Introduction: Project GATEKEEPER
For our Hackathon project, we decided to turn our Raspberry Pi into a “gatekeeper”. In essence, we configured the Raspberry Pi as a wireless router, then used that router to authenticate each user's network connection before letting it through. During the process we had to set up two separate networks: an unsecured network used only for authentication, and a second network protected with 802.1X. To check a connecting host, we ran the network scanner nmap against it and parsed nmap's XML output. If the resulting iptables rules are installed successfully and the checks pass, the user is then able to use the internet. (An nmap scan only reports what a host exposes and what OS it appears to run; it is a posture check on the client, not proof of who is sitting behind it, so it complements the login step rather than replacing it.)
Step 1: Configure the Raspberry Pi As Wireless Router
To begin, our first step was to configure the Raspberry Pi as a wireless router. Because we did not have an Ethernet port available, we had to do all of the configuration over a wireless connection. The steps for configuring the Raspberry Pi are listed below:
The first step was to check our current network configuration:
ifconfig
Next, we brought wlan0 down so it could be reconfigured:
sudo ifdown wlan0
The next step was to update the package lists and install hostapd (the access point daemon) and the ISC DHCP server:
sudo apt-get update
sudo apt-get install hostapd isc-dhcp-server
We then needed to configure the DHCP server:
sudo nano /etc/dhcp/dhcpd.conf
Below is a brief look at our network setup:
subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
The INTERFACES variable then had to be set to “wlan0” in /etc/default/isc-dhcp-server. This tells the DHCP server to listen on that interface for DHCP requests.
sudo nano /etc/network/interfaces
Below is a brief look at the wlan0 setup:
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
up iptables-restore < /etc/iptables.ipv4.nat
Then we gave wlan0 its static IP immediately, without waiting for a reboot:
sudo ifconfig wlan0 192.168.42.1
The next thing to do is to set up how users connect to the wireless network, in the hostapd configuration file:
sudo nano /etc/hostapd/hostapd.conf
Below is a brief look at the file parameters:
# AP interface and driver
interface=wlan0
driver=nl80211
# Network name, 2.4 GHz 802.11g, channel 6, SSID broadcast on
ssid=pi-ap
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# WPA2 with a pre-shared key; "Raspberry" is only the example passphrase
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
hostapd does not tolerate spaces around the = sign, so the keys must be written exactly as above. With wpa=2 only the rsn_pairwise setting (CCMP, i.e. AES) is used; the wpa_pairwise=TKIP line applies to WPA1 only and can be dropped. Replace the example passphrase with a long random one before putting the access point on the air.
Next you must point hostapd at this conf file in its defaults file, by setting DAEMON_CONF="/etc/hostapd/hostapd.conf" in:
sudo nano /etc/default/hostapd
Then we had to enable IP forwarding, so the Pi will route between its interfaces (this setting is lost on reboot unless net.ipv4.ip_forward=1 is also set in /etc/sysctl.conf):
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Next we set up the iptables rules for NAT and forwarding (wan1 is the upstream, internet-facing interface):
sudo iptables -t nat -A POSTROUTING -o wan1 -j MASQUERADE
sudo iptables -A FORWARD -i wan1 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o wan1 -j ACCEPT
Note that the last rule forwards everything from wlan0 unconditionally. For the gatekeeper to actually gate anything, the FORWARD chain's default policy has to be DROP (iptables -P FORWARD DROP) and an ACCEPT rule added per client only after that client has passed the check.
Now we had to save our iptables for next startup:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
We edited the /etc/network/interfaces file earlier and added:
“up iptables-restore < /etc/iptables.ipv4.nat”.
This in turn restores the iptables from where we dumped them.
To test that we've done everything correctly, we first launch hostapd in the foreground (Ctrl-C stops it once the pi-ap network shows up on a client), then start both services:
sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf
sudo service hostapd start
sudo service isc-dhcp-server start
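As an added example (not the project's own script), here is a firewall script that turns the rules above into an actual gate: the FORWARD chain defaults to DROP, traffic from the access point is sent through a GATE chain, and a client is only let through once the gatekeeper calls admit. The interface names, the 192.168.42.0/24 network and the auth server port come from the write-up; the GATE chain, the IPT variable, the admit/revoke subcommands and the DNS allowance are my own additions.

```shell
#!/bin/sh
# Gatekeeper firewall for the Pi access point (added example, not the
# project's script). wlan0 = AP side, wan1 = upstream, as in the write-up.
set -eu

AP_IF=wlan0
WAN_IF=wan1
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of applying them

# Baseline: nothing from wlan0 reaches the internet until a client is admitted.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -N GATE
    # Replies to admitted clients' traffic
    $IPT -A FORWARD -i "$WAN_IF" -o "$AP_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Everything the clients send outbound is decided in GATE
    $IPT -A FORWARD -i "$AP_IF" -o "$WAN_IF" -j GATE
    # dhcpd.conf hands out 8.8.8.8 as resolver, so unadmitted clients need DNS
    # to get as far as the login page; nothing else passes until admitted.
    $IPT -A GATE -p udp --dport 53 -j ACCEPT
    # DHCP and the auth server on 192.168.42.1:8080 are INPUT traffic to the
    # Pi itself, not FORWARD, so they are unaffected by this policy.
}

# Open the gate for one client. Matching on both IP and MAC means another
# client cannot inherit the admission simply by being given the same
# address when the lease expires (a spoofer can still forge both, so treat
# this as a tripwire, not a guarantee).
admit_client() {
    $IPT -I GATE -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

revoke_client() {
    $IPT -D GATE -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

case "${1:-}" in
    init)   base_rules ;;
    admit)  admit_client "${2:?IP}" "${3:?MAC}" ;;
    revoke) revoke_client "${2:?IP}" "${3:?MAC}" ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 init | admit IP MAC | revoke IP MAC" >&2; exit 1 ;;
esac
```

Run `sudo ./gate.sh init` once after the interfaces are up (in place of the three iptables lines above, before `iptables-save`), and have the gatekeeper call `gate.sh admit <ip> <mac>` when a client passes and `gate.sh revoke <ip> <mac>` when its lease disappears. `IPT=echo ./gate.sh init` prints the rule set without touching the kernel, which is handy for review.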
Step 2: Setting Up the NMAP XML Parser
See below for part 1 of the NMAP XML parser script. It uses the python-libnmap package (imported as libnmap) to read the XML that nmap writes with -oX; OS guesses are only present if the scan was run with -O:
from libnmap.parser import NmapParser

# Parse the report written by e.g.: nmap -O -sV -oX nmap_output.xml <client ip>
rep = NmapParser.parse_fromfile('nmap_output.xml')

for _host in rep.hosts:
    host = ', '.join(_host.hostnames)
    ip = _host.address
    print("HostName: ", host, "--", ip)
    host_string = ip

    # OS fingerprint guesses with nmap's accuracy percentage for each
    for osmatch in _host.os.osmatches:
        os_name = osmatch.name
        accuracy = osmatch.accuracy
        print("Operating System Guess: ", os_name, "Accuracy Detection", accuracy)

    # One line per scanned port: number, protocol, open/closed/filtered, service name
    for service in _host.services:
        print(service.port, service.protocol, service.state, service.service)
        server_address = (host_string, service.port)
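The script above prints what nmap found but does not yet say whether the host should be let in. The following is an added example, not the page's parser: it reads the same nmap XML with the standard library's xml.etree (so it runs without python-libnmap) and turns the result into an admit/deny decision with reasons. The policy constants (allowed OS families, forbidden open ports, minimum fingerprint accuracy) and the sample report are made up for illustration.

```python
"""Admission decision from an nmap XML report (added example, not the
project's own parser). Standard library only; policy and sample are invented."""
import xml.etree.ElementTree as ET

# Constructed sample: roughly what `nmap -O -sV -oX out.xml 192.168.42.10`
# produces for a Linux laptop with SSH open and SMB closed, trimmed to the
# elements this parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX out.xml 192.168.42.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.42.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <hostnames><hostname name="laptop.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/><service name="microsoft-ds"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="96"/>
      <osmatch name="Linux 3.2 - 4.9" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""

# Hypothetical policy for the gatekeeper.
ALLOWED_OS_PREFIXES = ("Linux", "Mac OS X", "Windows 10", "Windows 11")
FORBIDDEN_OPEN_PORTS = {23, 445, 3389}   # telnet, SMB, RDP
MIN_ACCURACY = 85                        # nmap's confidence in its best OS guess


def parse_report(xml_text):
    """Return one dict per host that is up: ip, mac, hostnames, open_ports, os_matches."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "hostnames": [], "open_ports": [], "os_matches": []}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                entry["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                entry["mac"] = a.get("addr")
        entry["hostnames"] = [n.get("name") for n in h.findall("hostnames/hostname")]
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                svc = p.find("service")
                entry["open_ports"].append((p.get("protocol"), int(p.get("portid")),
                                            svc.get("name") if svc is not None else ""))
        entry["os_matches"] = [(m.get("name"), int(m.get("accuracy")))
                               for m in h.findall("os/osmatch")]
        hosts.append(entry)
    return hosts


def admit(host):
    """Return (admitted, reasons) for one parsed host; reasons is empty on admit."""
    reasons = []
    if not host["os_matches"]:
        reasons.append("no OS fingerprint (was nmap run with -O?)")
    else:
        name, acc = max(host["os_matches"], key=lambda m: m[1])
        if acc < MIN_ACCURACY:
            reasons.append("OS guess %r only %d%% confident" % (name, acc))
        elif not name.startswith(ALLOWED_OS_PREFIXES):
            reasons.append("OS %r not on the allow list" % name)
    bad = sorted(port for _, port, _ in host["open_ports"] if port in FORBIDDEN_OPEN_PORTS)
    if bad:
        reasons.append("forbidden ports open: %s" % bad)
    return (not reasons, reasons)


def decide(xml_text):
    """Map each scanned IP to its (admitted, reasons) decision."""
    return {h["ip"]: admit(h) for h in parse_report(xml_text)}


if __name__ == "__main__":
    for ip, (ok, why) in decide(SAMPLE_XML).items():
        print(ip, "ADMIT" if ok else "DENY", "; ".join(why))
```

The MAC address is pulled out alongside the IP because the iptables rule the gatekeeper eventually installs should bind both. Keep in mind that a client controls what this scan sees: a host firewall hides ports and OS fingerprints can be confused, so a deny here is meaningful but an admit is only as strong as the login that accompanies it.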
Step 3: Setting Up DHCDETECT
DHCDETECT watches the lease file of the DHCP server on the unsecured network: every new lease is a client that still has to be scanned and authenticated, and a lease that has gone away is a client that has left. It uses the python-isc-dhcp-leases package:
from isc_dhcp_leases.iscdhcpleases import IscDhcpLeases

# Lease file of the dhcpd instance serving the unsecured network
# (the stock Debian location would be /var/lib/dhcp/dhcpd.leases).
leasepath = '/var/insecure.lease'


def detect(oldlist):
    """Compare the current DHCP leases against the IPs seen at the last check.

    :param oldlist: IPs that held a valid lease last time
    :rtype: tuple of lists (current, new, lost)
    """
    checkthese = []   # IPs that appeared since the last check -> scan these
    tmplist = []      # every IP with a currently valid lease
    leasefile = IscDhcpLeases(leasepath)
    leaselist = leasefile.get()
    for lease in leaselist:
        if lease.valid:
            tmplist.append(lease.ip)
            if lease.ip in oldlist:   # already known, nothing to do
                continue
            checkthese.append(lease.ip)
    lostlist = list(set(oldlist) - set(tmplist))   # expired or released since last time
    return (tmplist, checkthese, lostlist)
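To show what the library is doing for DHCDETECT, here is an added example (not the project's code) that parses a dhcpd.leases file with the standard library and computes the same (current, new, lost) triple. The detail worth seeing is that dhcpd appends a new block every time a lease changes, so the last block for an IP is the one that counts, and a lease is only live if its binding state is active and its end time has not passed. The lease text and the clock value NOW are constructed for illustration.

```python
"""Lease-file diff without the isc_dhcp_leases package (added example, not
the project's DHCDETECT). Standard library only; sample data is constructed."""
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases excerpt. 192.168.42.10 appears twice: the later
# block (binding state free) is the current one.
SAMPLE_LEASES = """\
lease 192.168.42.10 {
  starts 3 2024/01/03 10:00:00;
  ends 3 2024/01/03 10:10:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop";
}
lease 192.168.42.11 {
  starts 3 2024/01/03 10:02:00;
  ends 3 2024/01/03 10:12:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 192.168.42.10 {
  starts 3 2024/01/03 10:05:00;
  ends 3 2024/01/03 10:15:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 192.168.42.12 {
  starts 3 2024/01/03 10:06:00;
  ends 3 2024/01/03 10:16:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:03;
}
"""

# Constructed "current time" for the demo: 10:08 UTC on the same day.
NOW = datetime(2024, 1, 3, 10, 8, tzinfo=timezone.utc)

BLOCK_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(
    r"^\s*(starts|ends|binding state|hardware ethernet|client-hostname)\s+(.*?);\s*$", re.M)


def _parse_time(value):
    # dhcpd writes "<weekday> YYYY/MM/DD HH:MM:SS" in UTC; "never" means no expiry.
    if value == "never":
        return None
    stamp = value.split(" ", 1)[1]
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: lease dict}, keeping only the last block written for each IP."""
    leases = {}
    for ip, body in BLOCK_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        leases[ip] = {
            "mac": fields.get("hardware ethernet"),
            "hostname": fields.get("client-hostname", "").strip('"') or None,
            "state": fields.get("binding state"),
            "ends": _parse_time(fields["ends"]) if "ends" in fields else None,
        }
    return leases


def valid_ips(leases, now):
    """IPs whose latest lease is active and has not expired at `now`."""
    return sorted(ip for ip, lease in leases.items()
                  if lease["state"] == "active"
                  and (lease["ends"] is None or lease["ends"] > now))


def detect(old_ips, lease_text, now):
    """Same contract as DHCDETECT's detect(): (current, new, lost)."""
    current = valid_ips(parse_leases(lease_text), now)
    new = [ip for ip in current if ip not in old_ips]
    lost = sorted(set(old_ips) - set(current))
    return current, new, lost


if __name__ == "__main__":
    print(detect(["192.168.42.10", "192.168.42.11"], SAMPLE_LEASES, NOW))
```

The MAC is kept next to each IP because an address that shows up in `lost` and then reappears in `new` with a different MAC is a different machine, even though the IP is the same, and the gate rule for the old client must not simply carry over.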
Step 4: Setting Up Authentication Server
The authentication server is a small Flask application. We render HTML templates and read the data sent by POST through Flask's request object. redirect and url_for are used to send the user on to the next page once the form has been submitted, and send_from_directory serves the file the user just uploaded back to the browser.
Step 5: Script to Run GATEKEEPER Program
import os
from auth import server   # the Flask application from Step 4 (server module of the auth package)

if __name__ == '__main__':
    version = "0.0.1"
    print("Welcome to DMZ scanning code version: " + version)
    # Spin up the authentication server, reachable from the unsecured network
    print(os.getcwd())
    # debug=True enables the Werkzeug debugger, which lets anyone who can reach
    # port 8080 execute Python on the Pi; turn it off outside the hackathon demo.
    server.app.run(
        host="0.0.0.0",
        port=8080,
        debug=True)