Slashdot Mirror


The Dark Side Of DefCon's Wireless Network

An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."

9 of 185 comments

  1. Hardly bad by shfted! · · Score: 5, Insightful

    It's a hacker conference. There is probably no more tolerant place to release such a piece of code, where your talents will be respected instead of persecuted. There were also no doubt many members of the computer security community present who would want to be aware of any new vulnerabilities immediately. I think it's a great thing it was tried and released at DefCon first.

    --
    He who laughs last is stuck in a time dilation bubble.
  2. Re:wireless protection by beyonddeath · · Score: 5, Funny

    Well they are geeks, it's not like they have any real use for it... *ducks*

  3. Fuck. by sekzscripting · · Score: 5, Funny

    Well, it looks like all you hax0rz got them back by slashdotting their site.

    Mirror mirror on the wall?

  4. Starbucks! by eingram · · Score: 5, Funny

    Someone get to a local Starbucks with this, fast! Oh, and bring your camera!

  5. There could be uses by Rob_Warwick · · Score: 5, Interesting
    This could actually be a fairly annoying tool in the hands of advertisers. It also has some pretty good uses I can think of.

    Three scenarios to point this out.

    You're at Joe's Internet Cafe, munching on your slightly overpriced muffin and glad for the free Wi-Fi access since you're out of town, and don't get to check your email much on the road. You hit the link to a message you want to read on webmail, when all of a sudden, an ad comes up. Nothing too bad, but it seems that Joe has decided that instead of charging people directly for 'net access, he'll rig up an old desktop with wireless to transmit the ad source for every 100th HTTP request that comes through his system.

    This is a potentially annoying way of using the technology, but it also sounds like it could be a good way for Joe to help recoup his costs on the internet. Not a place I'd mind going.

    Scenario Two

    You're at Joe's Internet Cafe, munching on your slightly overpriced bagel, glad for the...well, you know. This time the 'net access isn't free, but Joe's giving it out for $1 an hour, more than reasonable. 58 minutes in, you make an HTTP request, and a small javascript window pops up informing you that you've just got a couple minutes left, more time can be bought at the counter. After 60 minutes, instead of locking you out, all your requests simply get a screen advising you that if you want to keep going, Joe's going to need a dollar at the counter.

    Seems useful to me.

    Scenario Three

    You're in Joe's Internet Cafe, sipping some slightly overpriced coffee and you try to get online. After you've paid your dollar to the friendly man at the counter.

    You keep getting ads. You click out, thinking that it's a popup window, and no, you really don't need to enlarge that, it's fine how it is.

    All browser windows closed. You try again.

    No, I don't really need those drugs...

    Or those pieces of software

    Or...

    You get the idea. Turns out, that guy in the corner is making some quick cash by spamming everyone in the place. The only sites that are coming through are from those ads. He leaves after about 15 minutes, because it can't be long until someone figures it out, but you've just lost 15 minutes of your time.

    I realize it's an extreme example, but you think someone won't try it?

    Joe, if you're out there, we need to talk. I've got some ideas for you.

    1. Re:There could be uses by SKorvus · · Score: 5, Interesting
      If you're at Joe's cafe, there's no need for Joe to use AirPwn. He already pwns the net connection you're connecting through (wirelessly). He can intercept & replace any packet he wants to anyway.

      The point of AirPwn is intercepting wifi traffic on someone else's network; the uses of which are overwhelmingly more malicious than benign, to my thinking. Exactly like Scenario 3. Or worse, detecting passwords, requests for secure connections to eBay, banks, etc.

      My question to the crowd is, how effective would existing wireless encryption standards be at disabling AirPwn?

      --
      Live simply, that others may simply live. -Gandhi
  6. response of a victim by menscher · · Score: 5, Informative
    Ok, so I got hit by this, when attempting to check slashdot during one of the talks. First reaction was to hit the Back button as fast as I could, to get the image off my screen.

    Once the shock wore off, I pointed out the issue to my friends sitting next to me. They spent some time analyzing ethereal output, while I downloaded and ran arpwatch. It's pretty sad to hear that some kiddies were checking browser settings....

    The article claims there was no arp poisoning going on, but actually there was. I saw plenty of that. Which kinda confused us, since there doesn't seem to be much need for that in a wireless environment. You can sniff w/o arping, and you can inject traffic (as they were). But yes, it was definitely happening, though apparently by a different group. (Actually, I detected three different MAC addresses competing for the AP's IP.)

    In hindsight I should have saved some of my packet captures. Might have been fun to look over later.
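The check described in the comment above (several MAC addresses answering for one IP) can be run over captured ARP payloads. This is an added example, not part of the original comment; the helper names, IP addresses and MAC addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed 28-byte IPv4-over-Ethernet ARP payload (test data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip), or None if not IPv4/Ethernet ARP."""
    if len(payload) < 28:
        return None  # truncated capture
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in payload[8:14])
    spa = ".".join(str(b) for b in payload[14:18])
    return oper, sha, spa

def competing_claims(payloads):
    """Map each IP to the MACs that sent ARP replies for it, keeping only IPs
    claimed by more than one MAC. Simplification: requests are not counted."""
    claims = defaultdict(list)
    for p in payloads:
        parsed = parse_arp(p)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

# Constructed sample: three stations answer for the access point's IP.
AP, CLIENT, CMAC = "10.0.0.1", "10.0.0.23", "02:00:00:00:00:10"
SAMPLE = [
    build_arp(2, "02:00:00:00:00:aa", AP, CMAC, CLIENT),
    build_arp(2, "02:00:00:00:00:bb", AP, CMAC, CLIENT),
    build_arp(1, CMAC, CLIENT, "00:00:00:00:00:00", AP),  # request, ignored
    build_arp(2, "02:00:00:00:00:cc", AP, CMAC, CLIENT),
    build_arp(2, "02:00:00:00:00:aa", AP, CMAC, CLIENT),  # repeat of a known claim
    build_arp(2, CMAC, CLIENT, "02:00:00:00:00:aa", AP),  # single owner, not flagged
    b"\x00\x01\x08\x00",                                  # truncated, ignored
]

if __name__ == "__main__":
    print(competing_claims(SAMPLE))
```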

  7. Re:why.. by thinkfat · · Score: 5, Funny
    Is there some connection between this and that vulnerabilities re-surface in new clothes constantly as well?

    Yes. Human Stupidity

  8. Re:Ethereal dump? by thinkfat · · Score: 5, Interesting

    figure you'd see a regular HTTP response packet that fits your TCP sequence numbers quite nicely, and a RST afterwards because the numbers got messed up as the faked response didn't have the same length as the real server response. Perhaps they hold down the server by injecting RST packets, too, like Juggernaut's TCP stream capturing mode did...
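
The capture pattern guessed at in the comment above (two responses occupying the same sequence numbers with different content, then a RST) can be checked for mechanically. This is an added example, not part of the original thread; the segment record layout, function names and sample traffic are constructed for illustration.

```python
from collections import defaultdict

def overlap_mismatch(a_seq, a_data, b_seq, b_data):
    """True when two segments share a sequence range but carry different bytes there."""
    start = max(a_seq, b_seq)
    end = min(a_seq + len(a_data), b_seq + len(b_data))
    if start >= end:
        return False  # no shared range
    return a_data[start - a_seq:end - a_seq] != b_data[start - b_seq:end - b_seq]

def conn_key(s):
    """Direction-independent connection identifier."""
    return frozenset({(s["src"], s["sport"]), (s["dst"], s["dport"])})

def find_conflicting_segments(segments):
    """Flag flows where a later segment contradicts bytes already seen at the same
    sequence numbers. Identical retransmissions are not flagged.
    Simplification: sequence-number wraparound is ignored."""
    seen = defaultdict(list)  # flow -> [(seq, payload)]
    findings = []
    for i, s in enumerate(segments):
        if not s["payload"]:
            continue
        flow = (s["src"], s["sport"], s["dst"], s["dport"])
        for seq, old in seen[flow]:
            if overlap_mismatch(seq, old, s["seq"], s["payload"]):
                rst = any("R" in t["flags"] and conn_key(t) == conn_key(s)
                          for t in segments[i + 1:])
                findings.append({"flow": flow, "seq": s["seq"],
                                 "lengths": (len(old), len(s["payload"])),
                                 "rst_followed": rst})
                break
        seen[flow].append((s["seq"], s["payload"]))
    return findings

def seg(src, sport, dst, dport, seq, flags, payload=b""):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                seq=seq, flags=flags, payload=payload)

# Constructed capture: one flow with two different responses at seq 1000 and a
# RST afterwards, and one flow with an ordinary identical retransmission.
C, S, S2 = "10.0.0.23", "192.0.2.80", "192.0.2.81"
SAMPLE = [
    seg(C, 40000, S, 80, 1, "PA", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    seg(S, 80, C, 40000, 1000, "PA", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    seg(S, 80, C, 40000, 1000, "PA", b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nreal server"),
    seg(C, 40000, S, 80, 39, "R"),
    seg(S2, 80, C, 40001, 5000, "PA", b"same bytes"),
    seg(S2, 80, C, 40001, 5000, "PA", b"same bytes"),  # plain retransmission
]
```

The check only shows that two senders disagreed about the same bytes; it does not say which of the two segments was the forged one.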