Mac for Hackers: How to Set Up a MacOS System for Wi-Fi Packet Capturing

How to Set Up a MacOS System for Wi-Fi Packet Capturing

MacOS isn't known as an ideal operating system for hacking without customization, but it includes native tools that allow easy control of the Wi-Fi radio for packet sniffing. Changing channels, scanning for access points, and even capturing packets all can be done from the command line. We'll use aliasing to set some simple commands for easy native packet capture on a macOS system.

MacOS Built in Tools

If you can't download or install new tools onto a MacBook or other macOS computer, capturing packets or performing Wi-Fi scanning might not appear straightforward. In fact, while there are terminal commands to do this, they are incredibly long and not very intuitive for beginners. For example, to perform a simple Wi-Fi scan for nearby access points, the command is as follows.

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

That command isn't exactly easy to remember, so instead, we can shorten them dramatically by mapping the most useful commands for Wi-Fi scanning and sniffing to shorter, more memorable ones. Of the available commands, the most important are scanning the current connection for available detail, scanning for nearby access points, switching the current Wi-Fi channel, and beginning a packet capture session.

Using Wireshark on MacOS

While Wireshark is the standard tool for packet capture, it does have a few limitations that mean you'll need to get into the macOS terminal commands anyway. Because Wireshark can't set the channel the card in a macOS computer is on, it can only listen in on a channel that your laptop can connect to a network on; This is pretty annoying because, by default, you can only see traffic directed to your machine.

By changing some settings in Wireshark, you can begin to see all of the traffic on a particular channel, but this still doesn't give you the ability to sniff on channels on which you have no network to join. To solve this, we'll need to use a macOS tool to set the channel manually so that we can switch between channels of interest based on the result of a scan of nearby APs.

What You'll Need

These commands should work on most macOS systems, even ones not fully updated. Because they're built-in system tools, you won't need to download anything to get them to work. If you're using a MacBook Air, Pro, or other Apple device running macOS with a wireless card, these commands should work fine. You will need the ability to run commands as sudo, as most of these commands require administrator access.

Step 1: Create an Alias

First, to create an alias, we'll be editing our terminal Bash profile; This will allow us to map lengthy or more complicated commands we frequently use to smaller commands. To do this, open a new terminal window and type the following.

nano .bash_profile

That command will open up a text file that should say something like this:

# Setting PATH for Python 3.6
# The original version is saved in .bash_profile.pysave
PATH="/Library/Frameworks/Python.framework/Versions/3.6/bin:${PATH}"
export PATH

Beneath that, you can begin to add aliases. So how do they work? The anatomy of a Bash alias looks like this:

alias (NameOfAlias)='(TheCommandsYouWantTheAliasToRun)'

Using that format, let's write and text our first alias.

Useful Aliases for AP Discovery

To get started, we'll be using a command to scan the area and give a list of every nearby AP. This includes information we need to locate and capture a target wireless network. By running this scan, we can match the name of a network to the channel it is broadcasting on, discover the BSSID of nearby networks, the signal strength, and the type of security used in the network.

All of this information is handy for targeting nearby networks or deciding which channel to sniff on. To do this scan, we need to type the following command into a terminal window.

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

I prefer to shorten this to an alias I've named scanarea for quick access. To create this alias, type nano .bash_profile and then add the following code at the bottom of the text document.

alias scanarea='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s'

Press Ctrl-X to close out of the text file, typing Y to save the changes when prompted. To test the alias, quit your terminal program and reopen it again. After restarting your terminal window, you should now be able to see the alias there by typing alias into a terminal window.

Now, you should be able to type scanarea into a terminal window, enter your password, and see a list of all nearby Wi-Fi networks.

SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                BPS Guest Access 92:2a:a8:58:bf:51 -86  132,+1  Y  -- WPA2(PSK/AES/AES)
                        BPS Mgmt 82:2a:a8:58:bf:51 -87  132,+1  Y  -- WPA2(PSK/AES/AES)
                          BWXLVS 54:3d:37:7a:1a:bc -85  56      Y  US WPA2(PSK/AES/AES)
                         attwifi 54:3d:37:3a:1a:bc -85  56      Y  US NONE
                           ALPHA fc:0a:81:78:16:c1 -83  11      Y  US WPA2(PSK/AES/AES)
                 _Travelers WiFi 00:14:06:11:4a:40 -77  11      N  -- NONE
                BPS Guest Access 82:2a:a8:57:bf:51 -83  11      Y  -- WPA2(PSK/AES/AES)
                           DELTA fc:0a:81:78:16:c4 -82  11      Y  US WPA2(802.1x/AES/AES)
                _LasVegas.Net HC 00:14:06:11:4a:41 -77  11      N  -- NONE
                 Caesars_Resorts fc:0a:81:78:16:c0 -83  11      Y  US NONE
                          ND BOH d0:17:c2:ea:99:b0 -81  10      Y  -- WPA2(PSK/AES/AES)
  HP-Print-F2-Officejet Pro 8600 a4:5d:36:43:a4:f2 -88  8       N  -- WPA2(PSK/AES/AES)
                            BETA fc:0a:81:78:4a:42 -68  6       Y  US WPA2(PSK/AES/AES)
                           DELTA fc:0a:81:78:42:c4 -64  6       Y  US WPA2(802.1x/AES/AES)
                           DELTA fc:0a:81:78:4a:44 -69  6       Y  US WPA2(802.1x/AES/AES)
                 Caesars_Resorts fc:0a:81:78:42:c0 -64  6       Y  US NONE
                           GAMMA fc:0a:81:78:42:c3 -64  6       Y  US WPA2(802.1x/AES/AES)
                 Caesars_Resorts fc:0a:81:78:4a:40 -67  6       Y  US NONE
 DIRECT-84-HP OfficeJet Pro 8720 30:e1:71:d7:bc:85 -74  6       Y  -- WPA2(PSK/AES/AES)
                 Caesars_Resorts fc:0a:81:78:4a:60 -86  1       Y  US NONE
                           GAMMA fc:0a:81:78:56:53 -74  1       Y  US WPA2(802.1x/AES/AES)
                           ALPHA fc:0a:81:0d:7c:91 -84  1       Y  US WPA2(PSK/AES/AES)
                           ALPHA fc:0a:81:78:40:51 -73  1       Y  US WPA2(PSK/AES/AES)
                           ALPHA fc:0a:81:78:56:51 -68  1       Y  US WPA2(PSK/AES/AES)

Reopen the Bash profile and add the following code to also be able to display what channel the card is currently set to, as well as information about the AP you're currently connected to.

alias currentap='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --getinfo'

After again saving and closing the file, you should be able to open a fresh terminal window, and after restarting terminal, type "currentap" to learn information about the current link status of your computer.

currentap

     agrCtlRSSI: 0
     agrExtRSSI: 0
    agrCtlNoise: 0
    agrExtNoise: 0
          state: init
        op mode:
     lastTxRate: 0
        maxRate: 0
lastAssocStatus: 16
    802.11 auth: open
      link auth: none
          BSSID: 0:0:0:0:0:0
           SSID:
            MCS: -1
        channel: 4
Dell-2:~ skickar$ currentap
     agrCtlRSSI: -56
     agrExtRSSI: 0
    agrCtlNoise: -93
    agrExtNoise: 0
          state: running
        op mode: station
     lastTxRate: 130
        maxRate: 144
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: fc:a:81:78:40:90
           SSID: Caesars_Resorts
            MCS: 15
        channel: 149

Step 2: Use Wireshark & Setting the AP Channel

Next, we can use aliasing to solve the problem of running Wireshark on a macOS computer without being able to select the channel. To create a channel-changing alias, we can use the following scripts for each of the 13 channels available on 2.4 GHz networks.

alias setchannelto1='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=2'
alias setchannelto2='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=2'
alias setchannelto3='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=3'
alias setchannelto4='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=4'
alias setchannelto5='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=5'
alias setchannelto6='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=6'
alias setchannelto7='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=7'
alias setchannelto8='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=8'
alias setchannelto9='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=9'
alias setchannelto10='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=10'
alias setchannelto11='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=11'
alias setchannelto12='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=12'
alias setchannelto13='sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=13'

This command can't have any spaces in it, so we need to create a new alias for each channel that we want our Wi-Fi card to be able to switch to.

Save this alias withCtrl-X and then agree to save by typing Y. Quit your terminal session, and reopen it to see the command available by typing alias into a fresh terminal window. While this command is the most useful, it is also one that is likely to need to be run more than once.

To make sure this command works, disconnect from any access point you are currently connected to. You may need to "forget" nearby networks in order to do so, by going into your advanced network settings. Once you are disconnected from any AP and with the Wi-Fi card turned on, try to set the channel to channel 4 by typing setchannelto4 in a terminal window. Then, run currentap to find which channel you're on.

setchannelto4
currentap
     agrCtlRSSI: 0
     agrExtRSSI: 0
    agrCtlNoise: 0
    agrExtNoise: 0
          state: init
        op mode:
     lastTxRate: 0
        maxRate: 0
lastAssocStatus: 16
    802.11 auth: open
      link auth: none
          BSSID: 0:0:0:0:0:0
           SSID:
            MCS: -1
        channel: 4

If it's not on the right AP, turn your Wi-Fi card off and back on again, then run the command again. You may need to do this a few times, as macOS will tend to ignore this if it thinks it can connect to an AP in range.

If you're running Wireshark, you should be able to see packets all start coming in on the same channel; This means that you've successfully switched the wireless card to the desired channel.

Step 3: Capture Packets Natively

Now that we have the ability to set the channel we're sniffing on, go ahead and set it to your desired channel. Next, we can start sniffing packets on that channel by returning to our Bash profile and adding the following alias.

alias sniff='sudo /usr/libexec/airportd en0 sniff'

Running this command will begin saving all observed packets to a .cap file, which you can open in Wireshark later to interpret. Once the alias is set and you've saved and closed the file, quit terminal, and reopened it to make the alias available for use.

Begin sniffing packets by typing sniff in a terminal window. When you're finished, press Ctrl-C to stop sniffing and save the captured packets to a .cap file.

sniff
Capturing 802.11 frames on en0.
Session saved to /tmp/airportSniffuwvwnx.cap.

Step 4: Open Captured Packets in Wireshark

Finally, if you have a .cap file you want to open in Wireshark, the command to do so is easy. With the name of your macOS capture file handy, you can open Wireshark to inspect the packets you've captured if you have Wireshark installed, or later on another device, by typing the following command.

wireshark -r /tmp/yourfilename.cap

This will open the capture in Wireshark, allowing you to confirm you got the capture you needed and inspect the intercepted packets.

Any MacOS System Can Be a Packet Capturing Node

MacOS computers are commonplace in many tech and creative business environments, and learning to use the built-in tools to your advantage means nothing but access is required to begin capturing packets from networks around you.

Utilizing aliasing makes the built-in commands shorter and more memorable, allowing a hacker to create an easy workflow for discovering, tuning to, and capturing traffic from networks of interest. Using these tactics, a macOS computer near your target is everything you need to spy on local Wi-Fi communications.

I hope you enjoyed this guide to configuring an Apple computer to control the wireless card and sniff Wi-Fi packets! If you have any questions about this guide on working with macOS or you have a comment, feel free to reach me below or on Twitter @KodyKinzie.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo by Kody/Null Byte

3 Comments

Great tutorial. I have to delete my home network for it to work, but the aliases are all working fine. Most of the stuff picked up sniffing is all encrypted, but it's still interesting to find out that Mac has all of these capabilities hidden from less curious users...

Is this something that would work? Instead of having to add them individually to the file.

alias getchannel='read -p "what channel: " curchan; sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport --channel=$curchan'

Awesome video and article!

Share Your Thoughts

  • Hot
  • Latest