Slashdot Mirror


The Dark Side Of DefCon's Wireless Network

An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."

13 of 185 comments

  1. Early ./? by Chibo · · Score: 2, Funny

    At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive).

    Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

    * HTTP goatse, 100% of the screen
    * HTTP goatse replacing all images
    * HTTP goatse as the page background via CSS
    * HTTP tubgirl replacing all images
    * HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
    * HTTP javascript alert boxes, letting people know just how pwned they were
    * FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

    How does it work?

    airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:

        begin goatse_html
        match ^(GET|POST)
        ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
        response content/goatse_html

    and here is the content that we return when the match is triggered:

        HTTP/1.1 200 OK
        Connection: close
        Content-Type: text/html

        pwnedOPEN YOUR MIND -- TO THE ANUS!!

    Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused.

    While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.

    In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama.

    First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenge.. Once we did find a victim, the results were pretty hilarious.. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:

    * Open browser, see goatse, jump backwards a little
    * quickly close browser, take a breath
    * open browser, see goatse, close browser (faster this time)
    * scratch head, quit browser process, re-launch browser
    * see page indicating that goatse will load soon (page header, etc.) immediately close browser.
    * open up browser preferences, click all the tabs, look for the "no goatse" checkbox
    * clear the browser cache
    * open browser, see goatse, close browser
    * open network preferences, click on all the tabs, look for the "no goatse" checkbox.
    * disconnect from network, re-associate
    * open browser, see goatse, close browser

    At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The more l33t victims would launch ethereal and try to figure out what was going on.. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or D
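
A defender-side illustration of the injection described in the write-up above, added here and not part of the original post or of airpwn: a passive sensor can flag a spoofed server reply because the genuine server's reply still arrives for the same TCP sequence range with different bytes. The record layout, addresses and the function name `find_conflicting_segments` are assumptions, and the sample segments are constructed.

```python
from collections import defaultdict

# Constructed sample data (not real traffic): TCP data segments as a passive
# sensor would record them. Addresses, ports and field names are assumptions.
WEB = ("10.0.0.5", 40112, "192.0.2.10", 80)
OTHER = ("10.0.0.6", 40200, "192.0.2.20", 80)
SEGMENTS = [
    {"flow": WEB, "dir": "c2s", "seq": 1000,
     "data": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    # Spoofed reply that reaches the client first.
    {"flow": WEB, "dir": "s2c", "seq": 5000,
     "data": b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
             b"Content-Type: text/html\r\n\r\ninjected body"},
    # Genuine reply: same starting sequence number, different bytes.
    {"flow": WEB, "dir": "s2c", "seq": 5000,
     "data": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Content-Length: 5\r\n\r\nhello"},
    # Ordinary retransmission on another flow: identical bytes, no alert.
    {"flow": OTHER, "dir": "s2c", "seq": 900,
     "data": b"HTTP/1.1 304 Not Modified\r\n\r\n"},
    {"flow": OTHER, "dir": "s2c", "seq": 900,
     "data": b"HTTP/1.1 304 Not Modified\r\n\r\n"},
]


def find_conflicting_segments(segments):
    """Flag segments whose bytes disagree with data already seen at the same
    sequence positions of the same flow and direction."""
    seen = defaultdict(dict)  # (flow, dir) -> {sequence position: byte}
    alerts = []
    for seg in segments:
        stream = seen[(seg["flow"], seg["dir"])]
        for offset, byte in enumerate(seg["data"]):
            pos = (seg["seq"] + offset) % 2**32  # sequence numbers wrap
            if stream.setdefault(pos, byte) != byte:
                alerts.append({"flow": seg["flow"], "dir": seg["dir"],
                               "first_conflict_seq": pos})
                break  # one alert per conflicting segment
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_segments(SEGMENTS):
        print("conflicting payload:", alert)
```

Identical retransmissions are common on lossy wireless links, so the check alerts only when overlapping bytes differ.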

  2. wireless protection by scubacuda · · Score: 4, Funny
    You gotta love the condom over the little antenna.

    1. Re:wireless protection by beyonddeath · · Score: 5, Funny

      Well they are geeks, it's not like they have any real use for it... *ducks*

    2. Re:wireless protection by Biogenesis · · Score: 3, Funny

      Finally! Geeks have a reason to buy condoms!

  3. flipping the bird by scubacuda · · Score: 2, Funny
    What kind of middle finger is that?

  4. Fuck. by sekzscripting · · Score: 5, Funny

    Well, it looks like all you hax0rz got them back by slashdotting their site.

    Mirror mirror on the wall?

  5. Starbucks! by eingram · · Score: 5, Funny

    Someone get to a local Starbucks with this, fast! Oh, and bring your camera!

    1. Re:Starbucks! by jrockway · · Score: 2, Funny

      That's an interesting point you bring up. Defcon-goers have likely seen goatse, but some random business-mom with her kids would probably shit herself. Off to starbucks indeed!!!

      --
      My other car is first.
    2. Re:Starbucks! by Anonymous Coward · · Score: 1, Funny

      Fuck you! Me and my pringles can are going to be across the street from the elementary, then middle, then high schools, private schools in affluent neighborhoods first. I can't wait to see the kids wander out stunned on to the playground and try to make sense of the horrors they've seen. Muwahahaha.

  6. Re:why.. by thinkfat · · Score: 5, Funny
    Is there some connection between this and that vulnerabilities re-surface in new clothes constantly as well?

    Yes. Human Stupidity

  7. Re:I wrote the man page for airpwn by Anonymous Coward · · Score: 1, Funny

    It's really useful for things other than goatse, but at defcon, they deserve the best.

    Before you tout your pride over airpwn you might want to replace the tubgirl and goatse config samples in the damn tarball with something a bit more tasteful. How the fuck can you expect to be taken seriously when you distribute that crap? Don't get me wrong, it's an interesting piece of code and the DefCon prank made me chuckle - but for the love of god yank that shit out from the source distribution! As it stands, by default, it's nothing more than a curiosity for trolls and script kiddies.

  8. Re:awesome . . . by Lord Kano · · Score: 2, Funny



    When you got your gmail account, I got no invite. Now, you come to me asking a favor...

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  9. Re:I wrote the man page for airpwn by drinkypoo · · Score: 2, Funny

    I know many assorted people who have gone to defcon and returned to tell me stories, not all of whom are the get drunk types. Nonetheless there is no need whatsoever to go to defcon to learn this shit, to interface with these people, et cetera, thanks to the internet. It's a party, build a bridge and get over it.

    Incidentally, your little comment about laps flipping - was that intentional? If so, it wasn't clever - just marks you as being the same kind of wanker that I expect to try to defend the reputation of defcon.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"