Difference between revisions of "Spacenet"

Revision as of 17:55, 6 February 2021

Project: Spacenet
Featured:	No
State	Completed
Members	Xopr, Stuiterveer
GitHub	No GitHub project defined. Add your project here.
Description	Connect to an encrypted accesspoint using your own credentials in every hackerspace
Picture

Certificate

Note: this certificate is from April 2015 and is for spacenet only. There is another certificate inside File:Ackspace.ovpn.7z which is for VPN only.

the certificate, as from /etc/freeradius/certs/server.pem

Connecting

Go to the chapter of your operating system below.

Linux

Copy & Paste the certificate above into a file and name it ackspace.pem

Put it in your own home folder.

Linux WIFI settings:

field	setting
Network name	spacenet_legacy (2.4GHz) and/or spacenet (5GHz)
Wireless security	WPA & WPA2 Enterprise
Authentication	Tunneled TLS (TTLS), or PEAP
Anonymous identity	anonymous@ackspace.nl
CA certificate	ackspace.pem
PEAP version (optional)	automatic Inner
Inner authentication	MSCHAPv2 (or PAP without a certificate)
Username	<user>@ackspace.nl
Password	you should know this

auto VPN

If you're using spacenet on a remote (untrusted) location, it's a good idea to use the ACKspace VPN on top of it. You can auto-connect by:

click on the network icon
click Edit Connections...
doubleclick spacenet
go to tab General
check Automatically connect to VPN
select ackspace
click Save

Windows 7

<Da_Syntax>

Windows 7 uses ntlm v2 and will fail trying to authenticate with the router.

In order to fix this run (win+'r') "secpol.msc" and do the following:

Open "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level"

and select "Send LM & NTLM - use NTLMv2 session security if negotiated" from the dropdown box

Press Ok, reboot ... profit!!

</Da_Syntax>

Windows 7 will either support EAP-MSCHAPv2 (username/password) or EAP-TLS (certificates) out-of-the-box.

You should manually create a wireless network under "Manage wireless networks".

Depending on the configuration of your home-RADIUS you should either choose EAP-MSCHAPv2 or EAP-TLS.

EAP-MSCHAPv2

SSID: spacenet
Security type: WPA2-Enterprise
Encryption type: AES
Authentication: Microsoft: Protected EAP (PEAP)

DO NOT USE CERTIFICATE WITH WINDOWS.

DO NOT ENTER RADIUS NAME OR IP.

Validate server certificate (good practice)
- Connect to these servers: common-name of the certificate installed on your RADIUS server
- Trusted root certification authorities: select the CA which signed the certificate installed on your RADIUS server
Authentication method: secured passwords (EAP-MSCHAP v2)
- Do NOT use windows logon name and password (will probably not work for you)
Use user authentication
- Save credentials: user@ackspace.nl with your password

EAP-TLS

Make sure your device has a client certificate issued by your PKI
SSID: spacenet
Security type: WPA2-Enterprise
Encryption type: AES
Authentication: Microsoft: Smart Card or other certificate
Validate server certificate (good practice)
- Connect to these servers: common-name of the certificate installed on your RADIUS server
- Trusted root certification authorities: select the CA which signed the certificate installed on your RADIUS server

iOS (iPhone and iPad)

just use your username and password an accept the certificate.

SailfishOS (Jolla)

For ease of typing on a big keyboard, make sure you have Developer mode and Remote connection enabled. Connect to the phone using SSH, gain root, and create the server certificate.

ssh nemo@<ip>
su-devel
vi /etc/ssl/certs/ACKspace.pem

press i, paste the certificate info, press Esc, :wq followed by enter

Create the WPA2 enterprise config:

vi /var/lib/connman/wifi_spacenet.config

press i and paste the following text:

[service_spacenet]
Type=wifi
Name=spacenet
EAP=peap
CACertFile=/etc/ssl/certs/ACKspace.pem
Phase2=MSCHAPV2
Identity=<user>@ackspace.nl
Passphrase=<your password>

Logout, disable wifi, enable it again. Go to System, WLAN, connect to internet, and tap WLAN spacenet shouldbe in the list; tap to connect.

How to register

To use Spacenet, ACKspace needs to store your plain text username (the part before @ackspace.nl) and an NTLM hash of your password you wish to use.

Note that this hash is based on MD4 which can be cracked in microseconds (Also see wikipedia; Don't use an important password for this. If you use the hashes generator, make sure you enter your password without username or domain etc.

Contact PsychiC, Vicarious, Xopr or Stuiterveer if you'd wish to register.

Info for freeradius admin

edit /etc/freeradius/users Add either one of lines

noobuser Cleartext-Password := "foobar123"

leetuser NT-Password := "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"

NTLM hash generator
(note that there is no roundtrip involved, hash is generated client-side using utf8-to-utf16 little endian and md4 hash)

NTLM.py

Click here to view python examples of NTLM hash generators

  import hashlib,binascii
  passwd = '$password'
  print 'NTLM hash is', binascii.hexlify(hashlib.new('md4', passwd.encode('utf-16le')).digest())
# OR use
  import smbpasswd # via [apt-get install | yum install] python-smbpasswd
  passwd = '$password'
  print 'NTLM hash is', smbpasswd.nthash(passwd)

Available SSID's

Here is the list of available wireless networks:

SSID	Band	IEEE	Text"Text" is a predefined property that represents text of arbitrary length and is provided by Semantic MediaWiki.
spacenet_legacy	2.4GHz	802.11g	Spacenet for hardware that does not have a 5GHz WLAN interface
ACKspaceWifi	2.4GHz	802.11g	More or less reserved for IoT and the like. Usage is discouraged
spacenet	5GHz	802.11ac	Spacenet

Difference between revisions of "Spacenet"

Revision as of 17:55, 6 February 2021

Contents

Certificate

Connecting

Linux

auto VPN

Windows 7

EAP-MSCHAPv2

EAP-TLS

iOS (iPhone and iPad)

SailfishOS (Jolla)

How to register

Info for freeradius admin

NTLM.py

Available SSID's

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools

@@ Line 1: / Line 1: @@
+{{Project
+|Featured=No
+|State=Completed
+|Members=Xopr, Stuiterveer,
+|Description=Connect to an encrypted accesspoint using your own credentials in every hackerspace
+|Picture=Linux_spacenet_connect_dialog.png
+}}
 __TOC__
-We haz [http://spacefed.net/wiki/index.php/Spacenet spacenet].
+We haz [https://spacefed.net/index.php?title=Spacenet spacenet].
 == Certificate ==
+Note: this certificate is from April 2015 and is for spacenet only.
+There is another certificate inside [[file:ackspace.ovpn.7z]] which is for [[VPN]] only.
- -----BEGIN CERTIFICATE-----
+the certificate, as from /etc/freeradius/certs/server.pem
- MIICvDCCAaQCCQCxaXLQG5/vsTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExVy
+{{ACKspaceNetCert}}
- YWRpdXMuYWNrc3BhY2UubG9jYWwwHhcNMTExMTIxMjAwMjI1WhcNMjExMTE4MjAw
- MjI1WjAgMR4wHAYDVQQDExVyYWRpdXMuYWNrc3BhY2UubG9jYWwwggEiMA0GCSqG
- SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0bIFcc/ChNW2WQScUimA0Rb+FqgqiBRUD
- YVp41JVG2LZG6UWorYIk6Sm3nM5ysB3DyPOi6TQVscntO7xtb9IINELjPdPNpKBW
- h44XHvxL2jlBGy1NfFIr8et7PPkU/OyeneL4Rx+eYB/X084vqw9iRQTmbrEnJP2s
- a8iWxFcUZehJ+0TFDhOj44iTfGaF6x1J1UzaEy4N3etxwRjEHF4SnsVB/WndQrVR
- gRVTfi42n5vMaXDuTt/VvcWRM07W9kuTJQecgXdik38eXFQ+bNqAWaqM3WA1y/Un
- SNWHK4ikZdrvDjZceC6HEc7AjcXD3y2DyzkmgyZSTNyMj+YMCSd3AgMBAAEwDQYJ
- KoZIhvcNAQEFBQADggEBAGIfSDy1ZbI+ULiZLDbOxUzI6jdSvwVk2ZdYj4WHdCNc
- rOoRTvUr1UQMFdBwjmvIesQDXWNSRpb5FQxRG7XWBEH5EbEHTPrgM3tB41m0/L5/
- S8lguvTWyDLiUA3du7HSke5RI4YRjBwFyjDB4HmL3QUmbx5O9EZ6bKDQZ8hWx4of
-Rz/ESV8j8K57LyX09EIqNap0h9H4D99KFTuITRZCQCkz5QX//JQvvCI9+SOSme
- IT6xYVaF+vdaRSOZR7YJqt4ILAQR8hOUr8dBoHP57lOoC/cWkZtsS5YnjF1PvKbK
- S49zoEg+BUz+iIl2vQgH/+LGQeJG3XaotKes+QBwfoM=
- -----END CERTIFICATE-----
 == Connecting ==
@@ Line 28: / Line 22: @@
 === Linux ===
-Copy &amp; Paste the certificate above into a file and name it ackspace.pem
+Copy & Paste the certificate above into a file and name it ackspace.pem
 Put it in your own home folder.
-Linux WIFI settings&nbsp;:
+Linux WIFI settings:
-* Wireless security&nbsp;: WPA &amp; WPA2 Enterprise
-* Authentication&nbsp;: Protected EAP (PEAP)
-* Anonymous identity&nbsp;: &lt;leeg&gt;
-* CA certificate&nbsp;: ackspace.pem
-* PEAP version&nbsp;: automatic Inner
-* Authentication&nbsp;: MSCHAPv2
-* Username&nbsp;: &lt;user&gt;'''@ackspace.nl'''
-* Password&nbsp;: &lt;password&gt;
-=== Windows 7 ===
+{| class="wikitable"
+! scope="col" | field
+! scope="col" | setting
+|-
+| Network name || {{#ask:
+ [[SSID::~spacenet*]]
+ |mainlabel=-
+ |headers=hide
+ |?SSID
+ |?Band
+ | format=list
+|sep=&nbsp;and/or&nbsp;
+}}
+|-
+| Wireless security || WPA & WPA2 Enterprise
+|-
+| Authentication || Tunneled TLS (TTLS), or PEAP
+|-
+| Anonymous identity || anonymous@ackspace.nl
+|-
+| CA certificate || ackspace.pem
+|-
+| PEAP version (optional) || automatic Inner
+|-
+| Inner authentication || MSCHAPv2 (or PAP without a certificate)
+|-
+| Username || &lt;user&gt;'''@ackspace.nl'''
+|-
+| Password || you should know this
+|}
-<Da_Syntax>
+[[Image:linux spacenet connect dialog.png|400px]]
-Windows 7 uses ntlm v2 and will fail trying to authenticate with the router.
+==== auto VPN ====
+If you're using spacenet on a remote (untrusted) location, it's a good idea to use the ACKspace [[VPN]] on top of it.
+You can auto-connect by:
+* click on the network icon
+* click ''Edit Connections...''
+* doubleclick '''spacenet'''
+* go to tab ''General''
+* check ''Automatically connect to VPN''
+* select '''ackspace'''
+* click ''Save''
-In order to fix this run (win+'r') "secpol.msc" and do the following:
+[[Image:auto_vpn.png|400px]]
-Open "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level"
+=== Windows 7 ===
-and select "Send LM & NTLM - use NTLMv2 session security if negotiated" from the dropdown box
+<Da_Syntax>
-Press Ok, reboot ... profit!!
+:Windows 7 uses ntlm v2 and will fail trying to authenticate with the router.
+:In order to fix this run (win+'r') "secpol.msc" and do the following:
+:Open "Local Policies" > "Security Options" > "Network Security: LAN Manager authentication level"
+:and select "Send LM & NTLM - use NTLMv2 session security if negotiated" from the dropdown box
+:Press {{b|Ok}}, reboot ... profit!!
 </Da_Syntax>
@@ Line 66: / Line 94: @@
 Depending on the configuration of your home-RADIUS you should either choose EAP-MSCHAPv2 or EAP-TLS.
-=== EAP-MSCHAPv2 ===
+==== EAP-MSCHAPv2 ====
 * SSID: spacenet
 * Security type: WPA2-Enterprise
 * Encryption type: AES
 * Authentication: Microsoft: Protected EAP (PEAP)
+DO NOT USE CERTIFICATE WITH WINDOWS.
+DO NOT ENTER RADIUS NAME OR IP.
 * Validate server certificate (good practice)
 ** Connect to these servers: common-name of the certificate installed on your RADIUS server
@@ Line 90: / Line 125: @@
 [[Image:windows_mschap_5.png]]
-=== EAP-TLS ===
+==== EAP-TLS ====
 * Make sure your device has a client certificate issued by your PKI
 * SSID: spacenet
@@ Line 104: / Line 139: @@
 [[Image:windows_tls_2.png]]
-=== iOS ===
+=== iOS (iPhone and iPad) ===
 just use your username and password an accept the certificate.
+=== SailfishOS (Jolla) ===
+For ease of typing on a big keyboard, make sure you have Developer mode and Remote connection enabled.
+Connect to the phone using SSH, gain root, and create the server certificate.
+ ssh nemo@<ip>
+ su-devel
+ vi /etc/ssl/certs/ACKspace.pem
+press {{k|i}}, paste the certificate info, press {{k|Esc}}, {{k|:}}{{k|w}}{{k|q}} followed by {{k|enter}}
+Create the WPA2 enterprise config:
+ vi /var/lib/connman/wifi_spacenet.config
+press {{k|i}} and paste the following text:
+ [service_spacenet]
+ Type=wifi
+ Name=spacenet
+ EAP=peap
+ CACertFile=/etc/ssl/certs/ACKspace.pem
+ Phase2=MSCHAPV2
+ Identity=&lt;user&gt;'''@ackspace.nl'''
+ Passphrase=<your password>
+Logout, disable wifi, enable it again.
+Go to System, WLAN, connect to internet, and tap WLAN
+spacenet shouldbe in the list; tap to connect.
 == How to register ==
 To use Spacenet, ACKspace needs to store your plain text username (the part before @ackspace.nl) and an '''NTLM hash''' of your password you wish to use.
+Note that this hash is based on MD4 which can be cracked in microseconds (Also see [https://en.wikipedia.org/wiki/MD4#Security wikipedia]; Don't use an important password for this.
 If you use the hashes generator, make sure you enter your password without username or domain etc.
-Contact [[user:PsychiC|PsychiC]] or [[user:Vicarious|Vicarious]] if you'd wish to register.
+Contact [[user:PsychiC|PsychiC]], [[user:Vicarious|Vicarious]], [[User:Xopr|Xopr]] or [[User:Stuiterveer|Stuiterveer]] if you'd wish to register.
-[[Category:Howto/Spacenet]]
+[[Category:Information]]
+== Info for freeradius admin ==
-== Info voor psy ==
+edit /etc/freeradius/users
+Add either one of lines
+:noobuser Cleartext-Password := "foobar123"
+:leetuser NT-Password := "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
-/etc/freeradius/users
+{{#Widget:NTLMgenerator}}
+<div class="mw-collapsible mw-collapsed" id="mw-customcollapsible-spacestate_py">
+==== NTLM.py ====
+<div class="mw-customtoggle-spacestate_py mw-code">Click here to view python examples of NTLM hash generators</div>
+<pre class="mw-collapsible-content">
+  import hashlib,binascii
+  passwd = '$password'
+  print 'NTLM hash is', binascii.hexlify(hashlib.new('md4', passwd.encode('utf-16le')).digest())
+# OR use
+  import smbpasswd # via [apt-get install | yum install] python-smbpasswd
+  passwd = '$password'
+  print 'NTLM hash is', smbpasswd.nthash(passwd)
+</pre>
+</div>
-www.insidepro.com/hashes.php { WARNING PASSWORD IS SENT IN PLAINTEXT}
+== Available SSID's ==
+{{#subobject:
+ |SSID=spacenet
+ |Band=5GHz
+ |IEEE=802.11ac
+ |Text=Spacenet
+}}
+{{#subobject:
+ |SSID=spacenet_legacy
+ |Band=2.4GHz
+ |IEEE=802.11g
+ |Text=Spacenet for hardware that does not have a 5GHz WLAN interface
+}}
+{{#subobject:
+ |SSID=ACKspaceWifi
+ |Band=2.4GHz
+ |IEEE=802.11g
+ |Text=More or less reserved for IoT and the like. Usage is discouraged
+}}
-NTLM:
+Here is the list of available wireless networks:
-Python script (source https://code.google.com/p/py-smbpasswd/)
+{{#ask:
-[apt-get install | yum install] python-smbpasswd
+ [[-Has subobject::{{FULLPAGENAME}}]]
+ |mainlabel=-
+ |?SSID
+ |?Band
+ |?IEEE
+ |?Text
+}}
-  import smbpasswd
+[[Category:Network]]
-  passwd = '$password'
-  print 'LANMAN hash is', smbpasswd.lmhash(passwd)
-  print 'NTLM hash is', smbpasswd.nthash(passwd)
-  print 'both hashes at once = %s:%s (lm:nt)' % smbpasswd.hash(passwd)