
Airpwn: Owning the Airwaves

There is no shortage of wireless exploits: cracking WEP and WPA, man in the middle attacks, rogue access points, etc. In this article Seth Fogie deals with a method that is not widely discussed: data traffic injection.
Editor's Note: This article originally appeared in the Wireless Security section of the Informit Security Reference Guide.
Wireless networking has experienced many black eyes in the recent past due to the various ways it can be exploited and abused by people with malicious intent. Most people are familiar with the ever-popular attack against WEP that can extract a key from the air in less than five minutes. There are also attacks against WPA that can crack a passphrase with only four bytes of data, man in the middle attacks that give an attacker full access to SSL encrypted traffic, and rogue access points that can trick a victim into connecting to an attacker's network. While these various vectors of owning a victim are dangerous and need to be protected against and understood, this section will deal with a method that is not widely discussed: data traffic injection.

In an open wireless network, all requests to the internet made from your computer are passed as plain text over the airwaves. Most wireless users are aware of this and often avoid using POP based email, ftp/telnet programs, and the like. Since all the information being passed over the network is in plain text, anyone with a sniffer can easily capture and view the data. This includes your emails, account information, chat sessions, etc. However, this simple fact does not stop people from surfing their favorite online sites, such as informit.com, to read up on the latest news or do some innocent research.

The ability to sniff and record wireless traffic is so well-known that programs have been created that do nothing but monitor for specific types of data. For example, one such program known as driftnet will capture all jpeg and mpeg traffic that is traversing the airwaves and spit the images out into a display window. Another program called dsniff will monitor a wireless network for password information. Cain & Abel takes this one step further and actually can capture and record VoIP sessions. There is even a program that will monitor traffic for web page requests, then take the IP information and load the same webpage up on the attacker's computer (i.e. webspy). However, all of these types of 'attacks' are passive non-invasive methods of information gathering. At no time does the program or attacker attempt to alter or control the data being processed by the victim...at least until airpwn came along.

Web Request Details

When a person loads up their favorite web browser and views a web page, their computer does a lot behind the scenes to download and display the page in the browser. The following is the general outline of what happens when http://www.google.com is requested:

  1. http://www.google.com is requested.
  2. A DNS server is queried for the IP address at which http://www.google.com can be found.
  3. A GET request is constructed and sent to Google's IP address from a specific port.
  4. The computer leaves the port open and waits for the results.
  5. Google gets the request, processes it, and returns the results to the specific port.
  6. The computer receives the results.
  7. The browser processes the HTML results and determines what other files are needed from google.com (image, css, javascript, etc.).
  8. The computer requests the necessary files via the specific port.
  9. The files are sent from their hosts to the specific port on the computer.
  10. The page load completes and the specific port is closed.

From this shortened overview of how a page is loaded, you can see that the requesting computer sends the request and waits for the results all from a specific port. When the web page and all associated files are downloaded, the port is closed. In other words, the port is only open for a short period of time and should only be communicating with a specific server. But what if an attacker could inject false results into the port before the valid server had a chance to respond? Well, in a wireless network this is not only possible, but trivial.

First, let's take a close look at what happens behind the scenes via Ethereal:

  1. The request is made, a DNS query is performed, and an IP address is obtained (figure 1)
    Figure 1: Google DNS request

  2. A /GET request is made to 66.233.161.99 from port 1594
    GET / HTTP/1.1
    Host: http://www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
  3. The results are passed back to port 1594 from 66.233.161.99
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html
    Content-Encoding: gzip
    Server: GWS/2.1
    Content-Length: 1314
    Date: Sat, 24 Sep 2005 17:55:09 GMT
  4. A new /GET request is made to download the Google image from port 1594
    Host: http://www.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
    Accept: image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.com/
  5. The results are passed back to port 1594 from 66.233.161.99
    HTTP/1.1 200 OK
    Content-Type: image/gif
    Last-Modified: Mon, 25 Apr 2005 21:06:18 GMT
    Expires: Sun, 17 Jan 2038 19:14:07 GMT
    Server: GWS/2.1
    Content-Length: 8558
    Date: Sat, 24 Sep 2005 17:55:09 GMT
  6. The connection is closed

Airpwn'age

In an unencrypted wireless network, all the /GET requests are made in plaintext and are as easy to read in a sniffer as they are on this page. In addition, due to simple physics, it takes Google's servers several milliseconds or longer to reply with the requested information. Unfortunately, for the victim, a local attacker is probably only a few feet away and they can respond in a more expedient manner, thus leaving the doors wide open for abuse.

In fact, this is exactly how airpwn works. In short, it monitors the local airwaves for specific types of traffic, and if that traffic matches a preconfigured filter, it causes the attacker's computer to send a packet of data to the open port on the victim's computer, which is then processed by the browser and displayed to the user.
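To show the race from the defender's side, here is an added example (not from the article or from airpwn) of how a passive wireless monitor could flag an injected reply. The trace, the client address and the TTL values are constructed; only the server address 66.233.161.99 comes from the article's capture.

```python
from collections import namedtuple

# Constructed TCP segment records, the fields a passive wireless monitor can
# read from every frame on an open network.
Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")

CLIENT = "192.168.1.23"        # constructed victim address
SERVER = "66.233.161.99"       # server address from the article's capture

# Constructed trace. Flow 1594: the client asks for /, a spoofed reply arrives
# first from the nearby injector (few hops, so a high TTL), then the genuine
# reply arrives from the real server with the SAME sequence number but
# different bytes. Flow 1595: a normal reply followed by an honest retransmit.
TRACE = [
    Segment(CLIENT, 1594, SERVER, 80, 1000, 128,
            b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 1594, 5000, 64,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>injected</html>"),
    Segment(SERVER, 80, CLIENT, 1594, 5000, 51,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"),
    Segment(CLIENT, 1595, SERVER, 80, 2000, 128,
            b"GET /logo.gif HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 1595, 7000, 51,
            b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a"),
    Segment(SERVER, 80, CLIENT, 1595, 7000, 51,
            b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a"),
]


def detect_injection(segments, server_port=80):
    """Flag server->client segments that conflict with an earlier segment
    carrying the same sequence number.

    airpwn races the real server but cannot suppress it, so the genuine reply
    still crosses the air a moment later: same flow, same seq, different
    payload (and normally a different IP TTL, having come a different way).
    The victim's TCP stack silently drops that late segment as a duplicate,
    which is exactly why a passive monitor, not the browser, must catch it.
    """
    first_seen = {}
    alerts = []
    for s in segments:
        if s.sport != server_port:
            continue                      # only responses are spoofed here
        key = (s.src, s.sport, s.dst, s.dport, s.seq)
        earlier = first_seen.setdefault(key, s)
        if earlier is s:
            continue                      # first segment seen at this seq
        if earlier.payload != s.payload:
            alerts.append({"flow": key, "reason": "conflicting data at same seq",
                           "first_ttl": earlier.ttl, "later_ttl": s.ttl,
                           "first_bytes": earlier.payload[:64]})
        elif earlier.ttl != s.ttl:
            alerts.append({"flow": key, "reason": "ttl changed on duplicate",
                           "first_ttl": earlier.ttl, "later_ttl": s.ttl,
                           "first_bytes": earlier.payload[:64]})
    return alerts


if __name__ == "__main__":
    for a in detect_injection(TRACE):
        print(a["reason"], a["flow"], a["first_ttl"], "->", a["later_ttl"])
```

The identical retransmit on flow 1595 produces no alert; only the conflicting pair on flow 1594 does.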

For example, the following filter searches each packet for GET/POST requests that are not requests for image files (jpg, jpeg, gif, png, tif, tiff), and if a packet matches, responds with the data contained in content/airpwn_html.

    begin airpwn_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/airpwn_html

Based on the above filter, you can probably guess that airpwn can also monitor for image files and inject suitable replacements back into the network for the victim's pleasure. However, it doesn't end here. Airpwn can also monitor for JavaScript, FTP banners, and CSS files. In addition, since the filters are customizable, the attacker can easily target a specific page or file for replacement.
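As an added example that is not part of the article or of the airpwn project, here is a small parser for this conf syntax that evaluates the filter above against constructed request lines, so someone auditing a filter can see which requests it would fire on, including ones the ignore line does not catch. Python's re standing in for airpwn's own regex engine is an assumption.

```python
import re

# Constructed copy of the filter block shown in the article (airpwn conf
# syntax: begin <name>, match <regex>, ignore <regex>, response <file>).
AIRPWN_HTML_CONF = r"""
begin airpwn_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/airpwn_html
"""

# Constructed request lines, as a sniffer on an open network would see them.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /intl/en/images/logo.gif HTTP/1.1",
    "GET /photo.png?size=large HTTP/1.1",
    "GET /gallery.php?img=beach.jpg HTTP/1.1",
    "POST /upload.jpg HTTP/1.1",
    "HEAD / HTTP/1.1",
]


def parse_conf(text):
    """Parse airpwn-style conf text into a list of rule dicts.

    'begin' opens a rule; 'match', 'ignore' and 'response' attach to the most
    recent rule. Patterns are compiled as written with Python's re (assumption).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "begin":
            rules.append({"name": value, "match": [], "ignore": [], "response": None})
        elif not rules:
            raise ValueError(f"'{key}' before any 'begin'")
        elif key in ("match", "ignore"):
            rules[-1][key].append(re.compile(value))
        elif key == "response":
            rules[-1]["response"] = value
        else:
            raise ValueError(f"unknown directive: {key}")
    return rules


def responding_rule(rules, payload):
    """Name of the first rule that fires on this payload, or None.

    A rule fires when some 'match' pattern hits and no 'ignore' pattern hits;
    note that a query string naming an image (?img=beach.jpg) and a POST to a
    .jpg URL both slip past the ignore line, which only anchors on 'GET <path>.'
    """
    for rule in rules:
        if not any(m.search(payload) for m in rule["match"]):
            continue
        if any(i.search(payload) for i in rule["ignore"]):
            continue
        return rule["name"]
    return None


def classify(conf_text, requests):
    """Map each request line to the name of the rule that would respond, or None."""
    rules = parse_conf(conf_text)
    return {req: responding_rule(rules, req) for req in requests}
```

Calling classify(AIRPWN_HTML_CONF, SAMPLE_REQUESTS) shows the plain page request, the query-string request and the POST all matched, while the two direct image requests and the HEAD are left alone.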

Using airpwn

In order to use this program, you will need a Linux-based laptop with airpwn installed, two wireless network cards, hostap drivers, and a target network. The easiest way to get airpwn up and running is to download the latest Auditor LiveCD from Remote Exploit (http://public.www.planetmirror.com/pub/auditor/). This CD contains all the files you will need to get airpwn running in under 5 minutes. Simply insert two compatible network cards into your favorite laptop, insert and boot the Auditor CD (make sure the BIOS is configured to boot from the CD-ROM), then set up the cards/system as follows:

eth0 (we used a Linksys WPC11):

  1. iwpriv eth0 monitor 2 <channel of existing network> - sets this card into monitor mode

wlan0 (we used a Senao 2511CD Plus EXT2):

  2. iwpriv wlan0 hostapd 1 - sets this card into access point mode
  3. iwconfig wlan0 mode master channel <channel number of existing network> essid home - sets the card into master mode on the designated channel
  4. ifconfig wlan0ap up - turns the card on
  5. cd /usr/share/doc/airpwn
  6. airpwn -i eth0 -o wlan0 -c conf/greet_html (-i = in card, -o = out card, -c = config file)

With that done, connect another computer to the wireless network and open a web page. You should see a flashing banner across the top of the page. To adjust the message or change the filter, point the -c option at an alternate file, or adjust the contents of the file in the 'content' folder. The following is an example of the fun you can have with a program like airpwn.

Figure 2: Airpwn'ing Informit.com

The Dangers

Obviously, this program can be a lot of fun. However, it can also give an attacker a dangerous tool that could be used to help them own your computer or steal your information. Just imagine what an attacker could do if they inserted a JavaScript program into your browser without your knowledge. For example, what if you went to Paypal.com on an open wireless network and someone injected JavaScript code to redirect you to an alternate site they controlled? Or how about redirecting you to Hotmail.com and stealing your cookies as the page reloads? The options are endless and quite dangerous.

Unfortunately, the only way to avoid this type of attack is to never use an open wireless network. If you must use an open hotspot, tunnel all web traffic via a VPN or SSH tunnel. This will encrypt your web traffic and ensure no one can see or alter it before it loads up in your browser.

Summary

Airpwn is a great example of why open wireless networks and hotspots are very dangerous. It is trivial for an attacker to control and alter what you see in your browser. Not only this, but it is not hard to imagine someone adding a little extra code to airpwn to give it the ability to mess with email, chat, etc. The next time you decide to connect to an unprotected wireless network, take a moment and consider who really owns the airwaves.
