Howto: H4x0roam with netcfg and encrypted wpa supplicant config

From syn2cat - HackerSpace.lu
Revision as of 01:11, 4 November 2010 by Hardfalcon (Talk | contribs)


This howto was written with Archlinux in mind, but it should also work on any other distro. Before trying this, you should make sure that netcfg, openssl, and wpa_supplicant are installed on your machine. Execute all shell commands as root unless specified otherwise.

The configuration file for wpa_supplicant is going to be stored only in an encrypted form on the hard drive, as it contains your Hackerspace account credentials in clear text. The decrypted version of the config will *only* be stored in a ramdisk, which is going to be automatically mounted and unmounted upon starting and stopping the h4x0roam network profile. This should provide an acceptable level of security even on computers which do not have an encrypted hard drive (for example due to a slow CPU). Please note, however, that this does *not* offer any protection against keyloggers or other malware intercepting your encryption password or your syn2cat credentials on your local computer. Setting up an HDD password might be a solution to (at least partly) mitigate the risk of attacks conducted by casual attackers with physical access to your machine.

Let's get started:

Create the directory for the ramdisk:

mkdir -p /etc/network.d/secure/ramdisks/h4x0roam
chmod -R 0700 /etc/network.d/secure

Create the network profile as /etc/network.d/h4x0roam with the following content:

CONNECTION='wireless'
DESCRIPTION='A secure wpa_supplicant configuration based wireless connection'
INTERFACE='wlan0'
SECURITY='wpa-config'
# Decrypt only if the ramdisk actually mounted: with ';' instead of '&&', a failed
# mount would leave the decrypted config on the real hard drive.
PRE_UP="mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/ && openssl enc -d -aes-256-cbc -in /etc/network.d/secure/h4x0roam.aes -out /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam"
# Overwrite the clear-text copy with the encrypted file before unmounting.
PRE_DOWN="cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam ; umount h4x0roam-ramdisk"
WPA_CONF='/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam'
IP='dhcp'

Now we temporarily mount a ramdisk where we will create the configuration file for wpa_supplicant:

mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/

Create a file /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam with the following content (you'll obviously have to fill in your own username and password):

ctrl_interface=/var/run/wpa_supplicant
network={
	ssid="h4x0roam"
	bssid=00:21:29:E9:D1:AA
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="YOUR HACKERSPACE USERNAME"
	password="YOUR HACKERSPACE PASSWORD"
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
	client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
}

Save an encrypted version of the file to /etc/network.d/secure/h4x0roam.aes (remember the encryption password!), overwrite the clear-text copy in the ramdisk with the encrypted one, and unmount the ramdisk:

openssl enc -aes-256-cbc -salt -in /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam -out /etc/network.d/secure/h4x0roam.aes
chmod 0600 /etc/network.d/secure/h4x0roam.aes
cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam
umount /etc/network.d/secure/ramdisks/h4x0roam/

Install h4x0roam's SSL certificate chain (the files are served over plain HTTP, so compare their fingerprints with a copy obtained from the hackerspace before relying on them):

mkdir -p /etc/ssl/h4x0roam
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
wget http://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt -O /etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
chmod 0644 /etc/ssl/h4x0roam/*

Now you should be ready to go, so let's test your new network profile:

netcfg h4x0roam
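The encrypt-and-decrypt cycle that the profile automates, as an added example that is not part of the original howto: shell helpers that encrypt a wpa_supplicant config, confirm that no clear-text credentials remain in the on-disk file, and let you check that the decryption target really is a ramfs before writing to it. A plain directory stands in for the ramdisk and a passphrase file replaces openssl's interactive prompt so it runs without root; all file names, the sample config and the passphrase are constructed here, and is_ramfs accepts an alternative mounts file in place of /proc/mounts for the same reason.

```shell
#!/bin/sh
# Added example: helpers around the page's openssl workflow. Not part of the
# original howto; paths and the passphrase file are constructed.

# Use PBKDF2 when this openssl supports it (OpenSSL 1.1.1+). The plain
# 'openssl enc -salt' form on the page derives the key with a single MD5 pass,
# which makes offline guessing of the passphrase cheap. Both sides must agree.
kdf_opts() {
    if openssl enc -help 2>&1 | grep -q -- '-pbkdf2'; then
        echo "-pbkdf2 -iter 100000"
    fi
}

# encrypt_config PLAINTEXT CIPHERTEXT PASSFILE (first line of PASSFILE is used)
encrypt_config() {
    openssl enc -aes-256-cbc -salt $(kdf_opts) -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_config CIPHERTEXT PLAINTEXT PASSFILE
decrypt_config() {
    openssl enc -d -aes-256-cbc $(kdf_opts) -pass "file:$3" -in "$1" -out "$2"
}

# is_ramfs MOUNTPOINT [MOUNTS_FILE]: succeed only if MOUNTPOINT (as listed in
# /proc/mounts, i.e. without trailing slash) is a ramfs/tmpfs mount. Gate the
# decryption on this so a failed mount never leaves clear text on the real disk.
is_ramfs() {
    awk -v mp="$1" '$2 == mp && ($3 == "ramfs" || $3 == "tmpfs") { f = 1 }
                    END { exit !f }' "${2:-/proc/mounts}"
}

# secrets_on_disk FILE: succeed if FILE still holds a clear-text identity= or
# password= line, i.e. what must never be true of h4x0roam.aes.
secrets_on_disk() {
    grep -q -E '^[[:space:]]*(identity|password)=' "$1"
}

# roundtrip DIR: constructed end-to-end check in DIR (a directory standing in
# for the ramdisk): encrypt, verify no secrets in the ciphertext, decrypt,
# verify the decrypted copy is byte-identical. Returns 0 on success.
roundtrip() {
    dir="$1"
    printf 'ctrl_interface=/var/run/wpa_supplicant\nnetwork={\n\tssid="h4x0roam"\n\tidentity="demo-user"\n\tpassword="demo-pass"\n}\n' > "$dir/plain"
    printf 'example-passphrase\n' > "$dir/pass"
    encrypt_config "$dir/plain" "$dir/h4x0roam.aes" "$dir/pass" || return 1
    if secrets_on_disk "$dir/h4x0roam.aes"; then return 1; fi
    decrypt_config "$dir/h4x0roam.aes" "$dir/decrypted" "$dir/pass" || return 1
    cmp -s "$dir/plain" "$dir/decrypted"
}
```

Run `roundtrip "$(mktemp -d)"` to exercise the cycle; if PBKDF2 is used for the .aes file, the PRE_UP decrypt command in the profile needs the same -pbkdf2 -iter options.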