GoatseAP
What is GoatseAP?
GoatseAP is a Linux box with HostAP, ISC DHCPD, BIND9, and Apache, set up to act as a standalone wireless access point and serve up a page of your choosing in place of whatever site the client was actually looking for. I chose to do it this way because it works without any real network connection on the AP side: DNS, DHCP and HTTP are all answered locally.
GoatseFW is basically the same as above, except that instead of static content, known and/or authenticated clients are able to bypass the “goatse” part and actually reach the internet via a second network interface. There’ll be a page on this soon.
How it works
Basically, it’s the same as any other wireless network, to a point.
- You associate to the wireless access point.
- The client requests a DHCP lease, which supplies an IP address and a DNS server address. This is the important part.
- The DNS server wildcards everything to the IP address of the GoatseAP server.
- Apache is configured to rewrite all requests to, say, Goatse.
A little bonus I like to throw in is changing the MAC and IP addresses of the card to ones that look like a Linksys access point, with the help of Kismet’s ap_manuf database and my randmac hack. This throws Kismet’s manufacturer guessing way off.
DHCP configuration
This part is pretty easy. Here’s what the dhcpd.conf I used looked like (the interface it serves on, wlan0 below, is given on the dhcpd command line):
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.254;
option domain-name "HELL";
option domain-name-servers 192.168.1.1; # IMPORTANT: we are the only resolver the client ever hears about
option routers 192.168.1.1;
option ip-forwarding false;
one-lease-per-client true;
max-lease-time 900; # short leases: clients come and go
default-lease-time 300;
allow bootp;
allow declines;
deny client-updates;
}
Nothing to it.
BIND9
Remember when Verisign unleashed SiteFinder? Same idea, except that everything gets wildcarded, not just domains that don’t exist.
The first thing you’ll need to do is edit your named.conf: you’ll see a stanza looking something like this.
zone "." {
type hint;
file "/etc/bind/db.root";
};
This points named at the real root nameservers for anything it doesn’t know itself. You’ll want to change it to this (note the semicolon after the closing brace; named.conf requires it):
zone "." {
type master;
file "/etc/bind/db.pwn";
};
This tells named that, as far as it’s concerned, it is now the root nameserver, so it never asks anybody else. Nobody will actually be using you as a nameserver, of course, except for people associated to your GoatseAP access point, and they get no choice, since dhcpd hands out nothing else.
The next thing you need is a zone file for… well. The internet. Per above, /etc/bind/db.pwn should look like this (check it with named-checkzone . /etc/bind/db.pwn before restarting named):
$TTL 604800
@   IN  SOA  ns. root. ( 1 604800 86400 2419200 604800 )  ; serial refresh retry expire negative-cache TTL
; NS must point at a hostname, not an IP address, so name ourselves and give that name an A record
@   IN  NS   ns.
ns  IN  A    192.168.1.1
; the wildcard: everything else in the world resolves to us
*   IN  A    192.168.1.1
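To see what that wildcard root zone actually hands back, here is a small stand-in for BIND written in Python. It is an added example and not part of the original page or of GoatseAP itself: it answers every A query with the AP’s address (192.168.1.1, assumed from the dhcpd.conf above) and, as BIND does for a wildcard that only carries A records, returns an authoritative NOERROR with an empty answer section for any other type, so an AAAA lookup falls through to the A lookup instead of failing. The build_query and answered_addresses helpers exist only so the exchange can be checked without a live network.

```python
"""Wildcard DNS responder: what `* IN A 192.168.1.1` in a root zone looks like on the wire.

Added example, not part of the original GoatseAP page (which runs BIND9).
Assumptions: the AP is 192.168.1.1 and the TTL is the zone file's $TTL.
"""
import socket
import struct

AP_ADDRESS = "192.168.1.1"  # assumed, per the dhcpd.conf on the page
TTL = 604800                # the zone's $TTL
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Dotted hostname -> DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """A standard recursive query, as a client's stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query):
    """Answer like the wildcard root zone: every A/IN query gets AP_ADDRESS,
    anything else gets an authoritative NOERROR with an empty answer section."""
    if len(query) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None  # not a normal query; drop it
    _, end = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    rflags = 0x8400 | (flags & 0x0100)  # QR=1, AA=1, RD copied from the query, RA=0
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # owner = pointer to the question name at offset 12; A, IN, TTL, 4-byte rdata
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4)
        answer += socket.inet_aton(AP_ADDRESS)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return header + question + answer


def answered_addresses(response):
    """Return (queried name, [A-record addresses]) from a response."""
    _, _, _, ancount = struct.unpack("!HHHH", response[:8])
    qname, offset = decode_name(response, 12)
    offset += 4  # skip qtype/qclass
    addrs = []
    for _ in range(ancount):
        _, offset = decode_name(response, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            addrs.append(socket.inet_ntoa(response[offset:offset + rdlen]))
        offset += rdlen
    return qname, addrs


def serve(bind_addr="192.168.1.1", port=53):
    """Listen on UDP/53 (root needed) and answer everything that arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply = build_response(data)
        if reply:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the AP in place of named and point dig at it (dig @192.168.1.1 anything.at.all) to see the same answer BIND gives from db.pwn; the AA bit is set because, like the master root zone above, it claims authority for every name.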
Apache
This is the longest part. Basically, we have a vhost that rewrites everything to whatever. In keeping with our theme, Goatse.
Note that this is kind of a biblical translation of the original “GoatseAP-HOWTO” in that it’s gone through a few revisions in a few different formats. As the last incarnation of this document said:
Note that since I’m not running my own live site any more and don’t have the original version of this document with the working Apache directives handy (disk crash), I haven’t fully tested out whether this will step on your real Apache config. You may need to tweak it.
Anyway.
#
# Bonus: a LogFormat that records the Host: header, so we can see which
# site the client was really trying to reach. %{forensic-id}n is only
# filled in when mod_log_forensic is loaded; otherwise it logs "-".
#
LogFormat "%h -> %{Host}i: %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{forensic-id}n\"" goatse
#
# Set up the VirtualHost. Every hostname resolves to 192.168.1.1, so this one
# vhost catches every Host: header a client can send. NameVirtualHost is needed
# on Apache 1.3/2.0/2.2 and ignored (with a warning) on 2.4.
#
NameVirtualHost 192.168.1.1
<VirtualHost 192.168.1.1>
ServerName 192.168.1.1
ServerAdmin root@goatse.cx
DocumentRoot /var/www/goatseap
CustomLog /var/log/apache/goatseap-access.log goatse
ErrorLog /var/log/apache/goatseap-error.log
RewriteEngine On
# Image requests outside /goatse become hello.jpg. This is an internal rewrite;
# an absolute http:// target here would make mod_rewrite send a redirect instead,
# which the client would see.
RewriteCond %{REQUEST_URI} \.(jpg|gif|png|bmp)$ [NC]
RewriteCond %{REQUEST_URI} !^/goatse
RewriteRule ^.+ /goatse/hello.jpg [L]
# Anything else that isn't under /goatse becomes /goatse/index.html.
RewriteCond %{REQUEST_URI} !^/goatse
RewriteRule ^.+ /goatse/index.html [L]
</VirtualHost>
And you’re all set for Apache. Since your DNS server now says that everything resolves to you, every HTTP request will land on your Apache server, which in turn rewrites any URL that doesn’t start with /goatse to /var/www/goatseap/goatse/index.html. On Apache 2.4 you may also need a <Directory /var/www/goatseap> block with Require all granted if the stock config doesn’t already allow access there.
Speaking of which, now would be a good time to create that file. Put whatever you want in it, just make sure that any images it references live under /var/www/goatseap/goatse, since anything else gets rewritten.
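Since the point of the custom goatse LogFormat above is to find out which sites clients were actually after, here is an added Python parser for that format. It is not part of the original page; the log lines in it are constructed for illustration, and the “intended URL” is simply the logged Host: header glued onto the request path.

```python
"""Parse the page's custom `goatse` Apache LogFormat to recover which sites
clients were actually trying to reach.

Added example, not part of the original GoatseAP page. The log lines below
are constructed for illustration; the format they follow is the LogFormat
directive from the Apache section.
"""
import re

# %h -> %{Host}i: %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{forensic-id}n"
LINE_RE = re.compile(
    r'^(?P<client>\S+) -> (?P<host>\S+): (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<forensic>[^"]*)"$'
)

# Constructed sample log, not real traffic. The third client sent no Host: header.
SAMPLE_LOG = """\
192.168.1.101 -> www.google.com: - - [14/Mar/2004:22:01:13 -0500] "GET /search?q=linksys HTTP/1.1" 200 1342 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)" "-"
192.168.1.101 -> images.cnn.com: - - [14/Mar/2004:22:01:14 -0500] "GET /logo.gif HTTP/1.1" 200 4096 "http://www.cnn.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)" "-"
192.168.1.102 -> -: - - [14/Mar/2004:22:02:40 -0500] "GET / HTTP/1.0" 200 1342 "-" "Wget/1.9" "-"
this line is garbage and should be skipped
"""


def parse_line(line):
    """One log line -> dict of named fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """All well-formed entries from a log, in order; malformed lines are dropped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def intended_url(entry):
    """Reconstruct the URL the client asked for, or None if it sent no Host: header."""
    if entry["host"] == "-":
        return None
    parts = entry["request"].split(" ")
    path = parts[1] if len(parts) >= 2 else "/"
    return "http://%s%s" % (entry["host"], path)


def intended_urls(entries):
    """Every reconstructable URL, in log order."""
    return [u for u in (intended_url(e) for e in entries) if u]


def hosts_by_client(entries):
    """Which distinct sites each client IP tried to reach (sorted per client)."""
    seen = {}
    for e in entries:
        hosts = seen.setdefault(e["client"], set())
        if e["host"] != "-":
            hosts.add(e["host"])
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    for client, hosts in hosts_by_client(parse_log(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(hosts) or "(no Host: header)")
```

Feed it /var/log/apache/goatseap-access.log instead of the sample to get the same breakdown for real clients; entries whose Host: field is “-” are requests from HTTP/1.0 clients that never said where they thought they were going.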
HostAP
As I mentioned earlier, I like to emulate a Linksys access point. I use my own program to choose a suitable IP and MAC address. Try something like:
$ perl randmac -f /etc/kismet/ap_manuf -m linksys -c wap11
MANUF="Linksys"
MODEL="WAP11"
ESSID="linksys"
CHANNEL="6"
IP="192.168.1.1"
MAC="00:04:5A:0E:2B:D6"
So, our MAC address is 00:04:5A:0E:2B:D6, and our IP is 192.168.1.1.
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:04:5A:0E:2B:D6
# ifconfig wlan0 192.168.1.1 netmask 255.255.255.0 up
(The interface is taken down first because most drivers refuse to change the hardware address while it is up.)
And we tell the HostAP drivers to go into AP mode with essid “linksys” and no encryption on channel 6:
# iwconfig wlan0 mode master essid linksys channel 6 enc off
Misc
You’ll probably want to restart dhcpd, named and Apache so they pay attention to the interface you just brought up. You’ll also probably want to firewall out everything but 53/tcp, 53/udp and 80/tcp from the 192.168.1.0/24 net; leave 67/udp open as well, or clients never get a lease in the first place. Anything the client tries over HTTPS will simply fail, since nothing listens on 443.
Alternatives
GoatseFW is basically the same idea, but instead of wildcarding all DNS queries to the IP of the gateway, the gateway has another network interface connected to the internet and transparently redirects (via iptables) all 80/tcp traffic to the local Apache. See the GoatseFW page (when I get around to writing it) for more information on this method.
History
This page is based on this document.
