Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Dark Side Of DefCon's Wireless Network

Posted by michael on from the the-goggles,-they-do-nothing dept.

An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."

10 of 185 comments (clear)

  1. Ethereal dump? by scubacuda · · Score: 4, Interesting
    Anyone have an ethereal dump of what all of this looks like?

    1. Re:Ethereal dump? by thinkfat · · Score: 5, Interesting

      figure you'd see a regular HTTP response packet that fits your TCP sequence numbers quite nicely, and a RST afterwards because the numbers got messed up as the faked response didn't have the same length as the real server response. Perhaps they hold down the server by injecting RST packets, too, like juggernauts TCP stream capturing mode did...

  2. i was owned by daevux · · Score: 4, Interesting

    I was a victim of this at defcon, but since I was using lynx, I really didn't see any of the images mentioned. Actually, most of the surfing I did at defcon was using links or w3m over ssh (on a home box).

  3. There could be uses by Rob_Warwick · · Score: 5, Interesting
    This could actually be a fairly annoying tool in the hands of advertisers. It also has some pretty good uses I can think of.

    Three scenarios to point this out.

    You're at Joes Internet Cafe, munching on your slightly overpriced muffin and glad for the free Wi-Fi access since you're out of town, and don't get to check your email much on the road. You hit the link to a message you want to read on webmail, when all of a sudden, an ad comes up. Nothing too bad, but it seems that Joe has decided that instead of charging people directly for 'net access, he'll rig up an old desktop with wireless to transmit the ad source for every 100th HTTP request that comes through his system.

    This is a potentially annoying way of using the technology, but it also sounds like it could be a good way for Joe to help recoup his costs on the internet. Not a place I'd mind going.

    Scenario Two

    You're at Joes Internet Cafe, munching on your slightly overpriced bagel, glad for the...well, you know. This time the 'net access isn't free, but Joe's giving it out for $1 an hour, more than reasonable. 58 minutes in, you make an HTTP request, and a small javascript window pops up informing you that you've just got a couple minutes left, more time can be bought at the counter. After 60 minutes, instead of locking you out, all your requests simply get a screen advising you that if you want to keep going, Joe's going to need a dollar at the counter.

    Seems useful to me.

    Scenario Three

    You're in Joes Internet Cafe, sipping some slightly overpriced coffee and you try to get online. After you've payed your dollar to the friendly man at the counter.

    You keep gettings ads. You click out, thinking that it's a popup window, and no, you really don't need to enlarge that, it's fine how it is.

    All browser windows closed. You try again.

    No, I don't really need those drugs...

    Or those pieces of software

    Or...

    You get the idea. Turns out, that guy in the corner is making some quick cash by spamming everyone in the place. The only sites that are coming through are from those ads. He leaves after about 15 minutes, because it can't be long until someone figures it out, but you've just lost 15 minutes of your time.

    I realize it's an extreme example, but you think someone won't try it?

    Joe, if you're out there, we need to talk. I've got some ideas for you.

    1. Re:There could be uses by SKorvus · · Score: 5, Interesting
      If you're at Joe's cafe, there's there's no need for Joe to use AirPwn. He already pwns the net connection you're connecting through (wirelessly). He can intercept & replace any packet he wants to anyway.

      The point of AirPwn is intercepting wifi traffic on someone else's network; the uses of which are overwhelmingly malicious than benign, to my thinking. Exactly like Scenario 3. Or worse, detecting passwords, requests for secure connections to eBay, banks, etc.

      My question to the crowd is, how effective would existing wireless encryption standards be at disabling AirPwn?

      --
      Live simply, that others may simply live. -Gandhi
  4. Re:awesome . . . by Lord+Kano · · Score: 3, Interesting

    I have two extra wifi cards sitting in a box. But if you don't, why not just use two USB wifi adapters?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  5. A few questions by mcrbids · · Score: 3, Interesting

    1) does SSL prevent this attack from working?

    2) What about the data stream that ocmes thru the wire legimately?

    3) What effect does WEP encryption have on the new "sploit"?

    4) What about SSL? Do HTTPS websites remain at all vulnerable to this attack? Nearest I can tell, the answer is "no".

    So, what we have herei is a lame way to spoof packets for unsecuredd onnections. So.... secure your IP already!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  6. Re:Bad News... by Homology · · Score: 4, Interesting
    You can setup IPSec for your wireless network. Or if that becomes to troublesome to setup, you can use OpenVPN that is easy to configure and has a client for Windows as well.

    After reading a few posts on this thread, I find it peculiar that so many slashdotters don't know that IPSec or related vpn products can be used to secure wireless.

  7. I wrote the man page for airpwn by ConsumedByTV · · Score: 4, Interesting

    Hi.

    I wrote the manual page for airpwn.

    All I see in this discussion is either people joking, bitching or having no idea how airpwn works.

    Let's just set things straight.
    First of all, there is no arp posioning.
    Do you disagree? Well it's a GPL app, go read the source, show me the arp posion part of the code. What's that you can't find it? Oh, well jesus, it's because it doesn't do that.

    You can hijack any tcp connection with this, it cannot be blocked without blocking the legit traffic.

    This is accomplished by using raw frame injection.
    One network card listens on a given channel (or in the case of a cisco card, all channels) and the other card simply injects custom frames with perfect replies. If your reply (it's up to you how big it is) is the right size, it's injected so perfectly that the connection not only still works, all of your webpage stuff still works, images just load as whatever the attacker wants.

    It works with ftp, http, aim or whatever.
    You can just have a ball.

    It would be entirely possible to write regex that replied over aim or icq or any of that crap with a raw frame telling the other people in the conversation that they were coming out, it's up to you.

    The software uses a very customizable framework to allow for use of regular expressions for matching. It's really useful for things other than goatse, but at defcon, they deserve the best.

    Anyway, the totally clueless people here that claim to know how it works haven't even compiled it, so don't listen to them.

    If you have any questions, feel free to ask.

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  8. SSH port forward is your friend by freelunch · · Score: 4, Interesting

    When using WIFI, I generally always use an SSH port forward to encrypt and tunnel my traffic back to a 'safe' host.

    At home, my AP is connected to a dedicated interface that only allows SSH. You could add port knocking for additional security.

    Sure, SSH port forwards can still be disrupted or messed with. But not like plain HTTP.

    BTW, nice hack!