Lab: Secure Wireless Home Network

    Introduction
    Equipment in the Lab
    Configuring tuxy3
    Configuring tuxy2
    Configuring tuxy3 to monitor the WLAN
    Configuring the WLAN without security
    Configuring the WLAN with WEP
    Configuring the WLAN with WPA-PSK
    Configuring the WLAN with WPA-EAP
    Questions to answer at home

  1. Introduction
    This work consists of configuring a small network composed of a router, an Ethernet switch, an 802.11 access point, and 2 PCs (one communicating via Ethernet and the other via 802.11).
    
          (isp)      
            |      v...(802.11)
       +--------+  |
       | router |--+
       +----+---+
            |
            | (ethnet)
        +---+----+ (ethnet)
        | switch +----------[pc1]
        +---+----+
            |
            |       (802.11)
            |     v.........v
        +---+--+  |         |   
        |  AP  +--+         +---[pc2]
        +------+
              
    The router will have a network interface to an ISP, to which one public IP address is associated. In order to provide connectivity to multiple PCs (pc1, pc2, ...) the router will also implement the following functions:
    • Network Address Translation (NAT), which enables the formation of a private IPv4 network and maps private IP addresses onto the public IP address;
    • Dynamic Host Configuration Protocol (DHCP) service, which enables pc1 and pc2 to get a private IP address and to autoconfigure themselves when they boot;
    • Domain Name Service (DNS) relay, which will enable the PCs to obtain information about the server they must consult in order to translate names into IP addresses.

    The switch is a layer 2 device (no IP) and is used to interconnect other PCs (pc1 in our case) or other bridges (the AP, in our case). The Access Point (AP) is also a layer 2 device and has two interfaces: one Ethernet, and one wireless 802.11 to which pc2 is connected.

    Please note that some commercial equipment contains these functions in a single box.

  3. Equipment in the Lab
    In the lab, the equipment and the addresses shown in the figure below will be used. As usual, "y" designates the number of your "bancada" in the lab.
          (isp)
            |
            | eth0=172.16.1.y3/24
            |
            |      v...(802.11)(Monitor)
       +--------+  |
       | tuxy3  |--+
       +----+---+
            | eth1=172.16.y0.3/24
            |
            |
        +---+----+ (ethnet)
        | switch +----------[tuxy2]
        +---+----+
            |
            |       (802.11)
            |     v.........v
        +---+--+  |         |   
        |  AP  +--+         +---[tuxy4]
        +------+
    

  5. Configuring tuxy3
    1. Configure the network interfaces of tuxy3:
      tuxy3$ ifconfig eth0 172.16.1.y3 netmask 255.255.255.0   # the "ISP" interface
      tuxy3$ ifconfig eth1 172.16.y0.3 netmask 255.255.255.0
      tuxy3$ echo 1 > /proc/sys/net/ipv4/ip_forward
    2. Configure the NAT:
      tuxy3$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      tuxy3$ iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

      To observe the table contents:

      tuxy3$ iptables -L
      tuxy3$ iptables -t nat -L
    3. Configure the DNS SERVER:
      tuxy3$ apt-get install bind9
      tuxy3$ vi /etc/resolv.conf
      
           search netlab.fe.up.pt
           nameserver 127.0.0.1
      
      tuxy3$ vi /etc/bind/named.conf.options
            ...
            options{
            ...
            forwarders{
               172.16.1.2;  //laboratory/ISP name server
               };
            ...
            };
      
      tuxy3$  /etc/init.d/bind9 restart
    4. Configure the DHCP SERVER:
      tuxy3$ apt-get install dhcp3-server
      tuxy3$ vi /etc/dhcp3/dhcpd.conf
      
           option domain-name "netlab.fe.up.pt";
           option domain-name-servers 172.16.y0.3;
           option subnet-mask 255.255.255.0;
           default-lease-time 600;
           max-lease-time 7200;
      
           subnet 172.16.y0.0 netmask 255.255.255.0 {
           range 172.16.y0.100 172.16.y0.150;
           option broadcast-address 172.16.y0.255;
           option routers 172.16.y0.3;
           }
      
           subnet 172.16.1.0 netmask 255.255.255.0 {
           }
      
      tuxy3$  /etc/init.d/dhcp3-server restart
    5. Activate 2 instances of Wireshark: one of them capturing at "any", and the other capturing at "eth1":
      tuxy3$ wireshark &
        ...
      tuxy3$ wireshark &
        ...

  6. Configuring tuxy2
    1. To get tuxy2 IP configured, execute:
      tuxy2$ dhclient eth0
      
    2. Observe the configuration acquired:
      tuxy2$ ifconfig
      tuxy2$ route -n
      tuxy2$ cat /etc/resolv.conf
      
    3. Test the connectivity:
      tuxy2$ ping www.google.com
      tuxy2$ firefox www.google.com

  7. Configuring tuxy3 to monitor the WLAN
    tuxy3$ wlanconfig ath0 destroy
    tuxy3$ wlanconfig ath0 create wlandev wifi0 wlanmode monitor
    tuxy3$ iwconfig ath0 channel y*2
    tuxy3$ ifconfig ath0 up
    tuxy3$ wireshark &
    (interface ath0)
    

  9. Configuring the WLAN without security
    1. Configuring the AP
      The AP is managed and configured using HTTP:

      http://172.16.y0.8 (the default address is 192.168.0.50)

      Username: admin
      Password (none)

      The IP address of your AP is used only for configuration purposes and it can be changed.

      Configure the AP so that: ssid = bancaday, channel = y*2, and no security is used (open authentication).

    3. Configuring tuxy4
      1. If not already created, create and verify the virtual network interface ath0:
        tuxy4$ ifconfig eth0 down
        tuxy4$ ifconfig eth1 down
        tuxy4$ wlanconfig ath0 create wlandev wifi0 wlanmode sta
        tuxy4$ iwconfig
      2. Configure it with no security:
        tuxy4$ iwconfig ath0 essid "bancaday" key off
      3. Configure the IP of tuxy4
        tuxy4$ dhclient ath0
      4. Observe the configuration acquired
        tuxy4$ ifconfig
        tuxy4$ route -n
        tuxy4$ cat /etc/resolv.conf
      5. Test the connectivity
        tuxy4$ ping www.google.com
        tuxy4$ firefox www.google.com

  10. Configuring the WLAN with WEP
    1. Configure the AP with encryption (open authentication):
      WEP key: 64-bit (40-bit WEP key + 24-bit IV), hexadecimal = y123456789
    2. Configure tuxy4
      tuxy4$ iwconfig ath0 essid "bancaday" key y123456789
      tuxy4$ dhclient ath0
      tuxy4$ ping www.google.com
      tuxy4$ firefox www.google.com
    3. Stop and save the 3 Wireshark instances in the router (tuxy3).

  11. Configuring the WLAN with WPA-PSK (Personal)
    1. Install the WPA supplicant in tuxy4 (before losing connectivity)
      tuxy4$ apt-get install wpasupplicant
    2. Configure the AP
      Security (authentication): WPA-PSK
      Cypher Type: TKIP
      
      Passphrase: pskbancaday
    3. Return to tuxy4. Configure the WPA Supplicant for WPA-PSK
      tuxy4$ cp /usr/share/doc/wpasupplicant/examples/wpa-psk-tkip.conf  .
        
      tuxy4$ vi wpa-psk-tkip.conf
      
      network={
         ssid="bancaday"
         key_mgmt=WPA-PSK
         proto=WPA
         pairwise=TKIP
         group=TKIP
         psk="pskbancaday"
      }
      
      tuxy4$ wpa_supplicant -i ath0 -c wpa-psk-tkip.conf -d

      To run wpa_supplicant as a daemon, add the option -B.

    4. See the status of the interface ath0; when associated, configure the IP:
      tuxy4$ wpa_cli stat
      tuxy4$ dhclient ath0
      
    5. Test the connectivity:
      tuxy4$ ping www.google.com
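
    The wpa-psk-tkip.conf above stores the passphrase itself; wpa_supplicant turns it into the 256-bit PSK with PBKDF2-HMAC-SHA1, using the SSID as salt. The Python code below is an added example, not part of the original lab: it performs the same derivation and writes the network block with the hex PSK instead of the passphrase. The function names and the values for bench y = 1 (SSID "bancada1", passphrase "pskbancada1") are assumptions made for illustration.

```python
import hashlib


def derive_psk(passphrase: str, ssid: str) -> str:
    """Map a WPA passphrase to the 256-bit PSK (64 hex digits).

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32 bytes). The SSID acts as the salt, so the same
    passphrase yields a different PSK on every network name.
    """
    pw = passphrase.encode("ascii")  # non-ASCII raises (a ValueError subclass)
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= b <= 126 for b in pw):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()


def network_block(passphrase: str, ssid: str) -> str:
    """Build a network block like the lab's wpa-psk-tkip.conf, but with the
    derived PSK (unquoted hex) in place of the quoted passphrase."""
    psk = derive_psk(passphrase, ssid)
    return "\n".join([
        "network={",
        f'   ssid="{ssid}"',
        "   key_mgmt=WPA-PSK",
        "   proto=WPA",
        "   pairwise=TKIP",
        "   group=TKIP",
        f"   psk={psk}",
        "}",
    ])


if __name__ == "__main__":
    # Constructed values: bench y = 1, i.e. SSID "bancada1", passphrase "pskbancada1".
    print(network_block("pskbancada1", "bancada1"))
    # Same passphrase, different SSID: the PSK changes because the salt changed.
    print(derive_psk("pskbancada1", "bancada2"))
```

    The hex PSK is still sufficient to join the network, so the configuration file should remain readable by root only. What changes is that the passphrase is no longer on disk and the stored value is bound to a single SSID.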

  12. Configuring the WLAN with WPA-EAP (Enterprise)
    1. Configure the AP:
      Security (authentication): WPA-EAP
      Cypher Type: TKIP
      
      RADIUS Server: 172.16.y0.3 (tuxy3)
      RADIUS Secret: radiusbancaday
    2. Install the RADIUS Server (FreeRADIUS) in tuxy3. Note: due to licensing problems the package available via apt-get doesn't support TLS based authentication methods.
      tuxy3$ wget http://www.fe.up.pt/~jaime/0809/CMO/freeradius_2.1.0-0_i386.deb
      tuxy3$ dpkg -i ./freeradius_2.1.0-0_i386.deb
    3. Configure the RADIUS Server. The configuration files can be found in /etc/freeradius/
      1. Configure the authentication method PEAP/MSCHAPv2:
        tuxy3$ vi eap.conf
        		  
        Replace the line default_eap_type = md5 with default_eap_type = peap
      2. Add the AP as a client:
        tuxy3$ vi clients.conf
        
               client 172.16.y0.8 {
                  secret = radiusbancaday
                  shortname = apbancaday
               }
      3. Create the user user1 with password "teste":
        tuxy3$ vi users
        
               user1 Cleartext-Password := "teste"
      4. Restart the RADIUS Server in debug mode:
        tuxy3$ /etc/init.d/freeradius stop
        tuxy3$ freeradius -X
      5. Test the RADIUS Server:
        tuxy3$ radtest user1 teste localhost 1645 testing123
    4. Configure the WPA Supplicant for WPA-EAP in tuxy4:
      tuxy4$ vi wpa-eap.conf
      
      network={
         ssid="bancaday"
         key_mgmt=WPA-EAP
         eap=PEAP
         pairwise=TKIP
         group=TKIP
         identity="user1"
         password="teste"
      }
      
      tuxy4$ wpa_supplicant -i ath0 -c wpa-eap.conf -d
    5. See the status of the interface ath0; when associated, configure the IP:
      tuxy4$ wpa_cli stat
      tuxy4$ dhclient ath0
      
    6. Test the connectivity:
      tuxy4$ ping www.google.com

  13. Questions to answer at home
    Please remember: 1) not more than 2 A4 pages; 2) deliver it within the next week (by 11/12/2008) to [email protected].

    1. NAT. The NAT mechanism enables a set of computers (pc1 and pc2) to share a public IP address. Using the log captured in the router at "any", identify the messages used by pc1 to contact the HTTP server located at www.google.pt. Based on these messages, their IP addresses and ports, describe the behaviour of the NAT mechanism.
    2. DHCP. The DHCP protocol enables a PC to configure itself. Based on the log captured in the router at "eth1", select the relevant DHCP messages and describe the mechanism used by your pc1 (tuxy2) to obtain its IP address, routes and nameserver.
    3. MAC 802.11. Using the log obtained in the router at "ath0", identify the 802.11 frames associated with a ping (echo request, echo reply and 2 acks). For each of these frames, characterise their MAC addresses (source, destination, bssid, receiver address) and associate them with the devices/equipment you are using. Can you associate them with the ARP protocol?
    4. WEP. Using the log obtained in the router at "ath0", select 2 data frames: one encrypted, the other non-encrypted. Compare these frames and describe the purpose of the most relevant fields observed. What weaknesses can you associate with the WEP mechanism?
    5. WPA-PSK. What are the advantages of WPA-PSK over WEP?
    6. WPA-EAP. The configuration file wpa_configuration.conf is incomplete. As it is, an attacker is able to forge a rogue AP. How is the attack possible? What is missing?

     

    Good work!

    Jaime Dias, Manuel Ricardo


Updated: 3/12/08