At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive)
Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:
* HTTP goatse, 100% of the screen
* HTTP goatse replacing all images
* HTTP goatse as the page background via CSS
* HTTP tubgirl replacing all images
* HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
* HTTP javascript alert boxes, letting people know just how pwned they were
* FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)
How does it work?
airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:
begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html
and here is the content that we return when the match is triggered:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
pwnedOPEN YOUR MIND -- TO
THE ANUS!!
Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.
In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenege.. Once we did find a victim, the results were pretty hillarious.. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:
* Open browser, see goatse, jump backwards a little
* quickly close browser, take a breath
* open browser, see goatse, close browser (faster this time)
* scratch head, quit browser process, re-launch browser
* see page indicating that goatse will load soon (page header, etc.) immediately close browser.
* open up browser preferences, click all the tabs, look for the "no goatse" checkbox
* clear the browser cache
* open browser, see goatse, close browser
* open network preferences, click on all the tabs, look for the "no goatse" checkbox.
* disconnect from network, re-associate
* open browser, see goatse, close browser
At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The more l33t victims would launch ethereal and try to figure out what was going on.. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or D
Slashdot Mirror
I think you missed the part about it being in the wet.
It doesn't say that they were hacked for sure. Why the title proclaiming that it has?
I actually live in that neighborhood. haha.
At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive) Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were: * HTTP goatse, 100% of the screen * HTTP goatse replacing all images * HTTP goatse as the page background via CSS * HTTP tubgirl replacing all images * HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures) * HTTP javascript alert boxes, letting people know just how pwned they were * FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly) How does it work? airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode: begin goatse_html match ^(GET|POST) ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff) response content/goatse_html and here is the content that we return when the match is triggered: HTTP/1.1 200 OK Connection: close Content-Type: text/html pwnedOPEN YOUR MIND -- TO THE ANUS!! Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page. In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenege.. Once we did find a victim, the results were pretty hillarious.. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this: * Open browser, see goatse, jump backwards a little * quickly close browser, take a breath * open browser, see goatse, close browser (faster this time) * scratch head, quit browser process, re-launch browser * see page indicating that goatse will load soon (page header, etc.) immediately close browser. * open up browser preferences, click all the tabs, look for the "no goatse" checkbox * clear the browser cache * open browser, see goatse, close browser * open network preferences, click on all the tabs, look for the "no goatse" checkbox. * disconnect from network, re-associate * open browser, see goatse, close browser At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The more l33t victims would launch ethereal and try to figure out what was going on.. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or D