Use of Karmetasploit Technique During a Pentest


I have been playing a lot with airbase in the lab and one if the things that I first noticed while testing this technique as specified in the karmetasploit wiki is that we are setting the machine to attack any wireless client in the area, this may have legal implications during a valid pentest and may result in criminal actions if one is not careful. There are ways to minimize this risk and this is the way I see it, first we need to assess the are and identify all AP of the client and their SSIDs this cam be done using airodump-ng:


wlanconfig ath0 destroy

airmon-ng start ath0

airodump-ng -b bg -a ath0


in the example I'm showing it running with an Atheros card. First we set the card in monitor mode then we are using the "-b" switch so we can scan both b and g and "-a" so we get only a list of only associated clients, the main reason we want associated clients is because we only want to target those that are connected to the access points of the company that we have been contracted to pentest that way we can minimize the risk of attacking the wrong target. The best time I would recommend for this reconoissance is during the early hours in the morning this is when most user will arrive at the office and turn on their laptops, preferably Mondays since it is the day that most mobile workers tend to go to the office. An example output is the following:


CH 14 ][ Elapsed: 2 mins ][ 2008-10-02 00:01 ][ WPA handshake: 00:0C:85:71:6C:2C
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:0C:85:71:6C:2C 78 98 38 0 3 11. WPA TKIP PSK target
00:30:BD:F3:3E:35 -1 0 0 0 11 -1 <length: 0>

BSSID STATION PWR Rate Lost Packets Probes
00:0C:85:71:6C:2C 00:13:E8:80:04:4F 93 11-11 0 28 target
00:0C:85:71:6C:2C 00:21:E9:B0:AC:B2 81 11- 2 50 26 target
00:0C:85:71:6C:2C 00:21:E9:A5:A2:04 79 0- 2 13 93 target,linksys,belking54g
00:30:BD:F3:3E:35 00:1C:B3:BF:61:70 38 0- 5 0 3

as we can see 3 clients are associated to the target ESSID. This are
00:13:E8:80:04:4F
00:21:E9:B0:AC:B2
00:21:E9:A5:A2:04

we place this mac addresses inside a text file one per line. We can call this file targets.txt, once we have them in the text file we will use it as a filter for airbase-ng. the command would be as follows:
airbase-ng -P -C 30 -D /root/targets.txt -e "target" -v ath0
The -P option will create a softap that will respond to all probes regardless of the ESSIDs specified, the -C option will indicate the amount of time that the ESSIDs seen will be beaconed, -D will indicate the file of mac addresses that will be used as filters for the connection and -e will specify an ESSID to broadcast by default and -v will be verbose output followed by the interface that is in monitor mode. This will generate the at0 tun interface that we will use with dhcpd and Metasploit to continue the karmetasploit attack. This same concept can be used for other types of attacks and limit those to approved targets.

One important point when conducting this type of attack against a valid target is to use powerful card with a good antenna so as to assure that your machine will be selected instead of the valid AP, I highly recommend the Ubiquity and the Alfa USB high gain with a good yagui antenna.

Tcpdump Filter for CDP

Recently on an engagement I wanted to capture only Cisco Discovery Protocol (CDP) packets so as to passively enumerate Cisco equipment and I decided to share the filter I used:

sudo tcpdump -nn -v -i en0 -s 1500 'ether[20:2] == 0x2000'
Password:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:41:35.971435 CDPv2, ttl: 180s, checksum: 692 (unverified), length 334
Device-ID (0x01), length: 8 bytes: 'ap1.home'
Version String (0x05), length: 231 bytes:
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEB1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 20:51 by dchih
Platform (0x06), length: 26 bytes: 'cisco AIR-AP1230A-A-K9 '
Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.250
Port-ID (0x03), length: 13 bytes: 'FastEthernet0'
Capability (0x04), length: 4 bytes: (0x00000002): Transparent Bridge
Duplex (0x0b), length: 1 byte: full
power consumption (0x10), length: 2 bytes: 8.50W

I hope that it's useful to anyone who might need it during a pentest or troubleshooting a network.

Airport's and Karmetasploit

I recently had to go to several Central American countries to do some consulting work, while waiting for a connecting flight at the Panama airport I notice a wallpaper that was very familiar to me, the Backtrack3 Default wallpaper and even more familiar what was running on a terminal window, it was karmetasploit I watched for a while as the kid was gathering info from unsuspecting people, as I saw from my seat I could make passwords from tweeter account from people using their iphones, I even saw the kid saving the cookies and using them on Firefox by pasting them on a extension installed on his browser, I could see all of this since he was not being careful and putting his back to one of the walls, I was sitting right behind the kid and he didn't even noticed. So guys be careful with what your browser and machines sends automatically in wifi networks you might never know who is next to you just waiting for you to fire up your browser, a good recommendation have wireshark run on your laptop while you connect to your wireless at home and see if it is sending any info it should not be sending out, be careful out there scripkiddies are everywhere.

Palin's Yahoo Mail Attack

I have been reading about the the way the crackers from Anonymous got access to her email account, I was surprised to find out that you can reset the password of an account with zip code and date of birth, one should consider using fake information for when one is asked for this information. With tools like Maltego out there profiling a person and their presence in the internet is extremely easy.

Is the iPhone helping with the Bad Password Problem?

Well it has been a long time since my last blog, no excuses here. In this long time I finally got and iPhone and I have really love the user experience in this device but it has gotten me thinking, is the iphone helping with the problem of users chossing bad passwords? since it does not have copy paste and entering a long complex password starts becoming a problem I have seen many friends choosing porr passswords, specially since the iphone does not come by default with a good password manager nor copy and paste, on can use third party apps like 1password but still I do feel that the iphone is adding to this problem. what do you think?