Jump to content

How does karma attack work on multiple devices in the same time?


Recommended Posts

Like when you open the network manager(the wifi list ) in the attacked devices while the attack is on you see different fake networks on each device which is normal as it responds to the devices saved ssids probs .. the thing is when you click on any of these fake networks on multiple devices each device connect to a unique ssid .. how is that possible while to launch multiple ssids at the same time you need different mac addresses the normal router have 2 or 4 max and can't launch more than these numbers to ssids ... how is a single wireless adapter able to launch more than 4 ssids at the same time ? does it really launch them or just fake them during the connection in some way so all of them be connected to one real ssid and one mac

 
Link to post
Share on other sites

The software creates the wireless packets that are sent out and so it can put whatever value it wants in the BSSID (MAC) address field. If it wanted to increment the value for every packet it could do it.

Your router is only limited because it's software is limited, no other reason.

Link to post
Share on other sites
5 hours ago, digininja said:

The software creates the wireless packets that are sent out and so it can put whatever value it wants in the BSSID (MAC) address field. If it wanted to increment the value for every packet it could do it.

@digininjahmm... so no need to change the mac address of the device before launching each fake ap .... and it's all done on the air ?

 

So what's the max number of fake aps that a single adapter can make while still being able to connect to them for sure ... 

Link to post
Share on other sites

A single BSSID can support multiple ESSIDs so you can put up as many ESSIDs as you want on an AP. The maximum would be dependant on your hardware's ability to handle the throughput and the network traffic. A rubbish little home router may be maxed out with 10 connections, an expensive commercial AP may be able to handle 100.

  • Like 1
Link to post
Share on other sites
19 minutes ago, digininja said:

A single BSSID can support multiple ESSIDs so you can put up as many ESSIDs as you want on an AP. The maximum would be dependant on your hardware's ability to handle the throughput and the network traffic.

@digininja didn't know that ....

By hardware ability you mean the device or the adapter ? 

 

Also is there any guide about performing this manually  ? ( prob collecting from clients on a target ap - launching all these collected probs )

 

Thanks for your answer.

 

Edited by mooooon
Link to post
Share on other sites
Quote

By hardware ability you mean the device or the adapter ? 

Whatever is acting as the AP as it is that that is sending out the ESSIDs and having clients connect to it.

 

Quote

Also is there any guide about performing this manually  ? ( prob collecting from clients on a target ap - launching all these collected probs )

what exactly is it you want to do?

Link to post
Share on other sites
7 minutes ago, digininja said:

Whatever is acting as the AP as it is that that is sending out the ESSIDs and having clients connect to it.

Still didn't get the answer.... my pc is acting as ap through my wifi adapter and my wifi adapter is having clients connect to it through the processing of my pc to the requests.... so ... ? 

9 minutes ago, digininja said:

what exactly is it you want to do?

I am looking for a bit complicated thing .... but for now i just want to know the procedures to collect the prob requests ( i know about aircrack but it provides no option for extracting the collected probs only) by monitoring the clients on an AP ... then use these collected probs to launch fake aps that the clients would automatically connect to them (i know about hostapd but for making a one ap only ... would  i just keep fedding it the new ssids with the conf and everything ) ... sure mdk3 would be involved ... also all of this must happen on a single channel , right ?

 

And i wanna make sure that all the clients that was connected to the real ap are/have connected to my fake aps before exiting the attack.

Link to post
Share on other sites
4 minutes ago, mooooon said:
26 minutes ago, digininja said:

Whatever is acting as the AP as it is that that is sending out the ESSIDs and having clients connect to it.

Still didn't get the answer.... my pc is acting as ap through my wifi adapter and my wifi adapter is having clients connect to it through the processing of my pc to the requests.... so ... ? 

If your PC, with attached wifi adaptor, is acting as the AP, then it is down to what your PC, with attached wifi adaptor, can handle. If you have a cheap little AP that has very limited throughput, then you won't be able to do much before it is flooded, if you have a top of the range adaptor, then then it will handle more. If you have a really old 486 PC, it will handle less than a top end i9.

For putting up fake APs, you can probably do it with other tools now, but the way I would do it is with custom modified hostapd, this will respond to any ESSID requested.

https://digi.ninja/karma/

I've not maintained that for many years though, so you'd have to find a patch for the current hostapd. I assume that the current Pineapples are still running it, again, I've not looked since I stopped working on them after version 2.

Link to post
Share on other sites
6 hours ago, digininja said:

For putting up fake APs, you can probably do it with other tools now, but the way I would do it is with custom modified hostapd, this will respond to any ESSID requested.

https://digi.ninja/karma/

I've not maintained that for many years though, so you'd have to find a patch for the current hostapd. I assume that the current Pineapples are still running it, again, I've not looked since I stopped working on them after version 2.

Great ... thanks for the informative answers .... but how can i use the tool on cleints from a specific network .... the default option in the tool is more like passive.

Link to post
Share on other sites
1 minute ago, digininja said:

You can dynamically add and remove ESSIDs with the client app.

Target essid ?  To monitor prob requests from its clients ? 

 

Or ssids to launch ...

Which app do you mean? 

Link to post
Share on other sites

Do some research on how hostapd and it's client works. Get it installed and play with it just on its own with any attacks. After that you'll understand more.

Link to post
Share on other sites
6 minutes ago, digininja said:

Do some research on how hostapd and it's client works. Get it installed and play with it just on its own with any attacks. After that you'll understand more.

I know how to launch an app using it ...  but what i am looking for is a combination of airodump-ng --bssid "target ap mac"  output probs -> probs.txt 

 

Hostapd.conf

Essid : cat probs.txt

I don't think that can be figured out while playing .. also i tried searching but it didn't help much that's why i am mentioning this here.

Edited by mooooon
Link to post
Share on other sites
7 minutes ago, digininja said:

Have you used the hostapd client? Have you used the patched version I wrote? Have you investigated either of them?

Hi easy on me 😅 ... i used the hostspd client before but just the basics from an online guide .... amd what do you mean by investigating?  I tried google what else there is to do after googling ? ... i wouldn't post here if i found an answer to how karma work on multi devices on the same time .... your answer " an mac can launch as many ssids as it wants"  i couldn't find anything like this on the web  .... just 4 ssids for a router blah blah.

 

Anyway thanks for your answers

I think i will try a mixed solution an read script/tool to collect probs from a selected ap (as aircrack can't seem to provide an option of doing it directly) and hostapd to lunch them.

 

Thanks again and sorry if bothered you 😕

Link to post
Share on other sites

If you understand how the client app works and look at my patches you will see that I added a way to dynamically add ESSIDs to the list that hostapd supports, using that, you can take your list and add as many as you like one the AP is up and running.

 

And for investigate, use the tool, understand how it interacts and how it can make changes on the fly. Read about Karma, Dino posted stuff when he invented it, I published quite a bit when o took over, Hak5 have done plenty of videos on it, Security Tube has a full module on WiFi attacks which includes Karma style attacks.

Link to post
Share on other sites
3 minutes ago, digininja said:

you can take your list and add as many as you like one the AP is up and running.

Yup .. my problem was getting the list from a specific ap not passive.

 

4 minutes ago, digininja said:

And for investigate, use the tool, understand how it interacts and how it can make changes on the fly. Read about Karma, Dino posted stuff when he invented it, I published quite a bit when o took over, Hak5 have done plenty of videos on it, Security Tube has a full module on WiFi attacks which includes Karma style attacks.

Thanks again i will try and check them 🙂

Link to post
Share on other sites

From a specific AP, just sniff traffic around it and watch for matching or very similar BSSIDs. If it is broadcasting beacons then you'll get them straight away, if it isn't you'll just have to watch traffic.

Link to post
Share on other sites
2 minutes ago, digininja said:

From a specific AP, just sniff traffic around it

From a specific AP clients ... what after sniffing ? I think extracting prob requests from a pcap file would be a bit complicated.

Edited by mooooon
Link to post
Share on other sites

You are mixing terms up here, you said you wanted a list from an AP. That is the access point and it will often have a small set of ESSIDs that it will accept.

You are now mentioning a list from a client, that can have many more ESSIDs in its PNL. If you want those, you have to listen for probe requests.

What is it you are ultimately trying to achieve?

Link to post
Share on other sites
3 minutes ago, digininja said:

You are mixing terms up here, you said you wanted a list from an AP. That is the access point and it will often have a small set of ESSIDs that it will accept.

Prob requests from an ap ... would that make sense ?  

3 minutes ago, digininja said:

You are now mentioning a list from a client, that can have many more ESSIDs in its PNL. If you want those, you have to listen for probe requests.

Yeah and previously up there ... listen using what?  Aircrack doesn't provide an option for probes listening only.

 

5 minutes ago, digininja said:

What is it you are ultimately trying to achieve?

Ah... mostly 

Karma + mdk3 to get them to auto connect

Then 

Dnsmasq + apache + iptables to get the captive portal to pop up 

Then php to log useragents into a txt file.

 

And later i may try something more advanced.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...