182

Chapter 12

The POP3 server configured by Metasploit intercepts the target’s email 

username and password at  , because all DNS requests are intercepted by 
the DNS server that Karmetasploit set up for us.

Getting a Shell

At this point, the user has no new messages, so he decides to do some web 
browsing. When the browser opens, a 

captive portal

 is presented to the user, 

as shown in Figure 12-1.

Figure 12-1: Karmetasploit captive portal

As the user sits in front of his computer wondering what’s going on, 

Karmetasploit is busy configuring the attack to capture cookies; set up fake 
email, DNS, and other servers; and launch exploits against the client’s browser—
all the result of the magic contained in our 

karma.rc

 file.

Of course, some degree of luck is involved in this attack. The browser 

will display a “Loading” page while exploits are launched. If the user is impa-
tient, he may simply close the browser window, which will stop our exploits.

Next, you can see the massive amount of output that results from this attack:

[*] HTTP REQUEST 10.0.0.100 > www.microsoft.com:80 GET /isapi/redir.dll Windows IE 6.0 

cookies=WT_NVR=0=/:1=downloads:2=downloads/en; WT_FPC=id=111.222.333.444-1008969152
.30063513:lv=1267703430218:ss=1267703362203;MC1=GUID=09633fd2bddcdb46a1fe62cc49fb4ac4&HASH=
d23f&LV=20103&V=3; A=I&I=AxUFAAAAAAAuBwAADSAT6RJMarfs902pHsnj0g!!; MUID=C7149D932C864
18EBC913CE45C4326AE

[*] Request '/ads' from 10.0.0.100:1371

 [*] HTTP REQUEST 10.0.0.100 > adwords.google.com:80 GET /forms.html Windows IE 6.0 cookies=

[*] HTTP REQUEST 10.0.0.100 > blogger.com:80 GET /forms.html Windows IE 6.0 cookies=