Karma Rogue AccessPoint Offense with badkarma.py
17 Mar 2015
For those that don’t know, karma is a patch applied to hostapd that lets you build a wifi honeypot. The honeypot listens for probe requests, in which devices announce the SSIDs of the preferred hotspots they will auto-join. The honeypot then answers for that SSID, luring in unsuspecting devices. Once a device is on the network, many nasty methods can be used to attempt to compromise the device itself or the data that traverses the access point.
This attack can be detected simply by creating a nonsense SSID and attempting to connect: no legitimate access point can know a name you just made up, so if something accepts the association, it is answering for every SSID it hears.
First, create a nonsense SSID:
atechdad@kali:~# sudo ifconfig wlan1 down
atechdad@kali:~# sudo iwconfig wlan1 essid badkarma
atechdad@kali:~# sudo ifconfig wlan1 up
atechdad@kali:~# sudo iwconfig wlan1
Then check whether we joined. You’ll see we did, because the Access Point field has a MAC address assigned rather than Not-Associated.
wlan0     IEEE 802.11bg  ESSID:"badkarma"
          Mode:Managed  Frequency:2.412 GHz  Access Point: F6:B1:14:6D:AB:01
          Bit Rate=24 Mb/s   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-25 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:8   Missed beacon:0
Here is the view from the attacker’s perspective:
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Checking SSID for start of association, pass through badkarma
KARMA: Successful association of 00:1e:2a:18:26:60
So now we’re on the rogue network, and we know how to find it.
There are a few ways I can think of offhand to defend against this kind of attack.
1. Turn off auto connect.
2. Audit your devices.
3. Add a fake AP with bad network settings to your device. Configure your device to alert on join.
I wouldn’t recommend #3. Without other controls in place, this could open your device up to the attack we’re trying to avoid.
Here’s how to see which SSIDs your devices are probing for:
atechdad@kali:~# sudo airmon-ng start wlan1
atechdad@kali:~# sudo airodump-ng mon0
You’ll see something like this. Pay attention to the second section:
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 (not associated)   XX:XX:XX:XX:XX:F6  -44    0 - 1      0        1
 (not associated)   00:1E:2A:18:26:60  -59    0 - 1     86       11  badkarma
You’ll notice the second section is a list of client devices. Pay attention to the Probe column: it lists the SSIDs each client is asking for, which is exactly what a karma access point will spoof.
badkarma.py is a simple script that works by creating a randomized SSID, joining it, then deauthenticating all connected guests. It was written to run on Kali Linux. At minimum, it requires Python, wireless-tools, the aircrack-ng suite and mdk3 to be present.
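The two checks above, the canary-SSID join and the airodump-ng Probe column audit, can be automated with a small parser. This is an added example and not code from the post or from badkarma.py; the iwconfig and airodump-ng samples are constructed from the captures above (the BSSID and the probing client are the ones shown; the other MAC and the second SSID are made up).

```python
import re

# Constructed sample of `iwconfig` output after trying to join the canary SSID
# (modelled on the capture in the post; the BSSID is the one shown there).
IWCONFIG_ASSOCIATED = '''wlan0     IEEE 802.11bg  ESSID:"badkarma"
          Mode:Managed  Frequency:2.412 GHz  Access Point: F6:B1:14:6D:AB:01
          Bit Rate=24 Mb/s   Tx-Power=20 dBm
'''
# Constructed sample of the same interface with nothing answering the canary.
IWCONFIG_CLEAN = '''wlan0     IEEE 802.11bg  ESSID:"badkarma"
          Mode:Managed  Access Point: Not-Associated
'''
# Constructed sample of the airodump-ng station section: the first MAC is made
# up and the second client probes for two SSIDs (airodump separates them with commas).
AIRODUMP_STATIONS = '''
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 (not associated)   02:11:22:33:44:F6  -44    0 - 1      0        1
 (not associated)   00:1E:2A:18:26:60  -59    0 - 1     86       11  badkarma,coffeeshop_free
'''

ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
BSSID_RE = re.compile(r"Access Point:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
STATION_RE = re.compile(
    r"^\s*(?:\(not associated\)|[0-9A-F:]{17})\s+(?P<station>[0-9A-F:]{17})\s+"
    r"-?\d+\s+\d+\s*-\s*\d+\s+\d+\s+\d+\s*(?P<probes>.*)$")

def karma_check(iwconfig_output, canary_ssid):
    """Return the responding BSSID if the interface associated with the canary
    SSID, else None. No legitimate AP can know a name you just invented, so an
    association means something is answering every probe request it hears."""
    essid = ESSID_RE.search(iwconfig_output)
    if not essid or essid.group(1) != canary_ssid:
        return None
    bssid = BSSID_RE.search(iwconfig_output)
    return bssid.group(1).upper() if bssid else None

def probed_ssids(airodump_output):
    """Map each station MAC to the SSIDs in its Probe column: the networks it
    will auto-join, i.e. the names a karma AP would spoof to lure it."""
    result = {}
    for line in airodump_output.splitlines():
        m = STATION_RE.match(line)
        if m:
            probes = [p.strip() for p in m.group("probes").split(",") if p.strip()]
            if probes:
                result[m.group("station")] = probes
    return result
```

Feed the functions the live output of `iwconfig wlan1` and of an `airodump-ng` dump to spot a karma responder and to audit which of your own devices are still advertising networks they would auto-join.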
atechdad@kali:~/badkarma# ./badkarma.py -i wlan1
[!] Stopping network-manager..
[!] Starting monitor interface..
[!] Monitor active on interface mon0
[!] ESSID is now robesunconnected
[!] Wireless MAC is now 6c:18:c5:21:29:c3
[!] Bad AP EA:BE:1C:E7:C3:A7 found! Adding to blacklist...
[!] Liberation! Disconnecting between: 6C:18:C5:21:29:C3 and: F6:B1:14:6D:AB:01
[!] Liberation! Disconnecting between: XX:XX:XX:XX:XX:XX and: F6:B1:14:6D:AB:01
[!] ESSID is now distilsfinagling
[!] Wireless MAC is now c6:5c:7d:76:f9:a4
^C[!] Cleaning Up...
[!] Deleting blacklist...
[!] Ending deauth...
[!] Stopping monitor interface mon0
[!] Resetting interface wlan1
[!] Starting network-manager...
[!] Exiting..
atechdad@kali:~/badkarma#
Verification of the deauthentication from the attacker’s perspective:
wlan0: mgmt::deauth
wlan0: deauthentication: STA=6c:18:c5:21:29:c3 reason_code=1
wlan0: STA 6c:18:c5:21:29:c3 IEEE 802.11: deauthenticated
wlan0: STA 6c:18:c5:21:29:c3 MLME: MLME-DEAUTHENTICATE.indication(6c:18:c5:21:29:c3, 1)
atechdad@kali:~# git clone https://github.com/atechdad/badkarma.git
atechdad@kali:~# cd badkarma/
atechdad@kali:~/badkarma# ./badkarma.py -i wlan0
This should only be run against access points you have permission to attack. I assume no responsibility for its use and offer no support.
The script was just thrown together to meet my needs. If you make improvements, please contribute back.