KARMA + Metasploit 3 == Karmetasploit
In 2004 Dino Dai Zovi and Shane Macaulay presented All Your Layer Are Belong To Us at PacSec in Tokyo. The presentation focused on the insecure behavior of wireless clients. Accompanying it was a tool called KARMA (KARMA Attacks Radioed Machines Automatically). KARMA acts as a wireless access point and responds to every probe request it sees from wireless clients. Once a client has associated with the KARMA access point, every service it tries to reach leads to a malicious application. The services side of KARMA was written in Ruby, making it a natural fit for integration with version 3 of the Metasploit Framework.
The original version of KARMA depended on a modified version of the MADWIFI driver for Atheros-based wireless cards. While this approach works, it limits the types of network cards that can be used and requires ongoing effort to maintain the patch against the latest MADWIFI source. To remedy this, the Aircrack-NG developers (specifically hirte) developed a user-mode access point that works with any wireless card that supports monitor mode and injection. This tool is called 'airbase' and was included in the 1.0rc1 release of Aircrack-NG. Not only does airbase remove the hardware limits of a patched MADWIFI driver, it is also much easier to modify and extend with new features. The Metasploit staff contributed a patch to airbase that adds multiple ESSID beaconing, the option to temporarily beacon ESSIDs seen in probe requests, the ability to tune the beacon interval, and an option to force promiscuous mode (respond to all probes) regardless of whether an ESSID has been specified. The result is a powerful replacement for the MADWIFI patch that can lure in a much wider range of wireless clients.
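The behavior described above (one BSSID beaconing several ESSIDs and answering probe requests for any name) is also what makes such an access point visible to a monitor. The following Python script is an added example written for this post; it is not part of KARMA, airbase or Metasploit. It runs over a constructed list of simplified 802.11 management frame records (in practice these would be parsed from a monitor-mode capture) and flags BSSIDs that beacon more than one SSID or that reply to most of the distinct SSIDs clients probed for. The thresholds are assumptions chosen for illustration.

```python
"""
Detect KARMA-style access point behaviour from captured 802.11
management frames.  Added example for this post, not part of KARMA,
airbase or Metasploit.  The frame records are constructed; in practice
they would come from a monitor-mode capture parsed by a tool such as
scapy (assumed integration, not shown).
"""
from collections import defaultdict

# Constructed capture: each record is a simplified management frame.
# 'probe_req' carries the SSID a client asked for; 'probe_resp' and
# 'beacon' carry the SSID an AP advertises under its BSSID.
SAMPLE_FRAMES = [
    # A legitimate AP beaconing one network and answering only for it.
    {"type": "beacon",     "bssid": "00:11:22:33:44:55", "ssid": "CoffeeShop"},
    {"type": "probe_req",  "client": "aa:bb:cc:00:00:01", "ssid": "CoffeeShop"},
    {"type": "probe_resp", "bssid": "00:11:22:33:44:55", "ssid": "CoffeeShop"},
    # Clients probing for networks from their preferred-network lists.
    {"type": "probe_req",  "client": "aa:bb:cc:00:00:02", "ssid": "HomeNet"},
    {"type": "probe_req",  "client": "aa:bb:cc:00:00:01", "ssid": "linksys"},
    {"type": "probe_req",  "client": "aa:bb:cc:00:00:03", "ssid": "attwifi"},
    # A second BSSID that answers every probe, whatever the SSID, and
    # beacons several of them: the pattern promiscuous probe responses
    # and multi-ESSID beaconing produce.
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "linksys"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "attwifi"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:01", "ssid": "CoffeeShop"},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet"},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "linksys"},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "attwifi"},
]


def analyze_frames(frames, max_beacon_ssids=1, min_probe_match_ratio=0.75):
    """Return {bssid: [finding, ...]} for BSSIDs showing KARMA-like behaviour.

    Two heuristics (thresholds are assumptions for this example):
      * multi-ssid-beacon: one BSSID beacons more distinct SSIDs than
        max_beacon_ssids.  Real APs normally beacon one SSID per BSSID.
      * answers-any-probe: one BSSID sends probe responses for at least
        min_probe_match_ratio of all distinct SSIDs clients probed for.
        A hidden-SSID AP answers only for its own name, so it stays below
        the ratio once several different networks are being probed.
    """
    beaconed = defaultdict(set)    # bssid -> SSIDs seen in beacons
    responded = defaultdict(set)   # bssid -> SSIDs seen in probe responses
    requested = set()              # every SSID any client asked for

    for f in frames:
        if f["type"] == "beacon":
            beaconed[f["bssid"]].add(f["ssid"])
        elif f["type"] == "probe_resp":
            responded[f["bssid"]].add(f["ssid"])
        elif f["type"] == "probe_req" and f["ssid"]:
            requested.add(f["ssid"])

    findings = defaultdict(list)
    for bssid, ssids in beaconed.items():
        if len(ssids) > max_beacon_ssids:
            findings[bssid].append(
                f"multi-ssid-beacon: {len(ssids)} SSIDs {sorted(ssids)}")
    # Require a few distinct probed SSIDs before judging the ratio, so a
    # capture with a single probed name cannot trigger the heuristic.
    if len(requested) >= 3:
        for bssid, ssids in responded.items():
            matched = ssids & requested
            if len(matched) / len(requested) >= min_probe_match_ratio:
                findings[bssid].append(
                    f"answers-any-probe: replied for {len(matched)} of "
                    f"{len(requested)} probed SSIDs")
    return dict(findings)


if __name__ == "__main__":
    for bssid, notes in analyze_frames(SAMPLE_FRAMES).items():
        print(bssid)
        for note in notes:
            print("  -", note)
```

On the constructed capture the legitimate AP produces no findings, while the second BSSID trips both heuristics. A wireless IDS would add the usual context (signal strength, channel, vendor OUI, and whether the BSSID belongs to the site's own inventory) before acting on such a flag.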
With the access point working, the next requirement was a set of "evil" network services. These include a DNS daemon that responds to all requests, a POP3 service, an IMAP4 service, an SMTP service, an FTP service, a couple of different SMB services, and, most importantly, a web service. The modules can be found under the auxiliary/server module subdirectory in the development version of the Metasploit Framework. Every DNS lookup returns the IP address of the access point, producing a blackhole effect for all email, web, and other network traffic.
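From the client side, the blackhole DNS described above has a recognisable signature: every name, including names that cannot exist, resolves to one and the same address. The Python check below is an added example for this post, not code from Metasploit; a resolver callable is injected so it runs offline with two constructed resolvers, and on a real host it would be wrapped around socket.gethostbyname or a DNS library (assumed integration, not shown). The reference hostnames and addresses are constructed for the example.

```python
"""
Client-side check for a blackhole DNS resolver of the kind described in
the post: one that answers every lookup with the access point's address.
Added example, not Metasploit code.  `resolve` is any callable mapping a
hostname to an IP string, or None when the name does not resolve.
"""
import random
import string

# Names a client is likely to look up anyway (constructed for the example).
REFERENCE_NAMES = ["www.example.com", "mail.example.net", "updates.example.org"]


def random_nonexistent_name():
    """A random label under the reserved .invalid TLD (RFC 2606), which no
    honest resolver will ever answer; a wildcard resolver still will."""
    label = "".join(random.choices(string.ascii_lowercase, k=20))
    return f"{label}.invalid"


def check_resolver(resolve, names=REFERENCE_NAMES):
    """Describe whether `resolve` behaves like a blackhole resolver.

    Two signals:
      * wildcard:  a random .invalid name resolves at all.
      * collapsed: every reference name resolves to one identical address.
    Either alone is suspicious; the combination is the pattern the post
    describes (all lookups -> the access point).
    """
    answers = {n: resolve(n) for n in names}
    bogus = random_nonexistent_name()
    answers[bogus] = resolve(bogus)

    wildcard = answers[bogus] is not None
    distinct = {ip for n, ip in answers.items() if n != bogus and ip}
    collapsed = len(names) > 1 and len(distinct) == 1
    return {
        "wildcard": wildcard,
        "collapsed": collapsed,
        "sinkhole_ip": next(iter(distinct)) if collapsed else None,
        "suspicious": wildcard or collapsed,
        "answers": answers,
    }


# Constructed resolvers standing in for the two environments.
def honest_resolver(name):
    """Distinct answers per name; NXDOMAIN for anything unknown."""
    table = {
        "www.example.com": "192.0.2.10",
        "mail.example.net": "192.0.2.20",
        "updates.example.org": "192.0.2.30",
    }
    return table.get(name)


def blackhole_resolver(name):
    """Every name resolves to the access point (constructed address)."""
    return "10.0.0.1"


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver),
                            ("blackhole", blackhole_resolver)):
        result = check_resolver(resolver)
        print(label, "suspicious" if result["suspicious"] else "clean",
              result["sinkhole_ip"])
```

One caveat: captive portals on legitimate hotspots intercept DNS the same way until the user has signed in, so a positive result means "this network is rewriting DNS", not specifically "this is a KARMA access point". The practical response is the same in both cases: treat the network as untrusted and do not let mail, file-sharing or other clients authenticate over it until name resolution behaves normally.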