Airpwn

Airpwn is a tool near and dear to my heart because I wrote the program. It started as a competition between me and a coworker to build a wireless data-injection tool the week before Defcon. His solution used a man-in-the-middle attack, while my tool injects wireless frames into the air in an attempt to beat the legitimate access point, sort of a man-on-the-side attack. We had fun playing harmless pranks on the Defcon wireless network using my tool, and enough onlookers wanted to play with it that I released the code publicly as Airpwn (http://sf.net/projects/airpwn/).

Airpwn works by sniffing one or more wireless networks, looking for user-supplied patterns of data sent from a client (laptop, PDA, and so on) to the access point (AP). If a pattern is detected, Airpwn injects a packet back to the client with user-supplied data that appears to come from the AP. Since Airpwn is almost guaranteed to deliver its packet before the AP can (the AP is usually proxying the request off to some far-away server), the client accepts Airpwn's packet and discards the AP's, allowing Airpwn to control the server side of the communication.
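The race described above leaves a trace a monitor can look for: the client ends up receiving two responses for the same position in the stream, the injected one and the legitimate one it then discards. The following detector is an added example written from the defender's side; it is not part of Airpwn or any other project on this page. It assumes the traffic is plain TCP (HTTP, as the proxied-request description implies) and that a capture point sees both copies; the `Segment` record, its field names, and the sample segments are constructed for the example. Genuine TCP retransmissions repeat the same bytes, so only a *different* payload at an already-seen sequence number is reported.

```python
"""Flag two different payloads at the same TCP sequence number on one flow.

Added, defender-side example; it is not Airpwn code. Assumptions: unencrypted
TCP, a capture point that sees both the injected and the legitimate reply,
and the simplified Segment record below (field names are constructed).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment; only the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes
    ttl: int  # kept as supporting evidence only, not used for the decision


def flow_key(seg: Segment) -> tuple:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_seq_conflicts(segments):
    """Return (first_seen, conflicting) pairs.

    A conflict is a data-bearing segment whose flow and sequence number were
    already seen with a different payload. Identical payloads at the same
    sequence number are ordinary retransmissions and are ignored.
    """
    # flow -> seq -> {payload: segment that first carried it}
    seen = defaultdict(lambda: defaultdict(dict))
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry nothing to compare
        bucket = seen[flow_key(seg)][seg.seq]
        if seg.payload in bucket:
            continue  # retransmission of bytes we already have
        if bucket:
            first = next(iter(bucket.values()))
            alerts.append((first, seg))
        bucket[seg.payload] = seg
    return alerts


def describe(alert) -> str:
    first, second = alert
    return (f"seq conflict on {first.src}:{first.sport}->{first.dst}:{first.dport} "
            f"seq={first.seq} ttl {first.ttl} vs {second.ttl}: "
            f"{first.payload[:24]!r} != {second.payload[:24]!r}")


# Constructed sample: a request, an early reply that wins the race, the
# server's real reply arriving later at the same seq, then a retransmission
# of the real reply (which must not raise a second alert).
SAMPLE = [
    Segment("10.0.0.5", 52311, "203.0.113.10", 80, 1000,
            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 64),
    Segment("203.0.113.10", 80, "10.0.0.5", 52311, 5000,
            b"HTTP/1.1 200 OK\r\n\r\n<html>early reply</html>", 64),
    Segment("203.0.113.10", 80, "10.0.0.5", 52311, 5000,
            b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>", 52),
    Segment("203.0.113.10", 80, "10.0.0.5", 52311, 5000,
            b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>", 52),
]

if __name__ == "__main__":
    for alert in find_seq_conflicts(SAMPLE):
        print(describe(alert))
```

In practice the segments would be fed from a capture library rather than a list; the point of the check is that the conflicting response, not the first-arriving one, is usually the legitimate server's, so the record of which payload arrived first is worth keeping in the alert.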

By allowing the user to match arbitrary patterns and reply with arbitrary content, Airpwn can perform a variety of tricks, including some pretty dangerous attacks. The possibilities are virtually limitless, but here are some examples of simple things you can do with Airpwn:

Because Airpwn allows you to inject whatever content you want, the possibilities are pretty much limited only by your imagination. The only traffic that is safe from Airpwn is on a connection protected with some form of encryption.