December 2008
I reinstall the Soekris 5501 done in , this time with different partitioning and a newer version of OpenBSD, 4.4. The new partitioning looks like this:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 148M 29.7M 110M 21% /
/dev/wd0e 123M 2.0K 117M 0% /home
/dev/wd0d 984M 382M 553M 41% /usr
/dev/wd0f 2.3G 2.9M 2.1G 0% /var
We pick up the routine at the and replace it here...
Edit /etc/fstab to contain:
/dev/wd0a / ffs rw 1 1
/dev/wd0e /home ffs rw,nodev,nosuid 1 2
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
swap /tmp mfs -s=128000,rw,nodev,nosuid 0 0
Now say mount -a. The command df -h should now give something along the lines of:
# df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 148M 29.7M 110M 21% /
/dev/wd0e 123M 2.0K 117M 0% /home
/dev/wd0d 984M 382M 553M 41% /usr
/dev/wd0f 2.3G 2.9M 2.1G 0% /var
mfs:2675 60.5M 1.0K 57.4M 0% /tmp
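The point of splitting /home, /var and /tmp off from / is to mount them nodev and nosuid, so that a writable area can never be used to plant a setuid binary or a device node. As an added check, not part of the original page, the following shell function reads an fstab on stdin and reports every ffs or mfs filesystem that is mounted without nodev or nosuid. Run against the fstab above it flags / (unavoidable) and /usr (which holds setuid binaries such as su and passwd, so the missing nosuid there is intended); the other three pass. The fstab lines in the usage comment are the ones from this page; everything else is assumed.

```shell
#!/bin/sh
# Added example: audit an fstab for ffs/mfs filesystems that are mounted
# without nodev and/or nosuid. Reads fstab text on stdin and prints one
# line per finding, e.g. "/usr lacks nosuid". Exit status is 1 if anything
# was reported and 0 if the fstab is clean.
#
# usage: fstab_audit < /etc/fstab
#   with the fstab from this page the output is:
#     / lacks nodev,nosuid
#     /usr lacks nosuid
fstab_audit() {
	awk '
	# skip comments and lines that are too short to be fstab entries
	$1 ~ /^#/ || NF < 4 { next }
	# only local ffs/mfs filesystems are of interest here
	$3 != "ffs" && $3 != "mfs" { next }
	{
		# index the comma-separated mount options of this entry
		split("", have)
		n = split($4, opt, ",")
		for (i = 1; i <= n; i++) have[opt[i]] = 1
		missing = ""
		if (!("nodev" in have)) missing = "nodev"
		if (!("nosuid" in have)) missing = missing (missing ? "," : "") "nosuid"
		if (missing != "") { print $2 " lacks " missing; found = 1 }
	}
	END { exit found ? 1 : 0 }'
}
```

The function deliberately ignores non-ffs/mfs entries (NFS, cd9660 and the like need their own policy) and does not try to decide which findings are acceptable; that judgement, such as leaving /usr suid-capable, stays with the administrator.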
visudo
<snip>
Defaults !lecture,!insults
username ALL=(ALL) SETENV: ALL
Put in ~/.profile a stanza:
PKG_PATH=ftp://osis.service.rug.nl/pub/os/bsd/openbsd/4.4/packages/i386/
export PKG_PATH
and re-source the profile: . ~/.profile
/etc/hostname.vr0:
dhcp NONE NONE NONE
/etc/hostname.vr1:
dhcp NONE NONE NONE
/etc/hostname.vr2:
inet 10.0.30.1 255.255.255.0 NONE
/etc/hostname.vr3:
inet 10.0.14.1 255.255.255.0 NONE
Install a virtual machine with plenty of space to build software
Get the ISC DHCP daemon, version 4.1.0
./configure --enable-paranoia --enable-early-chroot
make
cd ..
tar cvzf dhcp-4.1.0-compiled.tgz dhcp-4.1.0
Warning: the DHCP daemon uses some very insecure C calls, so once an intruder is inside the network it serves, the DHCP server should be considered compromised.
scp root@buildbox:/root/dhcp-4.1.0-compiled.tgz ./
tar zxvf dhcp-4.1.0-compiled.tgz
sudo su -
ln -s /home/ordinaryuser/dhcp-4.1.0 ./
cd dhcp-4.1.0
make install
Warning: as before, the path from which make install is run on the target machine must be identical to the path where make was run on the build machine.
Steal or create a suitable DHCP config, create the leases database, and start the daemon in the foreground (-f), logging to stderr (-d), with the config in /etc/dhcp3/dhcpd.conf and listening on the interfaces named on the command line (e.g. vr0):
touch /var/db/dhcpd.leases
dhcpd -f -d -cf /etc/dhcp3/dhcpd.conf if0 if1 ...
# create a directory for vnode disks and a mount point for the DHCP vnode disk
sudo mkdir -p /var/fs /var/
# create a 16MB file to form the DHCP vnode disk
sudo dd if=/dev/zero of=/var/fs/dhcpdfs bs=1024 count=16310
# associate the (existing) special device /dev/svnd0c with the file /var/fs/dhcpdfs
sudo vnconfig -c -v /dev/svnd0c /var/fs/dhcpdfs
# put a filesystem on the _raw_ device
sudo newfs /dev/rsvnd0c
# mount the block device on the directory
# (nodev is deliberately absent: dhcpd must open the bpf nodes created below from inside the jail)
sudo mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd/
# create the necessary directories in the chroot jail
sudo mkdir -p /var/dhcpd/dev /var/dhcpd/etc /var/dhcpd/var/run /var/dhcpd/var/db
# put proper ownership and permissions on the dirs
sudo chgrp _dhcp /var/dhcpd/var/run /var/dhcpd/var/db/
sudo chmod 0775 /var/dhcpd/var/run/ /var/dhcpd/var/db
# Put the lease file in the jail and link it back to the real world
sudo touch /var/dhcpd/var/db/dhcpd.leases
sudo chown _dhcp /var/dhcpd/var/db/dhcpd.leases
# a data file: writable by _dhcp only, no execute bits needed
sudo chmod 0644 /var/dhcpd/var/db/dhcpd.leases
sudo ln -sf /var/dhcpd/var/db/dhcpd.leases /var/db/dhcpd.leases
# create the BPF (Berkeley Packet Filter) device nodes that dhcpd (at least the
# OpenBSD-patched version) uses to listen on raw interfaces: one node per
# interface it serves. dhcpd opens them while still running as root, before it
# switches to _dhcp, so root-owned 0600 is sufficient.
BPFMAJ="`ls -l /dev/bpf0 | awk '{ print $5; }' | sed -e 's/,//g'`"
export BPFMAJ
cd /var/dhcpd/dev
sudo mknod -m 0600 bpf0 c $BPFMAJ 0
sudo mknod -m 0600 bpf1 c $BPFMAJ 1
sudo mknod -m 0600 bpf2 c $BPFMAJ 2
sudo mknod -m 0600 bpf3 c $BPFMAJ 3
sudo mknod -m 0600 bpf4 c $BPFMAJ 4
sudo mknod -m 0600 bpf5 c $BPFMAJ 5
# move the dhcpd.conf to the jail, and link back to it from the real world
sudo mv /etc/dhcpd.conf /etc/dhcpd.conf.starters
sudo cp /etc/dhcpd.conf.starters /var/dhcpd/etc/dhcpd.conf
sudo ln -s /var/dhcpd/etc/dhcpd.conf /etc/dhcpd.conf
# test run in the foreground; with --enable-early-chroot the -cf path is resolved inside the jail
sudo /usr/sbin/dhcpd -f -d -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd vr2 vr3 sis0 sis1
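Before trusting the jail built above, it is worth checking it for the usual chroot mistakes: setuid or setgid files (a privilege-dropped daemon has no use for them, and an attacker inside the jail does), world-writable paths, and absolute symlinks that resolve against the jail root once chrooted and therefore point at nothing. The function below is an added example written for this page, not part of the original procedure; it needs only find, sed and readlink and so runs on OpenBSD as well as Linux. The /var/dhcpd path is the jail from this page; the tree in the usage comment is a constructed illustration.

```shell
#!/bin/sh
# Added example: sanity-check a chroot jail such as /var/dhcpd before starting
# the daemon in it. Prints one finding per line (nothing printed = clean):
#   setuid-or-setgid: <file>          no business in a single-daemon jail
#   world-writable: <path>            anything inside the jail that everyone
#                                     can write to
#   dangling-in-jail: <link> -> <t>   absolute symlink whose target does not
#                                     exist below the jail root, i.e. it will
#                                     dangle once dhcpd has chrooted
#
# usage: jail_audit /var/dhcpd
#   e.g. for a jail containing a setuid file "bin_suid" and a link
#   var/run/bad.link -> /var/run/outside.pid (nonexistent inside) the output is
#     setuid-or-setgid: /var/dhcpd/bin_suid
#     dangling-in-jail: /var/dhcpd/var/run/bad.link -> /var/run/outside.pid
jail_audit() {
	root=${1%/}
	# setuid/setgid regular files (setgid directories are normal on BSD
	# and are ignored here)
	find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
		sed 's/^/setuid-or-setgid: /'
	# world-writable files and directories without the sticky bit
	find "$root" ! -type l -perm -0002 ! -perm -1000 -print 2>/dev/null |
		sed 's/^/world-writable: /'
	# absolute symlinks are resolved relative to the jail root after chroot,
	# so the target has to exist under $root, not in the real filesystem
	find "$root" -type l -print 2>/dev/null | while read -r link; do
		target=$(readlink "$link")
		case $target in
		/*) [ -e "$root$target" ] || echo "dangling-in-jail: $link -> $target" ;;
		esac
	done
}
```

Note that the link the page creates runs the other way, from the real /var/db/dhcpd.leases into the jail, which is fine: the daemon never follows it, only the administrator does. The group-writable var/run and var/db directories created above are not reported either, since they are writable by _dhcp only, not by everyone.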
Put the following sections in their respective files. First the dhcpd start stanza; it takes over from the stock dhcpd stanza, reading the same dhcpd_flags variable plus dhcpd_leases and /etc/dhcpd.interfaces, and starts the daemon chrooted only if the jail image could be attached, checked and mounted:
# no use even starting if executable missing or flags not set
if [ -x /usr/sbin/dhcpd -a "X${dhcpd_flags}" != X"NO" ]; then
	# if there is a jail, use it
	if [ -f /var/fs/dhcpdfs ] ; then
		if vnconfig -c /dev/svnd0c /var/fs/dhcpdfs ; then
			if fsck -p /dev/svnd0c ; then
				if mount -o rw,softdep,nosuid /dev/svnd0c /var/dhcpd ; then
					if [ "X${dhcpd_leases}" != "X" ]; then
						touch "${dhcpd_leases}"
					else
						touch /var/db/dhcpd.leases
					fi
					if [ -f /etc/dhcpd.interfaces ]; then
						dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
					fi
					echo -n ' dhcpd (v4.1)(chrooted)'
					/usr/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
				fi
			fi
		fi
	else
		if [ "X${dhcpd_leases}" != "X" ]; then
			touch "${dhcpd_leases}"
		else
			touch /var/db/dhcpd.leases
		fi
		if [ -f /etc/dhcpd.interfaces ]; then
			dhcpd_ifs=`awk -F\# '{ print $1; }' < /etc/dhcpd.interfaces`
		fi
		echo -n ' dhcpd (v4.1)(not chrooted)'
		/usr/local/sbin/dhcpd ${dhcpd_flags} ${dhcpd_ifs}
	fi
else
	echo "not starting DHCP daemon: executable missing or no parameters set"
fi
/etc/rc.conf.local (the stanza reads dhcpd_flags and dhcpd_leases, so the variables must carry exactly those names):
dhcpd_flags="-cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q"
dhcpd_leases="/var/dhcpd/var/db/dhcpd.leases"
/etc/dhcpd.interfaces:
vr2
vr3
sis0
sis1
ps axu|grep dhcpd
_dhcp 23450 0.0 0.2 2696 976 ?? Is 4:35PM 0:00.01 /usr/sbin/dhcpd -cf /etc/dhcpd.conf -user _dhcp -group _dhcp -chroot /var/dhcpd -q vr2 vr
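The awk one-liner in the start stanza strips comments from /etc/dhcpd.interfaces but then hands whatever is left, unquoted, to the dhcpd command line, so a stray line such as "-cf /tmp/x.conf" in that file would silently become a daemon option. The function below, an added example and not part of the original page, builds the same list but accepts only tokens that look like interface names (a lower-case driver name followed by a unit number, such as vr2 or sis0) and refuses to produce a list at all if anything else is present. The file name and the sample contents in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: build the interface list for dhcpd from a file in the
# /etc/dhcpd.interfaces format (one or more interface names per line,
# "#" starts a comment). Prints the names space-separated on one line.
# Returns 1, printing nothing on stdout, if any token is not of the form
# <driver><unit>; returns 0 with empty output if the file does not exist,
# leaving interface selection to dhcpd itself.
#
# usage: dhcpd_ifs=$(dhcpd_interfaces /etc/dhcpd.interfaces) || exit 1
#   for a file containing "vr2", "vr3   # lan" and "sis0 sis1" the output is
#     vr2 vr3 sis0 sis1
dhcpd_interfaces() {
	file=$1
	[ -r "$file" ] || return 0
	list=""
	while read -r line; do
		# drop everything from the first "#" onwards
		line=${line%%#*}
		# word-split the rest so several names on one line also work
		for w in $line; do
			case $w in
			*[![:lower:][:digit:]]*|[![:lower:]]*|*[![:digit:]])
				echo "dhcpd_interfaces: rejecting '$w' in $file" >&2
				return 1 ;;
			esac
			list="$list${list:+ }$w"
		done
	done < "$file"
	printf '%s\n' "$list"
}
```

In the rc stanza this replaces the awk call, and the daemon is started only if the function succeeded; the file is root-owned in /etc, so the risk is a typo rather than an attacker, but a daemon that refuses to start is easier to notice than one that quietly runs with a different config file.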
Put in /etc/rc.conf.local:
named_flags='-4'
Edit /var/named/etc/named.conf to your tastes.
In /etc/sysctl.conf uncomment:
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
In /etc/inetd.conf, uncomment or add (TFTP is UDP only, so a dgram tcp variant of this line makes no sense):
127.0.0.1/6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
In /etc/pf.conf ($wan_if, $datanet_if and $datanet are macros defined elsewhere in the file and not shown here):
# NAT
nat on $wan_if from $datanet to any -> ($wan_if:0)
no nat on $wan_if to port tftp
nat-anchor "tftp-proxy/*"
rdr-anchor "tftp-proxy/*"
rdr on $datanet_if proto udp from $datanet to any port tftp -> 127.0.0.1 port 6969
# for now pass all
# anchor "tftp-proxy/*"
Note: at this point, tftp from $datanet works, but only with proper routing, which means a default route must be added by hand: the router is already acting as the DHCP server and does not yet use DHCP on the WAN interface. This is corrected later, when $wan_if is switched to DHCP and gets its default route when it comes up.