Since OS X Snow Leopard there has been an AirPort wireless API that allows some fun tricks, but it takes some minor setup to use it properly...
First make sure you can easily run the new Airport API utility:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
Now you can easily scan and sniff packets:
And the sexiest feature is dumping packets in monitor mode on a chosen channel (channel 11 here):
sudo -s airport sniff 11
Note that you still cannot actively inject and sniff without using a Realtek USB Wi-Fi card.
To stop the airport utility from sniffing, drop it into the background and kill the process ID:
sudo -s killall airport
So what kind of attacks are possible without injection? Any wireless traffic on the channel you're sniffing that is not encrypted (by WEP/WPA at the link layer or HTTPS at the application layer) can be read with a packet inspection tool like tcpdump, which comes by default on your Mac. A pcap will be saved in the /tmp directory; simply read it in with tcpdump to see what fun you captured!
Gregs-MacBook-Air:tmp gregmartin$ ls /tmp |grep air
To print the ASCII content of all HTTP traffic:
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80 |grep -i pass
Here we see an Android phone at the Boingo wireless captive portal ready to log in!
Of course you can use any libpcap tool such as Wireshark to analyze the resulting file.
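As an added example (not code from the original post), the script below wraps the capture, stop and tcpdump steps above into one run: sniff a channel for a fixed window, stop the utility, locate the newest capture in /tmp, then count cleartext HTTP against TLS packets so you can audit how much of your own network's traffic is readable to anyone in radio range. It assumes the /usr/sbin/airport symlink created earlier and a tcpdump on PATH; the window length and the cleartext-vs-TLS summary are my additions, not features of the airport utility.

```shell
# Added example, not from the original post. Assumes the /usr/sbin/airport
# symlink from the post exists and that tcpdump is installed (it ships with macOS).
set -u

AIRPORT=${AIRPORT:-/usr/sbin/airport}
CAP_DIR=${CAP_DIR:-/tmp}

# Newest capture the airport utility wrote into the directory given as $1
# (default /tmp). Prints the path, or returns 1 if no capture exists.
newest_capture() {
    local dir=${1:-$CAP_DIR} f
    f=$(ls -t "$dir"/airportSniff*.cap 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    printf '%s\n' "$f"
}

# Sniff channel $1 in monitor mode for $2 seconds, then stop the utility the
# way the post does (background it, killall) and print the capture path.
sniff_for() {
    local channel=$1 seconds=$2 pid
    sudo -v                              # cache credentials before backgrounding
    sudo "$AIRPORT" sniff "$channel" >/dev/null 2>&1 &
    pid=$!
    sleep "$seconds"
    sudo killall airport 2>/dev/null
    wait "$pid" 2>/dev/null
    newest_capture "$CAP_DIR"
}

# Count captured packets on port 80 (cleartext HTTP) versus port 443 (TLS):
# a quick measure of how much traffic on the channel anyone nearby can read.
summarize_capture() {
    local cap=$1 http tls
    http=$(tcpdump -nr "$cap" 'tcp port 80' 2>/dev/null | wc -l | tr -d ' ')
    tls=$(tcpdump -nr "$cap" 'tcp port 443' 2>/dev/null | wc -l | tr -d ' ')
    printf 'cleartext_http=%s tls=%s\n' "$http" "$tls"
}

# Usage: sh airport-audit.sh run [channel] [seconds]   (defaults: 11, 30)
if [ "${1:-}" = "run" ]; then
    cap=$(sniff_for "${2:-11}" "${3:-30}") || { echo "no capture written" >&2; exit 1; }
    summarize_capture "$cap"
fi
```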