b1 100755 --- a/code/initSwAP +++ b/code/initSwAP 
@@ -0,0 +1,35 @@ +#!/bin/bash +# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM: +# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/ +# Usage: ./initSoftAP +########### Initial wifi interface configuration ############# +ip link set $1 down +ip addr flush dev $1 +ip link set $1 up +ip addr add 10.0.0.1/24 dev $1 + +# If you still use ifconfig for some reason, replace the above lines with the following +# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0 +sleep 2 +########### + +########### Start dnsmasq ########## +if [ -z "$(ps -e | grep dnsmasq)" ] +then + dnsmasq +fi +########### +########### Enable NAT ############ +iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE +iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i $1 -o $2 -j ACCEPT + +#Thanks to lorenzo +#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details +#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +sysctl -w net.ipv4.ip_forward=1 +########### +########## Start hostapd ########### +hostapd $PWD/hostapd.conf ## TODO! either put config in normal place +#killall dnsmasq diff --git a/code/initSwAP_nftables b/code/initSwAP_nftables new file mode 100755 index 0000000..4fbce19 --- /dev/null +++ b/code/initSwAP_nftables 
@@ -0,0 +1,36 @@ +#!/bin/bash +# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM: +# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/ +# Usage: ./initSoftAP +########### Initial wifi interface configuration ############# +ip link set $1 down +ip addr flush dev $1 +ip link set $1 up +ip addr add 10.0.0.1/24 dev $1 + +# If you still use ifconfig for some reason, replace the above lines with the following +# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0 +sleep 2 +########### + +########### Start dnsmasq ########## +if [ -z "$(ps -e | grep dnsmasq)" ] +then + dnsmasq +fi +########### +########### Enable NAT ############ +nft add table nat +nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; } +nft add chain nat postrouting { type nat hook postrouting priority 100 \; } +nft add rule nat postrouting oifname wlp44s0 wlp masquerade + +#Thanks to lorenzo +#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details +#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +sysctl -w net.ipv4.ip_forward=1 +########### +########## Start hostapd ########### +hostapd $PWD/hostapd.conf ## TODO! either put config in normal place +#killall dnsmasq diff --git a/notes/journal/Mon, 25 March 2024.md b/notes/journal/Mon, 25 March 2024.md new file mode 100644 index 0000000..0082c59 --- /dev/null +++ b/notes/journal/Mon, 25 March 2024.md @@ -0,0 +1,5 @@ +First success using mac mini. +Could record some data of amazon echo. +Setup gues network on router without any security, this enabled some capture since no keys had to be configured or handshakes captured (would be an issue without any channel controll) +Issue: Channalhopping -> missing a lot of traffic +To avoid channelhopping: Somehow fix the channel on router. diff --git a/notes/journal/Tue, 19. March 2024.md b/notes/journal/Tue, 19. March 2024.md index 98700fd..96ccea0 100644 
--- a/notes/journal/Tue, 19. March 2024.md +++ b/notes/journal/Tue, 19. March 2024.md 
@@ -1,3 +1,117 @@ Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf) Simple article for basic setup [here](https://medium.com/p/3c18760e6f7e) -AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic. \ No newline at end of file +AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic. + +# 1st attempt AP setup +### Config files +File:`/etc/dnsmasq.d/dhcp-for-ap.conf` +Content: +```config +interface=wlp0s20f0u1 +dhcp-range=10.0.0.3,10.0.0.20,12h +``` +**BEWARE**: Must load above into `/etc/dnsmasq.conf` with a line that goes `conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf` or `conf-dir=/etc/dnsmasq.d/,*.conf` see [here](https://wiki.archlinux.org/title/Dnsmasq#Configuration) +Other configs in `code/` directory. +## Used commands +See `code/` dir commit `devel@299912e` . +## Sanity Check +```bash +$ sudo hostapd ./hostapd.conf +# Output upon trying to connect with iPhone +wlp0s20f0u1: interface state UNINITIALIZED->ENABLED +wlp0s20f0u1: AP-ENABLED +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1) +wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05 +wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2 +wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN) +wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05 +``` +Connection established but no internet as expected. 
+## Test +*Input* +```bash +sudo ./initSwAP wlp +``` +*Output* +``` +net.ipv4.ip_forward = 1 +wlp0s20f0u1: interface state UNINITIALIZED->ENABLED +wlp0s20f0u1: AP-ENABLED +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated +wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1) +wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05 +wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3 +wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN) +wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05 +``` +Unfortunatly still no internet connection. + +## Analysis +Had forgot to import dhcp config file. +**Changes**: Add dnsmasq dhcp config and change wpa=3 to wpa=2 s.t. only WPA2 is used -> Now iPhone doesn't warn for security. +Unfortunatly still no internet connectino can be established. + +## Todays 2nd attempt at Establishing an internet connection. +__Remarks/Observations:__ +- iPhone connects to AP. Receieves IP Address `169.254.196.21` with subnet mask `255.255.0.0`. I +- P is a reserved non-routable for link-local ->Thus it seems that iPhone did not get an address from dhcp server. +- Could firewall be the problem? TODO -> iptables for dns and dhcp +- Maybe need to set static ip first etc as mentioned [here](https://woshub.com/create-wi-fi-access-point-hotspot-linux/) + ```bash + # nano /etc/network/interfaces + auto wlp0s20f0u1 + iface wlp0s20f0u1 inet static + address 10.10.0.1 + netmask 255.255.255.0 + ``` +- `/etc/network/interfaces` doesn't exist on my machine... +### Some configs to remember for later +dnsmasq: +``` +#interface=wlp0s20f0u1 +listen-address=10.0.0.2 +dhcp-range=10.0.0.3,10.0.0.20,12h +dhcp-option=3,192.168.1.1 +dhcp-option=6,192.168.1.1 +domain-needed +bogus-priv +filterwin2k +server=1.1.1.1 +no-hosts +``` +Maybe need to enable ipv6 forwarding? 
+``` +net.ipv4.ip_forward = 1 +net.ipv4.conf.all.forwarding = 1 +net.ipv6.conf.all.forwarding = 1 +``` +Flushing iptables: `iptables -F` flushes all tables. For more see [archwiki/iptables/Reset Rules](https://wiki.archlinux.org/title/Iptables#Resetting_rules) +- `sudo systemctl status iptables` says there is no such service unit!? -> Fedora uses [[firewalld]], which _is_ reported as running ......... +#### Firewalld exploring +```bash +sudo firewall-cmd --get-active-zones +# Output: +# FedoraWorkstation (default) +# interfaces: wlp44s0 +``` +### Steps taken after restarting with [[firewalld]] +1. Followed steps in chapters 2.3.3 and 2.4 [here](https://wiki.archlinux.org/title/Internet_sharing#Enable_packet_forwarding). This should have enabled masquerading and have the ports ACCEPT for dns and dhcp. +2. Firewalld is not powerfull enough it seems +### nfttables +Overview of a common configuration and packet flow + +A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook: + + a prerouting chain, for all newly-arrived IP traffic + an input chain, for traffic addressed to the local host itself + an output chain, for traffic originating from the local host itself + a forward chain, for packets the host is asked to simply pass from one network to another + a postrouting chain for all IP traffic leaving the firewall + +For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain. + +If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet’s destination) attach to the prerouting chain. + +Packet flow is straightforward. Only one chain attaches to each hook. 
The first accept or drop rule a packet matches wins. \ No newline at end of file diff --git a/notes/todos/todo.md b/notes/todos/todo.md index bdea236..3ba0dfc 100644 --- a/notes/todos/todo.md +++ b/notes/todos/todo.md @@ -3,3 +3,12 @@ - [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop - [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters. - [ ] Look into how to route to internet! + + + + +IEEE 802.11: www.ieee802.org/11/ +FCC 2.4 GHz: https://transition.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00312.pdf +WPA3 Specification: www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf +Wireless LAN Display Filters: www.wireshark.org/docs/dfref/w/wlan.html +WPA-PSK Key Generator Tool: www.wireshark.org/tools/wpa-psk.html \ No newline at end of file diff --git a/notes/wiki/firewalld.md b/notes/wiki/firewalld.md new file mode 100644 index 0000000..8e1717c --- /dev/null +++ b/notes/wiki/firewalld.md @@ -0,0 +1 @@ +Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld) diff --git a/notes/wiki/nmcli.md b/notes/wiki/nmcli.md index c2d40a8..f69e4fb 100644 --- a/notes/wiki/nmcli.md +++ b/notes/wiki/nmcli.md @@ -1,5 +1,7 @@ -***TLDR:*** Command line utility of NetworkManager -Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager) . +**TLDR:** Command line utility of [NetworkManager](https://networkmanager.dev) + +Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). + # Commands ```bash 
@@ -17,4 +19,30 @@ sudo systemctl restart NetworkManager # for config changes to take effect ```bash sudo nmcli device set managed no # make sure itnerface is not managed by NetworkManager. Can use d instead of device. ``` +More examples [here](https://networkmanager.dev/docs/api/latest/nmcli-examples.html) + +# Config +## Ignoring specific devices +This is mostly taken from different parts of [archwiki/NetworkManager](https://wiki.archlinux.org/title/NetworkManager). This is desirable so it wont interfere with our [[hostapd]] or [[dnsmasq]] config. +In ``/etc/NetworkManager/conf.d/unmanaged.conf`` : +MAC addr based: +```config +[keyfile] +unmanaged-devices=mac: +``` +Interface name based: +```config +[keyfile] +unmanaged-devices=interface-name: +``` +After modifying run +```bash +sudo nmcli general reload +``` + +Resources: https://wiki.archlinux.org/title/Software_access_point#NetworkManager_is_interfering and https://wiki.archlinux.org/title/NetworkManager#Ignore_specific_devices + + + + From e213eee8abf8908671864d0bf7555ea85ef43572 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Tue, 26 Mar 2024 01:26:11 +0100 Subject: [PATCH 6/7] Add outline/ overview of what must be done to setup IoT experiment environment. --- code/hostapd.conf | 4 --- code/hostapd.conf.bak | 12 ++++++++ notes/journal/Mon, 25 March 2024.md | 5 ++++ notes/wiki/AP configuration.md | 6 ---- notes/wiki/EnvironmentSetup.md | 46 +++++++++++++++++++++++++++++ notes/wiki/firewalld.md | 2 ++ notes/wiki/hostapd.md | 31 +++++++++++++++++++ 7 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 code/hostapd.conf.bak delete mode 100644 notes/wiki/AP configuration.md create mode 100644 notes/wiki/EnvironmentSetup.md diff --git a/code/hostapd.conf b/code/hostapd.conf index 7f297fe..643e74b 100644 --- a/code/hostapd.conf +++ b/code/hostapd.conf 
@@ -6,7 +6,3 @@ channel=11 macaddr_acl=0 auth_algs=1 ignore_broadcast_ssid=0 -wpa=2 -wpa_passphrase=11help22help33 -wpa_key_mgmt=WPA-PSK -rsn_pairwise=CCMP diff --git a/code/hostapd.conf.bak b/code/hostapd.conf.bak new file mode 100644 index 0000000..7f297fe --- /dev/null +++ b/code/hostapd.conf.bak @@ -0,0 +1,12 @@ +interface=wlp0s20f0u1 +driver=nl80211 +ssid=t3u +hw_mode=g +channel=11 +macaddr_acl=0 +auth_algs=1 +ignore_broadcast_ssid=0 +wpa=2 +wpa_passphrase=11help22help33 +wpa_key_mgmt=WPA-PSK +rsn_pairwise=CCMP diff --git a/notes/journal/Mon, 25 March 2024.md b/notes/journal/Mon, 25 March 2024.md index 0082c59..7131510 100644 --- a/notes/journal/Mon, 25 March 2024.md +++ b/notes/journal/Mon, 25 March 2024.md 
@@ -3,3 +3,8 @@ Could record some data of amazon echo. Setup gues network on router without any security, this enabled some capture since no keys had to be configured or handshakes captured (would be an issue without any channel controll) Issue: Channalhopping -> missing a lot of traffic To avoid channelhopping: Somehow fix the channel on router. + +By leaving out any authentication/security config in hostapd.conf one can create an unsecured AP (on the usb wifi card) on my linux machine to. Having an open auth AP seems fine for this use case. +In the end this seems to be the way. For doing experiments we want to record all traffic. For this we cannot loose traffic just because we are not connected. This is why we'd want an access point we controll fully. We don't want to rely an some other router. But even then there would still be much manual config (channel, making an open access vlan or whatever). + +Essentially we need to know the channel exaclty and don't want to deal with any more cryptography than we must. So, ideally we can create an AP on a laptop or local computer, using a low cost wifi adapter. (Since we are talking about testing IoT devices we must rely on wireless internet, since this is how virtually all of them work.) We should be able to configure that device to be an AP. Then we need to forward to whatever interface the experiment computer has internet access to. diff --git a/notes/wiki/AP configuration.md b/notes/wiki/AP configuration.md deleted file mode 100644 index 0707423..0000000 --- a/notes/wiki/AP configuration.md +++ /dev/null @@ -1,6 +0,0 @@ -# Using NetworkManager -See [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). Can use the command line tool [[nmcli]]. - -# Using [[hostapd]] -Must first make sure that the interface is not managed by nmcli, see [[nmcli]]. - 
diff --git a/notes/wiki/EnvironmentSetup.md b/notes/wiki/EnvironmentSetup.md new file mode 100644 index 0000000..863c45a --- /dev/null +++ b/notes/wiki/EnvironmentSetup.md 
@@ -0,0 +1,46 @@ +Here I try to document the setup needed to perform reliable captures of IoT device traffic. Setting up the environment properly is a precondition for capture tools like +[[Wireshark]] et al. to capture ALL traffic needed reliable (while also avoiding nosie). + +Since most IoT devices use the internet, it is vital that any capturing mechanism/setup does not interfear with their ability to phone home. + +At this point I can descerne the following steps. +# Overview/Big Picture +Assumption: The machine used to capture traffic has internet acces either wired (ethernet) or wireless (wifi, maybe bluetooth?). +Since IoT devices work wirelessly the testing/experiment environment needs at least none wifi card which supports AP mode (see [[iw]]). It will act as the AP for the device to be tested. +Since many IoT devices are internet enabled we need a way to bridge the IoT<->AP network to the internet. +Problem: How do we get internet access to an IoT device? +1. It connects to a router. The router must then be able to: Mirror ports/run required capturing software itself +2. It connects to an AP on some other machine. The other machine is connected via some other iterface to the internet. + 1. Wired Internet: Either using a (software) bridge or NAT make sure traffic IoT<->Internet can be established and that it can capture all needed packets. + 2. Wifi Internet: Same as wired. But special care must be taken on a "unclean" system. Desktop systems tend to come with running network management utilities and daemons running. To avoid them interfereing with the AP card special care must be taken, see e.g. [[nmcli]]. +So what must a toolkit which sets up the experiment environment be able to do: +1. __AP Service__ Through config or detection setup a properly configure AP, possibly on a external adapter +2. __Internet Service__ Enable any IoT device to connect to the Internet +3. 
__Internet Service dependencies__ Since the experiment machine is replacing some functionality usually offered by the router to connecting host, some router functionality must be offerd. In particular [[dhcp]] (IoT device needs an IP) and [[dns]] (IoT device needs some way to get IPs of hosts it wants to connect to). That is, test machine must at least be a [[gateway]] and the IoT device should ideally be able to understand that without any configuration. +# AP Configuration +## Using NetworkManager +See [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). Can use the command line tool [[nmcli]]. + +## Using [[hostapd]] +Must first make sure that the interface is not managed by nmcli, see [[nmcli]]. +It turns out that _**leaving out**_ those parts of the config file which have to do with security and auth: +``` +# hostapd.conf +# Do not include in config if we wish to have an open auth AP! +wpa=2 +wpa_passphrase=11help22help33 +wpa_key_mgmt=WPA-PSK +rsn_pairwise=CCMP +``` +Further more we set the config option `auth_algs` appropriatly so open auth is allowed: +``` +auth_algs=1 +``` +see [[hostapd]] for description of the option. + +# DNS and DHCP +#TODO +Tools: [[dnsmasq]] +# Internet +#TODO +Possible tooling: [[iw]], [[firewalld]], [[iptables]], [[netables]] diff --git a/notes/wiki/firewalld.md b/notes/wiki/firewalld.md index 8e1717c..5d14591 100644 --- a/notes/wiki/firewalld.md +++ b/notes/wiki/firewalld.md @@ -1 +1,3 @@ Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld) + +Fazit: Not really viable since not enough fine grain control. \ No newline at end of file diff --git a/notes/wiki/hostapd.md b/notes/wiki/hostapd.md index e69de29..4726b1a 100644 --- a/notes/wiki/hostapd.md +++ b/notes/wiki/hostapd.md 
@@ -0,0 +1,31 @@ +```bash +# For nl80211, this parameter can be used to request the AP interface to be +# added to the bridge automatically (brctl may refuse to do this before hostapd +# has been started to change the interface mode). If needed, the bridge +# interface is also created. +bridge=br0 +``` + +# Operation mode +```bash +# (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), +# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used +# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this +# needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs +# to be set to hw_mode=a. When using ACS (see channel parameter), a +# special value "any" can be used to indicate that any support band can be used. +# This special case is currently supported only with drivers with which +# offloaded ACS is used. +# Default: IEEE 802.11b +hw_mode=g +``` + +```bash +# IEEE 802.11 specifies two authentication algorithms. hostapd can be +# configured to allow both of these or only one. Open system authentication +# should be used with IEEE 802.1X. +# Bit fields of allowed authentication algorithms: +# bit 0 = Open System Authentication +# bit 1 = Shared Key Authentication (requires WEP) +auth_algs=3 +``` From c3537e11bc0b9893982477a0ddaffdcc46df2fdf Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Tue, 26 Mar 2024 01:28:54 +0100 Subject: [PATCH 7/7] Restructure overview paragraph. --- notes/wiki/EnvironmentSetup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/notes/wiki/EnvironmentSetup.md b/notes/wiki/EnvironmentSetup.md index 863c45a..6e1e4cc 100644 --- a/notes/wiki/EnvironmentSetup.md +++ b/notes/wiki/EnvironmentSetup.md 
@@ -15,8 +15,8 @@ Problem: How do we get internet access to an IoT device? 2. Wifi Internet: Same as wired. But special care must be taken on a "unclean" system. Desktop systems tend to come with running network management utilities and daemons running. To avoid them interfereing with the AP card special care must be taken, see e.g. [[nmcli]]. So what must a toolkit which sets up the experiment environment be able to do: 1. __AP Service__ Through config or detection setup a properly configure AP, possibly on a external adapter -2. __Internet Service__ Enable any IoT device to connect to the Internet -3. __Internet Service dependencies__ Since the experiment machine is replacing some functionality usually offered by the router to connecting host, some router functionality must be offerd. In particular [[dhcp]] (IoT device needs an IP) and [[dns]] (IoT device needs some way to get IPs of hosts it wants to connect to). That is, test machine must at least be a [[gateway]] and the IoT device should ideally be able to understand that without any configuration. +2. __IP networking dependencies__ Since the experiment machine is replacing some functionality usually offered by the router to connecting host, some router functionality must be offerd. In particular [[dhcp]] (IoT device needs an IP) and [[dns]] (IoT device needs some way to get IPs of hosts it wants to connect to). +3. __Internet Gateway__ Enable any IoT device to connect to the Internet. That is, test machine must at least be a [[gateway]] and the IoT device should ideally be able to understand that without any configuration. # AP Configuration ## Using NetworkManager See [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager). Can use the command line tool [[nmcli]].
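
Review bot: In notes/wiki/EnvironmentSetup.md, under "Using [[hostapd]]", the sentence starting "It turns out that" and ending "which have to do with security and auth:" has no main clause, so the note never states what leaving those options out achieves. The comment inside the block implies the result is an open-auth AP; say that in the sentence itself. The same block commits a real-looking passphrase (`wpa_passphrase=11help22help33`); replace it with a placeholder such as `<passphrase>`. Since the stated goal of the page is to capture all device traffic while avoiding noise, add a line noting that an open AP accepts any station in range, so unrelated clients can end up in the capture. Smaller points in this hunk: "at least none wifi card" reads as the opposite of what is meant ("one"), the interface is unmanaged in NetworkManager rather than in nmcli, which is only its CLI, and "[[netables]]" is presumably "[[nftables]]".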
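
Review bot: In notes/wiki/firewalld.md the added conclusion "Not really viable since not enough fine grain control" does not say which control was missing, so a later reader cannot tell whether the verdict still holds; name the concrete rule or setting that could not be expressed with firewalld. "Fazit" is German in otherwise English notes ("Conclusion"), and the file now ends without a trailing newline.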
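
Review bot: In notes/wiki/hostapd.md the last block sets `auth_algs=3`, which per the comment quoted directly above it enables bit 1, Shared Key Authentication (requires WEP), in addition to Open System, while EnvironmentSetup.md in the same patch uses `auth_algs=1` for the open-auth AP. Use `auth_algs=1` here as well, or say why both bits are set. The first and third blocks also have no heading (only "Operation mode" has one), the fences are tagged `bash` although the content is hostapd.conf syntax, and the comment text appears to be quoted from hostapd's sample configuration file, so the page should say where it comes from.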
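
Review bot: In the reordered list of PATCH 7/7, the new item 3 says the IoT device "should ideally be able to understand that without any configuration", but the mechanism for that is the DHCP lease from item 2, which carries the default gateway (router option) and the DNS server; state that explicitly so the dependency between items 2 and 3 is visible. The rewritten `+` lines also carry over "offerd" and "to connecting host" from the removed lines; fix them while the text is being touched ("offered", "to connecting hosts").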