Securing A Public Access Point


RuudschMaHinda


Hey there savvy hackers and coders... I am in need of your help.

I want to set up a public AP. So far so good.. BUT I want every connection to be secure from the other users currently logged in.

This is what I have in mind:

I will build some cheap router, like Darren did some episodes ago, with an ITX-board, onboard LAN and a WiFi-card... there I would want to install Ubuntu and use coovachilli to redirect to the hotspotlogin.cgi... the hotspotlogin.cgi would be SSL-encrypted...

Now here is the thing I want to do, and can't find any kind of guide on the net... so let's work together:

I want the URL the user entered into his web browser caught by coovachilli, and thought of putting this one into a frame in the hotspotlogin.cgi... which then again would be SSL-encrypted... thus no one could sniff the traffic...

(besides using sslstrip, but that would suggest the missing 's' and lock)

So my main questions are:

How can I catch the URL the user has entered into his browser?

And would it actually work to put an unencrypted http-site into a frame of an https-site (hotspotlogin.cgi?), meaning: would it really encrypt everything?

Will I need a radius-server for that?

Or is there another easier way to secure every user's connection without them having to do anything but connect to the AP (which would be way cooler, since they could use pop3 and smtp as well)?

At the moment I am as far as having installed Ubuntu Server 10.04 LTS and soon apache2 (which will provide the hotspotlogin.cgi - so the tutorials say).

Lots of thanks in advance...

RMH

p.s.: I hope I chose the right forum section, and please forgive any strange English since I am German...
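The two questions above (catching the original URL, and whether framing an http page inside an https portal encrypts it) can be answered with a small handler. This is an added example, not code from the thread or from CoovaChilli: it assumes the portal receives the caught destination as a `userurl` query parameter (the name CoovaChilli's UAM redirect uses; check it against your chilli version) and uses a constructed query string as input.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the query string the captive-portal CGI receives after
# chilli catches a client's first HTTP request. All values are made up.
SAMPLE_QUERY = ("res=notyet&uamip=10.1.0.1&uamport=3990"
                "&challenge=0123456789abcdef0123456789abcdef"
                "&mac=00-11-22-33-44-55&ip=10.1.0.23"
                "&userurl=http%3A%2F%2Fwww.example.com%2Fmail%2Finbox")


def original_url(query_string):
    """Return the URL the client originally asked for, or None if absent.

    Assumption: the redirect carries it in the 'userurl' parameter.
    """
    values = parse_qs(query_string).get("userurl")
    return values[0] if values else None


def traffic_stays_encrypted(frame_url):
    """True only if the framed page is itself served over TLS.

    An https portal that frames an http:// page does not encrypt that
    page: the browser fetches the frame's content with plain HTTP, so
    anyone on the same open AP can still sniff it (mixed content).
    """
    return urlsplit(frame_url).scheme.lower() == "https"


def portal_decision(query_string):
    """Decide what hotspotlogin.cgi should do with the caught URL."""
    url = original_url(query_string)
    if url is None:
        return {"url": None, "action": "show_portal_only"}
    if traffic_stays_encrypted(url):
        # Safe to send the user on after login; the site is TLS anyway.
        return {"url": url, "action": "redirect_after_login"}
    # Framing it would leave the inner traffic in the clear.
    return {"url": url, "action": "warn_plain_http"}
```

The takeaway is that the frame trick only protects sites that already speak HTTPS; for everything else (POP3, SMTP, plain HTTP) the protection has to come from the link layer or a tunnel, which is what the later replies suggest.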


One possibility is to do something similar to my university, which has a captive portal that, once authenticated, downloads, installs and runs Juniper Network Connect, which connects to an SSL VPN.

A cheaper possibility is to have 2 SSIDs. On one of them, capture all traffic and give each user a username and password. On the second one, run WPA2-Enterprise and let them authenticate with said username and password. I don't know how easy it would be to set up though.


I think a proxy server in this scenario would work a lot better. The moment the proxy server intercepts a connection going out to the internet, it could use some form of redirection mechanism to reroute the client to an HTTPS server that contains the captive portal sign-on page.

As soon as the client enters the login details it would send the client out to the internet. By the way, you could use squid to set up a proxy server, and for the authentication side of it, you could use Windows Active Directory.

Edited by Infiltrator

Thanks for the fast answers...

I think I'll try the proxy idea first, since this would be a little cheaper and I don't want to limit the use of the AP to Windows users.

But then again I don't want anyone having to use a password... yet I think this should be possible (since it will be a public AP).

Yet there are questions to ask:

Could the proxy provide SSL encryption to every client? (As I said, I wouldn't want the AP users to spy on each other.)

I'll let you know about my advances.. in a few days...

RMH


@RuudschMahinda, I have found a wiki directly from the squid website that explains how to configure HTTPS; however, I did not have much success in getting it to work. I have also read in other forums that it may not be possible to configure squid as an HTTPS proxy.

http://wiki.squid-cache.org/ConfigExamples...dcardCertifiate


You are probably going to end up implementing SSH or VPN in one way or another.

There are quite a few Java SSH clients that you could probably pre-configure.

KiTTY is a great way to distribute a pre-configured SSH client for Windows users.

A quick Google seems to show that creating a VPN using ONLY Java isn't possible, although I wouldn't be surprised if I was wrong.

Another problem with a VPN is that the user will have to have admin privileges.
