KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for ‘linksys’, it is ‘linksys’ to them (even while it may be ‘tmobile’ to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
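From the defender's side, an access point that answers for any probed SSID leaves a visible trace: one BSSID sending Probe Responses under many different network names. The Python sketch below is an added example, not part of KARMA; the frame builder, the MAC addresses, the 'home-net' and 'corp-guest' SSIDs and the threshold of three are assumptions, and frames are assumed to be raw 802.11 with any radiotap header already stripped.

```python
import struct
from collections import defaultdict

HDR_LEN, FIXED_LEN = 24, 12   # management header; timestamp+interval+capabilities
PROBE_RESPONSE = 5            # management-frame subtype

def parse_probe_response(frame: bytes):
    """Return (bssid, ssid) for an 802.11 probe response, else None."""
    if len(frame) < HDR_LEN + FIXED_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != PROBE_RESPONSE:
        return None
    bssid = frame[16:22].hex(":")          # address 3
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):           # walk tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                    # truncated element
        if tag == 0:                       # SSID element
            return bssid, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def suspicious_bssids(frames, threshold=3):
    """BSSIDs seen answering under >= threshold distinct SSIDs (heuristic)."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_response(frame)
        if parsed and parsed[1]:           # ignore empty (hidden) SSIDs
            seen[parsed[0]].add(parsed[1])
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}

def build_frame(bssid, client, ssid, subtype=PROBE_RESPONSE):
    """Constructed test frame; not captured traffic."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = struct.pack("<HH", subtype << 4, 0) + mac(client) + mac(bssid) * 2 + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, 0x0401) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body

SAMPLE = [  # constructed sample frames
    build_frame("02:00:00:00:00:aa", "02:00:00:00:01:01", "home-net"),
    build_frame("02:00:00:00:00:bb", "02:00:00:00:01:01", "linksys"),
    build_frame("02:00:00:00:00:bb", "02:00:00:00:01:02", "tmobile"),
    build_frame("02:00:00:00:00:bb", "02:00:00:00:01:03", "corp-guest"),
    build_frame("02:00:00:00:00:bb", "02:00:00:00:01:03", "corp-guest", subtype=4),
]

if __name__ == "__main__":
    print(suspicious_bssids(SAMPLE))
```

The threshold is a tuning knob: enterprise access points normally use a separate BSSID per advertised SSID, so a low value is usually safe, but it should be checked against the local environment before alerting on it.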
- Dai Zovi, D. A., & Macaulay, S. A. (2005). Attacking Automatic Wireless Network Selection. In Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop (pp. 365–372). IEEE. doi:10.1109/IAW.2005.1495975
- Technical whitepaper
- Conference presentations
KARMA was developed as a research proof-of-concept and hasn’t been updated since 2006. It lives on, however, in form and/or spirit in these projects:
These archived releases are all BYOX (Bring Your Own Exploits), although a number of client-side exploits were written, tested, and demonstrated within this framework.