atechdad make it so

Karma Rogue AccessPoint Offense with badkarma.py

For those that don’t know, karma is a patch applied to hostapd which allows the creation of a Wi-Fi honeypot. This honeypot listens for probe requests, in which devices announce the SSIDs of the preferred hotspots they auto-join. The honeypot then spoofs the requested SSID, luring in unsuspecting devices. Once a device is on the network, many nasty methods can be used to attempt to compromise the device itself, or the data which traverses the access point.

Detection:
This attack can be detected simply by creating a nonsense SSID, and attempting to connect.

First, create a nonsense SSID:

atechdad@kali:~# sudo ifconfig wlan1 down
atechdad@kali:~# sudo iwconfig wlan1 essid badkarma
atechdad@kali:~# sudo ifconfig wlan1 up
atechdad@kali:~# sudo iwconfig wlan1

Then see if we joined. You’ll see we did, because the Access Point field has a MAC assigned.

wlan0     IEEE 802.11bg  ESSID:"badkarma"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: F6:B1:14:6D:AB:01   
          Bit Rate=24 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-25 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:8   Missed beacon:0

Here is the view from the attacker’s perspective:

KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Probe Request from 00:1e:2a:18:26:60 for SSID 'badkarma'
KARMA: Checking SSID for start of association, pass through badkarma
KARMA: Successful association of 00:1e:2a:18:26:60

So now we’re on the network, and we know how to find it.
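The check above as a script, added here as an example (it is not part of badkarma.py): it reads iwconfig output and reports any BSSID that accepted an association for the made-up SSID. The function name and the second and third samples are constructed for this example; the first sample is the output shown above, trimmed.

```python
import re
import sys

# Sample 1: the iwconfig output shown above, trimmed to the relevant lines.
ASSOCIATED = '''wlan0     IEEE 802.11bg  ESSID:"badkarma"
          Mode:Managed  Frequency:2.412 GHz  Access Point: F6:B1:14:6D:AB:01
          Bit Rate=24 Mb/s   Tx-Power=20 dBm
'''
# Sample 2 (constructed): same made-up SSID, but nothing answered.
UNANSWERED = '''wlan1     IEEE 802.11bg  ESSID:"badkarma"
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
'''
# Sample 3 (constructed): a non-wireless interface, as iwconfig prints it.
WIRED = "lo        no wireless extensions.\n"

ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
AP_RE = re.compile(r'Access Point:\s*(\S+)')
MAC_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$')


def find_karma_responders(iwconfig_text, canary_ssid):
    """Return [(interface, bssid)] for interfaces associated on canary_ssid.

    Nobody legitimately serves a made-up SSID, so an interface that is set
    to it and shows a real MAC in the Access Point field has been answered
    by something that accepts any probed name.
    """
    hits = []
    # iwconfig separates interfaces with a blank line.
    for block in re.split(r'\n\s*\n', iwconfig_text.strip()):
        essid = ESSID_RE.search(block)
        ap = AP_RE.search(block)
        if not essid or not ap:
            continue  # no wireless extensions, or ESSID:off/any
        if essid.group(1) != canary_ssid:
            continue  # joined some other network; says nothing about the canary
        if MAC_RE.match(ap.group(1)):  # "Not-Associated" fails this match
            hits.append((block.split()[0], ap.group(1).upper()))
    return hits


if __name__ == "__main__":
    # Usage: sudo iwconfig | python3 this_script.py badkarma
    canary = sys.argv[1]
    for iface, bssid in find_karma_responders(sys.stdin.read(), canary):
        print(f"{iface}: {bssid} answered for made-up SSID {canary!r}")
```
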

Defense:
There are a few ways I can think of offhand to defend against this kind of attack.
1. Turn off auto connect.
2. Audit your devices.
3. Add a fake AP with bad network settings to your device. Configure your device to alert on join. 

I wouldn’t recommend #3. Without other controls in place, this could open your device up to the attack we’re trying to avoid.

Here’s how to see what your devices are probing:

atechdad@kali:~# sudo airmon-ng start wlan1
atechdad@kali:~# sudo airodump-ng mon0

You’ll see something like this. Pay attention to the second section:

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 (not associated)   XX:XX:XX:XX:XX:F6  -44    0 - 1      0        1
 (not associated)   00:1E:2A:18:26:60  -59    0 - 1     86       11  badkarma

The second section is a list of client devices. The Probe column shows the SSIDs each device is probing for.

Offense:
badkarma.py is a simple script that works by creating a randomized AP, joining it, then deauthenticating all connected guests. It was written to run on Kali Linux. At minimum, it requires Python, wireless-tools, the aircrack-ng suite, and mdk3 to be present.

Sample output:

atechdad@kali:~/badkarma# ./badkarma.py -i wlan1
[!] Stopping network-manager..
[!] Starting monitor interface..
[!] Monitor active on interface mon0
[!] ESSID is now robesunconnected
[!] Wireless MAC is now 6c:18:c5:21:29:c3
[!] Bad AP EA:BE:1C:E7:C3:A7 found! Adding to blacklist...
[!] Liberation! Disconnecting between: 6C:18:C5:21:29:C3 and: F6:B1:14:6D:AB:01
[!] Liberation! Disconnecting between: XX:XX:XX:XX:XX:XX and: F6:B1:14:6D:AB:01
[!] ESSID is now distilsfinagling
[!] Wireless MAC is now c6:5c:7d:76:f9:a4
^C[!] Cleaning Up...
[!] Deleting blacklist...
[!] Ending deauth...
[!] Stopping monitor interface mon0
[!] Resetting interface wlan1
[!] Starting network-manager...
[!] Exiting..
atechdad@kali:~/badkarma#

Verification of deauthentication from Attacker’s perspective:

wlan0: mgmt::deauth
wlan0: deauthentication: STA=6c:18:c5:21:29:c3 reason_code=1
wlan0: STA 6c:18:c5:21:29:c3 IEEE 802.11: deauthenticated
wlan0: STA 6c:18:c5:21:29:c3 MLME: MLME-DEAUTHENTICATE.indication(6c:18:c5:21:29:c3, 1)

Getting Script:

atechdad@kali:~# git clone https://github.com/atechdad/badkarma.git

Running:

atechdad@kali:~# cd badkarma/
atechdad@kali:~/badkarma# ./badkarma.py -i wlan0

This should only be run against access points you have permission to attack. I assume no responsibility for its use and offer no support.
The script was just thrown together to meet my needs. If you make improvements, please contribute back.