airpwn - bringing goatse (and friends) to Defcon 12!

**WARNING** In case you can't figure it out, HERE THERE BE GOATSES!!

Images from Dave's camera
Movies from Dave's camera
Images from my phone

At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to say, wiping your hard-drive)

Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

How does it work?

airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:

    begin goatse_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/goatse_html

and here is the content that we return when the match is triggered:

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html

    <html><head><title>pwned</title></head><body><h1>OPEN YOUR MIND -- TO
    THE ANUS!!</h1><img src='http://goat.cx/hello.jpg' width='100%' height='100%'>

Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.

In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenege.. Once we did find a victim, the results were pretty hillarious.. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:

Open browser, see goatse, jump backwards a little
quickly close browser, take a breath
open browser, see goatse, close browser (faster this time)
scratch head, quit browser process, re-launch browser
see page indicating that goatse will load soon (page header, etc.) immediately close browser.
open up browser preferences, click all the tabs, look for the "no goatse" checkbox
clear the browser cache
open browser, see goatse, close browser
open network preferences, click on all the tabs, look for the "no goatse" checkbox.
disconnect from network, re-associate
open browser, see goatse, close browser

At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The more l33t victims would launch ethereal and try to figure out what was going on.. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or DNS poisoning (WRONG!) and do something else..

After a few hours, it quickly became apparent that the image replacement mode was the only mode that would sustainable for long periods of time. The full-screen goatse amounted to a complete DoS of HTTP, which was just plain rude. The javascript injection (with dialog boxes talking about the victim being pwned) was by far the most distruptive. Most people (quite sanely) immediately turned off their laptops or whipped out ethereal in full COUNTERHACK mode. The goatse image mode was disruptive enough to be fully fucking hillarious, yet still left HTTP enough alone to be usable. I guess image-maps were the only things we truly broke with that mode (hint: click the anus!)

Overall, airpwn was just about the only reason why defcon was amusing this year.. Without airpwn I think I would have been mostly asleep and would have just IRCed the entire time.. If you want to play with airpwn yourself, an early alpha has been posted to sourceforge..