Hi! Welcome to airpwn!

Some things you should probably know about airpwn, in some random order:

* This will work on linux w/ any drivers that are supported by LORCON.
  This includes 802.11b, 802.11a, 802.11g & 802.11n cards.

* airpwn requires one card to operate in monitor mode; we listen and
  transmit on the same interface.

* Silly limitations to the technology that will hopefully be solved
  soon:

  1. airpwn only supports TCP now
  2. for port-based DoS (think wireless firewall) it would be nice to
     respond to a SYN with a RST..
  3. only server-to-client responses are supported now

Prerequisites:

  * libpcap (www.tcpdump.org)
  * libnet (www.packetfactory.net/libnet)
  * libpcre (www.pcre.org)
  * lorcon (provided in the lorcon-current.tgz archive)
  * openssl (www.openssl.org) (only needed for the keygen)

How airpwn works:

  Airpwn will monitor traffic on an 802.11 network and respond with
  arbitrary content as configured.  The configuration file specifies a
  match regex, an ignore regex and a file containing the contents to
  inject.  If 'match' is detected and 'ignore' is not, one or more
  packets appearing to come from the remote IP address, carrying the
  proper sequence numbers and the MAC address of the AP the client is
  associated with, are injected into the air.  As long as airpwn
  responds before the remote site, the client will accept the airpwn
  packet(s) as valid and will push the data to the application.
  (Average internet latency is on the order of ~50msec.  Airpwn should
  be able to respond in under 1msec.)

  (TCP details): Since the packet airpwn generates is the next segment
  in the stream and lines up with the expected numbers perfectly, the
  stack will push the data to the application immediately.. The "real"
  packet sent from the intended server will be handled in one of two
  ways, depending on the relative lengths of the packets:

    * If the "real" packet is longer than the injected one, the
      additional data in the real packet will be appended to the end of
      the stream, directly after the injected data.  (If you spoof a
      short response to an HTTP request, the rest of the web page will
      flow after your request (unless the server sends gzipped data, in
      which case you will see garbage.))

    * If the "real" packet is shorter than the injected one, the client
      will be confused by the packet and a) ignore it or b) send an ACK
      to the server letting the server know what sequence number it
      expects to see.  NOTE: in some cases this will cause an endless
      loop of client/server arguments over who has the right sequence
      number.  I have observed over 2000pps being generated by a single
      client/server pair due to this effect.

  airpwn has been successfully tested against windows, linux and OSX.
  All of them are vulnerable.  In our experience windows is more
  vulnerable than OSX, which is again more vulnerable than linux.  IE on
  windows is highly reliable as it will apparently take any data you
  throw at it and put it on the screen as fast as possible.
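
  A passive check for the race just described, added here as an example
  (it is not airpwn's own code): it remembers every server-to-client
  byte per flow and flags a later segment whose bytes disagree with what
  was already delivered at the same sequence numbers, which is exactly
  what the "real" packet does when it arrives after the injected one.
  A plain retransmission carries identical bytes and is not flagged.
  Flow endpoints and payloads below are constructed sample data.

```python
"""Passive detector for the TCP injection race described above.
Constructed example, not airpwn code: an observer on the wireless side
sees both the injected segment and the later "real" one from the server;
both claim the same sequence numbers, so their bytes disagree."""
from dataclasses import dataclass, field

@dataclass
class Segment:
    client: str     # "ip:port" of the wireless client (constructed)
    server: str     # "ip:port" of the remote server (constructed)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # server->client data only (the direction airpwn injects)

@dataclass
class InjectionDetector:
    # (client, server) -> {absolute seq: byte already seen at that seq}
    seen: dict = field(default_factory=dict)

    def observe(self, seg):
        """Return an alert dict if seg contradicts earlier data, else None."""
        stream = self.seen.setdefault((seg.client, seg.server), {})
        conflicts = []
        for offset, byte in enumerate(seg.payload):
            pos = (seg.seq + offset) & 0xFFFFFFFF   # wrap like TCP does
            prior = stream.get(pos)
            if prior is None:
                stream[pos] = byte                   # first time at this seq
            elif prior != byte:
                conflicts.append(pos)                # two payloads, one seq
        if not conflicts:
            return None
        return {"flow": (seg.client, seg.server),
                "first_conflict_seq": conflicts[0],
                "bytes_in_conflict": len(conflicts)}

def run_demo():
    """Feed constructed segments through the detector; return the alerts."""
    det = InjectionDetector()
    legit = Segment("10.0.0.5:51000", "198.51.100.10:80", 500,
                    b"HTTP/1.1 200 OK\r\n\r\nhello")
    injected = Segment("10.0.0.7:52000", "198.51.100.10:80", 1000,
                       b"HTTP/1.1 200 OK\r\nX-Demo: injected\r\n\r\nfake")
    real = Segment("10.0.0.7:52000", "198.51.100.10:80", 1000,
                   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>")
    segments = [legit, legit, injected, real,   # legit twice = retransmit
                Segment("10.0.0.7:52000", "198.51.100.10:80",
                        1000 + len(real.payload), b"real page</html>")]
    return [a for a in (det.observe(s) for s in segments) if a]
```

  Only the flow that saw two different payloads at seq 1000 produces an
  alert; the status line matches, so the first conflicting byte is the
  one at seq 1017.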

What can you do with airpwn:

  Well, a lot of things really.  With airpwn, you *are* the network..
  You are every web server out there.  Here are some good (and bad)
  ideas:

  * Be silly and respond to web requests with nasty things like goatse
  * Inject javascript into various webpages and see what fun stuff you
    can do.. Trusted websites have powerful script-fu..
  * Replace all banner-ad requests with ads you feel are more
    appropriate.
  * Write a wireless IDS and respond to dangerous packets with RSTs
  * Overwrite bad MP3s with your own music.. 
  * Automatic chat bot for AIM, IRC, etc.. 
  * Lots of worse/better things..
  * Have fun and teach people about wireless security!  Give people a
    good incentive to, and a solid understanding of why they should use
    VPNs, encrypted proxies, etc..

A note on packet retransmissions:

  Since airpwn is sending packets with the spoofed source MAC of the
  access point, the 802.11 ACK is sent to the AP and not to the host
  running airpwn.  This will likely cause your wireless driver to
  retransmit the same airpwn packets over and over, waiting for an ACK
  that will never come.  Depending on the driver, this can fill the
  packet queue and stall it, leading to poor performance.  If airpwn
  seems to work for the first instance of the match but not for
  subsequent matches (for example: only replacing the first image or
  two on a page), you are likely seeing this behavior.  "Tuning" your
  driver to not retransmit packets will lead to much better behavior.

  To hack the madwifi-ng drivers to not retransmit packets, edit
  ath/if_athvar.h and set ATH_TXMACTRY to 1 (default value is 11).

  For drivers that support the TX Flags field of the Radiotap header
  for outgoing packets, airpwn sets the No ACK flag to disable
  retransmissions, so such drivers need no modification to work with
  airpwn.
