Introduction: Project GATEKEEPER

For our Hackathon project, we decided to build a “gatekeeper” out of our Raspberry Pi. In essence, we turned the Raspberry Pi into a wireless router, then used that router as the point at which a user's network connection is authenticated. During the process, we had to set up two separate networks: an unsecured network used only for authentication, and a second network protected by the 802.1x protocol. To authenticate the connection, we used the network security tool “nmap” and parsed its XML output file. If the iptables rules are uploaded successfully and are correct, the user is then able to use the internet.

Step 1: Configure the Raspberry Pi As Wireless Router

To begin, our first step was to configure the Raspberry Pi device as a wireless router. Because we did not have an Ethernet port available, we had to configure everything over a wireless connection. The steps for configuring the Raspberry Pi are listed below:

The first step was to check and see our network configuration:

ifconfig

Next, we had to disable the wlan0:

sudo ifdown wlan0

The next step consisted of simply updating the package lists and installing the access-point daemon and the DHCP server:

sudo apt-get update

sudo apt-get install hostapd isc-dhcp-server

We then needed to configure the DHCP server:

sudo nano /etc/dhcp/dhcpd.conf

Below is a brief look at our network setup:

subnet 192.168.42.0 netmask 255.255.255.0 {
    range 192.168.42.10 192.168.42.50;
    option broadcast-address 192.168.42.255;
    option routers 192.168.42.1;
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local";
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}

The DHCP server's INTERFACES variable then had to be set to “wlan0”, so that the server listens on that device for inbound requests. Next we edited the interface configuration:

sudo nano /etc/network/interfaces

Below is a brief look at the wlan0 setup:

allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.42.1
    netmask 255.255.255.0
    up iptables-restore < /etc/iptables.ipv4.nat

Then we needed to force wlan0 to use a static IP by entering:

sudo ifconfig wlan0 192.168.42.1

The next thing to do now is to set up how users connect with the wireless network:

sudo nano /etc/hostapd/hostapd.conf

Below is a brief look at the file parameters (hostapd expects each line as key=value, with no spaces around the equals sign):

interface=wlan0
driver=nl80211
ssid=pi-ap
hw_mode=g
channel=6
# 0 = accept every client MAC unless it is listed in the deny file
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
# TKIP is the legacy WPA cipher; CCMP (AES) is used for WPA2 clients
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Next, the path to this configuration file must be specified in the hostapd defaults file:

sudo nano /etc/default/hostapd

Then, we had to enable IP forwarding (which NAT depends on) by entering:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Next we set up the iptables for forwarding:

sudo iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
sudo iptables -A FORWARD -i wan1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o wan1 -j ACCEPT

Now we had to save our iptables for next startup:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

We edited the /etc/network/interfaces file earlier and added “up iptables-restore < /etc/iptables.ipv4.nat”. This restores the iptables rules from that dump each time wlan0 comes up.

To test that we’ve done everything correctly, we launch hostapd in the foreground with our configuration file, then start both services:

sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf
sudo service hostapd start
sudo service isc-dhcp-server start

Step 2: Setting Up the NMAP XML Parser

See below for part 1 of the NMAP XML Parser script:

from libnmap.parser import NmapParser

# Parse the XML report written by "nmap -oX nmap_output.xml ..."
rep = NmapParser.parse_fromfile('nmap_output.xml')

for _host in rep.hosts:
    host = ', '.join(_host.hostnames)
    ip = _host.address
    print("HostName: ", host, "--", ip)
    host_string = ip

    # OS fingerprint guesses (only present when nmap was run with -O)
    for osmatch in _host.os.osmatches:
        os = osmatch.name
        accuracy = osmatch.accuracy
        print("Operating System Guess: ", os, "Accuracy Detection", accuracy)

    # Every port nmap reported on this host, with its state and service name
    for services in _host.services:
        print(services.port, services.protocol, services.state, services.service)
        server_address = (host_string, services.port)
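The parser above relies on python-libnmap. As an added example (not part of the original project), the following reads the same nmap XML with only the standard library and then applies the gatekeeper's decision step that the page describes but does not show: deciding from the scan whether a client may pass. The XML report is a constructed sample, and the DISALLOWED_PORTS policy and the guest subnet check are assumptions of this example, not rules from the project.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what "nmap -O -oX nmap_output.xml 192.168.42.10" writes,
# trimmed to the elements the gatekeeper looks at.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX nmap_output.xml 192.168.42.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.42.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <hostnames><hostname name="guest-laptop" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Assumed policy: a client exposing any of these services is not let through.
DISALLOWED_PORTS = {("tcp", 445), ("tcp", 139), ("tcp", 23)}


def parse_nmap_xml(xml_text):
    """Return one dict per scanned host: ip, hostnames, open ports, OS guesses."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        ip = None
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
        open_ports = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                svc = p.find("service")
                open_ports.append((p.get("protocol"), int(p.get("portid")),
                                   svc.get("name") if svc is not None else ""))
        os_guesses = [(m.get("name"), int(m.get("accuracy")))
                      for m in h.findall("os/osmatch")]
        names = [n.get("name") for n in h.findall("hostnames/hostname")]
        hosts.append({"ip": ip, "hostnames": names,
                      "open_ports": open_ports, "os": os_guesses})
    return hosts


def evaluate(host, subnet="192.168.42.0/24"):
    """Decide whether a scanned client may pass the gate. Returns (allowed, reasons)."""
    reasons = []
    if host["ip"] is None or ipaddress.ip_address(host["ip"]) not in ipaddress.ip_network(subnet):
        reasons.append("address not in the guest subnet")
    for proto, port, name in host["open_ports"]:
        if (proto, port) in DISALLOWED_PORTS:
            reasons.append("disallowed open port %s/%d (%s)" % (proto, port, name))
    return (not reasons, reasons)


def check_report(xml_text):
    """Map each scanned IP to its (allowed, reasons) verdict."""
    return {h["ip"]: evaluate(h) for h in parse_nmap_xml(xml_text)}


if __name__ == "__main__":
    for ip, (ok, why) in check_report(SAMPLE_NMAP_XML).items():
        print(ip, "ALLOW" if ok else "DENY", "; ".join(why))
```

Only ports whose state element reads "open" count against the client; the closed port 80 in the sample is ignored, while the open SMB port 445 produces a DENY verdict with a human-readable reason that can be logged.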

Step 3: Setting Up DHCDETECT

from isc_dhcp_leases.iscdhcpleases import IscDhcpLeases

leasepath = '/var/insecure.lease'


def detect(oldlist):
    """Compare the current leases on the unsecured network with the
    addresses seen on the previous pass.

    :param oldlist: list of client IPs seen on the previous call
    :rtype: tuple of lists (current, new, lost)
    """
    checkthese = []   # new clients that still have to be scanned
    tmplist = []      # every client holding a valid lease right now
    leasefile = IscDhcpLeases(leasepath)
    leaselist = leasefile.get()
    for lease in leaselist:
        if lease.valid:
            tmplist.append(lease.ip)
            if lease.ip in oldlist:  # TODO: Decide on things
                continue
            checkthese.append(lease.ip)
    # clients whose lease expired or was released since the last pass
    lostlist = list(set(oldlist) - set(tmplist))
    return (tmplist, checkthese, lostlist)

Step 4: Setting Up Authentication Server

We'll render HTML templates and access data sent by POST using the request object from flask.

redirect and url_for are used to redirect the user once the upload is done, and send_from_directory lets us send back and show in the browser the file that the user just uploaded.
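The page describes the authentication server but does not show its code. As an added example (not the project's own code), here is the core of such a portal: a login form, a constant-time credential check, and the per-client iptables rule that opens the gate once the client has passed. It uses the standard library's http.server instead of Flask so it runs without extra packages; the user table, the PBKDF2 salt, the /welcome path and the deny-by-default forwarding model (a client is only let through by its own ACCEPT rule) are assumptions of this example. The interface names wlan0 and wan1 are the ones used in Step 1.

```python
import hashlib
import hmac
import ipaddress
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed demo credential: salted PBKDF2 hash of the password "correct horse".
# A real deployment would load this from a file or database (assumed layout).
_SALT = b"gatekeeper-demo-salt"
USERS = {"guest": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100000)}
GUEST_NET = ipaddress.ip_network("192.168.42.0/24")


def check_credentials(username, password):
    """True only if the user exists and the password matches; compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100000)
    stored = USERS.get(username)
    if stored is None:
        return False  # hash already computed, so unknown users cost the same time
    return hmac.compare_digest(stored, candidate)


def allow_rules(client_ip, uplink="wan1"):
    """iptables command(s) that let one authenticated client through the gate.
    Inserted at the top of FORWARD so only this source address is opened."""
    ip = ipaddress.ip_address(client_ip)
    if ip not in GUEST_NET:
        raise ValueError("refusing to authorise an address outside the guest subnet")
    return [["iptables", "-I", "FORWARD", "-i", "wlan0", "-o", uplink,
             "-s", str(ip), "-j", "ACCEPT"]]


LOGIN_FORM = (b"<form method='post'><input name='username'>"
              b"<input name='password' type='password'><button>Login</button></form>")


class Portal(BaseHTTPRequestHandler):
    def do_GET(self):
        body = LOGIN_FORM if self.path == "/" else b"<p>You are through the gate.</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pwd = form.get("password", [""])[0]
        # Authorise the socket peer address, never an address taken from a
        # client-supplied header, since the client could set that to any value.
        client_ip = self.client_address[0]
        if check_credentials(user, pwd):
            for cmd in allow_rules(client_ip):
                subprocess.run(cmd, check=True)  # needs root on the Pi
            self.send_response(303)
            self.send_header("Location", "/welcome")
            self.end_headers()
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"login failed")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Portal).serve_forever()
```

In the full GATEKEEPER flow the nmap verdict from Step 2 would also be consulted before allow_rules() is applied; the rule is keyed to the client's source address, which is why the example refuses any address outside the guest subnet.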

Step 5: Script to Run GATEKEEPER Program

import os

from auth import server

if __name__ == '__main__':
    version = "0.0.1"
    print("Welcome to DMZ scanning code version: " + version)

    # Spin up the Flask authentication server on every interface
    print(os.getcwd())
    server.app.run(
        host="0.0.0.0",
        port=8080,
        debug=True)  # debug=True enables the Werkzeug debugger; keep it for development only

Step 6: View of Login Webpage

Step 7: Full Instructable (Word Doc)