I just posted the first public documentation on Karmetasploit. This project is a combination of Dino Dai Zovi and Shane Macaulay's KARMA and the Metasploit Framework. The result is an extremely effective way to absorb information and remote shells from the wireless-enabled machines around you. This first version is still a proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept outbound email sent over SMTP
- Parse out FTP and HTTP login information
- Steal cookies from large lists of popular web sites
- Steal saved form fields from the same web sites
- Use SMB relay attacks to load the Meterpreter payload
- Automatically exploit a wide range of browser flaws
One of the cool features is the probe-to-beacon code that we submitted as a patch to airbase-ng. Windows XP and Mac OS X systems use probe requests to determine if any of their preferred wireless networks are in range. Windows Vista no longer sends probes; instead, it listens for a beacon containing the name of a preferred network. The new feature of airbase-ng (-C XX) allows one probing client to be used to discover a client that is listening for beacons. This works by rebroadcasting all probed networks as beacons for a short period of time. The result is that all actively probing clients can be used to discover passive clients that are listening for the same network name :-)
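A detection sketch for the rebroadcast behaviour described above, added here as an example and not code from airbase-ng or Metasploit: it flags any transmitter whose beacons repeat several SSIDs that clients probed for moments earlier. The frame tuples, MAC addresses, SSIDs, function name and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample frames (not a real capture):
# (time_s, kind, transmitter_mac, ssid)
FRAMES = [
    (0.0, "beacon",    "00:11:22:33:44:55", "CorpWiFi"),
    (1.0, "probe_req", "aa:aa:aa:aa:aa:01", "HomeNet"),
    (1.2, "beacon",    "de:ad:be:ef:00:01", "HomeNet"),
    (2.0, "probe_req", "aa:aa:aa:aa:aa:01", "CoffeeShop"),
    (2.1, "beacon",    "de:ad:be:ef:00:01", "CoffeeShop"),
    (3.0, "probe_req", "aa:aa:aa:aa:aa:02", "Airport_Free"),
    (3.3, "beacon",    "de:ad:be:ef:00:01", "Airport_Free"),
    (3.5, "probe_req", "aa:aa:aa:aa:aa:02", "CorpWiFi"),
    (4.0, "beacon",    "00:11:22:33:44:55", "CorpWiFi"),
]


def find_probe_echo_aps(frames, echo_window=5.0, min_ssids=3):
    """Return {bssid: sorted SSIDs} for transmitters whose beacons repeat
    at least `min_ssids` distinct SSIDs that a client probed for within
    the preceding `echo_window` seconds (hypothetical thresholds)."""
    last_probe = {}              # ssid -> time of the most recent probe request
    echoed = defaultdict(set)    # bssid -> SSIDs beaconed right after a probe
    for t, kind, mac, ssid in sorted(frames):
        if not ssid:             # wildcard probes carry no network name
            continue
        if kind == "probe_req":
            last_probe[ssid] = t
        elif kind == "beacon":
            probed_at = last_probe.get(ssid)
            if probed_at is not None and t - probed_at <= echo_window:
                echoed[mac].add(ssid)
    # A normal access point echoes at most its own name, so require several.
    return {b: sorted(s) for b, s in echoed.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_probe_echo_aps(FRAMES).items():
        print(f"{bssid} beacons probed names: {', '.join(ssids)}")
```

The legitimate access point in the sample is not flagged because it only ever advertises its own network name, even when a client happens to probe for it.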
Friday, August 8, 2008

5 comments:
Pretty cool, it's aces to see new and good work from the developers of the Metasploit Project all the time, it just proves you're still serious ;)
I will most likely check it out when I have time for it; of course I have already read some about the prerequisites etc.
So it's finally out, ready for use.
Thanks for great work.
Ooh Cool. It would be good to try it.
It's my project for this weekend then.
I would pay all my money to authors of project, but you don't need it. You're masters of world. Thank you 4 work and intelligence. Russia with you.
Yorick, indigo hacker.
and it works on phones! http://www.neopwn.com/kms.html :o