Development

ooktools and Yard Stick One

In my last tutorial, I showed you how to install RfCat and the ooktools on your macOS, as I promised to go into more detail on the ooktools later – I want to keep this promise now.

Requirements

  • RfCat installed
  • ooktools installed
  • jq installed (optional)
  • you own a Yard Stick One (or any rfcat compatible device)
  • you own a Garage Door opener (or similar device)

Objective

Learn and understand the ooktools sub command ‘signal’.

ooktools signal

The ooktools offers many great features (look at the command line help)! In this tutorial I will focus on signal search, signal record, signal plot and signal play.

# show sub command signal help
$ python2.7 -m ooktools.console signal --help
...
Usage: console.py signal [OPTIONS] COMMAND [ARGS]…

Signal Commands.

Options:
--help  Show this message and exit.

Commands:
brute   Bruteforce a binary range.
jam     Jam a frequency by just sending noise.
play    Play frames from a source file.
plot    Plot frames from a recorded signal.
record  Record frames to a file.
search  Search for signals.
send    Send signals using a RFCat dongle.

Search a signal

Garage Door Opener & Yard Stick One

My garage door opener has information about the frequency (868.3 MHz) on the back, which makes my search a little easier! If this is not the case for you, search for the FCC identifier.

If you have a rough idea about the frequency (and other values), look in the signal search help and compare all standard values with your needs! You only have to overwrite the values ​​which do not match (as arguments).

# show help for signal search
$ python2.7 -m ooktools.console signal search --help

# search signal in specific range
$ python2.7 -m ooktools.console signal search -S 868200000 -E 868400000

Note: Only signal search throws sometimes an Python/USB exception on my OS (after finish the search), all other commands work perfectly. If you have the same problem, reconnect the USB device (Yard Stick One)!

Record a signal

Now run the signal record. Go the same way like you did for the signal search! First look at the sub command help, overwrite the default values and run the command.

# show help for signal record
$ python2.7 -m ooktools.console signal record --help

# start a signal record
$ python2.7 -m ooktools.console signal record -F 868300000 -f 60 -D  ~/Desktop/test.json

After the signal record is finished, you can have a look on the JSON file.

# view file content and pipe output to jq (optional)
$ cat ~/Desktop/test.json | jq .

Plot the recorded signal

With signal plot you can easily create and watch frames from a recorded signal (json file). The help shows you the possible fine adjustments for the plot output. I have recorded 9 Frames, maybe that differs for you!

# show help for signal plot
$ python2.7 -m ooktools.console signal plot --help

# plot a signal record (number of frames)
$ python2.7 -m ooktools.console signal plot -c 6 -S ~/Desktop/test.json
ooktools plot

To specify the plot you can use sub command agrument --series.

# plot a signal record (series of fields)
$ python2.7 -m ooktools.console signal plot -s 1:4 -S ~/Desktop/test.json
ooktools plot series

Play a signal

It’s time to try. For that I have to walk a long way to the parking garage gate (I usually drive this route). For signal play sub command only two arguments are needed (source & repeats).

# show help for signal play
$ python2.7 -m ooktools.console signal play --help

# play a signal record
$ python2.7 -m ooktools.console signal play -r 2 -S ~/Desktop/test.json

I did not modify the record file, just run all recorded frames for 2 times. If you are wondering if this worked for me? No – the signal is sent too quickly this way. The gate doesn’t open like this. With tools like GQRX / URH & HackRF One I was able to compare the signals. So some fine-tuning is needed (baud rate/modulation/etc.). Nevertheless, you should have got a good overview of the ooktools.

RfCat on BigSur (Yard Stick One)

Some time ago, I wrote a tutorial about RfCat installation on Kali Linux. Many people asked me for similar tutorial on macOS (Big Sur). So I will use this time now (my first tutorial of year 2021), to show and try to explain (as best I can do). Also I will try to provide some basics for usage, as the community seems not so big and less online documentation is available like for other topics. You can reuse the knowledge for other OS, too.

Precondition

  • latest macOS Commandline Tools installed (xcode-select --install)

Install RfCat incl. everything needed

First you need to download libusb tarball, unzip the downloaded archive and compile/install it (don’t worry sounds harder as it is). If you choose other sources like macports, you may run into location issues (paths to binaries/libraries).

Note: the following examples will just provide the latest version (1.0.24), while I was writing this tutorial. Please look beforehand if there is a newer libusb version already available.

# download via curl
$ curl -L -C - "https://github.com/libusb/libusb/releases/download/v1.0.24/libusb-1.0.24.tar.bz2" -o ~/Downloads/libusb-1.0.24.tar.bz2

# unzip archive
$ tar -xf ~/Downloads/libusb-1.0.24.tar.bz2 -C ~/Downloads/

# change into extraced archive directory
$ cd Downloads/libusb-1.0.24

# verify dependencies for build and install process are available
$ ./configure

# run build
$ make

# run installation
$ sudo make install

# verify installation (optional)
$ ls -la /usr/local/lib/libusb*

# delete archive and directory (optional)
$ rm -fr ~/Downloads/libusb-1.0.24*

Install required Python packages with Python Pip. Without these the RfCat compilation, installation and usage will not correctly work!

Note: As I do have different Python version installed, I specify the excat Python version (2.7.x) in the following examples. If you have only the default MacOS Python version installed – you could use pip directly (without python2.7 -m).

# verify already installed packages (optional)
$ python2.7 -m pip freeze

# install libusb via pip
$ python2.7 -m pip install libusb

# install pyusb via pip
$ python2.7 -m pip install pyusb

# install pyreadline via pip
$ python2.7 -m pip install pyreadline

# install ipython via pip
$ python2.7 -m pip install ipython

# install PySide2 via pip
$ python2.7 -m pip install PySide2

Clone RfCat Git repository from Github (may some older online documentations still link to Bitbucket). In the following example I choose the Downloads directory – of course you can choose any preferred destination.

# clone from GitHub
$ git clone https://github.com/atlas0fd00m/rfcat.git ~/Downloads/rfcat

# change directory
$ cd Downloads/rfcat

# run the installation
$ sudo python2.7 setup.py install

# verify the installation (optional)
$ ls -la /usr/local/bin/rfcat*

# show rfcat help (optional)
$ /usr/local/bin/rfcat -h

# delete cloned directory (optional)
$ rm -fr ~/Downloads/rfcat

If everything went well so far, you should take a look at your installed Python packages.

# verify installed packages (optional)
$ python2.7 -m pip freeze | grep -i 'libusb\|pyusb\|pyreadline\|ipython\|PySide2\|rfcat'

Optional installation of ooktools

Now I recommend to install the ooktools packages via Python Pip. The ooktools will make your life much easier and you will have much faster results.

# install ooktools via pip
$ python2.7 -m pip install ooktools

# verify and show help (optional)
$ python2.7 -m ooktools.console --help

# verify and show specific help topic (optional)
$ python2.7 -m ooktools.console wave --help

I’ll go into the ooktools in a later tutorial, but not today.

Run RfCat

So far so good. Let’s start to connect the Yard Stick One (plug into USB) and run the first example. Always have in mind, the official operating frequencies (for the Yard Stick One):

  • 300 – 348 MHz
  • 391 – 464 MHz
  • 782 – 928 MHz

Note: RfCat expact the values in “Hz”, so 315 MHz are 315000000 Hz.

Hint: don’t put any other transmitter next to the Yard Stick One while you use it (eq. Mobile, Wifi router, etc.). You could destroy it or weaken/disrupt your signals.

# start rfcat (interactive Python)
$ sudo rfcat -r

If no error message appears, you’re good to go.

# start scan on specific frequency (315 MHz)
In [1]: d.specan(315000000)

You should see now the spectrum analyser.

RfCat specan on 315 MHz

Okay, stop the scanning process by closing the spectrum analyzer window. Now let’s start a simple record (also if you don’t have a signal nearby).

Note: there are many more settings and I cannot describe all here! It always depends to the problem you like/need to solve.

# enter the IDLE state (important after any action)
In [2]: d.setModeIDLE()

# specific frequency (315 MHz)
In [3]: d.setFreq(315000000)

# specific modulation (ASK/OOK/Manchester encoding)
In [4]: d.setMdmModulation(MOD_ASK_OOK)

# specific baudrate (4800 Hz)
In [5]: d.setMdmDRate(4800)

# turn on the amplifier
In [6]: d.setMaxPower()

# drops most blocks to pkts (CARRIER)
In [7]: d.lowball()

# start and dump data to screen
In [8]: d.RFlisten()

# stop listen (press Enter to stop)

# enter the IDLE state (or you need to unplug from USB)
In [9]: d.setModeIDLE()

# exit
In [10]: exit()

Your result should look like:

RfCat listen example

Hint: use the Tabulator key for command-line completion (also tab completion) and take use of the internal help of RfCat (eq. help(d.setMdmModulation))

The popular frequencies are mostly near by:

  • 315 MHz (car fobs)
  • 433 MHz (door openers, medical devices)
  • 868 MHz (door openers in EU/swiss)
  • 915 MHz (industrial equipment, medical devices)

Send via Python script

It would be not enough to show you only Command line and nothing about transmit. Therefore now a small Python script, which send out some example data. I think the following script is self explanatory.

from rflib import *

d = RfCat()
d.setFreq(315000000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)

print("Transmission starting")
d.RFxmit("\x2e\x2e\x2d\x2e\x2e\x2d\x2e\x00\x00\x00\x00\x00\x00"*10)
print("Transmission complete")

Hint: \x escape sequence means the next two characters are interpreted as hex digits for the character code (\x is used inside strings to represent a character), 0x is used for literal numbers in Python.

Install Gqrx and GNU Radio on macOS (Big Sur)

I’ve tried many times and different ways but the installation of Gqrx and GNU Radio on macOS Big Sur via MacPorts failed always. I did not give up and found a working solution for me (my HackRF One) and these two needed tools. In this tutorial I would like to show you the installation (Gqrx & GNU Radio). If you need first to install HackRF One on macOS, please have a look here.

Install XQuartz

First download and installation starts with XQuartz. Download the latest DMG, run the installation and logout/login from your system.

Install Gqrx SDR

As already mentioned, Gqrx (at least for me) cannot installed on Big Sur via MacPorts. Therefore download and install the precompiled binary from Gqrx. As soon the installation was successful, you can connect and use the HackRF One.

Gqrx and HackRF One on macOS Big Sur

Install Python 3.7

The third step also requires a download and installation. Look for the version Python 3.7! Any version below will not work.

Install GNU Radio

Finally, at the last step, we can start to download and install GNU Radio. It’s a quite big application, so please be patient while processing. Also the startup of GNU Radio (inside XQuartz) takes always some few seconds.

GNU Radio on macOS Big Sur

If you consider the time (download/installation) compared to the MacPorts installation (download/build/installation), a time gain. Of course Xquartz is also needed for MacPorts. Here if you will try via MacPorts:

# install gr-osmosdr (incl hackrf + gnu radio)
$ sudo port install gr-osmosdr

# install gr-fosphor (needed by gnu radio)
$ sudo port install gr-fosphor

# install gqrx
$ sudo port install gqrx

Install HackRF One on macOS (Big Sur)

This time it’s about installing HackRF One binaries on the macOS Big Sur. In another later tutorial I will dive deeper into macOS, HackRF ONE and GnuRadio (gnuradio-companion), but not yet. The installation takes place via latest MacPorts.

Preparation

  • macPorts installed
  • Commandline Tools installed (SDK higher 11)
  • HackRF One connected and started (via USB cable)

CommandLineTools SDK

My first installation failed with a error (even as MacPorts where completely new installed and Command Line Tools where installed, too). I looked into log file and saw a issue with clang version.

# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
 …
 clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
 …
 

# show clang version (optional)
$ clang --version

So looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm I had a look installed SDK’s.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk
CommandLine Tools 12.3

To be really sure. Yes new SDK is installed.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk

# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version

Installation

After the installation and verification (yes the new sdk was getting installed), I tried the macPorts installation again.

# install hackrf via mac ports
$ sudo port install hackrf

Test installation

This time all went fine and I could start testing the device.

# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b

# show hackrf info
$ hackrf_info

# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r

# start record
$ hackrf_transfer -r myRecord.raw -f 433780000

# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20

macOS internet connection and service order

Many times I’v got asked (directly, via messages or forums) why the macOS internet connection does not work anymore, while using devices like Shark Jack, O.MG Cable and so on. In my tutorials I also did not mention this in detail, because I assumed this should be clear. A big mistake from my side. Therefore now this article. I will now do my best to explain, using a few examples, how to prioritize the services so that you do not lose your internet connection from your macOS. I will use the internet connection via Wifi hotspot.

Note: I show here an specific example for Shark Jack now. But main target is that you understand and can reuse your knowledge also for different other situations.

Network locations

The first part is about macOS network locations. To not destroy your current settings, we will create a new network location (all via command line).

Warning: The following steps will disconnect your internet connection (briefly), because the new created network location is not populated. Read the tutorial carefully before you execute any command!

# list all network locations
$ networksetup -listlocations

# show name of the current location
$ networksetup -getcurrentlocation

# create new location (SharkJackNetwork)
$ networksetup -createlocation SharkJackNetwork

# change location
$ networksetup -switchtolocation SharkJackNetwork

# lists network interfaces (should be empty)
$ networksetup -listallnetworkservices

Services

The newly created network location does not contain any service now. In the next second part we create two (Wifi and Bluetooth), set own DNS server and test. If you have stored your Wifi credentials (see Keychain Access.app), the internet connection will automatically established again.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create WI-FI service (named WLAN)
$ networksetup -createnetworkservice WLAN "WI-FI"

# create Bluetooth PAN service (named Bluetooth)
$ networksetup -createnetworkservice Bluetooth "Bluetooth PAN"

# lists network interfaces (WLAN and Bluetooth)
$ networksetup -listallnetworkservices

# add dns server (to WLAN)
$ networksetup -setdnsservers WLAN 8.8.8.8 8.8.4.4

# verify DNS settings (optional)
$ dig +all example.com

My MacBook Pro does not provide an RJ45 interface (only USB-C). Therefore I buyed a Multi-Port-Adapter from Satechi. After plug in, I add this device now to my services. There are many other vendors as well, for such please choose your own name.

# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports

# create adapter service (named Satechi)
$ networksetup -createnetworkservice Satechi "USB 10/100/1000 LAN"

Now it’s time to use Shark Jack. Turn it on (arming mode), plug into adapter, wait for IP and test. If you haven’t changed it, the default IP is “172.16..24.1”, the user is “root” and password is “hak5shark”.

# wait for IP
$ ifconfig en8

# run command over SSH
$ ssh -C4 root@172.16.24.1 -C 'pwd'

# ping google dns
$ ping -c 1 google.com

The internet connection is not working anymore but Wifi seems working correctly!

Service order

Now it comes to the order of all services (prioritization). Here we ensure that internet connection works again.

# show services in the order they are contacted for a connection
$ networksetup -listnetworkserviceorder

# command to designate the order network services are contacted
$ networksetup -ordernetworkservices WLAN Satechi Bluetooth

# ping google dns
$ ping -c 1 google.com

All good now … The newly created network location (incl. services) can be used as soon you develop your Shark Jack payloads. Specific to your environment needs, you can create and use many of these network locations (to quickly switch between).

macOS network locations via gui

First steps with Shark Jack

After you receive your new Shark Jack device from Hak5, you need to upgrade the Firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.

Preparation

Enable the Arming mode (middle switch position) and connect with your RJ45 interface, also connect USB-C for charging. Do not stop charging while the whole upgrade process! In case your local device does not provide such interface, I have really good experience with the multiport adapter from SATECHI.

Download and install latest Firmware

The default settings for your new Shark Jack are:

  • IP: 172.16.24.1 (Arming mode)
  • User: root
  • Password: hak5shark

Download latest Shark Jack Firmware from here.

Hak5 Download Center - SharkJack
# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin

# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin

# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/

# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1

# list directory content (optional)
root@shark:~# ls -la

# show current version
root@shark:~# cat VERSION
1.0

# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin

Now be patient and do not remove the Shark Jack from RJ45 or the USB-C for charging! The device installs the new firmware and reboots. For me it was around 3 – 4 minutes.

# check interface status (optional)
$ ifconfig

# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1

# show current version
root@shark:~# cat VERSION
1.1.0

That’s it … have fun and success.

Evil access point on macOS

With just a few steps it is possible to convert the MacBook into an evil access point. The device already has everything that is necessary in terms of hardware. For the additionally software only an Internet access is is required.

Note: The installation and configuration of Kali Linux VM (inside VirtualBox) is not part of this tutorial.

Objectives

Turn the macOS into wifi hotspot with fake DNS.

Starting position

Via cable (USB-C to Lightning) my MacBook and my IPhone are connected. On the IPhone the Hotspot (USB tethering) is enabled. The Wifi devices is off. Finally there is a Kali Linux VM and SSH access is configured in it.

Step 1: check current local config

Most of the following commands in the first step are optional, only your own IP is important. But this will give you a better understanding of your system.

# show local ip
$ ifconfig en7
[172.20.10.2]

# show system DNS configuration (optional)
$ scutil --dns | grep nameserver

# show network status (optional)
$ netstat -na | grep "\.53"

My interface is en7 and my local IP is 172.20.10.2. For you this can be different! The IPhone is my nameserver 172.20.10.1 (results of scutil) and no service is listen on port 53 (results of netstat).

Step 2: start Kali Linux and clone website

As already mentioned, we are now using the Kali Linux VM. The only important point for VM configuration is that the interface is mode “Bridged Network“.

# list all vm's
$ VBoxManage list vms

# start headless specific vm
$ VBoxManage startvm --type headless "KaliLinux"

# show running vm's (optional)
$ VBoxManage list runningvms

# get IP of vm
$ VBoxManage guestproperty get "KaliLinux" "/VirtualBox/GuestInfo/Net/0/V4/IP"
[172.20.10.3]

# SSH into VM
$ ssh <user>@172.20.10.3

Inside the Kali Linux we use The Social-Engineer Toolkit (SET) to clone quickly a website.

# start setoolkit
$ sudo setoolkit

# select Social-Engineering Attacks
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

set> 1

# select Website Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

set> 2

# select Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method

set:webattack> 3

# select Site Cloner
1) Web Templates
2) Site Cloner
3) Custom Import

set:webattack> 2

After the inputs for IP (IP of VM) and domain (URL to clone) you should use an other tab (CMD + t) on your terminal. You can check the cloning result in your browser.

Step 3: clone, build, and run dnsmasq

Now dnsmasq is needed. You can install via brew or download and compile by your self.

# clone latest git repository
$ git clone git://thekelleys.org.uk/dnsmasq.git

# change into cloned directory
$ cd dnsmasq

# build dnsmasq binary
$ make

# show help for dnsmasq
$ sudo ./src/dnsmasq --help

# run dnsmasq
$ sudo ./src/dnsmasq --no-dhcp-interface= --no-daemon --log-queries --no-hosts --no-resolv --no-poll --server=8.8.8.8 --address="/example.com/172.20.10.3"

Dnsmasq runs without DHCP service, without reading /etc/hosts and /etc/resolv.conf. Google IP is given for upstream DNS server.

Step 4: test your DNS

And again you should use an other tab (CMD + t) on your terminal. Now you can verify the dnsmasq configuration.

# flush local DNS
$ sudo killall -HUP mDNSResponder

# dig on local IP
$ dig @172.20.10.2 +short example.com

# dig on localhost
$ dig @localhost +all example.com

# nslookup on local
$ nslookup login.example.com 172.20.10.2

Step 5: create access point

Set the DNS server for the Wi-Fi service and then start the hotspot.

# set DNS server
$ networksetup -setdnsservers Wi-Fi 172.20.10.2

My favorite SSID: Starbucks

macOS hotspot Starbucks

Now it’s time to wait… In the meantime, you can find out more about your connected STA’s.

# show STA informations (optional)
$ cat /private/var/db/dhcpd_leases

Share internet from macOS to Wifi Pineapple (Part 2)

Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the network configuration (NAT subnet configurations) so that we can use internet sharing on macOS inside “172.16.42.x” network.

Objectives

Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).

Step 1: Prepare for next steps

If you have “Internet Sharing” enabled, now you must switch it off!

Turn on the Wifi Pineapple device and connect via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, following commands should run successful.

# ping device (optional)
$ ping -c 1 172.16.42.1

# show wifi pineapple network settings (optional)
$ ssh root@172.16.42.1 -C 'uci show network'

# start browser session (optional)
$ open http://172.16.42.1:1471

Step 2: Configure default subnet

The property list (com.apple.nat.plist) is like a contract between the “Sharing preferences pane” and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties, which follow in this tutorial, are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I choose value 172.16.42.10.

# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist

# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak

# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10

# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100

# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0

Step 3: Network configuration

We will deal with 2 interfaces locally (enX and bridge100). Now we configure the “enX” IP first. We do this simply via “Network preferences”. Depending to your Wifi Pineapple device you should see following services:

  • NANO: AX88x72A
  • TETRA: USB 10/100 LAN

Select the service and configure like in picture.

macOS - Wifi Pineapple IP configuration

Now change the network service order.

macOS - Wifi Pineapple network service order

After saving, we quickly check everything.

# check interface (in my case it's en5)
$ ifconfig en5                
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255

# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable

# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist

Step 4: Start Internet Sharing

Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure as in picture.

macOS - Wifi Pineapple internet share

Step 5: Set bridge100 interface IP

Back to the terminal, here the interface “bridge100” should be visible now. This interface we assign the IP 172.16.42.42.

# show interface information (optional)
$ ifconfig bridge100

# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up

That’s it already! Via “Bulletins” you can verify.

Wifi Pineapple Dashboard

BTW … Take a look at the following local files, with and without Internet sharing!

# read config file for DHCP
$ defaults read /etc/bootpd.plist

# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist