A wireless trap using OpenBSD – reloaded

Build an OpenBSD wireless access point that redirects every client request for any website to a website of your own design. With a little imagination you could adapt this technique for more nefarious purposes – but that is not something we endorse here. A more applicable use for our kind may be basic DNS-based filtering, ad-blocking or something along those lines.

Requirements

I assume you have an OpenBSD box set up as a wireless access point – if not, go and read this previous post: http://www.bsdguides.org/2012/a-wireless-access-point-hotspot-using-openbsd/

Getting started

Done? Good. Now you have a functioning OpenBSD wireless access point and are ready to turn it into a “wireless trap”. It works like this: we set up a web server and a DNS service on our OpenBSD box, then configure DNS so that whatever hostname a client tries to resolve, our DNS server answers with the IP address of the access point itself (10.0.3.1 in our example). The client's browser therefore loads the website running on the access point.

Configure your DHCP Server

Make your /etc/dhcpd.conf look like this:

option  domain-name "my.domain";
option  domain-name-servers 10.0.3.1;

subnet 10.0.3.0 netmask 255.255.255.0 {
        option routers 10.0.3.1;
        range 10.0.3.100 10.0.3.150;
}

The only difference between this dhcpd.conf and the one in our Hotspot post is the line option domain-name-servers 10.0.3.1; which tells clients connecting to our access point that the access point itself is their DNS server.

Configure DNS using BIND

There are different ways to set up DNS – but when possible I like to use what the base system already provides – and therefore chose BIND. BIND’s configuration is held in /var/named/etc/.

Configure your /var/named/etc/named.conf like this:

acl clients {
        localnets;
        ::1;
};

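// Control key for rndc. Generate your own secret with rndc-confgen(8)
// rather than reusing this published value.
key "rndc-key" {
        algorithm hmac-md5;
        secret "FbxGpQ7kUF55caHrmmeZwfbfqKaLF367DYsQnJuTcQA=";
};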

controls {
       inet 127.0.0.1 port 953
       allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        version "";     // remove this to allow version queries
        listen-on    { any; };
        listen-on-v6 { any; };
        empty-zones-enable yes;
        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
        channel query_info {
                file "query.log" versions 3 size 10m;
                severity info;
                print-category yes;
                print-time yes;
        };
        category queries { query_info; };
        category resolver { query_info; };
};

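# This sets up the wifi trap: the root zone is served authoritatively from
# this box, so every name falls inside a zone we control.
# The usual hint zone for "." is left out, because BIND rejects two zones
# with the same name.
zone "." {
        type master;
        file "master/root.master";
};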

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

Configure your /var/named/etc/rndc.conf file like this:

# Must be the same key name, algorithm and secret as in named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "FbxGpQ7kUF55caHrmmeZwfbfqKaLF367DYsQnJuTcQA=";
};
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};

Now we need a master zone file that makes our DNS server claim to be authoritative for whatever DNS query comes in. Add a file called /var/named/master/root.master and make it look like this:

$ORIGIN .
$TTL 6h

@       IN      SOA     . root.localhost. (
                        1       ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum

                NS      localhost.      ; an NS target must be a host name, not an IP address
*       IN      A       10.0.3.1

Setting up Apache

Now this is very easy – open up your /var/www/conf/httpd.conf and adjust the relevant configuration directives as written below:

ServerName localhost
Listen *:80

Adjusting our /etc/pf.conf

We need to adjust our firewall configuration so that it drops all incoming traffic except ports 80 and 53, for HTTP and DNS respectively (plus the two ICMP types listed in icmp_types).

wired = "alc0"
wireless = "athn0"

icmp_types = "{echoreq, unreach}"

set block-policy return
set loginterface $wireless
set skip on lo0

# do some packet scrubbing
match in all scrub (no-df max-mss 1440)

# Handles NAT for the wireless clients
match out on egress inet from !(egress:network) \
to any nat-to (egress:0)

# Block everything by default
block log all

# Let all traffic out
pass out quick

# Let just some traffic in (dns & http)
pass in quick inet proto { tcp udp } from any to ($wireless) port { 53 80 }
pass in quick inet proto icmp all icmp-type $icmp_types keep state

Adjusting our start-up script

As you know from reading the Hotspot tutorial, I like to boot up my OpenBSD in a clean state with no settings set and then run a small script that sets everything up the way I need. Once things are perfect it is simple enough to start all the needed daemons at boot time, but especially while hacking around this is my preferred way. Copy my setup script below and adjust interface names etc. as needed. Once done, save it as setup_hotspot or whatever, and make it executable with chmod +x.

#!/bin/sh

# Setup wired Network card
ifconfig alc0 inet 10.0.1.254 netmask 255.255.255.0 up

# Set our wireless open hotspot
ifconfig athn0 inet 10.0.3.1 netmask 255.255.255.0 media autoselect mediaopt hostap nwid 1FreeWifi chan 1 up

# default route
route add default 10.0.1.2

# start DHCP on our wireless interface
dhcpd athn0

# start our DNS Service
# and make sure it gets used to resolve DNS queries
named
echo nameserver 127.0.0.1 > /etc/resolv.conf
echo lookup file bind > /etc/resolv.conf.tail

# start our webserver which we configured
# to listen on *:80
apachectl start

# start our modified packet filter
pfctl -ef /etc/pf.conf

Testing

After you run the script above, you should see a new wireless hotspot called 1FreeWifi. Connect to it – then try to browse to any website. You will notice that no matter which site you want to pull up, all you get is the default /var/www/conf/htdocs/index.html page. Have a look at our YouTube video to see this in action.
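
The same behaviour can be checked from a client without a browser, and the check doubles as a way to recognise that an access point you have joined is answering DNS this way: resolve several unrelated names, including one that cannot exist, and see whether they all come back with one address. This is an added example, not part of the original post; the function names and the sample data are constructed, and probe_resolver assumes dig(1) is installed.

```sh
#!/bin/sh
# Added example: decide whether a resolver answers every name with one address,
# which is what the wildcard root zone above produces.
# Input on stdin: one "hostname address" pair per line ("none" = no A record).
# Output: "wildcard <addr>" when at least 3 distinct names all got the same
#         address and none failed to resolve, otherwise "normal".
classify_answers() {
    awk '
        NF >= 2 {
            names[$1] = 1
            if ($2 == "none") miss = 1
            else { addrs[$2] = 1; last = $2 }
        }
        END {
            n = 0; for (k in names) n++
            a = 0; for (k in addrs) a++
            if (n >= 3 && a == 1 && !miss) print "wildcard " last
            else print "normal"
        }'
}

# Collect live answers for classify_answers; needs dig(1) and a network.
# The last name uses the reserved .invalid TLD, so real DNS never resolves it.
probe_resolver() {
    for name in example.com openbsd.org "nx-$$-$(date +%s).invalid"; do
        addr=$(dig +short +time=2 +tries=1 A "$name" | grep -E '^[0-9.]+$' | head -n 1)
        echo "$name ${addr:-none}"
    done
}

# Constructed sample: what a client behind the trap would see.
trap_sample() {
    printf '%s\n' \
        'example.com 10.0.3.1' \
        'openbsd.org 10.0.3.1' \
        'nx-12345.invalid 10.0.3.1'
}

# Constructed sample: a resolver that behaves normally.
normal_sample() {
    printf '%s\n' \
        'example.com 192.0.2.10' \
        'openbsd.org 198.51.100.7' \
        'nx-12345.invalid none'
}

trap_sample | classify_answers
normal_sample | classify_answers
```

On a live client, run `probe_resolver | classify_answers`; behind the access point built here it reports the address from the wildcard record.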

Conclusion

While this can be a lot of fun, specifically in a public place where everybody is like “Cool, free Wifi”, and then like “WTF?”, the use of this is kind of questionable. It does, however, show you some important concepts, I think, about the neat stuff you can do with an OpenBSD-based wireless access point. Go get creative with your index.html page, do something funny, or something useful.

If you have neat ideas or suggestions – please comment.
