The Dark Side Of DefCon's Wireless Network
An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."
. . . but you need two wifi cards on one machine to use it.
everything in moderation
airpwn - bringing goatse (and friends) to Defcon 12!
Images from Dave's camera
Movies from Dave's camera
Images from my phone
At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to, say, wiping your hard-drive).
Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:
HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)
How does it work?
airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:
begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html
and here is the content that we return when the match is triggered:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
pwnedOPEN YOUR MIND -- TO
THE ANUS!!
Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.
In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenge. Once we did find a victim, the results were pretty hilarious. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:
Open browser, see goatse, jump backwards a little
quickly close browser, take a breath
open browser, see goatse, close browser (faster this time)
scratch head, quit browser process, re-launch browser
see page indicating that goatse will load soon (page header, etc.) immediately close browser.
open up browser preferences, click all the tabs, look for the "no goatse" checkbox
clear the browser cache
open browser, see goatse, close browser
open network preferences, click on all the tabs, look for the "no goatse" checkbox.
disconnect from network, re-associate
open browser, see goatse, close browser
At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare. The m
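The injection race in the "How does it work?" section above (a crafted reply that beats the real server's reply to the client) leaves a recognisable trace on the wire. The following is an added example from the defender's side, not code from the airpwn write-up: a small detector that flags a flow where two data segments carry the same TCP seq/ack but different payloads, run over a constructed capture.

```python
"""Detect airpwn-style TCP response injection in a packet trace.
Added example, not code from the airpwn write-up. An injected reply races the
real server's reply, so the trace holds two data segments with the same
seq/ack on one flow but different payloads (retransmissions match and are not
flagged). IP TTL is reported: a frame injected on the local segment rarely
matches the real server's path length."""
from dataclasses import dataclass

@dataclass
class Segment:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    ttl: int
    payload: bytes

def find_injection(segments):
    """Return (first, later) pairs of same-seq segments whose payloads differ."""
    seen, findings = {}, []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACK/RST: nothing to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq, seg.ack)
        first = seen.setdefault(key, seg)
        if first is not seg and first.payload != seg.payload:
            findings.append((first, seg))
    return findings

def describe(pair):
    a, b = pair
    return {"flow": f"{a.src}:{a.sport}->{a.dst}:{a.dport}", "seq": a.seq,
            "gap_ms": round((b.ts - a.ts) * 1000, 1), "ttl": (a.ttl, b.ttl),
            "first_line": a.payload.split(b"\r\n", 1)[0].decode()}

# Constructed trace (private/documentation addresses): client GET, fast injected
# reply, the real reply 83 ms later, then the client's RST for the real one.
CLIENT, SERVER = "10.0.0.42", "198.51.100.7"
GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE = [
    Segment(0.000, CLIENT, 52000, SERVER, 80, 1000, 5000, 64, GET),
    Segment(0.002, SERVER, 80, CLIENT, 52000, 5000, 1000 + len(GET), 64,
            b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\npwned"),
    Segment(0.085, SERVER, 80, CLIENT, 52000, 5000, 1000 + len(GET), 51,
            b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>"),
    Segment(0.086, CLIENT, 52000, SERVER, 80, 1000 + len(GET), 5000, 64, b""),
]
```

Running find_injection over a real capture needs only a reader that fills Segment from each TCP packet; the TTL pair and the timing gap in describe() are what separate a spoofed local reply from an ordinary retransmission.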
Go easy on it.
http://leela.lasthome.net/airpwn/
Only on slashdot can a posting be rated "Score -1, Insightful".
Once the shock wore off, I pointed out the issue to my friends sitting next to me. They spent some time analyzing Ethereal output, while I downloaded and ran arpwatch. It's pretty sad to hear that some kiddies were checking browser settings....
The article claims there was no arp poisoning going on, but actually there was. I saw plenty of that. Which kinda confused us, since there doesn't seem to be much need for that in a wireless environment. You can sniff w/o arping, and you can inject traffic (as they were). But yes, it was definitely happening, though apparently by a different group. (Actually, I detected three different MAC addresses competing for the AP's IP.)
In hindsight I should have saved some of my packet captures. Might have been fun to look over later.
Use IPSec instead of WEP for the wireless network, and AirPwn would not amount to much more than DoS. OpenBSD has IPSec in the base install, and is fairly easy to set up.
ssh with protocol 2 is also safe. If you connect to someone impersonating the ssh server, and you try to connect, ssh will give a warning that the keys on the ssh server have changed.
I doubt this tool will make its way to OSX anytime soon, but OSX (and OS9) has EtherPEG. When I run it in my dorm I get a nice porn collage.
Apparently many defcon users were not impressed
To actually answer your questions.
1. SSL would effectively block this attack IF the user pays attention to invalid certs. Your browser contains certain CAs it trusts and, unless they had control of your PC which is certainly possible but was not done in this case, the CA they would use would be invalid and generate that pop-up box telling you so. If you ignore that box and click yes you do so at your own peril.
2. What about it? Once the data is on wifi then it is fair game for any type of manipulation. That is why they have 2 nics. The first nic "hears" your request for content "GET" and then responded much more quickly than the remote web server can with the corrupted "POST". When the correct information finally gets to your PC it is simply ignored as invalid TCP traffic and a RST packet is generated.
3. WEP would have stopped it in this instance. WEP is breakable but requires a good amount of data to be sent over the wire. Since your average user is not going to send GBs of data over HTTP and the processing power needed to break 100s of connections would be more than a couple of laptops could handle, this attack would have been a lot less fun. Still possible but would need to be much more dedicated. I run WEP at home, I know it will not stop the determined hacker but the casual war-driver will ignore me in favor of my many neighbors with open APs.
4. You are correct AS LONG AS you pay attention to the cert's trail. SSL really is two separate pieces in my mind. 1 - encryption - end-to-end data encryption and 2 - trust - I know the data I am receiving comes from the correct website. This is done with certificates. Since there is no God of the internet and we have to trust someone initially, companies like Verisign, etc. have worked with Microsoft, Mozilla, etc. to get their root certs pre-installed in your browser. Anybody can generate a certificate but only companies that have passed the "Identification Test" with Verisign or whoever can issue certs that will have the proper path back to a valid root cert. Please note Verisign has been duped before and even given out valid MS certs to non-Microsoft organizations.
You may think it is lame but it is actually a harmless example of things to come. Why is wardriving so popular? Because 90% of the APs do NOT use WEP. If everyone used WEP that would stop casual attacks. Consider two fences. One a 3-ft high fence. This fence is only going to stop people who don't want to go in. The 2nd fence is 10' high with barbed wire. This can still be overcome but will require some dedication. That is the difference between open and WEP. The problem is nobody uses WEP so this attack will work most of the time with ease.
Regards