Monday, August 18, 2008

Metasploit + Karma=Karmetasploit Part 2

Ok, so we have everything up and running (first post) and waiting for some random person...err your lab wifi box to connect to Karmetasploit.

We take a look at our current network connection before airbase-ng starts doing its thing.

*Note the blistering connection I had at the hotel.

Now we take a look at some of the available APs after airbase-ng starts doing its thing.

And lastly, my computer connected to the hhonors AP.

After that we open up our browser and try to go to and we get the portal page that karmetasploit presents.

But as soon as we click enter or try to browse to a different URL a whole bunch of iframes start doing their thing trying to do the cookie theft and exploitation. You can see it in the bottom left corner.

Here we can see the result of ipconfig /all and see that my DHCP server and DNS server are from karmetasploit.
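A defender-side version of the ipconfig /all check above, as an added example that is not from the original post: it parses the output and reports any DHCP or DNS server outside a known-good baseline. The sample output, the addresses and the baseline are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output; every address here is made up,
# with 10.0.0.1 standing in for the rogue AP host.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.0.0.100
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       192.168.1.53
"""

# Hypothetical baseline: the servers this client sees on its usual network.
BASELINE = {"DHCP Server": {"192.168.1.1"}, "DNS Servers": {"192.168.1.53"}}

KEY_RE = re.compile(r"^\s+(\S.*?)[ .]*\. :\s*(.*)$")  # "   Key . . . : value"

def parse_ipconfig(text):
    """Return {section: {key: [values]}}, folding continuation lines into the last key."""
    sections, current, last_key = {}, {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line:
            continue
        if not line[0].isspace():                  # unindented line starts a section
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = [m.group(2)] if m.group(2) else []
        elif last_key:                             # extra DNS server or gateway line
            current[last_key].append(line.strip())
    return sections

def unexpected_servers(sections, baseline):
    """List (section, key, address) for every DHCP/DNS server outside the baseline."""
    return [(name, key, addr)
            for name, fields in sections.items()
            for key, allowed in baseline.items()
            for addr in fields.get(key, []) if addr not in allowed]

if __name__ == "__main__":
    print(unexpected_servers(parse_ipconfig(SAMPLE), BASELINE))
```

On a Windows client the same functions can be fed the real output of ipconfig /all instead of SAMPLE, with the baseline filled in from a connection to the trusted network.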

A shot of airbase-ng doing its thing

iPhones connecting up

Cookie theft

POP password gathering

I saw the SMB Relay attack attempted a couple of times but I didn't see any of the other client-side attacks being launched. Not sure what the issue is. I'm going to try it with a known vulnerable version of IE6 and see if I can get some better results. First instinct is that the browser enumeration code in browser_autopwn isn't working quite right and is therefore not sending any client-sides out, but I could be wrong.

That's it for now.


Anonymous said...

Hihi~ I followed your example and set up karmetasploit as shown. Everything goes fine, I am able to get DHCP up and it is listening on interface at0, but when my XP client tries to connect, it connects with limited or no connectivity, as the DHCP server does not return any IP to the client. Did I go wrong anywhere? I would appreciate it if you could give any advice. Thanks! =)

CG said...

Check your DHCP leases and make sure the client actually got handed an IP from your DHCP server.

You can also check the Metasploit framework list; there is a thread about karmetasploit there as well.

Post the commands you can and the output and I'll be happy to try to help.

Anonymous said...

Hi.. I did some troubleshooting. I changed the config file, stopped the DHCP server by sending a SIGTERM signal to the dhcp process, and restarted the server again. Then everything works. Thanks for the advice given though, appreciate that =)

CG said...

Cool. Thanks for posting the followup on it.

Anonymous said...

Hi again, now I managed to get karmetasploit up and running and successfully captured all the cookies, DNS, etc. details from the user, but how do I access the karma database from the msf console? Are there other commands other than db_notes, db_connect, db_destroy, db_create and db_disconnect? Or do I have to connect directly via sqlite3? Thanks a lot man! Cheers~!

Anonymous said...

Hi~, I have some updates:

Stumbled upon the Metasploit blog and realised they have these instructions for launching metasploits, so I followed their instructions and managed to match exploits and launch an attack on a client computer (port 445) running XP, but at the last moment my Windows XP client (SP2) displays a "Generic Host Process for Winn32 Services" error and my attacker PC (msfconsole) shows an error (Timed out) in connecting to SMB services. Is there any reason why this happens? Hehe, I very much like your blog, it has gotten me in the right direction. Thanks =)

Kosis said...

Another thing that makes the connection more stable (between the connecting client and the attacker machine) is if you use airodump-ng to find out which wireless channel existing APs aren't currently using, then use airmon-ng to set your wireless card to a specific channel. (This prevents it from switching channels every half-second and dropping all connected clients. Some clients can't even connect if your fake AP is channel hopping, such as the iPod touch and XP machine used for testing.) For some reason this fixed all of my issues with connecting and the entire thing working, except that sqlite3-ruby won't install for me at all.

I currently get
Building native extensions. This could take a while…
ERROR: Error installing sqlite3-ruby:
ERROR: Failed to build gem native extension.
when I try to install it. activerecord installs perfectly, yet this one is giving me problems.

Any ideas?

Anonymous said...

Hi CG,

This tute still stands up after several years, excellent work.

Do you have any follow-up blogs on bridging, for those who are multi-homed? I know it can be done with iptables, but I'd like to read an experienced user's thoughts on it, notably what other connectivity you might kill off when starting iptables if you weren't already running it!

I often perform wi-fi MITM as part of pen tests, though usually I have to use vetted tools (IMPACT).

Keep up the excellent work, man ;)