[dundee] Instant hotspot Idea

Arron M Finnon finux at finux.co.uk
Fri Dec 11 11:59:12 UTC 2009 

Marcel Hecko wrote:
> Sean gimme a break! If you want anything to be connected to the internet 
> you need some kind of "device" - all the time I am talking about an 
> ADDITIONAL device to the one already being used. DNAT and DHCP are 
> available on basically any DSL/whatever modem and I am presuming DNS is 
> set through DHCP in most of the cases.
> Tunneling TCP/80 traffic through UDP/53 (most of the cases) would be an 
> interesting idea though :)
> The easiest way would be for user to change DNS server, however if you 
> DNAT all TCP,UDP/53 requests to the dedicated DNS server the above 
> threat dissapears.
>   
Just out of interest; i'm thinking that tunnelling SSH over DNS might
still be answer for an attacker and then tunnel their traffic through an
SSH session.   http://www.dnstunnel.de/
> Marcel
>
> Sean McRobbie wrote:
>   
>> DNAT = device required
>> DHCP = device required
>> DNS via DHCP = optional
>>
>> You can apparently tunnel via DNS too to break out of some hotspots.
>>
>> Regards,
>> Sean McRobbie
>>
>> ----- Original Message -----
>> From: "Marcel Hecko" <marcel at shmu.org.uk>
>> To: "Tayside Linux User Group" <dundee at lists.lug.org.uk>
>> Sent: Friday, 11 December, 2009 9:41:24 AM
>> Subject: Re: [dundee] Instant hotspot Idea
>>
>> Sorry, to more clear - you only need one public installation for many 
>> LANs. So the solution can be offered on SaS basis.
>>
>> Marcel
>>
>> Robert Ladyman wrote:
>>   
>>     
>>> I'm puzzled - if there's no hardware involved, what's handing out your DNS 
>>> addresses and CSS?
>>>
>>>   
>>>     
>>>       
>>>> Sean, what is the Mikrotik bug you heave reported?
>>>>
>>>> Well, it might not be that simple to bypass. If you force DNS for the
>>>> users using DNAT it will be ratrer more complex, because you will have
>>>> to either:
>>>> - disable cookies
>>>> - disable CSS
>>>> - block the retreival of one particular CSS file (if the name of the css
>>>> file is not generated randomly:))
>>>> - rewrite HTML upon its retreival from proxy
>>>>
>>>> Well, of course the solution is not very secure, however it does create
>>>> the possibility to create extremely simple Captive system for
>>>> non-sysadmins for Internet Cafes, small hotspot networks and so on - and
>>>> absolutely no HW necessarry.
>>>>
>>>> Im working on the Proof of concept right now. Will let you know once
>>>> this is ready.
>>>>
>>>> Marcel
>>>>
>>>> Sean McRobbie wrote:
>>>>     
>>>>       
>>>>         
>>>>> Mikrotik still haven't fixed some majorly annoying bug I've reported on
>>>>> hotspot.
>>>>>
>>>>> The DNS idea is unfortunately too simple - people like me will bypass it
>>>>> (without even knowing so too).
>>>>>
>>>>> Regards,
>>>>> Sean McRobbie
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Marcel Hecko" <marcel at shmu.org.uk>
>>>>> To: "Tayside Linux User Group" <dundee at lists.lug.org.uk>
>>>>> Sent: Friday, 11 December, 2009 8:44:16 AM
>>>>> Subject: Re: [dundee] Instant hotspot Idea
>>>>>
>>>>> That would require a separate physical PC between the Internet and LAN -
>>>>> I have tested many solutions like that and we are using the one from
>>>>> Mikrotik on one of our networks right now, however that is not exactly
>>>>> my vision - the idea plotted is based on the premise that no additional
>>>>> equipments has to be installed and yet works per-user.
>>>>> It has many many limitations, but for the basic service it's a brilliant
>>>>> idea :)
>>>>>
>>>>> Marcel
>>>>>
>>>>> Robert Ladyman wrote:
>>>>>       
>>>>>         
>>>>>           
>>>>>> I think that ZoneCD might be what you want.
>>>>>>
>>>>>> http://www.publicip.net/
>>>>>>
>>>>>>         
>>>>>>           
>>>>>>             
>>>>>>> I have a dream.
>>>>>>> A dream about instant captive portal solution. The deployment would
>>>>>>> only require the network admin to change the DNS settings for LAN
>>>>>>> users. The idea flows in my head approximately like this:
>>>>>>>
>>>>>>> USER requests foo.com
>>>>>>> DNS responds with IP for pong.com
>>>>>>> pong.com is a (Squid) proxy which downloads foo.coms index.html
>>>>>>> proxy adds a link for css stylesheet file located on pong.com server to
>>>>>>> index.html page from foo.com
>>>>>>> the changed index.html is served to USER
>>>>>>> USER requests css file from pong.css server - creates HTTP GET request
>>>>>>> if (HTTP request for style.css on pong.com includes users cookies) {
>>>>>>>   the style.css is a blank file
>>>>>>>   } else {
>>>>>>>   the stylesheet is designed the way to render the foo.com index page
>>>>>>> unreadable and displays notice on how to register on pong.com
>>>>>>> }
>>>>>>> the registration would set proper cookie in users browser for pong.com
>>>>>>>  domain
>>>>>>>
>>>>>>> Of course, style.css can easily be changed to any other element of the
>>>>>>> page - such as IMG , but stylesheet would serve quite well.
>>>>>>>
>>>>>>> Now, is there any DNS/HTTP/COOKIE expert who can tell me whether this
>>>>>>> is actually technically possible to do? I believe it is and I also
>>>>>>> think that I have never seen such a service in practice.
>>>>>>>
>>>>>>> I am finishing this mail with one of my mottos:
>>>>>>> "Life is to short to keep secrets"
>>>>>>>
>>>>>>> Marcel
>>>>>>>
>>>>>>> please reply to
>>>>>>> marcel at shmu.org.uk
>>>>>>>
>>>>>>> Marcel Hecko
>>>>>>> Connected SHMU Project Manager
>>>>>>> Station House Media Unit
>>>>>>> Station Road, Woodside,
>>>>>>> Aberdeen  AB24 2WB
>>>>>>> Tel - 01224 487174
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> www.shmu.org.uk
>>>>>>>
>>>>>>> listen to our community radio station live at www.shmufm.net
>>>>>>>
>>>>>>> -----------------------------------------------------------------------
>>>>>>> ---- ------------ This message is not intended to have contractual
>>>>>>> effect
>>>>>>> -----------------------------------------------------------------------
>>>>>>> ---- ------------
>>>>>>>
>>>>>>> Save a tree -  don't print this e-mail or any attachment unless
>>>>>>> absolutely necessary.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> dundee GNU/Linux Users Group mailing list
>>>>>>> dundee at lists.lug.org.uk  http://dundeelug.org.uk
>>>>>>> https://mailman.lug.org.uk/mailman/listinfo/dundee
>>>>>>> Chat on IRC, #tlug on irc.lug.org.uk
>>>>>>>           
>>>>>>>             
>>>>>>>               
>>>   
>>>     
>>>       
>>   
>>     
>
>
>   


-- 
Arron "finux" Finnon

Finux.co.uk/blog - Twitter.com/f1nux - facebook.com/finux

Podcasting for HPR, shows can be found at;
http://hackerpublicradio.org/correspondents.php?hostid=85




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.lug.org.uk/pipermail/dundee/attachments/20091211/a3221038/attachment.htm

More information about the dundee mailing list