"KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host." -http://theta44.org
stable code (currently KARMA SNAPSHOT 20060124) from
Using KARMA (discovery)
Using KARMA (Rogue Services)
The following installation process assumes that you are utilising the FC4 Auditing Laptop Build as described in Auditing Laptop Build: HOWTO; all other builds have not been tested.
Thanks to Dino Dai Zovi (tools co-author) for the new KARMA snapshot, which is easily installed on
patch -p0 < madwifi.patch
yum install ruby
(answer "y" when prompted).
(cd ./src/ && make) && ./src/karma ath0
"This display will list wireless clients in range and the networks they send probe requests for. This reveals the entries in their preferred networks list." -http://theta44.org
KARMA runs in stealth mode so basic wireless scanning activity (e.g. Netstumbler) will not detect the
KARMA also provides a number of other configurations stored in karma-20060124/etc
"Attempts to find insecure wireless clients that will associate to rogue network and possibly obtain IP address via DHCP." -http://theta44.org
Now that the rogue services are started, any probing clients will connect to KARMA on our machine, whichever SSID their machine chooses to use.
Above we can see the client received the IP address 169.254.0.254 from KARMA's DHCP server.
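The behaviour just described (one station answering probes for whatever SSID each client asks for) is also what gives a KARMA-style AP away to a wireless IDS. The following is an added detection heuristic, my own example and not part of this guide or of the KARMA code; it assumes a monitor-mode capture has already been decoded into per-frame records with the assumed fields subtype, bssid and ssid, and flags any BSSID that mirrors most of the SSIDs clients have probed for.

```python
from collections import defaultdict

# Constructed sample frame summaries (not a real capture). A probe request carries
# a broadcast BSSID plus the SSID the client is looking for; probe responses and
# beacons carry the AP's BSSID plus the SSID it claims to serve.
SAMPLE_FRAMES = [
    {"subtype": "probe-request",  "bssid": "ff:ff:ff:ff:ff:ff", "ssid": "corp-wifi"},
    {"subtype": "probe-response", "bssid": "00:11:22:33:44:55", "ssid": "corp-wifi"},
    {"subtype": "probe-request",  "bssid": "ff:ff:ff:ff:ff:ff", "ssid": "home-net"},
    {"subtype": "probe-response", "bssid": "00:11:22:33:44:55", "ssid": "home-net"},
    {"subtype": "probe-request",  "bssid": "ff:ff:ff:ff:ff:ff", "ssid": "cafe-hotspot"},
    {"subtype": "probe-response", "bssid": "00:11:22:33:44:55", "ssid": "cafe-hotspot"},
    {"subtype": "beacon",         "bssid": "aa:bb:cc:dd:ee:ff", "ssid": "corp-wifi"},
    {"subtype": "probe-response", "bssid": "aa:bb:cc:dd:ee:ff", "ssid": "corp-wifi"},
]

ADVERTISING = ("probe-response", "beacon")  # subtypes in which an AP claims an SSID


def ssids_claimed(frames):
    """Map each AP BSSID to the set of SSIDs it has beaconed or answered probes for."""
    claimed = defaultdict(set)
    for frame in frames:
        if frame["subtype"] in ADVERTISING:
            claimed[frame["bssid"]].add(frame["ssid"])
    return claimed


def probed_ssids(frames):
    """Distinct SSIDs clients asked for (directed probes only; wildcard probes have
    an empty SSID and are skipped)."""
    return {f["ssid"] for f in frames if f["subtype"] == "probe-request" and f["ssid"]}


def mirror_ratio(frames):
    """Per BSSID, the fraction of client-probed SSIDs that BSSID claimed. A normal AP
    answers only for the few SSIDs it serves; a KARMA-style AP echoes whatever each
    client probes for, so its ratio approaches 1.0."""
    probed = probed_ssids(frames)
    if not probed:
        return {}
    return {bssid: len(ssids & probed) / len(probed)
            for bssid, ssids in ssids_claimed(frames).items()}


def suspect_bssids(frames, min_ssids=3, min_ratio=0.8):
    """BSSIDs claiming >= min_ssids distinct SSIDs that also mirror >= min_ratio of
    the probed set. Thresholds are assumptions; tune them to the site's real APs."""
    ratios = mirror_ratio(frames)
    return sorted(b for b, s in ssids_claimed(frames).items()
                  if len(s) >= min_ssids and ratios.get(b, 0.0) >= min_ratio)
```

On the constructed sample, only 00:11:22:33:44:55 is flagged: it answered all three probed SSIDs, while aa:bb:cc:dd:ee:ff only ever claimed the one SSID it beacons.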
a rogue base station with DHCP, DNS and HTTP services. The HTTP service re-directs all requests to the ExampleWebExploit module that displays a simple HTML page. This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc" -http://theta44.org
KARMA is now offering a variety of services (POP, FTP and HTTP) for any curious user to connect to.
Above we can see an attempted FTP connection to www.mysecretwebsite.com which was actually received by KARMA, and the user's credentials (username = myusername, password = mypassword) were captured by KARMA.
"This configuration runs rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to the ExampleWebExploit module that displays a simple HTML page" -http://theta44.org
The karma-lan.xml configuration file provides you with all the features (e.g. to capture POP, FTP and HTTP traffic) of karma.xml but for a wired interface.
Many thanks to Dino Dai Zovi for producing the new KARMA snapshot, without which this guide would not exist.