The Dark Side Of DefCon's Wireless Network
An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."
. . . but you need two wifi cards on one machine to use it.
everything in moderation
We would probably need a Linux-compatible wireless card? If not, can we run the binary on Windows?
At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to, say, wiping your hard drive).

Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

* HTTP goatse, 100% of the screen
* HTTP goatse replacing all images
* HTTP goatse as the page background via CSS
* HTTP tubgirl replacing all images
* HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
* HTTP javascript alert boxes, letting people know just how pwned they were
* FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

How does it work?

airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:

begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html

and here is the content that we return when the match is triggered:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

pwnedOPEN YOUR MIND -- TO THE ANUS!!

Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.

In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenge. Once we did find a victim, the results were pretty hilarious. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:

* Open browser, see goatse, jump backwards a little
* quickly close browser, take a breath
* open browser, see goatse, close browser (faster this time)
* scratch head, quit browser process, re-launch browser
* see page indicating that goatse will load soon (page header, etc.), immediately close browser
* open up browser preferences, click all the tabs, look for the "no goatse" checkbox
* clear the browser cache
* open browser, see goatse, close browser
* open network preferences, click on all the tabs, look for the "no goatse" checkbox
* disconnect from network, re-associate
* open browser, see goatse, close browser

At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare. The more l33t victims would launch ethereal and try to figure out what was going on. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or D
I was a victim of this at defcon, but since I was using lynx, I really didn't see any of the images mentioned. Actually, most of the surfing I did at defcon was using links or w3m over ssh (on a home box).
In this case, the text really does say "OPEN YOUR MIND -- TO THE ANUS!!" -- it's part of the message people saw (along with the picture, of course)
airpwn - bringing goatse (and friends) to Defcon 12!
Images from Dave's camera
Movies from Dave's camera
Images from my phone
It's a hacker conference. There is probably no more tolerant place to release such a piece of code, where your talents will be respected instead of persecuted. There were also no doubt many members of the computer security community present who would want to be aware of any new vulnerabilities immediately. I think it's a great thing it was tried and released at DefCon first.
He who laughs last is stuck in a time dilation bubble.
They link to that in the story. You don't even need to RTFA!
Does this strike anyone else as dumb?
Page = SlashPwned. I wonder what it would be like to actually have a chance to RTFA as I get told all the time?
Someday? Anyone? Bueller?
Do people still do this? Packet injections of various and sundry sorts are old news.
;)
There's a worrisome pattern, in the IT security biz, of repetition. Hacks discovered a few years ago re-appear in new clothes as "new"; technologies for protecting against them resurface every few years in the same way. Computing as a whole tends to re-invent things on something like a 15 year cycle, but security seems to be on a truly frenetic clock, cycling every 2 years or so (very very approximately
Is there some connection between this and the fact that vulnerabilities re-surface in new clothes constantly as well?
Well, it looks like all you hax0rz got them back by slashdotting their site.
Mirror mirror on the wall?
Anyone else try loading www.evilscheme.org?
Someone get to a local Starbucks with this, fast! Oh, and bring your camera!
Go easy on it.
http://leela.lasthome.net/airpwn/
Only on slashdot can a posting be rated "Score -1, Insightful".
Ohhh how I wish I had an x86 laptop instead of my iBook!! :(
Three scenarios to point this out.
You're at Joe's Internet Cafe, munching on your slightly overpriced muffin and glad for the free Wi-Fi access since you're out of town, and don't get to check your email much on the road. You hit the link to a message you want to read on webmail, when all of a sudden, an ad comes up. Nothing too bad, but it seems that Joe has decided that instead of charging people directly for 'net access, he'll rig up an old desktop with wireless to transmit the ad source for every 100th HTTP request that comes through his system.
This is a potentially annoying way of using the technology, but it also sounds like it could be a good way for Joe to help recoup his costs on the internet. Not a place I'd mind going.
Scenario Two
You're at Joe's Internet Cafe, munching on your slightly overpriced bagel, glad for the...well, you know. This time the 'net access isn't free, but Joe's giving it out for $1 an hour, more than reasonable. 58 minutes in, you make an HTTP request, and a small javascript window pops up informing you that you've just got a couple minutes left; more time can be bought at the counter. After 60 minutes, instead of locking you out, all your requests simply get a screen advising you that if you want to keep going, Joe's going to need a dollar at the counter.
Seems useful to me.
Scenario Three
You're in Joe's Internet Cafe, sipping some slightly overpriced coffee, and you try to get online after you've paid your dollar to the friendly man at the counter.
You keep getting ads. You click out, thinking that it's a popup window, and no, you really don't need to enlarge that, it's fine how it is.
All browser windows closed. You try again.
No, I don't really need those drugs...
Or those pieces of software
Or...
You get the idea. Turns out, that guy in the corner is making some quick cash by spamming everyone in the place. The only sites that are coming through are from those ads. He leaves after about 15 minutes, because it can't be long until someone figures it out, but you've just lost 15 minutes of your time.
I realize it's an extreme example, but you think someone won't try it?
Joe, if you're out there, we need to talk. I've got some ideas for you.
Once the shock wore off, I pointed out the issue to my friends sitting next to me. They spent some time analyzing ethereal output, while I downloaded and ran arpwatch. It's pretty sad to hear that some kiddies were checking browser settings....
The article claims there was no arp poisoning going on, but actually there was. I saw plenty of that. Which kinda confused us, since there doesn't seem to be much need for that in a wireless environment. You can sniff w/o arping, and you can inject traffic (as they were). But yes, it was definitely happening, though apparently by a different group. (Actually, I detected three different MAC addresses competing for the AP's IP.)
In hindsight I should have saved some of my packet captures. Might have been fun to look over later.
don't use wi-fi for anything that might be even close to important :D
Wireless was pushed along by a need to get it out. READ COMPANY PROFITS. I have attended lectures where this is described on and on. Little to no attention was paid to security. WEP? Yeah, good luck. It is fairly easy to exploit any wireless connection. It just wasn't done right.
But this is the best part. Become the middle man.
I have two extra wifi cards sitting in a box. But if you don't, why not just use two USB wifi adapters?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
reminds me of when I was a kid and I'd fuck with people using an incredibly overpowered and possibly illegal FM transmitter
But I'm a little surprised that this is "new", I thought stuff like this would've been written already a long time ago.
You're right. You just...don't...get...it.
I wonder what this will be for people at home browsing the internet on their wireless computers. There's nothing parents can do to stop their children from seeing images that are being injected like this with Frank next door beaming modified HTTP requests through the neighbourhood. The only way to do that would be a) disabling *ALL* images displayed on their web browser or b) running wires through the house. I'll bet this will be another push for WEP and other forms of wireless encryption. I wouldn't want my 4 year old nephew opening up internet explorer to find a Playboy bunny sitting on the top of their MSN.ca startup page! Anyways... back to sleep...
Uhh dude, it's 5pm in Australia.
1) does SSL prevent this attack from working?
2) What about the data stream that comes thru the wire legitimately?
3) What effect does WEP encryption have on the new "sploit"?
4) What about SSL? Do HTTPS websites remain at all vulnerable to this attack? Nearest I can tell, the answer is "no".
So, what we have here is a lame way to spoof packets for unsecured connections. So.... secure your IP already!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Well, because I don't have two extra wifi cards sitting in a box. In fact I have but one and it's in use. At least, that is, until you send me one of yours. Then I will have two and you will have two (assuming you have another, since the two you mentioned are merely sitting in a box,) and I won't need the two USB wifi adapters that I don't have, and you won't have the extra wifi card that you don't need. See? Everyone wins that way. I'll email my shipping address . . .
Joe or any other operator of an access point doesn't need AirPwn, since they obviously have physical access to the upstream Internet connection and could intercept packets more efficiently there and inject ads, etc. What's unique about AirPwn is that it enables easier packet injection by those who don't control/own/operate/admin. the access points, but by almost anyone in the neighborhood (or with a sector antenna pointed in your direction).
Anyone else freaked out by goatse being on the /. front page? Not a direct link, I know, but were the server not melted, you'd definitely have seen the goatse horrorshow images that are there.
And you'd be yucked out. But the repost of the article explaining the wireless goatse injection is +5 informative. That's weird too.
If you're confused (RIP goatse) see wikipedia.com and search slashdot.
it could be refitted with custom firmware to serve as a "packet-injector", serving the wrong stuff from a local laptop.
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Say, um... if somebody was to use AirPwn, would it be possible to track down who is using it?
let's just say I go to a school which has wireless internet access : D
>>Unless he's hosting a 150 MB mpeg, why would it be slashdotted... NOW?
I was on the site much earlier today looking at con pics and he has 4(?) videos.
>OMFG
>WTF?
For those you get no accMORONess tonight.. You can see the 15MORON0MB mpeMORONg in 2 days.. go to beMORONd.
SIG: XP SP2 download links http://notebookforums.com/showthread.php?t=35612
Are ANY of those pictures in focus?
;)
Though, maybe they did that on purpose, seeing what's on most of those people's monitors.
NT
Yeah, this is an amusing joke. But sooner or later some evil minded script kiddie will do this in a more harmful way. But hey: if you *have* a net, then presumably you could *see* it happening by having a sniffer running full time on that old dustbin linux hacky box you keep around? libpcap + some python scripts + (python for dynamically using human intel to figure what's good/bad right now). Someone research this (because it's serious - traffic analysis stuff maybe?). I'd guess the NSA knows about these things, but they don't come here except to watch (perverts?). Does being a hacker imply an absence of social responsibility (you want script kiddies with nukes?). I know a lot of us (not me) are libertarians but I don't read that as meaning totally lacking awareness (quite the opposite). We should be careful people. Not everyone is as innocent as ESR, RMS, Bruce, Tim etc... (not even CowboyNeal :-)).
Oh, and how the heck do you *REMOVE* packets?
Is there a way of making an IP Cookie Monster?
The only good red team is in a UT match.
After all it pollutes the airwaves instead of sniffing them :)
should be sent to CowboyNeal.
However wardriving is not very useful for commercials. The problem is that a commercial only works if the sender is known. (I got a commercial saying eat at McDonalds... I wonder who sent it.)
Hi.
I wrote the manual page for airpwn.
All I see in this discussion is either people joking, bitching or having no idea how airpwn works.
Let's just set things straight.
First of all, there is no arp poisoning.
Do you disagree? Well, it's a GPL app; go read the source, show me the arp poison part of the code. What's that, you can't find it? Oh, well jesus, it's because it doesn't do that.
You can hijack any tcp connection with this, it cannot be blocked without blocking the legit traffic.
This is accomplished by using raw frame injection.
One network card listens on a given channel (or in the case of a cisco card, all channels) and the other card simply injects custom frames with perfect replies. If your reply (it's up to you how big it is) is the right size, it's injected so perfectly that the connection not only still works, all of your webpage stuff still works, images just load as whatever the attacker wants.
It works with ftp, http, aim or whatever.
You can just have a ball.
It would be entirely possible to write regex that replied over aim or icq or any of that crap with a raw frame telling the other people in the conversation that they were coming out, it's up to you.
The software uses a very customizable framework to allow for use of regular expressions for matching. It's really useful for things other than goatse, but at defcon, they deserve the best.
Anyway, the totally clueless people here that claim to know how it works haven't even compiled it, so don't listen to them.
If you have any questions, feel free to ask.
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
I just got an Airport Express recently and during the setup process it gave me the option of using WEP or WPA, which it said was more secure, so I chose the latter. Why hasn't anyone mentioned WPA in this discussion? I don't really know anything about it other than it is supposed to be a more secure alternative to WEP, yet I've never heard anyone mention it even from the store I bought the Airport Express from.
Also, is there IPSEC for OS X? It's not mentioned anywhere in the Airport Admin Utility. Is it built-in? I Googled for it, and some of the first few links mention vulnerabilities in Mac OS X IPSEC. What's this all about?
It was in the Internet Connect application under VPN. Does this mean that it only applies to VPN and I can't use it to secure my internet connection for general web browsing and email through my ISP? I'm thinking this means I can use it only if I was hooked up to a server in a VPN configuration- is that right?
No it's not. It's 8:38 Saturday evening. Someday you too will discover the joy of NTP. ;-)
(Oh yeah, I am in Tokyo, and you are in ...???)
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
You're at Joe's internet cafe, or in an airport, etc. Suddenly, your internet explorer gets a web page redirect to some random porno movie of 3 guys raping a rather unattractive asian girl, complete with audio... in full screen mode. Since your laptop's audio is on, everyone in the area, including your girlfriend hear, "No don't put it in my pussy. [scream]"... And you're joe blow who doesn't know how to use the keyboard to close the window to save your life.
Yes, it could happen, particularly, if the geek in the corner is sniffing your WiFi traffic, and singles you out.
More serious would be something which noted when you wanted a secure site, such as a bank, and proxied to a full-screen web page image complete with security icons that tricked the user into sending you their password in the clear.
There are malicious 14 year olds with laptops out there that would find this awfully amusing.
The picture with the CSS is farking priceless. Although they could have chosen a nicer picture lick a chic sucking of horse or something like that.
(if only so I can justify unleashing wget)
:)
http://homestar.sytes.net/airpwn/
Parent deserves the karma, so don't mod me up until he gets to 5.
I rarely criticize things I don't care about.
When using WIFI, I generally always use an SSH port forward to encrypt and tunnel my traffic back to a 'safe' host.
At home, my AP is connected to a dedicated interface that only allows SSH. You could add port knocking for additional security.
Sure, SSH port forwards can still be disrupted or messed with. But not like plain HTTP.
BTW, nice hack!
What are they going to do this time, ban WiFi cards? (Perhaps a warning sticker on products: "This is not a phone or a LAN. This is a two-way radio. Wireless means they don't need wires either.")
One line blog. I hear that they're called Twitters now.
*while i do admire the desire to prove the inadequacies of wireless...
*while i do recognize that this is a hacker's conference...
*while i do realize that it's a good thing to do this, to prove that we should use encryption...
it's just sad. i'm old enough to remember open mail relays, not being abused, so maybe i'm just tired of the continual need to upgrade, secure, and encrypt.
wireless is cool, no two words about it. i'm sitting on my front porch, enjoying the cool air, waving to the neighbors who are out walking.
i don't use encryption on the wireless, simply because i'm not worried about somebody sniffing these unsecured packets (since i use ssh sessions for things that matter.) and because my old plaster walls don't let it go far.
but the main reason i didn't use it was because dammit, i am tired of being suspicious of everybody and everything. use secure channels, sure, but why should we have to encrypt the transport itself? i don't know why i thought wireless was going to be different than anything else.
(i'm also kinda embarrassed that i didn't think of this first. it's TERRIBLY obvious in hindsight. do also note, i'm not blaming the messengers in any way- good on you, dudes.)
end-result: time to start educating people about why it's necessary now to really worry about encrypting the transport, rather than just the communication. and one more thing that makes the net a less cool place, because some idiot out there will use it for bad purposes.
stored on computers from birth to the grave
Earlier evilscheme.org wouldn't load. Now it comes up just fine. Go figure.
Here's a mirror in case it goes *splat* again.
Have fun!
I feel cheated. I opened the article expecting a good example of 802.11 WEP reinjection.
Surely the same can be achieved by the quite mature Ettercap?
While we're on the subject of wireless attacks and such,
does anyone know of a WEPcracker dealy that will run on Windows XP or Cygwin?
I don't have a laptop running *nix, unfortunately, I could always boot to Phlack for this sort of thing but that's not quite what I want to do.
Help appreciated.
my favorite thing about this "discussion" is all the people claiming that airpwn is an "old idea" or "not unique" or "just a redone insertprogramhere" however they chose to put it. If it's such a tired idea, why didn't you guys come up with it? gg Toast and crew, you guys == win.
How easily can the tool's signature be traced?
When you got your gmail account, I got no invite. Now, you come to me asking a favor...
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
It's easy to forget now that WiFi was by no means a "sure thing". I was working at a wireless networking company (that's still going strong today) in early 2001 that used 802.11b, and we made sure that our technology was independent of the hardware, because nobody knew at the time if 802.11 would become dominant.
And it covered more protocols. Anyone opening a telnet or ftp got an ascii middle finger and a little message telling them it was a bad idea to use protocols with clear text authentication. Anyone who tried to visit a web page got a picture of Pete Shipley's face photoshopped over a naked chick having sex. Shipley was shown it and destroyed the IBM T21 laptop that was used to do it. Priest, head Defcon goon, didn't do anything about it except escort Little Mike from Dallas away from the scene, and ultimately the laptop was never replaced or repaired. We also had fun with Shipley's war driving presentation.
It was a lot funnier and certainly more original four years ago.
Remember the Alamo, and God Bless Texas...
[video|page]
I was told that I could listen to the radio at a reasonable volume from nine to eleven...
Even simpler. If your PocketPC has CompactFlash and SDIO slots, a ported version of airpwn would be equally disruptive, and much harder to detect physically.
Oh oh!! Air Pwn!! Something new!!
Not quite. Packet injectors are old. The only new thing here is that it uses wireless networking. A simple authentication / crypto solution could have prevented such a primitive thing. But do people care to encrypt their networks? No. Do people care to lock their doors when they leave for work? Yes. How come they work with security in the first place? Only God knows.
or, if your already-running linux machine (i have an sl5500, but i'm talking about the sl6000, which i am currently coveting post-purchase) has WiFi already built-in, with a free CF slot, all I need do is take my old Clie (junk!) WLAN card, stick it in, and away we go
linux in your pocket rocks it. sharp are waaaay ahead of the pack.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
> The configurations were:
> FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)
don't agree! you leave those there for the real 'leet'rs, the ones who do read ftp banners. bum score!