Since OS X Snow Leopard there has been an Airport wireless API that allows some fun tricks, but it takes some minor setup to use it properly...
First make sure you can easily run the new Airport API utility:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
Now you can easily scan for networks and sniff packets:
And the sexiest feature is to dump packets in monitor mode:
sudo -s airport sniff 11
Note that you still cannot actively inject and sniff without using a Realtek USB wifi card.
To stop the airport utility from sniffing, drop it into the background and kill the process:
sudo -s killall airport
So what kind of attacks are possible without injection? Well, any wireless traffic on the channel you're sniffing that is not encrypted (with WEP/WPA or HTTPS) can be read with a packet inspection tool like tcpdump, which comes by default on your Mac. A pcap will be saved in the /tmp directory; simply read it in with tcpdump to see what fun you captured!
Gregs-MacBook-Air:tmp gregmartin$ ls /tmp |grep air
To print the ASCII content of all HTTP traffic:
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80 |grep -i pass
Here we see an Android phone at the Boingo wireless captive portal ready to log in!
Of course you can use any libpcap tool such as Wireshark to analyze the resulting file.
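As an added example (not from the original post), here is a small Python reader for the kind of capture file airport writes: it parses the classic pcap records, skips a radiotap header if the capture carries one, and tallies per BSSID how many 802.11 data frames have the Protected Frame bit set. It is a quick way to check that your own network is actually encrypting its traffic before assuming anything on the channel is private. The capture bytes and BSSIDs below are constructed sample data, not the author's capture.

```python
import struct
from collections import defaultdict

DLT_IEEE802_11, DLT_IEEE802_11_RADIOTAP = 105, 127  # raw 802.11 / radiotap-prefixed

def iter_pcap(data):
    """Yield (link_type, record_bytes) for each record of a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    bo = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # writer's byte order
    link_type, off = struct.unpack(bo + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(bo + "IIII", data[off:off + 16])[2]
        yield link_type, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def audit_encryption(data):
    """Per BSSID, count 802.11 data frames with and without the Protected bit."""
    stats = defaultdict(lambda: {"protected": 0, "cleartext": 0})
    for link_type, frame in iter_pcap(data):
        if link_type == DLT_IEEE802_11_RADIOTAP:  # radiotap: bytes 2-3 = its length
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if len(frame) < 24:
            continue
        fc0, fc1 = frame[0], frame[1]              # Frame Control field
        ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
        to_ds, from_ds = fc1 & 0x1, fc1 & 0x2
        # keep only data frames that carry a body (null/QoS-null never do) and
        # skip 4-address WDS frames, which have no BSSID slot
        if ftype != 2 or subtype & 0x4 or (to_ds and from_ds):
            continue
        addr_off = 16 if not (to_ds or from_ds) else (10 if from_ds else 4)
        bssid = frame[addr_off:addr_off + 6].hex(":")
        stats[bssid]["protected" if fc1 & 0x40 else "cleartext"] += 1
    return dict(stats)

# Constructed sample capture (not a real airport dump) to exercise the reader.
def make_pcap(frames, link_type=DLT_IEEE802_11):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def data_frame(bssid, protected, subtype=0):
    """AP-to-station frame (FromDS=1), so addr2 holds the BSSID."""
    fc1 = 0x02 | (0x40 if protected else 0)
    sta, src = bytes.fromhex("02aabbccddee"), bytes.fromhex("02aabbccddff")
    return bytes([0x08 | (subtype << 4), fc1, 0, 0]) + sta + bssid + src + b"\x00\x00payload"

AP_WPA, AP_OPEN = bytes.fromhex("0011aa000001"), bytes.fromhex("0011aa000002")
SAMPLE = make_pcap([data_frame(AP_WPA, True), data_frame(AP_WPA, True),
                    data_frame(AP_OPEN, False), data_frame(AP_WPA, False),
                    data_frame(AP_OPEN, False, subtype=4)])  # null frame, ignored
```

Running `audit_encryption(open("/tmp/airportSniffXXXX.cap", "rb").read())` on a real capture gives the same per-BSSID tally; a BSSID you own that shows cleartext data frames is worth a look at its security settings.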
Tuesday, August 30, 2011
Friday, August 12, 2011
So during the London riots I return home the next morning to find my flat ransacked and my Macbook Pro laptop stolen!
Police showed up, took a report and dusted for prints, performed typical forensics... One thing they did not expect was that I had installed the amazing open source tracking software from http://preyproject.com
Once I flagged my laptop as missing within Prey, I waited eagerly for the first report to come in. I was concerned he wouldn't be able to get past the login password but he was clever enough to add a new account: Here is how to create a new admin account on a Mac
Almost two weary days had gone by and I'm at dinner on a business trip in Luxembourg and I received an email which nearly knocked me out of my chair with excitement.
Next thing I did was buy a pack of smokes and run back to my hotel room so the games could begin... I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.
After two hours of watching him surf religious revelation videos and shop for a Mercedes A class on autotrader, he finally popped onto facebook! This was the treasure trove of information; at this point I had the following:
His Name: Sxxxxx Kxxxx
His School: xxxx School Class of 2009
His address: xxx N End Rd London W14
His IP Address: 90.201.72.xx
His ISP: BSKYB
His wireless AP: SKY378xx
His Facebook Page: https://www.facebook.com/profile.php?id=101952xxx
Of course I had pictures of him from the webcam on my Macbook as well as his Facebook page, now I just had to pass the info on to London Metro police and get to bed at a decent hour as I had to run an all-day meeting the following morning!
The tip of the iceberg, now that all the details were collected, London Metro police could make their move!
And the icing on the cake... justice served. Add me on twitter @gregcmartin, let's laugh together!