Scribd
Upload
154 views

Mac For Hackers: How To Set Up A MacOS System For Wi-Fi Packet Capturing Null Byte :: WonderHowTo

This document provides instructions for setting up a MacOS system to capture Wi-Fi packets without installing additional software. It describes how to use built-in MacOS tools and aliases to scan for nearby wireless networks, check the current connection, and change the Wi-Fi channel. The aliases make long terminal commands shorter and easier to remember. The document also discusses using Wireshark for packet capture and how changing channels with the built-in tools allows capturing traffic on any channel.

Uploaded by

waraceo
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
154 views

Mac For Hackers: How To Set Up A MacOS System For Wi-Fi Packet Capturing Null Byte :: WonderHowTo

This document provides instructions for setting up a MacOS system to capture Wi-Fi packets without installing additional software. It describes how to use built-in MacOS tools and aliases to scan for nearby wireless networks, check the current connection, and change the Wi-Fi channel. The aliases make long terminal commands shorter and easier to remember. The document also discusses using Wireshark for packet capture and how changing channels with the built-in tools allows capturing traffic on any channel.

Uploaded by

waraceo
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

FORUM METASPLOIT BASICS FACEBOOK HACKS "# % $

FORUM METASPLOIT BASICS


NULL BYTE
FACEBOOK HACKS

M AC FO R H AC K E R S

How to Set Up a MacOS System for Wi-Fi Packet


Capturing
BY KODY ! 08/07/2018 6:17 AM MAC FOR HACKERS

M acOS isn't known as an ideal operating system for hacking without customization, but it includes
native tools that allow easy control of the Wi-Fi radio for packet sniffing. Changing channels, scanning
for access points, and even capturing packets all can be done from the command line. We'll use aliasing
to set some simple commands for easy native packet capture on a macOS system.

MacOS Built in Tools


If you can't download or install new tools onto a MacBook or other macOS computer, capturing packets
or performing Wi-Fi scanning might not appear straightforward. In fact, while there are terminal
commands to do this, they are incredibly long and not very intuitive for beginners. For example, to
perform a simple Wi-Fi scan for nearby access points, the command is as follows.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

That command isn't exactly easy to remember, so instead, we can shorten them dramatically by
mapping the most useful commands for Wi-Fi scanning and sniffing to shorter, more memorable ones. Of
the available commands, the most important are scanning the current connection for available detail,
scanning for nearby access points, switching the current Wi-Fi channel, and beginning a packet capture
session.

Using Wireshark on MacOS


While Wireshark is the standard tool for packet capture, it does have a few limitations that mean you'll
need to get into the macOS terminal commands anyway. Because Wireshark can't set the channel the
card in a macOS computer is on, it can only listen in on a channel that your laptop can connect to a
network on; This is pretty annoying because, by default, you can only see traffic directed to your
machine.

Don't Miss: Use Kismet to Watch Wi-Fi User Activity Through Walls

By changing some settings in Wireshark, you can begin to see all of the traffic on a particular channel,
but this still doesn't give you the ability to sniff on channels on which you have no network to join. To
solve this, we'll need to use a macOS tool to set the channel manually so that we can switch between
channels of interest based on the result of a scan of nearby APs.

What You'll Need


These commands should work on most macOS systems, even ones not fully updated. Because they're
built-in system tools, you won't need to download anything to get them to work. If you're using a
MacBook Air, Pro, or other Apple device running macOS with a wireless card, these commands should
work fine. You will need the ability to run commands as sudo, as most of these commands require
administrator access.

Step 1
Create an Alias
First, to create an alias, we'll be editing our terminal Bash profile; This will allow us to map lengthy or
more complicated commands we frequently use to smaller commands. To do this, open a new terminal
window and type the following.

nano .bash_profile

That command will open up a text file that should say something like this:

# Setting PATH for Python 3.6


# The original version is saved in .bash_profile.pysave
PATH="/Library/Frameworks/Python.framework/Versions/3.6/bin:${PATH}"
export PATH

Beneath that, you can begin to add aliases. So how do they work? The anatomy of a Bash alias looks
like this:

alias (NameOfAlias)='(TheCommandsYouWantTheAliasToRun)'

Using that format, let's write and text our first alias.

Useful Aliases for AP Discovery


To get started, we'll be using a command to scan the area and give a list of every nearby AP. This
includes information we need to locate and capture a target wireless network. By running this scan, we
can match the name of a network to the channel it is broadcasting on, discover the BSSID of nearby
networks, the signal strength, and the type of security used in the network.

Don't Miss: Wardrive with the Kali Raspberry Pi to Map Wi-Fi Devices

All of this information is handy for targeting nearby networks or deciding which channel to sniff on. To
do this scan, we need to type the following command into a terminal window.

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airpo

I prefer to shorten this to an alias I've named scanarea for quick access. To create this alias, type nano
.bash_profile and then add the following code at the bottom of the text document.
alias scanarea='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current

Press Ctrl-X to close out of the text file, typing Y to save the changes when prompted. To test the alias,
quit your terminal program and reopen it again. After restarting your terminal window, you should now
be able to see the alias there by typing alias into a terminal window.

Now, you should be able to type scanarea into a terminal window, enter your password, and see a list
of all nearby Wi-Fi networks.

SSID BSSID RSSI CHANNEL HT CC SECURITY (auth/unicast/group)


BPS Guest Access 92:2a:a8:58:bf:51 -86 132,+1 Y -- WPA2(PSK/AES/AES)
BPS Mgmt 82:2a:a8:58:bf:51 -87 132,+1 Y -- WPA2(PSK/AES/AES)
BWXLVS 54:3d:37:7a:1a:bc -85 56 Y US WPA2(PSK/AES/AES)
attwifi 54:3d:37:3a:1a:bc -85 56 Y US NONE
ALPHA fc:0a:81:78:16:c1 -83 11 Y US WPA2(PSK/AES/AES)
_Travelers WiFi 00:14:06:11:4a:40 -77 11 N -- NONE
BPS Guest Access 82:2a:a8:57:bf:51 -83 11 Y -- WPA2(PSK/AES/AES)
DELTA fc:0a:81:78:16:c4 -82 11 Y US WPA2(802.1x/AES/AES)
_LasVegas.Net HC 00:14:06:11:4a:41 -77 11 N -- NONE
Caesars_Resorts fc:0a:81:78:16:c0 -83 11 Y US NONE
ND BOH d0:17:c2:ea:99:b0 -81 10 Y -- WPA2(PSK/AES/AES)
HP-Print-F2-Officejet Pro 8600 a4:5d:36:43:a4:f2 -88 8 N -- WPA2(PSK/AES/AES)
BETA fc:0a:81:78:4a:42 -68 6 Y US WPA2(PSK/AES/AES)
DELTA fc:0a:81:78:42:c4 -64 6 Y US WPA2(802.1x/AES/AES)
DELTA fc:0a:81:78:4a:44 -69 6 Y US WPA2(802.1x/AES/AES)
Caesars_Resorts fc:0a:81:78:42:c0 -64 6 Y US NONE
GAMMA fc:0a:81:78:42:c3 -64 6 Y US WPA2(802.1x/AES/AES)
Caesars_Resorts fc:0a:81:78:4a:40 -67 6 Y US NONE
DIRECT-84-HP OfficeJet Pro 8720 30:e1:71:d7:bc:85 -74 6 Y -- WPA2(PSK/AES/AES)
Caesars_Resorts fc:0a:81:78:4a:60 -86 1 Y US NONE
GAMMA fc:0a:81:78:56:53 -74 1 Y US WPA2(802.1x/AES/AES)
ALPHA fc:0a:81:0d:7c:91 -84 1 Y US WPA2(PSK/AES/AES)
ALPHA fc:0a:81:78:40:51 -73 1 Y US WPA2(PSK/AES/AES)
ALPHA fc:0a:81:78:56:51 -68 1 Y US WPA2(PSK/AES/AES)

Reopen the Bash profile and add the following code to also be able to display what channel the card is
currently set to, as well as information about the AP you're currently connected to.

alias currentap='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Curren

After again saving and closing the file, you should be able to open a fresh terminal window, and after
restarting terminal, type "currentap
currentap" to learn information about the current link status of your
computer.

currentap

agrCtlRSSI: 0
agrExtRSSI: 0
agrCtlNoise: 0
agrExtNoise: 0
state: init
op mode:
lastTxRate: 0
maxRate: 0
lastAssocStatus: 16
802.11 auth: open
link auth: none
BSSID: 0:0:0:0:0:0
SSID:
MCS: -1
channel: 4
Dell-2:~ skickar$ currentap
agrCtlRSSI: -56
agrExtRSSI: 0
agrCtlNoise: -93
agrExtNoise: 0
state: running
op mode: station
lastTxRate: 130
maxRate: 144
lastAssocStatus: 0
802.11 auth: open
link auth: none
BSSID: fc:a:81:78:40:90
SSID: Caesars_Resorts
MCS: 15
channel: 149

Step 2

Use Wireshark & Setting the AP Channel


Next, we can use aliasing to solve the problem of running Wireshark on a macOS computer without
being able to select the channel. To create a channel-changing alias, we can use the following scripts for
each of the 13 channels available on 2.4 GHz networks.

alias setchannelto1='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu


alias setchannelto2='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto3='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto4='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto5='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto6='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto7='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto8='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto9='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Cu
alias setchannelto10='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/C
alias setchannelto11='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/C
alias setchannelto12='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/C
alias setchannelto13='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/C

This command can't have any spaces in it, so we need to create a new alias for each channel that we
want our Wi-Fi card to be able to switch to.

Save this alias withCtrl-X and then agree to save by typing Y . Quit your terminal session, and reopen it
to see the command available by typing alias into a fresh terminal window. While this command is the
most useful, it is also one that is likely to need to be run more than once.
Don't Miss: Spy on Your 'Buddy 's' Network Traffic with Wireshark

To make sure this command works, disconnect from any access point you are currently connected to.
You may need to "forget" nearby networks in order to do so, by going into your advanced network
settings. Once you are disconnected from any AP and with the Wi-Fi card turned on, try to set the
channel to channel 4 by typing setchannelto4 in a terminal window. Then, run currentap to find
which channel you're on.

setchannelto4
currentap
agrCtlRSSI: 0
agrExtRSSI: 0
agrCtlNoise: 0
agrExtNoise: 0
state: init
op mode:
lastTxRate: 0
maxRate: 0
lastAssocStatus: 16
802.11 auth: open
link auth: none
BSSID: 0:0:0:0:0:0
SSID:
MCS: -1
channel: 4

If it's not on the right AP, turn your Wi-Fi card off and back on again, then run the command again. You
may need to do this a few times, as macOS will tend to ignore this if it thinks it can connect to an AP in
range.

If you're running Wireshark, you should be able to see packets all start coming in on the same channel;
This means that you've successfully switched the wireless card to the desired channel.

Step 3

Capture Packets Natively


Now that we have the ability to set the channel we're sniffing on, go ahead and set it to your desired
channel. Next, we can start sniffing packets on that channel by returning to our Bash profile and adding
the following alias.

alias sniff='sudo /usr/libexec/airportd en0 sniff'

Running this command will begin saving all observed packets to a .cap file, which you can open in
Wireshark later to interpret. Once the alias is set and you've saved and closed the file, quit terminal, and
reopened it to make the alias available for use.

Don't Miss: Detect Script-Kiddie Wi-Fi Jamming with Wireshark


Begin sniffing packets by typing sniff in a terminal window. When you're finished, press Ctrl-C to stop
sniffing and save the captured packets to a .cap file.

sniff
Capturing 802.11 frames on en0.
Session saved to /tmp/airportSniffuwvwnx.cap.

Step 4

Open Captured Packets in Wireshark


Finally, if you have a .cap file you want to open in Wireshark, the command to do so is easy. With the
name of your macOS capture file handy, you can open Wireshark to inspect the packets you've captured
if you have Wireshark installed, or later on another device, by typing the following command.

wireshark -r /tmp/yourfilename.cap

This will open the capture in Wireshark, allowing you to confirm you got the capture you needed and
inspect the intercepted packets.

Any MacOS System Can Be a Packet Capturing Node


MacOS computers are commonplace in many tech and creative business environments, and learning to
use the built-in tools to your advantage means nothing but access is required to begin capturing packets
from networks around you.

Utilizing aliasing makes the built-in commands shorter and more memorable, allowing a hacker to create
an easy workflow for discovering, tuning to, and capturing traffic from networks of interest. Using these
tactics, a macOS computer near your target is everything you need to spy on local Wi-Fi
communications.

I hope you enjoyed this guide to configuring an Apple computer to control the wireless card and sniff
Wi-Fi packets! If you have any questions about this guide on working with macOS or you have a
comment, feel free to reach me below or on Twitter @KodyKinzie.

Don't Miss: The Everyman's Guide to How Network Packets Are Routed Across the Web

Follow Null Byte on Twitter, Flipboard, and YouTube


Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard

Cover photo by Kody/Null Byte


WonderHowTo.com About Us Privacy Policy Terms of Use

You might also like