Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Wireless Networking It's funny.  Laugh. Security Hardware

The Dark Side Of DefCon's Wireless Network 185

An anonymous reader writes "While there's been a few postings on events happening at DefCon 12, one event seems to have been overlooked. A new wireless packet injection tool was quietly released (unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as deployed by its author and crew at DefCon 12."
This discussion has been archived. No new comments can be posted.

The Dark Side Of DefCon's Wireless Network

Comments Filter:
  • awesome . . . (Score:5, Informative)

    by randyest ( 589159 ) on Saturday August 07, 2004 @02:03AM (#9907262) Homepage
    . . . but you need two wifi cards one on machine to use it.

    • Re:awesome . . . (Score:3, Interesting)

      by Lord Kano ( 13027 )
      I have two extra wifi cards sitting in a box. But if you don't, why not just use two USB wifi adapters?

      LK
      • Well, because I don't have two extra wifi cards sitting in a box. In fact I have but one and it's in use. At least, that is, until you send me one of yours. Then I will have two and you will have two (assuming you have another, since the two you mentioned are merely sitting in a box,) and I won't need the two USB wifi adapters that I don't have, and you won't have the extra wifi card that you don't need. See? Everyone wins that way. I'll email my shipping address . . .
      • Even simpler. If your PocketPC has CompactFlash [netgear.com] and SDIO [socketcom.com] slots, a ported version of airpwn would be equally disruptive, and much harder to detect physically.
    • it could be refitted with custom firmware to serve as a "packet-injector", serving the wrong stuff from a local laptop.
  • Ethereal dump? (Score:5, Interesting)

    by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Saturday August 07, 2004 @02:09AM (#9907278)
    Anyone have an ethereal dump of what all of this looks like?

    • Re:Ethereal dump? (Score:5, Interesting)

      by thinkfat ( 789883 ) on Saturday August 07, 2004 @02:56AM (#9907428)
      figure you'd see a regular HTTP response packet that fits your TCP sequence numbers quite nicely, and a RST afterwards because the numbers got messed up as the faked response didn't have the same length as the real server response. Perhaps they hold down the server by injecting RST packets, too, like juggernauts TCP stream capturing mode did...
    • It looks like a perfectly good response from the server. It's an entire frame constructed to be a reply to your request.
  • Early ./? (Score:2, Funny)

    by Chibo ( 762245 )
    At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive) Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch a
  • by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Saturday August 07, 2004 @02:13AM (#9907295)
    You gotta love the condom over the little antenna [evilscheme.org].

  • i was owned (Score:4, Interesting)

    by daevux ( 626542 ) on Saturday August 07, 2004 @02:15AM (#9907299)
    I was a victim of this at defcon, but since I was using lynx, I really didn't see any of the images mentioned. Actually, most of the surfing I did at defcon was using links or w3m over ssh (on a home box).
    • Re:i was owned (Score:3, Insightful)

      So really you weren't because this wouldn't have affected you at all.

      This type of attack doesn't bother people that don't request images.

      Stop karma whoring.
  • by Anonymous Coward on Saturday August 07, 2004 @02:16AM (#9907303)
    airpwn - bringing goatse (and friends) to Defcon 12!

    Images from Dave's camera
    Movies from Dave's camera
    Images from my phone
    At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive)

    Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

    HTTP goatse, 100% of the screen
    HTTP goatse replacing all images
    HTTP goatse as the page background via CSS
    HTTP tubgirl replacing all images
    HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
    HTTP javascript alert boxes, letting people know just how pwned they were
    FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

    How does it work?

    airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:

    begin goatse_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/goatse_html

    and here is the content that we return when the match is triggered:
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html

    pwnedOPEN YOUR MIND -- TO
    THE ANUS!!

    Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.
    In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful . The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenege.. Once we did find a victim, the results were pretty hillarious.. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:

    Open browser, see goatse, jump backwards a little
    quickly close browser, take a breath
    open browser, see goatse, close browser (faster this time)
    scratch head, quit browser process, re-launch browser
    see page indicating that goatse will load soon (page header, etc.) immediately close browser.
    open up browser preferences, click all the tabs, look for the "no goatse" checkbox
    clear the browser cache
    open browser, see goatse, close browser
    open network preferences, click on all the tabs, look for the "no goatse" checkbox.
    disconnect from network, re-associate
    open browser, see goatse, close browser
    At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The m
  • Hardly bad (Score:5, Insightful)

    by shfted! ( 600189 ) on Saturday August 07, 2004 @02:17AM (#9907305) Journal
    It's a hacker conference. There is probably no more tolerant place to release such a piece of code, where your talents will be respected instead of persecuted. There were also no doubt many members of the computer security community present who would want to be aware of any new vulnerabilities immediately. I think it's a great thing it was tried and released at DefCon first.
  • by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Saturday August 07, 2004 @02:20AM (#9907316)
    What kind of middle finger [evilscheme.org] is that?

  • why.. (Score:4, Insightful)

    by Anonymous Coward on Saturday August 07, 2004 @02:22AM (#9907323)
    Do people still do this? Packet injections of various and sundry sorts are old news.

    There's a worrisome pattern, in the IT security biz, of repetition. Hacks discovered a few years ago re-appear in new clothes as "new," technologies for protecting against them resurface every few years in the same way. Computing as a whole tends to re-invent things on something like a 15 year cycle, but security seems to be on a truly frenetic clock, cycling every 2 years or so (very very approximately ;)

    Is there some connection between this and that vulnerabilties re-surface in new clothes constantly as well?
    • Re:why.. (Score:5, Funny)

      by thinkfat ( 789883 ) on Saturday August 07, 2004 @02:45AM (#9907402)
      Is there some connection between this and that vulnerabilties re-surface in new clothes constantly as well?

      Yes. Human Stupidity

    • Headless chickens (Score:2, Insightful)

      by AndroidCat ( 229562 )
      I can't wait for the headless-chicken legal/political responses. When they discovered that anyone could listen to their cell-radio conversations, they banned scanners that could cover those frequencies. (Wow, that was effective!) Eventually the technical solution was to go digital/encrypted.

      What are they going to do this time, ban WiFi cards? (Perhaps a warning sticker on products: "This is not a phone or a LAN. This is a two-way radio. Wireless means they don't need wires either.")

  • Fuck. (Score:5, Funny)

    by sekzscripting ( 687192 ) on Saturday August 07, 2004 @02:22AM (#9907326) Homepage
    Well, it looks like all you hax0rz got them back by slashdotting their site.

    Mirror mirror on the wall?
  • Starbucks! (Score:5, Funny)

    by eingram ( 633624 ) on Saturday August 07, 2004 @02:24AM (#9907334)
    Someone get to a local Starbucks with this, fast! Oh, and bring your camera!
    • by jrockway ( 229604 ) *
      That's an interesting point you bring up. Defcon-goers have likely seen goatse, but some random business-mom with her kids would probably shit herself. Off to starbucks indeed!!!
      • by Anonymous Coward
        Fuck you! Me and my pringles can are going to be across the street from the elementary, then middle, then high schools, private schools in affluent neighborhoods first. I can't wait to see the kids wander out stunned on to the playground and try to make sense of the horrors they've seen. Muwahahaha.
        • You laugh, but back in the day when I was considering becoming a terrorist, I actually considered something like that.

          Nothing like ruining this culture's obsessions with "protecting kids" than leaving porn mags around the local schools for the eager tikes to snatch up and hide in their bookbags.

          Heh, heh.

          "Stunned", my ass. "Stunned" at their good fortune, more likely.

          (Of course, goatsex wouldn't be my first choice of material. You have to have SOME taste.)

      • I'd like to go to Defcon, if it wan't on the other side of the world I would, but am I really a minority in the hacker world? Am I the only person who hasn't, and has no desire to look at goatse?

        I'd shit myself too. Then fire up ethereal, but I would shit myself first.
        • Well you build up an immunity after a while. I'm not going to go to goatse during my normal browsing session, but if it mysteriously showed up i wouldn't freak out. I could look without throwing up long enough to close the window, anyway.

          As a side note, what's with mr. goatse's ring... take off your rings when you're expanding your anus, please :-)
          • Meh....I shit myself when I found out one of my friends was running Windows 2003 on his web server, and not Apache on Linux. It doesn't take a lot.
    • Goatse! (Score:1, Interesting)

      by randyest ( 589159 )
      Anyone else freaked out by goatse being on the /. font page? Not a direct link, I know, but were the server not melted, you'd definitely have seen the goatse horrorshow images that are there.

      And you'd be yucked out. But the repost of the article explaining the wireless goatse injection is +5 informative. That's weird too.

      If you're confused (RIP goatse) see wikipedia.com and search slashdot.
  • by Moonwick ( 6444 ) on Saturday August 07, 2004 @02:24AM (#9907336) Homepage
    Go easy on it.

    http://leela.lasthome.net/airpwn/
  • Ohhh how I wish I had an x86 laptop instead of my iBook!! :(
    • You could use an external USB wifi adapter with an iBook. There's a few Mac-compatible ones available.

      Sample product. [dlink.com]

      • I have the Belkin 802.11b USB adapter and it has official drivers from Belkin for Mac and the chipset manufacture has good Linux drivers. It has REALLY excellent range, it can pull in just about anything my Cisco 350 card can.Also, the airport cards all support a promiscuous mode, so you can always use them to scan.

        I doubt this tool will make it's way to OSX anytime soon, but OSX(and OS9) has EtherPEG [etherpeg.org]. When I run it in my dorm I get a nice porn collage.

  • There could be uses (Score:5, Interesting)

    by Rob_Warwick ( 789939 ) <[moc.rettirfelppa] [ta] [kciwraw]> on Saturday August 07, 2004 @02:25AM (#9907339) Homepage Journal
    This could actually be a fairly annoying tool in the hands of advertisers. It also has some pretty good uses I can think of.

    Three scenarios to point this out.

    You're at Joes Internet Cafe, munching on your slightly overpriced muffin and glad for the free Wi-Fi access since you're out of town, and don't get to check your email much on the road. You hit the link to a message you want to read on webmail, when all of a sudden, an ad comes up. Nothing too bad, but it seems that Joe has decided that instead of charging people directly for 'net access, he'll rig up an old desktop with wireless to transmit the ad source for every 100th HTTP request that comes through his system.

    This is a potentially annoying way of using the technology, but it also sounds like it could be a good way for Joe to help recoup his costs on the internet. Not a place I'd mind going.

    Scenario Two

    You're at Joes Internet Cafe, munching on your slightly overpriced bagel, glad for the...well, you know. This time the 'net access isn't free, but Joe's giving it out for $1 an hour, more than reasonable. 58 minutes in, you make an HTTP request, and a small javascript window pops up informing you that you've just got a couple minutes left, more time can be bought at the counter. After 60 minutes, instead of locking you out, all your requests simply get a screen advising you that if you want to keep going, Joe's going to need a dollar at the counter.

    Seems useful to me.

    Scenario Three

    You're in Joes Internet Cafe, sipping some slightly overpriced coffee and you try to get online. After you've payed your dollar to the friendly man at the counter.

    You keep gettings ads. You click out, thinking that it's a popup window, and no, you really don't need to enlarge that, it's fine how it is.

    All browser windows closed. You try again.

    No, I don't really need those drugs...

    Or those pieces of software

    Or...

    You get the idea. Turns out, that guy in the corner is making some quick cash by spamming everyone in the place. The only sites that are coming through are from those ads. He leaves after about 15 minutes, because it can't be long until someone figures it out, but you've just lost 15 minutes of your time.

    I realize it's an extreme example, but you think someone won't try it?

    Joe, if you're out there, we need to talk. I've got some ideas for you.

    • by SKorvus ( 685199 ) on Saturday August 07, 2004 @02:42AM (#9907391) Homepage
      If you're at Joe's cafe, there's there's no need for Joe to use AirPwn. He already pwns the net connection you're connecting through (wirelessly). He can intercept & replace any packet he wants to anyway.

      The point of AirPwn is intercepting wifi traffic on someone else's network; the uses of which are overwhelmingly malicious than benign, to my thinking. Exactly like Scenario 3. Or worse, detecting passwords, requests for secure connections to eBay, banks, etc.

      My question to the crowd is, how effective would existing wireless encryption standards be at disabling AirPwn?

      • I stand corrected. (This humility is only happening because I know if I don't, at least 10 slashdotters will repeat the same fact as this guy.) I just had scenario 4 pop into my head, where some kids with a laptop grabs the code for Joe's 'service denied, pay me at the counter' screen, and starts replacing all requests with it. It could cause quite a bit of confusion, as Joe would think it was an issue with his server.
      • by Homology ( 639438 ) on Saturday August 07, 2004 @02:53AM (#9907421)
        My question to the crowd is, how effective would existing wireless encryption standards be at disabling AirPwn?

        Use IPSec instead of WEP for the wireless network, and AirPwn would not amount to much more than DoS. OpenBSD has IPSec in the base install, and is fairly easy to setup.

        ssh with protocoll 2 is also safe. If you connect to someone impersonating the ssh server, and you try to connect, ssh will give a warning that the keys on the ssh server has changed.

      • by Photo_Nut ( 676334 ) on Saturday August 07, 2004 @06:49AM (#9907877)
        You're at Joe's internet cafe, or in an airport, etc. Suddenly, your internet explorer gets a web page redirect to some random porno movie of 3 guys raping a rather unattractive asian girl, complete with audio... in full screen mode. Since your laptop's audio is on, everyone in the area, including your girlfriend hear, "No don't put it in my pussy. [scream]"... And you're joe blow who doesn't know how to use the keyboard to close the window to save your life.

        Yes, it could happen, particularly, if the geek in the corner is sniffing your WiFi traffic, and singles you out.

        More serious would be something which noted when you wanted a secure site, such as a bank, and proxied to a full-screen web page image complete with security icons that tricked the user into sending you their password in the clear.

        There are malicious 14 year olds with laptops out there that would find this awfully amusing.
    • by Anonymous Coward
      Joe or any other operator of an access point doesn't need AirPwn, since they obviously have physically access to the upstream Internet connection and could intercept packets more efficiently there and inject ads, etc. What's unique about AirPwn is that it enables easier packet injection by those who don't control/own/operate/admin. the access points, but by almost anyone in the neighborhood (or with a sector antenna pointed in your direction).
    • At a Hilton I stayed at last week with both wired and wireless support, the first HTTP connection (per computer or something) is redirected to a hilton.com intro page, although by a simpler, completely different method at the router itself. The general idea has been there, and when used by the network owner, is acceptable.
    • You could bum around the Republican National Convention, and every time an image is requested, replace it with a banner ad for Kerry...

      This idea was shamelessly stolen from here [defcon.org].
  • response of a victim (Score:5, Informative)

    by menscher ( 597856 ) <[menscher+slashdot] [at] [uiuc.edu]> on Saturday August 07, 2004 @02:27AM (#9907344) Homepage Journal
    Ok, so I got hit by this, when attempting to check slashdot during one of the talks. First reaction was to hit the Back button as fast as I could, to get the image off my screen.

    Once the shock wore off, I pointed out the issue to my friends sitting next to me. They spent some time analyzing ethereal output, while I downloaded and ran arpwatch. It's pretty sad to hear that some kiddies were checking browser settings....

    The article claims there was no arp poisoning going on, but actually there was. I saw plenty of that. Which kinda confused us, since there doesn't seem to be much need for that in a wireless environment. You can sniff w/o arping, and you can inject traffic (as they were). But yes, it was definitely happening, though apparently by a different group. (Actually, I detected three different MAC addresses competing for the AP's IP.)

    In hindsight I should have saved some of my packet captures. Might have been fun to look over later.

  • don't use wi-fi for anything that might be even close to important :D
  • by westyvw ( 653833 )
    Wireless was pushed along by a need to get it out. READ COMPANY PROFITS. I have attended lectures where this is described on and on. Little to no attention was paid to security. WEP? Yeah good luck. It is fairly easy to exploit any wireless connection. It just wasnt done right.
    But this is the best part. Become the middle man.
    • It is fairly easy to exploit any wireless connection. It just wasnt done right. But this is the best part. Become the middle man.

      You'll have a hard time exploiting a properly configured IPSec.

      • His point is that 802.11abg was pushed out too quickly. Had they taken the time, then IPSec would have been the default.

        But it's not. So WiFi is open to this kind of shit. What's easier, plugging in an AP? Or setting up a router, plugging in the wifi interface, plugging in ethernet, routing the packets, getting the ipsec stuff working, getting all the clients ipsec clients, etc, etc, etc?

        That's the point.
    • WiFi was never pushed. It became successful because the 802.11b standard was open and available, while other competing technologies were either proprietary, or hadn't made it to market, stuck in endless deliberation. Given the choice between an imperfect, but useful technology, and vaporware, most people went for what worked.

      It's easy to forget now that WiFi was by no means a "sure thing". I was working at a wireless networking company (that's still going strong today) in early 2001 that used 802.11b, a

  • ahh, how clever (Score:1, Interesting)

    by Anonymous Coward
    reminds me of when I was a kid and I'd fuck with people using an incredibly overpowered and possibly illegal FM transmitter

    But I'm a little surprised that this is "new", I thought stuff like this would've been written already a long time ago.
  • Bad News... (Score:2, Interesting)

    by Piranhaa ( 672441 )
    I wonder what this will be for people at home browsing the internet on their wireless computers. There's nothing parents can do to stop their children from seeing images that are being injected like this with Frank next door beaming modified HTTP requests through the neighbourhood. The only way to do that would be a) Disabling *ALL* images displayed on their web browser b) Running wires through the house. I'll be this will be another push for WEP and other forms of wireless encryptions. I wouldn't want my 4
    • Re:Bad News... (Score:5, Interesting)

      by Homology ( 639438 ) on Saturday August 07, 2004 @03:12AM (#9907461)
      You can setup IPSec for your wireless network. Or if that becomes to troublesome to setup, you can use OpenVPN [sourceforge.net] that is easy to configure and has a client for Windows as well.

      After reading a few posts on this thread, I find it peculiar that so many slashdotters don't know that IPSec or related vpn products can be used to secure wireless.

    • Uh...Would your prefer goatse at the top of MSN?, talk about being scarred. I don't think a playboy bunny would have quite that effect.
  • A few questions (Score:4, Interesting)

    by mcrbids ( 148650 ) on Saturday August 07, 2004 @02:48AM (#9907408) Journal
    1) does SSL prevent this attack from working?

    2) What about the data stream that ocmes thru the wire legimately?

    3) What effect does WEP encryption have on the new "sploit"?

    4) What about SSL? Do HTTPS websites remain at all vulnerable to this attack? Nearest I can tell, the answer is "no".

    So, what we have herei is a lame way to spoof packets for unsecuredd onnections. So.... secure your IP already!

    • For one, it explains that the program does not work with 802.11g or WEP yet... All it's doing it detecting an HTTP header and injecting pictures into it. So if SSL puts out an HTTP header, I'm assuming it will work with it.
    • Re:A few questions (Score:2, Informative)

      by thinkfat ( 789883 )

      1) does SSL prevent this attack from working?

      Yes. You cannot hack into a SSL stream by just injecting packets, you'd have to recover the session key first

      2) What about the data stream that ocmes thru the wire legimately?

      If the faked response arrives earlier, the legitmate data gets discarded.

      3) What effect does WEP encryption have on the new "sploit"?

      WEP will prevent the attack, unless it has been hacked itself before

      4) What about SSL? Do HTTPS websites remain at all vulnerable to this attack? N

    • Re:A few questions (Score:3, Interesting)

      by westyvw ( 653833 )
      Nope. Nothing about wireless should be considered secure. WEP doesnt guarantee security, the tools are already out there to crack that (although it takes time).
      Additionally, copied from Jim Geier's article at wi-fi planet.com:

      "You can view the frames sent back and forth between a user's radio NIC and access point during the association process. As a result, you'll learn information about the radio card and access point, such as IP address of both devices, association ID for the radio NIC, and SSID of the n
    • Re:A few questions (Score:3, Insightful)

      by Vellmont ( 569020 )

      1) does SSL prevent this attack from working?

      Yes and no. If you do the packet injection after the SSL session is negotiated, yes (since you'll no longer be able to read the HTTP get or post). If you do the packet injection before the SSL session is negotiated (and setup your own SSL session with your own self-signed certificate), no.

      Someone correct me if I'm wrong, but I believe the way it works is to hijack the TCP connection. If you can do that, you can take over anything (though obviously authenti
      • A rather broad question, no? If your IPv6 connection has AH and ESP enabled, then sure it is immume. As IPsec would be.

        About the self-signed certificate: any self-respecting browser will complain about self-signed certificates (unless already known and told to accept it). Highjacking SSL isn't that easy.


        • About the self-signed certificate: any self-respecting browser will complain about self-signed certificates (unless already known and told to accept it). Highjacking SSL isn't that easy.


          I'm not denying this at all. But the fact remains that people will simply just click OK and not think much about it.
      • >> 1) does SSL prevent this attack from working?
        >
        >If you do the packet injection before the SSL session is negotiated (and setup your own SSL session with your own self-signed certificate), no.


        The whole purpose of certificates in SSL/TLS is to prevent against man-in-the-middle attacks such as this. A self-signed certificate is as good as no certificate at all, and this should not fool any decent SSL application.
      • No. You need the server's cert to authenticate yourself.

        Or at least, you're supposed to. You could self-sign and most people would probably click "accept".
    • 1) usually no, coz you need DNS and most people just click OK anyway in response to bad certs.

      Once you are getting the "wrong" IPs for every DNS request you're pretty screwed.

      This can happen on wired networks too. On april fool's day this year I made the DNS entries of tons of ad sites to be a local webserver. So plenty of banner ads were showing the corporate logo instead of ads.

      You could show locally relevant ads if you want: e.g. a company could have company related ads (meetings etc). Starbucks could
    • Re:A few questions (Score:5, Informative)

      by JSmooth ( 325583 ) on Saturday August 07, 2004 @06:03AM (#9907782)
      To Actually answer your questions.

      1. SSL would effectively block this attack IF the user pays attention to invalid certs. Your browser contains certain CAs it trusts and, unless they had control of your PC which is certainly possible but was not done in this case, the CA they would use would be invalid and generate that pop-up box telling you so. If you ignore that box and click yes you do so at your own peril.

      2. What about it? Once the data is on wifi than it is fair game for any type of manipulation. That is why they have 2 nics. The first nic "hears" your request for content "GET" and then responded much more quickly than the remote web server can with the corrupted "POST". When the correct information finally gets to your PC it is simply ignored as invalid TCP traffic and a RST packet is generated.

      3. WEP would have stopped it in this instant. WEP is breakable but requires a good amount of data to be sent over the wire. Since your average user is not going to send GBs of data over HTTP and the processing power needed to break 100s of connection would be more than a couple of laptops could handle this attack would have been alot less fun. Still possible but would need to be much more dedicated. I run WEP at home, I know it will not stop the determined hacker but the casual war-drive will ignore me in favor of my many neighbors with open APs.

      4. You are correct AS LONG AS you pay attention to the cert's trail. SSL really is two seperate pieces in my mind. 1 - encryption - End - To - End data encryption and 2 - Trust - I know the data I am receiving comes from the correct website. This is done with certificates. Since there is no God of the internet and we have to trust someone initially companies like verisign, etc have working with Microsoft, Mozilla, etc to get their root certs pre-installed in your browser. Anybody can generate a certificate but only companies that have passed the "Idenitifcation Test" with Verisgin or whoever can issue certs that will have the proper path back to a valid root cert. Please note Verisign has been duped before and even given out valid MS certs to non-microsoft organizations.

      You may think it is lame but it is actually a harmless example of things to come. Why is wardriving so popular? Because 90% of the APs do NOT use WEP. If everyone used WEP that would stop casual attacks. Consider two fences. One a 3-ft high fence. This fence is only going to stop people who don't want to go in. The 2nd fence is 10' high with barbed wire. This can still be overcome but will require some dedication. That is the difference between open and WEP. The problem is nobody uses WEP so this attack will work most of the time with ease.

      Regards
  • say, um... somebody, was to use AirPwn, would it be possible to track down who is using it?

    let's just say I go to a school which has wireless internet access : D
  • by ConsumedByTV ( 243497 ) on Saturday August 07, 2004 @05:55AM (#9907769) Homepage
    Hi.

    I wrote the manual page for airpwn.

    All I see in this discussion is either people joking, bitching or having no idea how airpwn works.

    Let's just set things straight.
    First of all, there is no arp posioning.
    Do you disagree? Well it's a GPL app, go read the source, show me the arp posion part of the code. What's that you can't find it? Oh, well jesus, it's because it doesn't do that.

    You can hijack any tcp connection with this, it cannot be blocked without blocking the legit traffic.

    This is accomplished by using raw frame injection.
    One network card listens on a given channel (or in the case of a cisco card, all channels) and the other card simply injects custom frames with perfect replies. If your reply (it's up to you how big it is) is the right size, it's injected so perfectly that the connection not only still works, all of your webpage stuff still works, images just load as whatever the attacker wants.

    It works with ftp, http, aim or whatever.
    You can just have a ball.

    It would be entirely possible to write regex that replied over aim or icq or any of that crap with a raw frame telling the other people in the conversation that they were coming out, it's up to you.

    The software uses a very customizable framework to allow for use of regular expressions for matching. It's really useful for things other than goatse, but at defcon, they deserve the best.

    Anyway, the totally clueless people here that claim to know how it works haven't even compiled it, so don't listen to them.

    If you have any questions, feel free to ask.
  • I'm new to wireless (Score:3, Interesting)

    by Anonymous Writer ( 746272 ) on Saturday August 07, 2004 @06:27AM (#9907833)

    I just got an Airport Express recently and during the setup process it gave me the option of using WEP or WPA, which it said was more secure, so I chose the latter. Why hasn't anyone mentioned WPA in this discussion? I don't really know anything about it other than it is supposed to be a more secure alternative to WEP, yet I've never heard anyone mention it even from the store I bought the Airport Express from.

    Also, is there IPSEC for OS X? It's not mentioned anywhere in the Airport Admin Utility. Is it built-in? I Googled [google.com] for it, and some of the first few links mention vulnerabilities in Mac OS X IPSEC. What's this all about?

    • It was in the Internet Connect application under VPN. Does this mean that it only applies to VPN and I can't use it to secure my internet connection for general web browsing and email through my ISP? I'm thinking this means I can use it only if I was hooked up to a server in a VPN configuration- is that right?
    • by mgv ( 198488 )
      I just got an Airport Express recently and during the setup process it gave me the option of using WEP or WPA, which it said was more secure, so I chose the latter. Why hasn't anyone mentioned WPA in this discussion? I don't really know anything about it other than it is supposed to be a more secure alternative to WEP, yet I've never heard anyone mention it even from the store I bought the Airport Express from.

      I don't think that alot of wireless vendors implement WPA. Apple has chosen to do so for a whil
  • by freelunch ( 258011 ) on Saturday August 07, 2004 @09:12AM (#9908286)
    When using WIFI, I generally always use an SSH port forward to encrypt and tunnel my traffic back to a 'safe' host.

    At home, my AP is connected to a dedicated interface that only allows SSH. You could add port knocking for additional security.

    Sure, SSH port forwards can still be disrupted or messed with. But not like plain HTTP.

    BTW, nice hack!

  • *while i do admire the desire to prove the inadequacies of wireless...
    *while i do recognize that this is a hacker's conference...
    *while i do realize that it's a good thing to do this, to prove that we should use encryption...

    it's just sad. i'm old enough to remember open mail relays, not being abused, so maybe i'm just tired of the continual need to upgrade, secure, and encrypt.

    wireless is cool, no two words about it. i'm sitting on my front porch, enjoying the cool air, waving to the neighbors who are ou
  • Earlier evilscheme.org wouldn't load. Now it comes up just fine. Go figure.

    Here's a mirror [pbp.net] in case it goes *splat* again.

    Have fun!
  • While we're on the subject of wireless attacks and such,

    does anyone know of a WEPcracker dealy that will run on Windows XP or Cygwin?

    I don't have a laptop running *nix, unfortunately, I could always boot to Phlack for this sort of thing but that's not quite what I want to do.

    Help appreciated.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...