KARMA

KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.

KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for ‘linksys’, it is ‘linksys’ to them (even while it may be ‘tmobile’ to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
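The two behaviours described above, clients broadcasting their preferred networks in Probe Requests and a single access point answering probes for every SSID, are both visible on the air, so a defender can look for them in a management-frame capture. The following is an added detection example written for this page; it is not part of the KARMA tools or Karmetasploit. It operates on a constructed, simplified record format (one dict per captured frame with only the fields the detector needs); in practice those fields would come from a monitor-mode sniffer, and the threshold is an assumption to tune per environment.

```python
"""Spot KARMA-style 'answers to every SSID' behaviour in 802.11 frames.

Added example for this page (not the original KARMA software). Input is a
constructed list of simplified frame records; a real deployment would feed
it fields parsed from a monitor-mode capture.
"""
from collections import defaultdict

# Constructed sample capture. Real frames carry many more fields; only
# frame type, transmitter address and the SSID element are kept here.
SAMPLE_FRAMES = [
    {"type": "probe-req",  "src": "aa:aa:aa:aa:aa:01", "ssid": "linksys"},
    {"type": "probe-req",  "src": "aa:aa:aa:aa:aa:01", "ssid": "tmobile"},
    {"type": "probe-req",  "src": "aa:aa:aa:aa:aa:02", "ssid": "corpnet"},
    # One BSSID answers every probed name: the KARMA pattern.
    {"type": "probe-resp", "src": "00:11:22:33:44:55", "ssid": "linksys"},
    {"type": "probe-resp", "src": "00:11:22:33:44:55", "ssid": "tmobile"},
    {"type": "probe-resp", "src": "00:11:22:33:44:55", "ssid": "corpnet"},
    # A normal AP: beacons one SSID and answers probes only for that SSID.
    {"type": "beacon",     "src": "66:77:88:99:aa:bb", "ssid": "cafe-wifi"},
    {"type": "probe-resp", "src": "66:77:88:99:aa:bb", "ssid": "cafe-wifi"},
]


def ssids_answered_by_bssid(frames):
    """Map each responding BSSID to the set of SSIDs it has claimed to be."""
    claimed = defaultdict(set)
    for f in frames:
        if f["type"] == "probe-resp" and f["ssid"]:
            claimed[f["src"]].add(f["ssid"])
    return claimed


def ssids_beaconed_by_bssid(frames):
    """Map each BSSID to the SSIDs it actually advertises in beacons."""
    advertised = defaultdict(set)
    for f in frames:
        if f["type"] == "beacon" and f["ssid"]:
            advertised[f["src"]].add(f["ssid"])
    return advertised


def find_karma_candidates(frames, threshold=2):
    """Return BSSIDs that look like a KARMA-style AP, sorted.

    Two signals are combined: the BSSID answered probe requests for more
    than `threshold` distinct SSIDs (a legitimate AP answers for its own
    few networks, a KARMA AP answers for whatever is asked), or it
    answered for an SSID it never beaconed. `threshold` is an assumed
    tuning value, not something the KARMA tools define.
    """
    claimed = ssids_answered_by_bssid(frames)
    advertised = ssids_beaconed_by_bssid(frames)
    suspects = set()
    for bssid, ssids in claimed.items():
        if len(ssids) > threshold:
            suspects.add(bssid)
        if ssids - advertised.get(bssid, set()):
            suspects.add(bssid)
    return sorted(suspects)


def clients_leaking_pnl(frames):
    """Map client MAC -> sorted SSIDs it probed for.

    This is exactly what the KARMA sniffing tools harvest: the client's
    preferred network list broadcast in the clear. A defender uses the
    same view to find devices that should have auto-join disabled.
    """
    probed = defaultdict(set)
    for f in frames:
        if f["type"] == "probe-req" and f["ssid"]:
            probed[f["src"]].add(f["ssid"])
    return {mac: sorted(ssids) for mac, ssids in probed.items()}


if __name__ == "__main__":
    for bssid in find_karma_candidates(SAMPLE_FRAMES):
        print(f"suspect AP {bssid}: answers for "
              f"{sorted(ssids_answered_by_bssid(SAMPLE_FRAMES)[bssid])}")
    for mac, ssids in clients_leaking_pnl(SAMPLE_FRAMES).items():
        print(f"client {mac} probes for {ssids}")
```

The beacon cross-check matters as much as the count: an access point that answers a probe for a name it never beacons is behaving like the patched driver the page describes, regardless of how many SSIDs it has been asked for so far. Directed probe requests for hidden networks will also trip the beacon check, so those SSIDs need an allow-list in a real deployment.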

Thanks to some great work by HD Moore, KARMA now lives on in the modern era as Karmetasploit. Karmetasploit is an integration of parts of KARMA and its ideas into the Metasploit framework. Karmetasploit is your best option for running KARMA these days, but the original KARMA software written by Dino Dai Zovi and Shane Macaulay is also available below. For an in-depth description of the KARMA attacks against wireless clients, see the whitepaper and presentations below.

Docs:

Presentations:

  • All Your Layer Are Belong To Us
    PacSec.JP 2004, November 2004, Tokyo, Japan.
    [ slides ]
  • All Your Layer Are Belong To Us
    CanSecWest/core05, May 2005, Vancouver, Canada.
    [ slides ]
  • Attacking Automatic Wireless Network Selection
    IEEE Information Assurance Workshop, June 2005, West Point, NY.
    [ slides ]

Software: