[dundee] Instant hotspot Idea
Marcel Hecko
marcel at shmu.org.uk
Fri Dec 11 12:30:16 UTC 2009
Arron M Finnon wrote:
> Marcel Hecko wrote:
>> Sean gimme a break! If you want anything to be connected to the internet
>> you need some kind of "device" - all the time I am talking about an
>> ADDITIONAL device to the one already being used. DNAT and DHCP are
>> available on basically any DSL/whatever modem and I am presuming DNS is
>> set through DHCP in most of the cases.
>> Tunneling TCP/80 traffic through UDP/53 (most of the cases) would be an
>> interesting idea though :)
>> The easiest way would be for user to change DNS server, however if you
>> DNAT all TCP,UDP/53 requests to the dedicated DNS server the above
>> threat disappears.
>>
> Just out of interest; I'm thinking that tunnelling SSH over DNS might
> still be an answer for an attacker and then tunnel their traffic through
> an SSH session. http://www.dnstunnel.de/
I have used `corkscrew` and `tinc` to tunnel out of Robert Gordons Uni
dormitory network - but that was TCP over HTTP through uni's proxy.
m.
>> Marcel
>>
>> Sean McRobbie wrote:
>>
>>> DNAT = device required
>>> DHCP = device required
>>> DNS via DHCP = optional
>>>
>>> You can apparently tunnel via DNS too to break out of some hotspots.
>>>
>>> Regards,
>>> Sean McRobbie
>>>
>>> ----- Original Message -----
>>> From: "Marcel Hecko" <marcel at shmu.org.uk>
>>> To: "Tayside Linux User Group" <dundee at lists.lug.org.uk>
>>> Sent: Friday, 11 December, 2009 9:41:24 AM
>>> Subject: Re: [dundee] Instant hotspot Idea
>>>
>>> Sorry, to be more clear - you only need one public installation for many
>>> LANs. So the solution can be offered on SaS basis.
>>>
>>> Marcel
>>>
>>> Robert Ladyman wrote:
>>>
>>>
>>>> I'm puzzled - if there's no hardware involved, what's handing out your DNS
>>>> addresses and CSS?
>>>>
>>>>
>>>>
>>>>
>>>>> Sean, what is the Mikrotik bug you have reported?
>>>>>
>>>>> Well, it might not be that simple to bypass. If you force DNS for the
>>>>> users using DNAT it will be rather more complex, because you will have
>>>>> to either:
>>>>> - disable cookies
>>>>> - disable CSS
>>>>> - block the retrieval of one particular CSS file (if the name of the css
>>>>> file is not generated randomly:))
>>>>> - rewrite HTML upon its retrieval from proxy
>>>>>
>>>>> Well, of course the solution is not very secure, however it does create
>>>>> the possibility to create extremely simple Captive system for
>>>>> non-sysadmins for Internet Cafes, small hotspot networks and so on - and
>>>>> absolutely no HW necessary.
>>>>>
>>>>> I'm working on the Proof of concept right now. Will let you know once
>>>>> this is ready.
>>>>>
>>>>> Marcel
>>>>>
>>>>> Sean McRobbie wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Mikrotik still haven't fixed some majorly annoying bug I've reported on
>>>>>> hotspot.
>>>>>>
>>>>>> The DNS idea is unfortunately too simple - people like me will bypass it
>>>>>> (without even knowing so too).
>>>>>>
>>>>>> Regards,
>>>>>> Sean McRobbie
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Marcel Hecko" <marcel at shmu.org.uk>
>>>>>> To: "Tayside Linux User Group" <dundee at lists.lug.org.uk>
>>>>>> Sent: Friday, 11 December, 2009 8:44:16 AM
>>>>>> Subject: Re: [dundee] Instant hotspot Idea
>>>>>>
>>>>>> That would require a separate physical PC between the Internet and LAN -
>>>>>> I have tested many solutions like that and we are using the one from
>>>>>> Mikrotik on one of our networks right now, however that is not exactly
>>>>>> my vision - the idea plotted is based on the premise that no additional
>>>>>> equipment has to be installed and yet works per-user.
>>>>>> It has many many limitations, but for the basic service it's a brilliant
>>>>>> idea :)
>>>>>>
>>>>>> Marcel
>>>>>>
>>>>>> Robert Ladyman wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I think that ZoneCD might be what you want.
>>>>>>>
>>>>>>> http://www.publicip.net/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I have a dream.
>>>>>>>> A dream about instant captive portal solution. The deployment would
>>>>>>>> only require the network admin to change the DNS settings for LAN
>>>>>>>> users. The idea flows in my head approximately like this:
>>>>>>>>
>>>>>>>> USER requests foo.com
>>>>>>>> DNS responds with IP for pong.com
>>>>>>>> pong.com is a (Squid) proxy which downloads foo.com's index.html
>>>>>>>> proxy adds a link for css stylesheet file located on pong.com server to
>>>>>>>> index.html page from foo.com
>>>>>>>> the changed index.html is served to USER
>>>>>>>> USER requests css file from pong.css server - creates HTTP GET request
>>>>>>>> if (HTTP request for style.css on pong.com includes user's cookies) {
>>>>>>>> the style.css is a blank file
>>>>>>>> } else {
>>>>>>>> the stylesheet is designed the way to render the foo.com index page
>>>>>>>> unreadable and displays notice on how to register on pong.com
>>>>>>>> }
>>>>>>>> the registration would set proper cookie in user's browser for pong.com
>>>>>>>> domain
>>>>>>>>
>>>>>>>> Of course, style.css can easily be changed to any other element of the
>>>>>>>> page - such as IMG , but stylesheet would serve quite well.
>>>>>>>>
>>>>>>>> Now, is there any DNS/HTTP/COOKIE expert who can tell me whether this
>>>>>>>> is actually technically possible to do? I believe it is and I also
>>>>>>>> think that I have never seen such a service in practice.
>>>>>>>>
>>>>>>>> I am finishing this mail with one of my mottos:
>>>>>>>> "Life is too short to keep secrets"
>>>>>>>>
>>>>>>>> Marcel
>>>>>>>>
>>>>>>>> please reply to
>>>>>>>> marcel at shmu.org.uk
>>>>>>>>
>>>>>>>> Marcel Hecko
>>>>>>>> Connected SHMU Project Manager
>>>>>>>> Station House Media Unit
>>>>>>>> Station Road, Woodside,
>>>>>>>> Aberdeen AB24 2WB
>>>>>>>> Tel - 01224 487174
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> www.shmu.org.uk
>>>>>>>>
>>>>>>>> listen to our community radio station live at www.shmufm.net
>>>>>>>>
>>>>>>>> -----------------------------------------------------------------------
>>>>>>>> This message is not intended to have contractual effect
>>>>>>>> -----------------------------------------------------------------------
>>>>>>>>
>>>>>>>> Save a tree - don't print this e-mail or any attachment unless
>>>>>>>> absolutely necessary.
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> dundee GNU/Linux Users Group mailing list
>>>>>>>> dundee at lists.lug.org.uk http://dundeelug.org.uk
>>>>>>>> https://mailman.lug.org.uk/mailman/listinfo/dundee
>>>>>>>> Chat on IRC, #tlug on irc.lug.org.uk
> --
> Arron "finux" Finnon
>
> Finux.co.uk/blog - Twitter.com/f1nux - facebook.com/finux
>
> Podcasting for HPR, shows can be found at;
> http://hackerpublicradio.org/correspondents.php?hostid=85
>
--
please reply to
marcel at shmu.org.uk
Marcel Hecko
Connected SHMU Project Manager
Station House Media Unit
Station Road, Woodside,
Aberdeen AB24 2WB
Tel - 01224 515013
www.shmu.org.uk
listen to our community radio station live on 99.8FM and at www.shmufm.net
SHMU is a charity registered in Scotland - SC034211 and a registered Limited Company - SC332413
---------------------------------------------------------------------------------------
This message is not intended to have contractual effect
---------------------------------------------------------------------------------------
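
Added example, not part of the original thread: when all TCP/UDP 53 traffic is DNAT-ed to one dedicated resolver, as proposed above, that resolver's query log is where the DNS tunnelling raised in the replies can be spotted. The log format (client IP, query name), the thresholds, the sample entries and all function names are assumptions made for this sketch.

```python
import base64, hashlib, math
from collections import defaultdict

def _label(i):
    # Constructed stand-in for tunnel payload: base32 of a hash, 52 chars.
    digest = hashlib.sha256(str(i).encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()

# Constructed resolver log entries (client_ip, query_name); not real traffic.
SAMPLE_QUERIES = (
    [("10.0.0.23", f"{_label(i)}.t.tunnel.example") for i in range(8)]
    + [("10.0.0.7", f"{h}.example.com") for h in
       ("www", "mail", "static", "api", "img", "cdn")]
    + [("10.0.0.7", "example.com")]
)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))

def base_domain(qname, labels=2):
    # Assumption: the last two labels identify the zone. A real deployment
    # would use a public-suffix list so that e.g. co.uk is handled properly.
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def suspected_tunnels(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Return {(client, zone): stats} for pairs whose query names look like
    encoded data: many distinct, long, high-entropy subdomains of one zone."""
    subs = defaultdict(set)
    for client, qname in queries:
        name = qname.rstrip(".").lower()
        zone = base_domain(name)
        sub = name[: -len(zone)].rstrip(".")
        if sub:
            subs[(client, zone)].add(sub)
    flagged = {}
    for key, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(entropy(n.replace(".", "")) for n in names) / len(names)
        if (len(names) >= min_unique and avg_len >= min_avg_len
                and avg_ent >= min_entropy):
            flagged[key] = {"unique": len(names), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, zone), stats in suspected_tunnels(SAMPLE_QUERIES).items():
        print(client, zone, stats)
```

The thresholds are starting points only; zones that legitimately use long generated hostnames would need an allow-list.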