Hi! Welcome to airpwn!

Some things you should probably know about airpwn, in some random order:

* This will work on Linux with any drivers that are supported by LORCON.
  This includes 802.11b, 802.11a and 802.11g cards, and may include
  support for 802.11n cards in the future.

* airpwn requires one card to operate in monitor mode; we listen and
  transmit on the same interface.

* Silly limitations of the current implementation that will hopefully be
  solved soon:

  1. airpwn only supports TCP at the moment
  2. no WEP support yet
  3. for port-based DoS (think wireless firewall) it would be nice to
     respond to a SYN with a RST..
  4. only server-to-client responses are supported at the moment
  5. only one packet can be injected at a time, so your response data
     needs to fit inside the interface MTU

Prerequisites:

  You'll need to have the following installed (and might need to edit
  the Makefile to specify the proper paths; why? because I am too lazy to
  write a configure script :( )

  * libpcap (www.tcpdump.org)
  * libnet (www.packetfactory.net/libnet)
  * libpcre (www.pcre.org)
  * lorcon (provided in the lorcon-current.tgz archive)

How airpwn works:

  Airpwn monitors traffic on an 802.11 network and responds with
  arbitrary content as configured.  The configuration file specifies a
  match regex, an ignore regex and a file containing the contents to
  inject.  If 'match' is detected and 'ignore' is not, airpwn injects a
  packet into the air that appears to come from the remote IP address,
  carries the proper sequence numbers, and has the MAC address of the AP
  the client is associated with.  As long as airpwn responds before the
  remote site, the client will accept the airpwn packet as valid and
  will push the data to the application.  (Average internet latency is
  on the order of ~50 msec; airpwn should be able to respond in under
  1 msec..)

  (TCP details): Since the packet airpwn generates is the next segment
  in the stream and lines up perfectly with the expected sequence
  numbers, the stack will push the data to the application immediately..
  The "real" packet sent from the intended server will be handled in one
  of two ways, depending on the relative lengths of the packets:

    * If the "real" packet is longer than the injected one, the
      additional data in the real packet will be appended to the end of
      the stream, directly after the injected data.  (If you spoof a
      short response to an HTTP request, the rest of the web page will
      flow after your injected response, unless the server sends gzipped
      data, in which case you will see garbage.)

    * If the "real" packet is shorter than the injected one, the client
      will be confused by the packet and a) ignore it or b) send an ACK
      to the server letting the server know what sequence number it
      expects to see.  NOTE: in some cases this will cause an endless
      loop of client/server arguments over who has the right sequence
      number.  I have observed over 2000pps being generated by a single
      client/server pair due to this effect.
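
As an added example (not part of airpwn or this README), here is a small passive detector for the race just described: from a monitor's point of view the injected segment and the later "real" one are two data segments in the same server-to-client flow that start at the same sequence number but carry different bytes. The detector flags that, while a genuine retransmission (same bytes, possibly re-packetised to a different length) is left alone. The addresses, ports and HTTP bytes in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

class InjectionDetector:
    """Flags two data segments in one flow that start at the same sequence
    number but disagree on their bytes (the injected packet, then the genuine
    one).  Retransmissions agree on the overlapping prefix and are ignored."""

    def __init__(self):
        self._seen = defaultdict(dict)  # flow 4-tuple -> {seq: first payload}

    def observe(self, seg):
        """Return an alert string for a conflicting segment, else None."""
        if not seg.payload:
            return None  # pure ACKs carry no data to disagree about
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        prior = self._seen[flow].setdefault(seg.seq, seg.payload)
        n = min(len(prior), len(seg.payload))
        if prior[:n] == seg.payload[:n]:
            return None  # first sighting, or a consistent retransmission
        off = next(i for i in range(n) if prior[i] != seg.payload[i])
        return (f"conflicting data at seq {seg.seq} (diverges at byte {off}) "
                f"in {seg.src}:{seg.sport}->{seg.dst}:{seg.dport}")

def scan(segments):
    """Run the detector over an iterable of segments and collect alerts."""
    det = InjectionDetector()
    return [a for a in map(det.observe, segments) if a]

# Constructed sample traffic (not a capture): a forged response wins the
# race, then the genuine server response lands on the same sequence number.
SERVER, CLIENT = ("203.0.113.5", 80), ("192.168.1.20", 51234)
FORGED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>spoofed</h1>"
GENUINE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Encoding: gzip\r\n\r\n"
SAMPLE = [
    Segment(*SERVER, *CLIENT, 1000, FORGED),
    Segment(*SERVER, *CLIENT, 1000, GENUINE),      # conflict -> alert
    Segment(*SERVER, *CLIENT, 1000, FORGED),       # plain retransmission
    Segment(*SERVER, *CLIENT, 1000, FORGED[:20]),  # re-packetised retransmission
    Segment(*SERVER, *CLIENT, 1000 + len(FORGED), b"<p>next segment</p>"),
]
```

Running `scan(SAMPLE)` yields exactly one alert, for the GENUINE segment, diverging at byte 17 where the two HTTP headers first differ.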

  airpwn has been successfully tested against Windows, Linux and OS X.
  All of them are vulnerable.  In our experience Windows is more
  vulnerable than OS X, which is again more vulnerable than Linux.  IE on
  Windows is highly reliable as it will apparently take any data you
  throw at it and put it on the screen as fast as possible.

What can you do with airpwn:

  Well, a lot of things really.  With airpwn, you *are* the network..
  You are every web server out there.  Here are some good (and bad)
  ideas:

  * Be silly and respond to web requests with nasty things like goatse
  * Inject JavaScript into various webpages and see what fun stuff you
    can do.. Trusted websites have powerful script-fu..
  * Replace all banner-ad requests with ads you feel are more
    appropriate.
  * Write a wireless IDS and respond to dangerous packets with RSTs
  * Overwrite bad MP3s with your own music..
  * Automatic chat bot for AIM, IRC, etc..
  * Lots of worse/better things..
  * Have fun and teach people about wireless security!  Give people a
    good incentive to, and a solid understanding of why they should use
    VPNs, encrypted proxies, etc..
