2008-10-12

BT3 / Karmetasploit / Alfa update

People have been asking me about how my adventures with Karmetasploit have been going. Well, I have some good news on getting Karmetasploit working on BackTrack 3 with the Alfa AWUS036H USB WiFi Adapter, but it's still not working 100%. This is an update to the quandary I posted a little more than a month ago. It's after 1:00 am and I need to be up bright and early so I have to call it a night. I hope to have more info in the coming week as I get some lab time to put into this project.

What I've got is pretty raw, but this is just as much for our readers as it is for me to document for myself what's worked so far. Out of literally dozens of tries, this is the closest I've come to getting this to work the way I want it.

First and foremost, the version of aircrack-ng that ships with BT3 is old and lacking some functionality that's needed for what I'm trying to do. Among other things, airbase-ng doesn't have the -P option that lets it reply to all probes. This is stuff that's normally handled by the MadWifi drivers when you've got an Atheros adapter. Since the Alfa's using the RTL8187 chipset, we need to rely on airbase-ng. Updating airbase-ng is easy, but if you're running BT3 from CD and without saving changes, you'll have to do it every time. Just snag the latest aircrack-ng source via Subversion and compile it right there in the BT3 environment with the following commands.

svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
cd aircrack-ng
make
make install

Then, airbase-ng will be updated with the functionality needed for karma. Keep in mind that Karma's just the "greedy access point" part that uses probe requests to rope in wireless clients.

Use airmon-ng to enable monitor mode on your Alfa:

airmon-ng start wlan0

I run airbase-ng in its own terminal window and in verbose mode so I can watch as crap scrolls by. If it gives you an error about not being able to create a tap interface, run "modprobe tun" to load the module it's complaining about.

airbase-ng -P -C 30 -e "HiR WiFi Lab" -v wlan0

You should see all probe requests and get messages whenever anyone associates.

In another window, I bring up the at0 interface. I know using a /24 netmask on 10.x.x.x is a sin, but that's how the dhcp configuration comes on BackTrack:

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0

Then we clear the dhcp leases and start the dhcp server:

echo > /var/state/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcpd.conf at0

At this point, I have a computer that's running BackTrack 3, broadcasting as an access point named "HiR WiFi Lab" but will snag any wireless client in range trying to associate to a network, regardless of their SSID. It will issue a DHCP lease and the DNS specified by dhcp will point to the BackTrack 3 box.
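The behaviour just described (one BSSID answering whatever SSID any nearby client probes for) is also the thing a wireless monitor can key on. The script below is an added example written for this post from the monitoring side; it is not part of the original post and not code from aircrack-ng or Metasploit. It assumes 802.11 management frames have already been parsed into simple dicts (the sample list is constructed; a real capture would come from a wireless IDS or a tshark/scapy post-processor), and the reporting threshold `min_ssids` is an assumed default you would tune for your site.

```python
"""Flag Karma-style "greedy" access points from parsed 802.11 management frames.

A normal AP answers probe requests only for the SSIDs it actually serves.
An airbase-ng -P style AP answers every directed probe it hears, so one BSSID
ends up sending probe responses for many unrelated SSIDs, each one matching
the SSID a client had just asked for. This heuristic counts that pattern.
"""
from collections import defaultdict

# Constructed sample frames (not a real capture). Only the fields the
# heuristic needs are kept:
#   type: "probe_req" (client -> broadcast) or "probe_resp" (AP -> client)
#   src:  transmitter MAC (client for requests, BSSID for responses)
#   dst:  addressed client for responses
#   ssid: SSID carried in the frame ("" means a wildcard probe)
SAMPLE_FRAMES = [
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:01", "ssid": "CoffeeShop"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "dst": "aa:aa:aa:00:00:01", "ssid": "CoffeeShop"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:02", "ssid": "HomeNet"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "dst": "aa:aa:aa:00:00:02", "ssid": "HomeNet"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:03", "ssid": "airport-free"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "dst": "aa:aa:aa:00:00:03", "ssid": "airport-free"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:04", "ssid": "HiR WiFi Lab"},
    {"type": "probe_resp", "src": "00:11:22:33:44:55", "dst": "aa:aa:aa:00:00:04", "ssid": "HiR WiFi Lab"},
    # A legitimate AP: answers only for its own SSID, including to wildcard probes.
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:05", "ssid": "OfficeWLAN"},
    {"type": "probe_resp", "src": "66:77:88:99:aa:bb", "dst": "aa:aa:aa:00:00:05", "ssid": "OfficeWLAN"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:06", "ssid": ""},
    {"type": "probe_resp", "src": "66:77:88:99:aa:bb", "dst": "aa:aa:aa:00:00:06", "ssid": "OfficeWLAN"},
]


def find_greedy_aps(frames, min_ssids=3):
    """Return {bssid: sorted list of SSIDs} for APs that echo back probed SSIDs.

    min_ssids is an assumed threshold: a BSSID that answers for at least this
    many distinct, client-requested SSIDs is reported. An AP that legitimately
    serves several SSIDs needs a higher value at your site.
    """
    last_probe = {}               # client MAC -> SSID it most recently asked for
    answered = defaultdict(set)   # BSSID -> SSIDs it echoed back to clients

    for f in frames:
        if f["type"] == "probe_req":
            last_probe[f["src"]] = f["ssid"]
        elif f["type"] == "probe_resp":
            asked = last_probe.get(f.get("dst"))
            # Wildcard (empty SSID) probes are ordinary discovery; every AP
            # answers them with its own name, so they carry no signal here.
            if asked and asked == f["ssid"]:
                answered[f["src"]].add(f["ssid"])

    return {bssid: sorted(ssids)
            for bssid, ssids in answered.items()
            if len(ssids) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_greedy_aps(SAMPLE_FRAMES).items():
        print(f"greedy AP {bssid} answered for {len(ssids)} SSIDs: {', '.join(ssids)}")
```

The check is deliberately stateful per client: a response only counts when it names the SSID that the addressed client just probed for, so an AP that simply beacons several networks is not confused with one that parrots every request. On a busy channel you would also want to expire `last_probe` entries after a short window, since a client's directed probe and a third party's unrelated response can otherwise line up by coincidence.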

Now, to start the "metasploit" part, which should start a fake DNS Server (which makes all services point to the BackTrack 3 box as well) and a bunch of fake services for password grabbing, etc:

/msf3/msfconsole -r /msf3/karma.rc

All the services appear to come up just fine in Metasploit Console, but the fake DNS isn't working. In fact, lots of the fake services aren't working as they should. The fake FTP server, for example, just opens a session and sits idle without prompting for a login. If I point my browser to 10.0.0.1, however, it loads the "evil" cookie-grabbing web page (which consists of a bunch of invisible iframes to grab cookies from several popular domains), but since DNS doesn't work, the pages within the iframes never resolve.

So, I'm a lot closer to having Karmetasploit working with the Alfa on BackTrack, but it seems like there's still a lot of troubleshooting to do. Also, with having to download and re-compile aircrack-ng every time I boot BackTrack on my lab box, I'm thinking I might install BT3 to an old hard drive to make things a little easier.
