From: Andrew Gould
Date: Sat, 29 Oct 2022 16:05:17 -0500
Subject: Re: accessing guest wireless networks
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
In-Reply-To: <20221028105804250197522@bob.proulx.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Fri, Oct 28, 2022 at 12:22 PM Bob Proulx <bob@proulx.com> wrote:
> Andrew Gould wrote:
> > I have wpa_supplicant.conf configured to successfully access two different
> > home networks; but I can't seem to figure out how to access guest networks
> > (is this the right term?) at places like Starbucks.
> >
> > network={
> >    ssid=“Starbucks WiFi”
>           ^              ^
>           !              !
> >    bssid=any
> >    key_mgmt=NONE
> >    scan_ssid=1
> >    priority=4
> > }
> >
> > What else do I need?
>
> Those quotation marks are UTF-8 and not ASCII. Change those to the
> traditional ASCII double quotes.
>
> I have only exactly this following in my wpa_supplicant.conf file and
> this works for me.
>
>     network={
>         ssid="Starbucks WiFi"
>         key_mgmt=NONE
>     }
>
> Note that with the Starbucks captured portal one must open a web page
> in a compatible browser, allow it to be attacked with a MITM attack,
> land on the Starbucks authentication page, and click through their
> agreement. I am using Firefox and Firefox automatically recognizes
> many captured portals and will emit a dialog line with a button just
> above the page body content. Clicking that Firefox dialog button
> works for me.
>
> This captured portal access can be problematic if using a local DNSSEC
> validating nameserver such as unbound because captured portals like
> Starbucks are MITM attacks which DNSSEC is designed to stop.
>
> Also DNS over HTTP (DoH) being enabled in the browser may prevent the
> captured portal from the MITM attack needed to open the portal.
>
> Before attempting to authenticate with the captured portal disable DoH
> in the web browser and stop any local caching nameserver. Inspect
> /etc/resolv.conf to ensure that the Starbucks captured portal DHCP
> assigned nameservers are in use and NOT "safe" ones like 8.8.8.8 or
> any of the other similar ones. Since you must allow yourself to be
> DNS attacked in order to gain access through the router you need to
> use the DHCP provided nameservers. Attempting to go to any URL name
> the DNS will resolve to a captured portal router which will issue an
> http redirect causing the browser to visit the portal page. That's
> the MITM that must be allowed to gain access.
>
> Then after completing the captured portal handshake and getting on the
> network don't forget to return to a normal network configuration.
> Start up unbound if using unbound. Enable DoH in the web browser
> again if using DoH.
>
> Background reference.
>
>     https://en.wikipedia.org/wiki/Captive_portal
>
> Bob

Thank you for the help. I changed the security settings in Firefox so it wouldn't block popups; but I didn't know what else to change. I'm not running any DNS services, and I'm using the standard firefox pkg for FreeBSD 13.1. I did the OS installation last week.

After I checked everything, I restarted netif. The output showed the correct ssid and status of associated. However, it also showed inet 0.0.0.0. Restarting Firefox and trying to access the internet failed. Redirection to a login webpage did not occur.
Andrew
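The three things this thread turns on (non-ASCII quotes in wpa_supplicant.conf, whether the interface actually got a DHCP lease, and telling a captive-portal redirect from real Internet access) can each be checked from a shell before touching the browser. The script below is an added example written for this page; it is not code from either poster or from FreeBSD. It assumes POSIX sh with grep and awk, and for the optional live probe it assumes FreeBSD fetch(1) and Firefox's public portal-detection URL http://detectportal.firefox.com/success.txt, which answers with the literal body "success" when no portal is in the way. The wpa_supplicant.conf fragment and the ifconfig dump it runs against are constructed sample data modelled on the messages above, not captured output.

```sh
#!/bin/sh
# Added example, not part of the original thread. Three checks for the
# failure modes discussed in the thread, meant for a FreeBSD laptop:
#   check_wpa_conf  - catch non-ASCII (curly) quotes in wpa_supplicant.conf
#   wlan_state      - read ifconfig(8) output: associated? got a DHCP lease?
#   classify_probe  - decide from a portal probe body: online/captive/offline
# Assumptions: POSIX sh, grep, awk. The live probe uses fetch(1) and the
# Firefox detection URL; both are assumptions of this example, not the thread.

# Exit 0 if every ssid=/psk=/bssid= line in "$1" is plain ASCII, 1 if any
# contains other bytes (the offending lines are printed with line numbers).
# In the C locale [:print:] covers 0x20-0x7E only, so the UTF-8 quotes
# U+201C/U+201D (bytes E2 80 9C / E2 80 9D) are reported.
check_wpa_conf() {
    ! LC_ALL=C grep -n -E '^[[:space:]]*(ssid|psk|bssid)=' "$1" \
        | LC_ALL=C grep '[^[:print:][:space:]]'
}

# Summarise an ifconfig(8) dump of one wlan interface read from stdin.
# Prints one of: not-associated | associated-no-lease | up <addr>
# "associated-no-lease" is the "status: associated" plus "inet 0.0.0.0"
# combination: the 802.11 association worked but DHCP never handed out an
# address, so no HTTP request (and therefore no portal redirect) can happen.
wlan_state() {
    awk '
        /^[[:space:]]*status:/ { status = $2 }
        /^[[:space:]]*inet /   { addr = $2 }
        END {
            if (status != "associated")               print "not-associated"
            else if (addr == "" || addr == "0.0.0.0") print "associated-no-lease"
            else                                      print "up " addr
        }'
}

# Classify the body returned by a captive-portal probe. The detector URL is
# expected to return exactly "success"; a portal redirects the plain-HTTP
# request to its login page (so the body is HTML); no body at all means the
# request never got out.
classify_probe() {
    case "$1" in
        "")      echo offline ;;
        success) echo online ;;
        *)       echo captive ;;
    esac
}

# Live probe (network required). Plain HTTP on purpose: an HTTPS probe cannot
# be redirected by the portal without a certificate error. Run it with DoH off
# and /etc/resolv.conf pointing at the DHCP-supplied resolvers.
probe_portal() {
    classify_probe "$(fetch -q -o - -T 5 \
        http://detectportal.firefox.com/success.txt 2>/dev/null | tr -d '\r\n')"
}

# --- constructed sample data so the script runs stand-alone -----------------
# The config from the original question, with the UTF-8 quotes written as
# their byte values so the file is reproduced exactly.
SAMPLE_CONF=$(mktemp)
printf 'network={\n    ssid=\342\200\234Starbucks WiFi\342\200\235\n    key_mgmt=NONE\n}\n' \
    > "$SAMPLE_CONF"

# An ifconfig dump in the state the reply describes (constructed, not captured).
SAMPLE_IFCONFIG='wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ssid "Starbucks WiFi" channel 6 (2437 MHz 11g)
        status: associated'

main() {
    if check_wpa_conf "$SAMPLE_CONF"; then
        echo "conf: ok"
    else
        echo "conf: replace the non-ASCII quotes shown above with plain \""
    fi
    echo "wlan: $(printf '%s\n' "$SAMPLE_IFCONFIG" | wlan_state)"
    echo "probe (constructed portal body): $(classify_probe '<html>Sign in</html>')"
    rm -f "$SAMPLE_CONF"
}
main "$@"
```

For a real run, feed `ifconfig wlan0 | wlan_state` instead of the sample dump and call `probe_portal` after the interface reports `up <addr>`; until it does, the portal page cannot appear no matter what the browser is set to, so the DHCP lease is the thing to fix first.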