ICSec / Airpwn Ng

Licence: gpl-2.0
airpwn-ng

Programming Languages

python

The home of the new and improved version of airpwn... airpwn-ng

Disclaimer

Illicit usage of this code has the potential to land the user in Legal and/or Civil jeopardy if used for malicious purposes or even unknowingly by perhaps using the wrong MAC filter as an example. Ensure you know what the syntax you are running actually does. Even better, have a glance at the source code to make sure for yourself. Better than that, help us write a wiki on how this whole thing is put together for the betterment of society.

airpwn-ng is a tool meant for legal and ethical purposes. The authors of airpwn-ng, airpwn and pretty much every other hacking tool out there take no, zip, zilch, zero and nada on the responsibility for what you the user does with it.

It is a tool, that is it.

Overview

Features

  • Inject to all visible clients (a.k.a Broadcast Mode)
  • Inject on OPEN, WEP and WPA protected networks
  • Inject with 1 or multiple NICs
  • Managed mode injection

How do we do it?

Setup

The majority of prerequisites are met via pip and local file storage:

python3 -m pip install RESOURCEs/*.tar.gz

You also need to have a copy of aircrack-ng installed on the system.

Usage

airpwn-ng has a unique talent in that it not only injects on the Monitor Mode side of things, but it can do a hybrid model whereby it injects on a Managed interface as well. Depending on your scenario this may or may not come into play. airpwn-ng assumes the default of Monitor mode for each NIC used.

airpwn-ng has the potential to inject whatever the user wants. For explanation purposes only the --injection method will be covered. A lot of the prior features for airpwn-ng are being removed in favor of speeding the tool up.

Open Wireless

This is by far the fastest mode for airpwn-ng as the least amount of math and overhead is involved. A typical scenario would be one where you only need 1 NIC and are running a broadcast attack for anyone within earshot. While this is most likely unfeasible due to encroachment onto other ESSIDs, depending on where you and the target are, it is not impossible to perform a Broadcast style attack legally and without concern.

python3 ./airpwn-ng -i wlan0mon -m wlan0mon --injection payloads/wargames.html --channel 6 -s 5 -t 'b8:27:eb:04:47:7b' -w 30

airpwn-ng - The new and improved 802.11 packet injector

[+] Setting NIC Channel(s) to 6
[+] Loaded injection file payloads/wargames.html
[+] Adding target b8:27:eb:04:47:7b
Speedpatch && No BSSID filtering
[*] Injecting Packet to victim b8:27:eb:04:47:7b (TOTAL: 2 injected packets)

In the above combination we are monitoring the channel using wlan0mon. We are also using wlan0mon to inject. --injection represents the file we want to use as the strings to inject. Shall we play a game? The user is presented with the --channel option.

-s is all about the size of the packet. The default size is explicitly shown because this is Open Wireless. The size of the packets is not increased with WEP or WPA encapsulation. Read main() in airpwn-ng and then scroll down about 20 lines or so; you'll see it. That should explain it quite well. Remember, airpwn-ng is not limited to just injecting strings. Sometimes small packets help us to filter out the junk a lot faster and earlier in the parsing phase.

-t is our friend. -t keeps us legal. Learn and know, then get to really know -t. -t only lets the injection happen on the listed MACs. If you have more than one, put them in quotes and space them apart.

-w is a relatively new feature in that sometimes knowing your backpressure is good. airpwn-ng pushes the limits via our friend scapy. The less capable your gear, the lower the value you should set your warnings to. Everything you see here is running on a Raspberry Pi 3b.

WEP

Alas, our good friend WEP. Still alive and running around in the world. It is not uncommon to spot a wild WEP in public in any major urban area. WEPs are notorious for their uncanny ability to evade compliance requirements. Should you get hired to catch one of these little pests, airpwn-ng is your new best friend.

Coming soon!

WPA

Our jovial little pal WPA has no power here. airpwn-ng and pyDot11 have quite a story to tell.

Coming soon!

Wait, what?

Yes, WEP and WPA have been left off the readme for the time being. airpwn-ng is ever so slowly porting over to Python 3. Some of the roadblocks are interesting for sure. In the interest of keeping this project alive, this README will shortly be updated with directions on how to verify that all modules are implemented in a Python 2 environment. As it is now 2021, this can be difficult. Stay tuned, hang tight and you'll probably see an OS option in the not too distant future.

Yes, you read that correctly

You mean to tell me that if I set up a Python 2 environment and do a bit of homework I too can have a fully functional airpwn-ng complete with WEP and WPA options all without having to wait on an update to the README?

Yes. This is a porting process, not a removal of working code. Do your homework.
