Karma

Karma is a set of patches to access point software to get it to respond to probe requests not just for itself but for any ESSID requested. This allows the AP to act as a lure to draw in any clients probing for known networks. The original Karma patches were released by Dino Dia Zovi for Madwifi, I then took over and ported the patches to Madwifi-ng and have now taken them to the new hostapd.

Contrary to some people belief the Karma patches do not get the AP to send out beacons beyond any that it has been configured to in its normal setup as an AP. This means that when you start it up you should not expect to see a flood of new networks advertised in your client. The way it works is that most clients have a list of perfered networks, usually most of them set to auto-connect. When a clients wireless is enabled it works through this list sending out probe requests for each one. As soon as Karma sees a probe request it says yes, regardless of what ESSID is requested, and the client then tries to associate. Some clients may continue to probe for other APs with higher preference in their list so may will drop off the first one they associate with in preference of the highest one that Karma responds to.

Most clients, when they try to associate, will check the encryption level offered by the AP, if this doesn't match what is expected then the client won't associate. This causes a flapping client, one that connects then disconnects quickly over a short period. I have however seen some clients just dropping to no encryption if that is what is offered.

If you are testing Karma and clients aren't connecting make sure they have networks in their preferred list and that they are set to auto-connect, just because Windows has a list of preferred APs it doesn't mean that it is set to auto-connect to them all. I get regular bug reports from people saying that Karma isn't doing its job but when they finally check the list they find that no networks are set to auto-connect.

Hostapd

After some prodding from Zero_Chaos I've finally patched hostapd allowing Atheros users to move away from Madwifi-ng and into ath5k and ath9k. It should also open the field to users of Prism54 and various other cards but these are yet to be tested.

Below you can download a fully patched version of hostapd and a sample config file. To run it up simply untar the tarball, change to the hostapd directory and run make. You can then start the AP with the -dd parameter to get the Karma output messages. The config file I provide has an ESSID of "FreeInternet" which it is beaconing, this is designed to attract those who aren't probing for any networks but can be drawn in by the offer of a free connection. The config file is commented up so it should be easy to modify to your own needs.

You can check you are running the patched version of hostapd by checking the version information:

./hostapd -v
hostapd v0.7.2
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2010, Jouni Malinen  and contributors
Karma patches by Robin Wood - robin@digininja.org

And start it like this:

# ./hostapd -dd ~/hostapd-karma.conf

If you grep out just the KARMA references then you will see something like this after a successful association:

KARMA: Probe Request from 00:c0:ca:2f:96:50 for SSID 'test'
KARMA: Checking SSID for start of association, pass through test
KARMA: Successful association of 00:c0:ca:2f:96:50

One problem I know about with this release is that when the client finally associates only the MAC address is printed, not the ESSID it is associated with. This is because by this point it is assumed that the association is with the same ESSID as in the config file so the original probed ESSID doesn't appear to be stored in any of the available structures. I'm working on this and will hopefully find a way to pass it through to here.

I'm currently lacking the black and white list feature I added to the last set of Madwifi-ng patches I released, I'll work on these at some point but for how I just want to get something out there.

Download

Madwifi-ng

Seeing as I haven't created any patches for this for a while I've lost track of where the Madwifi project is. Last time I tried to patch it I couldn't get it to build with my kernel (2.6.23) without further patching the drivers so I gave up. I've collected all my previous patches together below and if you need specific help with them for some reason then get in touch, otherwise I recommend moving to the hostapd method.

Download

Project Categories

Twitter

@secti0n9 not that I can think of, you could just copy the appropriate files across and restart
Just seen biggest advert for Android ever on Fringe
@digininja too much to say.Ton of default pwds,open ports,backdoors,ways to bypass call restrictions

Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work please use the link below when buying from Amazon and I will recieve a small commission on all purchases.