Karma is a collection of tools and code patches that can turn any laptop into the perfect evil twin access point. The patches supplied by Karma change your wireless card into an access point that will pretend to be using any network name, or ESSID, that a victim machine might ask for. For example, if you have your laptop configured to always connect to linksys, then when you ask for that network, Karma will say its network name is "linksys." At the same time, another laptop might be trying to connect to tmobile, and Karma will respond saying that its network name is "tmobile." In short, Karma is all things to all clients; but the fun doesn't stop there—Karma also comes packed with fake servers that allow you to clone any network service you want.
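The behaviour just described has an observable signature on the air: a single BSSID answering probe requests for many unrelated network names. The following Ruby snippet is an added example, not part of Karma, that flags such a BSSID from a constructed log of probe responses; the "bssid ssid" line format, the sample values and the threshold are assumptions.

```ruby
# Added example (not Karma's code): detect an access point that answers probe
# requests for many different SSIDs from one BSSID, which is what Karma's
# patched driver does. Input lines are assumed to be "<bssid> <ssid>", as a
# wireless monitoring tool might log probe responses it overhears.

# Constructed sample: one normal AP and one AP answering to every name.
SAMPLE_PROBE_RESPONSES = <<~LOG
  00:11:22:33:44:55 linksys
  00:11:22:33:44:55 linksys
  aa:bb:cc:dd:ee:ff linksys
  aa:bb:cc:dd:ee:ff tmobile
  aa:bb:cc:dd:ee:ff robots
  aa:bb:cc:dd:ee:ff blizzard
  00:11:22:33:44:55 linksys
LOG

# Parse "bssid ssid" lines into a hash of bssid => array of distinct SSIDs.
# SSIDs may contain spaces, so only the first whitespace run is a separator.
def ssids_per_bssid(log)
  seen = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    bssid, ssid = line.strip.split(' ', 2)
    next if bssid.nil? || ssid.nil?
    seen[bssid] << ssid unless seen[bssid].include?(ssid)
  end
  seen
end

# Return the BSSIDs that responded with at least `threshold` distinct SSIDs.
# A legitimate AP normally advertises one (or a handful of) network names.
def karma_suspects(log, threshold: 3)
  ssids_per_bssid(log).select { |_, ssids| ssids.size >= threshold }.keys
end

if __FILE__ == $0
  karma_suspects(SAMPLE_PROBE_RESPONSES).each do |bssid|
    puts "#{bssid} answered for #{ssids_per_bssid(SAMPLE_PROBE_RESPONSES)[bssid].size} SSIDs"
  end
end
```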
For an open source tool that uses code patches, Karma is surprisingly easy to install. The hardest part is taking care to properly patch the wireless drivers and the Samba server. To get started, you're going to need to install some required packages. Most of Karma is written in Ruby, so you'll need to install that first. Then Linux users will need to patch and install the modified madwifi drivers that will let Karma be all access points at once. The patch for the madwifi drivers can be found in src/misc/madwifi.patch in the Karma package. If your Linux distribution stores your wireless tools someplace other than /sbin, you will need to do something like the following, so that Karma can find them:
ln -s /sbin/iwconfig /usr/sbin/iwconfig
ln -s /sbin/iwpriv /usr/sbin/iwpriv
ln -s /sbin/iwevent /usr/sbin/iwevent
After you get to this point, you can optionally install the Samba patches that will let victims connect to your file share no matter what name they ask for. If you do install this patch, be sure to get the right Samba version; as of this writing, you need version 3.0.
According to the authors of Karma, the most common reason people have trouble getting it to work is that they don't apply the driver patches correctly, or they don't install the patched drivers. The second most common reason is that they don't put the wireless device in monitor mode.
Karma lets you passively scan for wireless clients that are probing for their preferred networks. This can be useful if you want to see what potential victims are available, but you don't want to do any active attacks yet. This is also useful to test that your wireless setup is working correctly. After setting your wireless card in monitor mode using the script ./bin/monitor-mode.sh, run ./src/karma to see the list of clients sending probe requests; for example:
KARMA
Hardware Address   Sig  Probe Requests
00:16:cb:09:0e:c5  200  robots <broadcast>
00:19:d2:17:ad:4d  164  blizzard
00:0e:35:df:3b:fe  175  <broadcast> linksys
The passive scan gives you a list of probing clients, but it doesn't guarantee that they will all be tricked into connecting to your fake network. To see which clients will connect without actually doing any attacking, you can run Karma with the scan-only configuration. Run the following:
./bin/karma ./etc/karma-scan.xml
This gives you the same basic information as from passive scanning, but this time you can see which clients are actively trying to connect to your network.
[root@localhost karma-20060124]# ./bin/karma ./etc/karma-scan.xml
Starting KARMA...
ACCESS-POINT is running
DHCP-SERVER is running
Delivering judicious KARMA, hit Control-C to quit.
AccessPoint: 00:0d:93:7f:8f:b4 associated with SSID test
DhcpServer: 00:0d:93:7f:8f:b4 discover
DhcpServer: 00:0d:93:7f:8f:b4 (Davros) <- 169.254.0.254
DhcpServer: 00:0d:93:7f:8f:b4 (Davros) <- 169.254.0.254
In the last example, we told Karma to use the scanning configuration described by karma-scan.xml. This is the simplest configuration that Karma ships with. The main configuration file has two basic kinds of entries: options that set a value for a particular module, and a list of the modules Karma should run. An option is specified like this:
<option module="ACCESS-POINT" name="ssid" value="karma"/>
Here, ACCESS-POINT is the module, and you are setting the option ssid to karma. In order for this option to be useful, you will need to load the ACCESS-POINT module, which is accomplished with the following config line:
<run module="ACCESS-POINT"/>
It's that simple. And because Karma is mostly written in open source Ruby code, adding your own module is relatively easy for anyone willing to write some small Ruby scripts.
By default, Karma captures any connected victims and shows them only the view of the Internet that you create for them to see. That's all well and good if you just want to attack their web browser; but if you want to fool the person using the laptop (and not just his software), you will need to actually have some real Internet content. Karma accomplishes this by allowing you to proxy network traffic from the real Internet to be seen by the victim. This is perfect for when you just want to see what a user would do on the Internet, or if you want to attack a service other than HTTP and you need to keep the illusion alive as long as possible. To enable this feature, you will of course need to have Internet access from a source other than the wireless card you are using to do the attacking (a modem that works on the cell phone network would serve this purpose). Then all you have to do is add the following line to your config file:
<option module="HTTP-SERVER" name="proxy" value="enable" />
With that enabled, you will now have a man-in-the-middle view of your victim's entire network traffic. If you're willing to write some code of your own, this can let you mount attacks on almost all weakly authenticated encrypted communications.