KARMA Main:
Project homepage:
http://theta44.org/karma/index.html
"KARMA is a set of tools for assessing the security of wireless clients at
multiple layers. Wireless sniffing tools discover clients and their
preferred/trusted networks by passively listening for 802.11 Probe Request
frames. From there, individual clients can be targeted by creating a Rogue AP
for one of their probed networks (which they may join automatically) or using a
custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side
vulnerabilities on the host." -http://theta44.org
Installing KARMA
Using KARMA (discovery)
Using KARMA (Rogue Services)
The following installation process assumes that you are using the FC4 Auditing
Laptop Build as described in the Auditing Laptop Build: HOWTO; all other builds
have not been tested.
Download the latest stable code (currently KARMA SNAPSHOT 20060124) from
http://theta44.org/karma/index.html to /tools/wifi
Thanks to Dino Dai Zovi (tools co-author) for the new KARMA snapshot, which is
easily installed on FC4.
cd /tools/wifi
tar zxvf karma-20060124.tar.gz
cd karma-20060124
cp src/misc/madwifi.patch /root
cd /root
patch -p0 < madwifi.patch
ln -s /sbin/iwconfig /usr/sbin/iwconfig
ln -s /sbin/iwpriv /usr/sbin/iwpriv
ln -s /sbin/iwevent /usr/sbin/iwevent
yum install ruby
(answer "y" when prompted).
cd /tools/wifi/karma-20060124
bin/monitor-mode.sh ath0
(cd ./src/ && make) && ./src/karma ath0

"This display will
list wireless clients in range and the networks they send probe requests for.
This reveals the entries in their preferred networks list." -http://theta44.org
KARMA runs in stealth mode, so basic wireless scanning activity (e.g.
Netstumbler) will not detect the server's presence.
KARMA also provides a number of other configurations, stored in
karma-20060124/etc
karma-scan.xml
Description:
karma-scan.xml - "Attempts to find insecure wireless clients that will associate
to rogue network and possibly obtain IP address via DHCP". -http://theta44.org
Usage:
cd /tools/wifi/karma-20060124
bin/monitor-mode.sh ath0
bin/karma etc/karma-scan.xml

Now that the rogue services are started, any probing clients will connect to
KARMA on our machine, whichever SSID their machine chooses to use.

Above we can see the client received the IP address 169.254.0.254 from KARMA's
DHCP server.
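
A defender's view of the behaviour just described, as an added example that is not part of the original guide or of the KARMA project: an access point that answers probes for whatever SSID a client asks for can be spotted because one BSSID sends probe responses for many unrelated SSIDs, including a made-up canary SSID that no real network uses. The frame tuples, the canary name and the threshold are constructed assumptions; in practice they would come from a monitor-mode capture.

```python
from collections import defaultdict

# Constructed sample of decoded 802.11 management frames:
# (subtype, transmitter BSSID, SSID element). All values are made up.
FRAMES = [
    ("beacon",     "00:11:22:33:44:55", "CorpWLAN"),
    ("probe_resp", "00:11:22:33:44:55", "CorpWLAN"),
    ("probe_resp", "00:11:22:33:44:55", "CorpWLAN"),
    ("beacon",     "00:11:22:33:44:56", "CorpGuest"),
    ("probe_resp", "00:11:22:33:44:56", "CorpGuest"),
    ("probe_resp", "02:de:ad:be:ef:01", "linksys"),
    ("probe_resp", "02:de:ad:be:ef:01", "HotelWiFi"),
    ("probe_resp", "02:de:ad:be:ef:01", "CorpWLAN"),
    ("probe_resp", "02:de:ad:be:ef:01", "zq7-canary-41f9"),
]

def find_any_ssid_responders(frames, canary_ssids=(), max_ssids=2):
    """Return {bssid: [reasons]} for transmitters that behave like an
    answer-any-SSID access point (hypothetical helper, not a KARMA API)."""
    answered = defaultdict(set)   # bssid -> SSIDs seen in probe responses
    beaconed = defaultdict(set)   # bssid -> SSIDs seen in beacons
    for subtype, bssid, ssid in frames:
        bssid = bssid.lower()
        if subtype == "probe_resp":
            answered[bssid].add(ssid)
        elif subtype == "beacon":
            beaconed[bssid].add(ssid)

    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # A canary is a random SSID the defender probes for on purpose;
        # no legitimate network should ever answer for it.
        hits = sorted(ssids & set(canary_ssids))
        if hits:
            reasons.append("answered canary SSID: " + ", ".join(hits))
        # Real multi-SSID APs normally use a separate BSSID per SSID.
        if len(ssids) > max_ssids:
            reasons.append(f"answered {len(ssids)} distinct SSIDs")
        # Supporting evidence only: answers for SSIDs it never beacons.
        unannounced = ssids - beaconed[bssid]
        if reasons and unannounced:
            reasons.append(f"{len(unannounced)} answered SSIDs never beaconed")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    found = find_any_ssid_responders(FRAMES, ["zq7-canary-41f9"])
    for bssid, reasons in found.items():
        print(bssid, "->", "; ".join(reasons))
```
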
karma.xml
Description:
karma.xml - "Runs a rogue base station with DHCP, DNS and HTTP services. The
HTTP service re-directs all requests to the ExampleWebExploit module that
displays a simple HTML page. This page can be replaced with something that
informs the user that their wireless settings are insecure and that it may be a
violation of corporate policy etc" -http://theta44.org
Usage:
cd /tools/wifi/karma-20060124
bin/monitor-mode.sh ath0
bin/karma etc/karma.xml

KARMA is now offering a variety of services (POP, FTP and HTTP) for any curious
user to connect to.

Above we can see an attempted FTP connection to www.mysecretwebsite.com, which
was actually received by KARMA, and the user's credentials (username =
myusername and password = mypassword) were captured by KARMA.
karma-lan.xml
Description:
karma-lan.xml - "This configuration runs a rogue DHCP, DNS and HTTP services on
an existing (wired) network connection. The HTTP service redirects all requests
to ExampleWebExploit module that displays simple HTML page" -http://theta44.org
Usage:
cd /tools/wifi/karma-20060124
bin/monitor-mode.sh ath0
bin/karma etc/karma-lan.xml

The karma-lan.xml configuration file provides you with all the features (e.g.
to capture POP, FTP and HTTP traffic) of karma.xml but for a wired interface.
Many thanks to Dino Dai Zovi for producing the new KARMA snapshot, without
which this guide would not exist.