Airpwn Documentation
Supported Cards
 
In theory airpwn supports any cards supported by the LORCON framework.  This list as of 5/27/09 is: wlan-ng, hostap, airjack, prism54, madwifing, madwifiold, r8180, r8187, rt2500, rt2570, rt61, rt73, zd1211rw-softmac, bcm43xx and mac80211 (including acx-mac80211, ath5k, ath9k, b43, b43legacy, iwl3945, iwlagn, p54, rt2x00, rtl8180, rtl8187 and zd1211rw-mac80211).
 
Airpwn has been tested successfully with an Atheros (AR5xxx) card (standard on IBM thinkpads) using the madwifi driver, an RTL8187L using r8187 & rtl8187, and a ZD1211B using zd1211rw (mac80211 version).  If you have success using other cards/drivers please let me know and I’ll update this page.
 
How Airpwn Works
 
Airpwn works by spoofing 802.11 packets to look as if they came from a legitimate access point (AP).  When you use a traditional 802.11 network, you are communicating all your data to the AP, and all responses come from the AP.  One drawback of wireless networks is that all the data you send to the AP is in fact broadcast to every other computer in your general area. By eavesdropping on the data you send to the AP and spoofing a response from the AP, airpwn can appear to be whatever computer you are communicating with.  (This is similar, but not identical to a classic man-in-the-middle attack.)
 
Here’s an example:  Say you type “google.com” into your web browser using a wireless network.  Your browser sends a series of packets to the AP in order to setup a TCP connection, then sends an HTTP request packet to the google IP (via the AP) on port 80 that looks something like this:
 
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
 
Under normal circumstances, the google webserver processes this request and returns an HTTP response with HTML content, such as:
 
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Content-Length: 1462
Date: Wed, 05 Jul 2006 22:03:19 GMT
<html>
<head><title>Google</title></head>
...
 
If airpwn were running and configured to respond to simple HTTP requests, airpwn would spoof a response from google (via the AP) and send is to your wireless client.  Most operating systems will accept the first packet they see as valid (after all, they’re trying to get the data to you ASAP), so as long as airpwn delivers the spoofed packet before google does, you will see airpwn’s data instead of google’s.  For example, airpwn might inject:
 
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 500
<html>
<head><title>You Have Been Airpwned</title></head>
...
 
In practice, beating google’s packet (or any site for that matter) is easy.  Average internet latencies easily extend into the tens of milliseconds, while airpwn, being local, can respond within a few microseconds.  By the time the google packet(s) arrive, the airpwn packet has likely been accepted and processed, and the duplicate data from google is silently ignored.
 
If the legitimate site sends more data than airpwn (which tends to be a common scenario) the remainder of the legitimate content may be appended to the end of the injected data.  (This can be controlled by using the reset option, or by using protocol hints like HTTP’s Content-length.)  Another trick is to end your injected content with some markup (in the case of HTML) that will hide the remainder of the content.  For example, ending your injected data with the following tends to work well:
 
This is some injected content.

<div style=”visibility:hidden; position:absolute; left:-99999px;>
<!--
 
The remainder of the legitimate content is wrapped in an HTML comment inside an invisible DIV element placed far off the screen.
 
Airpwn Configuration Files
 
At runtime, a single configuration file is passed to airpwn in addition to the command line parameters.  The configuration contains one or more entry.  Each entry contains some match criteria and a link to the content to be sent in response.
 
The match criteria are a (required) PCRE expression to match, and an optional PCRE expression to use as an ‘ignore’ filter.  Airpwn will spoof a response to a packet if the match expression is found and the ignore pattern (if present) does not match.  Here’s a sample config file to match non-image HTTP requests:
 
begin greet_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(?i:jpg|jpeg|gif|png)
response content/greet_html
 
In this example, all HTTP requests using the GET or POST method are matched that don’t request one of the common content types.  This is useful for replacing webpage contents without breaking images.  The response keyword specifies the path to a file containing the response to be sent by airpwn.  In this case, the contents are:
 
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><head><title>HELLO!</title>
</head><body>
<blink><font size=+5 color=red>
Hello! Your wireless network is delicious!
</font>
</blink>
<p>
 
When combined, these two files have the effect of replacing all webpages with a friendly blinking red message.
 
Multiple entries can be specified in the same configuration file, allowing for nearly limitless configurations.  For example, we can extend the above configuration to also spoof responses to website images named “logo”.
 
begin greet_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(?i:jpg|jpeg|gif|png)
response content/greet_html

begin logo_replace
match ^GET [^ ?]logo+\.(?i:jpg|jpeg|gif|png)
option reset
response content/airpwn_logo
 
The option reset line in the above configuration instructs airpwn to send a TCP reset (RST) packet immediately after injecting the response content.  This will cause the connection to terminate immediately, often making the injection work better and/or faster.