Friday, April 8, 2011

KARMA + Metasploit 3 == Karmetasploit


In 2004 Dino Dai Zovi and Shane Macaulay presented All Your Layer Are Belong To Us at Pacsec in Tokyo. This presentation focused on the insecure behavior of wireless clients. Accompanying the presentation was a tool called KARMA (KARMA Attacks Radioed Machines Automatically). This tool acts as wireless access point and responds to all probe requests from wireless clients. Once a client has associated with the KARMA access point, every service they try to access leads to a malicious application. The services side of KARMA was written in Ruby, making it a perfect match for integration with version 3 of the Metasploit Framework.


The original version of KARMA depended on a modified version of the MADWIFI driver for Atheros-based wireless cards. While this approach works, its limits the types of network cards that can be used and requires some effort to maintain the patch against the latest version of the MADWIFI source code. To remedy this, the Aircrack-NG developers (specifically hirte) developed a user-mode access point that works with any wireless card that supports monitor mode and injection. This tool is called 'airbase' and was included in the 1.0rc1 release of Aircrack-NG. Not only does airbase solve the hardware limits of using a patched MADWIFI driver, but its also much easier to modify and integrate new features. The Metasploit staff contributed a patch to airbase that adds multiple ESSID beaconing, the option to temporarily beacon ESSIDs seen in probe requests, the ability to tune the beacon interval, and an option to force promiscuous (respond to all probes) mode regardless of whether an ESSID has been specified. The result is powerful replacement for the MADWIFI patch that can lure in a much wider range of wireless clients.

airbase-ng -P -C 30 -e "PWND" -v mon0

nano /etc/dhcp3/dhcpd.conf

option domain-name-servers;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
log-facility local7;
subnet netmask {
option routers;
option domain-name-servers;

ifconfig at0 up netmask
tarl -f /var/log/messqge

/etc/init.d/dhcp3-server start

wget ""

./msfconsole -r karma.rc

Filed Under :

0 comments for "KARMA + Metasploit 3 == Karmetasploit"

Post a Comment