When a client connects to our malicious access point, the messages file we are tailing will show us when an IP address is handed out. This is our cue to switch back to msfconsole to see what is happening. Here, we see that a client connects and is assigned an IP address:

Apr  2 15:07:34 bt dhcpd: DHCPDISCOVER from 00:17:9a:b2:b1:6d via at0
Apr  2 15:07:35 bt dhcpd: DHCPOFFER on 10.0.0.100 to
 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr  2 15:07:35 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:17:9a:b2:b1:6d
    (v-xp-sp2-bare) via at0
Apr  2 15:07:35 bt dhcpd: DHCPACK on 10.0.0.100 to 00:17:9a:
b2:b1:6d (v-xp-sp2-bare) via at0

The first thing our target does is open an email client. Karmetasploit is waiting, as shown here:

[*] DNS 10.0.0.100:1049 XID 45030 (IN::A time.windows.com)
  [*] DNS 10.0.0.100:1049 XID 47591 (IN::A pop3.securemail.com)
 [*] POP3 LOGIN 10.0.0.100:1102 bsmith / s3cr3tp4s5

The POP3 server configured by Metasploit intercepts the target’s email username and password at , because all DNS requests are intercepted by the DNS server that Karmetasploit set up for us.