Friday 4 February 2011

LAP - WPA Wireless Security

OK, this one was one of the tasks I set myself at the end of my project last year. I just could not get to grips with the wpa-supplicant documentation. It seemed from reading it that I would have to rebuild my network driver or get a new one or, or, some other bloody stupid thing. Anyway, pleasantly it turned out to be considerably easier than I had led myself to believe.

So, grab the source code, and move to the ramdisk in the usual way:

cd /sources/extras
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
cd /dev/shm

Now, we unpack the source code, and build it with these commands. The [defconfig] is a default config file which basically contains all the usual settings that you would use a [./configure] script to set. It is fucking painful to wade through, and was really what put me off this whole endeavour to date. Helpfully, though, with my Compaq Mini, it worked fine with the default settings. I haven't tested it on any other hardware yet, and it may well b0rk if I do.

tar -xzvf /sources/extras/wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10
cd wpa_supplicant &&
cp defconfig .config
make $CORES_TO_USE
cp -v wpa_cli wpa_supplicant wpa_passphrase /sbin
cd ../..
rm -rvf wpa_supplicant-0.6.10

You will notice we did not [make install]. There was no need, we are just installing the three programs that we [c]o[p]ied to [/sbin].

The software also needs a configuration file to work. To connect to a WPA2-enabled network with a personal key, you would make the following configuration file:

cat > /etc/wpa_supplicant.conf << "EOF"
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1

network={
        ssid="NAME OF NETWORK"
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=CCMP TKIP
        group=CCMP TKIP
        psk="VERY SECRET PASSPHRASE"
}
EOF

The NAME OF NETWORK and VERY SECRET PASSPHRASE should be obvious. If you just want to connect to a WEP enabled network, wpa_supplicant can handle that as well. Just make this configuration file instead:

cat > /etc/wpa_supplicant.conf << "EOF"
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
update_config=1
network={
        ssid="NAME OF NETWORK"
        key_mgmt=NONE
        #wep_key0="passphrase"
        wep_key0=HEXCODE
        wep_tx_keyidx=0
}
EOF

Obviously you set the [wep_key0] to whatever you use, either hexcode or passphrase. The [#] operates in the usual way, so that line is blanked out in the example above.

You have the option of putting both the WPA2 and WEP in the same .conf file. What you do is just copy the [network={...}] bit and paste it at the bottom of your .conf file. If you move your laptop/netbook around different locations, you will end up with a list of different network settings. What you then have to do is, at the end of each [network={...}] bit, put a line just before the [}] saying [priority=] and then a number. The software will try the highest numbered networks first, so make sure you give your usual networks the highest priorities.

Incidentally if you want to use WPA rather than WPA2 and you have a Compaq Mini netbook, then as far as my rigorous testing has been able to determine, you are going to have to learn to live with disappointment. I have tried three separate routers, and it just doesn't fucking work.

Lastly we need to create a script to run on boot to run the software:

cat > ~/wifi_wpa_wl.sh << "EOF"
rmmod b43 
rmmod ssb 
rmmod wl
rmmod lib80211
modprobe lib80211
modprobe wl
wpa_supplicant -D wext -i eth1 -c/etc/wpa_supplicant.conf -B
dhcpcd eth1
EOF

You will spot the similarity to the iwconfig wifi script I used in the past. The [-D wext] setting tells the software it can use the standard Linux [w]ireless [ext]ensions, and not some fancy driver. These must be installed with the kernel, because I do not remember compiling them. The [i]nterface and [c]onfiguration file commands are self explanatory. The [B] option tells it to run as a daemon.

Useful tips:
Run the wpa_supplicant command from the script with -d instead of -B to test the settings and report back error messages. The command:

wpa_passphrase ESSID PASSPHRASE

(where ESSID is the name of your wireless network, and PASSPHRASE is, well, work it out) will output a hashed version of your passphrase (the 256-bit key derived from the passphrase and the ESSID) for you to pop into the wpa_supplicant.conf file instead of the clear text. Remember to:

chmod 600 /etc/wpa_supplicant.conf

to protect the file from all but root. You can also run:

wpa_cli status
wpa_cli scan
wpa_cli scan_results

to obtain some self evident information.
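
What wpa_passphrase computes, and a way to write the resulting file with 0600 permissions from the start, as an added example that is not part of the original post. The function names are made up for illustration, and the sample SSID "IEEE" with passphrase "password" is the published IEEE 802.11i test vector, not a real network. The derived key is still enough to join that one network, which is why the chmod matters.

```python
import hashlib
import os
import tempfile

HEADER = ("ctrl_interface=/var/run/wpa_supplicant\n"
          "ctrl_interface_group=0\n"
          "update_config=1\n\n")

def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-digit key that wpa_passphrase prints on its psk= line."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    # WPA-Personal: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               salt, 4096, 32).hex()

def network_block(ssid: str, passphrase: str, priority: int = 0) -> str:
    """Build a WPA2 network={...} block like the post's, with the derived key."""
    if any(c == '"' or ord(c) < 0x20 for c in ssid):
        raise ValueError("SSID not representable as a quoted string")
    return ("network={\n"
            f'\tssid="{ssid}"\n'
            "\tproto=RSN\n"
            "\tkey_mgmt=WPA-PSK\n"
            "\tpairwise=CCMP TKIP\n"
            "\tgroup=CCMP TKIP\n"
            f"\tpsk={derive_psk(ssid, passphrase)}\n"  # hex key is written unquoted
            f"\tpriority={priority}\n"
            "}\n")

def write_conf(path: str, blocks: list) -> None:
    """Write the config so the key is never readable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)  # tighten a pre-existing file before writing the key
        f.write(HEADER + "\n".join(blocks))

if __name__ == "__main__":
    # Constructed sample written to a temp directory, not to /etc
    out = os.path.join(tempfile.mkdtemp(), "wpa_supplicant.conf")
    write_conf(out, [network_block("IEEE", "password", priority=5)])
    print(open(out).read())
```

wpa_passphrase itself also prints the clear-text passphrase as a commented-out #psk= line, so delete that line if you paste its output into the file.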
