KARMETASPLOIT, Pwning the Air!
I’ve used this software before during penetration tests, and it can be a very valuable tool in your toolbox.
Wireless networks have become very common in today’s world; people are used to being connected to wireless networks in the office, at home, in coffee shops, etc.
To make connecting to a wireless network easier, most operating systems remember previously connected networks (often stored in a Preferred Networks List) and send continuous probe requests looking for them. Once one of these networks is found, the system automatically connects to it.
If more than one of the probed networks is found, the client connects to the one with the highest signal strength (though this varies with the operating system). Since clients send these probes continuously, anyone within radio range can listen passively and see which networks a client is probing for.
Because of weaknesses in how these reconnection algorithms are implemented, it is possible for an attacker to set up a custom station (access point) that answers those probes and have the victim connect to it. Once the victim is connected to the fake AP, the attacker has IP-level connectivity to the victim and can launch a range of attacks against it.
Dino Dai Zovi and Shane Macaulay, two security researchers, wrote a set of wireless security tools as a proof of concept for this vulnerability and called it Karma.
It was later integrated with Metasploit as Karmetasploit: when a victim connects to the fake AP, Karmetasploit launches all the suitable attacks available in the Metasploit framework against the victim. Karmetasploit also implements various evil services (DNS, POP3, FTP, SMB, etc.) and responds to the client’s requests for them. That way, we can also capture passwords and other credentials.
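As an added example (not code from the original post or from the Karma/Metasploit projects), here is a small detection script for the behaviour described above: an access point that answers probe requests for many different SSIDs. It assumes probe frames have already been captured and reduced to simple tuples; the capture records below are constructed.

```python
"""Flag KARMA-style rogue access points from 802.11 probe traffic.

Added example, not part of the original post or of Karma/Metasploit.
Assumes frames were already captured (e.g. from a monitor-mode
interface) and reduced to (frame_type, station_mac, bssid, ssid).
"""
from collections import defaultdict

# Constructed sample: two stations probing for remembered networks,
# one honest AP that only answers its own SSID, and one AP that
# answers every SSID it is asked for (the behaviour Karma relies on).
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", None,                "HomeWifi"),
    ("probe_req",  "aa:aa:aa:00:00:01", None,                "CoffeeShop"),
    ("probe_req",  "aa:aa:aa:00:00:02", None,                "OfficeNet"),
    ("probe_resp", "aa:aa:aa:00:00:01", "00:11:22:33:44:55", "CoffeeShop"),
    ("probe_resp", "aa:aa:aa:00:00:01", "de:ad:be:ef:00:01", "HomeWifi"),
    ("probe_resp", "aa:aa:aa:00:00:01", "de:ad:be:ef:00:01", "CoffeeShop"),
    ("probe_resp", "aa:aa:aa:00:00:02", "de:ad:be:ef:00:01", "OfficeNet"),
]


def probed_ssids(frames):
    """Map each station MAC to the set of SSIDs it probed for."""
    out = defaultdict(set)
    for ftype, sta, _bssid, ssid in frames:
        if ftype == "probe_req" and ssid:
            out[sta].add(ssid)
    return out


def ssids_answered(frames):
    """Map each responding BSSID to the set of SSIDs it claimed to be."""
    out = defaultdict(set)
    for ftype, _sta, bssid, ssid in frames:
        if ftype == "probe_resp" and bssid:
            out[bssid].add(ssid)
    return out


def suspect_bssids(frames, threshold=2):
    """BSSIDs that answered probes for at least `threshold` distinct SSIDs.

    A legitimate AP advertises one (or a few) SSIDs; an AP that claims
    to be every network clients ask for is the Karma signature."""
    return sorted(b for b, s in ssids_answered(frames).items()
                  if len(s) >= threshold)


if __name__ == "__main__":
    for b in suspect_bssids(FRAMES):
        print("suspect rogue AP:", b, sorted(ssids_answered(FRAMES)[b]))
```

The threshold is deliberately low for the sample; on a real capture, raise it and compare each BSSID's claimed SSIDs against the SSIDs it actually beacons.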