Airsnarf is a simple rogue wireless access point setup utility designed
to demonstrate how a rogue AP can steal usernames and passwords from
public wireless hotspots. Airsnarf was developed and released to
demonstrate an inherent vulnerability of public 802.11b
hotspots--snarfing usernames and passwords by confusing users with DNS
and HTTP redirects from a competing AP.

Airsnarf has been tested with (i.e. probably requires) the following:

Install & run Airsnarf with the following commands:

    tar zxvf airsnarf-0.2.tar.gz
    cd ./airsnarf-0.2
    ./airsnarf

How does it work? Basically, it's just a shell script that uses
the above software to create a competing hotspot complete with a captive
portal. Variables such as the local network, gateway, and SSID to
assume can be configured in the ./cfg/airsnarf.cfg file.
Optionally, as a command line argument to Airsnarf, you may specify a
directory that contains your own airsnarf.cfg, html, and cgi-bin.

Wireless clients that associate to your Airsnarf access point receive
an IP address, DNS server, and gateway from you--just as they would from
any other hotspot. All of their DNS queries resolve to your IP,
regardless of their DNS settings, so any website they attempt to
visit will bring up the Airsnarf "splash page", requesting a username
and password. The username and password entered by
unsuspecting users will be mailed to root@localhost. The reason
this works is 1) legitimate access points can be impersonated and/or
drowned out by rogue access points and 2) users without a means to
validate the authenticity of access points will nevertheless give up
their hotspot credentials when asked for them.

So what's the big deal? Well, with a setup like Airsnarf one can
obviously create a "replica website" of many popular, nationally
recognized, "pay to play" hotspots. That's as simple as replacing
the index.html file Airsnarf uses with your own custom webpage that
still points its form field variables to the airsnarf.cgi.
Run at or near a real hotspot, such a setup will lead hotspot users to
associate and unknowingly give out their username and password for the
hotspot provider's network. The usernames and passwords can then
be misused at will to utilize other hotspots of the same provider,
possibly anywhere in the nation, leaving the original duped user to pay
the bill. Should the user be charged for per-minute usage, they may
recognize something is terribly wrong when they get their next
bill. If the user pays a flat rate for unlimited usage, the user
may never realize their credentials have been captured and are being
misused.

Wireless hotspot operators should consider the following:
stronger authentication mechanisms, one-time authentication setups,
monitoring the existence and creation of APs, and perhaps just giving
away hotspot access for free to remove any user service theft risks.
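
As an added example (not part of Airsnarf or this README), the following script shows one form of the AP monitoring recommended above: it parses iw-style scan output and flags any BSSID that advertises a monitored SSID but is missing from the operator's inventory of authorized BSSIDs, which is exactly how an evil-twin AP of the kind Airsnarf creates shows up. The scan sample and the inventory are constructed for the example; the line layout follows `iw dev <if> scan` but is simplified.

```python
import re

# Constructed sample in the style of `iw dev wlan0 scan` output (not real
# capture data; layout simplified for the example).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    signal: -48.00 dBm
    SSID: HotspotProvider
BSS 00:11:22:33:44:02(on wlan0)
    signal: -61.00 dBm
    SSID: HotspotProvider
BSS de:ad:be:ef:00:01(on wlan0)
    signal: -35.00 dBm
    SSID: HotspotProvider
BSS 66:77:88:99:aa:bb(on wlan0)
    signal: -70.00 dBm
    SSID: CoffeeShopGuest
"""

# Assumed operator inventory: the BSSIDs legitimately allowed to advertise
# each monitored SSID (constructed values).
AUTHORIZED = {"HotspotProvider": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def parse_scan(text):
    """Return a list of (bssid, ssid, signal_dbm) tuples from iw-style scan text."""
    aps, bssid, ssid, signal = [], None, None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:  # a new BSS entry starts; flush the previous one
            if bssid is not None:
                aps.append((bssid, ssid, signal))
            bssid, ssid, signal = m.group(1), None, None
            continue
        m = re.match(r"\s*signal: (-?\d+(?:\.\d+)?) dBm", line)
        if m:
            signal = float(m.group(1))
            continue
        m = re.match(r"\s*SSID: (.*)", line)
        if m:
            ssid = m.group(1)
    if bssid is not None:
        aps.append((bssid, ssid, signal))
    return aps


def find_rogue_aps(aps, authorized):
    """Flag APs advertising a monitored SSID from a BSSID not in the inventory."""
    return [{"bssid": b, "ssid": s, "signal": sig} for b, s, sig in aps
            if s in authorized and b not in authorized[s]]


if __name__ == "__main__":
    for r in find_rogue_aps(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"ALERT: unknown BSSID {r['bssid']} advertising {r['ssid']} at {r['signal']} dBm")
```

On a live system, feed it the output of `iw dev wlan0 scan` instead of the embedded sample; a strong-signal unknown BSSID carrying your SSID is the signature to alert on.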

Questions, comments, or concerns regarding Airsnarf should be directed
to: airsnarf@shmoo.com