Episode75

From Paul's Security Weekly

Episode Media

mp3

Wireless Guest Network: Part I

Equipment Used:

  • 2 WRT54GLs
  • 2 LINKSYS POE Adapter WAPPOE12 12V
  • OpenWrt "Whiterussian" 0.9

The nice part is, all this can be done for under $300, and it's all open source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Below are the step-by-step guidelines for getting the initial setup going:

  • Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?). Also, do not use the PoE adapters when flashing!
  • Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
nvram commit

[Larry] Added the nvram commit.

  • Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put the APs on that subnet.
  • Step 4 - Harden and performance-tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet
  • Step 5 - Enable DHCP on each of the access points:
cat > /etc/init.d/S60dnsmasq
#! /bin/ash

/usr/sbin/dnsmasq &

<CTRL-D>
chmod +x /etc/init.d/S60dnsmasq

Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:

# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative                         
dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases                           
                                                          
# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>                                           
read-ethers                                                   

# other useful options:                                       

# Default Gateway      
dhcp-option=3,10.10.10.1

# DNS Servers             
dhcp-option=6,10.10.10.6,10.10.10.7
  • Step 6 - Reboot the WRT54GL, make sure all is well. Now, connect the PoE adapters and place the APs where you want them.
  • Step 7 - Configure Wireless - Place the access points on their respective channels using the command "nvram set wl0_channel=1". Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using the command nvram set wl0_ssid="guestwireless", followed by "nvram commit" in order to save the nvram changes. [Larry] Added nvram commit.

You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.
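Once the APs are back up, it is worth confirming that the settings from Steps 2, 4, 5 and 7 actually stuck on each one. The script below is an added example, not part of the original show notes: it audits files captured from one AP and returns the number of failed checks. The capture file names and the helper names (nv, audit_ap, make_sample) are assumptions of this example, and the sample data is constructed.

```sh
#!/bin/sh
# Added example: audit one AP's captured state against Steps 2, 4, 5 and 7.
# Arguments (file names are assumptions of this example):
#   $1 = saved output of `nvram show`
#   $2 = saved output of `ls /etc/init.d`
#   $3 = copy of /etc/dnsmasq.conf

nv() { sed -n "s/^$2=//p" "$1" | head -n 1; }   # nv FILE KEY -> value

audit_ap() {
    fails=0
    check() {   # check NAME GOT WANT
        [ "$2" = "$3" ] || { echo "FAIL $1: got '$2', want '$3'"; fails=$((fails + 1)); }
    }
    check boot_wait "$(nv "$1" boot_wait)" on
    check wan_proto "$(nv "$1" wan_proto)" none
    check wl0_ssid  "$(nv "$1" wl0_ssid)"  guestwireless
    case "$(nv "$1" wl0_channel)" in
        1|6|11) ;;
        *) echo "FAIL wl0_channel: not 1, 6 or 11"; fails=$((fails + 1)) ;;
    esac
    # Step 4 renamed these scripts, so the original names must be gone.
    for svc in S50httpd S50telnet; do
        if grep -qx "$svc" "$2"; then
            echo "FAIL $svc still enabled"; fails=$((fails + 1))
        fi
    done
    # Step 5: DHCP pool, default gateway (option 3) and DNS (option 6).
    for pat in '^dhcp-range=' '^dhcp-option=3,' '^dhcp-option=6,'; do
        grep -q "$pat" "$3" || { echo "FAIL dnsmasq.conf lacks $pat"; fails=$((fails + 1)); }
    done
    return "$fails"   # number of failed checks
}

make_sample() {   # constructed captures: telnet left on, DNS option missing
    mkdir -p "$1"
    printf '%s\n' boot_wait=on wan_proto=none wl0_ssid=guestwireless \
        wl0_channel=6 > "$1/nvram.txt"
    printf '%s\n' S10boot S50telnet S60dnsmasq disabled_S50httpd > "$1/initd.txt"
    printf '%s\n' 'dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h' \
        'dhcp-option=3,10.10.10.1' > "$1/dnsmasq.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    audit_ap "$d/nvram.txt" "$d/initd.txt" "$d/dnsmasq.conf" || echo "$? check(s) failed"
fi
```

Run it with --demo to see the two failures in the constructed sample, or point audit_ap at captures taken from each AP.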

In Part II, we will show you how to implement a captive portal for guest authentication, and maybe even how to add some further layers of security such as intrusion detection and IP filtering.


Listener Feedback

Steve Gibson Clarification


I have been listening to your podcast for several months now and I
find it fun to listen to but also informative...... a lot of the time.
I am a little confused about the jibs and jabs at Steve Gibson. I know
Steve has been around for a while, as a matter of fact, I didn't even know
he had a podcast. So I went back and gave a listen to one or two of them.
Granted the subject matter is a little more rudimentary and there's no
doubt that it is directed at less experienced Windows users. The few podcasts
I listen to though seemed like they would benefit those that might listen
to it. Is this a private joke between Security Weekly and GRC? Or have I
just not been listening long enough?

=========================================================================
Is Linux saying the king has no clothes?

Gary Keen

[Paul] - So let's clear the air about Steve Gibson. First, he has done much good for the security community, no doubt. Say what you will about him, he has contributed stuff that has helped improve the security of the Internet. However, we pick on him because he's an easy target, shame on us. HOWEVER, he does have tons of listeners and will often say things that are not technically correct (heh, so do we), but will then go uncorrected. We have written them several times to help correct them, with no response. They don't seem to want to collaborate and communicate with us in the same manner that *Every other security podcast in production today* has and continues to. We have a great working relationship with Cyberspeak, Hak.5, Sploitcast, and many others. Security Now! just chooses to ignore us, making them the target of public ridicule because well, they are an easy target and we have no spine (Kidding!!). Another thing, Steve often presents things in a confusing manner, and I think this is because he tries to explain some of the more advanced security topics to an audience with a very low level of computer knowledge. Sometimes, this just doesn't work no matter how hard you try and causes confusion (hence the sweeper). So, we don't dislike Steve or Security Now!, but we have our moments with them.


Guiding RF (Jim S.)

In episode 76 when you were discussing the new WiFi distance record, Nick was saying you can't direct a radio wave in flight.  We beg to differ. <pictures of waveguide>

[Larry] - So, I went back and read everything I could on Intel's new wireless bending. We were waaaay off the mark. Not in flight, but at transmit, for long range and "moving antennas". Only for slight variations!


Blackholing MySpace (Chris B)

Hi Paul, 

On the last podcast you mentioned blackholing myspace on your home network.   Instead of blackholing myspace, I elected to rate limit the traffic to the slowest possible allowed on my home Cisco 831 router, which comes out to the equivalent of about a 9600bps modem.  This makes it very painful to browse as it takes a hell of a long time for the graphics to load. 

I did this because I have family and a cousin that lives with us.  They all know I work in computers/networks/security.  Without just blocking the sites, I can blame the 'slowness' on the web site and not 'something I did'.  Of course, the cousin gets his own limited user profile with no access to IE and a 'noscript' version of Firefox. 

Anyway, I was wondering what myspace networks you were blackholing?  I know they have a couple of CIDRs but they also use content distribution providers like Limelight networks and CWIE.   The networks I have on the rate limited access list are: 

63.208.226.0/24 CWIE 
216.178.32.0/20 myspace 
208.111.128.0/18 LLNW 
69.28.128.0/18 LLNW 
68.142.64.0/18 LLNW 
204.16.32.0/22 myspace 

And thanks for podcasting! 

[Larry] - A couple of comments here. Honestly, to protect my (and Paul's) networks, I wouldn't even make those address ranges work at a slow speed! It is not the speed of the attack, it is just the access. Paul, if I recall, you use your own internal caching name server (see book), created a zone for *.myspace.com, and redirect them to 127.0.0.1. If you want myspace, go elsewhere. This makes it easier to get the big offender, but still allow some of the legit media distribution - Akamai, and other providers.


Email added by [Larry] - (Shlomo D.)

I was thinking about what you guys said in Episode 72.  It seems that
the most clueless tech people have access and are responsible for the
most important private information.  I'm talking about HR.  I know
that I wouldn't trust some of our HR people with a laptop, if I had a
choice.  They are very nice people, but not clueful on privacy issues.
From what I hear from our helpdesk crew, they can barely use outlook.
Try explaining how to "print" to a pdf and they give you the thousand
yard stare.  Now, put them in charge of 1000 people's confidential
information and I get worried.

You say, what about our Information Security people.  Oh, them,
they're in the US, and I'm in Israel. Not only that, they're from Arab
countries and will NEVER come here.  They scan our server subnet and
DMZ regularly.  They complain here and there about technical issues or
about someone they find doing P2P.  But company policy regarding HR
issues?  No, ours is on their own and Info Sec doesn't deal with them
at all.  Now I'm really worried.

Is there anything I can do about it?  Probably not.  I guess it's not
as much of an issue, b/c the payroll is on a closed system (separate
PCs and network connections) and there is no SSN in this country, at
least nothing that is secret, everyone wants our Number for something.

Just my 2 cents worth. 

[Larry] Wow, so much seems to be wrong here. Let's discuss - onsite, policies, education, identifiable information....

Zigbee Security (Grimreaper)

Guys,

Just want to say still enjoying the podcast, it makes the commute easier,
keep up the good work.

I'm considering taking a new job and one of the projects I would be working
on deals w/the ZigBee wireless standard.  I'm no expert but I've heard it
compared to BlueTooth and that was a bit concerning in light of reading
about hacks for that standard.

I was wondering if you know about ZigBee and what your opinions might be
where security is concerned.


Thx,

Grim Reaper

[Paul] - I found this resource: http://www.cs.berkeley.edu/~nks/papers/15.4-wise04.pdf "Security Considerations for IEEE 802.15.4 Networks" and if I remember correctly, Josh said that it suffers from many of the problems that Bluetooth and 802.11 suffer from in authentication of mgt frames.

Kismet on WRT54G (Jason)

Hey guys,
I'm mucking around with kismet on my wrt and can't get the thing to report
the power levels of the networks around.  Have you guys run into this?  I've
been all over, but so far no luck.  Any suggestions?

Jason

[Paul] - Broadcom drivers suck and don't give you the RSSI info. However, using Kamikaze and the 2.6 kernel you can get Atheros drivers to work on your platform. No configuration in /etc/config, however you can use the wlanconfig commands to configure. You will then need to compile Kismet drone with Atheros support, which I just haven't gotten around to. [Larry] - This requires you to have a device with an Atheros chipset! An ASUS WL500g Premium will work nicely with a swap out on the mini-pci card. On WRT, you are hosed for signal strength - which was part of my problems while writing my GAWN Gold Paper (in the SANS RR). The other problem is with multiple Kismet Drones - unable to determine which drone spotted the AP. Allegedly there is a fix in newcore for this one.

WEP & WRT54G Models (Andy)

Hey, I "discovered" the Hak5 podcasts and they mentioned your site.  I watched episode 66 the other day and had a few questions.

Which is the better alternative to WEP, standard stuff available on most routers?  The stuff I've seen since I heard the podcast suggests WPA, but even that isn't very strong (coWPAtty, etc).

Are there any video postings of the Episodes, besides the TV episodes?

You all talked about the WRT54G.  I read that only versions 1-4 were usable (Linux versions), then Linksys switches systems after that.  Is that not true or were you guys mostly referring to the WRT54GS?  And then the most important question is where to get a WRT54G (v1-4) or WRT54GS at a good price.  I expected wardriving.com to have something but they linked to the Linksys site.

Thanks for the help.

Andy

[Paul] - <Shameless Book Plug>There is a hack in the book that shows you how to get WPA-Enterprise working on a standalone WRT54G. This is the most secure option, and does not have the vulnerabilities that are contained within WEP or WPA-PSK. The WRT54GL router is the one recommended in the book and is still produced by Linksys for hacking. The WRTSL54GS is great too and used in the book too, it's $99 if that fits into your budget. With respect to war driving, the book has an awesome hack, pioneered by renderman and improved upon by Larry, called war-driving in a box!</Shameless Book Plug> [Larry] - As a future update, I'm going to port the Wardriving-in-a-Box to the WRTSL54GS. This will make it easier for even n00bs to complete the hack (and by n00bs, I mean those without soldering skillz).

Secure Web Development (d4ncingd4n)

"Twitchy" has mentioned several times how much Java, PHP, AJAX, and
Web 2.0 in general suck. Recognizing that programs can be written
insecurely in any language, what do you guys feel is the best development
platform that balances security, responsiveness, ease of
development/deployment, and scalability for a client-server environment?
What are the reasons for your opinions? I would prefer to use open source
to avoid drinking the MS Kool-aid (and besides my company is cheap...).

I have a couple of suggestions for the show: 1) On the website, keep a list
of the beers you mention. Sometimes you mention a really good beer but,
since I don't know how the name is spelled, I can't find the beer so I can
try it also. 2) On the website, keep a list of resources available for
learning such as the SANS reading room, SecurityForest, OWASP project,
especially links to podcasts of the various conferences.

Here's some demographics..
First computer: VIC-20 (I still have it along with "Compute Gazettes". I
used to start a program load from cassette and then walk to buy beer at the
corner market.)
Location: Nashville, TN
Job title: Network admin
Newest gadget: Nokia 770 (love it)

Keep up the good work!

D4ncingD4n 

[Paul] - I would suggest using whatever web application platform you are most comfortable with, take SANS Secure coding courses and web application courses, and regularly audit your code and application. [Larry] - Mmmm, beer. Good idea on list of beers, and for a list of education resources.