If I asked how many of you have ever used a public hotspot, whether at the airport, a coffee shop, a store, or anywhere else, the vast majority of you would probably answer yes. Of course, we all know how unsafe these public wireless networks can be; so we know better than to read our email, enter our passwords, or give out any sensitive information. However, many people (even the most informed) still believe that casual surfing of the net on a public network is perfectly fine. Usually, they would respond with:
“If I’m not looking at something private, who cares if someone’s watching?”
The reality is that packet sniffing is no longer the only threat to public network users, packing injection tools like airpwn can make even casual browsing incredibly dangerous.
In this article, I will show you how airpwn can generate spoofed packets containing XSS payloads and what you could potentially do with them. Hopefully, this article will give you some insight on the huge dangers of using unencrypted public hotspots and will convince you to try and avoid them.
I wrote this article purely as an education illustration of what airpwn can do to users of an unencrypted public wireless network. Neither I, nor HackThisSite, shall be held responsible for any damages you cause based on the information in this article.
How Airpwn Works
Airpwn is a packet injection tool that monitors 802.11a/b/g networks and scans for outgoing request packets from a victim’s computer. It uses a regex-based configurable filtering engine to find ‘matching’ request packets. Once it locates ‘matching’ request packets, airpwn can inject spoofed reply packets back to the victim’s computer carrying the correct IP address and MAC address of the requested resource as well as any specified payload. Since the attacker’s spoofed packets arrive faster than the packets from the requested resource (airpwn can respond in less than 1ms, average internet latency is about 50ms), the victim’s computer will accept the injected packets and treat them as valid. When the real packets from the requested resource finally arrive, they will either by dropped (if the requested packet is shorter than the spoofed) or appended to the spoofed packets (if the requested packet is longer than the spoofed).
Backtrack 2 is an excellent Slackware LiveCD that comes bundled with a variety of useful tools and software for security and penetration testing. Airpwn, the packet injection tool we will be using, is included on this LiveCD. You can get Backtrack 2 from http://www.remote-exploit.com. Once you have downloaded it, burn the Backtrack 2 image to a CD and boot from it. Depending on your computer, you may have to change your boot order. Once the LiveCD boots, you can use the username root and the password toor to login.
1. Go to the root directory of the airpwn program. On Backtrack 2, you can do this by running the command: cd /pentest/wireless/airpwn-*
2. Go the configuration directory by running: cd conf
3. Start up your favourite text editor (I prefer nano) and create a new file named xss_attack. In this file, type:
ignore ^GET [^ ?]+.(jpg|jpeg|gif|png|tiff|tif)
This is the configuration we will specify for airpwn’s internal filtering engine. The second line is a regular expression for the packets that will be accepted by airpwn. The third line is another regular expression for the packets that will be ignored by airpwn. The last line specifies the content file that will be injected into each spoofed packet.
4. Go back to the root directory of the airpwn program by running: cd ..
5. Go to the content folder by running: cd content
6. Start up your favourite text editor again and create another new file named xss_content. In this file, type:
HTTP/1.1 200 OK
7. Go back to the root directory of the airpwn program by running: cd ..
8. Run: ./madwifing_prep.sh to set up your 802.11a/b/g wireless network card.
9. Find the name of your wireless interface by running: iwconfig
10. Set the channel of your wireless card to the channel of the target wireless network. For example, if my wireless interface was ath0 and the channel of my target wireless network was 13, I would run: iwconfig ath0 channel 13
11. Enable your wireless interface by running: ifconfig ath0 up
12. Finally, start up airpwn by running: airpwn –c conf/xss_attack –i ath0 –d madwifi –vvv
The –c flag specifies the configuration file, the –i flag specifies the wireless interface, the –d flag specifies the driver (which should be madwifi if you used the madwifing_prep shell script), and the –vvv flag specifies verbosity.
Once you can successfully inject arbitrary content to your target wireless networks, your capabilities become endless. You could insert invisible/visible IFRAMEs, cookie stealing code, history scanners, or ANY other XSS code you wish.
“With airpwn, you *are* the network…You are every web server out there” – Source: Airpwn Readme
Preventing These Attacks
The only real way to prevent against this type of attacks is to avoid unencrypted public wireless networks! If you absolutely must use a public network, ensure that ALL HTTP traffic goes over an encrypted tunnel (e.g. VPN, encrypted proxies).
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 27 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.