Tuesday, August 30, 2011

Wireless fun with your Macbook

Since OSX Snow Leopard there is an Airport wireless API that allows some fun tricks but it takes some minor setup to use it properly...

First make sure you can easily run the new Airport API utility:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

Now you have easy ability to scan and sniff packets:

airport scan

And the sexiest feature is to dump packets in monitor mode:
sudo -s airport sniff 11

Note that you still cannot actively inject and sniff without using a realtek USB wifi card.

To stop the airport utility from sniffing drop it into the background and kill the process ID:

sudo -s killall airport

So what kind of attacks are possible without injection? Well any wireless traffic (non encrypted via WEP/WPA/HTTPS) on the channel your sniffing you can then read with a packet inspection tool like tcpdump which comes by default on your Mac. A pcap will be saved in the /tmp directory, simply read it in with tcpdump to see what fun you captured!

Gregs-MacBook-Air:tmp gregmartin$ ls /tmp |grep air

To print the ASCII content of all HTTP traffic:
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80


tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80 |grep -i pass

Here we see an Android phone at the Boingo wireless captive portal ready to log in!

Of course you can use any libpcap tool such as Wireshark to analyze the resulting file.

No comments: