Airpwn: Owning the Airwaves
Wireless networking has experienced many black eyes in the recent past due to the various ways it can be exploited and abused by people with malicious intent. Most people are familiar with the ever-popular attack against WEP that can extract a key from the air in less than five minutes. There are also attacks against WPA that can crack a passphrase with only four bytes of data, man-in-the-middle attacks that give an attacker full access to SSL-encrypted traffic, and rogue access points that can trick a victim into connecting to an attacker's network. While these various vectors of owning a victim are dangerous and need to be protected against and understood, this section will deal with a method that is not widely discussed: data traffic injection.
In an open wireless network, all requests to the internet made from your computer are passed as plain text over the airwaves. Most wireless users are aware of this and often avoid using POP-based email, ftp/telnet programs, and the like. Since all the information being passed over the network is in plain text, anyone with a sniffer can easily capture and view the data. This includes your emails, account information, chat sessions, etc. However, this simple fact does not stop people from surfing their favorite online sites, such as informit.com, to read up on the latest news or do some innocent research.
The ability to sniff and record wireless traffic is so well-known that programs have been created that do nothing but monitor for specific types of data. For example, one such program known as driftnet will capture all jpeg and mpeg traffic that is traversing the airwaves and spit the images out into a display window. Another program called dsniff will monitor a wireless network for password information. Cain & Abel takes this one step further and can actually capture and record VoIP sessions. There is even a program (webspy) that will monitor traffic for web page requests, then take the IP information and load the same web page up on the attacker's computer. However, all of these types of 'attacks' are passive, non-invasive methods of information gathering. At no time does the program or attacker attempt to alter or control the data being processed by the victim...at least until airpwn came along.
Web Request Details
When a person loads up their favorite web browser and views a web page, their computer does a lot behind the scenes to download and display the page in the browser. The following is the general outline of what happens when http://www.google.com is requested:
- http://www.google.com is requested.
- A DNS server is queried for the IP address at which http://www.google.com can be found.
- A GET request is constructed and sent to Google's IP address from a specific port.
- The computer leaves the port open and waits for the results.
- Google gets the request, processes it, and returns the results to the specific port.
- The computer receives the results.
- The browser processes the HTML results and determines what other files are needed from google.com (image, css, javascript, etc.).
- The computer requests the necessary files via the specific port.
- The files are sent from their hosts to the specific port on the computer.
- The page load completes and the specific port is closed.
From this shortened overview of how a page is loaded, you can see that the requesting computer sends the request and waits for the results all from a specific port. When the web page and all associated files are downloaded, the port is closed. In other words, the port is only open for a short period of time and should only be communicating with a specific server. But what if an attacker could inject false results into the port before the valid server had a chance to respond? Well, in a wireless network this is not only possible, but trivial.
First, let's take a close look at what happens behind the scenes via Ethereal:
- The request is made, a DNS query is performed, and an IP address is obtained (figure 1)
Figure 1: DNS Request
- A GET request is made to 66.233.161.99 from port 1594
    GET / HTTP/1.1
    Host: http://www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
- The results are passed back to port 1594 from 66.233.161.99
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html
    Content-Encoding: gzip
    Server: GWS/2.1
    Content-Length: 1314
    Date: Sat, 24 Sep 2005 17:55:09 GMT
- A new GET request is made to download the Google image from port 1594
    Host: http://www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
    Accept: image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.com/
- The results are passed back to port 1594 from 66.233.161.99
    HTTP/1.1 200 OK
    Content-Type: image/gif
    Last-Modified: Mon, 25 Apr 2005 21:06:18 GMT
    Expires: Sun, 17 Jan 2038 19:14:07 GMT
    Server: GWS/2.1
    Content-Length: 8558
    Date: Sat, 24 Sep 2005 17:55:09 GMT
- The connection is closed
Airpwn'age
In an unencrypted wireless network, all the GET requests are made in plaintext and are as easy to read in a sniffer as they are on this page. In addition, due to simple physics, it takes Google's servers several milliseconds or longer to reply with the requested information. Unfortunately for the victim, a local attacker is probably only a few feet away and can respond more quickly, thus leaving the doors wide open for abuse.
In fact, this is exactly how airpwn works. In short, it monitors the local airwaves for specific types of traffic, and if that traffic meets a preconfigured filter, it will cause the attacker's computer to send a packet of data to the open port on the victim's computer, which is then processed by the browser and displayed to the user.
For example, the following filter will search each packet for all GET/POST requests that do not include jpg/gif/tiff images, and if matched, will respond with the data contained in airpwn_html.
    begin airpwn_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/airpwn_html
Based on the above filter, you can probably guess that airpwn can also monitor for image files and inject suitable replacements back into the network for the victim's pleasure. However, it doesn't end here. Airpwn can also monitor for javascript, FTP banners, and CSS's. In addition, since the filters are customizable, the attacker can easily target a specific page or file for replacement.
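To see how much of an ordinary browsing session the filter above covers, the following added example (not code from the original article or from airpwn) parses the four directives and evaluates them against request payloads. It assumes `ignore` overrides `match`, as the description above implies, and uses Python's `re` module as a stand-in for airpwn's own regex engine; the function names and sample paths are made up for the illustration.

```python
import re

# The filter from the article, one directive per line.
CONFIG = r"""
begin airpwn_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/airpwn_html
"""


def parse_config(text):
    """Parse begin/match/ignore/response directives into a list of rules."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition(" ")
        if key == "begin":
            rules.append({"name": value})
        elif key in ("match", "ignore"):
            rules[-1][key] = re.compile(value.encode())
        elif key == "response":
            rules[-1]["response"] = value
        else:
            raise ValueError(f"unknown directive: {line!r}")
    return rules


def rule_for(rules, payload):
    """Name of the first rule that matches and is not ignored, else None."""
    for rule in rules:
        match, ignore = rule.get("match"), rule.get("ignore")
        if match and match.search(payload) and not (ignore and ignore.search(payload)):
            return rule["name"]
    return None


# Constructed request payloads (paths are made up for the example).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.1\r\n\r\n",
    b"GET /view.php?file=cat.jpg HTTP/1.1\r\n\r\n",
    b"POST /upload.jpg HTTP/1.1\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n\r\n",
]

if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for s in SAMPLES:
        print(s.split(b"\r\n")[0].decode(), "->", rule_for(rules, s))
```

Only the plain image GET is skipped: the page request, the script that merely names an image in its query string, and the POST all fall inside the filter, which is why any cleartext HTTP request on an open network should be treated as exposed.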
Using airpwn
In order to use this program, you will need to have a Linux-based laptop with airpwn installed, two wireless network cards, hostap drivers, and a target network. The easiest way to get airpwn up and running is to download the latest Auditor LiveCD from Remote Exploit (http://public.www.planetmirror.com/pub/auditor/). This CD contains all the files you will need to get airpwn up and running in under 5 minutes, if not less. Simply insert two compatible network cards into your favorite laptop, insert and boot up the Auditor CD (make sure the BIOS is configured to boot from the CD-ROM), then set up the cards/system as follows:
eth0 (we used a Linksys WPC11):
- iwpriv eth0 monitor 2 <channel of existing network> - sets this card into monitor mode
wlan0 (we used a Senao 2511CD Plus EXT2):
- iwpriv wlan0 hostapd 1 – sets this card into access point mode
- iwconfig wlan0 mode master channel <channel number of existing network> essid home – sets the card into master mode on designated channel
- ifconfig wlan0ap up – turns card on
- cd /usr/share/doc/airpwn
- airpwn -i eth0 -o wlan0 -c conf/greet_html (-i = in card, -o = out card, -c = config file)
With that done, connect another computer to the wireless network and open up a web page. You should see a flashing banner across the top of the web page. To adjust the message or change the filter, simply change the -c option to an alternate file, or adjust the contents of the file in the 'content' folder. The following is an example of the fun you can have with a program like airpwn.
Figure 2: Airpwn'ing Informit.com
The Dangers
Obviously, this program can be a lot of fun. However, it can also give an attacker a dangerous tool that could be used to help them own your computer or steal your information. Just imagine what an attacker could do if they inserted a JavaScript program into your browser without your knowledge. For example, what if you went to Paypal.com on an open wireless network and someone injected some JavaScript code to redirect you to an alternate site they controlled? Or how about redirecting you to Hotmail.com and stealing your cookies as the page reloads? The options are endless and quite dangerous.
Unfortunately, the only way to avoid this type of attack is to never use an open wireless network. If you must use an open hotspot, tunnel all web traffic via a VPN or SSH tunnel. This will encrypt your web traffic and ensure no one can see or alter it before it loads up in your browser.
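Because the injected reply only wins by arriving before the genuine one, a capture taken near the victim still contains both: two segments that claim the same TCP sequence range but carry different bytes. The following added example (not part of the original article or of airpwn) flags that signature in a list of already-decoded segments; the `Segment` type, the function name, the client IP, the sequence numbers and the payloads are all constructed for the illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Segment(NamedTuple):
    src: str        # sender as "ip:port"
    dst: str        # receiver as "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def find_conflicts(segments):
    """Return [(flow, seq)] for each segment whose bytes disagree with data
    already seen at the same sequence positions of the same flow."""
    seen = defaultdict(dict)            # flow -> {sequence position: byte}
    conflicts = []
    for seg in segments:
        flow = (seg.src, seg.dst)
        stream = seen[flow]
        first_bad = None
        for i, byte in enumerate(seg.payload):
            pos = (seg.seq + i) % 2**32          # sequence numbers wrap
            if first_bad is None and stream.get(pos, byte) != byte:
                first_bad = pos
            stream.setdefault(pos, byte)         # keep the first arrival
        if first_bad is not None:
            conflicts.append((flow, first_bad))
    return conflicts


# Constructed capture, in arrival order. The server address and client port
# are the ones in the article's trace; everything else is made up.
SERVER, CLIENT = "66.233.161.99:80", "192.168.1.50:1594"
SAMPLE = [
    # first arrival: a reply carrying the server's address, from a nearby host
    Segment(SERVER, CLIENT, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 21\r\n\r\n<h1>Hello there</h1>\n"),
    # the genuine reply arrives later for the same sequence range
    Segment(SERVER, CLIENT, 1000, b"HTTP/1.1 200 OK\r\nCache-Control: private\r\n"),
    # an ordinary retransmission: same range, same bytes, must not alert
    Segment(CLIENT, SERVER, 500, b"GET / HTTP/1.1\r\n"),
    Segment(CLIENT, SERVER, 500, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow, seq in find_conflicts(SAMPLE):
        print(f"conflicting data on {flow[0]} -> {flow[1]} at seq {seq}")
```

The identical retransmission is not reported; only the server-to-client flow is, at the first byte where the two replies diverge.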
Summary
Airpwn is a great example of why open wireless networks and hotspots are very dangerous. It is trivial for an attacker to control and alter what you see in your browser. Not only this, but it is not hard to imagine someone adding a little extra code to airpwn to give it the ability to mess with email, chat, etc. The next time you decide to connect to an unprotected wireless network, take a moment and consider who really owns the airwaves.