Difference between revisions of "Spacenet"

Revision as of 10:18, 19 April 2019

Project: Spacenet
Featured:	No
State	Completed
Members	Xopr, Stuiterveer
GitHub	No GitHub project defined. Add your project here.
Description	Connect to an encrypted accesspoint using your own credentials in every hackerspace
Picture

Certificate

NOTE

We have this new certificate (since April 2015)

the certificate, as from /etc/freeradius/certs/server.pem

Connecting

Go to the chapter of your operating system below.

Linux

Copy & Paste the certificate above into a file and name it ackspace.pem

Put it in your own home folder.

Linux WIFI settings:

field	setting
Network name	spacenet and/or spacenet_legacy
Wireless security	WPA & WPA2 Enterprise
Authentication	Tunneled TLS (TTLS), or PEAP
Anonymous identity	anonymous@ackspace.nl
CA certificate	ackspace.pem
PEAP version (optional)	automatic Inner
Inner authentication	MSCHAPv2 (or PAP without a certificate)
Username	<user>@ackspace.nl
Password	you should know this

Windows 7

<Da_Syntax>

Windows 7 uses ntlm v2 and will fail trying to authenticate with the router.

In order to fix this run (win+'r') "secpol.msc" and do the following:

Open "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level"

and select "Send LM & NTLM - use NTLMv2 session security if negotiated" from the dropdown box

Press Ok, reboot ... profit!!

</Da_Syntax>

Windows 7 will either support EAP-MSCHAPv2 (username/password) or EAP-TLS (certificates) out-of-the-box.

You should manually create a wireless network under "Manage wireless networks".

Depending on the configuration of your home-RADIUS you should either choose EAP-MSCHAPv2 or EAP-TLS.

EAP-MSCHAPv2

SSID: spacenet
Security type: WPA2-Enterprise
Encryption type: AES
Authentication: Microsoft: Protected EAP (PEAP)

DO NOT USE CERTIFICATE WITH WINDOWS.

DO NOT ENTER RADIUS NAME OR IP.

Validate server certificate (good practice)
- Connect to these servers: common-name of the certificate installed on your RADIUS server
- Trusted root certification authorities: select the CA which signed the certificate installed on your RADIUS server
Authentication method: secured passwords (EAP-MSCHAP v2)
- Do NOT use windows logon name and password (will probably not work for you)
Use user authentication
- Save credentials: user@ackspace.nl with your password

EAP-TLS

Make sure your device has a client certificate issued by your PKI
SSID: spacenet
Security type: WPA2-Enterprise
Encryption type: AES
Authentication: Microsoft: Smart Card or other certificate
Validate server certificate (good practice)
- Connect to these servers: common-name of the certificate installed on your RADIUS server
- Trusted root certification authorities: select the CA which signed the certificate installed on your RADIUS server

iOS (iPhone and iPad)

just use your username and password an accept the certificate.

SailfishOS (Jolla)

For ease of typing on a big keyboard, make sure you have Developer mode and Remote connection enabled. Connect to the phone using SSH, gain root, and create the server certificate.

ssh nemo@<ip>
su-devel
vi /etc/ssl/certs/ACKspace.pem

press i, paste the certificate info, press Esc, :wq followed by enter

Create the WPA2 enterprise config:

vi /var/lib/connman/wifi_spacenet.config

press i and paste the following text:

[service_spacenet]
Type=wifi
Name=spacenet
EAP=peap
CACertFile=/etc/ssl/certs/ACKspace.pem
Phase2=MSCHAPV2
Identity=<user>@ackspace.nl
Passphrase=<your password>

Logout, disable wifi, enable it again. Go to System, WLAN, connect to internet, and tap WLAN spacenet shouldbe in the list; tap to connect.

How to register

To use Spacenet, ACKspace needs to store your plain text username (the part before @ackspace.nl) and an NTLM hash of your password you wish to use. If you use the hashes generator, make sure you enter your password without username or domain etc.

Contact PsychiC, Vicarious, Xopr or Stuiterveer if you'd wish to register.

Info for freeradius admin

edit /etc/freeradius/users Add either one of lines

noobuser Cleartext-Password := "foobar123"

leetuser NT-Password := "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"

NTLM hash generator
(note that there is no roundtrip involved, hash is generated client-side using utf8-to-utf16 little endian and md4 hash)

NTLM.py

Click here to view python examples of NTLM hash generators

  import hashlib,binascii
  passwd = '$password'
  print 'NTLM hash is', binascii.hexlify(hashlib.new('md4', passwd.encode('utf-16le')).digest())
# OR use
  import smbpasswd # via [apt-get install | yum install] python-smbpasswd
  passwd = '$password'
  print 'NTLM hash is', smbpasswd.nthash(passwd)

Available SSID's

We also have some materials for it (TODO: not an exact list):

SSID	description
spacenet	spacenet
ackspacewifi	Needs WPA2 key (ask a participant)

@@ Line 183: / Line 183: @@
 == Available SSID's ==
+We also have some materials for it (TODO: not an exact list):
+* [[WLAN::spacenet;5GHz;802.11ac;Spacenet]]
+* [[WLAN::spacenet_legacy;2.4GHz;802.11g;Spacenet for hardware that does not have a 5GHz WLAN interface]]
+* [[WLAN::ackspacewifi;2.4GHz;802.11g;More or less reserved for IoT and the like. Usage is discouraged]]
+{{#subobject:
+ |SSID=test
+ |Band=2.4GHz
+ |IEEE=802.11g
+ |Text=Fake!
+}}
+{{#ask: [[WLAN:: ~spacenet*; ?; ? ; ?]] }}
 {| class="wikitable"
 ! scope="col" | SSID

Difference between revisions of "Spacenet"

Revision as of 10:18, 19 April 2019

Contents

Certificate

Connecting

Linux

Windows 7

EAP-MSCHAPv2

EAP-TLS

iOS (iPhone and iPad)

SailfishOS (Jolla)

How to register

Info for freeradius admin

NTLM.py

Available SSID's

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools