“KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.” -http://theta44.org
Download latest stable code from:
We will cover the following:
- Installing KARMA
- Using KARMA (discovery)
- Using KARMA (Rogue Services)
Installing KARMA: (the number following karma may be different)
tar zxvf karma-20060124.tar.gz
cp src/misc/madwifi.patch /root
patch -p0 < madwifi.patch
ln -s /sbin/iwconfig /usr/sbin/iwconfig
ln -s /sbin/iwpriv /usr/sbin/iwpriv
ln -s /sbin/iwevent /usr/sbin/iwevent
yum install ruby
(answer “y” when prompted).
Using KARMA (discovery):
(cd ./src/ && make) && ./src/karma ath0
“This display will list wireless clients in range and the networks they send probe requests for. This reveals the entries in their preferred networks list.” -http://theta44.org
KARMA runs in stealth mode so basic wireless scanning activity (e.g. Netstumbler) will not detect the servers presence.
Using KARMA (Rogue Services):
KARMA also provides a number of other configurations stored in karma-20060124/etc
karma-scan.xml – “Attempts to find insecure wireless clients that will associate to rogue network and possibly obtain IP address via DHCP”. -http://theta44.org
Now the rogue services are started any probing clients will now connect to KARMA on our machine whichever SSID their machine chooses to use.
Above we can see the client received the IP address 169.254.0.254 from KARMA’s DHCP server.
karma.xml – “Runs a rogue base station with DHCP, DNS and HTTP services. The HTTP service re-directs all requests to the ExampleWebExploit module that displays a simple HTML page. This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc” -http://theta44.org
KARMA is now offering a variety of services (POP, FTP and HTTP) for any curious user to connect up to.
Above we can see an attempted FTP connection to www.mysecretwebsite.com which actually was received by KARMA and the users credentials – username = myusername and password = mypassword were capture by KARMA.
karma-lan.xml – “This configuration runs a rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to ExampleWebExploit module that displays simple HTML page” -http://theta44.org
The karma-lan.xml configuration file provides you with all the features (e.g. to capture POP, FTP and HTTP traffic) of karma.xml but for a wired interface.