git subrepo clone https://github.com/atimorin/karma

subrepo:
  subdir:   "karma"
  merged:   "7399a35"
upstream:
  origin:   "https://github.com/atimorin/karma"
  branch:   "master"
  commit:   "7399a35"
git-subrepo:
  version:  "0.2.0"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "5c38bbc"

karma/.gitignore

@@ -0,0 +1,18 @@
+# Object files
+*.o
+*.ko
+
+# Libraries
+*.lib
+*.a
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+*.exe
+*.out
+*.app

karma/.gitrepo

@@ -0,0 +1,11 @@
+; DO NOT EDIT (unless you know what you are doing)
+;
+; This subdirectory is a git "subrepo", and this file is maintained by the
+; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme
+;
+[subrepo]
+	remote = https://github.com/atimorin/karma
+	branch = master
+	commit = 7399a35e825cc200f8bdf78fa8bd1725b237bc64
+	parent = 4634540949632519e980ab949f5c88ac06aaaaf4
+	cmdver = 0.2.0

karma/README.md

@@ -0,0 +1,34 @@
+KARMA
+=====
+KARMA Attacks Radioed Machines Automatically (KARMA) is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
+
+KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for `linksys`, it is `linksys` to them (even while it may be `tmobile` to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
+
+Thanks to some great work by HD Moore, KARMA now lives on in the modern era as [Karmetasploit](http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit). Karmetasploit is an integration of parts of KARMA and its ideas into the Metasploit framework. Karmetasploit is your best option for running KARMA these days, even though the original version by Dino and Shane is available here. For an in-depth description of the KARMA attacks against wireless clients, see the whitepaper and presentation.
+
+### Docs
+
+* Attacking Automatic Wireless Network Selection [[slides]](http://www.trailofbits.com/resources/attacking_automatic_network_selection_slides.pdf) [[paper]](http://www.trailofbits.com/resources/attacking_automatic_network_selection_paper.pdf)
+* [Karmetasploit](http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit) documentation
+* [CNET News.com](http://news.cnet.com/Microsoft-meets-the-hackers/2009-1002_3-5747813.html) story mentioning our KARMA demo at Microsoft’s Blue Hat summit
+* [Legacy KARMA README](karma.README.txt)
+* [KARMA HOWTO](http://www.wirelessdefence.org/Contents/KARMAMain.htm) at WirelessDefence.org
+
+### Software
+
+* Legacy KARMA Snapshot (20060124) - this repository
+* [Karma 0.4 CanSecWest/core05 Alpha Release](/archive/karma-0.4.tar.gz)
+* [Karma 0.3 Microsoft BlueHat Alpha Release](/archive/karma-0.3.tar.gz)
+* [Karma 0.2 Immunity NYC Security Shindig Alpha Release](/archive/karma-0.2.tar.gz)
+* [Karma 0.1 PACSEC Alpha Release](/archive/karma-0.1.tar.gz)
+
+### Related Projects
+
+* [KARMetasploit](http://dev.metasploit.com/redmine/projects/framework/wiki/Karmetasploit) - KARMA functionality in Metasploit
+* [Jaseger](http://www.digininja.org/jasager/) - Portable KARMA on the FON La Fonera router
+* [WiFi Pineapple](https://hakshop.myshopify.com/products/wifi-pineapple) - Integrated device with Jaseger pre-installed
+
+### Authors
+
+* Dino A. Dai Zovi <[email protected]> (All Things Ruby)
+* Shane "K2" Macaulay <[email protected]> (MADWifi and Samba patches)

karma/bin/karma

@@ -0,0 +1,62 @@
+#!/usr/bin/env ruby
+#
+#
+#
+
+require 'rexml/document'
+require File::dirname(__FILE__) + "/../modules/loader"
+
+###
+# Main
+###
+
+if (ARGV.length < 1)
+    puts "usage: #{$0} <karma-config.xml>"
+    exit -1
+end
+
+#
+# Splash
+#
+puts "Starting KARMA..."
+
+Thread.abort_on_exception = true
+
+# Scan module directories for XML descriptor files when loaded
+Karma::ScanModules()
+
+#
+# Load configuration file
+#
+
+puts "Loading config file #{ARGV[0]}"
+
+config = REXML::Document.new(File.new(ARGV[0]))
+
+# Parse options first
+config.elements.each('karma/option') { |element|
+    module_id = element.attributes['module']
+    option_name = element.attributes['name']
+    option_value = element.attributes['value']
+
+    Karma::MODULES[module_id].options[option_name] = option_value
+}
+
+# Run modules now
+config.elements.each('karma/run') { |element|
+    module_id = element.attributes['module']
+
+    Karma::MODULES[module_id].run()
+}
+
+puts "Delivering judicious KARMA, hit Control-C to quit."
+
+# Wait for all threads to terminate or SIGINT
+trap ("SIGINT") {
+    Karma::MODULES.each_value() {|m|
+        m.stop()
+    }
+
+    exit(0)
+}
+sleep()  # Sleep forever

karma/bin/monitor-mode.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+INTERFACE=$1
+
+if [ $# -lt 1 ]; then
+    echo "usage: $0 <interface>"
+    exit 1
+fi
+
+if [ "$OSTYPE" = "FreeBSD" ]; then
+    ifconfig $INTERFACE down
+    ifconfig $INTERFACE channel 1 mediaopt monitor up
+else
+    # Assuming MadWiFi because the other drivers suck
+    /sbin/ifconfig $INTERFACE down
+    /usr/sbin/iwconfig $INTERFACE channel 1 mode monitor essid any
+    /sbin/ifconfig $INTERFACE up
+fi

karma/doc/paper/Makefile

@@ -0,0 +1,7 @@
+all: pdf
+
+pdf: aawns.tex aawns.bib
+	pdflatex aawns.tex && bibtex aawns && pdflatex aawns.tex && pdflatex aawns.tex
+
+view: pdf
+	gv aawns.pdf

karma/doc/paper/aawns.bib

@@ -0,0 +1,121 @@
+@article{parks01cyberwar,
+     author=        "R. C. Parks and David P. Duggan",
+     title=         "Principles of Cyber-warfare",
+     journal=       "Proceedings of the IEEE Workshop on Information Assurance and Security",
+     pages=         "122--125",
+     month=         "June",
+     year=          "2001"
+   }
+
+@InProceedings{nobles05wlandos,
+  author = 	 {Phillip Nobles and Peter A. Horrocks},
+  title = 	 {Vulnerability of {IEEE802.11} {WLANs} to {MAC} layer {DoS} attacks},
+  booktitle =    {Proceedings of The 2nd IEE Secure Mobile Communications Forum},
+  year = 	 {2005},
+  OPTeditor = 	 {},
+  OPTvolume = 	 {},
+  OPTnumber = 	 {},
+  OPTseries = 	 {},
+  OPTaddress = 	 {},
+  OPTmonth = 	 {},
+  organization = {Instituion of Electrical Engineers},
+  OPTpublisher = {},
+  OPTnote = 	 {},
+  OPTannote = 	 {}
+}
+
+@InProceedings{provos04honeyd,
+  author = 	 {Niels Provos},
+  title = 	 {A virtual honeypot framework},
+  booktitle =    {Proceedings of The 13th USENIX Security Symposium},
+  address =      {San Fransisco, CA},
+  year = 	 {2004},
+  month = 	 {August},
+}
+
+@Misc{shipley01wardriving,
+  OPTkey = 	 {},
+  author = 	 {Peter Shipley},
+  title = 	 {Open {WLAN}s: The Early Results of WarDriving},
+  howpublished = {http://www.dis.org/filez/openlans.pdf}
+}
+
+@Misc{klaus02wlan,
+  OPTkey = 	 {},
+  author = 	 {Christopher W. Klaus},
+  title = 	 {Wireless {LAN} Security {FAQ}},
+  howpublished = {http://www.iss.net/wireless/},
+  OPTmonth = 	 {},
+  OPTyear = 	 {},
+  OPTnote = 	 {},
+  OPTannote = 	 {}
+}
+
+@TechReport{ieee99wireless,
+  author = 	 {{IEEE Computer Society LAN/MAN Standards Committee}},
+  title = 	 {Wireless {LAN} Medium Access Control ({MAC}) and Physical Layer ({PHY}) Specifications},
+  institution =  {ANSI/IEEE},
+  year = 	 {1999},
+  OPTkey = 	 {},
+  OPTtype = 	 {},
+  OPTnumber = 	 {},
+  OPTaddress = 	 {},
+  OPTmonth = 	 {},
+  OPTnote = 	 {},
+  OPTannote = 	 {}
+}
+
+@Misc{rfc3330,
+  author = {{Internet Assigned Numbers Authority}},
+  title = {{RFC 3330}: Special-Use {IPv4} Addresses},
+  month = {September},
+  year = {2002},
+  howpublished = {ftp://ftp.internic.net/rfc/rfc3330.txt}
+}
+
+@Misc{leffler02madwifi,
+  author = {Sam Leffler},
+  title = {Multimode Atheros Driver for {WiFi} on Linux},
+  howpublished = {http://madwifi.sourceforge.net}
+}
+
+@Misc{nycwireless,
+  title = {{NYC} wireless},
+  howpublished = {http://www.nycwireless.net}
+}
+
+@Misc{samba,
+  author = {{The Samba Team}},
+  title = {Samba},
+  howpublished = {http://www.samba.org}
+}
+
+@Misc{moser04hotspotter,
+  author = {Max Moser},
+  title = {Hotspotter: Automatic wireless client penetration},
+  howpublished = {http://new.remote-exploit.org/index.php/Hotspotter\_main}
+}
+
+@Article{cableguy02wac,
+  author = 	 {{The Cable Guy}},
+  title = 	 {Windows {XP} Wireless Auto Configuration},
+  journal =      {Microsoft TechNet},
+  OPTurl =          {http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx},
+  month = 	 {November},
+  year = 	 {2002},
+}
+
+@Article{lohr04desktop,
+  author = 	 {Steve Lohr},
+  title = 	 {One Small Step in Uphill Fight As Linux Adds a Media Player},
+  journal = 	 {The New York Times},
+  year = 	 {June 28, 2004},
+  OPTkey = 	 {},
+  OPTvolume = 	 {},
+  OPTnumber = 	 {},
+  OPTpages = 	 {},
+  OPTmonth = 	 {},
+  OPTnote = 	 {},
+  OPTannote = 	 {}
+}
+