My Access Point firmware is a playground where you can learn by experience. You’ll have the opportunity to try on both offensive security and defensive security.
Gaining experience with offensive techniques is valuable because hacking is perceived as a magical power. If you know a spell and cast it correctly- you can do things that other people can’t. It isn’t magic. It’s logic & taste. If you know where to look, you’ll find spiders in any house. Hackers work the same way. We have an easy time gaining control of systems for four reasons.
- Software quality standards are poor.
- Assessing software quality requires reverse engineering experience
- Humans assume usability is a proxy for measuring software quality
- A defender needs to be right 100% of the time. A hacker only needs to be right once.
There are too many instances of dev education that indexes on getting a demo working quickly. Implementing AuthN/AuthZ logic that protects sensitive operations is a topic that’s typically reserved for advanced courses that not everyone takes. This means hackers tend to have an easy time discovering predictable implementation mistakes. Knowing how hackers are able to access your system forces you to learn the changes you need to make to secure it.
Gaining experience with defensive techniques is not easy. Assessing logs for evidence of attacks & compromise is pretty abstract unless you have an active attacker. When you run the attacks, you can look at the logs for evidence of attack activity. This also helps you get context on the privacy implications of accessing websites. I want to make sure ambitious kids understand that tampering with websites is easy to detect. I don’t want to see any kids getting into trouble with the law because they didn’t understand how traceable scanning is.
Below are the challenges I’ve shared with my daughter. I did quite a bit of hand-holding to get her across the line for hacking the wifi network. My objective is to have her go through these challenges on her own. Ideally, she’ll search the web for context on these questions and start learning how to work these things out on her own. It was self education that got me to this stage of my career. It’s a pattern that I know works, but it seems to be dying in certain subsets of the infosec world. If you decide to run this access point, you can use these challenges as a guide on what to try:
Easy Challenges
- What is the Wifi Password?
- When you are connected to the network, what is default gateway ipaddress and hostname of the default gateway? What is the IP address that was assigned to the device you were attached to? What is the DNS server’s IP address while you’re connected to the hotspot? (Need a clue? check out this video: https://www.youtube.com/watch?v=6PZp7LNKHgk)
- Are you able to connect to the Internet over the hotspot in its default configuration? How did you determine this? Why does or doesn’t it work?
- What possible entry points exist for gaining access to the Hotspot? Describe you tested to discover if the attack is possible? How can you gain shell access to the device? Do not continue to the next section until you have been able to gain access
Medium Challenges
- How do you change the password on the Access Point?
- How do you configure SSHD so that you don’t have to rely on passwords?
- What is the operating system version of the device?
- What services are listening on the device?
- What web server is running on the device?
- Describe any web page you found on the device. What was the URL? Were you able to view it?
- Where are the logs for the webserver stored?
- Where are the files for the webserver stored?
- Can you view the web page?
Advanced Challenges
- What is HostAPD?
- What is an interface?
- What interface is HostAPD running on?
- What is the ipaddress on wlan0?
- What is the ipaddress on eth0? Why?
- Where are the HostAPD access logs?
- What file do you need to edit to change the SSID, Password and wifi security settings?
- What is IP forwarding? What is ip Masquerading?
- What is a “router”?
- What are the major steps for turning our Hacking hotspot into a working wifi access point that gives access to the Internet?
- What is IP Forwarding? How do we enable it?
- How can you change your device into a working access point?
- How do you get connectivity working on the Ethernet Interface?
- Plugging it into a network with DHCP
- Plugging it into a network with static ip addresses
- How do you turn on ip forwarding in linux?
- How do you make it a permanent change?
- How do you activate Network Address translation?
- How do you vend IP addresses to devices that are attached to your network?
Privacy/Security Defense Challenges
- What does an admin know about you while you’re attached to the device?
- What do you see when running tail –f /var/log/hostapd.log while a device attaches to the wifi network?
- What do you see when running tail-f /var/log/dnsmasq.log while a device attaches to the wifi network?
- What do you see when running tail –f /var/log/lighttpd/access.log while a device browses to the web site?
- What are the privacy implications for connecting to a wifi network?
- What information does an Access Point operator have about you if you attach to that network?
- What kind of attacks can an admin execute while you’re attached to the device?
- What is packet sniffing? How could it be done?
- What is a MITM attack? How could it be done?
- What is DNS hijacking? How could it be done?
- How can you harden this access point so that no one could reproduce the attacks you used?
- How do you install software?
- How could you configure SSHD to resist brute force password guesses?
- What is Fail2Ban
- What is nftables?