802.11 Race Condition Exploitation
This post is about the Race Condition Exploitation method for "hijacking" WiFi clients.
Basically how it works is, the client sends a GET request for whatever. You respond with a 301 redirect to your content.
How you do this is by sniffing the traffic, and when you see a GET you inject a 301 to the client and a FIN or RST to the AP. You essentially pretend to be the access point for a second.
SO far there are several variants out there, including a Metasploit module. It can be found in auxiliary/spoof/wifi/airpwn
The technique was originally demoed by "toast" at DEFCON 12, and used to replace images with shock porn like Goatse or Tubgirl.
Some links of interest...
http://evilscheme.org/defcon/
http://airpwn.sourceforge.net/Airpwn.html
http://sourceforge.net/projects/airpwn/
http://securitysumo.wordpress.com/2008/04/22/running-airpwn/
Aaaaand some video...
So naturally, I wondered. I can inject images and javascript... So what about executables? (you see where I am going...)
Then I found someone else was doing this exact thing with updates. Hijacking them ala airpwn. Their tool is named "IPPON", and is very interesting, albeit buggy as fuck. If you can make it work, please god message me!
Here be their presentation from DEFCON 17, and their code!
http://www.slideshare.net/itzikk/ippondefcon17
http://code.google.com/p/ippon-mitm/
Now on to the best of the bunch (IMO). RCX. Developed by Melchi Salins, it allows you to do *anything*, is written in Python using SCAPY, and generally is fucking BADASS! With it, you can redirect ANYTHING to ANYTHING.
http://rcx.sourceforge.net/rcx.html
Coming Soon... The RCX config file for mass update hijacking!
##
Ok. Comments were asking for how to install AirPwn in Ubuntu 10.04/Back Track 5.
Here is how it is SUGGESTED to do it...
http://www.timashley.me/node/718
Now I found the second part of that (install lorcon + airpwn) did not work for me. So... I did things a bit differently.
Check out this LaunchPad: https://launchpad.net/~nagos/+archive/ppa?field.series_filter=
Now, I simply grabbed the .deb files for Airpwn and Liblorcon from there.
Install Liblorcon FIRST. Then Airpwn.
However, this PPA should work fine also: ppa:nagos/ppa
It just didn't work for me :P
awesome explanation :)
ReplyDeletei was testing this on my bt5 r1, and it showed me some error during the installation. i doubt it's probably because of some python library. Can u help me out to resolve this issue ?
Hey, I updated the post to explain AirPwn installation. While Airpwn is *faster*, RCX offers more options. I had some fun replacing *.exe with http://www.mysite.com/youfool.exe and having the "victim computer" run my simple .exe.
ReplyDeleteAs one can guess, a pentester could target users with http://site.com/malware.exe and exploit autoupdates, etc. Any .exe download can be hijacked, as can any *file* or *site*