Harlo has a blog.

A deaddrop i made

[31 May 2014] [tags: how-to dead_drops piratebox openwrt lol_tradecraft ]

The fabulous Aurelia Moser and I are going to be giving a talk at Hope X next month on the topic of dead drops. Dead drops are rad, and anyone who knows me just a little bit, knows that I have a thing for tradecraft. I’ve been putting it off and putting it off, but I finally used this beautiful late-spring day to slap together a digital dead drop.

###Imagine, if you will…###

You’re mad as hell, and you’re not going to take it anymore! Your boss has dicked you over for the last time, and you’re about to dump the biggest leak in history. You reach out to your reporter friend and invite her for coffee.

Sitting across from one another, after you’ve exchanged PGP keys, she says: “I’ll follow up with an email.” She downs her Jameson (who am I kidding, she’s not drinking coffee) and leaves. The next day, an encrypted email shows up in your inbox; it reads:

Get on the Manhattan-bound L train at Bedford Avenue at 3:27 pm. Sit in the second car.

Pull out your phone and join a network called "OMG SECRET SHIT" with the password doopie_d00pie_d00.

Then watch this You Tube Video: http://www.youtube.com/watch?v=qMPaTRYaaR8

“Well, ok,” you think. “That’s kind of cryptic, but whatever.” You follow the instructions, and on the train, when you click that link, you’re facing a dinkly little page that simply contains an file uploader. “Shiiiiiiiit!” you think, as you select your document from your phone’s file system, and upload to some invisible little internet thingie somewhere on the train with you. By the time you emerge at 1st Avenue, you’ve taken that dump, if you know what I mean.

###OK, cool. Let’s make that.###

OK.

####Ingredients####

####Step 1: Hello OpenWRT!####

Install the OpenWRT firmware and PirateBox software on your router according to these instructions. It’s ok if you brick yours. It’s recoverable. Once you’ve verified that PirateBox is working (meaning you can find the access point, join the network, and even send a chat message) you’ll be super impressed with what you’ve got so far. However, we want to make some l33t cloak-n-dagger crap, so let’s rip out their interface and make out own!

####Step 2: Let’s add PHP####

What I want to do is, be able to authenticate certain people to upload files onto my router– each person identifiable by a simple, one-time-use token. Also, I want to be able to so some server-side authentication to prevent things like XSRF. So, I’m going to want to add some server stuff for HTTP requests. I want PHP. But before I start adding packages, I need to reconnect the router back to the internet.

To do that, you have to plug the router back into your internet-serving router, and (temporarily) change some of the configurations to get to the net. SSH into the router and open /etc/config/network. Modify it like so:

config interface 'lan'
	option ifname 'eth0'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'	# or whatever your router IP is
	option ipaddr '192.168.1.14'	# shouldn't confilict with your router's IP, btw!
	list dns '192.168.1.1'	# (router IP again)
	list dns '8.8.8.8'	# good-old Google DNS

Then reboot your router. Once it’s back on, you should be able to have it use the internet to download new software. Let’s:

opkg update
opkg -d piratebox install php5
opkg -d piratebox install php5-cgi
opkg -d piratebox install php5-mod-json
opkg -d piratebox install php5-mod-session
cp /mnt/ext/etc/php.ini /etc/

The php modules will be installed in a different place than where php thinks by default, so do a search-n-replace for the default path with our extension path with

sed -i 's,extension_dir = \"/usr/lib/php\",extension_dir = \"/usr/local/lib/php\",g' /etc/php.ini

Finally, let’s change the doc_root in php.ini to point to the PirateBox www folder. Open up /etc/php.ini and replace

doc_root = "/www"

with

doc_root = "/opt/piratebox/www"

Cool, so we have PHP now, and it’ll totally work once we re-init PirateBox.

####Step 3: Ditch the old default www####

We want to make our own file uploader thingie, so let’s create our own web root for our own app. To do this, we must create a folder called www_alt in the PirateBox directory (/mnt/usb/Piratebox usually.) Go ahead, do it:

mkdir /mnt/usb/Piratebox/www_alt

And fill it up with your app files. Perhaps, you place a stub phpinfo file as your index.php, just to test it out?

<?php phpinfo(); ?>

Once that’s done with, we have to reload and restart the PirateBox engine. In order for PB to pull in our changes so far, we have to do the following (NB: make sure you’re not in either the /mnt/usb or /opt/piratebox directories; do cd / first!):

/etc/init.d/piratebox stop
/etc/init.d/piratebox updatePB

####Step 4: Fix your webserver config####

Now, piratebox is stopped. That’s ok– we have to fix some things in our web server’s configurations for PHP to be totally functional. Open /opt/piratebox/conf/lighttpd/lightpd.conf and make the following edits:

Replace

static-file.exclude-extensions = ( ".php",".pl", ".fcgi" , ".cgi" , ".py" )

with

static-file.exclude-extensions = ( ".pl", ".fcgi" , ".cgi" , ".py" )

(Get it? You just removed “.php” from the directive…)

And scroll down to

$HTTP["url"] =~ "^/cgi-bin/" {
	cgi.assign = ( ".py" => "/usr/bin/python" )
}

and add

$HTTP["url"] =~ "^" {
	cgi.assign = ( ".php" => "/usr/local/bin/php-cgi" )
}

In my build, I also found the directives that allow users to see the directory tree and commented them out– bad for security.

#dir-listing.encoding        = "utf-8"
#server.dir-listing          = "enable"

You should also have a look at the line

# 404 Error Page with redirect         
#                                       
server.error-handler-404 = "/redirect.html"

Might want to 1) make sure /redirect.html exists (and if not, make it or change the directive), and is appropriate for what you want, and 2) add the following

server.errorfile-prefix = "/error-"

…so you have error pages, instead of generic, auto-generated pages that leak information about your server set-up. A note: you can use PHP (for error logging, ensnaring, doxxing, etc.) in the page that handles the server.error-handler-404 directive. The others, however, must be static HTML.

Now, start up PirateBox with

/etc/init.d/piratebox start

and you’re done! Since the box is on your home network, try accessing it by its IP– you should see your index.

####Step 5: Configure your network and wireless settings####

You no longer need the box to be on the internet. At this point, you should reconfigure the router to function as an access point, and put encryption on it. First, edit /etc/config/network and restore its gateway, DNS, and IP address:

config interface 'lan'
	option ifname 'eth0'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option ipaddr '192.168.1.1'
	list dns '192.168.1.1'

Next, edit /etc/config/wireless to set your access point ssid and encryption:

config wifi-iface
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'OMG SECRET SHIT'
	option key 'doopie_d00pie_d00'

Reboot your router. Like a boss.